This commit is contained in:
Cyrus Daboo
2026-06-08 10:27:51 -04:00
parent 67045e2fa0
commit 9468f879c3
664 changed files with 20746 additions and 2407 deletions
+151
View File
@@ -0,0 +1,151 @@
# Changes
Significant changes in this release.
---
## declarative/declarations/configurations
### New Objects
- New: declarative/declarations/configurations/app.settings.yaml
- New: declarative/declarations/configurations/content-cache.settings.yaml
- New: declarative/declarations/configurations/extensible-sso.yaml
- New: declarative/declarations/configurations/network.dns-proxy.yaml
- New: declarative/declarations/configurations/network.dns-settings.yaml
- New: declarative/declarations/configurations/network.relay.yaml
- New: declarative/declarations/configurations/network.vpn.always-on.yaml
- New: declarative/declarations/configurations/network.vpn.ikev2.yaml
- New: declarative/declarations/configurations/network.vpn.ipsec.yaml
- New: declarative/declarations/configurations/network.vpn.vpn-plugin.yaml
- New: declarative/declarations/configurations/webcontent-filter.plugin.yaml
### New Payload Keys
- New: declarative/declarations/configurations/intelligence.settings.yaml/Apps/Calendar
- New: declarative/declarations/configurations/legacy.interactive.yaml/ProfileAssetReference
- New: declarative/declarations/configurations/legacy.yaml/ProfileAssetReference
- New: declarative/declarations/configurations/package.yaml/UninstallBehavior
- New: declarative/declarations/configurations/safari.settings.yaml/Privacy
### Objects with New OS Support
- Changed: declarative/declarations/configurations/siri.settings.yaml [tvOS 27.0]
### Payload Keys with New OS Support
- Changed: declarative/declarations/configurations/app.managed.yaml/AppConfig [macOS 27.0]
- Changed: declarative/declarations/configurations/app.managed.yaml/ExtensionConfigs [macOS 27.0]
- Changed: declarative/declarations/configurations/app.managed.yaml/LegacyAppConfigAssetReference [macOS 27.0]
---
## declarative/status
### New Objects
- New: declarative/status/content-cache.info.yaml
- New: declarative/status/content-cache.parents.yaml
- New: declarative/status/content-cache.peers.yaml
- New: declarative/status/content-cache.status.yaml
- New: declarative/status/device.system.health.yaml
- New: declarative/status/enhanced-logging.applecare-token.yaml
- New: declarative/status/enhanced-logging.status.yaml
- New: declarative/status/enhanced-logging.timestamp.yaml
- New: declarative/status/mdm.enrollment-type.yaml
- New: declarative/status/mdm.is-awaiting-configuration.yaml
- New: declarative/status/mdm.is-return-to-service.yaml
- New: declarative/status/mdm.is-shared-ipad.yaml
- New: declarative/status/mdm.push-magic.yaml
- New: declarative/status/mdm.push-token.yaml
- New: declarative/status/security.lockdown-mode.yaml
### Payload Keys with New OS Support
- Changed: declarative/status/app.managed.list.yaml/app.managed.list/status_value/config-state [macOS 27.0]
---
## mdm/checkin
### New Payload Keys
- New: mdm/checkin/returntoservice.yaml/ReturnToService/ShouldRetryEnrollment
---
## mdm/commands
### New Objects
- New: mdm/commands/cancel.enhanced.log.collection.yaml
- New: mdm/commands/trigger.enhanced.log.collection.yaml
### New Payload Keys
- New: mdm/commands/device.erase.yaml/ReturnToService/ShouldRetryEnrollment
### Removed Objects
- Removed: mdm/commands/system.update.available.yaml
- Removed: mdm/commands/system.update.scan.yaml
- Removed: mdm/commands/system.update.schedule.yaml
- Removed: mdm/commands/system.update.status.yaml
### Removed Payload Keys
- Removed: mdm/commands/information.device.yaml/Queries/OSUpdateSettings
- Removed: mdm/commands/information.device.yaml/Queries/SoftwareUpdateDeviceID
- Removed: mdm/commands/information.device.yaml/Queries/SoftwareUpdateSettings
- Removed: mdm/commands/information.device.yaml/QueryResponses/SoftwareUpdateDeviceID
- Removed: mdm/commands/information.device.yaml/QueryResponses/SoftwareUpdateSettings
- Removed: mdm/commands/settings.yaml/Settings/SoftwareUpdateSettings
---
## mdm/profiles
### New Payload Keys
- New: mdm/profiles/com.apple.applicationaccess.yaml/ForceCaptivePortalConnectionFromLockScreen
- New: mdm/profiles/com.apple.applicationaccess.yaml/ForceWifiConfigurationOnLockScreen
- New: mdm/profiles/com.apple.extensiblesso.yaml/PlatformSSO/AllowWebLoginPasswordSync
- New: mdm/profiles/com.apple.extensiblesso.yaml/PlatformSSO/WebLoginURLAllowList
### Payload Keys with New OS Support
- Changed: mdm/profiles/com.apple.applicationaccess.yaml/allowAutomaticAppDownloads [visionOS 27.0]
- Changed: mdm/profiles/com.apple.applicationaccess.yaml/allowCamera [visionOS 27.0]
- Changed: mdm/profiles/com.apple.applicationaccess.yaml/allowListedAppBundleIDs [visionOS 27.0]
- Changed: mdm/profiles/com.apple.applicationaccess.yaml/blockedAppBundleIDs [visionOS 27.0]
### Removed Objects
- Removed: mdm/profiles/com.apple.SoftwareUpdate.yaml
### Removed Payload Keys
- Removed: mdm/profiles/com.apple.applicationaccess.yaml/allowRapidSecurityResponseInstallation
- Removed: mdm/profiles/com.apple.applicationaccess.yaml/allowRapidSecurityResponseRemoval
- Removed: mdm/profiles/com.apple.applicationaccess.yaml/enforcedSoftwareUpdateDelay
- Removed: mdm/profiles/com.apple.applicationaccess.yaml/enforcedSoftwareUpdateMajorOSDeferredInstallDelay
- Removed: mdm/profiles/com.apple.applicationaccess.yaml/enforcedSoftwareUpdateMinorOSDeferredInstallDelay
- Removed: mdm/profiles/com.apple.applicationaccess.yaml/enforcedSoftwareUpdateNonOSDeferredInstallDelay
- Removed: mdm/profiles/com.apple.applicationaccess.yaml/forceDelayedAppSoftwareUpdates
- Removed: mdm/profiles/com.apple.applicationaccess.yaml/forceDelayedMajorSoftwareUpdates
- Removed: mdm/profiles/com.apple.applicationaccess.yaml/forceDelayedSoftwareUpdates
---
## mdm/errors
No changes.
---
## other
### New Payload Keys
- New: other/skipkeys.yaml/AccessibilityAppearance
- New: other/skipkeys.yaml/LiquidGlass
+13 -5
View File
@@ -8,11 +8,13 @@ This release corresponds to the following OS versions
| OS | Version |
|----------|---------|
| iOS | 26.4 |
| macOS | 26.4 |
| tvOS | 26.4 |
| visionOS | 26.4 |
| watchOS | 26.4 |
| iOS | 27.0 |
| macOS | 27.0 |
| tvOS | 27.0 |
| visionOS | 27.0 |
| watchOS | 27.0 |
See [Changes](CHANGES.md) for the significant changes in this release.
## What's Available
@@ -29,6 +31,12 @@ The following schema items are available:
* Other device management data formats
* Examples for schema items - `examples`
* This directory contains `declarative`, `mdm`, and `other` directories.
* Each sub-directory contains directories and files that mirror the structure of the corresponding schema directories.
* Each schema item has its own directory containing the example files for the schema object.
* Each YAML schema file contains an `examples` key that includes relative file paths to its example files.
## YAML Schema Definition
See [YAML Schema](docs/schema.md).
@@ -15,6 +15,7 @@ payload:
introduced: '10.0'
payloadkeys:
- key: StandardConfigurations
title: Standard configurations
type: <array>
presence: required
content: An array of strings that specify the identifiers of configurations to install.
@@ -22,10 +23,22 @@ payloadkeys:
from installing.
subkeys:
- key: StandardConfigurationsItems
title: Standard configurations items
type: <string>
- key: Predicate
title: Predicate
type: <string>
presence: optional
content: A predicate format string as [Apple's Predicate Programming](https://developer.apple.com/library/archive/documentation/Cocoa/Conceptual/Predicates/AdditionalChapters/Introduction.html)
describes. The activation only installs when the predicate evaluates to `true`
or isn't present.
examples:
title: Activation examples
files:
- tab: One configuration
description: This activation applies one configuration.
file: examples/declarative/declarations/activations/simple/example1.json
- tab: Predicate
description: This activation applies two configurations and uses a predicate to
limit those to only apply on an Apple TV device.
file: examples/declarative/declarations/activations/simple/example2.json
@@ -15,6 +15,7 @@ payload:
introduced: '10.0'
payloadkeys:
- key: Reference
title: External reference
type: <dictionary>
asset-content-types:
- application/json
@@ -26,22 +27,26 @@ payloadkeys:
- Uses a media type of `application/json`, and if it includes a `ContentType` sub-key, that sub-key media type is also `application/json`
subkeys:
- key: DataURL
title: Data URL
type: <string>
presence: required
content: The URL to retrieve data, which needs to start with `https://`.
- key: ContentType
title: Content type
type: <string>
presence: optional
content: The media type that describes the data. If present, the system checks
the actual media type of the downloaded data, and an error occurs if the values
don't match.
- key: Size
title: Size
type: <integer>
presence: optional
content: The size of the data. Set the size to `0` if there's no expectation of
a response body. If present, the system checks the actual size of the downloaded
data, and an error occurs if the values don't match.
- key: Hash-SHA-256
title: SHA-256 hash
type: <string>
presence: optional
content: A SHA-256 hash of the data stored at the `DataURL`. Don't set this value
@@ -49,11 +54,14 @@ payloadkeys:
the actual hash of the downloaded data, and an error occurs if the values don't
match.
- key: Authentication
title: Server authentication
type: <dictionary>
presence: optional
content: The server authentication details.
content: The server authentication details. If this key is absent, the default authentication
type is MDM.
subkeys:
- key: Type
title: Authentication type
type: <string>
presence: required
rangelist:
@@ -63,7 +71,10 @@ payloadkeys:
The type of authentication, which has these allowed values:
- `MDM`: A request that uses MDM semantics, which includes the device-identity certificate, and any user authentication. This is equivalent to an MDM request made to the `CheckInURL` or `ServerURL`. This option is only available through declarative device management.
- `None`: A standard GET request.
If the `Authentication` dictionary is absent, the default authentication type is MDM.
- key: Accessible
title: Accessible
type: <string>
presence: optional
rangelist:
@@ -75,3 +86,7 @@ payloadkeys:
- `Default`: The most restrictive accessibility that still satisfies all uses of the asset by configurations that reference it.
- `AfterFirstUnlock`: The keychain item is only available after the first unlock of the device.
examples:
title: Asset example
files:
- file: examples/declarative/declarations/assets/credential.acme/example1.json
@@ -15,6 +15,7 @@ payload:
introduced: '10.0'
payloadkeys:
- key: Reference
title: External reference
type: <dictionary>
asset-content-types:
- application/pkcs1
@@ -26,22 +27,26 @@ payloadkeys:
corresponding media type.
subkeys:
- key: DataURL
title: Data URL
type: <string>
presence: required
content: The URL to retrieve data, which needs to start with `https://`.
- key: ContentType
title: Content type
type: <string>
presence: optional
content: The media type that describes the data. If present, the system checks
the actual media type of the downloaded data, and an error occurs if the values
don't match.
- key: Size
title: Size
type: <integer>
presence: optional
content: The size of the data. Set the size to `0` if there's no expectation of
a response body. If present, the system checks the actual size of the downloaded
data, and an error occurs if the values don't match.
- key: Hash-SHA-256
title: SHA-256 hash
type: <string>
presence: optional
content: A SHA-256 hash of the data stored at the `DataURL`. Don't set this value
@@ -49,11 +54,14 @@ payloadkeys:
the actual hash of the downloaded data, and an error occurs if the values don't
match.
- key: Authentication
title: Server authentication
type: <dictionary>
presence: optional
content: The server authentication details.
content: The server authentication details. If this key is absent, the default authentication
type is MDM.
subkeys:
- key: Type
title: Authentication type
type: <string>
presence: required
rangelist:
@@ -63,3 +71,9 @@ payloadkeys:
The type of authentication, which has these allowed values:
- `MDM`: A request that uses MDM semantics, which includes the device-identity certificate, and any user authentication. This is equivalent to an MDM request made to the `CheckInURL` or `ServerURL`. This option is only available through declarative device management.
- `None`: A standard GET request.
If the `Authentication` dictionary is absent, the default authentication type is MDM.
examples:
title: Asset example
files:
- file: examples/declarative/declarations/assets/credential.certificate/example1.json
@@ -15,6 +15,7 @@ payload:
introduced: '10.0'
payloadkeys:
- key: Reference
title: External reference
type: <dictionary>
asset-content-types:
- application/json
@@ -26,22 +27,26 @@ payloadkeys:
- Uses a media type of `application/json`, and if it includes a `ContentType` sub-key, that sub-key media type is also `application/json`
subkeys:
- key: DataURL
title: Data URL
type: <string>
presence: required
content: The URL to retrieve data, which needs to start with `https://`.
- key: ContentType
title: Content type
type: <string>
presence: optional
content: The media type that describes the data. If present, the system checks
the actual media type of the downloaded data, and an error occurs if the values
don't match.
- key: Size
title: Size
type: <integer>
presence: optional
content: The size of the data. Set the size to `0` if there's no expectation of
a response body. If present, the system checks the actual size of the downloaded
data, and an error occurs if the values don't match.
- key: Hash-SHA-256
title: SHA-256 hash
type: <string>
presence: optional
content: A SHA-256 hash of the data stored at the `DataURL`. Don't set this value
@@ -49,11 +54,14 @@ payloadkeys:
the actual hash of the downloaded data, and an error occurs if the values don't
match.
- key: Authentication
title: Server authentication
type: <dictionary>
presence: optional
content: The server authentication details.
content: The server authentication details. If this key is absent, the default authentication
type is MDM.
subkeys:
- key: Type
title: Authentication type
type: <string>
presence: required
rangelist:
@@ -63,7 +71,10 @@ payloadkeys:
The type of authentication, which has these allowed values:
- `MDM`: A request that uses MDM semantics, which includes the device-identity certificate, and any user authentication. This is equivalent to an MDM request made to the `CheckInURL` or `ServerURL`. This option is only available through declarative device management.
- `None`: A standard GET request.
If the `Authentication` dictionary is absent, the default authentication type is MDM.
- key: Accessible
title: Accessible
type: <string>
presence: optional
rangelist:
@@ -75,3 +86,7 @@ payloadkeys:
- `Default`: The most restrictive accessibility that still satisfies all uses of the asset by configurations that reference it.
- `AfterFirstUnlock`: The keychain item is only available after the first unlock of the device.
examples:
title: Asset example
files:
- file: examples/declarative/declarations/assets/credential.identity/example1.json
@@ -15,6 +15,7 @@ payload:
introduced: '10.0'
payloadkeys:
- key: Reference
title: External reference
type: <dictionary>
asset-content-types:
- application/json
@@ -26,22 +27,26 @@ payloadkeys:
- Uses a media type of `application/json`, and if it includes a `ContentType` sub-key, that sub-key media type is also `application/json`
subkeys:
- key: DataURL
title: Data URL
type: <string>
presence: required
content: The URL to retrieve data, which needs to start with `https://`.
- key: ContentType
title: Content type
type: <string>
presence: optional
content: The media type that describes the data. If present, the system checks
the actual media type of the downloaded data, and an error occurs if the values
don't match.
- key: Size
title: Size
type: <integer>
presence: optional
content: The size of the data. Set the size to `0` if there's no expectation of
a response body. If present, the system checks the actual size of the downloaded
data, and an error occurs if the values don't match.
- key: Hash-SHA-256
title: SHA-256 hash
type: <string>
presence: optional
content: A SHA-256 hash of the data stored at the `DataURL`. Don't set this value
@@ -49,11 +54,14 @@ payloadkeys:
the actual hash of the downloaded data, and an error occurs if the values don't
match.
- key: Authentication
title: Server authentication
type: <dictionary>
presence: optional
content: The server authentication details.
content: The server authentication details. If this key is absent, the default authentication
type is MDM.
subkeys:
- key: Type
title: Authentication type
type: <string>
presence: required
rangelist:
@@ -63,7 +71,10 @@ payloadkeys:
The type of authentication, which has these allowed values:
- `MDM`: A request that uses MDM semantics, which includes the device-identity certificate, and any user authentication. This is equivalent to an MDM request made to the `CheckInURL` or `ServerURL`. This option is only available through declarative device management.
- `None`: A standard GET request.
If the `Authentication` dictionary is absent, the default authentication type is MDM.
- key: Accessible
title: Accessible
type: <string>
presence: optional
rangelist:
@@ -75,3 +86,7 @@ payloadkeys:
- `Default`: The most restrictive accessibility that still satisfies all uses of the asset by configurations that reference it.
- `AfterFirstUnlock`: The keychain item is only available after the first unlock of the device.
examples:
title: Asset example
files:
- file: examples/declarative/declarations/assets/credential.scep/example1.json
@@ -16,6 +16,7 @@ payload:
introduced: '10.0'
payloadkeys:
- key: Reference
title: External reference
type: <dictionary>
asset-content-types:
- application/json
@@ -27,22 +28,26 @@ payloadkeys:
- Uses a media type of `application/json`, and if it includes a `ContentType` sub-key, that sub-key media type is also `application/json`
subkeys:
- key: DataURL
title: Data URL
type: <string>
presence: required
content: The URL to retrieve data, which needs to start with `https://`.
- key: ContentType
title: Content type
type: <string>
presence: optional
content: The media type that describes the data. If present, the system checks
the actual media type of the downloaded data, and an error occurs if the values
don't match.
- key: Size
title: Size
type: <integer>
presence: optional
content: The size of the data. Set the size to `0` if there's no expectation of
a response body. If present, the system checks the actual size of the downloaded
data, and an error occurs if the values don't match.
- key: Hash-SHA-256
title: SHA-256 hash
type: <string>
presence: optional
content: A SHA-256 hash of the data stored at the `DataURL`. Don't set this value
@@ -50,6 +55,7 @@ payloadkeys:
the actual hash of the downloaded data, and an error occurs if the values don't
match.
- key: Authentication
title: Server authentication
supportedOS:
iOS:
introduced: '17.0'
@@ -61,9 +67,11 @@ payloadkeys:
introduced: '10.0'
type: <dictionary>
presence: optional
content: The server authentication details.
content: The server authentication details. If this key is absent, the default authentication
type is MDM.
subkeys:
- key: Type
title: Authentication type
type: <string>
presence: required
rangelist:
@@ -73,3 +81,9 @@ payloadkeys:
The type of authentication, which has these allowed values:
- `MDM`: A request that uses MDM semantics, which includes the device-identity certificate, and any user authentication. This is equivalent to an MDM request made to the `CheckInURL` or `ServerURL`. This option is only available through declarative device management.
- `None`: A standard GET request.
If the `Authentication` dictionary is absent, the default authentication type is MDM.
examples:
title: Asset example
files:
- file: examples/declarative/declarations/assets/credential.userpassword/example1.json
@@ -31,13 +31,13 @@ payloadkeys:
relatively weak indication because of the risk that an attacker may intercept
and duplicate the client identifier.
- key: KeySize
title: Key Size
title: Key size
type: <integer>
presence: required
content: The valid values for `KeySize` depend on the values of `KeyType` and `HardwareBound`.
See those keys for specific requirements.
- key: KeyType
title: Key Type
title: Key type
type: <string>
presence: required
rangelist:
@@ -53,7 +53,7 @@ payloadkeys:
> Note:
> The key size is `521`, not `512`, even though the other key sizes are multiples of `64`.
- key: HardwareBound
title: Hardware Bound
title: Hardware bound
type: <boolean>
presence: required
content: |-
@@ -78,22 +78,22 @@ payloadkeys:
You can represent OIDs as dotted numbers or use shortcuts for country (`C`), locality (`L`), state (`ST`), organization (`O`), organizational unit (`OU`), and common name (`CN`).
subkeys:
- key: ACMESubjectArrayInnerArray
title: Array Inside ACME Subject Array
title: Array inside ACME subject array
type: <array>
subkeys:
- key: ACMESubjectArrayPair
title: Subject Array Pair
title: Subject array pair
type: <array>
subkeys:
- key: ACMESubjectArrayPairItem
title: ACME Subject Array Pair Item
title: ACME subject array pair item
type: <string>
repetition:
min: 2
max: 2
content: One item in the array representing a pair of OID and value
- key: SubjectAltName
title: Subject Alt Name
title: Subject alt name
type: <dictionary>
presence: optional
content: Specifies the subject's alternative name that the device requests for the
@@ -101,12 +101,12 @@ payloadkeys:
this field in the certificate it issues.
subkeys:
- key: rfc822Name
title: RFC 822 Name
title: RFC 822 name
type: <string>
presence: optional
content: The RFC 822 email address.
- key: dNSName
title: DNS Name
title: DNS name
type: <string>
presence: optional
content: The DNS name.
@@ -116,12 +116,12 @@ payloadkeys:
presence: optional
content: The uniform resource identifier.
- key: ntPrincipalName
title: NT Principal Name
title: NT principal name
type: <string>
presence: optional
content: The NT principal name. Use an other name OID set to `1.3.6.1.4.1.311.20.2.3`.
- key: UsageFlags
title: Key Usage
title: Key usage
type: <integer>
presence: optional
content: |-
@@ -129,7 +129,7 @@ payloadkeys:
The value is a bit field. Bit `0x01` indicates digital signature, and bit `0x04` indicates key encipherment.
- key: ExtendedKeyUsage
title: Extended Key Usage
title: Extended key usage
type: <array>
presence: optional
content: |-
@@ -168,4 +168,8 @@ notes:
| Attest key support | iPhone, iPad | Mac | Apple TV | Apple Watch | Vision Pro |
|--------------------|--------------------------------------|----------------|-------------------------|----------------|------------|
| Ignored | A10x Fusion and earlier | Intel | A10x Fusion and earlier | S3 and earlier | none |
| Supported | A11 Bionic and later<br>All M series | Apple Silicon | A12 Bionic and later | S4 and later | All |
| Supported | A11 Bionic and later<br>All M series | Apple silicon | A12 Bionic and later | S4 and later | All |
examples:
title: Credential example
files:
- file: examples/declarative/declarations/assets/credentials/acme/example1.json
@@ -15,10 +15,16 @@ payload:
introduced: '10.0'
payloadkeys:
- key: Password
title: Password
type: <string>
presence: required
content: 'The password required to decrypt the PKCS #12 identity data.'
- key: Identity
title: Identity
type: <data>
presence: required
content: 'The PKCS #12 identity data.'
examples:
title: Credential example
files:
- file: examples/declarative/declarations/assets/credentials/identity/example1.json
@@ -38,15 +38,15 @@ payloadkeys:
You can represent OIDs as dotted numbers or use shortcuts for country (`C`), locality (`L`), state (`ST`), organization (`O`), organizational unit (`OU`), and common name (`CN`).
subkeys:
- key: SCEPSubjectArrayInnerArray
title: Array Inside SCEP Subject Array
title: Array inside SCEP subject array
type: <array>
subkeys:
- key: SCEPSubjectArrayPair
title: Subject Array Pair
title: Subject array pair
type: <array>
subkeys:
- key: SCEPSubjectArrayPairItem
title: SCEP Subject Array Pair Item
title: SCEP subject array pair item
type: <string>
repetition:
min: 2
@@ -58,7 +58,7 @@ payloadkeys:
presence: optional
content: A preshared secret.
- key: Keysize
title: Key Size
title: Key size
type: <integer>
presence: optional
rangelist:
@@ -68,13 +68,13 @@ payloadkeys:
default: 1024
content: The key size in bits, either `1024`, `2048`, or `4096`.
- key: Key Type
title: Key Type
title: Key type
type: <string>
presence: optional
default: RSA
content: The key type, which always has the value `RSA`.
- key: Key Usage
title: Key Usage
title: Key usage
type: <integer>
presence: optional
default: 0
@@ -94,25 +94,25 @@ payloadkeys:
content: The number of times the device should retry if the server sends a `PENDING`
response.
- key: RetryDelay
title: Retry Delay
title: Retry delay
type: <integer>
presence: optional
default: 10
content: The number of seconds to wait between subsequent retries. The system makes
the first retry without this delay.
- key: SubjectAltName
title: Subject Alt Name
title: Subject alt name
type: <dictionary>
presence: optional
content: The subject's alternative name for the certificate.
subkeys:
- key: rfc822Name
title: RFC 822 Name
title: RFC 822 name
type: <string>
presence: optional
content: The RFC 822 email address.
- key: dNSName
title: DNS Name
title: DNS name
type: <string>
presence: optional
content: The DNS name.
@@ -122,7 +122,11 @@ payloadkeys:
presence: optional
content: The uniform resource identifier.
- key: ntPrincipalName
title: NT Principal Name
title: NT principal name
type: <string>
presence: optional
content: The NT principal name. Use an other name OID set to `1.3.6.1.4.1.311.20.2.3`.
examples:
title: Credential example
files:
- file: examples/declarative/declarations/assets/credentials/scep/example1.json
@@ -15,10 +15,16 @@ payload:
introduced: '10.0'
payloadkeys:
- key: UserName
title: User name
type: <string>
presence: required
content: The user name for this credential.
- key: Password
title: Password
type: <string>
presence: optional
content: The password for this credential.
examples:
title: Credential example
files:
- file: examples/declarative/declarations/assets/credentials/usernameandpassword/example1.json
+15 -1
View File
@@ -15,27 +15,32 @@ payload:
introduced: '10.0'
payloadkeys:
- key: Reference
title: External reference
type: <dictionary>
presence: required
content: The external reference.
subkeys:
- key: DataURL
title: Data URL
type: <string>
presence: required
content: The URL to retrieve data, which needs to start with `https://`.
- key: ContentType
title: Content type
type: <string>
presence: optional
content: The media type that describes the data. If present, the system checks
the actual media type of the downloaded data, and an error occurs if the values
don't match.
- key: Size
title: Size
type: <integer>
presence: optional
content: The size of the data. Set the size to `0` if there's no expectation of
a response body. If present, the system checks the actual size of the downloaded
data, and an error occurs if the values don't match.
- key: Hash-SHA-256
title: SHA-256 hash
type: <string>
presence: optional
content: A SHA-256 hash of the data stored at the `DataURL`. Don't set this value
@@ -43,11 +48,14 @@ payloadkeys:
the actual hash of the downloaded data, and an error occurs if the values don't
match.
- key: Authentication
title: Server authentication
type: <dictionary>
presence: optional
content: The server authentication details.
content: The server authentication details. If this key is absent, the default authentication
type is MDM.
subkeys:
- key: Type
title: Authentication type
type: <string>
presence: required
rangelist:
@@ -57,3 +65,9 @@ payloadkeys:
The type of authentication, which has these allowed values:
- `MDM`: A request that uses MDM semantics, which includes the device-identity certificate, and any user authentication. This is equivalent to an MDM request made to the `CheckInURL` or `ServerURL`. This option is only available through declarative device management.
- `None`: A standard GET request.
If the `Authentication` dictionary is absent, the default authentication type is MDM.
examples:
title: Asset example
files:
- file: examples/declarative/declarations/assets/data/example1.json
@@ -15,12 +15,16 @@ payload:
introduced: '10.0'
payloadkeys:
- key: FullName
title: Full Name
title: Full name
type: <string>
presence: optional
content: The user's full name.
- key: EmailAddress
title: Email Address
title: Email address
type: <string>
presence: optional
content: The email address of the user.
examples:
title: Asset example
files:
- file: examples/declarative/declarations/assets/useridentity/example1.json
@@ -37,32 +37,30 @@ payload:
watchOS:
introduced: n/a
apply: multiple
content: A CalDAV configuration defines a CalDAV calendar and reminders account
for a user.
payloadkeys:
- key: VisibleName
title: Account Name
title: Account name
type: <string>
presence: optional
content: The name that apps show to the user for this calendar account. If not present,
the system generates a suitable default.
- key: HostName
title: Server Host Name
title: Server host name
type: <string>
presence: required
content: The hostname or IP address of the CalDAV server.
- key: Port
title: Server Port
title: Server port
type: <integer>
presence: optional
content: The port number for the CalDAV server.
- key: Path
title: Server Path
title: Server path
type: <string>
presence: optional
content: The path for the CalDAV server.
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
title: Authentication credentials asset reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
@@ -73,3 +71,8 @@ related-status-items:
- status-items:
- account.list.caldav
note: Each configuration will have a corresponding status item.
examples:
title: Configuration example
files:
- description: This configuration sets up a CalDAV account for calendars.
file: examples/declarative/declarations/configurations/account.caldav/example1.json
@@ -37,31 +37,30 @@ payload:
watchOS:
introduced: n/a
apply: multiple
content: A CardDAV configuration defines a CardDAV contacts account for a user.
payloadkeys:
- key: VisibleName
title: Account Name
title: Account name
type: <string>
presence: optional
content: The name that apps show to the user for this address book account. If not
present, the system generates a suitable default.
- key: HostName
title: Server Host Name
title: Server host name
type: <string>
presence: required
content: The hostname or IP address of the CardDAV server.
- key: Port
title: Server Port
title: Server port
type: <integer>
presence: optional
content: The port number for the CardDAV server.
- key: Path
title: Server Path
title: Server path
type: <string>
presence: optional
content: The path for the CardDAV server.
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
title: Authentication credentials asset reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
@@ -72,3 +71,8 @@ related-status-items:
- status-items:
- account.list.carddav
note: Each configuration will have a corresponding status item.
examples:
title: Configuration example
files:
- description: This configuration sets up a CardDAV account for contacts.
file: examples/declarative/declarations/configurations/account.carddav/example1.json
@@ -37,16 +37,15 @@ payload:
watchOS:
introduced: n/a
apply: multiple
content: This payload configures an Exchange ActiveSync account on an iOS device.
payloadkeys:
- key: VisibleName
title: Account Name
title: Account name
type: <string>
presence: optional
content: The name that apps show to the user for this Exchange account. If not present,
the system generates a suitable default.
- key: EnabledProtocolTypes
title: Enabled Protocol Types
title: Enabled protocol types
type: <array>
presence: required
content: |-
@@ -66,7 +65,7 @@ payloadkeys:
- EAS
- EWS
- key: UserIdentityAssetReference
title: User Identity Asset Reference
title: User identity asset reference
type: <string>
assettypes:
- com.apple.asset.useridentity
@@ -74,12 +73,12 @@ payloadkeys:
content: The identifier of an asset declaration that contains the user identity
for this account. The corresponding asset must be of type `UserIdentity`.
- key: HostName
title: Server Host Name
title: Server host name
type: <string>
presence: optional
content: The IP address or fully qualified domain name (FQDN) of the Exchange host.
- key: Port
title: Server Port
title: Server port
supportedOS:
iOS:
introduced: n/a
@@ -90,7 +89,7 @@ payloadkeys:
content: The port number of the EWS server. The system uses this only when this
declaration has a `HostName` value.
- key: Path
title: Server Path
title: Server path
supportedOS:
iOS:
introduced: n/a
@@ -101,7 +100,7 @@ payloadkeys:
content: The path of the EWS server. The system uses this only when this declaration
has a `HostName` value.
- key: ExternalHostName
title: Server External Host Name
title: Server external host name
supportedOS:
iOS:
introduced: n/a
@@ -111,7 +110,7 @@ payloadkeys:
presence: optional
content: The external hostname of the EWS server (or IP address).
- key: ExternalPort
title: Server External Port
title: Server external port
supportedOS:
iOS:
introduced: n/a
@@ -122,7 +121,7 @@ payloadkeys:
content: The external port number of the EWS server. The system uses this only when
this declaration has a `ExternalHostName` value.
- key: External Path
title: Server External Path
title: Server external path
supportedOS:
iOS:
introduced: n/a
@@ -144,6 +143,7 @@ payloadkeys:
presence: required
content: If `true`, enables OAuth for this account.
- key: SignInURL
title: Sign in URL
type: <string>
presence: optional
content: The URL that this account uses for signing in with OAuth. The system
@@ -151,6 +151,7 @@ payloadkeys:
when a declaration contains this URL, so the declaration must also contain a
`HostName`.
- key: TokenRequestURL
title: Token request URL
supportedOS:
macOS:
introduced: n/a
@@ -159,7 +160,7 @@ payloadkeys:
content: The URL that this account uses for token requests with OAuth. The system
ignores this value unless `Enabled` is `true`.
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
title: Authentication credentials asset reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
@@ -168,7 +169,7 @@ payloadkeys:
this account to authenticate with an Exchange server. Set the corresponding asset
type to `CredentialUserNameAndPassword`.
- key: AuthenticationIdentityAssetReference
title: Authentication Identity Asset Reference
title: Authentication identity asset reference
type: <string>
assettypes:
- com.apple.asset.credential.acme
@@ -178,7 +179,7 @@ payloadkeys:
content: The identifier of a credential asset declaration that contains the identity
that this account requires to authenticate with the Exchange server.
- key: SMIME
title: S/MIME Settings
title: S/MIME settings
supportedOS:
iOS:
introduced: '17.0'
@@ -189,18 +190,18 @@ payloadkeys:
content: Settings for S/MIME.
subkeys:
- key: Signing
title: S/MIME Signing Settings
title: S/MIME signing settings
type: <dictionary>
presence: optional
content: Settings for S/MIME signing.
subkeys:
- key: Enabled
title: Signing Enabled
title: Signing enabled
type: <boolean>
presence: required
content: If `true`, the system enables S/MIME signing.
- key: IdentityAssetReference
title: S/MIME Signing Identity Asset Reference
title: S/MIME signing identity asset reference
type: <string>
assettypes:
- com.apple.asset.credential.acme
@@ -210,31 +211,31 @@ payloadkeys:
content: Specifies the identifier of an asset declaration containing the identity
required for S/MIME signing of messages sent from this account.
- key: UserOverrideable
title: Signing User Overrideable
title: Signing user overrideable
type: <boolean>
presence: optional
default: false
content: If `true`, the user can turn S/MIME signing on or off in Settings.
- key: IdentityUserOverrideable
title: Signing Identity User Overrideable
title: Signing identity user overrideable
type: <boolean>
presence: optional
default: false
content: If `true`, the user can select an S/MIME signing identity in Settings.
- key: Encryption
title: S/MIME Encryption Settings
title: S/MIME encryption settings
type: <dictionary>
presence: optional
content: Settings for S/MIME encryption.
subkeys:
- key: Enabled
title: Encryption By Default Enabled
title: Encryption by default enabled
type: <boolean>
presence: required
content: If `true`, the system enables S/MIME encryption by default, which the
user can't override if `PerMessageSwitchEnabled` is `false`.
- key: IdentityAssetReference
title: S/MIME Encryption Identity Asset Reference
title: S/MIME encryption identity asset reference
type: <string>
assettypes:
- com.apple.asset.credential.acme
@@ -247,31 +248,33 @@ payloadkeys:
sends encrypted mail, the system uses the public certificate to encrypt the
copy of the mail in their Sent mailbox.
- key: UserOverrideable
title: Encryption By Default User Overrideable
title: Encryption by default user overrideable
type: <boolean>
presence: optional
default: false
content: If `true`, the user can turn S/MIME encryption by default on or off
in Settings.
- key: IdentityUserOverrideable
title: Encryption Identity User Overrideable
title: Encryption identity user overrideable
type: <boolean>
presence: optional
default: false
content: If `true`, the user can select an S/MIME signing identity in Settings.
- key: PerMessageSwitchEnabled
title: Per Message Switch Enabled
title: Per message switch enabled
type: <boolean>
presence: optional
default: false
content: If `true`, the system enables the per-message encryption switch in
the compose view.
- key: MailServiceActive
title: Mail service active
type: <boolean>
presence: optional
default: true
content: If `true`, the system activates the mail service for this account.
- key: LockMailService
title: Lock mail service
supportedOS:
macOS:
introduced: n/a
@@ -281,11 +284,13 @@ payloadkeys:
content: If `true`, the system prevents the user from changing the status of the
mail service for this account.
- key: ContactsServiceActive
title: Contacts service active
type: <boolean>
presence: optional
default: true
content: If `true`, activates the address book service for this account.
- key: LockContactsService
title: Lock contacts service
supportedOS:
macOS:
introduced: n/a
@@ -295,11 +300,13 @@ payloadkeys:
content: If `true`, the system prevents the user from changing the status of the
address book service for this account.
- key: CalendarServiceActive
title: Calendar service active
type: <boolean>
presence: optional
default: true
content: If `true`, activates the calendar service for this account.
- key: LockCalendarService
title: Lock calendar service
supportedOS:
macOS:
introduced: n/a
@@ -309,11 +316,13 @@ payloadkeys:
content: If `true`, the system prevents the user from changing the status of the
calendar service for this account.
- key: RemindersServiceActive
title: Reminders service active
type: <boolean>
presence: optional
default: true
content: If `true`, the system activates the reminders service for this account.
- key: LockRemindersService
title: Lock reminders service
supportedOS:
macOS:
introduced: n/a
@@ -323,11 +332,13 @@ payloadkeys:
content: If `true`, the system prevents the user from changing the status of the
reminders service for this account.
- key: NotesServiceActive
title: Notes service active
type: <boolean>
presence: optional
default: true
content: If `true`, the system activates the notes service for this account.
- key: LockNotesService
title: Lock notes service
supportedOS:
macOS:
introduced: n/a
@@ -340,3 +351,8 @@ related-status-items:
- status-items:
- account.list.exchange
note: Each configuration will have a corresponding status item.
examples:
title: Configuration example
files:
- description: This configuration sets up a Microsoft Exchange account.
file: examples/declarative/declarations/configurations/account.exchange/example1.json
@@ -37,18 +37,15 @@ payload:
watchOS:
introduced: n/a
apply: multiple
content: A Google configuration defines a Google account for a user. The user will
be prompted to enter their credentials shortly after the configuration successfully
installs.
payloadkeys:
- key: VisibleName
title: Account Name
title: Account name
type: <string>
presence: optional
content: The name that apps show to the user for this Google account. If not present,
the system generates a suitable default.
- key: UserIdentityAssetReference
title: User Identity Asset Reference
title: User identity asset reference
type: <string>
assettypes:
- com.apple.asset.useridentity
@@ -61,3 +58,8 @@ related-status-items:
- status-items:
- account.list.google
note: Each configuration will have a corresponding status item.
examples:
title: Configuration example
files:
- description: This configuration sets up a Google account.
file: examples/declarative/declarations/configurations/account.google/example1.json
@@ -38,26 +38,25 @@ payload:
watchOS:
introduced: n/a
apply: multiple
content: An LDAP configuration defines an LDAP directory account for a user.
payloadkeys:
- key: VisibleName
title: Account Name
title: Account name
type: <string>
presence: optional
content: The name that apps show to the user for this LDAP account. If not present,
the system generates a suitable default.
- key: HostName
title: Server Host Name
title: Server host name
type: <string>
presence: required
content: The hostname or IP address of the LDAP server.
- key: Port
title: Server Port
title: Server port
type: <integer>
presence: optional
content: The port number or IP address of the LDAP server.
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
title: Authentication credentials asset reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
@@ -65,7 +64,7 @@ payloadkeys:
content: The identifier of an asset declaration that contains the credentials for
this account. Set the corresponding asset type to `CredentialUserNameAndPassword`.
- key: SearchSettings
title: Search Settings
title: Search settings
type: <array>
presence: optional
content: The array of nodes to start LDAP searches from. There must be at least
@@ -73,17 +72,17 @@ payloadkeys:
other items in the array.
subkeys:
- key: SearchSettingsItem
title: An LDAP Search Setting
title: An LDAP search setting
type: <dictionary>
subkeys:
- key: VisibleDescription
title: Visible Description
title: Visible description
type: <string>
presence: optional
content: The description of this search setting in the Contacts and Settings
apps. If not present, the apps display no name.
- key: SearchBase
title: Search Base
title: Search base
type: <string>
presence: required
content: The path to the node where a search starts. For example, `ou=people,o=example
@@ -107,3 +106,8 @@ related-status-items:
- status-items:
- account.list.ldap
note: Each configuration will have a corresponding status item.
examples:
title: Configuration example
files:
- description: This configuration sets up an LDAP directory account.
file: examples/declarative/declarations/configurations/account.ldap/example1.json
@@ -37,16 +37,15 @@ payload:
watchOS:
introduced: n/a
apply: multiple
content: An email configuration defines an email account for a user.
payloadkeys:
- key: VisibleName
title: Account Name
title: Account name
type: <string>
presence: optional
content: The name that apps show to the user for this mail account. If not present,
the system generates a suitable default.
- key: UserIdentityAssetReference
title: User Identity Asset Reference
title: User identity asset reference
type: <string>
assettypes:
- com.apple.asset.useridentity
@@ -54,13 +53,13 @@ payloadkeys:
content: The identifier of an asset declaration that contains the user identity
for this account. Set the corresponding asset type to `UserIdentity`.
- key: IncomingServer
title: Incoming Server Settings
title: Incoming server settings
type: <dictionary>
presence: required
content: The settings for the incoming mail server for this account.
subkeys:
- key: ServerType
title: Server Type
title: Server type
type: <string>
presence: required
rangelist:
@@ -68,17 +67,17 @@ payloadkeys:
- POP
content: The mail protocol this account uses.
- key: HostName
title: Server Host Name
title: Server host name
type: <string>
presence: required
content: The host name for the incoming mail server.
- key: Port
title: Server Port
title: Server port
type: <integer>
presence: optional
content: The port number for the incoming mail server.
- key: AuthenticationMethod
title: Server Authentication Method
title: Server authentication method
type: <string>
presence: required
rangelist:
@@ -89,7 +88,7 @@ payloadkeys:
- HTTPMD5
content: The authentication method for the incoming mail server.
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
title: Authentication credentials asset reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
@@ -99,29 +98,29 @@ payloadkeys:
If the `AuthenticationMethod` is `None`, this field must be blank. Otherwise, the declaration must contain this field.
- key: IMAPPathPrefix
title: IMAP Path Prefix
title: IMAP path prefix
type: <string>
presence: optional
content: The path prefix for the IMAP server. The system uses this only when `ServerType`
is `IMAP`.
- key: OutgoingServer
title: Outgoing Server Settings
title: Outgoing server settings
type: <dictionary>
presence: required
content: The settings for the outgoing mail server for this account.
subkeys:
- key: HostName
title: Server Host Name
title: Server host name
type: <string>
presence: required
content: The host name for the outgoing mail server.
- key: Port
title: Server Port
title: Server port
type: <integer>
presence: optional
content: The port number for the outgoing mail server.
- key: AuthenticationMethod
title: Server Authentication Method
title: Server authentication method
type: <string>
presence: required
rangelist:
@@ -132,7 +131,7 @@ payloadkeys:
- HTTPMD5
content: The authentication method for the outgoing mail server.
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
title: Authentication credentials asset reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
@@ -142,7 +141,7 @@ payloadkeys:
If the `AuthenticationMethod` is `None`, this field must be blank. Otherwise, the declaration must contain this field.
- key: SMIME
title: S/MIME Settings
title: S/MIME settings
supportedOS:
iOS:
introduced: '17.0'
@@ -153,18 +152,18 @@ payloadkeys:
content: Settings for S/MIME.
subkeys:
- key: Signing
title: S/MIME Signing Settings
title: S/MIME signing settings
type: <dictionary>
presence: optional
content: Settings for S/MIME signing.
subkeys:
- key: Enabled
title: Signing Enabled
title: Signing enabled
type: <boolean>
presence: required
content: If `true`, the system enables S/MIME signing.
- key: IdentityAssetReference
title: S/MIME Signing Identity Asset Reference
title: S/MIME signing identity asset reference
type: <string>
assettypes:
- com.apple.asset.credential.acme
@@ -174,31 +173,31 @@ payloadkeys:
content: Specifies the identifier of an asset declaration containing the identity
required for S/MIME signing of messages sent from this account.
- key: UserOverrideable
title: Signing User Overrideable
title: Signing user overrideable
type: <boolean>
presence: optional
default: false
content: If `true`, the user can turn S/MIME signing on or off in Settings.
- key: IdentityUserOverrideable
title: Signing Identity User Overrideable
title: Signing identity user overrideable
type: <boolean>
presence: optional
default: false
content: If `true`, the user can select an S/MIME signing identity in Settings.
- key: Encryption
title: S/MIME Encryption Settings
title: S/MIME encryption settings
type: <dictionary>
presence: optional
content: Settings for S/MIME encryption.
subkeys:
- key: Enabled
title: Encryption By Default Enabled
title: Encryption by default enabled
type: <boolean>
presence: required
content: If `true`, the system enables S/MIME encryption by default, which the
user can't override if `PerMessageSwitchEnabled` is `false`.
- key: IdentityAssetReference
title: S/MIME Encryption Identity Asset Reference
title: S/MIME encryption identity asset reference
type: <string>
assettypes:
- com.apple.asset.credential.acme
@@ -211,20 +210,20 @@ payloadkeys:
sends encrypted mail, the system uses the public certificate to encrypt the
copy of the mail in their Sent mailbox.
- key: UserOverrideable
title: Encryption By Default User Overrideable
title: Encryption by default user overrideable
type: <boolean>
presence: optional
default: false
content: If `true`, the user can set the default value for S/MIME encryption
to on or off in Settings.
- key: IdentityUserOverrideable
title: Encryption Identity User Overrideable
title: Encryption identity user overrideable
type: <boolean>
presence: optional
default: false
content: If `true`, the user can select an S/MIME signing identity in Settings.
- key: PerMessageSwitchEnabled
title: Per Message Switch Enabled
title: Per message switch enabled
type: <boolean>
presence: optional
default: false
@@ -236,3 +235,9 @@ related-status-items:
- account.list.mail.outgoing
note: Each configuration will have a corresponding status item for incoming and
outgoing accounts.
examples:
title: Configuration example
files:
- description: This configuration sets up an IMAP email account with SMTP outgoing
mail.
file: examples/declarative/declarations/configurations/account.mail/example1.json
@@ -37,11 +37,9 @@ payload:
watchOS:
introduced: n/a
apply: multiple
content: A subscribed calendar configuration defines a subscribed calendar for a
user.
payloadkeys:
- key: VisibleName
title: Account Name
title: Account name
type: <string>
presence: optional
content: The name that apps show to the user for this calendar account. If not present,
@@ -52,7 +50,7 @@ payloadkeys:
presence: required
content: The URL of the subscribed calendar, which needs to start with `https://`.
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
title: Authentication credentials asset reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
@@ -64,3 +62,8 @@ related-status-items:
- status-items:
- account.list.subscribed-calendar
note: Each configuration will have a corresponding status item.
examples:
title: Configuration example
files:
- description: This configuration subscribes to a calendar feed.
file: examples/declarative/declarations/configurations/account.subscribed-calendar/example1.json
@@ -41,7 +41,7 @@ payloadkeys:
type: <string>
presence: optional
content: |-
The App Store ID of the managed app that is downloaded from the App Store.
The App Store ID of the managed app that's downloaded from the App Store.
Only one of `AppStoreID`, `BundleID`, `ManifestURL`, or `AppComposedIdentifier` needs to be present.
- key: BundleID
@@ -49,7 +49,7 @@ payloadkeys:
type: <string>
presence: optional
content: |-
The bundle ID of the managed app that is downloaded from the App Store.
The bundle ID of the managed app that's downloaded from the App Store.
Only one of `AppStoreID`, `BundleID`, `ManifestURL`, or `AppComposedIdentifier` needs to be present.
- key: ManifestURL
@@ -60,13 +60,11 @@ payloadkeys:
type: <string>
presence: optional
content: |-
The URL of the manifest for the managed app that the device downloads from a web site. The manifest is returned as a `ManifestURL` property list.
The URL of the manifest for the managed app that the device downloads from a web site. The manifest is a `ManifestURL` property list.
Only one of `AppStoreID`, `BundleID`, `ManifestURL`, or `AppComposedIdentifier` needs to be present.
Available only in iOS and visionOS.
- key: AppComposedIdentifier
title: App Composed Identifier
title: App composed identifier
supportedOS:
iOS:
introduced: n/a
@@ -77,20 +75,18 @@ payloadkeys:
type: <string>
presence: optional
content: |-
A string that specifies the composed identifier of an existing app that needs to be managed. The device uses this to take over management of an app installed by some other process, for example installed manually by the user, or via a package configuration. If the app isn't present when the device applies the configuration, the device takes over management of it when it does install.
A string that specifies the composed identifier of an existing app that needs to be managed. The device uses this to take over management of an app installed by some other process, for example installed manually by the user, or via a package configuration. If the app isn't present when the device applies the configuration, the device takes over management of it when it does install. Management of the app occurs only if its code signature matches the composed identifier.
The following rules apply when the device takes over management:
- If the `InstallBehavior.Install` key is set to `Required`, the device takes over management of the app.
- If the `InstallBehavior.Install` key is set to `Optional`, the device takes over management of the app when the user "installs" it using an MDM management app.
The format of the composed identifier is either "Bundle-ID (Team-ID)" or "Bundle-ID {Designated-Requirement}". For example, `com.example.app (ABCD1234)` for the team ID format, or `com.example.app {anchor apple generic}` for the designated requirement format. Management of the app occurs only if its code signature matches the composed identifier.
The format of the composed identifier is either "Bundle-ID" or "Bundle-ID (Team-ID)". "Bundle-ID" is the bundle identifier string of the provider. "Team-ID" is the team identifier from the provider's code signature. For example, "com.example.app" for the bundle ID format, or "com.example.app (ABCD1234)" for the team ID format.
In macOS, only one of `AppStoreID`, `BundleID`, or `AppComposedIdentifier` needs to be present.
Available only in macOS.
- key: iOSApp
title: iOS App
title: iOS app
supportedOS:
iOS:
introduced: n/a
@@ -101,12 +97,10 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: |-
If `true`, the device installs an iOS or iPadOS app that runs on a Mac with Apple Silicon. This is only used when the app is an App Store app.
Available only in macOS.
content: If `true`, the device installs an iOS or iPadOS app that runs on a Mac
with Apple silicon. This is only used when the app is an App Store app.
- key: InstallBehavior
title: Install Behavior
title: Install behavior
type: <dictionary>
presence: optional
content: A dictionary that describes how and when to install the app.
@@ -147,7 +141,7 @@ payloadkeys:
This key needs to be present for App Store apps, when either `AppStoreID` or `BundleID` are present in the configuration.
- key: VPPType
title: VPP Type
title: VPP type
supportedOS:
iOS:
removed: '18.0'
@@ -179,7 +173,7 @@ payloadkeys:
type: <integer>
presence: optional
content: |-
The App Store external version identifier (EVID) of the version of the app the device installs. You can retrieve this value from the App Store. For more information, see `Apps and Books for Organizations`. This key is ignored if the app isn't an App Store app.
The App Store external version identifier (EVID) of the version of the app the device installs. You can retrieve this value from the App Store. For more information, see `Apps and books metadata for organizations`. This key is ignored if the app isn't an App Store app.
The following rules apply when the device applies or updates the configuration:
@@ -196,7 +190,7 @@ payloadkeys:
> Note:
> The device never installs an older version of the app over a newer version.
- key: AllowDownloadsOverCellular
title: Allow Downloads Over Cellular
title: Allow downloads over cellular
supportedOS:
iOS:
introduced: '26.0'
@@ -221,10 +215,8 @@ payloadkeys:
- `StoreSettings`: The device uses the settings for the corresponding store when downloading apps.
The device always uses the store settings to download apps when the install or update operation is user initiated.
Available only in iOS.
- key: UpdateBehavior
title: Update Behavior
title: Update behavior
supportedOS:
iOS:
introduced: '26.0'
@@ -237,7 +229,7 @@ payloadkeys:
content: A dictionary that specifies how the device updates apps.
subkeys:
- key: AutomaticAppUpdates
title: Automatic App Updates
title: Automatic app updates
type: <string>
presence: required
rangelist:
@@ -251,35 +243,29 @@ payloadkeys:
- `AlwaysOff`: The device never automatically updates the app.
- `StoreSettings`: The device uses the settings for the corresponding store to determine when to automatically update the app. For Enterprise apps, this setting behaves the same as `AlwaysOff`.
When the `InstallBehavior.Version` key is specified, the device ignores this key and Automatic App Updates are disabled.
When you specify the `InstallBehavior.Version` key, the device ignores this key and Automatic App Updates are disabled.
In macOS, the device ignores this setting if the `AppComposedIdentifier` key is set in the configuration.
- key: IncludeInBackup
title: Include in Backup
title: Include in backup
supportedOS:
macOS:
introduced: n/a
type: <boolean>
presence: optional
default: true
content: |-
If `true`, backups contain the app and its data.
Available only in iOS and visionOS.
content: If `true`, backups contain the app and its data.
- key: Attributes
title: App Attributes
title: App attributes
supportedOS:
macOS:
introduced: n/a
type: <dictionary>
presence: optional
content: |-
A dictionary of values to associate with the app.
Available only in iOS and visionOS.
content: A dictionary of values to associate with the app.
subkeys:
- key: AssociatedDomains
title: Associated Domains
title: Associated domains
type: <array>
presence: optional
content: An array of domain names to associate with the app.
@@ -290,13 +276,13 @@ payloadkeys:
presence: required
content: A domain to be associated with the app.
- key: AssociatedDomainsEnableDirectDownloads
title: Associated Domains Enable Direct Downloads
title: Associated domains enable direct downloads
type: <boolean>
presence: optional
default: false
content: If `true`, the system enables direct downloads for the `AssociatedDomains`.
- key: CellularSliceUUID
title: Cellular Slice UUID
title: Cellular slice UUID
supportedOS:
visionOS:
introduced: n/a
@@ -307,12 +293,12 @@ payloadkeys:
carrier-provided DNN name. For app category, encode the value as "AppCategory:category",
where "category" is a carrier-provided string such as "Enterprise1".
- key: ContentFilterUUID
title: Content Filter UUID
title: Content filter UUID
type: <string>
presence: optional
content: The UUID of the content filter to associate with the app.
- key: DNSProxyUUID
title: DNS Proxy UUID
title: DNS proxy UUID
type: <string>
presence: optional
content: The UUID of the DNS proxy to associate with the app.
@@ -347,7 +333,7 @@ payloadkeys:
presence: optional
content: The UUID of the relay to associate with the app.
- key: TapToPayScreenLock
title: Tap to Pay Screen Lock
title: Tap to pay screen lock
supportedOS:
visionOS:
introduced: n/a
@@ -362,22 +348,19 @@ payloadkeys:
presence: optional
content: The UUID of the VPN to associate with the app.
- key: AppConfig
title: App Config
title: App config
supportedOS:
iOS:
introduced: '18.4'
macOS:
introduced: n/a
introduced: '27.0'
type: <dictionary>
presence: optional
content: |-
A dictionary of app config data and credentials.
Available only in iOS and visionOS.
content: A dictionary of app config data and credentials.
subkeytype: AppConfigDictionary
subkeys: &id001
- key: DataAssetReference
title: App/Extension Config Data Asset Reference
title: App/Extension config data asset reference
type: <string>
assettypes:
- com.apple.asset.data
@@ -392,7 +375,7 @@ payloadkeys:
type `com.apple.asset.data`. The referenced data needs to be a property list
file, and the asset's "ContentType" value set to match the data type.
- key: Passwords
title: Password App/Extension Configs.
title: Password App/Extension configs.
type: <array>
presence: optional
content: Provides passwords to the managed app or extension. Each element in the
@@ -401,19 +384,20 @@ payloadkeys:
subkeytype: CredentialConfig
subkeys:
- key: PasswordAppConfigItem
title: Password app config item
type: <dictionary>
presence: required
content: A dictionary of values associated with a credential config.
subkeys:
- key: Identifier
title: Password Identifier
title: Password identifier
type: <string>
presence: required
content: The app or extension uses this identifier to fetch the corresponding
password using the `ManagedApp` framework. App developers define the values
for these identifiers.
- key: AssetReference
title: Asset Reference
title: Asset reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
@@ -422,7 +406,7 @@ payloadkeys:
and password. The `ManagedApp` framework makes the password available to
the app or extension. The `ManagedApp` framework ignores the username.
- key: Identities
title: Identity App/Extension Configs.
title: Identity App/Extension configs.
type: <array>
presence: optional
content: Provides identities to the managed app or extension. Each element in
@@ -431,19 +415,20 @@ payloadkeys:
subkeytype: CredentialConfig
subkeys:
- key: IdentityAppConfigItem
title: Identity app config item
type: <dictionary>
presence: required
content: A dictionary of values associated with a credential config.
subkeys:
- key: Identifier
title: Identity Identifier
title: Identity identifier
type: <string>
presence: required
content: The app or extension uses this identifier to fetch the corresponding
identity using the `ManagedApp` framework. App developers define the values
for these identifiers.
- key: AssetReference
title: Asset Reference
title: Asset reference
type: <string>
assettypes:
- com.apple.asset.credential.identity
@@ -452,7 +437,7 @@ payloadkeys:
presence: required
content: Specifies the identifier of an asset declaration containing an identity.
- key: Certificates
title: Certificate App/Extension Configs.
title: Certificate App/Extension configs.
type: <array>
presence: optional
content: Provides certificates to the managed app or extension. Each element in
@@ -461,53 +446,53 @@ payloadkeys:
subkeytype: CredentialConfig
subkeys:
- key: CertificateAppConfigItem
title: Certificate app config item
type: <dictionary>
presence: required
content: A dictionary of values associated with a credential config.
subkeys:
- key: Identifier
title: Certificate Identifier
title: Certificate identifier
type: <string>
presence: required
content: The app or extension uses this identifier to fetch the corresponding
certificate using the `ManagedApp` framework. App developers define the
values for these identifiers.
- key: AssetReference
title: Asset Reference
title: Asset reference
type: <string>
assettypes:
- com.apple.asset.credential.certificate
presence: required
content: Specifies the identifier of an asset declaration containing a certificate.
- key: ExtensionConfigs
title: Extension Configs
title: Extension configs
supportedOS:
iOS:
introduced: '18.4'
macOS:
introduced: n/a
introduced: '27.0'
type: <dictionary>
presence: optional
content: |-
A dictionary of extension config data and credentials.
Available only in iOS and visionOS.
content: A dictionary of extension config data and credentials.
subkeys:
- key: ANY
title: Extension Composed Identifier
title: Extension composed identifier
type: <dictionary>
presence: optional
content: A dictionary mapping extension composed identifiers to the extension
config data and credentials. The expected format is "Identifier (TeamIdentifier)".
content: |-
A dictionary mapping extension composed identifiers to the extension config data and credentials.
The format of the composed identifier is either "Bundle-ID" or "Bundle-ID (Team-ID)". "Bundle-ID" is the bundle identifier string of the provider. "Team-ID" is the team identifier from the provider's code signature. For example, "com.example.app" for the bundle ID format, or "com.example.app (ABCD1234)" for the team ID format.
subkeytype: AppConfigDictionary
subkeys: *id001
- key: LegacyAppConfigAssetReference
title: App Config MDMv1 Asset Reference
title: App config MDMv1 asset reference
supportedOS:
iOS:
introduced: '18.4'
macOS:
introduced: n/a
introduced: '27.0'
type: <string>
assettypes:
- com.apple.asset.data
@@ -520,9 +505,26 @@ payloadkeys:
content: |-
The identifier of an asset declaration containing a reference to the app config data. The device provides the app config data to the app using the MDMv1 behavior. The corresponding asset needs to be of type `com.apple.asset.data`. The referenced data needs to be a property list file, and the asset's "ContentType"
value set to match the data type.
Available only in iOS and visionOS.
related-status-items:
- status-items:
- app.managed.list
note: Each configuration has a corresponding status item.
examples:
title: Configuration examples
files:
- tab: App Store
description: This configuration installs an App Store app with `Required` install
behavior and a device license.
file: examples/declarative/declarations/configurations/app.managed/example1.json
- tab: Enterprise
description: This configuration installs an enterprise app with app attributes,
cellular downloads disallowed, and an update policy.
file: examples/declarative/declarations/configurations/app.managed/example2.json
- tab: Packaged
description: This configuration manages an app installed by a package using a
composed identifier to identify the app.
file: examples/declarative/declarations/configurations/app.managed/example3.json
- tab: Configuration
description: This configuration installs an enterprise app with declarative app
configuration for the app and an extension.
file: examples/declarative/declarations/configurations/app.managed/example4.json
@@ -0,0 +1,361 @@
title: App:Settings
description: The declaration to configure app settings.
payload:
declarationtype: com.apple.configuration.app.settings
supportedOS:
iOS:
introduced: '27.0'
allowed-enrollments:
- supervised
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- user
macOS:
introduced: '27.0'
allowed-enrollments:
- supervised
allowed-scopes:
- system
- user
tvOS:
introduced: '27.0'
allowed-enrollments:
- supervised
allowed-scopes:
- system
visionOS:
introduced: '27.0'
allowed-enrollments:
- supervised
allowed-scopes:
- system
watchOS:
introduced: n/a
apply: combined
payloadkeys:
- key: Allowed
title: Allowed apps
type: <dictionary>
presence: optional
content: The dictionary of allowed app settings.
subkeys:
- key: AllowedApps
title: Allowed apps
supportedOS:
macOS:
introduced: n/a
type: <array>
presence: optional
combinetype: set-intersection
content: If present, the device only shows or launches apps with bundle IDs in
the array. Include the value `com.apple.webapp` to allow all webclips. This
applies to App Store apps, marketplace apps, and locally installed apps (using
Configurator, Xcode, and so forth).
subkeys: &id001
- key: AppIdentifier
type: <string>
presence: required
content: String containing an identifier to match an app.
- key: DeniedApps
title: Denied apps
supportedOS:
macOS:
introduced: n/a
type: <array>
presence: optional
combinetype: set-union
content: |-
If present, the device prevents showing or launching apps with bundle IDs in the
array. Include the value `com.apple.webapp` to restrict all webclips. This applies to
App Store apps, marketplace apps, and locally installed apps (using Configurator,
Xcode, and so forth).
> Note:
> Denying system apps may disable other functionality. For example, denying the App
Store app may prevent users from accepting the terms and conditions for the user-based
Volume Purchase Program (VPP).
subkeys: *id001
- key: AllowedBinaries
title: Allowed binaries
supportedOS:
iOS:
introduced: n/a
macOS:
allowed-scopes:
- system
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
type: <array>
presence: optional
combinetype: set-intersection
content: If present, the device only allows binaries that match the binary identifier
properties to run. A binary only matches when all the binary identifiers match.
The device always runs system critical processes. Use "codesign -dvvv <path_to_binary>"
to show the information you need to generate these values.
subkeys: &id002
- key: BinaryIdentifier
title: Binary identifier
type: <dictionary>
presence: required
content: Dictionary containing one or more identifier fields to match a binary.
subkeys:
- key: CDHash
title: Code directory hash
type: <string>
presence: optional
content: The code signature code directory hash of the binary.
- key: SigningID
title: Signing ID
type: <string>
presence: optional
content: The code signature signing identifier of the binary.
- key: TeamID
title: Team ID
type: <string>
presence: optional
content: The code signature team identifier of the binary. Use the value "*APPLE*"
instead of an empty string for Apple binaries with an empty team identifier.
- key: PathPrefix
title: Path prefix
type: <string>
presence: optional
content: The file system path prefix to match binaries.
- key: SigningState
title: Signing state
type: <string>
presence: optional
rangelist:
- All
- TestFlight
- DeveloperID
- Enterprise
- AppStore
- Apple
default: All
combinetype: enum-last
content: The code signing state to match binaries.
- key: DeniedBinaries
title: Denied binaries
supportedOS:
iOS:
introduced: n/a
macOS:
allowed-scopes:
- system
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
type: <array>
presence: optional
combinetype: set-union
content: If present, the device doesn't allow binaries that match the binary identifier
properties to run. A binary only matches when all the binary identifiers match.
subkeys: *id002
- key: AlwaysAllowManagedApps
title: Always allow managed apps
supportedOS:
iOS:
introduced: n/a
macOS:
allowed-scopes:
- system
tvOS:
introduced: n/a
visionOS:
introduced: n/a
type: <boolean>
presence: optional
default: false
combinetype: boolean-or
content: If `true`, the device implicitly includes managed apps in the effective
allow list when `AllowedApps` or `AllowedBinaries` is present.
- key: Privacy
title: App privacy
supportedOS:
macOS:
allowed-scopes:
- user
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
type: <dictionary>
presence: optional
content: The dictionary of app settings.
subkeys:
- key: PermissionDefaults
title: App privacy permission defaults
type: <dictionary>
presence: optional
content: |-
The dictionary of app privacy permission defaults. Each key in the dictionary is an app identifier. The dictionary values represent the permission defaults that the device applies for each matching app.
In iOS, the app identifier is a bundle ID, for example, "com.example.app".
In macOS, the app identifier is a composed identifier. The format of the composed identifier is either "Bundle-ID", "Bundle-ID (Team-ID)", or "Bundle-ID {Designated-Requirement}". "Bundle-ID" is the bundle identifier string of the app. "Team-ID" is the team identifier from the app's code signature. "Designated-Requirement" is the designated requirement string from the code signature of the app. For example, "com.example.app" for the bundle ID format, "com.example.app (ABCD1234)" for the team ID format, or "com.example.app {anchor apple generic}" for the designated requirement format. The device only applies defaults for an app if its code signature matches the composed identifier.
subkeys:
- key: ANY
type: <dictionary>
presence: optional
content: The dictionary that defines the app privacy permission defaults. Each
key is an app identifier.
subkeytype: AppDictionary
subkeys:
- key: OrganizationJustification
title: Organization justification
type: <string>
presence: required
content: Text you provide that clearly explains to the user the reason why
the organization requires these app permission defaults. The device includes
this text in the permission consent prompt it displays when it launches
the app.
- key: Accessibility
title: Accessibility permission
supportedOS:
iOS:
introduced: n/a
type: <string>
presence: optional
rangelist:
- None
- Allow
combinetype: enum-last
content: |-
Controls whether an app privacy permission default is set.
* `None`: No app privacy permission default is set for use of accessibility.
* `Allow`: The app privacy permission default is set to allow use of accessibility.
- key: Bluetooth
title: Bluetooth permission
type: <string>
presence: optional
rangelist:
- None
- Allow
combinetype: enum-last
content: |-
Controls whether an app privacy permission default is set.
* `None`: No app privacy permission default is set for use of Bluetooth.
* `Allow`: The app privacy permission default is set to allow use of Bluetooth.
- key: Camera
title: Camera permission
type: <string>
presence: optional
rangelist:
- None
- Allow
combinetype: enum-last
content: |-
Controls whether an app privacy permission default is set.
* `None`: No app privacy permission default is set for use of the camera.
* `Allow`: The app privacy permission default is set to allow use of the camera.
- key: Dictation
title: Dictation permission
type: <string>
presence: optional
rangelist:
- None
- Allow
combinetype: enum-last
content: |-
Controls whether an app privacy permission default is set.
* `None`: No app privacy permission default is set for use of dictation.
* `Allow`: The app privacy permission default is set to allow use of dictation.
- key: LocalNetwork
title: Local network permission
type: <string>
presence: optional
rangelist:
- None
- Allow
combinetype: enum-last
content: |-
Controls whether an app privacy permission default is set.
* `None`: No app privacy permission default is set for use of the local network.
* `Allow`: The app privacy permission default is set to allow use of the local network.
- key: Location
title: Location permission
type: <string>
presence: optional
rangelist:
- None
- WhileUsing
- Always
combinetype: enum-last
content: |-
Controls whether an app privacy permission default is set.
* `None`: No app privacy permission default is set for access to location.
* `WhileUsing`: The app privacy permission default is set to allow access to location only while the user is using the app In macOS, this is equivalent to `Always`.
* `Always`: The app privacy permission default is set to allow access to location always.
- key: LocationAccuracy
title: Location accuracy permission
supportedOS:
macOS:
introduced: n/a
type: <string>
presence: optional
rangelist:
- None
- Approximate
- Precise
combinetype: enum-last
content: |-
Controls whether an app privacy permission default is set.
* `None`: No app privacy permission default is set for access to precise location.
* `Approximate`: The app privacy permission default is set to allow approximate access to location.
* `Precise`: The app privacy permission default is set to allow precise access to location.
- key: Microphone
title: Microphone permission
type: <string>
presence: optional
rangelist:
- None
- Allow
combinetype: enum-last
content: |-
Controls whether an app privacy permission default is set.
* `None`: No app privacy permission default is set for use of the microphone.
* `Allow`: The app privacy permission default is set to allow use of the microphone.
notes:
- title: Binary identifier rules
content: |-
The following combinations of binary identifiers are supported for each key:
* `AllowedBinaries`:
* Either `CDHash` or `TeamID` needs to be present.
* `SigningID`, `PathPrefix`, or `SigningState` may be present.
* `DeniedBinaries`:
* Either `CDHash` or `TeamID` or `SigningID` needs to be present.
* `PathPrefix` or `SigningState` may be present.
- title: Privacy permission defaults
content: |-
Privacy permission defaults allow an organization to suggest a set of privacy permissions for use with an app. When set, the app displays a consent prompt listing all the configured defaults. If the user accepts, the device applies those defaults for the app. If the user declines, no defaults are set and the device prompts the user in the normal way when the app requires permission.
The consent prompt only shows permissions that the user hasn't previously seen, and won't appear if the user has seen all permissions. The user can choose from one of two options in the prompt:
* `Allow`: this option sets the app privacy permissions for the specified sub-systems (camera, microphone, and so on) to "Allow". The device doesn't prompt the user when the app uses the sub-system.
* `Not Now`: this option ignores the app privacy permission defaults for the specified sub-systems (camera, microphone, and so on). The device prompts the user in the normal way when the app uses the sub-system.
The user can change the app permission privacy settings in Settings.app if they choose.
Only AppKit-based apps on macOS support this feature.
examples:
title: Configuration examples
files:
- tab: Allow various permission defaults for several apps in iOS
description: This configuration sets various privacy permission defaults for several
apps.
file: examples/declarative/declarations/configurations/app.settings/example1.json
- tab: Allow various permission defaults for several apps in macOS
description: This configuration sets various privacy permission defaults for several
apps.
file: examples/declarative/declarations/configurations/app.settings/example2.json
@@ -23,7 +23,7 @@ payload:
apply: combined
payloadkeys:
- key: TemporaryPairing
title: Temporary Pairing
title: Temporary pairing
type: <dictionary>
presence: optional
content: A dictionary that describes audio accessory temporary pairing behavior.
@@ -32,14 +32,14 @@ payloadkeys:
when temporary pairing is active.
subkeys:
- key: Disabled
title: Temporary Pairing Disabled
title: Temporary pairing disabled
type: <boolean>
presence: optional
default: false
combinetype: boolean-or
content: If `true`, temporary pairing of audio accessories is disabled.
- key: Configuration
title: Temporary Pairing Configuration
title: Temporary pairing configuration
type: <dictionary>
presence: optional
combinetype: first
@@ -47,14 +47,14 @@ payloadkeys:
if `Disabled` isn't present or is `false`.
subkeys:
- key: UnpairingTime
title: Temporary Pairing Unpairing Time
title: Temporary pairing unpairing time
type: <dictionary>
presence: required
content: A dictionary that describes when the device automatically unpairs temporarily
paired audio accessories.
subkeys:
- key: Policy
title: Unpairing Policy
title: Unpairing policy
type: <string>
presence: required
rangelist:
@@ -65,7 +65,7 @@ payloadkeys:
- `None`: The device doesn't automatically unpair. Use this only with a return to service device that you erase and reenroll when assigning it from one user to another.
- `Hour`: The device automatically unpairs temporarily paired audio accessories at the local time that the `Hour` key specifies.
- key: Hour
title: Hour of Unpairing
title: Hour of unpairing
type: <integer>
presence: optional
range:
@@ -81,3 +81,9 @@ notes:
- Pair and use audio accessories - the device records the pairing and synchronizes it to their iCloud account.
- Use the audio accessory AirPods Sharing feature.
examples:
title: Configuration example
files:
- description: This configuration enables temporary pairing and sets an unpairing
time of 6 pm.
file: examples/declarative/declarations/configurations/audio-accessory.settings/example1.json
@@ -0,0 +1,328 @@
title: Content Caching
description: The declaration to configure the Content Caching service.
payload:
declarationtype: com.apple.configuration.content-cache.settings
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '27.0'
allowed-enrollments:
- supervised
- local
allowed-scopes:
- system
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
apply: single
payloadkeys:
- key: AllowCacheDelete
title: Allow cache delete
type: <boolean>
presence: optional
default: true
content: If `true`, the system purges content from the cache automatically when
it needs disk space for other apps when free disk space runs low on the computer.
Set to `false` to maximize effectiveness of Content Caching.
- key: AllowPersonalCaching
title: Allow personal caching
type: <boolean>
presence: optional
default: true
content: |-
If `true`, the system caches the user's iCloud data. Changes to this value don't have an immediate effect. Clients may take some time to react to changes.
> Note:
> At least one of the `AllowPersonalCaching` or `AllowSharedCaching` keys need to be `true`.
- key: AllowSharedCaching
title: Allow shared caching
type: <boolean>
presence: optional
default: true
content: |-
If `true`, the system caches non-iCloud content, such as apps and software updates. Changes to this value don't have an immediate effect. Clients may take some time to react to changes.
> Note:
> At least one of the `AllowPersonalCaching` or `AllowSharedCaching` keys need to be `true`.
- key: AutoActivation
title: Auto activation
type: <boolean>
presence: optional
default: false
content: |-
If `true`, the system automatically activates the content cache when possible and prevents disabling it. If `allowContentCaching` is `false`, `AutoActivation` is also `false`.
Removing a profile that set `AutoActivation` to `true` doesn't deactivate the Content Cache.
- key: AutoEnableTetheredCaching
title: Auto enable tethered caching
type: <boolean>
presence: optional
default: false
content: If `true`, the system automatically enables Internet connection sharing
when possible and prevent disabling Internet connection sharing. `DenyTetheredCaching`
overrides `AutoEnableTetheredCaching`. Tethered caching requires Content Caching.
- key: CacheLimit
title: Cache limit
type: <integer>
presence: optional
default: 0
content: The maximum number of bytes of disk space to use for the content cache.
Set to `0` for unlimited disk space. Also serves as the upper bound to the `PersonalCacheLimit`.
- key: DataPath
title: Data path
type: <string>
presence: optional
default: /Library/Application Support/Apple/AssetCache/Data
content: |-
The path to the directory used to store cached content. Changing this setting manually doesn't automatically move cached content from the old location to the new one. To move content automatically, use the Sharing preference's Content Caching pane. The value must be (or end with) `/Library/Application Support/Apple/AssetCache/Data`.
The system creates a directory and its intermediates for the given data path if it doesn't already exist. The directory is owned by `_assetcache:_assetcache` and has mode 0750. Its immediate parent directory (`.../Library/Application Support/Apple/AssetCache`) is owned by `_assetcache:_assetcache` and has mode `0755`.
- key: DenyActivation
title: Deny activation
type: <boolean>
presence: optional
default: false
content: If `true`, the system disables Content Caching. This is the inverse of
the `allowContentCaching` restriction in MDM. It overrides the `AutoActivation`
key. Use this key to prevent launching the Content Caching service.
- key: DenyTetheredCaching
title: Deny tethered caching
type: <boolean>
presence: optional
default: false
content: If `true`, the system disables tethered caching.
- key: DeclarativeStatusInterval
title: Declarative status interval
type: <integer>
presence: optional
range:
min: 300
max: 86400
default: 0
content: The time interval in seconds the system uses to update the `StatusContentCacheInfo`
declarative status item. The reporting interval can't be less than 60 (1 per minute)
or larger than 86400 (1 per day), defaults to 0 (off)
- key: DisplayAlerts
title: Display alerts
type: <boolean>
presence: optional
default: false
content: If `true`, Content Caching displays exceptional conditions (alerts) as
system notifications in the upper corner of the screen.
- key: KeepAwake
title: Keep awake
type: <boolean>
presence: optional
default: false
content: If `true`, the system prevents the computer from sleeping as long as Content
Caching is on (System Preferences > Sharing > Content Caching is on). Customers
who want Content Caching to be as available as much as possible should turn this
setting on.
- key: ListenRanges
title: Listen ranges
type: <array>
presence: optional
content: An array of dictionaries that describe a range of client IP addresses to
serve.
subkeytype: RangesItem
subkeys: &id001
- key: RangesItem
title: Ranges item
type: <dictionary>
content: A range of IP addresses to cache.
subkeys:
- key: type
title: Type
type: <string>
presence: optional
rangelist:
- IPv4
- IPv6
default: IPv4
content: The IP address type.
- key: first
title: First
type: <string>
presence: required
content: The first IP address in the range.
- key: last
title: Last
type: <string>
presence: required
content: The last IP address in the range.
- key: ListenRangesOnly
title: Listen ranges only
type: <boolean>
presence: optional
default: false
content: If `true`, the content cache provides content to the clients in the `ListenRanges`.
- key: ListenWithPeersAndParents
title: Listen with peers and parents
type: <boolean>
presence: optional
default: true
content: If `true`, the content cache provides content to the clients in the union
of the `ListenRanges`, `PeerListenRanges` and `Parents`.
- key: LocalSubnetsOnly
title: Local subnets only
type: <boolean>
presence: optional
default: true
content: If `true`, the content cache offers content to clients only on the same
immediate local network only. The content cache offers no content to clients on
other networks reachable by the content cache. If `LocalSubnetsOnly` is `true`,
the system ignores `ListenRanges`.
- key: LogClientIdentity
title: Log client identity
type: <boolean>
presence: optional
default: false
content: If `true`, the Content Cache logs the IP address and port number of the
clients that request content.
- key: Parents
title: Parents
type: <array>
presence: optional
content: An array of the local IP addresses of other content caches that this cache
should download from or upload to, instead of downloading from or uploading to
Apple directly. The system ignores invalid addresses and addresses of computers
that aren't content caches. The system skips Parent caches that become unavailable.
If all parent content caches become unavailable, the content cache downloads from
or uploads to Apple directly, until a parent content cache becomes available again.
subkeys:
- key: ParentsItem
type: <string>
presence: required
content: An IP address.
- key: ParentSelectionPolicy
title: Parent selection policy
type: <string>
presence: optional
rangelist:
- first-available
- url-path-hash
- random
- round-robin
- sticky-available
default: round-robin
content: |-
The policy to implement when choosing among more than one configured parent content cache. With every policy, the system skips parent caches that are temporarily unavailable. Allowed values:
- `first-available`: Always use the first available parent in the Parents list. Use this policy to designate permanent primary, secondary, and subsequent parents.
- `url-path-hash`: Hash the path part of the requested URL so that the same parent is always used for the same URL. This is useful for maximizing the size of the combined caches of the parents.
- `random`: Choose a parent at random. Use this policy for load balancing.
- `round-robin`: Rotate through the parents in order. Use this policy for load balancing.
- `sticky-available`: Use the first available parent in the Parents list until it becomes unavailable, then advance to the next one. Use this policy for designating floating primary, secondary, and subsequent parents.
- key: PeerFilterRanges
title: Peer filter ranges
type: <array>
presence: optional
content: An array of dictionaries describing a range of peer IP addresses that the
content cache uses to filter its list of peers to query for content. The content
cache only queries peers in `PeerFilterRanges`. When `PeerFilterRanges` is an
empty array, the content cache doesn't query any peers.
subkeytype: RangesItem
subkeys: *id001
- key: PeerListenRanges
title: Peer listen ranges
type: <array>
presence: optional
content: An array of dictionaries describing a range of peer IP addresses the content
cache responds to. When `PeerListenRanges` is an empty array, the content cache
responds with an error to all cache queries.
subkeytype: RangesItem
subkeys: *id001
- key: PeerLocalSubnetsOnly
title: Peer local subnets only
type: <boolean>
presence: optional
default: true
content: If `true`, the content cache only peers with other content caches on the
same immediate local network, rather than with content caches that use the same
public IP address as the device. When `PeerLocalSubnetsOnly` is `true`, it overrides
the configuration of `PeerFilterRanges` and `PeerListenRanges`. If the network
changes, the local network peering restrictions update appropriately. If `false`,
the content cache defers to `PeerFilterRanges` and `PeerListenRanges` for configuring
the peering restrictions.
- key: PersonalCacheLimit
title: Personal cache limit
type: <integer>
presence: optional
default: 0
content: The maximum number of bytes of disk space to use for the personal content
cache. The content cache limits the maximum value to the `CacheLimit` value. Set
to `0` to use the overall `CacheLimit`.
- key: Port
title: Port
type: <integer>
presence: optional
default: 0
content: The TCP port number on which the content cache accepts requests for uploads
or downloads. Set to `0` to pick a random, available port.
- key: PublicRanges
title: Public ranges
type: <array>
presence: optional
content: An array of dictionaries describing a range of public IP addresses that
the cloud servers should use for matching clients to content caches.
subkeytype: RangesItem
subkeys: *id001
- key: ManagementStatusTarget
title: Management status target
type: <string>
presence: optional
content: The target URL the system uses to send management statistics using an HTTP
PUT request with a json dictionary as the payload. If the URL is an https URL
(recommended) the `ManagementSecurityConfig` defines how the system secures the
connection. The system sends the management statistics report to the target URL
at an interval set by the `ManagementReportingInterval` value.
- key: ManagementSecurityConfig
title: Management security config
type: <string>
presence: optional
rangelist:
- no-cert
- signedByCACert
- specificServerCert
default: no-cert
content: |-
If the `ManagementStatusTarget` is an https URL, the system uses this field to determine how the connection is secured.
- `no-cert`: The system uses regular https processing using the built-in anchor certificates.
- `signedByCACert`: The system requires the https connection's certificate to be signed by the certificate provided in the `ManagementStatusCertificateReference` field. If your organization has a CA infrastructure this is the best choice.
- `specificServerCert`: The system requires the https connection's certificate to match the certificate provided in the `ManagementStatusCertificateReference` field.
- key: ManagementReportingInterval
title: Management reporting interval
type: <integer>
presence: optional
range:
min: 60
max: 86400
default: 300
content: The reporting interval in seconds the system uses when `ManagementStatusTarget`
is present. The reporting interval can't be less than 60 (1 per minute) or larger
than 86400 (1 per day), and defaults to 300 (1 per 5 min).
- key: ManagementStatusCertificateReference
title: Management status certificate reference
type: <string>
assettypes:
- com.apple.asset.credential.certificate
presence: optional
content: The identifier of an asset declaration that contains the certificate the
system uses to verify the security of the status reporting https connection. Required
when `ManagementSecurityConfig` is set to `signedByCACert` or `specificServerCert`.
examples:
title: Configuration examples
files:
- tab: Basic caching
description: This configuration enables content caching for both personal and
shared content with automatic activation.
file: examples/declarative/declarations/configurations/content-cache.settings/example1.json
- tab: Advanced caching
description: This configuration sets up content caching with a parent cache server,
a restricted listen range, and a fixed port.
file: examples/declarative/declarations/configurations/content-cache.settings/example2.json
@@ -21,12 +21,13 @@ payload:
apply: combined
payloadkeys:
- key: Restrictions
title: Restrictions
type: <dictionary>
presence: optional
content: The restrictions for the disk.
subkeys:
- key: ExternalStorage
title: External Storage
title: External storage
type: <string>
presence: optional
rangelist:
@@ -37,11 +38,11 @@ payloadkeys:
content: |-
Specifies the mount policy for external storage:
- `Allowed`: The system can mount external storage that is read-write or read-only.
- `ReadOnly`: The system can only mount read-only external storage. Note that external storage that is read-write will not be mounted read-only.
- `Allowed`: The system can mount external storage that's read-write or read-only.
- `ReadOnly`: The system can only mount read-only external storage. Note that external storage that's read-write won't be mounted read-only.
- `Disallowed`: The system can't mount any external storage.
- key: NetworkStorage
title: Network Storage
title: Network storage
type: <string>
presence: optional
rangelist:
@@ -52,6 +53,12 @@ payloadkeys:
content: |-
Specifies the mount policy for network storage:
- `Allowed`: The system can mount network storage that is read-write or read-only.
- `ReadOnly`: The system can only mount read-only network storage. Note that network storage that is read-write will not be mounted read-only.
- `Allowed`: The system can mount network storage that's read-write or read-only.
- `ReadOnly`: The system can only mount read-only network storage. Note that network storage that's read-write won't be mounted read-only.
- `Disallowed`: The system can't mount any network storage.
examples:
title: Configuration example
files:
- description: This configuration prevents the use of external and network storage
devices.
file: examples/declarative/declarations/configurations/diskmanagement.settings/example1.json
@@ -0,0 +1,570 @@
title: Extensible SSO
description: The declaration to configure Extensible Single Sign-On.
payload:
declarationtype: com.apple.configuration.extensible-sso
supportedOS:
iOS:
introduced: '27.0'
allowed-enrollments:
- supervised
- device
- user
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- user
macOS:
introduced: '27.0'
allowed-enrollments:
- supervised
- user
allowed-scopes:
- system
- user
tvOS:
introduced: n/a
visionOS:
introduced: '27.0'
allowed-enrollments:
- supervised
- device
- user
allowed-scopes:
- system
watchOS:
introduced: n/a
apply: multiple
payloadkeys:
- key: ExtensionComposedIdentifier
title: Extension composed identifier
type: <string>
presence: required
content: |-
The identifier of the provider to use for this configuration. Useful for apps that contain more than one DNS proxy extension.
In iOS and visionOS, the identifier is a bundle ID, for example, "com.example.app.sso-extension".
In macOS, the identifier is a composed identifier. The format of the composed identifier is "Bundle-ID (Team-ID)". "Bundle-ID" is the bundle identifier string of the app extension. "Team-ID" is the team identifier from the app extension's code signature. For example, "com.example.app.sso-extension (ABCD1234)".
- key: Type
title: Type
type: <string>
presence: required
rangelist:
- Credential
- Redirect
content: The type of SSO.
- key: Realm
title: Realm
type: <string>
presence: optional
content: The realm name for `Credential` payloads. Use proper capitalization for
this value. Ignored for `Redirect` payloads.
- key: ExtensionData
title: Extension data
type: <dictionary>
presence: optional
content: A dictionary of arbitrary data passed through to the app extension.
subkeys:
- key: ANY
type: <any>
presence: optional
content: Keys and values to pass to the app extension.
- key: URLs
title: URLs
type: <array>
presence: optional
content: |-
An array of URL prefixes of identity providers where the app extension performs SSO.
Required for `Redirect` payloads. Ignored for `Credential` payloads.
The URLs need to begin with `http://` or `https://`.
The system:
- Matches scheme and host name case-insensitively
- Doesn't allow query parameters and URL fragments
- Requires that the URLs of all installed Extensible SSO payloads are unique
subkeys:
- key: URL
type: <string>
presence: required
content: An http or https URL prefix.
- key: Hosts
title: Hosts
type: <array>
presence: optional
content: |-
An array of host or domain names that apps can authenticate through the app extension.
Required for `Credential` payloads. Ignored for `Redirect` payloads.
The system:
- Matches host or domain names case-insensitively
- Requires that all the host and domain names of all installed Extensible SSO payloads are unique
> Note:
> Host names that begin with a "." are wildcard suffixes that match all subdomains; otherwise the host name needs be an exact match.
subkeys:
- key: hostname
type: <string>
presence: required
content: A host or domain name, with or without a leading dot.
- key: DeniedBundleIdentifiers
title: Denied bundle identifiers
type: <array>
presence: optional
content: An array of bundle identifiers of apps that don't use SSO provided by this
extension.
subkeys:
- key: bundleIdentifier
type: <string>
presence: required
content: The bundle identifier of the app.
- key: ScreenLockedBehavior
title: Screen locked behavior
type: <string>
presence: optional
rangelist:
- Cancel
- DoNotHandle
default: Cancel
content: If set to `Cancel`, the system cancels authentication requests when the
screen is locked. If set to `DoNotHandle`, the request continues without SSO instead.
This doesn't apply to requests where `userInterfaceEnabled` is `false`, or for
background `URLSession` requests.
- key: PlatformSSO
title: Platform SSO
supportedOS:
iOS:
introduced: n/a
visionOS:
introduced: n/a
type: <dictionary>
presence: optional
content: The dictionary to configure Platform SSO.
subkeys:
- key: AuthenticationMethod
title: Authentication method
type: <string>
presence: optional
rangelist:
- Password
- UserSecureEnclaveKey
- SmartCard
- OpenID
content: The Platform SSO authentication method to use with the extension. Requires
that the SSO Extension also support the method.
- key: RegistrationToken
title: Registration token
supportedOS:
iOS:
introduced: n/a
visionOS:
introduced: n/a
type: <string>
presence: optional
content: The token this device uses for registration with Platform SSO. Use it
for silent registration with the Identity Provider. Requires that `AuthenticationMethod`
in `PlatformSSO` isn't empty.
- key: UseSharedDeviceKeys
title: Use shared device keys
supportedOS:
macOS:
allowed-scopes:
- system
type: <boolean>
presence: optional
default: false
content: If `true`, the system uses the same signing and encryption keys for all
users.
- key: LoginFrequency
title: Login frequency
type: <integer>
presence: optional
range:
min: 3600
default: 64800
content: The duration, in seconds, until the system requires a full login instead
of a refresh. The default value is 64,800 (18 hours). The minimum value is 3600
(1 hour).
- key: AllowDeviceIdentifiersInAttestation
title: Allow device identifiers in attestation
type: <boolean>
presence: optional
default: false
content: If `true`, the system includes the device UDID and serial number in Platform
SSO attestations.
- key: Account
title: Account
type: <dictionary>
presence: optional
content: Account display and profile settings.
subkeys:
- key: DisplayName
title: Display name
type: <string>
presence: optional
content: The display name for the account in notifications and authentication
requests.
- key: SynchronizeProfilePicture
title: Synchronize profile picture
type: <boolean>
presence: optional
default: false
content: If `true`, the system requests the user's profile picture from the
SSO extension.
- key: UserCreation
title: User creation
type: <dictionary>
presence: optional
content: Settings for creating new users via Platform SSO.
subkeys:
- key: EnableAtLogin
title: Enable at login
type: <boolean>
presence: optional
default: false
content: Enables creating users at the Login Window with an `AuthenticationMethod`
of either `Password` or `SmartCard`. Requires that `UseSharedDeviceKeys` is
`true`.
- key: EnableFirstUserDuringSetup
title: Enable first user during setup
type: <boolean>
presence: optional
default: true
content: If `true`, the device uses Platform SSO to create the first user account
on the Mac during `Setup Assistant`.
- key: EnableRegistrationDuringSetup
title: Enable registration during setup
type: <boolean>
presence: optional
default: false
content: If `true`, the system enables the PlatformSSO registration process
during Setup Assistant on devices running macOS 26 and later. Set this key
to `true` when configuring PlatformSSO before enrollment using the `com.apple.psso.required`
error response.
- key: NewUserAuthenticationMethods
title: New user authentication methods
type: <array>
presence: optional
content: The set of authentication methods to use for newly created accounts
at login or during `Setup Assistant`. The system uses `Password` and `SmartCard`
if this key isn't present.
subkeys:
- key: NewUserAuthenticationMethod
type: <string>
presence: optional
rangelist:
- Password
- SmartCard
- AccessKey
- OpenID
content: |-
An authentication method to use for newly created accounts at login or during `Setup Assistant`. Allowed values:
* `Password`: The account uses a password for authentication.
* `SmartCard`: The account uses a smart card for authentication.
* `AccessKey`: The account uses an access key for authentication.
* `OpenID`: The account uses OpenID for authentication.
- key: NewUserAuthorizationMode
title: New user authorization mode
type: <string>
presence: optional
rangelist:
- Standard
- Admin
- Groups
- Temporary
content: |-
The permission to apply to newly created accounts at login. Allowed values:
* `Standard`: The account is a standard user.
* `Admin`: The system adds the account to the local administrators group.
* `Groups`: The system assigns groups to the account using `Authorization.AdministratorGroups`, `Authorization.AdditionalGroups`, or `Authorization.AuthorizationGroups`.
* `Temporary`: The system uses a temporary session configuration for newly created accounts at login.
- key: TokenToUserMapping
title: Token to user mapping
type: <dictionary>
presence: optional
content: The attribute mapping to use when creating users, or for authorization.
subkeys:
- key: AccountName
title: Account name
type: <string>
presence: optional
content: The claim name to use for the user's account name.
- key: FullName
title: Full name
type: <string>
presence: optional
content: The claim name to use for the user's full name.
- key: TemporarySessionQuickLogin
title: Temporary session quick login
type: <boolean>
presence: optional
default: false
content: If `true`, the system uses a quicker Authenticated Guest Mode login
to Mac behavior. The system erases user data from only select locations in
the user home directory after each session completes. Once every eight hours
the system erases the full user home directory after a session completes.
Turn this on for shared environments that have a high frequency of short sessions.
- key: Authorization
title: Authorization
type: <dictionary>
presence: optional
content: Settings for authorization prompts and group management.
subkeys:
- key: EnableIdentityProviderAccounts
title: Enable identity provider accounts
type: <boolean>
presence: optional
default: false
content: Enables using identity provider accounts at authorization prompts.
Requires that `UseSharedDeviceKeys` is `true`. The system assigns groups using
`AdministratorGroups`, `AdditionalGroups`, or `AuthorizationGroups`.
- key: UserAuthorizationMode
title: User authorization mode
type: <string>
presence: optional
rangelist:
- Standard
- Admin
- Groups
content: |-
The permission to apply to an account each time the user authenticates. Allowed values:
* `Standard`: The account is a standard user.
* `Admin`: The system adds the account to the local administrators group.
* `Groups`: The system assigns group to the account using `AdministratorGroups`, `AdditionalGroups`, or `AuthorizationGroups`.
- key: AdministratorGroups
title: Administrator groups
type: <array>
presence: optional
content: The list of groups to use for administrator access. The system requests
membership during authentication.
subkeys:
- key: Group
type: <string>
presence: optional
content: The group name.
- key: AdditionalGroups
title: Additional groups
type: <array>
presence: optional
content: The list of created groups that don't have administrator access.
subkeys:
- key: Group
type: <string>
presence: optional
content: The group name.
- key: AuthorizationGroups
title: Authorization groups
type: <dictionary>
presence: optional
content: The pairing of Authorization Rights to group names. When using this,
the system updates the Authorization Right to use the group.
subkeys:
- key: ANY
type: <string>
presence: optional
content: The key is an access right value, the value is the group to be associated
with that access right.
- key: AccessKey
title: Access key
type: <dictionary>
presence: optional
content: Settings for Access Key authentication.
subkeys:
- key: ReaderGroupIdentifier
title: Reader group identifier
type: <data>
presence: optional
content: The reader group identifier for use with the `AccessKey`. The value
needs to match the configured access key. Required if `UserCreation.AuthenticationMethods`
contains `AccessKey`.
- key: TerminalIdentityAssetReference
title: Terminal identity asset reference
type: <string>
assettypes:
- com.apple.asset.credential.identity
- com.apple.asset.credential.scep
- com.apple.asset.credential.acme
presence: optional
content: The identifier of an asset declaration that contains the identity to
use as the Terminal identity of the Access Key. The Access Key needs to trust
the identity. Required if `UserCreation.AuthenticationMethods` includes `AccessKey`.
- key: ReaderIssuerCertificateAssetReference
title: Reader issuer certificate asset reference
type: <string>
assettypes:
- com.apple.asset.credential.certificate
presence: optional
content: The identifier of an asset declaration that contains the certificate
for the issuer certificate of the `Terminal` identity of the access key. Other
specifications refer to the key as the "Reader CA Public Key". The key must
be an elliptic curve key. Required if `UserCreation.AuthenticationMethods`
includes `AccessKey`. The issuer of the Terminal identity of the access key
needs to match this certificate, otherwise the device fails the authentication.
- key: AllowExpressMode
title: Allow express mode
type: <boolean>
presence: optional
default: false
content: If `true`, the system uses the access key in express mode, and doesn't
require authentication before use.
- key: Policies
title: Policies
type: <dictionary>
presence: optional
content: Policies for login, unlock, and FileVault behavior.
subkeys:
- key: FileVault
title: FileVault
type: <array>
presence: optional
content: |-
The policy to apply when using Platform SSO at FileVault unlock on a Mac with Apple silicon. Applies when `AuthenticationMethod` is `Password`.
* `AttemptAuthentication`: The device attempts Platform SSO authentication before proceeding. If offline, unlock continues if the local account password matches. If online and the credential is incorrect, then the device requires a successful Platform SSO authentication is required, even if taken offline.
* `RequireAuthentication`: The device requires Platform SSO authentication before proceeding. If the device is offline and `AllowOfflineGracePeriod` is enabled, then the device uses the offline `OfflineGracePeriod` to determine if the user can proceed or not. If online and the credential is incorrect, then the device requires a valid Platform SSO authentication to proceed, regardless of the `OfflineGracePeriod`. If the account isn't registered for Platform SSO and `AllowAuthenticationGracePeriod` is enabled, then the device uses `AuthenticationGracePeriod` to determine if the user can proceed or not.
* `AllowOfflineGracePeriod`: The device allows the use of the `OfflineGracePeriod` when `RequireAuthentication` is enabled. If `AllowOfflineGracePeriod` isn't set, then the device denies offline access.
* `AllowAuthenticationGracePeriod`: The device allows the use of the `AuthenticationGracePeriod` for other local accounts when `RequireAuthentication` is enabled. The `AuthenticationGracePeriod` starts when any of the policies are updated. If `AllowAuthenticationGracePeriod` isn't set, then the device denies unregistered account access.
* `RequireTouchID`: The device requires the use of Touch ID (and not Apple Watch) for File Vault unlock.
* `RequireTouchIDOrWatch`: The device requires the use of Touch ID or Apple Watch for File Vault unlock.
* `AllowOpenIDForTouchIDFallback`: The device allows web login as a fallback if touchID fails or isn't available.
subkeys:
- key: policy
type: <string>
presence: required
rangelist:
- AttemptAuthentication
- RequireAuthentication
- AllowOfflineGracePeriod
- AllowAuthenticationGracePeriod
- RequireTouchID
- RequireTouchIDOrWatch
- AllowOpenIDForTouchIDFallback
content: The policy to apply.
- key: Login
title: Login
type: <array>
presence: optional
content: |-
The policy to apply when using Platform SSO at the Login Window. Applies when `AuthenticationMethod` is `Password`.
* `AttemptAuthentication`: The device attempts Platform SSO authentication before proceeding. If offline, login continues if the local account password matches. If online and the credential is incorrect, then the device requires a successful Platform SSO authentication to proceed, even if taken offline.
* `RequireAuthentication`: The device requires Platform SSO authentication before proceeding. If the device is offline and `AllowOfflineGracePeriod` is enabled, then the device uses the offline `OfflineGracePeriod` to determine if the user can proceed or not. If online and the credential is incorrect, then the device requires a valid Platform SSO authentication to proceed, regardless of the `OfflineGracePeriod`. If the account isn't registered for Platform SSO and `AllowAuthenticationGracePeriod` is enabled, then the device uses the `AuthenticationGracePeriod` to determine if the user can proceed or not.
* `AllowOfflineGracePeriod`: The device allows the use of the `OfflineGracePeriod` when `RequireAuthentication` is enabled. If `AllowOfflineGracePeriod` isn't set, then the device denies offline access. Applies to web login and all offline passwords.
* `AllowAuthenticationGracePeriod`: The device allows the use of the `AuthenticationGracePeriod` for other local accounts when `RequireAuthentication` is enabled. The `AuthenticationGracePeriod` starts when any of the policies have been updated. If `AllowAuthenticationGracePeriod` isn't set, then the device denies unregistered account access.
* `RequireTouchID`: The device requires the use of Touch ID (and not Apple Watch) for login.
* `RequireTouchIDOrWatch`: The device requires the use of Touch ID or Apple Watch for login.
* `AllowOpenIDForTouchIDFallback`: The device allows web login as fallback if touchID fails or isn't available.
subkeys:
- key: policy
type: <string>
presence: required
rangelist:
- AttemptAuthentication
- RequireAuthentication
- AllowOfflineGracePeriod
- AllowAuthenticationGracePeriod
- RequireTouchID
- RequireTouchIDOrWatch
- AllowOpenIDForTouchIDFallback
content: The policy to apply.
- key: Unlock
title: Unlock
type: <array>
presence: optional
content: |-
The policy to apply when using Platform SSO at screensaver unlock. Applies when `AuthenticationMethod` is `Password`. later.
* `AttemptAuthentication`: The device attempts Platform SSO authentication before proceeding. If offline, unlock will continue if the local account password matches. If online and the credential is incorrect, then the device requires a successful Platform SSO authentication to proceed, even if taken offline.
* `RequireAuthentication`: The device requires Platform SSO authentication before proceeding. If the device is offline and `AllowOfflineGracePeriod` is enabled, then the offline `OfflineGracePeriod` is used to determine if the user can proceed or not. If online and the credential is incorrect, then the device requires a valid Platform SSO authentication to proceed regardless of the `OfflineGracePeriod`. If the account isn't registered for Platform SSO and `AllowAuthenticationGracePeriod` is enabled, then the device uses `AuthenticationGracePeriod` to determine if the user can proceed or not.
* `AllowOfflineGracePeriod`: The device allows the use of the `OfflineGracePeriod` when `RequireAuthentication` is enabled. If `AllowOfflineGracePeriod` isn't set, then the device denies offline access.
* `AllowAuthenticationGracePeriod`: The device allows the use of the `AuthenticationGracePeriod` for other local accounts when `RequireAuthentication` is enabled. The `AuthenticationGracePeriod` starts when any of the policies have been updated. If `AllowAuthenticationGracePeriod` isn't set, then the device denies the unregistered account access.
* `AllowTouchIDOrWatchForUnlock`: The device allows TouchID or Watch to unlock the screensaver instead of Platform SSO authentication when `RequireAuthentication` is enabled.
* `RequireTouchID`: The device requires the use of Touch ID (and not Apple Watch) for unlock.
* `RequireTouchIDOrWatch`: RThe device requires the use of Touch ID or Apple Watch for unlock.
* `AllowOpenIDForTouchIDFallback`: The device allows web login as fallback if touchID fails or isn't available.
subkeys:
- key: policy
type: <string>
presence: required
rangelist:
- AttemptAuthentication
- RequireAuthentication
- AllowOfflineGracePeriod
- AllowAuthenticationGracePeriod
- AllowTouchIDOrWatchForUnlock
- RequireTouchID
- RequireTouchIDOrWatch
- AllowOpenIDForTouchIDFallback
content: The policy to apply.
- key: OfflineGracePeriod
title: Offline grace period
type: <integer>
presence: optional
content: The amount of time after the last successful Platform SSO login for
using a local account password offline. Required when setting `AllowOfflineGracePeriod`.
- key: AuthenticationGracePeriod
title: Authentication grace period
type: <integer>
presence: optional
content: The amount of time after receiving or updating a `Policies.FileVault`,
`Policies.Login`, or `Policies.Unlock` that the system can use unregistered
local accounts. Required when `AllowAuthenticationGracePeriod` is set.
- key: NonPlatformSSOAccounts
title: Non-platform SSO accounts
type: <array>
presence: optional
content: The list of local accounts that aren't subject to the `Policies.FileVault`,
`Policies.Login`, or `Policies.Unlock` policies. The accounts don't receive
a prompt to register for Platform SSO.
subkeys:
- key: username
type: <string>
presence: required
content: A local account username.
- key: WebAuthentication
title: Web authentication
supportedOS:
macOS:
introduced: '27.0'
type: <dictionary>
presence: optional
content: Settings for web authentication behavior.
subkeys:
- key: URLAllowList
title: URL allow list
type: <array>
presence: optional
content: The set of allowed hosts that the system can load in the PSSO web view.
Required if `AuthenticationMethod` is set to `OpenID`, or `UserCreation.AuthenticationMethods`
contains `OpenID`.
subkeys:
- key: Hosts
type: <string>
presence: optional
content: A host or host prefix.
- key: AllowPasswordSync
title: Allow password sync
type: <boolean>
presence: optional
default: false
content: If `true`, the system detects the password during web authentication
and synchronizes it to the local account password for the user.
examples:
title: Configuration examples
files:
- tab: Credential
description: This configuration sets up a Credential-type SSO extension that handles
authentication for hosts in the example.com domain.
file: examples/declarative/declarations/configurations/extensiblesso/example1.json
- tab: Redirect
description: This configuration sets up a Redirect-type SSO extension that intercepts
authentication requests to specific login URLs.
file: examples/declarative/declarations/configurations/extensiblesso/example2.json
@@ -29,24 +29,23 @@ payload:
watchOS:
introduced: n/a
apply: combined
content: Configures External Intelligence Integrations settings.
payloadkeys:
- key: Enabled
title: Allow External Intelligence Integrations
title: Allow external intelligence integrations
type: <boolean>
presence: optional
default: true
combinetype: boolean-and
content: If `false`, disables external intelligence integrations.
- key: AllowSignIn
title: Allow External Intelligence Integrations Sign In
title: Allow external intelligence integrations sign in
type: <boolean>
presence: optional
default: true
combinetype: boolean-and
content: If `false`, disables sign-in for external intelligence integrations.
- key: AllowedWorkspaceIDs
title: Allowed External Intelligence Workspace IDs
title: Allowed external intelligence workspace IDs
type: <array>
presence: optional
combinetype: set-intersection
@@ -57,5 +56,11 @@ payloadkeys:
operation.
subkeys:
- key: workspaceID
title: Allowed Workspace ID
title: Allowed workspace ID
type: <string>
examples:
title: Configuration examples
files:
- tab: External Intelligence Restrictions
description: This configuration restricts external intelligence integrations.
file: examples/declarative/declarations/configurations/external-intelligence.settings/example1.json
@@ -29,7 +29,6 @@ payload:
watchOS:
introduced: n/a
apply: combined
content: Configures Apple Intelligence settings.
payloadkeys:
- key: AllowAppleIntelligenceReport
title: Allow Apple Intelligence Report
@@ -99,6 +98,26 @@ payloadkeys:
presence: optional
content: If present, configures app-specific Intelligence features.
subkeys:
- key: Calendar
title: Calendar
supportedOS:
iOS:
introduced: '27.0'
macOS:
introduced: '27.0'
visionOS:
introduced: '27.0'
type: <dictionary>
presence: optional
content: If present, configures Calendar and Reminders Intelligence features.
subkeys:
- key: AllowNaturalLanguageEditing
title: Allow Natural Language Editing
type: <boolean>
presence: optional
default: true
combinetype: boolean-and
content: If `false`, disables Natural Language Editing in Calendar and Reminders.
- key: Mail
title: Mail
type: <dictionary>
@@ -177,3 +196,9 @@ payloadkeys:
default: false
combinetype: boolean-or
content: If `true`, forces On-Device Only Translation.
examples:
title: Configuration examples
files:
- tab: Intelligence Restrictions
description: This configuration restricts several Apple Intelligence features.
file: examples/declarative/declarations/configurations/intelligence.settings/example1.json
@@ -26,10 +26,9 @@ payload:
watchOS:
introduced: n/a
apply: combined
content: Configures keyboard settings.
payloadkeys:
- key: AllowAutoCorrection
title: Allow Auto-Correction
title: Allow auto-correction
supportedOS:
macOS:
introduced: n/a
@@ -39,21 +38,21 @@ payloadkeys:
combinetype: boolean-and
content: If `false`, disables auto-correction.
- key: AllowDefinitionLookup
title: Allow Definition Lookup
title: Allow definition lookup
type: <boolean>
presence: optional
default: true
combinetype: boolean-and
content: If `false`, disables definition lookup.
- key: AllowDictation
title: Allow Dictation
title: Allow dictation
type: <boolean>
presence: optional
default: true
combinetype: boolean-and
content: If `false`, disables dictation.
- key: AllowMathKeyboardSuggestions
title: Allow Math Keyboard Suggestions
title: Allow math keyboard suggestions
type: <boolean>
presence: optional
default: true
@@ -61,7 +60,7 @@ payloadkeys:
content: If `false`, disables keyboard suggestions that include math solutions.
This key is also supported by the math.settings configuration.
- key: AllowPredictiveText
title: Allow Predictive Text
title: Allow predictive text
supportedOS:
macOS:
introduced: n/a
@@ -71,7 +70,7 @@ payloadkeys:
combinetype: boolean-and
content: If `false`, disables predictive text.
- key: AllowSlideToType
title: Allow Slide to Type
title: Allow slide to type
supportedOS:
macOS:
introduced: n/a
@@ -81,7 +80,7 @@ payloadkeys:
combinetype: boolean-and
content: If `false`, disables slide to type.
- key: AllowSpellCheck
title: Allow Spell Check
title: Allow spell check
supportedOS:
macOS:
introduced: n/a
@@ -91,7 +90,7 @@ payloadkeys:
combinetype: boolean-and
content: If `false`, disables spell check.
- key: AllowTextReplacement
title: Allow Text Replacement
title: Allow text replacement
supportedOS:
macOS:
introduced: n/a
@@ -100,3 +99,9 @@ payloadkeys:
default: true
combinetype: boolean-and
content: If `false`, disables text replacement.
examples:
title: Configuration examples
files:
- tab: Keyboard Restrictions
description: This configuration restricts keyboard features.
file: examples/declarative/declarations/configurations/keyboard.settings/example1.json
@@ -43,13 +43,37 @@ payloadkeys:
- key: ProfileURL
title: Profile's URL.
type: <string>
presence: required
presence: optional
content: |-
The URL of the profile to download and install, which needs to start with `https://`, and must be hosted by the MDM server.
The URL of the profile to download and install, which needs to start with `https://`. The request uses MDM semantics, which includes the device-identity certificate, and any user authentication. This is equivalent to an MDM request made to the `CheckInURL` or `ServerURL`.
If a user enrollment triggers this configuration, the system silently ignores any MDMv1 payloads in macOS that are forbidden with user enrollment. In iOS, the system rejects the entire profile.
One of `ProfileURL` or `ProfileAssetReference` needs to be present.
- key: ProfileAssetReference
title: Profile asset reference
supportedOS:
iOS:
introduced: '27.0'
macOS:
introduced: '27.0'
tvOS:
introduced: '27.0'
visionOS:
introduced: '27.0'
type: <string>
assettypes:
- com.apple.asset.data
asset-content-types:
- application/plist
- application/x-plist
- application/xml
- text/xml
presence: optional
content: |-
The identifier of an asset declaration containing a reference to the profile data. The corresponding asset needs to be of type `com.apple.asset.data`. The referenced data needs to be a property list file, and the asset's "ContentType" value set to match the data type.
One of `ProfileURL` or `ProfileAssetReference` needs to be present.
- key: VisibleName
title: Configuration Visible Name
title: Configuration visible name
type: <string>
presence: required
content: The visible name of the configuration. This name needs to indicate the
@@ -63,3 +87,14 @@ notes:
- `com.apple.mdm`
- `com.apple.declarations`
If a user enrollment triggers this configuration: in macOS the system silently ignores any MDMv1 payloads in macOS where the User Enrollment Mode setting is `forbidden`; in iOS, tvOS, watchOS and visionOS, the system rejects the entire profile if any MDMv1 payload has its User Enrollment Mode setting set to `forbidden`.
examples:
title: Configuration examples
files:
- tab: URL
description: Downloads the profile from a URL on the MDM server.
file: examples/declarative/declarations/configurations/legacy.interactive/example1.json
- tab: Asset
description: Downloads the profile using an asset.
file: examples/declarative/declarations/configurations/legacy.interactive/example2.json
@@ -54,11 +54,37 @@ payloadkeys:
- key: ProfileURL
title: Profile's URL.
type: <string>
presence: required
presence: optional
content: |-
The URL of the profile to download and install, which needs to start with `https://`, and must be hosted by the MDM server.
The URL of the profile to download and install, which needs to start with `https://`. The request uses MDM semantics, which includes the device-identity certificate, and any user authentication. This is equivalent to an MDM request made to the `CheckInURL` or `ServerURL`.
If a user enrollment triggers this configuration, the system silently ignores any MDMv1 payloads in macOS where the User Enrollment Mode setting is `forbidden`. In iOS, the system rejects the entire profile.
One of `ProfileURL` or `ProfileAssetReference` needs to be present.
- key: ProfileAssetReference
title: Profile asset reference
supportedOS:
iOS:
introduced: '27.0'
macOS:
introduced: '27.0'
tvOS:
introduced: '27.0'
visionOS:
introduced: '27.0'
watchOS:
introduced: '27.0'
type: <string>
assettypes:
- com.apple.asset.data
asset-content-types:
- application/plist
- application/x-plist
- application/xml
- text/xml
presence: optional
content: |-
The identifier of an asset declaration containing a reference to the profile data. The corresponding asset needs to be of type `com.apple.asset.data`. The referenced data needs to be a property list file, and the asset's "ContentType" value set to match the data type.
One of `ProfileURL` or `ProfileAssetReference` needs to be present.
notes:
- title: ''
content: |-
@@ -68,3 +94,35 @@ notes:
- `com.apple.mdm`
- `com.apple.declarations`
If a user enrollment triggers this configuration: in macOS the system silently ignores any MDMv1 payloads in macOS where the User Enrollment Mode setting is `forbidden`; in iOS, tvOS, watchOS and visionOS, the system rejects the entire profile if any MDMv1 payload has its User Enrollment Mode setting set to `forbidden`.
- title: Transition profiles from MDM
content: |-
A declarative device management (DDM) legacy profile can take control of profiles installed via MDM. This avoids the need to first remove the MDM profile, before installing the DDM equivalent. DDM cannot take over control of non-MDM-installed profiles.
The rules for transitioning profiles are:
1. An existing MDM-installed profile is present (installed by MDM using the `Install-Profile-Command`).
2. DDM is enabled on the device.
3. The server sends a legacy profile configuration to the device and ensures it is "activated".
1. The DDM profile that the configuration applies needs to conform to the following requirements:
1. The DDM profile's `PayloadIdentifier` and `PayloadUUID` need to match that of the MDM profile.
2. The DDM profile needs to have the same number of payloads as the MDM profile.
3. The DDM profile payloads needs to have the same `PayloadType`, `PayloadIdentifier`, and `PayloadUUID`, in the same order as the profile payloads in the MDM profile.
2. If the DDM profile doesn't conform to the above requirements, the configuration isn't applied and its `valid` status is set to `invalid`.
3. The `Profile-List-Command` can be used to determine the "structure" of existing MDM profiles to satisfy the above requirements.
When DDM takes control of the MDM profile, the following occurs:
1. The system doesn't reinstall the profile. Instead, the MDM profile's existing system state remains unchanged. Thus system state won't include any differences between the MDM and DDM profiles (other than the structural items outlined above that must match).
2. Any attempt to install, update, or remove the profile using MDM commands fails (using the usual identifier and UUID matching rules). This holds true while the DDM profile is active.
3. Updates to the DDM configuration result in the system reapplying the profile which updates the system state with any new or changed settings.
examples:
title: Configuration examples
files:
- tab: URL
description: Downloads the profile from a URL on the MDM server.
file: examples/declarative/declarations/configurations/legacy/example1.json
- tab: Asset
description: Downloads the profile using an asset.
file: examples/declarative/declarations/configurations/legacy/example2.json
@@ -47,17 +47,24 @@ payload:
apply: combined
payloadkeys:
- key: StatusItems
title: Status Items
title: Status items
type: <array>
presence: required
combinetype: set-union
content: An array of status items that the device notifies subscribers about.
subkeys:
- key: StatusItem
title: Status item
type: <dictionary>
content: The declaration for configuring a specific status subscription.
subkeys:
- key: Name
title: Name
type: <string>
presence: required
content: The name of the status item to send to subscribers.
examples:
title: Configuration example
files:
- description: This configuration subscribes to a set of device status items.
file: examples/declarative/declarations/configurations/management.status-subscriptions/example1.json
@@ -1,5 +1,5 @@
title: Management:Test
description: The declaration to test declarative device management.
description: The declaration to configure a declarative device management test.
payload:
declarationtype: com.apple.configuration.management.test
supportedOS:
@@ -52,12 +52,12 @@ payload:
apply: multiple
payloadkeys:
- key: Echo
title: Status Echo
title: Status echo
type: <string>
presence: required
content: The string to echo back in a status response reason.
- key: EchoDataAssetReference
title: Status Echo from Asset
title: Status echo from asset
supportedOS:
iOS:
introduced: '17.0'
@@ -72,7 +72,7 @@ payloadkeys:
content: The string to read from a data asset to echo back in status response reason
description.
- key: ReturnStatus
title: Status to Return
title: Status to return
type: <string>
presence: optional
rangelist:
@@ -82,3 +82,9 @@ payloadkeys:
default: Installed
content: The status the system reports back when the device implements the configuration.
Use this to override the normal `success` result.
examples:
title: Configuration example
files:
- description: This configuration tests the management framework with a custom status
result.
file: examples/declarative/declarations/configurations/management.test/example1.json
@@ -25,20 +25,22 @@ payload:
watchOS:
introduced: n/a
apply: combined
content: Configures the built-in math and calculator app settings.
payloadkeys:
- key: Calculator
title: Calculator
type: <dictionary>
presence: optional
content: If present, configures the built-in Calculator app.
subkeys:
- key: BasicMode
title: Basic mode
type: <dictionary>
presence: optional
content: If present, configures the basic mode of the calculator. Basic mode is
always enabled.
subkeys:
- key: AddSquareRoot
title: Add square root
type: <boolean>
presence: required
combinetype: boolean-or
@@ -46,17 +48,20 @@ payloadkeys:
+/- button. Normally, the square root button is available in scientific mode,
so this key can be used to make it available when the scientific mode is restricted.
- key: ScientificMode
title: Scientific mode
type: <dictionary>
presence: optional
content: If present, configures the scientific mode of the calculator. If not
present, scientific mode is enabled.
subkeys:
- key: Enabled
title: Enabled
type: <boolean>
presence: required
combinetype: boolean-and
content: Controls whether the mode is enabled.
- key: ProgrammerMode
title: Programmer mode
supportedOS:
iOS:
introduced: n/a
@@ -66,33 +71,39 @@ payloadkeys:
present, programmer mode is enabled.
subkeys:
- key: Enabled
title: Enabled
type: <boolean>
presence: required
combinetype: boolean-and
content: Controls whether the mode is enabled.
- key: MathNotesMode
title: Math notes mode
type: <dictionary>
presence: optional
content: If present, configures the Math Notes mode of the calculator. If not
present, Math Notes mode is enabled.
subkeys:
- key: Enabled
title: Enabled
type: <boolean>
presence: required
combinetype: boolean-and
content: Controls whether the mode is enabled.
- key: InputModes
title: Input modes
type: <dictionary>
presence: optional
content: If present, controls global input options of the calculator. If not present,
all input modes are enabled.
subkeys:
- key: UnitConversion
title: Unit conversion
type: <boolean>
presence: required
combinetype: boolean-and
content: Configures whether unit conversions are enabled.
- key: RPN
title: RPN
supportedOS:
iOS:
introduced: n/a
@@ -101,18 +112,27 @@ payloadkeys:
combinetype: boolean-and
content: Configures whether RPN input is enabled.
- key: SystemBehavior
title: System behavior
type: <dictionary>
presence: optional
content: If present, configures math behavior in the system.
subkeys:
- key: KeyboardSuggestions
title: Keyboard suggestions
type: <boolean>
presence: required
combinetype: boolean-and
content: Controls whether keyboard suggestions include math solutions. This key
is also supported by the keyboard.settings configuration.
- key: MathNotes
title: Math notes
type: <boolean>
presence: required
combinetype: boolean-and
content: Controls whether Math Notes is allowed in other apps such as Notes.
examples:
title: Configuration example
files:
- description: This configuration prevents the use of scientific and programmer
modes in calculator app.
file: examples/declarative/declarations/configurations/math.settings/example1.json
@@ -18,14 +18,15 @@ payload:
watchOS:
introduced: n/a
apply: combined
content: Configures the managed migration functions of Migration Assistant.
payloadkeys:
- key: ShouldDoManagedMigration
title: Should do managed migration
type: <boolean>
presence: required
combinetype: boolean-or
content: If `true`, the device manages Migration Assistant.
- key: ExcludedAccounts
title: Excluded accounts
type: <array>
presence: optional
combinetype: set-union
@@ -35,6 +36,7 @@ payloadkeys:
- key: _Accounts
type: <string>
- key: ExcludedPaths
title: Excluded paths
type: <array>
presence: optional
combinetype: set-union
@@ -46,6 +48,7 @@ payloadkeys:
- key: _ExcludedPaths
type: <string>
- key: RequiredPaths
title: Required paths
type: <array>
presence: optional
combinetype: set-union
@@ -57,6 +60,7 @@ payloadkeys:
- key: _RequiredPaths
type: <string>
- key: ShouldMigrateSecurityPrivacySettings
title: Should migrate security privacy settings
type: <boolean>
presence: required
combinetype: boolean-or
@@ -69,3 +73,8 @@ notes:
Configure the device to use the `AwaitingConfiguration` state after it enrolls with the server. The server needs to send the configuration and verify the configuration as both active and valid using the Declarative Device Management status, before it sends the `DeviceConfiguredCommand` command to exit that state.
The device reports Migration Assistant progress using the `StatusMigrationAssistantState` status item, and provides a report when migration completes using the `StatusMigrationAssistantReport` status item.
examples:
title: Configuration example
files:
- description: This configuration provides settings for a Mac to Mac migration.
file: examples/declarative/declarations/configurations/migration-assistant.settings/example1.json
@@ -0,0 +1,84 @@
title: Network:DNS Proxy
description: The declaration to configure DNS proxy settings.
payload:
declarationtype: com.apple.configuration.network.dns-proxy
supportedOS:
iOS:
introduced: '27.0'
allowed-enrollments:
- supervised
- device
- user
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
macOS:
introduced: '27.0'
allowed-enrollments:
- supervised
- local
allowed-scopes:
- system
tvOS:
introduced: n/a
visionOS:
introduced: '27.0'
allowed-enrollments:
- supervised
- device
- user
allowed-scopes:
- system
watchOS:
introduced: n/a
apply: multiple
payloadkeys:
- key: VisibleName
title: Visible name
type: <string>
presence: required
content: The name of the DNS proxy configuration that the system displays on the
device.
- key: AppBundleIdentifier
title: App bundle identifier
type: <string>
presence: required
content: The bundle identifier of the app containing the DNS proxy network extension.
- key: ProviderComposedIdentifier
title: Provider composed identifier
type: <string>
presence: optional
content: |-
The identifier of the provider to use for this configuration. Useful for apps that contain more than one DNS proxy extension.
In iOS and visionOS, the identifier is a bundle ID, for example, "com.example.app".
In macOS, the identifier is a composed identifier. The format of the composed identifier is either "Bundle-ID" or "Bundle-ID {Designated-Requirement}". "Bundle-ID" is the bundle identifier string of the provider. "Designated-Requirement" is the designated requirement string from the code signature of the provider. For example, "com.example.app" for the bundle ID format, or "com.example.app {anchor apple generic}" for the designated requirement format.
- key: ProviderConfiguration
title: Provider configuration
type: <dictionary>
presence: optional
content: The dictionary of vendor-specific configuration items.
subkeys:
- key: ANY
type: <any>
presence: optional
content: Key/value pairs.
- key: DNSProxyUUID
title: DNS proxy UUID
supportedOS:
macOS:
introduced: n/a
type: <string>
presence: optional
content: A globally unique identifier for this DNS proxy configuration. The proxy
processes DNS lookups traffic for managed apps with the same `DNSProxyUUID` in
their app attributes. This key is required for user enrollment.
examples:
title: Configuration example
files:
- description: This configuration sets up a DNS proxy using a Network Extension
app.
file: examples/declarative/declarations/configurations/network.dns-proxy/example1.json
@@ -0,0 +1,254 @@
title: Network:DNS Settings
description: The declaration to configure encrypted DNS settings.
payload:
declarationtype: com.apple.configuration.network.dns-settings
supportedOS:
iOS:
introduced: '27.0'
allowed-enrollments:
- supervised
- device
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
macOS:
introduced: '27.0'
allowed-enrollments:
- supervised
- local
allowed-scopes:
- system
tvOS:
introduced: n/a
visionOS:
introduced: '27.0'
allowed-enrollments:
- supervised
- device
- local
allowed-scopes:
- system
watchOS:
introduced: n/a
apply: multiple
payloadkeys:
- key: VisibleName
title: Visible name
type: <string>
presence: required
content: The name of the DNS settings that the system displays on the device.
- key: DNSSettings
title: DNS settings
type: <dictionary>
presence: required
content: A dictionary that defines a configuration for an encrypted DNS server.
subkeys:
- key: DNSProtocol
title: DNS protocol
type: <string>
presence: required
rangelist:
- HTTPS
- TLS
content: The encrypted transport protocol used to communicate with the DNS server.
- key: ServerURL
title: Server URL
type: <string>
presence: optional
content: The URI template of a DNS-over-HTTPS server, as defined in RFC 8484.
This URL needs to use the `https://` scheme, and the system uses the hostname
or address in the URL to validate the server certificate. If no `ServerAddresses`
are provided, the system uses the hostname or address in the URL to determine
the server addresses. Required if `DNSProtocol` is `HTTPS`.
- key: ServerName
title: Server name
type: <string>
presence: optional
content: The hostname of a DNS-over-TLS server used to validate the server certificate,
as defined in RFC 7858. If no `ServerAddresses` are provided, the system uses
the hostname to determine the server addresses. This key must be present only
if the DNSProtocol is `TLS`.
- key: ServerAddresses
title: DNS server addresses
type: <array>
presence: optional
content: An unordered list of DNS server IP address strings. These IP addresses
can be a mixture of IPv4 and IPv6 addresses.
subkeys:
- key: ServerAddressesElement
title: Server address element
type: <string>
- key: AllowFailover
title: Allow failover
type: <boolean>
presence: optional
default: false
content: If `true`, the device allows failover to the default system DNS resolver.
- key: IdentityAssetReference
title: Certificate identity asset reference
type: <string>
assettypes:
- com.apple.asset.credential.identity
- com.apple.asset.credential.scep
- com.apple.asset.credential.acme
presence: optional
content: Specifies the identifier of an asset declaration containing an identity
that the system uses to authenticate the user to the DNS resolver.
- key: SupplementalMatchDomains
title: Supplemental match domains
type: <array>
presence: optional
content: |-
A list of domain strings used to determine which DNS queries use the DNS server. If not set, all domains use the DNS server.
The system supports a single wildcard (`*`) prefix, but it's not required. For example, both `*.example.com` and `example.com` match against `mydomain.example.com` and `your.domain.example.com`, but don't match against `mydomain-example.com`.
subkeys:
- key: SupplementalMatchDomainsElement
title: Supplemental match domains element
type: <string>
- key: OnDemandRules
title: On demand rules
type: <array>
presence: optional
content: An array of rules that define the DNS settings. If not set, the system
always applies the DNS settings. These rules are identical to the `OnDemandRules`
array in VPN payloads.
subkeytype: OnDemandRulesElement
subkeys:
- key: OnDemandRulesElement
title: On demand rules element
type: <dictionary>
subkeys:
- key: Action
title: On demand action
type: <string>
presence: required
rangelist:
- Connect
- Disconnect
- EvaluateConnection
content: |-
The action to take if this dictionary matches the current network. Allowed values:
- `Connect`: Apply DNS Settings when the dictionary matches.
- `Disconnect`: Don't apply DNS Settings when the dictionary matches.
- `EvaluateConnection`: Apply DNS Settings with per-domain exceptions when the dictionary matches.
- key: ActionParameters
title: Action parameters
type: <array>
presence: optional
content: An array of dictionaries that provide per-connection rules. The system
uses this array only for settings where the `Action` value is `EvaluateConnection`.
subkeys:
- key: ActionParameter
title: Action parameter
type: <dictionary>
presence: optional
content: |-
A dictionary that provides per-connection rules.
The keys allowed in each dictionary are described below. Note: This array is only for dictionaries in which `EvaluateConnection` is the `Action` value.
subkeys:
- key: Domains
title: Domains
type: <array>
presence: required
content: The domains for which this evaluation applies.
subkeys:
- key: DomainsElement
title: Domains element
type: <string>
- key: DomainAction
title: Domain action
type: <string>
presence: required
rangelist:
- NeverConnect
- ConnectIfNeeded
content: |-
The DNS settings behavior for the specified domains. Allowed values:
* 'NeverConnect': Don't use the DNS Settings for the specified domains.
* 'ConnectIfNeeded': Allow using the DNS Settings for the specified domains.
- key: DNSDomainMatch
title: DNS domain match
type: <array>
presence: optional
content: |-
An array of domain names. This rule matches if any of the domain names in the specified list matches any domain in the device's search domains list.
The system supports a single wildcard (`*`) prefix, but it's not required. For example, both `*.example.com` and `example.com` match against `mydomain.example.com` and `your.domain.example.com`, but don't match against `mydomain-example.com`.
subkeys:
- key: DNSDomainMatchElement
title: DNS domain match element
type: <string>
- key: DNSServerAddressMatch
title: DNS server address match
type: <array>
presence: optional
content: |-
An array of IP addresses. This rule matches if any of the network's specified DNS servers match any entry in the array.
The system supports matching with a single wildcard. For example, `17.*` matches any DNS server in the 17.0.0.0/8 subnet.
subkeys:
- key: DNSServerAddressMatchElement
title: DNS server address match element
type: <string>
- key: InterfaceTypeMatch
title: Interface type match
type: <string>
presence: optional
rangelist:
- Ethernet
- WiFi
- Cellular
content: An interface type. If specified, this rule matches only if the primary
network interface hardware matches the specified type.
- key: SSIDMatch
title: SSID match
type: <array>
presence: optional
content: An array of SSIDs to match against the current network. If the network
isn't a Wi-Fi network or if the SSID doesn't appear in this array, the match
fails. Omit this key and the corresponding array to match against any SSID.
subkeys:
- key: SSIDMatchElement
title: SSID match element
type: <string>
- key: URLStringProbe
title: URL string probe
type: <string>
presence: optional
content: A URL to probe. This rule matches if this URL is successfully fetched
and returns a 200 HTTP status code without redirection.
- key: ProhibitDisablement
title: Prohibit disablement
supportedOS:
iOS:
allowed-enrollments:
- supervised
macOS:
allowed-enrollments:
- supervised
visionOS:
allowed-enrollments:
- supervised
type: <boolean>
presence: optional
default: false
content: If `true`, the system prohibits users from disabling DNS settings.
notes:
- title: ''
content: |-
The following rules determine which networks the settings apply to:
* For supervised enrollments, the settings apply to all networks.
* For device enrollments, the settings are limited to only managed networks.
* For local installs, the settings apply to all networks.
examples:
title: Configuration example
files:
- description: This configuration sets up encrypted DNS using DNS-over-HTTPS.
file: examples/declarative/declarations/configurations/network.dns-settings/example1.json
@@ -0,0 +1,190 @@
title: Network:Relay
description: The declaration to configure Network Relay settings.
payload:
declarationtype: com.apple.configuration.network.relay
supportedOS:
iOS:
introduced: '27.0'
allowed-enrollments:
- supervised
- device
- user
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- user
macOS:
introduced: '27.0'
allowed-enrollments:
- supervised
- user
allowed-scopes:
- system
tvOS:
introduced: n/a
visionOS:
introduced: '27.0'
allowed-enrollments:
- supervised
- device
- user
allowed-scopes:
- system
watchOS:
introduced: n/a
apply: multiple
payloadkeys:
- key: VisibleName
title: Visible name
type: <string>
presence: required
content: The name of the network relays that the system displays on the device.
- key: Relays
title: Relays
type: <array>
presence: required
content: An array of dictionaries that describe one or more relay servers that the
system can chain together.
subkeys:
- key: Relay
title: Network relay
type: <dictionary>
subkeys:
- key: HTTP3RelayURL
title: HTTP/3 relay URL
type: <string>
presence: optional
content: |-
The URL or URI template, as defined in RFC 9298, of a relay server that's reachable using HTTP/3 and supports proxying TCP and UDP using the CONNECT method.
Each relay needs to include either `HTTP2RelayURL` or `HTTP3RelayURL`, or it can include both.
- key: HTTP2RelayURL
title: HTTP/2 relay URL
type: <string>
presence: optional
content: |-
The URL or URI template, as defined in RFC 9298, of a relay server that's reachable using HTTP/2 and supports proxying TCP and UDP using the CONNECT method.
Each relay needs to include either `HTTP2RelayURL` or `HTTP3RelayURL`, or it can include both.
- key: AdditionalHTTPHeaderFields
title: Additional HTTP header fields
type: <dictionary>
presence: optional
content: A dictionary that contains custom HTTP header keys and values to add
to each request. The dictionary key name represents the HTTP header field
name to use, and the dictionary value is the string to use as the HTTP header
field value.
subkeys:
- key: ANY
type: <string>
presence: required
content: The HTTP header field value for the corresponding header field name.
- key: CredentialAssetReference
title: Credential asset reference
type: <string>
assettypes:
- com.apple.asset.credential.identity
- com.apple.asset.credential.scep
- com.apple.asset.credential.acme
presence: optional
content: The identifier of an asset declaration that contains the identity to
install.
- key: PublicKeyData
title: Public keys
type: <array>
assettypes:
- com.apple.asset.data
presence: optional
content: |-
An array of references to data assets containing DER-encoded public key data that the system uses to authenticate the server during a TLS handshake. The server needs to use one of the keys in the handshake to authenticate.
If this array is empty, the system uses the default TLS trust evaluation.
subkeys:
- key: PublicKeyDataAssetReference
title: Public key asset reference
type: <string>
- key: MatchDomains
title: Match domains
type: <array>
presence: optional
content: |-
A list of domain strings that the system uses to determine which connection to route through the servers in `Relays`.
Any connection that matches a domain in the list exactly or is a subdomain of the listed domain uses the relay servers, unless it matches a domain in `ExcludedDomains`.
If this list and `MatchFQDNs` are empty, the system routes traffic to all domains to the relay servers, except those that match an excluded domain or excluded FQDN.
subkeys:
- key: MatchDomainsElement
title: Match domains element
type: <string>
- key: ExcludedDomains
title: Excluded domains
type: <array>
presence: optional
content: A list of domain strings to exclude from routing through the servers in
`Relays`. Any connection that matches a domain in the list exactly or is a subdomain
of the listed domain won't use the relay server.
subkeys:
- key: ExcludedDomainsElement
title: Excluded domains element
type: <string>
- key: MatchFQDNs
title: Match FQDNs
type: <array>
presence: optional
content: A list of Fully Qualified Domain Names (FQDNs) to route through the servers
contained in `Relays`. Any connection that matches an FQDN in the list exactly
uses the relay servers. If this list and `MatchDomains` are empty, the system
routes traffic to all domains to the relay servers, except those that match an
excluded domain or excluded FQDN.
subkeys:
- key: MatchFQDNsElement
title: Match FQDNs element
type: <string>
- key: ExcludedFQDNs
title: Excluded FQDNs
type: <array>
presence: optional
content: A list of Fully Qualified Domain Names (FQDNs) to exclude from routing
through the servers contained in `Relays`. Any connection that matches an FQDN
in the list exactly won't use the relay server. When `MatchDomains` is also present,
any FQDN listed in the list should be a subdomain of at least one `MatchDomain`
value, otherwise it won't have any effect.
subkeys:
- key: ExcludedFQDNsElement
title: Excluded FQDNs element
type: <string>
- key: RelayUUID
title: Relay UUID
supportedOS:
macOS:
introduced: n/a
type: <string>
presence: optional
content: A globally unique identifier for this relay configuration. The system uses
this UUID to route managed apps through the servers in `Relays`. This key is required
for user enrollment.
- key: UIToggleEnabled
title: UI toggle enabled
type: <boolean>
presence: optional
default: true
content: If `true`, the device allows the user to disable this network relay configuration.
- key: AllowDNSFailover
title: Allow DNS failover
type: <boolean>
presence: optional
default: false
content: If `true`, the device allows the relay to failover to the default system
DNS resolver.
examples:
title: Configuration examples
files:
- tab: Single relay
description: This configuration routes traffic to two domains through a single
HTTP/2 relay with a custom authorization header.
file: examples/declarative/declarations/configurations/network.relay/example1.json
- tab: Chained relays
description: This configuration routes specific hostnames through two chained
relay hops supporting both HTTP/2 and HTTP/3.
file: examples/declarative/declarations/configurations/network.relay/example2.json
@@ -0,0 +1,975 @@
title: Network:VPN:AlwaysOn
description: The declaration to configure a VPN using the Always On sub-type.
payload:
declarationtype: com.apple.configuration.network.vpn.always-on
supportedOS:
iOS:
introduced: '27.0'
allowed-enrollments:
- supervised
- device
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
macOS:
introduced: n/a
tvOS:
introduced: n/a
visionOS:
introduced: '27.0'
allowed-enrollments:
- supervised
- device
- local
allowed-scopes:
- system
watchOS:
introduced: n/a
apply: single
payloadkeys:
- key: VisibleName
title: Visible name
type: <string>
presence: required
content: The name of the VPN connection that the system displays on the device.
- key: UIToggleEnabled
title: UI toggle enabled
type: <boolean>
presence: optional
default: false
content: If `true`, allows the user to disable the VPN configuration.
- key: TunnelConfigurations
title: Tunnel configurations
type: <array>
presence: required
content: An array that contains an arbitrary number of tunnel configurations.
subkeys:
- key: TunnelConfigurationElement
title: A tunnel configuration element
type: <dictionary>
subkeys:
- key: ProtocolType
title: Protocol type
type: <string>
presence: required
rangelist:
- IKEv2
content: The type of connection, which needs to be `IKEv2`.
- key: Interfaces
title: Interfaces
type: <array>
presence: optional
content: The interfaces to apply this configuration to.
subkeys:
- key: InterfacesElement
title: Interfaces element
type: <string>
rangelist:
- Cellular
- WiFi
- key: IKEV2
title: IKEv2 configuration
type: <dictionary>
presence: optional
content: The IKEv2 configuration for this tunnel.
subkeys:
- key: HostName
title: Host name
type: <string>
presence: required
content: The IP address or hostname of the VPN server.
- key: LocalIdentifier
title: Local identifier
type: <string>
presence: required
content: Identifier of the IKEv2 client.
- key: RemoteIdentifier
title: Remote identifier
type: <string>
presence: required
content: The remote identifier.
- key: Authentication
title: Authentication details
type: <dictionary>
presence: required
content: Settings that control authentication.
subkeys:
- key: Method
title: Authentication method
type: <string>
presence: required
rangelist:
- None
- SharedSecret
- Certificate
content: |-
The type of authentication method for the VPN.
To enable EAP-only authentication, set this to `None` and `ExtendedAuthEnabled` to `true`. If this is `None` and the `ExtendedAuthEnabled` key isn't set, the authentication configuration defaults to `SharedSecret`.
- key: CredentialsAssetReference
title: Credentials asset reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
presence: optional
content: The identifier of an asset declaration that contains the credentials
(password) to authenticate with the VPN server. Required when `Authentication.Method`
is set to `SharedSecret`.
- key: IdentityCertificateType
title: Certificate type
type: <string>
presence: optional
rangelist:
- RSA
- ECDSA256
- ECDSA384
- ECDSA521
- RSA-PSS
default: RSA
content: The type of key used by the identity set in the `IdentityAssetReference`
to use for IKEv2 machine authentication. If this key is included, the
system requires a value for `ServerCertificateIssuerCommonName`.
- key: IdentityAssetReference
title: Identity asset reference
type: <string>
assettypes:
- com.apple.asset.credential.acme
- com.apple.asset.credential.identity
- com.apple.asset.credential.scep
presence: optional
content: The identifier of a credential asset declaration that contains
the identity that this account requires to authenticate with the VPN server.
If the value of `AuthenticationMethod` is `Certificate`, the system sends
this certificate out for IKEv2 machine authentication. If extended authentication
(EAP) is used, the system sends this certificate out for EAP-TLS authentication.
Required when `Authentication.Method` is set to `Certificate`.
- key: ExtendedAuth
title: Extended authentication (EAP)
type: <dictionary>
presence: optional
content: Specifies details about how the VPN routes different types of network
traffic.
subkeys:
- key: Enabled
title: Enabled
type: <boolean>
presence: optional
default: false
content: If `true`, enables EAP-only authentication.
- key: CredentialsAssetReference
title: Credentials asset reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
presence: optional
content: The identifier of an asset declaration that contains the credentials
(user name and password) to authenticate with the VPN server. Required
when `Enabled` is set to `true`. Implies the use of EAP-MSCHAPv2.
- key: ServerCertificateIssuerCommonName
title: Server certificate issuer common name
type: <string>
presence: optional
content: Common Name of the server certificate issuer. If set, this field
causes IKE to send a certificate request based on this certificate issuer
to the server. This key is required if the `IdentityCertificateType`
key is included and the `ExtendedAuth.Enabled` key is `true`.
- key: ServerCertificateCommonName
title: Server certificate common name
type: <string>
presence: optional
content: The common name of the server certificate. The system uses this
name to validate the certificate sent by the IKE server. If not set,
the system uses the remote identifier to validate the certificate.
- key: TLSMinimumVersion
title: TLS minimum version
type: <string>
presence: optional
rangelist:
- '1.0'
- '1.1'
- '1.2'
- '1.3'
default: '1.0'
content: The minimum TLS version to use with EAP-TLS authentication.
- key: TLSMaximumVersion
title: TLS maximum version
type: <string>
presence: optional
rangelist:
- '1.0'
- '1.1'
- '1.2'
- '1.3'
default: '1.2'
content: The maximum TLS version to use with EAP-TLS authentication.
- key: Provider
title: Provider details
type: <dictionary>
presence: optional
content: Specifies details about the provider.
subkeys:
- key: Type
title: Type
type: <string>
presence: optional
rangelist:
- packet-tunnel
- app-proxy
default: packet-tunnel
content: The type of VPN service. If the value is `app-proxy`, the service
tunnels traffic at the app level. If the value is `packet-tunnel`, the
service tunnels traffic at the IP layer.
- key: ComposedIdentifier
title: Composed identifier
type: <string>
presence: optional
content: |-
In iOS, tvOS, and visionOS, the identifier is a bundle ID, for example, "com.example.app".
In macOS, the identifier is a composed identifier. The format of the composed identifier is either "Bundle-ID", "Bundle-ID (Team-ID)", or "Bundle-ID {Designated-Requirement}". "Bundle-ID" is the bundle identifier string of the provider. "Team-ID" is the team identifier from the provider's code signature. "Designated-Requirement" is the designated requirement string from the code signature of the provider. For example, "com.example.app" for the bundle ID format, "com.example.app (ABCD1234)" for the team ID format, or "com.example.app {anchor apple generic}" for the designated requirement format.
- key: NetworkRouting
title: Network routing details
supportedOS:
tvOS:
introduced: n/a
type: <dictionary>
presence: optional
content: Specifies details about how the VPN routes different types of network
traffic.
subkeys:
- key: EnforceRoutes
title: Enforce routes
type: <boolean>
presence: optional
default: false
content: |-
If `true`, all the VPN's non-default routes take precedence over any locally defined routes.
If `IncludeAllNetworks` is `true`, the system ignores the value of `EnforceRoutes`.
- key: IncludeAllNetworks
title: Include all networks
type: <boolean>
presence: optional
default: false
content: |-
If `true`, routes all traffic through the VPN, with some exclusions. Several of the exclusions can be controlled with the `ExcludeLocalNetworks`, `ExcludeCellularServices`, `ExcludeAPNs` and `ExcludeDeviceCommunication` properties. The following traffic is always excluded from the tunnel:
- Traffic necessary for connecting and maintaining the device's network connection, such as DHCP.
- Traffic necessary for connecting to captive networks.
- Certain cellular services traffic that's not routable over the internet and is instead directly routed to the cellular network. See the ExcludeCellularServices property for more details.
- Network communication with a companion device such as a watchOS device.
- key: ExcludeLocalNetworks
title: Exclude local networks
type: <boolean>
presence: optional
content: If `true` and `IncludeAllNetworks` is `true`, routes all local
network traffic outside the VPN.
- key: ExcludeCellularServices
title: Exclude cellular services
type: <boolean>
presence: optional
default: true
content: If `true` and `IncludeAllNetworks` is `true`, then the system excludes
internet-routable network traffic for cellular services (VoLTE, Wi-Fi
Calling, IMS, MMS, Visual Voicemail, etc.) from the tunnel. Note that
some cellular carriers route cellular services traffic directly to the
carrier network, bypassing the internet. The device always excludes such
cellular services traffic from the tunnel.
- key: ExcludeAPNs
title: Exclude APNs
type: <boolean>
presence: optional
default: true
content: If `true` and `IncludeAllNetworks` is `true`, then the system excludes
the network traffic for the Apple Push Notification service (APNs) from
the tunnel.
- key: ExcludeDeviceCommunication
title: Exclude device communication
type: <boolean>
presence: optional
default: true
content: If set to `true` and `IncludeAllNetworks` is set to `true`, the
device excludes network traffic used for communicating with devices connected
via USB or Wi-Fi from the tunnel.
- key: Idle
title: Disconnect on idle settings.
type: <dictionary>
presence: optional
content: Specifies details about how the system handles idle VPN connections.
subkeys:
- key: Disconnect
title: Enable disconnect on idle
type: <boolean>
presence: optional
default: false
content: If `true`, disconnects after an on-demand connection idles.
- key: Timer
title: Disconnect on idle time
type: <integer>
presence: optional
content: The length of time to wait, in seconds, before disconnecting an
on-demand connection.
- key: DeadPeerDetectionRate
title: Dead peer detection rate
type: <string>
presence: optional
rangelist:
- None
- Low
- Medium
- High
default: Medium
content: |-
One of the following:
- `None`: No keepalive.
- `Low`: Send keepalive every 30 minutes.
- `Medium`: Send keepalive every 10 minutes.
- `High`: Send keepalive every 1 minute.
- key: OnDemand
title: On demand details
type: <dictionary>
presence: optional
content: Specifies details about how the system controls on-demand VPN.
subkeys:
- key: Enabled
title: Enable VPN on demand
type: <boolean>
presence: optional
default: false
content: If `true`, enables VPN On Demand.
- key: DisableUserOverride
title: Prevent users from toggling VPN on demand
supportedOS:
macOS:
introduced: n/a
type: <boolean>
presence: optional
default: false
content: If `true`, the Connect On Demand toggle in Settings is disabled
for this configuration.
- key: Rules
title: On demand rules
type: <array>
presence: optional
content: An array of dictionaries defining On Demand Rules.
subkeytype: RulesElement
subkeys:
- key: RulesElement
title: Rules element
type: <dictionary>
subkeys:
- key: Action
title: On demand action
type: <string>
presence: required
rangelist:
- Allow
- Connect
- Disconnect
- EvaluateConnection
- Ignore
content: |-
The action to take if this dictionary matches the current network. Possible values are:
- `Allow`: Deprecated. Allow VPN On Demand to connect if triggered.
- `Connect`: Unconditionally initiate a VPN connection on the next network attempt.
- `Disconnect`: Tear down the VPN connection and don't reconnect on demand as long as this dictionary matches.
- `EvaluateConnection`: Evaluate the ActionParameters array for each connection attempt.
- `Ignore`: Leave any existing VPN connection up, but don't reconnect on demand as long as this dictionary matches.
- key: ActionParameters
title: Action parameters
type: <array>
presence: optional
content: An array of dictionaries that provides rules similar to the
`OnDemandRules` dictionary, but evaluated on each connection instead
of when the network changes. This value is only for use with dictionaries
in which the `Action` value is `EvaluateConnection`. The system evaluates
these dictionaries in order and the first dictionary that matches
determines the behavior.
subkeys:
- key: ActionParameter
title: Action parameter
type: <dictionary>
presence: optional
content: |-
A dictionary that provides rules similar to the OnDemandRules dictionary, but evaluated on each connection instead of when the network changes. These dictionaries are evaluated in order, and the behavior is determined by the first dictionary that matches.
The keys allowed in each dictionary are described below. Note: This array is used only for dictionaries in which EvaluateConnection is the Action value.
subkeys:
- key: Domains
title: Domains
type: <array>
presence: required
content: The domains to apply this evaluation.
subkeys:
- key: DomainsElement
title: Domains element
type: <string>
- key: DomainAction
title: Domain action
type: <string>
presence: required
rangelist:
- ConnectIfNeeded
- NeverConnect
content: |-
Defines the VPN behavior for the specified domains. Allowed values are:
* 'ConnectIfNeeded': The specified domains should trigger a VPN connection attempt if domain name resolution fails, such as when the DNS server indicates that it can't resolve the domain, responds with a redirection to a different server, or fails to respond (timeout).
* 'NeverConnect': The specified domains should never trigger a VPN connection attempt.
- key: RequiredDNSServers
title: Required DNS servers
type: <array>
presence: optional
content: |-
An array of IP addresses of DNS servers to use for resolving the specified domains. These servers don't need to be part of the device's current network configuration. If these DNS servers aren't reachable, the system establishes a VPN connection. These DNS servers need to be either internal DNS servers or trusted external DNS servers.
This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'.
subkeys:
- key: RequiredDNSServersElement
title: Required DNS servers element
type: <string>
- key: RequiredURLStringProbe
title: Required URL string probe
type: <string>
presence: optional
content: |-
An HTTP or HTTPS (preferred) URL to probe, using a GET request. If the URL's hostname can't be resolved, if the server is unreachable, or if the server doesn't respond with a 200 HTTP status code, a VPN connection is established in response.
This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'.
- key: DNSDomainMatch
title: DNS domain match
type: <array>
presence: optional
content: |-
An array of domain names. This rule matches if any of the domain names in the specified list matches any domain in the device's search domains list.
The system supports a wildcard (`*`) prefix. For example, `*.example.com` matches against either `mydomain.example.com` or `yourdomain.example.com`.
subkeys:
- key: DNSDomainMatchElement
title: DNS domain match element
type: <string>
- key: DNSServerAddressMatch
title: DNS server address match
type: <array>
presence: optional
content: |-
An array of IP addresses. This rule matches if any of the network's specified DNS servers match any entry in the array.
The system supports matching with a single wildcard. For example, `17.*` matches any DNS server in the `17.0.0.0/8` subnet.
subkeys:
- key: DNSServerAddressMatchElement
title: DNS server address match element
type: <string>
- key: InterfaceTypeMatch
title: Interface type match
type: <string>
presence: optional
rangelist:
- Ethernet
- WiFi
- Cellular
content: An interface type. If specified, this rule matches only if
the primary network interface hardware matches the specified type.
- key: SSIDMatch
title: SSID match
type: <array>
presence: optional
content: |-
An array of SSIDs to match against the current network. If the network isn't a Wi-Fi network or if the SSID doesn't appear in this array, the match fails.
Omit this key and the corresponding array to match against any SSID.
subkeys:
- key: SSIDMatchElement
title: SSID match element
type: <string>
- key: URLStringProbe
title: URL string probe
type: <string>
presence: optional
content: A URL to probe. This rule matches when this URL is successfully
fetched (returns a `200` HTTP status code) without redirection.
- key: UseConfigurationAttributeInternalIPSubnet
title: Use IPv4 / IPv6 internal subnet attributes
type: <boolean>
presence: optional
default: false
content: If `true`, negotiations should use IKEv2 Configuration Attribute
`INTERNAL_IP4_SUBNET` and `INTERNAL_IP6_SUBNET`.
- key: DisableMOBIKE
title: Disable mobility and multihoming
type: <boolean>
presence: optional
default: false
content: If `true`, the system disables MOBIKE.
- key: DisableRedirect
title: Disable redirect
type: <boolean>
presence: optional
default: false
content: If `true`, the system disables IKEv2 redirect. If not set, the system
redirects an IKEv2 connection when it receives a redirect request from the
server.
- key: EnableNATKeepAliveOffload
title: Enable NAT keep alive offload
type: <boolean>
presence: optional
default: true
content: |-
If `true`, enables NAT keepalive offload for Always On VPN IKEv2 connections. The device sends keepalive packets to maintain NAT mappings for IKEv2 connections that have a NAT on the path. It sends keepalive packets at regular intervals when the device is awake. If `NATKeepAliveOffloadEnable` is `true`, the system offloads keepalive packets to hardware while the device is asleep.
NAT keepalive offload has an impact on the battery life due to the extra workload during sleep. The default interval for the keepalive offload packets is 20 seconds over Wi-Fi and 110 seconds over Cellular interface. The default NAT keepalive works well on networks with small NAT mapping timeouts but imposes a potential battery impact. If a network has larger NAT mapping timeouts, larger keepalive intervals may be safely used to minimize battery impact. Modify the keepalive interval through the `NATKeepAliveInterval` key.
- key: NATKeepAliveInterval
title: NAT keepalive interval
type: <integer>
presence: optional
default: 20
content: The NAT Keepalive interval for Always On VPN IKEv2 connections. This
value controls the interval that the device sends keepalive offload packets.
The minimum value is 20 seconds. If no key is specified, the default is
20 seconds over Wi-Fi and 110 seconds over a cellular interface.
- key: EnablePFS
title: Enable perfect forward secrecy
type: <boolean>
presence: optional
default: false
content: If `true`, enables Perfect Forward Secrecy (PFS) for IKEv2 Connections.
- key: EnableCertificateRevocationCheck
title: Enable certificate revocation check
type: <boolean>
presence: optional
default: false
content: If `true`, the system performs a certificate revocation check for
IKEv2 connections. This is a best-effort revocation check and server response
timeouts won't cause it to fail.
- key: EnableFallback
title: Enable fallback
supportedOS:
macOS:
introduced: n/a
type: <boolean>
presence: optional
default: false
content: |-
If `true`, the system enables a tunnel over cellular data to carry traffic that's eligible for Wi-Fi Assist and also requires VPN.
Enabling fallback requires that the server support multiple tunnels for a single user.
- key: MTU
title: Maximum transmission unit
type: <integer>
presence: optional
range:
min: 1280
max: 1400
default: 1280
content: The Maximum Transmission Unit (MTU) specifies the maximum size in
bytes of each packet that the system sends over the IKEv2 VPN interface.
- key: EnforceStrictAlgorithmSelection
title: Enforce strict algorithm selection
type: <boolean>
presence: optional
default: false
content: If set to `true`, the device doesn't allow DES, 3DES, and Diffie-Hellman
groups less than 14. Also the device requires the encryption algorithm specified
in `IKESecurityAssociationParameters` to be at least as cryptographically
strong as the algorithm specified in `ChildSecurityAssociationParameters`.
The device rejects this configuration if these requirements aren't met.
- key: PostQuantumKeyExchange
title: Post quantum key exchange
type: <dictionary>
presence: optional
content: Post Quantum Key Exchange settings.
subkeys:
- key: PPK
title: Post-quantum pre-shared key
type: <data>
presence: optional
content: The Post-quantum Pre-shared key (PPK) the device uses for this
VPN. This key is is used with VPN servers that support RFC 8784. If this
key is present `PPKIdentifier` must also be present.
- key: PPKIdentifier
title: Post-quantum pre-shared key identifier
type: <string>
presence: optional
content: The identifier for the Post-quantum Pre-shared key (PPK) the device
uses for this VPN. This key is is used with VPN servers that support RFC
8784. If this key is present `PPK` must also be present.
- key: PPKMandatory
title: Post-quantum pre-shared key mandatory
type: <boolean>
presence: optional
default: true
content: If set to `true`, the VPN doesn't establish a connection if the
server doesn't support RFC 8784 or doesn't accept the PPK identifier specified
in `PPKIdentifier`. The device ignores this key if `PPK` and `PPKIdentifier`
aren't present.
- key: AllowFallback
title: Allow post-quantum key exchange fallback
type: <boolean>
presence: optional
default: false
content: If set to `false`, the VPN doesn't establish a connection if the
server doesn't support or doesn't allow post-quantum key exchanges. Thd
device ignores this key if `PostQuantumKeyExchangeMethods` isn't present
in `IKESecurityAssociationParameters` or `ChildSecurityAssociationParameters`.
- key: IKESecurityAssociationParameters
title: IKE security association parameters
type: <dictionary>
presence: optional
content: These parameters apply to Child Security Association unless `ChildSecurityAssociationParameters`
is specified.
subkeytype: SecurityAssociationParameters
subkeys: &id001
- key: EncryptionAlgorithm
title: Encryption algorithm
type: <string>
presence: optional
rangelist:
- AES-128
- AES-256
- AES-128-GCM
- AES-256-GCM
- ChaCha20Poly1305
default: AES-256
content: |-
The encryption algorithm.
In tvOS the default value is `AES-256-GCM`.
- key: IntegrityAlgorithm
title: Integrity algorithm
type: <string>
presence: optional
rangelist:
- SHA2-256
- SHA2-384
- SHA2-512
default: SHA2-256
content: The integrity algorithm.
- key: DiffieHellmanGroup
title: Diffie hellman group
type: <integer>
presence: optional
rangelist:
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 31
- 32
default: 14
content: |-
The Diffie-Hellman group.
For `AlwaysOn` VPN, the minimum allowed value is `14`.
- key: PostQuantumKeyExchangeMethods
title: Post-quantum key exchange methods
type: <array>
presence: optional
content: An array of integers representing postquantum key exchange methods
the device uses during SA establishment and rekey. You can specify up
to seven items, which correspond to ADDKE1 - ADDKE7 from RFC 9370.
subkeys:
- key: PostQuantumKeyExchangeMethod
title: Post-quantum key exchange method
type: <integer>
rangelist:
- 0
- 36
- 37
- key: LifeTimeInMinutes
title: Life time in minutes
type: <integer>
presence: optional
range:
min: 10
max: 1440
default: 1440
content: The SA lifetime (rekey interval) in minutes.
- key: ChildSecurityAssociationParameters
title: Child security association parameters
type: <dictionary>
presence: optional
content: The `ChildSecurityAssociationParameters` dictionaries.
subkeytype: SecurityAssociationParameters
subkeys: *id001
- key: ServiceExceptions
title: Service exceptions
type: <array>
presence: optional
content: An array that contains an arbitrary number of service exceptions.
subkeys:
- key: ServiceExceptionElement
title: A service exception element
type: <dictionary>
subkeys:
- key: ServiceName
title: Service name
type: <string>
presence: required
rangelist:
- VoiceMail
- AirPrint
- CellularServices
- DeviceCommunication
content: |-
The name of a service that's exempt from Always On VPN.
`CellularServices` exempts `VoLTE`, `IMS`, `MMS`, and Wi-Fi calling.
`DeviceCommunication` exempts network traffic used for communicating with devices connected via USB or Wi-Fi.
- key: Action
title: Action
type: <string>
presence: required
rangelist:
- Allow
- Drop
content: The action to take with network connections from the named service.
- key: ApplicationExceptions
title: Application exceptions
type: <array>
presence: optional
content: An array that contains an arbitrary number of apps whose connections occur
outside the VPN.
subkeys:
- key: ApplicationExceptionElement
title: A application exception element
type: <dictionary>
subkeys:
- key: BundleIdentifier
title: Bundle identifier
type: <string>
presence: required
content: The app's bundle identifier.
- key: LimitToProtocols
title: Limit to protocols
type: <array>
presence: optional
content: Limit the exception to only the specified list of protocols, with support
for `UDP` only.
subkeys:
- key: LimitToProtocolElement
title: Limit to protocol element
type: <string>
rangelist:
- UDP
- key: AllowCaptiveWebSheet
title: Allow captive web sheet
type: <boolean>
presence: optional
default: false
content: If `true`, allows traffic from Captive Web Sheet outside the VPN tunnel.
- key: AllowAllCaptiveNetworkPlugins
title: Allow all captive network plugins
type: <boolean>
presence: optional
default: false
content: If `true`, allows traffic from all captive networking apps outside the
VPN tunnel to perform captive network handling.
- key: AllowedCaptiveNetworkPlugins
title: Allowed captive network plugins
type: <array>
presence: optional
content: The array of captive networking apps whose traffic is allowed outside the
VPN tunnel, to perform captive network handling. Used only when `AllowAllCaptiveNetworkPlugins`
is `false`.
subkeys:
- key: AllowedCaptiveNetworkPluginElement
title: An allowed captive network plugin element
type: <dictionary>
subkeys:
- key: BundleIdentifier
title: Bundle identifier
type: <string>
presence: required
content: The bundle identifier for the app that's allowed on the captive network.
- key: DNS
title: DNS
type: <dictionary>
presence: optional
content: A dictionary to use for all VPN types.
subkeys:
- key: Protocol
title: DNS protocol
type: <string>
presence: required
rangelist:
- Cleartext
- HTTPS
- TLS
content: The transport protocol to communicate with the DNS server.
- key: ServerURL
title: Server URL
type: <string>
presence: optional
content: The URI template of a DNS-over-HTTPS server, as defined in RFC 8484,
which needs to use the `https://` scheme. The system uses the hostname or address
in the URL to validate the server certificate. If `ServerAddresses` isn't specified,
the system uses the hostname or address in the URL to determine the server addresses.
This key is required if the `DNSProtocol` is `HTTPS`.
- key: ServerName
title: Server name
type: <string>
presence: optional
content: The hostname of a DNS-over-TLS server to validate the server certificate,
as defined in RFC 7858. If `ServerAddresses` isn't specified, the system uses
the hostname to determine the server addresses. This key is required if the
`DNSProtocol` is `TLS`.
- key: ServerAddresses
title: DNS server addresses
type: <array>
presence: required
content: The array of DNS server IP address strings. These IP addresses can be
a mixture of IPv4 and IPv6 addresses.
subkeys:
- key: ServerAddressesElement
title: Server address element
type: <string>
- key: SearchDomains
title: DNS search domains
type: <array>
presence: optional
content: The list of domain strings used to fully qualify single-label host names.
subkeys:
- key: SearchDomainsElement
title: Search domains element
type: <string>
- key: DomainName
title: Domain name
type: <string>
presence: optional
content: The primary domain of the tunnel.
- key: SupplementalMatchDomains
title: Supplemental match domains
type: <array>
presence: optional
content: |-
The list of domain strings used to determine which DNS queries use the DNS resolver settings in `ServerAddresses`. The system uses this key to create a split DNS configuration where it resolves only hosts in certain domains using the tunnel's DNS resolver. The system uses the default resolver for hosts that aren't in one of the domains in this list.
If `SupplementalMatchDomains` contains the empty string it becomes the default domain.
Split-tunnel configurations can direct all DNS queries to the VPN DNS servers before the primary DNS servers. If the VPN tunnel becomes the network's default route, the servers listed in `ServerAddresses` become the default resolver and the system ignores the `SupplementalMatchDomains` list.
subkeys: &id002
- key: SupplementalMatchDomainsElement
title: Supplemental match domains element
type: <string>
- key: SupplementalMatchDomainsNoSearch
title: Supplemental match domains no search
type: <boolean>
presence: optional
default: false
content: If `true`, don't append the domains in the `SupplementalMatchDomains`
list to the resolver's list of search domains.
- key: IdentityAssetReference
title: Identity asset reference
type: <string>
assettypes:
- com.apple.asset.credential.acme
- com.apple.asset.credential.identity
- com.apple.asset.credential.scep
presence: optional
content: The identifier of a credential asset declaration that contains the identity
that the system uses to authenticate the user to the DNS resolver.
- key: Proxies
title: Proxies
type: <dictionary>
presence: optional
content: The dictionary to use to configure `Proxies` for use with `VPN`.
subkeys:
- key: AutoConfigEnable
title: Proxy auto config enable
type: <boolean>
presence: optional
default: false
content: If `true`, enables automatic proxy configuration.
- key: AutoDiscoveryEnable
title: Proxy auto discovery enable
type: <boolean>
presence: optional
default: true
content: If `true`, enables proxy auto discovery.
- key: AutoConfigURLString
title: Proxy server URL
type: <string>
presence: optional
content: The URL to the location of the proxy auto-configuration file. Used only
when `ProxyAutoConfigEnable` is `true`.
- key: SupplementalMatchDomains
title: Supplemental match domains
type: <array>
presence: optional
content: An array of domains that defines which hosts use proxy settings for hosts.
subkeys: *id002
- key: Protocol
title: Protocol
type: <dictionary>
presence: optional
content: The dictionary to use to configure HTTP servers for `Proxies` for use
with `VPN`.
subkeys:
- key: HTTP
title: HTTP protocol
type: <dictionary>
presence: optional
content: The dictionary to use to configure the HTTP (non-TLS) server.
subkeys:
- key: Enable
title: Enable HTTP
type: <boolean>
presence: optional
default: false
content: If `true`, enables proxy for HTTP traffic.
- key: HostName
title: HTTP host name
type: <string>
presence: optional
content: The host name of the HTTP proxy.
- key: Port
title: HTTP port
type: <integer>
presence: optional
range:
min: 0
max: 65535
content: The port number of the HTTP proxy. This field is required if `HostName`
is specified.
- key: HTTPS
title: HTTPS protocol
type: <dictionary>
presence: optional
content: The dictionary to use to configure the HTTPS (TLS) server.
subkeys:
- key: Enable
title: Enable HTTPS
type: <boolean>
presence: optional
default: false
content: If `true`, enables proxy for HTTPS traffic.
- key: HostName
title: HTTPS host name
type: <string>
presence: optional
content: The host name of the HTTPS proxy.
- key: Port
title: HTTPS port
type: <integer>
presence: optional
range:
min: 0
max: 65535
content: The port number of the HTTPS proxy. This field is required if `HostName`
is specified.
- key: CredentialsAssetReference
title: Credentials asset reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
presence: optional
content: The identifier of an asset declaration that contains the credentials
(user name and password) to authenticate with the proxy server.
examples:
title: Configuration example
files:
- description: This configuration sets up an always-on IKEv2 VPN for both Cellular
and Wi-Fi interfaces using certificate authentication.
file: examples/declarative/declarations/configurations/network.vpn.always-on/example1.json
@@ -0,0 +1,854 @@
title: Network:VPN:IKEV2
description: The declaration to configure a VPN using the IKEv2 sub-type.
payload:
declarationtype: com.apple.configuration.network.vpn.ikev2
supportedOS:
iOS:
introduced: '27.0'
allowed-enrollments:
- supervised
- device
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
macOS:
introduced: '27.0'
allowed-enrollments:
- supervised
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '27.0'
allowed-enrollments:
- supervised
- device
- local
allowed-scopes:
- system
visionOS:
introduced: '27.0'
allowed-enrollments:
- supervised
- device
- local
allowed-scopes:
- system
watchOS:
introduced: n/a
apply: multiple
payloadkeys:
- key: VisibleName
title: Visible name
type: <string>
presence: required
content: The name of the VPN connection that the system displays on the device.
- key: HostName
title: Host name
type: <string>
presence: required
content: The IP address or hostname of the VPN server.
- key: LocalIdentifier
title: Local identifier
type: <string>
presence: required
content: Identifier of the IKEv2 client.
- key: RemoteIdentifier
title: Remote identifier
type: <string>
presence: required
content: The remote identifier.
- key: Authentication
title: Authentication details
type: <dictionary>
presence: required
content: Settings that control authentication.
subkeys:
- key: Method
title: Authentication method
type: <string>
presence: required
rangelist:
- None
- SharedSecret
- Certificate
content: |-
The type of authentication method for the VPN.
To enable EAP-only authentication, set this to `None` and `ExtendedAuthEnabled` to `true`. If this is `None` and the `ExtendedAuthEnabled` key isn't set, the authentication configuration defaults to `SharedSecret`.
- key: CredentialsAssetReference
title: Credentials asset reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
presence: optional
content: The identifier of an asset declaration that contains the credentials
(password) to authenticate with the VPN server. Required when `Authentication.Method`
is set to `SharedSecret`.
- key: IdentityCertificateType
title: Certificate type
type: <string>
presence: optional
rangelist:
- RSA
- ECDSA256
- ECDSA384
- ECDSA521
- RSA-PSS
default: RSA
content: The type of key used by the identity set in the `IdentityAssetReference`
to use for IKEv2 machine authentication. If this key is included, the system
requires a value for `ServerCertificateIssuerCommonName`.
- key: IdentityAssetReference
title: Identity asset reference
type: <string>
assettypes:
- com.apple.asset.credential.acme
- com.apple.asset.credential.identity
- com.apple.asset.credential.scep
presence: optional
content: The identifier of a credential asset declaration that contains the identity
that this account requires to authenticate with the VPN server. If the value
of `AuthenticationMethod` is `Certificate`, the system sends this certificate
out for IKEv2 machine authentication. If extended authentication (EAP) is used,
the system sends this certificate out for EAP-TLS authentication. Required when
`Authentication.Method` is set to `Certificate`.
- key: ExtendedAuth
title: Extended authentication (EAP)
type: <dictionary>
presence: optional
content: Specifies details about how the VPN routes different types of network
traffic.
subkeys:
- key: Enabled
title: Enabled
type: <boolean>
presence: optional
default: false
content: If `true`, enables EAP-only authentication.
- key: CredentialsAssetReference
title: Credentials asset reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
presence: optional
content: The identifier of an asset declaration that contains the credentials
(user name and password) to authenticate with the VPN server. Required when
`Enabled` is set to `true`. Implies the use of EAP-MSCHAPv2.
- key: ServerCertificateIssuerCommonName
title: Server certificate issuer common name
type: <string>
presence: optional
content: Common Name of the server certificate issuer. If set, this field causes
IKE to send a certificate request based on this certificate issuer to the
server. This key is required if the `IdentityCertificateType` key is included
and the `ExtendedAuth.Enabled` key is `true`.
- key: ServerCertificateCommonName
title: Server certificate common name
type: <string>
presence: optional
content: The common name of the server certificate. The system uses this name
to validate the certificate sent by the IKE server. If not set, the system
uses the remote identifier to validate the certificate.
- key: TLSMinimumVersion
title: TLS minimum version
type: <string>
presence: optional
rangelist:
- '1.0'
- '1.1'
- '1.2'
- '1.3'
default: '1.0'
content: The minimum TLS version to use with EAP-TLS authentication.
- key: TLSMaximumVersion
title: TLS maximum version
type: <string>
presence: optional
rangelist:
- '1.0'
- '1.1'
- '1.2'
- '1.3'
default: '1.2'
content: The maximum TLS version to use with EAP-TLS authentication.
- key: Provider
title: Provider details
type: <dictionary>
presence: optional
content: Specifies details about the provider.
subkeys:
- key: Type
title: Type
type: <string>
presence: optional
rangelist:
- packet-tunnel
- app-proxy
default: packet-tunnel
content: The type of VPN service. If the value is `app-proxy`, the service tunnels
traffic at the app level. If the value is `packet-tunnel`, the service tunnels
traffic at the IP layer.
- key: ComposedIdentifier
title: Composed identifier
type: <string>
presence: optional
content: |-
In iOS, tvOS, and visionOS, the identifier is a bundle ID, for example, "com.example.app".
In macOS, the identifier is a composed identifier. The format of the composed identifier is either "Bundle-ID" or "Bundle-ID {Designated-Requirement}". "Bundle-ID" is the bundle identifier string of the provider. "Designated-Requirement" is the designated requirement string from the code signature of the provider. For example, "com.example.app" for the bundle ID format, or "com.example.app {anchor apple generic}" for the designated requirement format.
- key: NetworkRouting
title: Network routing details
supportedOS:
tvOS:
introduced: n/a
type: <dictionary>
presence: optional
content: Specifies details about how the VPN routes different types of network traffic.
subkeys:
- key: EnforceRoutes
title: Enforce routes
type: <boolean>
presence: optional
default: false
content: |-
If `true`, all the VPN's non-default routes take precedence over any locally defined routes.
If `IncludeAllNetworks` is `true`, the system ignores the value of `EnforceRoutes`.
- key: IncludeAllNetworks
title: Include all networks
type: <boolean>
presence: optional
default: false
content: |-
If `true`, routes all traffic through the VPN, with some exclusions. Several of the exclusions can be controlled with the `ExcludeLocalNetworks`, `ExcludeCellularServices`, `ExcludeAPNs` and `ExcludeDeviceCommunication` properties. The following traffic is always excluded from the tunnel:
- Traffic necessary for connecting and maintaining the device's network connection, such as DHCP.
- Traffic necessary for connecting to captive networks.
- Certain cellular services traffic that's not routable over the internet and is instead directly routed to the cellular network. See the ExcludeCellularServices property for more details.
- key: ExcludeLocalNetworks
title: Exclude local networks
type: <boolean>
presence: optional
content: If `true` and `IncludeAllNetworks` is `true`, routes all local network
traffic outside the VPN.
- key: ExcludeCellularServices
title: Exclude cellular services
type: <boolean>
presence: optional
default: true
content: If `true` and `IncludeAllNetworks` is `true`, then the system excludes
internet-routable network traffic for cellular services (VoLTE, Wi-Fi Calling,
IMS, MMS, Visual Voicemail, etc.) from the tunnel. Note that some cellular carriers
route cellular services traffic directly to the carrier network, bypassing the
internet. Such cellular services traffic is always excluded from the tunnel.
- key: ExcludeAPNs
title: Exclude APNs
type: <boolean>
presence: optional
default: true
content: If `true` and `IncludeAllNetworks` is `true`, then the system excludes
the network traffic for the Apple Push Notification service (APNs) from the
tunnel.
- key: ExcludeDeviceCommunication
title: Exclude device communication
type: <boolean>
presence: optional
default: true
content: If set to `true` and `IncludeAllNetworks` is set to `true`, the device
excludes network traffic used for communicating with devices connected via USB
or Wi-Fi from the tunnel.
- key: Idle
title: Disconnect on idle settings.
type: <dictionary>
presence: optional
content: Specifies details about how the system handles idle VPN connections.
subkeys:
- key: Disconnect
title: Enable disconnect on idle
type: <boolean>
presence: optional
default: false
content: If `true`, disconnects after an on-demand connection idles.
- key: Timer
title: Disconnect on idle time
type: <integer>
presence: optional
content: The length of time to wait, in seconds, before disconnecting an on-demand
connection.
- key: DeadPeerDetectionRate
title: Dead peer detection rate
type: <string>
presence: optional
rangelist:
- None
- Low
- Medium
- High
default: Medium
content: |-
One of the following:
- `None`: No keepalive.
- `Low`: Send keepalive every 30 minutes.
- `Medium`: Send keepalive every 10 minutes.
- `High`: Send keepalive every 1 minute.
- key: OnDemand
title: On demand details
type: <dictionary>
presence: optional
content: Specifies details about how the system controls on-demand VPN.
subkeys:
- key: Enabled
title: Enable VPN on demand
type: <boolean>
presence: optional
default: false
content: If `true`, enables VPN On Demand.
- key: DisableUserOverride
title: Prevent users from toggling VPN on demand
supportedOS:
macOS:
introduced: n/a
type: <boolean>
presence: optional
default: false
content: If `true`, the device disables the Connect On Demand toggle in Settings
for this configuration.
- key: Rules
title: On demand rules
type: <array>
presence: optional
content: An array of dictionaries defining On Demand Rules.
subkeytype: RulesElement
subkeys:
- key: RulesElement
title: Rules element
type: <dictionary>
subkeys:
- key: Action
title: On demand action
type: <string>
presence: required
rangelist:
- Allow
- Connect
- Disconnect
- EvaluateConnection
- Ignore
content: |-
The action to take if this dictionary matches the current network. Possible values are:
- `Allow`: Deprecated. Allow VPN On Demand to connect if triggered.
- `Connect`: Unconditionally initiate a VPN connection on the next network attempt.
- `Disconnect`: Tear down the VPN connection and don't reconnect on demand as long as this dictionary matches.
- `EvaluateConnection`: Evaluate the ActionParameters array for each connection attempt.
- `Ignore`: Leave any existing VPN connection up, but don't reconnect on demand as long as this dictionary matches.
- key: ActionParameters
title: Action parameters
type: <array>
presence: optional
content: An array of dictionaries that provides rules similar to the `OnDemandRules`
dictionary, but evaluated on each connection instead of when the network
changes. This value is only for use with dictionaries in which the `Action`
value is `EvaluateConnection`. The system evaluates these dictionaries in
order and the first dictionary that matches determines the behavior.
subkeys:
- key: ActionParameter
title: Action parameter
type: <dictionary>
presence: optional
content: |-
A dictionary that provides rules similar to the OnDemandRules dictionary, but evaluated on each connection instead of when the network changes. These dictionaries are evaluated in order, and the behavior is determined by the first dictionary that matches.
The keys allowed in each dictionary are described below. Note: This array is used only for dictionaries in which EvaluateConnection is the Action value.
subkeys:
- key: Domains
title: Domains
type: <array>
presence: required
content: The domains to apply this evaluation.
subkeys:
- key: DomainsElement
title: Domains element
type: <string>
- key: DomainAction
title: Domain action
type: <string>
presence: required
rangelist:
- ConnectIfNeeded
- NeverConnect
content: |-
Defines the VPN behavior for the specified domains. Allowed values are:
* 'ConnectIfNeeded': The specified domains should trigger a VPN connection attempt if domain name resolution fails, such as when the DNS server indicates that it can't resolve the domain, responds with a redirection to a different server, or fails to respond (timeout).
* 'NeverConnect': The specified domains should never trigger a VPN connection attempt.
- key: RequiredDNSServers
title: Required DNS servers
type: <array>
presence: optional
content: |-
An array of IP addresses of DNS servers to use for resolving the specified domains. These servers don't need to be part of the device's current network configuration. If these DNS servers aren't reachable, the system establishes a VPN connection. These DNS servers need to be either internal DNS servers or trusted external DNS servers.
This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'.
subkeys:
- key: RequiredDNSServersElement
title: Required DNS servers element
type: <string>
- key: RequiredURLStringProbe
title: Required URL string probe
type: <string>
presence: optional
content: |-
An HTTP or HTTPS (preferred) URL to probe, using a GET request. If the URL's hostname can't be resolved, if the server is unreachable, or if the server doesn't respond with a 200 HTTP status code, a VPN connection is established in response.
This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'.
- key: DNSDomainMatch
title: DNS domain match
type: <array>
presence: optional
content: |-
An array of domain names. This rule matches if any of the domain names in the specified list matches any domain in the device's search domains list.
The system supports a wildcard (`*`) prefix. For example, `*.example.com` matches against either `mydomain.example.com` or `yourdomain.example.com`.
subkeys:
- key: DNSDomainMatchElement
title: DNS domain match element
type: <string>
- key: DNSServerAddressMatch
title: DNS server address match
type: <array>
presence: optional
content: |-
An array of IP addresses. This rule matches if any of the network's specified DNS servers match any entry in the array.
The system supports matching with a single wildcard. For example, `17.*` matches any DNS server in the `17.0.0.0/8` subnet.
subkeys:
- key: DNSServerAddressMatchElement
title: DNS server address match element
type: <string>
- key: InterfaceTypeMatch
title: Interface type match
type: <string>
presence: optional
rangelist:
- Ethernet
- WiFi
- Cellular
content: An interface type. If specified, this rule matches only if the primary
network interface hardware matches the specified type.
- key: SSIDMatch
title: SSID match
type: <array>
presence: optional
content: |-
An array of SSIDs to match against the current network. If the network isn't a Wi-Fi network or if the SSID doesn't appear in this array, the match fails.
Omit this key and the corresponding array to match against any SSID.
subkeys:
- key: SSIDMatchElement
title: SSID match element
type: <string>
- key: URLStringProbe
title: URL string probe
type: <string>
presence: optional
content: A URL to probe. This rule matches when this URL is successfully fetched
(returns a `200` HTTP status code) without redirection.
- key: UseConfigurationAttributeInternalIPSubnet
title: Use IPv4 / IPv6 internal subnet attributes
type: <boolean>
presence: optional
default: false
content: If `true`, negotiations should use IKEv2 Configuration Attribute `INTERNAL_IP4_SUBNET`
and `INTERNAL_IP6_SUBNET`.
- key: DisableMOBIKE
title: Disable mobility and multihoming
type: <boolean>
presence: optional
default: false
content: If `true`, the system disables MOBIKE.
- key: DisableRedirect
title: Disable redirect
type: <boolean>
presence: optional
default: false
content: If `true`, the system disables IKEv2 redirect. If not set, the system redirects
an IKEv2 connection when it receives a redirect request from the server.
- key: EnableNATKeepAliveOffload
title: Enable NAT keep alive offload
type: <boolean>
presence: optional
default: true
content: |-
If `true`, enables NAT keepalive offload for Always On VPN IKEv2 connections. The device sends keepalive packets to maintain NAT mappings for IKEv2 connections that have a NAT on the path. It sends keepalive packets at regular intervals when the device is awake. If `NATKeepAliveOffloadEnable` is `true`, the system offloads keepalive packets to hardware while the device is asleep.
NAT keepalive offload has an impact on the battery life due to the extra workload during sleep. The default interval for the keepalive offload packets is 20 seconds over Wi-Fi and 110 seconds over Cellular interface. The default NAT keepalive works well on networks with small NAT mapping timeouts but imposes a potential battery impact. If a network has larger NAT mapping timeouts, larger keepalive intervals may be safely used to minimize battery impact. Modify the keepalive interval through the `NATKeepAliveInterval` key.
- key: NATKeepAliveInterval
title: NAT keepalive interval
type: <integer>
presence: optional
default: 20
content: The NAT Keepalive interval for Always On VPN IKEv2 connections. This value
controls the interval that the device sends keepalive offload packets. The minimum
value is 20 seconds. If no key is specified, the default is 20 seconds over Wi-Fi
and 110 seconds over a cellular interface.
- key: EnablePFS
title: Enable perfect forward secrecy
type: <boolean>
presence: optional
default: false
content: If `true`, enables Perfect Forward Secrecy (PFS) for IKEv2 Connections.
- key: EnableCertificateRevocationCheck
title: Enable certificate revocation check
type: <boolean>
presence: optional
default: false
content: If `true`, the system performs a certificate revocation check for IKEv2
connections. This is a best-effort revocation check and server response timeouts
won't cause it to fail.
- key: EnableFallback
title: Enable fallback
supportedOS:
macOS:
introduced: n/a
type: <boolean>
presence: optional
default: false
content: |-
If `true`, the system enables a tunnel over cellular data to carry traffic that's eligible for Wi-Fi Assist and also requires VPN.
Enabling fallback requires that the server support multiple tunnels for a single user.
- key: MTU
title: Maximum transmission unit
type: <integer>
presence: optional
range:
min: 1280
max: 1400
default: 1280
content: The Maximum Transmission Unit (MTU) specifies the maximum size in bytes
of each packet that the system sends over the IKEv2 VPN interface.
- key: EnforceStrictAlgorithmSelection
title: Enforce strict algorithm selection
type: <boolean>
presence: optional
default: false
content: If set to `true`, the device doesn't allow DES, 3DES, and Diffie-Hellman
groups less than 14. Also the device requires the encryption algorithm specified
in `IKESecurityAssociationParameters` to be at least as cryptographically strong
as the algorithm specified in `ChildSecurityAssociationParameters`. The device
rejects this configuration if these requirements aren't met.
- key: PostQuantumKeyExchange
title: Post quantum key exchange
type: <dictionary>
presence: optional
content: Post Quantum Key Exchange settings.
subkeys:
- key: PPK
title: Post-quantum pre-shared key
type: <data>
presence: optional
content: The Post-quantum Pre-shared key (PPK) the device uses for this VPN. This
key is is used with VPN servers that support RFC 8784. If this key is present
`PPKIdentifier` must also be present.
- key: PPKIdentifier
title: Post-quantum pre-shared key identifier
type: <string>
presence: optional
content: The identifier for the Post-quantum Pre-shared key (PPK) the device uses
for this VPN. This key is is used with VPN servers that support RFC 8784. If
this key is present `PPK` must also be present.
- key: PPKMandatory
title: Post-quantum pre-shared key mandatory
type: <boolean>
presence: optional
default: true
content: If set to `true`, the VPN doesn't establish a connection if the server
doesn't support RFC 8784 or doesn't accept the PPK identifier specified in `PPKIdentifier`.
The device ignores this key if `PPK` and `PPKIdentifier` aren't present.
- key: AllowFallback
title: Allow post-quantum key exchange fallback
type: <boolean>
presence: optional
default: false
content: If set to `false`, the VPN doesn't establish a connection if the server
doesn't support or doesn't allow post-quantum key exchanges. Thd device ignores
this key if `PostQuantumKeyExchangeMethods` isn't present in `IKESecurityAssociationParameters`
or `ChildSecurityAssociationParameters`.
- key: IKESecurityAssociationParameters
title: IKE security association parameters
type: <dictionary>
presence: optional
content: These parameters apply to Child Security Association unless `ChildSecurityAssociationParameters`
is specified.
subkeytype: SecurityAssociationParameters
subkeys: &id001
- key: EncryptionAlgorithm
title: Encryption algorithm
type: <string>
presence: optional
rangelist:
- AES-128
- AES-256
- AES-128-GCM
- AES-256-GCM
- ChaCha20Poly1305
default: AES-256
content: |-
The encryption algorithm.
On tvOS, the default value is `AES-256-GCM`.
- key: IntegrityAlgorithm
title: Integrity algorithm
type: <string>
presence: optional
rangelist:
- SHA2-256
- SHA2-384
- SHA2-512
default: SHA2-256
content: The integrity algorithm.
- key: DiffieHellmanGroup
title: Diffie hellman group
type: <integer>
presence: optional
rangelist:
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 31
- 32
default: 14
content: |-
The Diffie-Hellman group.
For `AlwaysOn` VPN, the minimum allowed value is `14`.
- key: PostQuantumKeyExchangeMethods
title: Post-quantum key exchange methods
type: <array>
presence: optional
content: An array of integers representing postquantum key exchange methods the
device uses during SA establishment and rekey. You can specify up to seven items,
which correspond to ADDKE1 - ADDKE7 from RFC 9370.
subkeys:
- key: PostQuantumKeyExchangeMethod
title: Post-quantum key exchange method
type: <integer>
rangelist:
- 0
- 36
- 37
- key: LifeTimeInMinutes
title: Life time in minutes
type: <integer>
presence: optional
range:
min: 10
max: 1440
default: 1440
content: The SA lifetime (rekey interval) in minutes.
- key: ChildSecurityAssociationParameters
title: Child security association parameters
type: <dictionary>
presence: optional
content: The `ChildSecurityAssociationParameters` dictionaries.
subkeytype: SecurityAssociationParameters
subkeys: *id001
- key: DNS
title: DNS
type: <dictionary>
presence: optional
content: A dictionary to use for all VPN types.
subkeys:
- key: Protocol
title: DNS protocol
type: <string>
presence: required
rangelist:
- Cleartext
- HTTPS
- TLS
content: The transport protocol to communicate with the DNS server.
- key: ServerURL
title: Server URL
type: <string>
presence: optional
content: The URI template of a DNS-over-HTTPS server, as defined in RFC 8484,
which needs to use the `https://` scheme. The system uses the hostname or address
in the URL to validate the server certificate. If `ServerAddresses` isn't specified,
the system uses the hostname or address in the URL to determine the server addresses.
This key is required if the `DNSProtocol` is `HTTPS`.
- key: ServerName
title: Server name
type: <string>
presence: optional
content: The hostname of a DNS-over-TLS server to validate the server certificate,
as defined in RFC 7858. If `ServerAddresses` isn't specified, the system uses
the hostname to determine the server addresses. This key is required if the
`DNSProtocol` is `TLS`.
- key: ServerAddresses
title: DNS server addresses
type: <array>
presence: required
content: The array of DNS server IP address strings. These IP addresses can be
a mixture of IPv4 and IPv6 addresses.
subkeys:
- key: ServerAddressesElement
title: Server address element
type: <string>
- key: SearchDomains
title: DNS search domains
type: <array>
presence: optional
content: The list of domain strings used to fully qualify single-label host names.
subkeys:
- key: SearchDomainsElement
title: Search domains element
type: <string>
- key: DomainName
title: Domain name
type: <string>
presence: optional
content: The primary domain of the tunnel.
- key: SupplementalMatchDomains
title: Supplemental match domains
type: <array>
presence: optional
content: |-
The list of domain strings used to determine which DNS queries use the DNS resolver settings in `ServerAddresses`. The system uses this key to create a split DNS configuration where it resolves only hosts in certain domains using the tunnel's DNS resolver. The system uses the default resolver for hosts that aren't in one of the domains in this list.
If `SupplementalMatchDomains` contains the empty string it becomes the default domain.
Split-tunnel configurations can direct all DNS queries to the VPN DNS servers before the primary DNS servers. If the VPN tunnel becomes the network's default route, the servers listed in `ServerAddresses` become the default resolver and the system ignores the `SupplementalMatchDomains` list.
subkeys: &id002
- key: SupplementalMatchDomainsElement
title: Supplemental match domains element
type: <string>
- key: SupplementalMatchDomainsNoSearch
title: Supplemental match domains no search
type: <boolean>
presence: optional
default: false
content: If `true`, don't append the domains in the `SupplementalMatchDomains`
list to the resolver's list of search domains.
- key: IdentityAssetReference
title: Identity asset reference
type: <string>
assettypes:
- com.apple.asset.credential.acme
- com.apple.asset.credential.identity
- com.apple.asset.credential.scep
presence: optional
content: The identifier of a credential asset declaration that contains the identity
that the system uses to authenticate the user to the DNS resolver.
- key: Proxies
title: Proxies
type: <dictionary>
presence: optional
content: The dictionary to use to configure `Proxies` for use with `VPN`.
subkeys:
- key: AutoConfigEnable
title: Proxy auto config enable
type: <boolean>
presence: optional
default: false
content: If `true`, enables automatic proxy configuration.
- key: AutoDiscoveryEnable
title: Proxy auto discovery enable
type: <boolean>
presence: optional
default: true
content: If `true`, enables proxy auto discovery.
- key: AutoConfigURLString
title: Proxy server URL
type: <string>
presence: optional
content: The URL to the location of the proxy auto-configuration file. Used only
when `ProxyAutoConfigEnable` is `true`.
- key: SupplementalMatchDomains
title: Supplemental match domains
type: <array>
presence: optional
content: An array of domains that defines which hosts use proxy settings for hosts.
subkeys: *id002
- key: Protocol
title: Protocol
type: <dictionary>
presence: optional
content: The dictionary to use to configure HTTP servers for `Proxies` for use
with `VPN`.
subkeys:
- key: HTTP
title: HTTP protocol
type: <dictionary>
presence: optional
content: The dictionary to use to configure the HTTP (non-TLS) server.
subkeys:
- key: Enable
title: Enable HTTP
type: <boolean>
presence: optional
default: false
content: If `true`, enables proxy for HTTP traffic.
- key: HostName
title: HTTP host name
type: <string>
presence: optional
content: The host name of the HTTP proxy.
- key: Port
title: HTTP port
type: <integer>
presence: optional
range:
min: 0
max: 65535
content: The port number of the HTTP proxy. This field is required if `HostName`
is specified.
- key: HTTPS
title: HTTPS protocol
type: <dictionary>
presence: optional
content: The dictionary to use to configure the HTTPS (TLS) server.
subkeys:
- key: Enable
title: Enable HTTPS
type: <boolean>
presence: optional
default: false
content: If `true`, enables proxy for HTTPS traffic.
- key: HostName
title: HTTPS host name
type: <string>
presence: optional
content: The host name of the HTTPS proxy.
- key: Port
title: HTTPS port
type: <integer>
presence: optional
range:
min: 0
max: 65535
content: The port number of the HTTPS proxy. This field is required if `HostName`
is specified.
- key: CredentialsAssetReference
title: Credentials asset reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
presence: optional
content: The identifier of an asset declaration that contains the credentials
(user name and password) to authenticate with the proxy server.
examples:
title: Configuration examples
files:
- tab: Shared secret
description: This configuration sets up an IKEv2 VPN using a shared-secret credential
asset for authentication.
file: examples/declarative/declarations/configurations/network.vpn.ikev2/example1.json
- tab: Certificate
description: This configuration sets up an IKEv2 VPN using certificate-based machine
authentication and EAP-MSCHAPv2 for extended user authentication.
file: examples/declarative/declarations/configurations/network.vpn.ikev2/example2.json
@@ -0,0 +1,509 @@
title: Network:VPN:IPSec
description: The declaration to configure a VPN using the IPSec sub-type.
payload:
declarationtype: com.apple.configuration.network.vpn.ipsec
supportedOS:
iOS:
introduced: '27.0'
allowed-enrollments:
- supervised
- device
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
macOS:
introduced: '27.0'
allowed-enrollments:
- supervised
- local
allowed-scopes:
- system
tvOS:
introduced: n/a
visionOS:
introduced: '27.0'
allowed-enrollments:
- supervised
- device
- local
allowed-scopes:
- system
watchOS:
introduced: n/a
apply: multiple
payloadkeys:
- key: VisibleName
title: Visible name
type: <string>
presence: required
content: The name of the VPN connection that the system displays on the device.
- key: HostName
title: Host name
type: <string>
presence: required
content: The IP address or hostname of the VPN server.
- key: OverridePrimary
title: Override primary connection
type: <boolean>
presence: optional
default: false
content: If `true`, the system sends all network traffic over VPN.
- key: Authentication
title: Authentication details
type: <dictionary>
presence: required
content: Settings that control authentication.
subkeys:
- key: Method
title: Authentication method
type: <string>
presence: required
rangelist:
- SharedSecret
- Certificate
content: The authentication method to use.
- key: CredentialsAssetReference
title: Credentials asset reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
presence: optional
content: |-
The identifier of an asset declaration that contains the credentials
(password) to authenticate with the VPN servers.
Only use this with Cisco IPSec VPNs and if the `Authentication.Method` key is to `SharedSecret`.
- key: IdentityAssetReference
title: Identity asset reference
type: <string>
assettypes:
- com.apple.asset.credential.acme
- com.apple.asset.credential.identity
- com.apple.asset.credential.scep
presence: optional
content: |-
The identifier of a credential asset declaration that contains the identity
that this account requires to authenticate with the VPN servers.
Only use this with Cisco IPSec VPNs and if the `Authentication.Method` key is to `Certificate`.
- key: LocalIdentifier
title: Local identifier
type: <string>
presence: optional
content: |-
The name of the group. For hybrid authentication, the string needs to end with "hybrid".
Present only for Cisco IPSec if `Authentication.Method` is `SharedSecret`.
- key: LocalIdentifierType
title: Local identifier type
type: <string>
presence: optional
rangelist:
- KeyID
default: KeyID
content: Present only if `Authentication.Method` is `SharedSecret`. The value
is `KeyID`. The system uses this value for Cisco IPSec VPNs.
- key: PromptForVPNPIN
title: Prompt for PIN
type: <boolean>
presence: optional
default: false
content: If `true`, prompts for a PIN when connecting to Cisco IPSec VPNs.
- key: XAuth
title: XAuth details
type: <dictionary>
presence: optional
content: Settings that control XAuth.
subkeys:
- key: Enabled
title: XAuth enabled
type: <boolean>
presence: required
content: If `true`, enables Xauth for Cisco IPSec VPNs.
- key: CredentialsAssetReference
title: Credentials asset reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
presence: optional
content: The identifier of an asset declaration that contains the credentials
(user name and password) required for XAuth. Required when `Enabled` key is
set to `true`.
- key: PasswordEncryption
title: XAuth password encryption
type: <string>
presence: optional
rangelist:
- Prompt
content: A string that either has the value `Prompt` or isn't present.
- key: Idle
title: Disconnect on idle settings.
type: <dictionary>
presence: optional
content: Specifies details about how the system handles idle VPN connections.
subkeys:
- key: Disconnect
title: Enable disconnect on idle
type: <boolean>
presence: optional
default: false
content: If `true`, disconnects after an on-demand connection idles.
- key: Timer
title: Disconnect on idle time
type: <integer>
presence: optional
content: The length of time to wait, in seconds, before disconnecting an on-demand
connection.
- key: OnDemand
title: On demand details
type: <dictionary>
presence: optional
content: Specifies details about how the system controls on-demand VPN.
subkeys:
- key: Enabled
title: Enable VPN on demand
type: <boolean>
presence: optional
default: false
content: If `true`, enables VPN On Demand.
- key: DisableUserOverride
title: Prevent users from toggling VPN on demand
supportedOS:
macOS:
introduced: n/a
type: <boolean>
presence: optional
default: false
content: If `true`, the device disables the Connect On Demand toggle in Settings
for this configuration.
- key: Rules
title: On demand rules
type: <array>
presence: optional
content: An array of dictionaries defining On Demand Rules.
subkeytype: RulesElement
subkeys:
- key: RulesElement
title: Rules element
type: <dictionary>
subkeys:
- key: Action
title: On demand action
type: <string>
presence: required
rangelist:
- Allow
- Connect
- Disconnect
- EvaluateConnection
- Ignore
content: |-
The action to take if this dictionary matches the current network. Possible values are:
- `Allow`: Deprecated. Allow VPN On Demand to connect if triggered.
- `Connect`: Unconditionally initiate a VPN connection on the next network attempt.
- `Disconnect`: Tear down the VPN connection and don't reconnect on demand as long as this dictionary matches.
- `EvaluateConnection`: Evaluate the ActionParameters array for each connection attempt.
- `Ignore`: Leave any existing VPN connection up, but don't reconnect on demand as long as this dictionary matches.
- key: ActionParameters
title: Action parameters
type: <array>
presence: optional
content: An array of dictionaries that provides rules similar to the `OnDemandRules`
dictionary, but evaluated on each connection instead of when the network
changes. This value is only for use with dictionaries in which the `Action`
value is `EvaluateConnection`. The system evaluates these dictionaries in
order and the first dictionary that matches determines the behavior.
subkeys:
- key: ActionParameter
title: Action parameter
type: <dictionary>
presence: optional
content: |-
A dictionary that provides rules similar to the OnDemandRules dictionary, but evaluated on each connection instead of when the network changes. These dictionaries are evaluated in order, and the behavior is determined by the first dictionary that matches.
The keys allowed in each dictionary are described below. Note: This array is used only for dictionaries in which EvaluateConnection is the Action value.
subkeys:
- key: Domains
title: Domains
type: <array>
presence: required
content: The domains to apply this evaluation.
subkeys:
- key: DomainsElement
title: Domains element
type: <string>
- key: DomainAction
title: Domain action
type: <string>
presence: required
rangelist:
- ConnectIfNeeded
- NeverConnect
content: |-
Defines the VPN behavior for the specified domains. Allowed values are:
* 'ConnectIfNeeded': The specified domains should trigger a VPN connection attempt if domain name resolution fails, such as when the DNS server indicates that it can't resolve the domain, responds with a redirection to a different server, or fails to respond (timeout).
* 'NeverConnect': The specified domains should never trigger a VPN connection attempt.
- key: RequiredDNSServers
title: Required DNS servers
type: <array>
presence: optional
content: |-
An array of IP addresses of DNS servers to use for resolving the specified domains. These servers don't need to be part of the device's current network configuration. If these DNS servers aren't reachable, the system establishes a VPN connection. These DNS servers need to be either internal DNS servers or trusted external DNS servers.
This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'.
subkeys:
- key: RequiredDNSServersElement
title: Required DNS servers element
type: <string>
- key: RequiredURLStringProbe
title: Required URL string probe
type: <string>
presence: optional
content: |-
An HTTP or HTTPS (preferred) URL to probe, using a GET request. If the URL's hostname can't be resolved, if the server is unreachable, or if the server doesn't respond with a 200 HTTP status code, a VPN connection is established in response.
This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'.
- key: DNSDomainMatch
title: DNS domain match
type: <array>
presence: optional
content: |-
An array of domain names. This rule matches if any of the domain names in the specified list matches any domain in the device's search domains list.
The system supports a wildcard (`*`) prefix. For example, `*.example.com` matches against either `mydomain.example.com` or `yourdomain.example.com`.
subkeys:
- key: DNSDomainMatchElement
title: DNS domain match element
type: <string>
- key: DNSServerAddressMatch
title: DNS server address match
type: <array>
presence: optional
content: |-
An array of IP addresses. This rule matches if any of the network's specified DNS servers match any entry in the array.
The system supports matching with a single wildcard. For example, `17.*` matches any DNS server in the `17.0.0.0/8` subnet.
subkeys:
- key: DNSServerAddressMatchElement
title: DNS server address match element
type: <string>
- key: InterfaceTypeMatch
title: Interface type match
type: <string>
presence: optional
rangelist:
- Ethernet
- WiFi
- Cellular
content: An interface type. If specified, this rule matches only if the primary
network interface hardware matches the specified type.
- key: SSIDMatch
title: SSID match
type: <array>
presence: optional
content: |-
An array of SSIDs to match against the current network. If the network isn't a Wi-Fi network or if the SSID doesn't appear in this array, the match fails.
Omit this key and the corresponding array to match against any SSID.
subkeys:
- key: SSIDMatchElement
title: SSID match element
type: <string>
- key: URLStringProbe
title: URL string probe
type: <string>
presence: optional
content: A URL to probe. This rule matches when this URL is successfully fetched
(returns a `200` HTTP status code) without redirection.
- key: DNS
title: DNS
type: <dictionary>
presence: optional
content: A dictionary to use for all VPN types.
subkeys:
- key: Protocol
title: DNS protocol
type: <string>
presence: required
rangelist:
- Cleartext
- HTTPS
- TLS
content: The transport protocol to communicate with the DNS server.
- key: ServerURL
title: Server URL
type: <string>
presence: optional
content: The URI template of a DNS-over-HTTPS server, as defined in RFC 8484,
which needs to use the `https://` scheme. The system uses the hostname or address
in the URL to validate the server certificate. If `ServerAddresses` isn't specified,
the system uses the hostname or address in the URL to determine the server addresses.
This key is required if the `DNSProtocol` is `HTTPS`.
- key: ServerName
title: Server name
type: <string>
presence: optional
content: The hostname of a DNS-over-TLS server to validate the server certificate,
as defined in RFC 7858. If `ServerAddresses` isn't specified, the system uses
the hostname to determine the server addresses. This key is required if the
`DNSProtocol` is `TLS`.
- key: ServerAddresses
title: DNS server addresses
type: <array>
presence: required
content: The array of DNS server IP address strings. These IP addresses can be
a mixture of IPv4 and IPv6 addresses.
subkeys:
- key: ServerAddressesElement
title: Server address element
type: <string>
- key: SearchDomains
title: DNS search domains
type: <array>
presence: optional
content: The list of domain strings used to fully qualify single-label host names.
subkeys:
- key: SearchDomainsElement
title: Search domains element
type: <string>
- key: DomainName
title: Domain name
type: <string>
presence: optional
content: The primary domain of the tunnel.
- key: SupplementalMatchDomains
title: Supplemental match domains
type: <array>
presence: optional
content: |-
The list of domain strings used to determine which DNS queries use the DNS resolver settings in `ServerAddresses`. The system uses this key to create a split DNS configuration where it resolves only hosts in certain domains using the tunnel's DNS resolver. The system uses the default resolver for hosts that aren't in one of the domains in this list.
If `SupplementalMatchDomains` contains the empty string it becomes the default domain.
Split-tunnel configurations can direct all DNS queries to the VPN DNS servers before the primary DNS servers. If the VPN tunnel becomes the network's default route, the servers listed in `ServerAddresses` become the default resolver and the system ignores the `SupplementalMatchDomains` list.
subkeys: &id001
- key: SupplementalMatchDomainsElement
title: Supplemental match domains element
type: <string>
- key: SupplementalMatchDomainsNoSearch
title: Supplemental match domains no search
type: <boolean>
presence: optional
default: false
content: If `true`, don't append the domains in the `SupplementalMatchDomains`
list to the resolver's list of search domains.
- key: IdentityAssetReference
title: Identity asset reference
type: <string>
assettypes:
- com.apple.asset.credential.acme
- com.apple.asset.credential.identity
- com.apple.asset.credential.scep
presence: optional
content: The identifier of a credential asset declaration that contains the identity
that the system uses to authenticate the user to the DNS resolver.
- key: Proxies
title: Proxies
type: <dictionary>
presence: optional
content: The dictionary to use to configure `Proxies` for use with `VPN`.
subkeys:
- key: AutoConfigEnable
title: Proxy auto config enable
type: <boolean>
presence: optional
default: false
content: If `true`, enables automatic proxy configuration.
- key: AutoDiscoveryEnable
title: Proxy auto discovery enable
type: <boolean>
presence: optional
default: true
content: If `true`, enables proxy auto discovery.
- key: AutoConfigURLString
title: Proxy server URL
type: <string>
presence: optional
content: The URL to the location of the proxy auto-configuration file. Used only
when `ProxyAutoConfigEnable` is `true`.
- key: SupplementalMatchDomains
title: Supplemental match domains
type: <array>
presence: optional
content: An array of domains that defines which hosts use proxy settings for hosts.
subkeys: *id001
- key: Protocol
title: Protocol
type: <dictionary>
presence: optional
content: The dictionary to use to configure HTTP servers for `Proxies` for use
with `VPN`.
subkeys:
- key: HTTP
title: HTTP protocol
type: <dictionary>
presence: optional
content: The dictionary to use to configure the HTTP (non-TLS) server.
subkeys:
- key: Enable
title: Enable HTTP
type: <boolean>
presence: optional
default: false
content: If `true`, enables proxy for HTTP traffic.
- key: HostName
title: HTTP host name
type: <string>
presence: optional
content: The host name of the HTTP proxy.
- key: Port
title: HTTP port
type: <integer>
presence: optional
range:
min: 0
max: 65535
content: The port number of the HTTP proxy. This field is required if `HostName`
is specified.
- key: HTTPS
title: HTTPS protocol
type: <dictionary>
presence: optional
content: The dictionary to use to configure the HTTPS (TLS) server.
subkeys:
- key: Enable
title: Enable HTTPS
type: <boolean>
presence: optional
default: false
content: If `true`, enables proxy for HTTPS traffic.
- key: HostName
title: HTTPS host name
type: <string>
presence: optional
content: The host name of the HTTPS proxy.
- key: Port
title: HTTPS port
type: <integer>
presence: optional
range:
min: 0
max: 65535
content: The port number of the HTTPS proxy. This field is required if `HostName`
is specified.
- key: CredentialsAssetReference
title: Credentials asset reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
presence: optional
content: The identifier of an asset declaration that contains the credentials
(user name and password) to authenticate with the proxy server.
examples:
title: Configuration examples
files:
- tab: Shared secret
description: This configuration sets up an IPSec VPN using a shared secret and
group name for authentication.
file: examples/declarative/declarations/configurations/network.vpn.ipsec/example1.json
- tab: Certificate
description: This configuration sets up an IPSec VPN using a certificate identity
asset for authentication.
file: examples/declarative/declarations/configurations/network.vpn.ipsec/example2.json
@@ -0,0 +1,590 @@
title: Network:VPN:VPN Plugin
description: The declaration to configure a VPN using the VPN plugin sub-type.
payload:
declarationtype: com.apple.configuration.network.vpn.vpn-plugin
supportedOS:
iOS:
introduced: '27.0'
allowed-enrollments:
- supervised
- device
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
macOS:
introduced: '27.0'
allowed-enrollments:
- supervised
- local
allowed-scopes:
- system
tvOS:
introduced: '27.0'
allowed-enrollments:
- supervised
- device
- local
allowed-scopes:
- system
visionOS:
introduced: '27.0'
allowed-enrollments:
- supervised
- device
- local
allowed-scopes:
- system
watchOS:
introduced: n/a
apply: multiple
payloadkeys:
- key: VisibleName
title: Visible name
type: <string>
presence: required
content: The name of the VPN connection that the system displays on the device.
- key: HostName
title: Host name
type: <string>
presence: required
content: The IP address or hostname of the VPN server.
- key: SubType
title: VPN subtype
type: <string>
presence: required
content: |-
An identifier for a vendor-specified configuration dictionary.
If the configuration targets a VPN solution that uses a VPN plugin, then this field contains the bundle identifier of the plugin. Here are some examples:
- Cisco AnyConnect: `com.cisco.anyconnect.applevpn.plugin`
- Juniper SSL: `net.juniper.sslvpn`
- F5 SSL: `com.f5.F5-Edge-Client.vpnplugin`
- SonicWALL Mobile Connect: `com.sonicwall.SonicWALL-SSLVPN.vpnplugin`
- ``Aruba VIA: `com.arubanetworks.aruba-via.vpnplugin`
If the configuration targets a VPN solution that uses a network extension provider, then this field contains the bundle identifier of the app that contains the provider. Contact the VPN solution vendor for the value of the identifier.
- key: VendorConfig
title: Vendor configuration dictionary
type: <dictionary>
presence: optional
content: The vendor-specific configuration dictionary, which the system reads only
when `SubType` has a value.
subkeys:
- key: Realm
title: Realm
type: <string>
presence: optional
content: The Kerberos realm name, which needs to be properly capitalized. Valid
only for Juniper SSL and Pulse Secure.
- key: Role
title: Role
type: <string>
presence: optional
content: The role to select when connecting to the server. Valid only for Juniper
SSL and Pulse Secure.
- key: Group
title: Group
type: <string>
presence: optional
content: The group to connect to on the head end. Valid for Cisco AnyConnect and
Cisco Legacy AnyConnect.
- key: LoginGroupOrDomain
title: Login group or domain
type: <string>
presence: optional
content: The login group or domain. Valid only for SonicWALL Mobile Connect.
- key: Authentication
title: Authentication details
type: <dictionary>
presence: required
content: Settings that control authentication.
subkeys:
- key: Method
title: Authentication method
type: <string>
presence: required
rangelist:
- Password
- Certificate
- Password+Certificate
content: The authentication method to use.
- key: CredentialsAssetReference
title: Credentials asset reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
presence: optional
content: The identifier of an asset declaration that contains the credentials
(user name and password) to authenticate with the VPN server. Required when
`Authentication.Method` is set to `Password`.
- key: IdentityAssetReference
title: Identity asset reference
type: <string>
assettypes:
- com.apple.asset.credential.acme
- com.apple.asset.credential.identity
- com.apple.asset.credential.scep
presence: optional
content: The identifier of a credential asset declaration that contains the identity
that this account requires to authenticate with the VPN server. Required when
`Authentication.Method` is set to `Certificate`.
- key: Provider
title: Provider details
type: <dictionary>
presence: optional
content: Specifies details about the provider.
subkeys:
- key: Type
title: Type
type: <string>
presence: optional
rangelist:
- packet-tunnel
- app-proxy
default: packet-tunnel
content: The type of VPN service. If the value is `app-proxy`, the service tunnels
traffic at the app level. If the value is `packet-tunnel`, the service tunnels
traffic at the IP layer.
- key: ComposedIdentifier
title: Composed identifier
type: <string>
presence: optional
content: |-
If the `SubType` field contains the bundle identifier of an app that contains multiple VPN providers of the same type (app-proxy or packet-tunnel), then the system uses this field to choose which provider to use for this configuration. If the VPN provider is implemented as a System Extension, then this field is required.
In iOS, tvOS, and visionOS, the identifier is a bundle ID, for example, "com.example.app".
In macOS, the identifier is a composed identifier. The format of the composed identifier is either "Bundle-ID" or "Bundle-ID {Designated-Requirement}". "Bundle-ID" is the bundle identifier string of the provider. "Designated-Requirement" is the designated requirement string from the code signature of the provider. For example, "com.example.app" for the bundle ID format, or "com.example.app {anchor apple generic}" for the designated requirement format.
- key: NetworkRouting
title: Network routing details
supportedOS:
tvOS:
introduced: n/a
type: <dictionary>
presence: optional
content: Specifies details about how the VPN routes different types of network traffic.
subkeys:
- key: EnforceRoutes
title: Enforce routes
type: <boolean>
presence: optional
default: false
content: |-
If `true`, all the VPN's non-default routes take precedence over any locally defined routes.
If `IncludeAllNetworks` is `true`, the system ignores the value of `EnforceRoutes`.
- key: IncludeAllNetworks
title: Include all networks
type: <boolean>
presence: optional
default: false
content: |-
If `true`, routes all traffic through the VPN, with some exclusions. Several of the exclusions can be controlled with the `ExcludeLocalNetworks`, `ExcludeCellularServices`, `ExcludeAPNs` and `ExcludeDeviceCommunication` properties. The following traffic is always excluded from the tunnel:
- Traffic necessary for connecting and maintaining the device's network connection, such as DHCP.
- Traffic necessary for connecting to captive networks.
- Certain cellular services traffic that's not routable over the internet and is instead directly routed to the cellular network. See the ExcludeCellularServices property for more details.
- key: ExcludeLocalNetworks
title: Exclude local networks
type: <boolean>
presence: optional
content: If `true` and `IncludeAllNetworks` is `true`, routes all local network
traffic outside the VPN.
- key: ExcludeCellularServices
title: Exclude cellular services
type: <boolean>
presence: optional
default: true
content: If `true` and `IncludeAllNetworks` is `true`, then the system excludes
internet-routable network traffic for cellular services (VoLTE, Wi-Fi Calling,
IMS, MMS, Visual Voicemail, etc.) from the tunnel. Note that some cellular carriers
route cellular services traffic directly to the carrier network, bypassing the
internet. Such cellular services traffic is always excluded from the tunnel.
- key: ExcludeAPNs
title: Exclude APNs
type: <boolean>
presence: optional
default: true
content: If `true` and `IncludeAllNetworks` is `true`, then the system excludes
the network traffic for the Apple Push Notification service (APNs) from the
tunnel.
- key: ExcludeDeviceCommunication
title: Exclude device communication
type: <boolean>
presence: optional
default: true
content: If set to `true` and `IncludeAllNetworks` is set to `true`, the device
excludes network traffic used for communicating with devices connected via USB
or Wi-Fi from the tunnel.
- key: Idle
title: Disconnect on idle settings.
type: <dictionary>
presence: optional
content: Specifies details about how the system handles idle VPN connections.
subkeys:
- key: Disconnect
title: Enable disconnect on idle
type: <boolean>
presence: optional
default: false
content: If `true`, disconnects after an on-demand connection idles.
- key: Timer
title: Disconnect on idle time
type: <integer>
presence: optional
content: The length of time to wait, in seconds, before disconnecting an on-demand
connection.
- key: OnDemand
title: On demand details
type: <dictionary>
presence: optional
content: Specifies details about how the system controls on-demand VPN.
subkeys:
- key: Enabled
title: Enable VPN on demand
type: <boolean>
presence: optional
default: false
content: If `true`, enables VPN On Demand.
- key: DisableUserOverride
title: Prevent users from toggling VPN on demand
supportedOS:
macOS:
introduced: n/a
type: <boolean>
presence: optional
default: false
content: If `true`, the device disables the Connect On Demand toggle in Settings
for this configuration.
- key: Rules
title: On demand rules
type: <array>
presence: optional
content: An array of dictionaries defining On Demand Rules.
subkeytype: RulesElement
subkeys:
- key: RulesElement
title: Rules element
type: <dictionary>
subkeys:
- key: Action
title: On demand action
type: <string>
presence: required
rangelist:
- Allow
- Connect
- Disconnect
- EvaluateConnection
- Ignore
content: |-
The action to take if this dictionary matches the current network. Possible values are:
- `Allow`: Deprecated. Allow VPN On Demand to connect if triggered.
- `Connect`: Unconditionally initiate a VPN connection on the next network attempt.
- `Disconnect`: Tear down the VPN connection and don't reconnect on demand as long as this dictionary matches.
- `EvaluateConnection`: Evaluate the ActionParameters array for each connection attempt.
- `Ignore`: Leave any existing VPN connection up, but don't reconnect on demand as long as this dictionary matches.
- key: ActionParameters
title: Action parameters
type: <array>
presence: optional
content: An array of dictionaries that provides rules similar to the `OnDemandRules`
dictionary, but evaluated on each connection instead of when the network
changes. This value is only for use with dictionaries in which the `Action`
value is `EvaluateConnection`. The system evaluates these dictionaries in
order and the first dictionary that matches determines the behavior.
subkeys:
- key: ActionParameter
title: Action parameter
type: <dictionary>
presence: optional
content: |-
A dictionary that provides rules similar to the OnDemandRules dictionary, but evaluated on each connection instead of when the network changes. These dictionaries are evaluated in order, and the behavior is determined by the first dictionary that matches.
The keys allowed in each dictionary are described below. Note: This array is used only for dictionaries in which EvaluateConnection is the Action value.
subkeys:
- key: Domains
title: Domains
type: <array>
presence: required
content: The domains to apply this evaluation.
subkeys:
- key: DomainsElement
title: Domains element
type: <string>
- key: DomainAction
title: Domain action
type: <string>
presence: required
rangelist:
- ConnectIfNeeded
- NeverConnect
content: |-
Defines the VPN behavior for the specified domains. Allowed values are:
* 'ConnectIfNeeded': The specified domains should trigger a VPN connection attempt if domain name resolution fails, such as when the DNS server indicates that it can't resolve the domain, responds with a redirection to a different server, or fails to respond (timeout).
* 'NeverConnect': The specified domains should never trigger a VPN connection attempt.
- key: RequiredDNSServers
title: Required DNS servers
type: <array>
presence: optional
content: |-
An array of IP addresses of DNS servers to use for resolving the specified domains. These servers don't need to be part of the device's current network configuration. If these DNS servers aren't reachable, the system establishes a VPN connection. These DNS servers need to be either internal DNS servers or trusted external DNS servers.
This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'.
subkeys:
- key: RequiredDNSServersElement
title: Required DNS servers element
type: <string>
- key: RequiredURLStringProbe
title: Required URL string probe
type: <string>
presence: optional
content: |-
An HTTP or HTTPS (preferred) URL to probe, using a GET request. If the URL's hostname can't be resolved, if the server is unreachable, or if the server doesn't respond with a 200 HTTP status code, a VPN connection is established in response.
This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'.
- key: DNSDomainMatch
title: DNS domain match
type: <array>
presence: optional
content: |-
An array of domain names. This rule matches if any of the domain names in the specified list matches any domain in the device's search domains list.
The system supports a wildcard (`*`) prefix. For example, `*.example.com` matches against either `mydomain.example.com` or `yourdomain.example.com`.
subkeys:
- key: DNSDomainMatchElement
title: DNS domain match element
type: <string>
- key: DNSServerAddressMatch
title: DNS server address match
type: <array>
presence: optional
content: |-
An array of IP addresses. This rule matches if any of the network's specified DNS servers match any entry in the array.
The system supports matching with a single wildcard. For example, `17.*` matches any DNS server in the `17.0.0.0/8` subnet.
subkeys:
- key: DNSServerAddressMatchElement
title: DNS server address match element
type: <string>
- key: InterfaceTypeMatch
title: Interface type match
type: <string>
presence: optional
rangelist:
- Ethernet
- WiFi
- Cellular
content: An interface type. If specified, this rule matches only if the primary
network interface hardware matches the specified type.
- key: SSIDMatch
title: SSID match
type: <array>
presence: optional
content: |-
An array of SSIDs to match against the current network. If the network isn't a Wi-Fi network or if the SSID doesn't appear in this array, the match fails.
Omit this key and the corresponding array to match against any SSID.
subkeys:
- key: SSIDMatchElement
title: SSID match element
type: <string>
- key: URLStringProbe
title: URL string probe
type: <string>
presence: optional
content: A URL to probe. This rule matches when this URL is successfully fetched
(returns a `200` HTTP status code) without redirection.
- key: DNS
title: DNS
type: <dictionary>
presence: optional
content: A dictionary to use for all VPN types.
subkeys:
- key: Protocol
title: DNS protocol
type: <string>
presence: required
rangelist:
- Cleartext
- HTTPS
- TLS
content: The transport protocol to communicate with the DNS server.
- key: ServerURL
title: Server URL
type: <string>
presence: optional
content: The URI template of a DNS-over-HTTPS server, as defined in RFC 8484,
which needs to use the `https://` scheme. The system uses the hostname or address
in the URL to validate the server certificate. If `ServerAddresses` isn't specified,
the system uses the hostname or address in the URL to determine the server addresses.
This key is required if the `DNSProtocol` is `HTTPS`.
- key: ServerName
title: Server name
type: <string>
presence: optional
content: The hostname of a DNS-over-TLS server to validate the server certificate,
as defined in RFC 7858. If `ServerAddresses` isn't specified, the system uses
the hostname to determine the server addresses. This key is required if the
`DNSProtocol` is `TLS`.
- key: ServerAddresses
title: DNS server addresses
type: <array>
presence: required
content: The array of DNS server IP address strings. These IP addresses can be
a mixture of IPv4 and IPv6 addresses.
subkeys:
- key: ServerAddressesElement
title: Server address element
type: <string>
- key: SearchDomains
title: DNS search domains
type: <array>
presence: optional
content: The list of domain strings used to fully qualify single-label host names.
subkeys:
- key: SearchDomainsElement
title: Search domains element
type: <string>
- key: DomainName
title: Domain name
type: <string>
presence: optional
content: The primary domain of the tunnel.
- key: SupplementalMatchDomains
title: Supplemental match domains
type: <array>
presence: optional
content: |-
The list of domain strings used to determine which DNS queries use the DNS resolver settings in `ServerAddresses`. The system uses this key to create a split DNS configuration where it resolves only hosts in certain domains using the tunnel's DNS resolver. The system uses the default resolver for hosts that aren't in one of the domains in this list.
If `SupplementalMatchDomains` contains the empty string it becomes the default domain.
Split-tunnel configurations can direct all DNS queries to the VPN DNS servers before the primary DNS servers. If the VPN tunnel becomes the network's default route, the servers listed in `ServerAddresses` become the default resolver and the system ignores the `SupplementalMatchDomains` list.
subkeys: &id001
- key: SupplementalMatchDomainsElement
title: Supplemental match domains element
type: <string>
- key: SupplementalMatchDomainsNoSearch
title: Supplemental match domains no search
type: <boolean>
presence: optional
default: false
content: If `true`, don't append the domains in the `SupplementalMatchDomains`
list to the resolver's list of search domains.
- key: IdentityAssetReference
title: Identity asset reference
type: <string>
assettypes:
- com.apple.asset.credential.acme
- com.apple.asset.credential.identity
- com.apple.asset.credential.scep
presence: optional
content: The identifier of a credential asset declaration that contains the identity
that the system uses to authenticate the user to the DNS resolver.
- key: Proxies
title: Proxies
type: <dictionary>
presence: optional
content: The dictionary to use to configure `Proxies` for use with `VPN`.
subkeys:
- key: AutoConfigEnable
title: Proxy auto config enable
type: <boolean>
presence: optional
default: false
content: If `true`, enables automatic proxy configuration.
- key: AutoDiscoveryEnable
title: Proxy auto discovery enable
type: <boolean>
presence: optional
default: true
content: If `true`, enables proxy auto discovery.
- key: AutoConfigURLString
title: Proxy server URL
type: <string>
presence: optional
content: The URL to the location of the proxy auto-configuration file. Used only
when `ProxyAutoConfigEnable` is `true`.
- key: SupplementalMatchDomains
title: Supplemental match domains
type: <array>
presence: optional
content: An array of domains that defines which hosts use proxy settings for hosts.
subkeys: *id001
- key: Protocol
title: Protocol
type: <dictionary>
presence: optional
content: The dictionary to use to configure HTTP servers for `Proxies` for use
with `VPN`.
subkeys:
- key: HTTP
title: HTTP protocol
type: <dictionary>
presence: optional
content: The dictionary to use to configure the HTTP (non-TLS) server.
subkeys:
- key: Enable
title: Enable HTTP
type: <boolean>
presence: optional
default: false
content: If `true`, enables proxy for HTTP traffic.
- key: HostName
title: HTTP host name
type: <string>
presence: optional
content: The host name of the HTTP proxy.
- key: Port
title: HTTP port
type: <integer>
presence: optional
range:
min: 0
max: 65535
content: The port number of the HTTP proxy. This field is required if `HostName`
is specified.
- key: HTTPS
title: HTTPS protocol
type: <dictionary>
presence: optional
content: The dictionary to use to configure the HTTPS (TLS) server.
subkeys:
- key: Enable
title: Enable HTTPS
type: <boolean>
presence: optional
default: false
content: If `true`, enables proxy for HTTPS traffic.
- key: HostName
title: HTTPS host name
type: <string>
presence: optional
content: The host name of the HTTPS proxy.
- key: Port
title: HTTPS port
type: <integer>
presence: optional
range:
min: 0
max: 65535
content: The port number of the HTTPS proxy. This field is required if `HostName`
is specified.
- key: CredentialsAssetReference
title: Credentials asset reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
presence: optional
content: The identifier of an asset declaration that contains the credentials
(user name and password) to authenticate with the proxy server.
examples:
title: Configuration examples
files:
- tab: Password
description: This configuration sets up a VPN plugin using username and password
credentials from an asset.
file: examples/declarative/declarations/configurations/network.vpn.vpn-plugin/example1.json
- tab: Certificate
description: This configuration sets up a VPN plugin using a certificate identity
asset for authentication.
file: examples/declarative/declarations/configurations/network.vpn.vpn-plugin/example2.json
@@ -1,5 +1,5 @@
title: Package
description: The declaration to install a package.
description: The declaration to configure a package.
payload:
declarationtype: com.apple.configuration.package
supportedOS:
@@ -27,7 +27,7 @@ payloadkeys:
The manifest is returned as a `ManifestURL` property list. The `url` property
of the manifest must point to the package (.pkg) file to install.
- key: InstallBehavior
title: Install Behavior
title: Install behavior
type: <dictionary>
presence: optional
content: A dictionary that describes how and when to install the package.
@@ -45,8 +45,29 @@ payloadkeys:
- `Optional`: The user can install the package after the system activates the configuration.
- `Required`: The system installs the package after it activates the configuration.
- key: UninstallBehavior
title: Uninstall behavior
supportedOS:
macOS:
introduced: '27.0'
type: <dictionary>
presence: optional
content: A dictionary that describes how to uninstall the package.
subkeys:
- key: Remove
title: Remove
type: <boolean>
presence: optional
default: false
content: If `true`, the system removes the files that the package installs when
removing the configuration.
notes:
- title: ''
content: This declaration installs a package on a device. Packages can contain apps,
fonts, documents, and other items. Apps that a package installs aren't automatically
managed; you can manage them using the `AppManaged` declaration.
examples:
title: Configuration example
files:
- description: This configuration installs a required package.
file: examples/declarative/declarations/configurations/package/example1.json
@@ -43,7 +43,7 @@ payload:
apply: combined
payloadkeys:
- key: RequirePasscode
title: Require Passcode on Device
title: Require passcode on device
type: <boolean>
presence: optional
default: false
@@ -52,7 +52,7 @@ payloadkeys:
about the length or quality of the passcode. The presence of any other keys implicitly
requires a passcode, and overrides this key's value.
- key: RequireAlphanumericPasscode
title: Require Alphanumeric Passcode
title: Require alphanumeric passcode
supportedOS:
iOS:
introduced: '16.2'
@@ -67,7 +67,7 @@ payloadkeys:
content: If `true`, the passcode needs to consist of at least one alphabetic character
and at least one number.
- key: RequireComplexPasscode
title: Require Complex Passcode
title: Require complex passcode
type: <boolean>
presence: optional
default: false
@@ -76,7 +76,7 @@ payloadkeys:
one that doesn't contain repeated characters or increasing or decreasing characters
(such as 123 or CBA).
- key: MinimumLength
title: Minimum Passcode Length
title: Minimum passcode length
type: <integer>
presence: optional
range:
@@ -86,7 +86,7 @@ payloadkeys:
combinetype: number-max
content: The minimum number of characters a passcode can contain.
- key: MinimumComplexCharacters
title: Minimum Complex Characters
title: Minimum complex characters
supportedOS:
iOS:
introduced: '16.2'
@@ -105,7 +105,7 @@ payloadkeys:
character is a character other than a number or a letter, such as `&`, `%`, `$`,
and `#`.
- key: MaximumFailedAttempts
title: Maximum Number of Failed Attempts
title: Maximum number of failed attempts
type: <integer>
presence: optional
range:
@@ -118,7 +118,7 @@ payloadkeys:
After the final failed attempt, the system locks a macOS device, or securely erases all data and settings from an iOS, visionOS, or watchOS device.
- key: FailedAttemptsResetInMinutes
title: Failed Attempts Reset
title: Failed attempts reset
supportedOS:
iOS:
introduced: n/a
@@ -135,7 +135,7 @@ payloadkeys:
of failed attempts. Also set the `MaximumFailedAttempts` key for this to take
effect.
- key: MaximumGracePeriodInMinutes
title: Maximum Grace Period
title: Maximum grace period
type: <integer>
presence: optional
combinetype: number-min
@@ -144,7 +144,7 @@ payloadkeys:
requires a passcode immediately. In the absence of this key, the user can select
any period. In macOS, the system translates this to screensaver settings.
- key: MaximumInactivityInMinutes
title: Automatic Device Lock
title: Automatic device lock
type: <integer>
presence: optional
range:
@@ -157,7 +157,7 @@ payloadkeys:
the absence of this key, the user can select any period. In macOS, the system
translates this to screensaver settings.
- key: MaximumPasscodeAgeInDays
title: Maximum Passcode Age
title: Maximum passcode age
supportedOS:
iOS:
introduced: '16.2'
@@ -173,7 +173,7 @@ payloadkeys:
After this number of days, the system forces the user to change the passcode before
it unlocks the device.
- key: PasscodeReuseLimit
title: Passcode Reuse Limit
title: Passcode reuse limit
type: <integer>
presence: optional
range:
@@ -185,7 +185,7 @@ payloadkeys:
passcode within the specified passcode history range. In the absence of this key,
the system performs no historical check.
- key: ChangeAtNextAuth
title: Change At Next Auth
title: Change at next auth
supportedOS:
iOS:
introduced: n/a
@@ -204,6 +204,7 @@ payloadkeys:
channel), the setting takes effect for all users, and admin authentication may
fail until the admin user password is also reset.
- key: CustomRegex
title: Custom regex
supportedOS:
iOS:
introduced: n/a
@@ -228,6 +229,7 @@ payloadkeys:
whether it complies with a policy. The regular expression uses the ICU syntax.
The string can't exceed 2048 characters in length.
- key: Description
title: Description
type: <dictionary>
presence: optional
content: A dictionary with supported OS language IDs for the keys (such as `en-US`),
@@ -255,3 +257,12 @@ notes:
- `RequireComplexPasscode`: always set to `true`
- `MinimumLength`: always set to `6`
- `MaximumInactivityInMinutes`: if this key is present its value is ignored, but the `never` option is removed in the Settings UI.
examples:
title: Configuration examples
files:
- tab: Complex
description: This configuration applies a complex passcode policy.
file: examples/declarative/declarations/configurations/passcode.settings/example1.json
- tab: Regular expression
description: This configuration applies a passcode policy using a regular expression.
file: examples/declarative/declarations/configurations/passcode.settings/example2.json
@@ -33,12 +33,13 @@ payload:
apply: combined
payloadkeys:
- key: ManagedBookmarks
title: Managed Bookmarks
title: Managed bookmarks
type: <array>
presence: optional
content: A dictionary that specifies a set of managed bookmarks.
subkeys:
- key: BookmarkGroup
title: Bookmark group
type: <dictionary>
presence: required
content: A group of managed bookmarks.
@@ -67,6 +68,7 @@ payloadkeys:
subkeytype: BookmarksItem
subkeys:
- key: bookmarks-item
title: Bookmarks item
type: <dictionary>
presence: required
content: A bookmark that specifies a title, and either a URL for the bookmark,
@@ -96,8 +98,15 @@ payloadkeys:
subkeytype: BookmarksItem
subkeys:
- key: folder-item
title: Folder item
type: <dictionary>
presence: required
content: A bookmark that specifies a title, and either a URL for the bookmark,
or a nested folder of bookmarks.
subkeys: *id001
examples:
title: Configuration example
files:
- description: 'This configuration applies a set of managed bookmarks: two bookmarks
and one bookmarks folder, which contains two more bookmarks.'
file: examples/declarative/declarations/configurations/safari.bookmarks/example1.json
@@ -31,7 +31,7 @@ payload:
apply: combined
payloadkeys:
- key: ManagedExtensions
title: Managed Extensions
title: Managed extensions
type: <dictionary>
presence: optional
content: |-
@@ -57,12 +57,12 @@ payloadkeys:
- AlwaysOff
combinetype: enum-last
content: |-
Controls whether an extension is allowed.
Controls whether an extension is allowed. The device uses this key when the extension identifier is a composed identifier or a single "*" character.
* `Allowed` - The user is allowed to turn the extension on or off.
* `AlwaysOn` - The extension will always be on.
* `AlwaysOff` - The extension will always be off.
- key: PrivateBrowsing
title: Private Browsing state
title: Private browsing state
type: <string>
presence: optional
rangelist:
@@ -71,7 +71,7 @@ payloadkeys:
- AlwaysOff
combinetype: enum-last
content: |-
Controls whether an extension is allowed in Private Browsing.
Controls whether an extension is allowed in Private Browsing. The device uses this key when the extension identifier is a composed identifier or a single "*" character.
* `Allowed` - The user is allowed to turn the extension on or off in Private Browsing.
* `AlwaysOn` - The extension will always be on in Private Browsing if the extension is on outside of Private Browsing.
* `AlwaysOff` - The extension will never be on in Private Browsing.
@@ -80,8 +80,8 @@ payloadkeys:
type: <array>
presence: optional
combinetype: set-union
content: Controls the domains and sub-domains the extension is granted access
to.
content: Controls the domains and sub-domains the extension can access. The
device ignores this key when the extension identifier is a single "*" character.
subkeys:
- key: Domain
title: Domain
@@ -93,7 +93,8 @@ payloadkeys:
presence: optional
combinetype: set-union
content: Controls the domains and sub-domains the extension isn't allowed to
access.
access. The device uses this key when the extension identifier is a composed
identifier or a single "*" character.
subkeys:
- key: Domain
title: Domain
@@ -144,3 +145,21 @@ notes:
"AllowedDomains": ["public.example.com"],
"DeniedDomains": ["*example.com"]
```
examples:
title: Configuration examples
files:
- tab: Disallow all
description: This configuration disables all Safari extensions.
file: examples/declarative/declarations/configurations/safari.extensions.settings/example1.json
- tab: Allow one
description: This configuration disables all Safari extensions, except for one
that it requires.
file: examples/declarative/declarations/configurations/safari.extensions.settings/example2.json
- tab: Disallow private browsing
description: This configuration allows all Safari extensions, but one isn't allowed
in private browsing.
file: examples/declarative/declarations/configurations/safari.extensions.settings/example3.json
- tab: Disallow domain
description: This configuration allows all Safari extensions, but one isn't allowed
for use with a domain and its sub-domains.
file: examples/declarative/declarations/configurations/safari.extensions.settings/example4.json
@@ -33,7 +33,7 @@ payload:
apply: combined
payloadkeys:
- key: AcceptCookies
title: Accept Cookies
title: Accept cookies
supportedOS:
iOS:
allowed-enrollments:
@@ -59,7 +59,7 @@ payloadkeys:
- `VisitedWebsites`: Safari allows cookies only from visited websites.
- `Always`: Safari always allows cookies.
- key: AllowDisablingFraudWarning
title: Allow Disabling Fraud Warning
title: Allow disabling fraud warning
supportedOS:
iOS:
allowed-enrollments:
@@ -74,7 +74,7 @@ payloadkeys:
combinetype: boolean-and
content: If `false`, the system forces fraud warnings on in Safari.
- key: AllowHistoryClearing
title: Allow History Clearing
title: Allow history clearing
supportedOS:
iOS:
allowed-enrollments:
@@ -103,7 +103,7 @@ payloadkeys:
combinetype: boolean-and
content: If `false`, the system disables JavaScript in Safari.
- key: AllowPrivateBrowsing
title: Allow Private Browsing
title: Allow private browsing
supportedOS:
iOS:
allowed-enrollments:
@@ -117,7 +117,7 @@ payloadkeys:
combinetype: boolean-and
content: If `false`, the system disables private browsing in Safari.
- key: AllowPopups
title: Allow Popups
title: Allow popups
supportedOS:
iOS:
allowed-enrollments:
@@ -132,7 +132,7 @@ payloadkeys:
combinetype: boolean-and
content: If `false`, the system disables popups in Safari.
- key: AllowSummary
title: Allow Summary
title: Allow summary
supportedOS:
iOS:
allowed-enrollments:
@@ -146,12 +146,13 @@ payloadkeys:
combinetype: boolean-and
content: If `false`, the system disables summarization of content in Safari.
- key: NewTabStartPage
title: New Tab Start Page
title: New tab start page
type: <dictionary>
presence: optional
content: Sets the start page for new tabs in Safari.
subkeys:
- key: PageType
title: Page type
type: <string>
presence: required
rangelist:
@@ -177,3 +178,109 @@ payloadkeys:
content: The composed identifier of the extension that provides the start page.
The required format is "Identifier (TeamIdentifier)", for example "com.example.app
(ABCD1234)". Required when setting `PageType` to `Extension`.
- key: Privacy
title: Website privacy
supportedOS:
iOS:
introduced: '27.0'
allowed-enrollments:
- supervised
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- user
macOS:
introduced: '27.0'
allowed-enrollments:
- supervised
allowed-scopes:
- user
visionOS:
introduced: n/a
type: <dictionary>
presence: optional
content: The dictionary of website privacy settings.
subkeys:
- key: PermissionDefaults
title: Website privacy permission defaults
type: <dictionary>
presence: optional
content: |-
The dictionary of website permission defaults. Each key in the dictionary represents a single website, or a website and its sub-domains. The dictionary values represent the permission defaults that Safari applies for each website that matches the key.
Safari supports the following patterns for the website key:
- A specific domain such as "example.com" or "www.example.com". The permission defaults apply to that website only.
- A wildcard domain that uses a single "\*" character as a prefix for the domain, such as "\*example.com". The permission defaults apply to both the exact domain "example.com", and any sub-domains such as "www.example.com". It won't match other domains with a similar string suffix such as "myexample.com".
When multiple patterns match a website, Safari uses the most precise pattern. For example, for the website "www.example.com", if rules "www.example.com" and "*example.com" match, Safari uses the former.
subkeys:
- key: ANY
type: <dictionary>
presence: optional
content: The dictionary that defines the website privacy permission defaults.
Each key represents a website.
subkeytype: WebsiteDictionary
subkeys:
- key: OrganizationJustification
title: Organization justification
type: <string>
presence: required
content: Text that clearly explains to the Safari user the reason why the
organization requires these website privacy permission defaults. Safari
includes this text in the permission consent prompt it displays when it
first displays the website.
- key: Camera
title: Camera permission
type: <string>
presence: optional
rangelist:
- None
- Allow
combinetype: enum-last
content: |-
Controls whether a website privacy permission default is set.
* `None`: Safari sets no website privacy permission default for use of the camera.
* `Allow`: Safari sets the website privacy permission default to allow use of the camera.
- key: Microphone
title: Microphone permission
type: <string>
presence: optional
rangelist:
- None
- Allow
combinetype: enum-last
content: |-
Controls whether a website privacy permission default is set.
* `None`: Safari sets no website privacy permission default for use of the microphone.
* `Allow`: Safari sets the website privacy permission default to allow use of the microphone.
notes:
- title: Privacy permission defaults
content: |-
Privacy permission defaults allow an organization to suggest a set of privacy permissions for use on a website. When set, Safari displays a consent prompt listing all the configured defaults. If the user accepts, the system applies those defaults for the website. If the user declines, no defaults are set and Safari prompts the user in the normal way when the website requires permission.
The consent prompt only shows permissions that the user hasn't previously seen, and won't appear if the user has seen all permissions. The user can choose from one of two options in the prompt:
* `Allow`: this option sets the website privacy permissions for the specified sub-systems (camera or microphone) to "Allow". Safari doesn't prompt the user when the website uses the sub-system.
* `Not Now`: this option ignores the website privacy permission defaults for the specified sub-systems (camera or microphone). Safari prompts the user in the normal way when the website uses the sub-system.
The user can change the website privacy permission settings in Safari settings if they choose.
examples:
title: Configuration examples
files:
- tab: Start page
description: This configuration sets the Safari start page to show a specific
website.
file: examples/declarative/declarations/configurations/safari.settings/example1.json
- tab: Restrictions
description: This configuration restricts several Safari features.
file: examples/declarative/declarations/configurations/safari.settings/example2.json
- tab: Website privacy (1)
description: This configuration sets the camera permission default in Safari for
one specific website.
file: examples/declarative/declarations/configurations/safari.settings/example3.json
- tab: Website privacy (2)
description: This configuration sets the camera and microphone permission defaults
in Safari for a specific website and its child websites.
file: examples/declarative/declarations/configurations/safari.settings/example4.json
@@ -23,26 +23,32 @@ payload:
apply: multiple
payloadkeys:
- key: ConnectionGroupUUID
title: Unique Identifier
title: Unique identifier
type: <string>
presence: required
content: A unique identifier for this connection group.
- key: GroupName
title: Group Name
title: Group name
type: <string>
presence: required
content: The name of the connection group.
- key: Members
title: Group Members
title: Group members
type: <array>
presence: required
content: An array of `ConnectionUUID`s that represent connections declared in `ScreenSharingConnection`
configurations that are members of this group.
subkeys:
- key: ConnectionUUID
title: Connection UUID
type: <string>
related-status-items:
- status-items:
- screensharing.connection.group.unresolved-connection
note: Any unresolved connection groups in the configuration will appear in the corresponding
status item.
examples:
title: Configuration example
files:
- description: This configuration defines a group of screen-sharing connections.
file: examples/declarative/declarations/configurations/screensharing.connection.group/example1.json
@@ -23,7 +23,7 @@ payload:
apply: multiple
payloadkeys:
- key: ConnectionUUID
title: Unique Identifier
title: Unique identifier
type: <string>
presence: required
content: A unique identifier for this connection when it's in a connection group.
@@ -33,22 +33,23 @@ payloadkeys:
presence: required
content: The name of the connection.
- key: HostName
title: Host Name
title: Host name
type: <string>
presence: required
content: The host name or IP address of the Mac that hosts the screen-sharing connection.
- key: Port
title: TCP Port
title: TCP port
type: <integer>
presence: optional
content: The TCP port number on the host to initiate the connection.
- key: DisplayConfiguration
title: Display Configuration
title: Display configuration
type: <dictionary>
presence: required
content: The display configuration for this connection.
subkeys:
- key: DisplayType
title: Display type
type: <string>
presence: required
rangelist:
@@ -60,7 +61,7 @@ payloadkeys:
- `Virtual1`: Create one virtual display.
- `Virtual2`: Create two virtual displays.
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
title: Authentication credentials asset reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
@@ -68,3 +69,9 @@ payloadkeys:
content: The identifier of an asset declaration that contains the required credentials
for this connection to authenticate with the screen-sharing server. Set the corresponding
asset type to `com.apple.asset.credential.userpassword`.
examples:
title: Configuration example
files:
- description: This configuration sets up a screen-sharing connection to a remote
Mac.
file: examples/declarative/declarations/configurations/screensharing.connection/example1.json
@@ -21,7 +21,7 @@ payload:
apply: single
payloadkeys:
- key: MaximumVirtualDisplays
title: Maximum number of Virtual Displays
title: Maximum number of virtual displays
type: <integer>
presence: optional
range:
@@ -29,7 +29,7 @@ payloadkeys:
max: 2
content: The maximum number of virtual displays to make available to clients.
- key: PortBase
title: UDP Port base
title: UDP port base
type: <integer>
presence: optional
range:
@@ -54,9 +54,14 @@ payloadkeys:
content: If `true`, the system prevents users from copying files to the screen-sharing
host.
- key: PreventHighPerformanceConnections
title: Prevent High Performance connections
title: Prevent high performance connections
type: <boolean>
presence: optional
default: false
content: If `true`, the system prevents clients from establishing high-performance
connections to the host.
examples:
title: Configuration example
files:
- description: This configuration manages screen-sharing host settings and restrictions.
file: examples/declarative/declarations/configurations/screensharing.host.settings/example1.json
@@ -1,5 +1,5 @@
title: Security:Certificate
description: The declaration to add a certificate to the device.
description: The declaration to configure a certificate.
payload:
declarationtype: com.apple.configuration.security.certificate
supportedOS:
@@ -63,3 +63,8 @@ related-status-items:
- status-items:
- security.certificate.list
note: Each configuration will have a corresponding status item.
examples:
title: Configuration example
files:
- description: This configuration installs a certificate on the device.
file: examples/declarative/declarations/configurations/security.certificate/example1.json
@@ -1,5 +1,5 @@
title: Security:Identity
description: The declaration to install an identity on the device.
description: The declaration to configure an identity.
payload:
declarationtype: com.apple.configuration.security.identity
supportedOS:
@@ -94,3 +94,8 @@ related-status-items:
- status-items:
- security.certificate.list
note: Each configuration will have a corresponding status item.
examples:
title: Configuration example
files:
- description: This configuration installs a certificate identity on the device.
file: examples/declarative/declarations/configurations/security.identity/example1.json
@@ -56,3 +56,9 @@ payloadkeys:
- key: RelyingParty
title: Relying party
type: <string>
examples:
title: Configuration example
files:
- description: This configuration enables enterprise passkey attestation for a relying
party.
file: examples/declarative/declarations/configurations/security.passkey.attestation/example1.json
@@ -20,19 +20,19 @@ payload:
apply: multiple
payloadkeys:
- key: TaskType
title: Task Type
title: Task type
type: <string>
presence: required
content: The unique identifier of the set of background tasks managed with this
configuration. This should be a reverse DNS style identifier. The system uses
this identifier to differentiate between tasks in different configurations.
- key: TaskDescription
title: Task Description
title: Task description
type: <string>
presence: optional
content: A description of the set of background tasks managed by this configuration.
- key: ExecutableAssetReference
title: Executable Asset Reference
title: Executable asset reference
type: <string>
assettypes:
- com.apple.asset.data
@@ -46,18 +46,19 @@ payloadkeys:
This file should contain background task executables, scripts, and configuration files, but not the `launchd` configuration files.
- key: LaunchdConfigurations
title: Launchd Configurations
title: Launchd configurations
type: <array>
presence: optional
content: An array of `launchd` configuration files used to run the background tasks.
subkeys:
- key: launchd-item
title: Launchd item
type: <dictionary>
presence: required
content: A dictionary of launchd configurations.
subkeys:
- key: FileAssetReference
title: File Asset Reference
title: File asset reference
type: <string>
assettypes:
- com.apple.asset.data
@@ -73,14 +74,14 @@ payloadkeys:
The asset's "ContentType" and "Hash-SHA-256" keys in the "Reference" key are
required.
- key: Context
title: Launchd Context
title: Launchd context
type: <string>
presence: required
rangelist:
- daemon
- agent
content: Indicates whether the launchd configuration file is applied to the
system daemon, or system agent domain.
content: Indicates whether the system applies the launchd configuration file
to the system daemon or system agent domain.
related-status-items:
- status-items:
- services.background-task
@@ -99,3 +100,8 @@ notes:
> Note:
> If an executable is an app, the system can't manage the app as it can only manage apps installed in `/Applications`. Also, the system can't use system extensions in the app as it only loads them from apps installed in `/Applications`.
examples:
title: Configuration example
files:
- description: This configuration sets up a background task using a launchd daemon.
file: examples/declarative/declarations/configurations/services.background-tasks/example1.json
@@ -1,5 +1,5 @@
title: Services Configuration Files
description: The managed configuration files for services.
description: The declaration to configure managed configuration files for services.
payload:
declarationtype: com.apple.configuration.services.configuration-files
supportedOS:
@@ -20,13 +20,13 @@ payload:
apply: multiple
payloadkeys:
- key: ServiceType
title: Service Type
title: Service type
type: <string>
presence: required
content: The identifier of the system service with managed configuration files.
Use a reverse DNS style for this identifier.
- key: DataAssetReference
title: Data Asset Reference
title: Data asset reference
type: <string>
assettypes:
- com.apple.asset.data
@@ -87,3 +87,8 @@ notes:
> Important:
> The system reserves the `com.apple` prefix for built-in services.
examples:
title: Configuration example
files:
- description: This configuration deploys configuration files for a system service.
file: examples/declarative/declarations/configurations/services.configuration-files/example1.json
@@ -20,7 +20,11 @@ payload:
- system
- user
tvOS:
introduced: n/a
introduced: '27.0'
allowed-enrollments:
- supervised
allowed-scopes:
- system
visionOS:
introduced: '26.4'
allowed-enrollments:
@@ -34,7 +38,6 @@ payload:
allowed-scopes:
- system
apply: combined
content: Configures Siri settings.
payloadkeys:
- key: Enabled
title: Enabled
@@ -47,10 +50,12 @@ payloadkeys:
combinetype: boolean-and
content: If `false`, disables Siri.
- key: AllowUserGeneratedContent
title: Allow User Generated Content
title: Allow user generated content
supportedOS:
macOS:
introduced: n/a
tvOS:
introduced: n/a
visionOS:
introduced: n/a
type: <boolean>
@@ -59,10 +64,12 @@ payloadkeys:
combinetype: boolean-and
content: If `false`, disables Siri user-generated content.
- key: AllowWhileLocked
title: Allow While Locked
title: Allow while locked
supportedOS:
macOS:
introduced: n/a
tvOS:
introduced: n/a
visionOS:
introduced: n/a
type: <boolean>
@@ -71,8 +78,10 @@ payloadkeys:
combinetype: boolean-and
content: If `false`, disables Siri while locked.
- key: ForceProfanityFilter
title: Force Profanity Filter
title: Force profanity filter
supportedOS:
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
@@ -82,3 +91,9 @@ payloadkeys:
default: false
combinetype: boolean-or
content: If `true`, forces Siri profanity filter.
examples:
title: Configuration examples
files:
- tab: Siri Restrictions
description: This configuration restricts Siri features.
file: examples/declarative/declarations/configurations/siri.settings/example1.json
@@ -1,5 +1,6 @@
title: Software Update:Enforcement:Specific
description: A software update enforcement policy for a specific OS release.
description: The declaration to configure a software update enforcement policy for
a specific OS release.
payload:
declarationtype: com.apple.configuration.softwareupdate.enforcement.specific
supportedOS:
@@ -38,13 +39,13 @@ payload:
apply: multiple
payloadkeys:
- key: TargetOSVersion
title: Target OS Version
title: Target OS version
type: <string>
presence: required
content: The target OS version to update the device to by the appropriate time.
This is the OS version number, for example, `16.1`.
- key: TargetBuildVersion
title: Target Build Version
title: Target build version
type: <string>
presence: optional
content: The target build version to update the device to by the appropriate time,
@@ -52,13 +53,13 @@ payloadkeys:
The build version can include a supplemental version identifier, for example,
`20A242a`.
- key: TargetLocalDateTime
title: Target Local Date Time
title: Target local date time
type: <string>
presence: required
content: The local date time value that specifies when to force install the software
update. Use the format `yyyy-mm-ddThh:mm:ss`, which is derived from RFC3339 but
doesn't include a time zone offset. If the user doesn't trigger the software update
before this time, the device force installs it.
update. Use the format `yyyy-mm-ddThh:mm:ss`, which is derived from RFC 3339 but
doesn't include a time zone offset or fractional seconds. If the user doesn't
trigger the software update before this time, the device force installs it.
- key: DetailsURL
title: Details URL
type: <string>
@@ -79,8 +80,14 @@ notes:
To determine available software updates to show to an admin, a device management service uses the Apple GDMF service via `https://gdmf.apple.com/v2/pmv`. Configurations only enforce a software update if GDMF has the corresponding OS version or build available. So device management services need to regularly check available versions, and adjust the list shown to admins, and also remove any deployed configurations that use OS versions or builds that are no longer available. Device management services should check GDMF no more than once a day.
If the `TargetOSVersion` is an OS version that includes both a minor and patch version, the system installs that specific version, for example, `16.1.1`. If the minor version doesn't include a patch version, the system installs the latest available patch version. For example, if the `TargetOSVersion` is `16.1` and a `.1` patch is available, the system installs `16.1.1`.
The system installs the specific version set in the `TargetOSVersion`, and it won't install a patch version if only a minor version is set.
The system can only install a supplemental software update on a device that already has the base OS version installed. For example, the system can only install a `16.1`(a) update on a device that currently has `16.1` installed, but it can't install that update on a device that has only `16.0` installed. To update to a supplemental version from an older base version, use two configurations. Use the first configuration to update to the new base version, and the second configuration to update the new base version to its supplemental version.
If the device isn't running at the target date-time, the system enforces the software update 1 hour after restarting, or when the device meets all required conditions, such as minimum battery level.
examples:
title: Configuration example
files:
- description: This configuration enforces a software update to a specific OS version
and build at a specified time.
file: examples/declarative/declarations/configurations/softwareupdate.enforcement.specific/example1.json
@@ -38,7 +38,7 @@ payload:
apply: combined
payloadkeys:
- key: Notifications
title: Software Update Notifications
title: Software update notifications
type: <boolean>
presence: optional
default: true
@@ -48,7 +48,7 @@ payloadkeys:
If set to `false`, the device only shows notifications triggered one hour before the enforcement deadline, and the restart countdown notification.
- key: Deferrals
title: Software Update Deferrals
title: Software update deferrals
supportedOS:
iOS:
allowed-enrollments:
@@ -65,7 +65,7 @@ payloadkeys:
Improvements aren't considered in `Major`, `Minor`, or `System` deferral mechanism.
subkeys:
- key: CombinedPeriodInDays
title: Combined Major/Minor Update Deferral Period
title: Combined major/minor update deferral period
supportedOS:
macOS:
introduced: n/a
@@ -77,9 +77,9 @@ payloadkeys:
combinetype: number-max
content: Specifies the number of days to defer a major or minor OS software update
on the device. When set, software updates only appear after the specified delay,
following the release of the software update. Available in iOS 18 and later.
following the release of the software update.
- key: MajorPeriodInDays
title: Major Update Deferral Period
title: Major update deferral period
supportedOS:
iOS:
introduced: n/a
@@ -95,9 +95,9 @@ payloadkeys:
combinetype: number-max
content: Specifies the number of days to defer a major OS software update on the
device. When set, software updates only appear after the specified delay, following
the release of the software update. Available in macOS 15 and later.
the release of the software update.
- key: MinorPeriodInDays
title: Minor Update Deferral Period
title: Minor update deferral period
supportedOS:
iOS:
introduced: n/a
@@ -114,9 +114,8 @@ payloadkeys:
content: Specifies the number of days to defer a minor OS software update on the
device. It also defers major updates for iOS. When set, software updates only
appear after the specified delay, following the release of the software update.
Available in macOS 15 and later.
- key: SystemPeriodInDays
title: System Update Deferral Period
title: System update deferral period
supportedOS:
iOS:
introduced: n/a
@@ -132,9 +131,9 @@ payloadkeys:
combinetype: number-max
content: Specifies the number of days to defer system or non-OS updates. When
set, updates only appear after the specified delay, following the release of
the update. Available in macOS 15 and later.
the update.
- key: RecommendedCadence
title: Software Update Recommended Cadence
title: Software update recommended cadence
supportedOS:
macOS:
introduced: n/a
@@ -154,7 +153,7 @@ payloadkeys:
- `Oldest` - Shows only the oldest (lower numbered) software update version.
- `Newest` - Shows only the newest (highest numbered) software update version.
- key: AutomaticActions
title: Automatic Software Update Settings
title: Automatic software update settings
supportedOS:
iOS:
allowed-enrollments:
@@ -204,6 +203,9 @@ payloadkeys:
- `Allowed` - the user can enable or disable automatic installation.
- `AlwaysOn` - automatic installations are always enabled.
- `AlwaysOff` - automatic installations are always disabled.
> Note:
> The device uses this only with automatic downloads enabled.
- key: InstallSecurityUpdate
title: Automatic installs of available security updates.
supportedOS:
@@ -223,8 +225,11 @@ payloadkeys:
- `Allowed` - the user can enable or disable automatic installation.
- `AlwaysOn` - automatic installations are always enabled.
- `AlwaysOff` - automatic installations are always disabled.
> Note:
> The device uses this only with automatic downloads enabled.
- key: RapidSecurityResponse
title: Background Security Improvement Settings
title: Background Security Improvements settings
supportedOS:
iOS:
allowed-enrollments:
@@ -239,7 +244,7 @@ payloadkeys:
Improvement.
subkeys:
- key: Enable
title: Enable Background Security Improvement Installation
title: Enable Background Security Improvements installation
type: <boolean>
presence: optional
default: true
@@ -249,7 +254,7 @@ payloadkeys:
If set to `true`, the system offers Background Security Improvements to the user.
- key: EnableRollback
title: Enable Background Security Improvement Rollbacks
title: Enable Background Security Improvements rollbacks
type: <boolean>
presence: optional
default: true
@@ -259,7 +264,7 @@ payloadkeys:
If set to `true`, the system offers Background Security Improvement rollbacks to the user.
- key: AllowStandardUserOSUpdates
title: Allow Standard User OS Updates
title: Allow standard user OS updates
supportedOS:
iOS:
introduced: n/a
@@ -276,6 +281,7 @@ payloadkeys:
If set to `false`, only administrators can perform Major and Minor Software Updates.
- key: Beta
title: Beta
supportedOS:
macOS:
introduced: '15.4'
@@ -292,6 +298,7 @@ payloadkeys:
content: This object configures the beta program settings for a device.
subkeys:
- key: ProgramEnrollment
title: Program enrollment
supportedOS:
iOS:
allowed-enrollments:
@@ -308,9 +315,10 @@ payloadkeys:
Specifies whether the user can control beta program enrollment in the software update settings UI:
- `Allowed` - the user can enroll in any applicable beta programs associated with their logged in Apple Account. If the `OfferPrograms` key is present, then the programs listed in that key are also presented to the user.
- `AlwaysOn` - the beta programs specified by the organization are used, and the user isn't able to enroll in a beta program using their logged in Apple Account. The device is automatically enrolled into the beta program specified by the `RequireProgram` key if it's present. Otherwise, the system presents the programs listed in the `OfferPrograms` key to the user to choose which to enroll with.
- `AlwaysOn` - the device uses the beta programs the organization specifies, and the user isn't able to enroll in a beta program using their logged in Apple Account. The device is automatically enrolled into the beta program specified by the `RequireProgram` key if it's present. Otherwise, the system presents the programs listed in the `OfferPrograms` key to the user to choose which to enroll with.
- `AlwaysOff` - The device isn't allowed to enroll in any beta programs. The system removes the device from any beta programs, if already enrolled.
- key: OfferPrograms
title: Offer programs
type: <array>
presence: optional
combinetype: set-union
@@ -321,21 +329,25 @@ payloadkeys:
but is implicitly set to `Allowed`.
subkeys:
- key: Program
title: Program
type: <dictionary>
presence: required
content: The name and token associated with a specific beta program to be allowed.
subkeys:
- key: Description
title: Description
type: <string>
presence: required
content: A human readable description of the beta program.
- key: Token
title: Token
type: <string>
presence: required
content: The Apple Business Manager or Apple School Manager seeding service
token for the organization the MDM server is part of. The system uses this
token to enroll the device in the corresponding beta program.
content: The Apple School Manager or Apple Business seeding service token
for the organization the MDM server is part of. The system uses this token
to enroll the device in the corresponding beta program.
- key: RequireProgram
title: Require program
supportedOS:
iOS:
allowed-enrollments:
@@ -348,16 +360,24 @@ payloadkeys:
key must not be present if this key is present.
subkeys:
- key: Description
title: Description
type: <string>
presence: required
content: A human readable description of the beta program.
- key: Token
title: Token
type: <string>
presence: required
content: The Apple Business Manager or Apple School Manager seeding service
token for the organization the MDM server is part of. The system uses this
token to enroll the device in the corresponding beta program.
content: The Apple School Manager or Apple Business seeding service token for
the organization the MDM server is part of. The system uses this token to
enroll the device in the corresponding beta program.
related-status-items:
- status-items:
- softwareupdate.beta-enrollment
- softwareupdate.pending-version
examples:
title: Configuration example
files:
- description: This configuration manages software update behavior and deferral
settings.
file: examples/declarative/declarations/configurations/softwareupdate.settings/example1.json
@@ -22,7 +22,7 @@ payload:
apply: single
payloadkeys:
- key: EnrollmentProfileURL
title: Watch Enrollment Profile's URL.
title: Watch enrollment profile's URL.
type: <string>
presence: required
content: The URL of the profile that the Apple Watch downloads and installs if the
@@ -31,7 +31,7 @@ payloadkeys:
and the profile contains an MDM payload. Apple Watch attempts to install each
payload that the profile contains.
- key: AnchorCertificateAssetReferences
title: Anchor Certificate Asset References.
title: Anchor certificate asset references.
type: <array>
assettypes:
- com.apple.asset.credential.certificate
@@ -47,3 +47,8 @@ payloadkeys:
type: <string>
content: Specifies the identifier of an asset declaration containing the anchor
certificate to be used.
examples:
title: Configuration example
files:
- description: This configuration enrolls an Apple Watch using a profile URL.
file: examples/declarative/declarations/configurations/watch.enrollment/example1.json
@@ -0,0 +1,280 @@
title: WebContentFilter:Plugin
description: The declaration to configure a WebContent Filter that uses a plugin.
payload:
declarationtype: com.apple.configuration.webcontent-filter.plugin
supportedOS:
iOS:
introduced: '27.0'
allowed-enrollments:
- supervised
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
macOS:
introduced: '27.0'
allowed-enrollments:
- supervised
- local
allowed-scopes:
- system
tvOS:
introduced: n/a
visionOS:
introduced: '27.0'
allowed-enrollments:
- supervised
- device
- user
- local
allowed-scopes:
- system
watchOS:
introduced: n/a
apply: multiple
payloadkeys:
- key: VisibleName
title: Visible name
type: <string>
presence: required
content: The name of the web content filter that the system displays on the device.
- key: PluginBundleID
title: Plugin bundle ID
type: <string>
presence: required
content: The bundle ID of the plug-in that provides filtering service. Consult your
filtering solution vendor to determine what to specify for this value.
- key: ContentFilterUUID
title: Content filter UUID
supportedOS:
macOS:
introduced: n/a
type: <string>
presence: optional
content: A globally unique identifier for this content filter configuration. The
content filter processes network traffic for managed apps with the same `ContentFilterUUID`
in their app attributes. This key must be present for unsupervised devices and
user enrollment.
- key: ServerAddress
title: Server address
type: <string>
presence: optional
content: The server address, which may be the IP address, hostname, or URL.
- key: Organization
title: Organization
type: <string>
presence: optional
content: The organization string to pass to the third-party plug-in.
- key: VendorConfig
title: Vendor config
type: <dictionary>
presence: optional
content: The custom dictionary that the filtering service plug-in needs.
subkeys:
- key: ANY
type: <any>
presence: required
content: The custom key/value pairs for the filtering service.
- key: Authentication
title: Authentication details
type: <dictionary>
presence: optional
content: Settings that control authentication.
subkeys:
- key: CredentialsAssetReference
title: Credentials asset reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
presence: optional
content: The identifier of an asset declaration that contains the credentials
(user name and password) to authenticate with the service.
- key: IdentityAssetReference
title: Identity asset reference
type: <string>
assettypes:
- com.apple.asset.credential.acme
- com.apple.asset.credential.identity
- com.apple.asset.credential.scep
presence: optional
content: The identifier of a credential asset declaration that contains the identity
that this account requires to authenticate with the service.
- key: Filter
title: Filter details
type: <dictionary>
presence: optional
content: Settings that control authentication.
subkeys:
- key: Grade
title: Filter grade
supportedOS:
iOS:
introduced: n/a
visionOS:
introduced: n/a
type: <string>
presence: optional
rangelist:
- firewall
- inspector
default: firewall
content: The system uses this value to derive the relative order of content filters.
Filters with a grade of `firewall` see network traffic before filters with a
grade of `inspector`. However, the system doesn't define the order of filters
within a grade.
- key: Browsers
title: Browser filter details
supportedOS:
macOS:
introduced: n/a
type: <dictionary>
presence: optional
content: Settings that control the browser filter. If not present, the system
doesn't use browser filtering.
subkeys:
- key: Enabled
title: Enable browser filter
type: <boolean>
presence: required
content: If `true`, the system enables filtering WebKit traffic.
- key: Sockets
title: Socket filter details
type: <dictionary>
presence: optional
content: Settings that control the socket filter. If not present, the system doesn't
use socket filtering.
subkeys:
- key: Enabled
title: Enable socket filter
type: <boolean>
presence: required
content: If `true`, enables the filtering of socket traffic.
- key: ProviderComposedIdentifier
title: Data provider composed identifier
type: <string>
presence: optional
content: |-
The data provider identifier. This string identifies the filter data provider when the filter starts running. Required when Enabled is true.
In iOS and visionOS, the identifier is a bundle ID, for example, "com.example.app".
In macOS, the identifier is a composed identifier. The format of the composed identifier is "Bundle-ID {Designated-Requirement}". "Bundle-ID" is the bundle identifier string of the provider. "Designated-Requirement" is the designated requirement string from the code signature of the provider. For example, "com.example.app {anchor apple generic}".
- key: Packets
title: Packet filter details
supportedOS:
iOS:
introduced: n/a
visionOS:
introduced: n/a
type: <dictionary>
presence: optional
content: Settings that control the packet filter. If not present, the system doesn't
use packet filtering.
subkeys:
- key: Enabled
title: Enable packet filter
type: <boolean>
presence: required
content: If `true`, the system enables filtering network packets.
- key: ProviderComposedIdentifier
title: Packet provider composed identifier
type: <string>
presence: optional
content: |-
The packet provider identifier. This string identifies the filter data provider when the filter starts running. Required when Enabled is true.
The identifier is a composed identifier. The format of the composed identifier is "Bundle-ID {Designated-Requirement}". "Bundle-ID" is the bundle identifier string of the provider. "Designated-Requirement" is the designated requirement string from the code signature of the provider. For example, "com.example.app {anchor apple generic}".
- key: URLs
title: URL filter details
supportedOS:
visionOS:
introduced: n/a
type: <dictionary>
presence: optional
content: Settings that control the URL filter. If not present, the system doesn't
use URL filtering.
subkeys:
- key: Enabled
title: Enable URL filter
type: <boolean>
presence: required
content: If `true`, the system filters URL requests.
- key: Parameters
title: URL filter parameters.
type: <dictionary>
presence: optional
content: A dictionary containing URL filter parameters. Required when `Enabled`
is `true`.
subkeys:
- key: ProviderComposedIdentifier
title: Control provider composed identifier
type: <string>
presence: required
content: |-
The URL filter control provider identifier. This string identifies the filter data provider when the filter starts running. Required when Enabled is true.
In iOS, the identifier is a bundle ID, for example, "com.example.app".
In macOS, the identifier is a composed identifier. The format of the composed identifier is "Bundle-ID {Designated-Requirement}". "Bundle-ID" is the bundle identifier string of the provider. "Designated-Requirement" is the designated requirement string from the code signature of the provider. For example, "com.example.app {anchor apple generic}".
- key: PIR
title: Private information retrieval server settings.
type: <dictionary>
presence: required
content: A dictionary containing Private Information Retrieval server settings.
subkeys:
- key: ServerURL
title: Private information retrieval server URL
type: <string>
presence: required
content: The URL containing the domain name of the private information retrieval
server.
- key: PrivacyPassIssuerURL
title: Privacy pass issuer URL
type: <string>
presence: required
content: The URL containing the domain name of Privacy Pass Issuer.
- key: AuthenticationTokenAssetReference
title: Authentication token asset reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
presence: optional
content: The identifier of an asset declaration containing the HTTP bearer
token required to authenticate with the service. The bearer token is provided
in the `Password` field of the asset data. The system uses this token
to attest that it's a valid user when requesting anonymous authentication
tokens for PIR exchanges.
- key: FailClosed
title: URL filter fail closed
type: <boolean>
presence: optional
default: false
content: If `true`, the system blocks URLs if the filter is enabled, but it
fails to make any filtering decision; for example, if there's a communication
failure with the PIR server. If `false`, the system allows URLs if the filter
is enabled, but it fails to make any filtering decision.
- key: PrefilterFetchFrequency
title: Prefilter fetch frequency
type: <integer>
presence: optional
range:
min: 2700
default: 86400
content: The time interval in seconds that the system uses to periodically
run the `NEURLFilterControlProvider` app extension. The default value is
86400 seconds (1 day). The minimum allowed value is 2700 seconds (45 minutes).
The system allows `NEURLFilterControlProvider` implementations to download
prefilter Bloom filter data onto the device periodically at the specified
interval. Implementations need to allow for a slight difference between
the scheduled time and the actual runtime of the task, due to the scheduling
mechanism on the system.
examples:
title: Configuration example
files:
- description: This configuration sets up a web content filter using a Network Extension
plugin bundle.
file: examples/declarative/declarations/configurations/network.webcontent-filter.plugin/example1.json
@@ -15,20 +15,24 @@ payload:
introduced: '10.0'
payloadkeys:
- key: Type
title: Type
type: <string>
presence: required
content: A string specifying the type of this declaration.
- key: Identifier
title: Identifier
type: <string>
presence: required
content: A string uniquely identifying this declaration. The size of this string
should not exceed 64 octets. A UUID string value is a good choice.
shouldn't exceed 64 octets. A UUID string value is a good choice.
- key: ServerToken
title: Server token
type: <string>
presence: required
content: A unique token generated by the server specifying a particular revision
of the declaration. The size of this string should not exceed 64 octets.
of the declaration. The size of this string shouldn't exceed 64 octets.
- key: Payload
title: Payload
type: <dictionary>
presence: required
content: The payload describing this declaration.
@@ -15,12 +15,12 @@ payload:
introduced: '10.0'
payloadkeys:
- key: Name
title: Organization Name
title: Organization name
type: <string>
presence: required
content: The name of the organization.
- key: Email
title: Organization Email Address
title: Organization email address
type: <string>
presence: optional
content: The email address of the contact person for the organization.
@@ -30,15 +30,19 @@ payloadkeys:
presence: optional
content: The website of the organization to contact for support.
- key: Proof
title: Organization Identity
title: Organization identity
type: <dictionary>
presence: optional
content: The additional properties that verify the identity and authenticity of
the organization.
subkeys:
- key: IdentityToken
title: Organization Identity Token
title: Organization identity token
type: <string>
presence: optional
content: A token that verifies the identity of the organization when using this
service.
examples:
title: Management declaration example
files:
- file: examples/declarative/declarations/management/organization-info/example1.json
@@ -19,3 +19,7 @@ payloadkeys:
type: <any>
presence: optional
content: Each entry represents a property key/value.
examples:
title: Management declaration example
files:
- file: examples/declarative/declarations/management/properties/example1.json
@@ -15,12 +15,12 @@ payload:
introduced: '10.0'
payloadkeys:
- key: Version
title: Protocol Version
title: Protocol version
type: <string>
presence: required
content: The server's protocol version.
- key: SupportedFeatures
title: Supported Features
title: Supported features
type: <dictionary>
presence: required
content: |-
@@ -32,3 +32,7 @@ payloadkeys:
type: <any>
presence: optional
content: Additional keys may be present.
examples:
title: Management declaration example
files:
- file: examples/declarative/declarations/management/server-capabilities/example1.json
@@ -15,7 +15,7 @@ payload:
introduced: '10.0'
payloadkeys:
- key: Declarations
title: Manifest Declaration Items
title: Manifest declaration items
type: <dictionary>
presence: required
content: The set of available declarations on the server.
@@ -28,18 +28,18 @@ payloadkeys:
subkeytype: DeclarationItem
subkeys:
- key: _Activations
title: Manifest Declaration
title: Manifest declaration
type: <dictionary>
content: Information about an available declaration on the server.
subkeytype: DeclarationItem
subkeys: &id001
- key: Identifier
title: Declaration Identifier
title: Declaration identifier
type: <string>
presence: required
content: The declaration's identifier.
- key: ServerToken
title: Declaration Server Token
title: Declaration server token
type: <string>
presence: required
content: |-
@@ -53,7 +53,7 @@ payloadkeys:
subkeytype: DeclarationItem
subkeys:
- key: _Configurations
title: Manifest Declaration
title: Manifest declaration
type: <dictionary>
content: Information about an available declaration on the server.
subkeytype: DeclarationItem
@@ -66,7 +66,7 @@ payloadkeys:
subkeytype: DeclarationItem
subkeys:
- key: _Assets
title: Manifest Declaration
title: Manifest declaration
type: <dictionary>
content: Information about an available declaration on the server.
subkeytype: DeclarationItem
@@ -79,13 +79,13 @@ payloadkeys:
subkeytype: DeclarationItem
subkeys:
- key: _Management
title: Manifest Declaration
title: Manifest declaration
type: <dictionary>
content: Information about an available declaration on the server.
subkeytype: DeclarationItem
subkeys: *id001
- key: DeclarationsToken
title: Declarations Token
title: Declarations token
type: <string>
presence: required
content: The current value of the declarations token. Clients use this to detect
+9 -9
View File
@@ -15,7 +15,7 @@ payload:
introduced: '10.0'
payloadkeys:
- key: StatusItems
title: Status Items
title: Status items
type: <dictionary>
presence: required
content: The status items for this report.
@@ -31,40 +31,40 @@ payloadkeys:
content: Error information for a status item that cannot be returned.
subkeys:
- key: StatusItem
title: Status Item
title: Status item
type: <string>
presence: required
content: The status item that this error pertains to.
- key: Reasons
title: Status Reasons
title: Status reasons
type: <array>
presence: optional
content: An array of reasons for the error.
subkeytype: StatusReason
subkeys:
- key: _Reasons
title: Status Reason
title: Status reason
type: <dictionary>
content: Information about a status error.
subkeytype: StatusReason
subkeys:
- key: Code
title: Error Code
title: Error code
type: <string>
presence: required
content: The error code for this error.
- key: Description
title: Error Description
title: Error description
type: <string>
presence: optional
content: The description for this error.
- key: Details
title: Error Details
title: Error details
type: <dictionary>
presence: optional
content: A dictionary that contains further details about this error.
- key: FullReport
title: Full Report
title: Full report
supportedOS:
iOS:
introduced: '17.0'
@@ -76,7 +76,7 @@ payloadkeys:
presence: optional
default: false
content: The system sets this to `true` to indicate that the status report contains
the full set of current status, and is not an incremental report. A full status
the full set of current status, and isn't an incremental report. A full status
report includes the full set of items in any status array item, not just the changes.
Servers use this to replace their entire status for the device, rather than do
an incremental update to the existing status. The system sets this to `true` when
+1 -1
View File
@@ -15,7 +15,7 @@ payload:
introduced: '10.0'
payloadkeys:
- key: SyncTokens
title: Synchronization Tokens
title: Synchronization tokens
type: <dictionary>
presence: required
content: A dictionary of synchronization tokens that describes the state of different
+15 -5
View File
@@ -1,5 +1,5 @@
title: Status Account List CalDAV
description: A status report of the client's Calendar accounts.
description: The status item that lists the devices's Calendar accounts.
payload:
statusitemtype: account.list.caldav
supportedOS:
@@ -45,8 +45,9 @@ payloadkeys:
subkeytype: Account
subkeys:
- key: status_value
title: Status value
type: <dictionary>
content: A status report of the client's Calendar account details.
content: A Calendar account.
subkeys:
- key: identifier
title: Unique identifier of the account.
@@ -58,8 +59,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If `true`, the account is removed and the status item object only contains
this key and the `identifier` key.
content: If `true`, the device has removed the account and the status item object
only contains this key and the `identifier` key.
- key: declaration-identifier
title: Identifier of the declaration that installed the account.
type: <string>
@@ -77,7 +78,7 @@ payloadkeys:
presence: optional
content: The server host name for the account.
- key: port
title: Server Port
title: Server port
type: <integer>
presence: optional
content: The server port for the account.
@@ -97,3 +98,12 @@ payloadkeys:
type: <boolean>
presence: optional
content: If `true`, the Reminders app is displaying reminders for the account.
examples:
title: Status item example
files:
- tab: New or updated account
description: Reports a new or updated account.
file: data/docc-examples/remotemanagementmodel/status/account.list.caldav/example1.json
- tab: Removed account
description: Reports a removed account.
file: data/docc-examples/remotemanagementmodel/status/account.list.caldav/example2.json
+15 -5
View File
@@ -1,5 +1,5 @@
title: Status Account List CardDAV
description: A status report of the client's Contacts accounts.
description: The status item that lists the devices's Contacts accounts.
payload:
statusitemtype: account.list.carddav
supportedOS:
@@ -45,8 +45,9 @@ payloadkeys:
subkeytype: Account
subkeys:
- key: status_value
title: Status value
type: <dictionary>
content: A status report of the client's Contacts account details.
content: A Contacts account.
subkeys:
- key: identifier
title: Unique identifier of the account.
@@ -58,8 +59,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If `true`, the account is removed and the status item object only contains
this key and the `identifier` key.
content: If `true`, the device has removed the account and the status item object
only contains this key and the `identifier` key.
- key: declaration-identifier
title: Identifier of the declaration that installed the account.
type: <string>
@@ -77,7 +78,7 @@ payloadkeys:
presence: optional
content: The server host name for the account.
- key: port
title: Server Port
title: Server port
type: <integer>
presence: optional
content: The server port for the account.
@@ -86,3 +87,12 @@ payloadkeys:
type: <string>
presence: optional
content: The user name for the account.
examples:
title: Status item example
files:
- tab: New or updated account
description: Reports a new or updated account.
file: data/docc-examples/remotemanagementmodel/status/account.list.carddav/example1.json
- tab: Removed account
description: Reports a removed account.
file: data/docc-examples/remotemanagementmodel/status/account.list.carddav/example2.json
+15 -5
View File
@@ -1,5 +1,5 @@
title: Status Account List Exchange
description: A status report of the client's Exchange accounts.
description: The status item that lists the devices's Exchange accounts.
payload:
statusitemtype: account.list.exchange
supportedOS:
@@ -45,8 +45,9 @@ payloadkeys:
subkeytype: Account
subkeys:
- key: status_value
title: Status value
type: <dictionary>
content: A status report of the client's Exchange account details.
content: An Exchange account.
subkeys:
- key: identifier
title: Unique identifier of the account.
@@ -58,8 +59,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If `true`, the account is removed and the status item object only contains
this key and the `identifier` key.
content: If `true`, the device has removed the account and the status item object
only contains this key and the `identifier` key.
- key: declaration-identifier
title: Identifier of the declaration that installed the account.
type: <string>
@@ -77,7 +78,7 @@ payloadkeys:
presence: optional
content: The server host name for the account.
- key: port
title: Server Port
title: Server port
type: <integer>
presence: optional
content: The server port for the account.
@@ -116,3 +117,12 @@ payloadkeys:
presence: optional
content: A Boolean value that indicates whether the Reminders app displays reminders
for this account.
examples:
title: Status item example
files:
- tab: New or updated account
description: Reports a new or updated account.
file: data/docc-examples/remotemanagementmodel/status/account.list.exchange/example1.json
- tab: Removed account
description: Reports a removed account.
file: data/docc-examples/remotemanagementmodel/status/account.list.exchange/example2.json
+14 -4
View File
@@ -1,5 +1,5 @@
title: Status Account List Google
description: A status report of the client's Google accounts.
description: The status item that lists the client's Google accounts.
payload:
statusitemtype: account.list.google
supportedOS:
@@ -45,8 +45,9 @@ payloadkeys:
subkeytype: Account
subkeys:
- key: status_value
title: Status value
type: <dictionary>
content: A status report of the client's Google account details.
content: A Google account.
subkeys:
- key: identifier
title: Unique identifier of the account.
@@ -58,8 +59,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If `true`, the account is removed and the status item object only contains
this key and the `identifier` key.
content: If `true`, the device removed the account and the status item object
only contains this key and the `identifier` key.
- key: declaration-identifier
title: Identifier of the declaration that installed the account.
type: <string>
@@ -100,3 +101,12 @@ payloadkeys:
presence: optional
content: A Boolean value that indicates whether the Notes app displays notes
for this account.
examples:
title: Status item example
files:
- tab: New or updated account
description: Reports a new or updated account.
file: data/docc-examples/remotemanagementmodel/status/account.list.google/example1.json
- tab: Removed account
description: Reports a removed account.
file: data/docc-examples/remotemanagementmodel/status/account.list.google/example2.json
+16 -6
View File
@@ -1,6 +1,6 @@
title: Status Account List LDAP
description: A status report of the client's Lightweight Directory Access Protocol
(LDAP) accounts.
description: The status item that lists the devices's Lightweight Directory Access
Protocol (LDAP) accounts.
payload:
statusitemtype: account.list.ldap
supportedOS:
@@ -46,8 +46,9 @@ payloadkeys:
subkeytype: Account
subkeys:
- key: status_value
title: Status value
type: <dictionary>
content: A status report of the client's LDAP account details.
content: An LDAP account.
subkeys:
- key: identifier
title: Unique identifier of the account.
@@ -59,8 +60,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If `true`, the account is removed and the status item object only contains
this key and the `identifier` key.
content: If `true`, the device removed the account and the status item object
only contains this key and the `identifier` key.
- key: declaration-identifier
title: Identifier of the declaration that installed the account.
type: <string>
@@ -78,7 +79,7 @@ payloadkeys:
presence: optional
content: The server host name for the account.
- key: port
title: Server Port
title: Server port
type: <integer>
presence: optional
content: The server port for the account.
@@ -93,3 +94,12 @@ payloadkeys:
presence: optional
content: A Boolean value that indicates whether the account is enabled for use
with the Contacts app.
examples:
title: Status item example
files:
- tab: New or updated account
description: Reports a new or updated account.
file: data/docc-examples/remotemanagementmodel/status/account.list.ldap/example1.json
- tab: Removed account
description: Reports a removed account.
file: data/docc-examples/remotemanagementmodel/status/account.list.ldap/example2.json
@@ -1,5 +1,5 @@
title: Status Account List Mail Incoming
description: A status report of the client's incoming Mail accounts.
description: The status item that lists the devices's incoming Mail accounts.
payload:
statusitemtype: account.list.mail.incoming
supportedOS:
@@ -45,8 +45,9 @@ payloadkeys:
subkeytype: Account
subkeys:
- key: status_value
title: Status value
type: <dictionary>
content: A status report of the client's incoming Mail account details.
content: An incoming Mail account.
subkeys:
- key: identifier
title: Unique identifier of the account.
@@ -58,8 +59,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If `true`, the account is removed and the status item object only contains
this key and the `identifier` key.
content: If `true`, the device removed the account and the status item object
only contains this key and the `identifier` key.
- key: declaration-identifier
title: Identifier of the declaration that installed the account.
type: <string>
@@ -77,7 +78,7 @@ payloadkeys:
presence: optional
content: The server host name for the account.
- key: port
title: Server Port
title: Server port
type: <integer>
presence: optional
content: The server port for the account.
@@ -98,3 +99,12 @@ payloadkeys:
presence: optional
content: A Boolean value that indicates whether the Notes app displays notes
for this account.
examples:
title: Status item example
files:
- tab: New or updated account
description: Reports a new or updated account.
file: data/docc-examples/remotemanagementmodel/status/account.list.mail.incoming/example1.json
- tab: Removed account
description: Reports a removed account.
file: data/docc-examples/remotemanagementmodel/status/account.list.mail.incoming/example2.json
@@ -1,5 +1,5 @@
title: Status Account List Mail Outgoing
description: A status report of the client's outgoing Mail accounts.
description: The status item that lists the devices's outgoing Mail accounts.
payload:
statusitemtype: account.list.mail.outgoing
supportedOS:
@@ -45,8 +45,9 @@ payloadkeys:
subkeytype: Account
subkeys:
- key: status_value
title: Status value
type: <dictionary>
content: A status report of the client's outgoing Mail account details.
content: An outgoing Mail account.
subkeys:
- key: identifier
title: Unique identifier of the account.
@@ -58,8 +59,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If `true`, the account is removed and the status item object only contains
this key and the `identifier` key.
content: If `true`, the device removed the account and the status item object
only contains this key and the `identifier` key.
- key: declaration-identifier
title: Identifier of the declaration that installed the account.
type: <string>
@@ -77,7 +78,7 @@ payloadkeys:
presence: optional
content: The server host name for the account.
- key: port
title: Server Port
title: Server port
type: <integer>
presence: optional
content: The server port for the account.
@@ -86,3 +87,12 @@ payloadkeys:
type: <string>
presence: optional
content: The user name for the account.
examples:
title: Status item example
files:
- tab: New or updated account
description: Reports a new or updated account.
file: data/docc-examples/remotemanagementmodel/status/account.list.mail.outgoing/example1.json
- tab: Removed account
description: Reports a removed account.
file: data/docc-examples/remotemanagementmodel/status/account.list.mail.outgoing/example2.json
@@ -1,5 +1,5 @@
title: Status Account List Subscribed Calendar
description: A status report of the client's subscribed calendars.
description: The status item that lists the devices's subscribed calendars.
payload:
statusitemtype: account.list.subscribed-calendar
supportedOS:
@@ -45,8 +45,9 @@ payloadkeys:
subkeytype: Account
subkeys:
- key: status_value
title: Status value
type: <dictionary>
content: A status report of the client's subscribed calendar details.
content: A subscribed calendar.
subkeys:
- key: identifier
title: Unique identifier of the subscribed calendar.
@@ -58,8 +59,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If `true`, the subscribed calendar is removed and the status item object
only contains this key and the `identifier` key.
content: If `true`, the device removed the subscribed calendar and the status
item object only contains this key and the `identifier` key.
- key: declaration-identifier
title: Identifier of the declaration that installed the subscribed calendar.
type: <string>
@@ -87,3 +88,12 @@ payloadkeys:
presence: optional
content: A Boolean value that indicates whether the Calendar app displays this
subscribed calendar.
examples:
title: Status item example
files:
- tab: New or updated account
description: Reports a new or updated account.
file: data/docc-examples/remotemanagementmodel/status/account.list.subscribed-calendar/example1.json
- tab: Removed account
description: Reports a removed account.
file: data/docc-examples/remotemanagementmodel/status/account.list.subscribed-calendar/example2.json
+26 -13
View File
@@ -1,5 +1,5 @@
title: Status App Managed List
description: The device's declarative managed apps.
description: The status item that lists the device's declarative managed apps.
payload:
statusitemtype: app.managed.list
supportedOS:
@@ -44,8 +44,9 @@ payloadkeys:
subkeytype: App
subkeys:
- key: status_value
title: Status value
type: <dictionary>
content: A dictionary that describes a declarative managed app.
content: A managed app.
subkeys:
- key: identifier
title: Unique identifier of the app.
@@ -74,7 +75,7 @@ payloadkeys:
type: <integer>
presence: optional
content: |-
The app's external version identifier. You can also retrieve this value from the App Store. For more information, see `Apps and Books for Organizations`.
The app's external version identifier. You can also retrieve this value from the App Store. For more information, see `Apps and books metadata for organizations`.
If the current external version identifier of an app on the App Store doesn't match the external version identifier reported by the device, there may be an app update available for the device.
- key: version
@@ -108,7 +109,7 @@ payloadkeys:
- `optional`: The app is optional and the user has to trigger its installation.
- `queued`: The system has started installation of the app.
- `not-present`: Management of the app occurs after it is installed.
- `not-present`: Management of the app occurs after it's installed.
- `prompting-for-consent`: The system is displaying a prompt to the user to proceed with app installation.
- `prompting-for-login`: The system is displaying an App Store sign-in prompt to the user to allow app installation.
- `prompting-for-management`: The system is displaying a prompt to the user to allow changing the installed app to a managed app.
@@ -144,7 +145,7 @@ payloadkeys:
iOS:
introduced: '18.4'
macOS:
introduced: n/a
introduced: '27.0'
type: <dictionary>
presence: optional
content: The status of app or extension managed configurations. This key is
@@ -170,9 +171,9 @@ payloadkeys:
- valid
content: |-
The managed configuration status.
- `unknown`: The managed configuration has not been read
- `invalid`: The managed configuration was read and deemed to be invalid
- `valid`: The managed configuration was read and deemed to be valid
- `unknown`: The device hasn't read the managed configuration.
- `invalid`: The device read the managed configuration and found it to be invalid.
- `valid`: The device read the managed configuration and found it to be valid.
- key: extension-config-state
title: Extensions managed configuration status
type: <dictionary>
@@ -189,7 +190,7 @@ payloadkeys:
subkeytype: ManagedConfigurationState
subkeys: *id001
- key: reasons
title: Status Reasons
title: Status reasons
type: <array>
presence: optional
content: An array that contains additional details about the app state, including
@@ -197,23 +198,23 @@ payloadkeys:
subkeytype: StatusReason
subkeys:
- key: _reasons
title: Status Reason
title: Status reason
type: <dictionary>
content: Information about a status error.
subkeytype: StatusReason
subkeys:
- key: code
title: Error Code
title: Error code
type: <string>
presence: required
content: A code for the state.
- key: description
title: Error Description
title: Error description
type: <string>
presence: optional
content: A description of the state.
- key: details
title: Error Details
title: Error details
type: <dictionary>
presence: optional
content: A dictionary that contains additional details about the state.
@@ -230,6 +231,7 @@ reasons:
details:
- key: Timestamp
type: <string>
valuetype: timestamp
description: The RFC 3339 timestamp of the last download failure.
- value: Error.DuplicateConfiguredApp
description: The app is already being managed.
@@ -238,6 +240,7 @@ reasons:
details:
- key: Timestamp
type: <string>
valuetype: timestamp
description: The RFC 3339 timestamp of the last install failure.
- value: Error.InvalidAppID
description: The app id could not be found.
@@ -263,4 +266,14 @@ reasons:
details:
- key: Timestamp
type: <string>
valuetype: timestamp
description: The RFC 3339 timestamp of the last update failure.
examples:
title: Status item example
files:
- tab: New or updated app
description: Reports a new or updated app.
file: data/docc-examples/remotemanagementmodel/status/app.managed.list/example1.json
- tab: Removed app
description: Reports a removed app.
file: data/docc-examples/remotemanagementmodel/status/app.managed.list/example2.json
+100
View File
@@ -0,0 +1,100 @@
title: Status Content Cache Info
description: The status item that reports information about the Content Cache service.
payload:
statusitemtype: content-cache.info
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '27.0'
allowed-enrollments:
- supervised
- local
allowed-scopes:
- system
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: content-cache.info
title: Cache info
type: <dictionary>
presence: required
content: A dictionary that contains info about the usage of the Content Cache on
the device
subkeys:
- key: cache-details
title: Cache details
type: <array>
presence: optional
content: The amount of disk space that various categories of cached content use.
Apple defines these categories and they're subject to change.
subkeys:
- key: detail-item
title: Example file category
type: <string>
presence: required
content: The amount of disk space in bytes, that this category of cached content
uses.
- key: cache-free
title: Cache free space
type: <integer>
presence: optional
content: The amount of disk space in bytes, available to the Content Cache.
- key: cache-limit
title: Cache limit
type: <integer>
presence: optional
content: The maximum amount of disk space in bytes, available to the Content Cache.
A value of `0` indicates an unlimited amount. This value corresponds to `CacheLimit`
in the installed `ContentCaching` configuration.
- key: cache-status
title: Cache status
type: <string>
presence: optional
rangelist:
- LOWSPACE
- OK
content: The level of cache pressure. `LOWSPACE` means cache pressure is high.
- key: cache-used
title: Cache used
type: <integer>
presence: optional
content: The amount of disk space in bytes, cached content uses. The Content Cache
allocates space in its cache for entire files even when it stores only part
of those files in its cache.
- key: max-cache-pressure-last-hour
title: Maximum cache pressure
type: <real>
presence: optional
range:
min: 0.0
max: 1.0
content: A floating-point number between `0.0` and `1.0` that represents how often
the cache needed more disk space over the last hour of operation. A lower value
is better.
- key: personal-cache-free
title: Personal cache free
type: <integer>
presence: optional
content: The amount of disk space in bytes, available to the Content Cache for
personal iCloud content.
- key: personal-cache-limit
title: Personal cache limit
type: <integer>
presence: optional
content: The maximum amount of disk space in bytes, available to the Content Cache
for personal iCloud content. A value of `0` indicates an unlimited amount.
- key: personal-cache-used
title: Personal cache used
type: <integer>
presence: optional
content: The amount of disk space, in bytes, available to the Content Cache for
personal iCloud content.
examples:
title: Status item example
files:
- file: data/docc-examples/remotemanagementmodel/status/content-cache.info/example1.json
@@ -0,0 +1,76 @@
title: Status Content Cache Parents
description: The status item that reports information about the Content Cache service
parent caches.
payload:
statusitemtype: content-cache.parents
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '27.0'
allowed-enrollments:
- supervised
- local
allowed-scopes:
- system
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: content-cache.parents
title: Content cache parents
type: <array>
presence: optional
content: An array of dictionaries that describes parent Content Caches.
subkeys:
- key: parents-item
title: Parent item
type: <dictionary>
presence: optional
content: A parent Content Cache.
subkeys:
- key: identifier
title: Parent GUID
type: <string>
presence: required
content: The unique identifier of the parent Content Cache.
- key: _removed
title: Indicates removal of the entry.
type: <boolean>
presence: optional
default: false
content: If `true`, the system removed the parent entry and only this key and
the `identifier` key are present in the status item object.
- key: address
title: IP address
type: <string>
presence: required
content: The local IPv4 address of the parent Content Cache.
- key: port
title: Port
type: <integer>
presence: required
content: The IP port number the parent Content Cache listens to for requests.
- key: healthy
title: Cache health
type: <boolean>
presence: required
content: If `true,` the parent Content Cache is able to respond to requests
from this Content Cache.
- key: version
title: Version
type: <string>
presence: required
content: The version number of the parent Content Cache software.
examples:
title: Status item example
files:
- tab: New or updated parent
description: Reports a new or updated parent.
file: data/docc-examples/remotemanagementmodel/status/content-cache.parents/example1.json
- tab: Removed parent
description: Reports a removed parent.
file: data/docc-examples/remotemanagementmodel/status/content-cache.parents/example2.json
@@ -0,0 +1,82 @@
title: Status Content Cache Peers
description: The status item that reports information about the Content Cache service
peer caches.
payload:
statusitemtype: content-cache.peers
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '27.0'
allowed-enrollments:
- supervised
- local
allowed-scopes:
- system
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: content-cache.peers
title: Content cache peers
type: <array>
presence: required
content: An array of dictionaries that describes peer Content Caches.
subkeys:
- key: peer-item
title: Peer item
type: <dictionary>
presence: optional
content: A peer Content Cache.
subkeys:
- key: identifier
title: Peer GUID
type: <string>
presence: required
content: The unique identifier of the peer Content Cache.
- key: _removed
title: Indicates removal of the entry.
type: <boolean>
presence: optional
default: false
content: If `true`, the system removed the peer entry and only this key and
the `identifier` key are present in the status item object.
- key: address
title: IP address
type: <string>
presence: required
content: The local IPv4 address of the peer Content Cache.
- key: port
title: Port
type: <integer>
presence: required
content: The IP port number the peer Content Cache listens to for requests.
- key: friendly
title: Friendly
type: <boolean>
presence: required
content: If `true`, the peer Content Cache is willing to respond to requests
from this Content Cache.
- key: healthy
title: Cache health
type: <boolean>
presence: required
content: If `true`, the peer Content Cache is able to respond to requests from
this Content Cache.
- key: version
title: Version
type: <string>
presence: required
content: The version number of the peer Content Cache software.
examples:
title: Status item example
files:
- tab: New or updated peer
description: Reports a new or updated peer.
file: data/docc-examples/remotemanagementmodel/status/content-cache.peers/example1.json
- tab: Removed peer
description: Reports a removed peer.
file: data/docc-examples/remotemanagementmodel/status/content-cache.peers/example2.json
@@ -0,0 +1,159 @@
title: Status Content Cache Service
description: The status item that reports the status of the Content Cache service.
payload:
statusitemtype: content-cache.status
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '27.0'
allowed-enrollments:
- supervised
- local
allowed-scopes:
- system
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: content-cache.status
title: Status of the content cache service
type: <dictionary>
presence: required
content: The basic set of AssetCache status items
subkeys:
- key: server-guid
title: Server GUID
type: <string>
presence: required
content: The unique identifier of the Content Cache.
- key: activated
title: Activated
type: <boolean>
presence: optional
default: false
content: If `true`, the device has enabled the Content Cache. Enabling the Content
Caching doesn't guarantee service. See the `Active` key for the readiness of
the Content Cache to serve requests.
- key: active
title: Active
type: <boolean>
presence: optional
default: false
content: If `true`, the Content Cache is ready to serve requests.
- key: cache-status
title: Cache status
type: <string>
presence: optional
rangelist:
- LOWSPACE
- OK
content: The level of cache pressure. `LOWSPACE` means cache pressure is high.
- key: private-addresses
title: Private addresses
type: <array>
presence: optional
content: An array of the Content Cache's local IP addresses.
subkeys:
- key: private-address-item
title: Private address
type: <string>
presence: required
content: Local IP address at which the Content Cache listens for requests from
clients, peers, and children.
- key: public-address
title: Public address
type: <string>
presence: optional
content: The public IP address of the Content Cache.
- key: port
title: Port
type: <integer>
presence: optional
content: The IP port number the Content Cache listens to for requests from clients,
peers, and children.
- key: registration-status
title: Registration status
type: <integer>
presence: optional
rangelist:
- -1
- 0
- 1
content: |-
The status of the Content Cache's registration with Apple, which is one of the following values:
- `-1`: The registration failed.
- `0`: The registration is pending.
- `1`: The registration succeeded.
- key: registration-started
title: Registration timestamp
type: <string>
presence: optional
content: The RFC 3339 timestamp for when the Content Cache began registering itself
with Apple. This value is only available during registration attempts.
- key: registration-response-code
title: Registration response code
type: <integer>
presence: optional
content: If present, the HTTP response code that the Content Cache received when
it failed to register itself with Apple.
- key: registration-error
title: Registration error
type: <string>
presence: optional
content: If present, the reason the Content Cache failed to register itself with
Apple.
- key: startup-status
title: Startup status
type: <string>
presence: optional
rangelist:
- FAILED
- MIGRATING_DATA
- OK
- PENDING
content: The status of the Content Cache's registration with Apple.
- key: tetherator-status
title: Tetherator status
type: <integer>
presence: optional
rangelist:
- -1
- 0
- 1
content: |-
The status of tethered caching, which is the Content Cache with a shared internet connection, which is one of the following values:
- '-1' : Unknown
- '0' : Disabled
- '1' : Enabled
- key: sending-reports
title: Sending metrics reports
type: <boolean>
presence: optional
content: When present, a value of `true` indicates that the cache is sending metrics
reports to the URL specified in the `ManagementStatusTarget` key in the installed
`ContentCaching` configuration.
- key: report-response-code
title: Metrics report response code
type: <integer>
presence: optional
content: When present, contains the HTTP response code that the Content Cache
received when it failed to send the metrics report to the target URL.
- key: report-error
title: Metrics report error
type: <string>
presence: optional
content: When present, indicates why the Content Cache failed to send the metrics.
- key: version
title: Version
type: <string>
presence: required
content: The version number of the Content Cache software.
examples:
title: Status item example
files:
- file: data/docc-examples/remotemanagementmodel/status/content-cache.status/example1.json
@@ -1,5 +1,5 @@
title: Status Device Serial Number
description: A status report of the device's serial number.
description: The status item that reports the device's serial number.
payload:
statusitemtype: device.identifier.serial-number
supportedOS:
@@ -52,3 +52,7 @@ payloadkeys:
type: <string>
presence: required
content: The device's serial number.
examples:
title: Status item example
files:
- file: data/docc-examples/remotemanagementmodel/status/device.identifier.serial-number/example1.json
@@ -1,5 +1,5 @@
title: Status Device UDID
description: A status report of the device's UDID.
description: The status item that reports the device's UDID.
payload:
statusitemtype: device.identifier.udid
supportedOS:
@@ -54,3 +54,7 @@ payloadkeys:
content: The device's UDID. This value is always available on the device channel.
This value is only available on user channels whose organization matches that
of the device channel.
examples:
title: Status item example
files:
- file: data/docc-examples/remotemanagementmodel/status/device.identifier.udid/example1.json
+5 -1
View File
@@ -1,5 +1,5 @@
title: Status Device Model Family
description: A status report of the device's hardware family.
description: The status item that reports the device's hardware model family.
payload:
statusitemtype: device.model.family
supportedOS:
@@ -55,3 +55,7 @@ payloadkeys:
type: <string>
presence: required
content: The hardware family of the device, such as `Mac`, `iPhone`, or `iPad`.
examples:
title: Status item example
files:
- file: data/docc-examples/remotemanagementmodel/status/device.model.family/example1.json
@@ -1,5 +1,5 @@
title: Status Device Model Identifier
description: A status report of the device's hardware identifier.
description: The status item that reports the device's hardware model identifier.
payload:
statusitemtype: device.model.identifier
supportedOS:
@@ -59,3 +59,7 @@ payloadkeys:
model's version is a comma-separated number where the first part of the number
is the version, and the second part is a variant, such as `MacBookPro15,1` or
`iPhone13,2`.
examples:
title: Status item example
files:
- file: data/docc-examples/remotemanagementmodel/status/device.model.identifier/example1.json
@@ -1,5 +1,5 @@
title: Status Device Model Marketing Name
description: A status report of the device's marketing name.
description: The status item that reports the device's model marketing name.
payload:
statusitemtype: device.model.marketing-name
supportedOS:
@@ -56,3 +56,7 @@ payloadkeys:
presence: required
content: The device's marketing name, such as `iPhone 12`. This value may not always
be available.
examples:
title: Status item example
files:
- file: data/docc-examples/remotemanagementmodel/status/device.model.marketing-name/example1.json
+5 -1
View File
@@ -1,5 +1,5 @@
title: Status Device Model Number
description: A status report of the device's hardware number.
description: The status item that reports the device's hardware number.
payload:
statusitemtype: device.model.number
supportedOS:
@@ -55,3 +55,7 @@ payloadkeys:
type: <string>
presence: required
content: The device's model number.
examples:
title: Status item example
files:
- file: data/docc-examples/remotemanagementmodel/status/device.model.number/example1.json
@@ -1,5 +1,5 @@
title: Status Device Operating System Build Version
description: A status report of the device's software build identifier.
description: The status item that reports the device's operating system build version.
payload:
statusitemtype: device.operating-system.build-version
supportedOS:
@@ -55,3 +55,7 @@ payloadkeys:
type: <string>
presence: required
content: The operating system's build version on the device, such as `18F132`.
examples:
title: Status item example
files:
- file: data/docc-examples/remotemanagementmodel/status/device.operating-system.build-version/example1.json
@@ -1,5 +1,5 @@
title: Status Device Operating System Family
description: A status report of the device's operating system family.
description: The status item that reports the device's operating system family.
payload:
statusitemtype: device.operating-system.family
supportedOS:
@@ -55,3 +55,7 @@ payloadkeys:
type: <string>
presence: required
content: The operating system family in use on the device, such as `macOS` or `iOS`.
examples:
title: Status item example
files:
- file: data/docc-examples/remotemanagementmodel/status/device.operating-system.family/example1.json
@@ -1,5 +1,6 @@
title: Status Device Operating System Marketing Name
description: A status report of the device's operating system marketing name.
description: The status item that reports the device's operating system marketing
name.
payload:
statusitemtype: device.operating-system.marketing-name
supportedOS:
@@ -55,3 +56,7 @@ payloadkeys:
type: <string>
presence: required
content: The operating system's marketing name in use on the device, such as `Catalina`.
examples:
title: Status item example
files:
- file: data/docc-examples/remotemanagementmodel/status/device.operating-system.marketing-name/example1.json
@@ -1,5 +1,6 @@
title: Status Device Operating System Supplemental Build Version
description: A status report of the device's operating system supplemental build identifier.
description: The status item that reports the device's operating system supplemental
build version and Background Security Improvement version.
payload:
statusitemtype: device.operating-system.supplemental.build-version
supportedOS:
@@ -56,3 +57,7 @@ payloadkeys:
presence: required
content: The operating system's build and Background Security Improvement versions
in use on the device, for example, `20A123a` or `20B27c`.
examples:
title: Status item example
files:
- file: data/docc-examples/remotemanagementmodel/status/device.operating-system.supplemental.build-version/example1.json
@@ -1,6 +1,6 @@
title: Status Device Operating System Supplemental Extra Version
description: A status report of the device's operating system's Background Security
Improvement identifier.
description: The status item that reports the device's operating system Background
Security Improvement version.
payload:
statusitemtype: device.operating-system.supplemental.extra-version
supportedOS:
@@ -57,3 +57,7 @@ payloadkeys:
presence: required
content: The operating system's Background Security Improvement version in use on
the device, for example, `a`.
examples:
title: Status item example
files:
- file: data/docc-examples/remotemanagementmodel/status/device.operating-system.supplemental.extra-version/example1.json
@@ -1,5 +1,5 @@
title: Status Device Operating System Version
description: A status report of the device's operating system version.
description: The status item that reports the device's operating system version.
payload:
statusitemtype: device.operating-system.version
supportedOS:
@@ -55,3 +55,7 @@ payloadkeys:
type: <string>
presence: required
content: The operating system's version in use on the device, such as `15.0`.
examples:
title: Status item example
files:
- file: data/docc-examples/remotemanagementmodel/status/device.operating-system.version/example1.json
@@ -1,5 +1,5 @@
title: Status Device Battery Health
description: The device's battery health.
description: The status item that reports the device's battery health.
payload:
statusitemtype: device.power.battery-health
supportedOS:
@@ -47,7 +47,7 @@ payloadkeys:
- `unknown`: The system couldn't determine battery health information.
- `unsupported`: The device doesn't support battery health reporting.
Available in iOS 17 and later on iPhone, iPadOS 18.4 and later on supported iPad models, and macOS 14.4 and later on a Mac with Apple silicon.
Supported on iPhones, specific iPad models, and Mac computers with Apple silicon.
notes:
- title: ''
content: |-
@@ -56,3 +56,7 @@ notes:
- [iPhone devices](https://support.apple.com/101575)
- [iPad devices](https://support.apple.com/117759)
- [macOS devices](https://support.apple.com/108376)
examples:
title: Status item example
files:
- file: data/docc-examples/remotemanagementmodel/status/device.power.battery-health/example1.json
@@ -0,0 +1,128 @@
title: Status Device System Health
description: The status item that reports the device's system health.
payload:
statusitemtype: device.system.health
supportedOS:
iOS:
introduced: '27.0'
allowed-enrollments:
- supervised
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
macOS:
introduced: n/a
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: device.system.health
title: Status item value.
type: <dictionary>
presence: required
content: |-
A dictionary where each key represents a hardware component name and each value is a string indicating the component's health status, which has the following values:
- `ok`: The component is operating normally.
- `error`: The component has a detected error or failure.
- `non-genuine`: The component isn't a genuine Apple component.
Not all keys are supported on each device. The dictionary includes only components that are present and reportable on the device.
subkeys:
- key: Baseband
title: Baseband health status
type: <string>
presence: optional
rangelist:
- ok
- error
content: |-
The baseband health status, which has the following values:
- `ok`: The component is operating normally.
- `error`: The component has a detected error or failure.
- key: Camera
title: Camera health status
type: <string>
presence: optional
rangelist:
- ok
- error
- non-genuine
content: |-
The camera health status, which has the following values:
- `ok`: The component is operating normally.
- `error`: The component has a detected error or failure.
- `non-genuine`: The component isn't a genuine Apple component.
- key: Display
title: Display health status
type: <string>
presence: optional
rangelist:
- ok
- error
- non-genuine
content: |-
The display health status, which has the following values:
- `ok`: The component is operating normally.
- `error`: The component has a detected error or failure.
- `non-genuine`: The component isn't a genuine Apple component.
- key: FaceID
title: Face ID health status
type: <string>
presence: optional
rangelist:
- ok
- error
content: |-
The Face ID health status, which has the following values:
- `ok`: The component is operating normally.
- `error`: The component has a detected error or failure.
- key: NFC
title: NFC health status
type: <string>
presence: optional
rangelist:
- ok
- error
content: |-
The NFC (Near Field Communication) health status, which has the following values:
- `ok`: The component is operating normally.
- `error`: The component has a detected error or failure.
- key: TouchID
title: Touch ID health status
type: <string>
presence: optional
rangelist:
- ok
- error
content: |-
The Touch ID health status, which has the following values:
- `ok`: The component is operating normally.
- `error`: The component has a detected error or failure.
- key: UWB
title: Ultra-wideband radio health status
type: <string>
presence: optional
rangelist:
- ok
- error
content: |-
The UWB (Ultra-Wideband) radio health status, which has the following values:
- `ok`: The component is operating normally.
- `error`: The component has a detected error or failure.
examples:
title: Status item example
files:
- file: data/docc-examples/remotemanagementmodel/status/device.system.health/example1.json
@@ -1,5 +1,5 @@
title: Status Disk Management File Vault Enabled
description: The enabled status of the File Vault.
description: The status item that reports whether FileVault is enabled.
payload:
statusitemtype: diskmanagement.filevault.enabled
supportedOS:
@@ -24,3 +24,7 @@ payloadkeys:
type: <boolean>
presence: required
content: A Boolean value that specifies the File Vault enabled status on the device.
examples:
title: Status item example
files:
- file: data/docc-examples/remotemanagementmodel/status/diskmanagement.filevault.enabled/example1.json
@@ -0,0 +1,42 @@
title: Status Enhanced Logging AppleCare Token
description: The status item that reports the device's enhanced log collection session
AppleCare token.
payload:
statusitemtype: enhanced-logging.applecare-token
supportedOS:
iOS:
introduced: '27.0'
allowed-enrollments:
- supervised
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
macOS:
introduced: '27.0'
allowed-enrollments:
- supervised
allowed-scopes:
- user
tvOS:
introduced: '27.0'
allowed-enrollments:
- supervised
allowed-scopes:
- system
visionOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: enhanced-logging.applecare-token
title: AppleCare token value.
type: <string>
presence: optional
content: The current enhanced log collection session AppleCare token. The device
returns an empty string if there's no session status to report.
examples:
title: Status item example
files:
- file: data/docc-examples/remotemanagementmodel/status/enhanced-logging.applecare-token/example1.json
@@ -0,0 +1,64 @@
title: Status Enhanced Logging
description: The status item that reports the device's enhanced log collection session
status.
payload:
statusitemtype: enhanced-logging.status
supportedOS:
iOS:
introduced: '27.0'
allowed-enrollments:
- supervised
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
macOS:
introduced: '27.0'
allowed-enrollments:
- supervised
allowed-scopes:
- user
tvOS:
introduced: '27.0'
allowed-enrollments:
- supervised
allowed-scopes:
- system
visionOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: enhanced-logging.status
title: Status item value.
type: <string>
presence: required
rangelist:
- none
- waiting-for-consent
- collecting
- follow-up-question
- upload-consent
- uploading
- finished
- failed
- cancelled
- declined
content: |-
The enhanced log collection session status, which has the following values:
- `none`: The device has never run an enhanced log collection session.
- `waiting-for-consent`: The device is waiting for the user to consent to the enhanced log collection.
- `collecting`: The enhanced log collection is in progress.
- `follow-up-question`: The device is waiting for follow-up response from the user.
- `upload-consent`: The device is waiting for the user to approve upload of the enhanced logs.
- `uploading`: The device is uploading the enhanced logs.
- `finished`: The device completed the enhanced log collection session.
- `failed`: The device failed to complete the enhanced log collection session.
- `cancelled` - The device management service cancelled the enhanced log collection session.
- `declined` - The user declined the enhanced log collection session.
examples:
title: Status item example
files:
- file: data/docc-examples/remotemanagementmodel/status/enhanced-logging.status/example1.json
@@ -0,0 +1,43 @@
title: Status Enhanced Logging Timestamp
description: The status item that reports the device's enhanced log collection session
timestamp.
payload:
statusitemtype: enhanced-logging.timestamp
supportedOS:
iOS:
introduced: '27.0'
allowed-enrollments:
- supervised
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
macOS:
introduced: '27.0'
allowed-enrollments:
- supervised
allowed-scopes:
- user
tvOS:
introduced: '27.0'
allowed-enrollments:
- supervised
allowed-scopes:
- system
visionOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: enhanced-logging.timestamp
title: Timestamp value.
type: <string>
presence: optional
content: The enhanced log collection session RFC 3339 timestamp that the device
reports for the last session status change. The device returns an empty string
if there's no session status to report.
examples:
title: Status item example
files:
- file: data/docc-examples/remotemanagementmodel/status/enhanced-logging.timestamp/example1.json
@@ -1,5 +1,5 @@
title: Status Management Client Capabilities
description: A status report of the client's protocol capabilities.
description: The status item that reports the devices's protocol capabilities.
payload:
statusitemtype: management.client-capabilities
supportedOS:
@@ -56,17 +56,17 @@ payloadkeys:
subkeytype: Capabilities
subkeys:
- key: supported-versions
title: Supported Protocol Versions
title: Supported protocol versions
type: <array>
presence: required
content: A list of protocol versions that the client supports.
subkeys:
- key: _supported-versions
title: Supported Protocol Version
title: Supported protocol version
type: <string>
content: A protocol version supported by the client.
- key: supported-features
title: Supported Features
title: Supported features
type: <dictionary>
presence: required
content: A set of optional protocol features that the client supports. Each object's
@@ -78,67 +78,71 @@ payloadkeys:
presence: optional
content: Optional protocol features supported by the client.
- key: supported-payloads
title: Supported Payloads
title: Supported payloads
type: <dictionary>
presence: required
content: A set of declaration and status items that the client supports.
subkeys:
- key: declarations
title: Supported Declarations
title: Supported declarations
type: <dictionary>
presence: required
content: A set of declarations that the client supports.
subkeys:
- key: activations
title: Supported Activations
title: Supported activations
type: <array>
presence: optional
content: An array of strings that represents the activation types that the
client supports.
subkeys:
- key: _activations
title: Activation Type
title: Activation type
type: <string>
content: Supported activation type.
- key: assets
title: Supported Assets
title: Supported assets
type: <array>
presence: optional
content: An array of strings that represents the assets that the client supports.
subkeys:
- key: _assets
title: Asset Type
title: Asset type
type: <string>
content: Supported asset type.
- key: configurations
title: Supported Configurations
title: Supported configurations
type: <array>
presence: optional
content: An array of strings that represents the configuration types that
the client supports.
subkeys:
- key: _configurations
title: Configuration Type
title: Configuration type
type: <string>
content: Supported configuration type.
- key: management
title: Supported Management Declarations
title: Supported management declarations
type: <array>
presence: optional
content: An array of strings that represents the declaration types that the
client supports.
subkeys:
- key: _management
title: Management Declaration Type
title: Management declaration type
type: <string>
content: Supported management declaration type.
- key: status-items
title: Supported Status Items
title: Supported status items
type: <array>
presence: required
content: A list of status items that the client supports.
subkeys:
- key: _status_items
title: Status Item
title: Status item
type: <string>
content: Supported status item.
examples:
title: Status item example
files:
- file: data/docc-examples/remotemanagementmodel/status/management.client-capabilities/example1.json

Some files were not shown because too many files have changed in this diff Show More