From 9468f879c31663a83ff7734d3ebf4cf4422e7c6b Mon Sep 17 00:00:00 2001 From: Cyrus Daboo Date: Mon, 8 Jun 2026 10:27:51 -0400 Subject: [PATCH] Seed1 --- CHANGES.md | 151 +++ README.md | 18 +- .../declarations/activations/simple.yaml | 13 + .../declarations/assets/credential.acme.yaml | 17 +- .../assets/credential.certificate.yaml | 16 +- .../assets/credential.identity.yaml | 17 +- .../declarations/assets/credential.scep.yaml | 17 +- .../assets/credential.userpassword.yaml | 16 +- .../declarations/assets/credentials/acme.yaml | 30 +- .../assets/credentials/identity.yaml | 6 + .../declarations/assets/credentials/scep.yaml | 26 +- .../credentials/usernameandpassword.yaml | 6 + declarative/declarations/assets/data.yaml | 16 +- .../declarations/assets/useridentity.yaml | 8 +- .../configurations/account.caldav.yaml | 17 +- .../configurations/account.carddav.yaml | 16 +- .../configurations/account.exchange.yaml | 64 +- .../configurations/account.google.yaml | 12 +- .../configurations/account.ldap.yaml | 22 +- .../configurations/account.mail.yaml | 59 +- .../account.subscribed-calendar.yaml | 11 +- .../configurations/app.managed.yaml | 140 +-- .../configurations/app.settings.yaml | 361 +++++++ .../audio-accessory.settings.yaml | 18 +- .../content-cache.settings.yaml | 328 ++++++ .../diskmanagement.settings.yaml | 19 +- .../configurations/extensible-sso.yaml | 570 ++++++++++ .../external-intelligence.settings.yaml | 15 +- .../configurations/intelligence.settings.yaml | 27 +- .../configurations/keyboard.settings.yaml | 23 +- .../configurations/legacy.interactive.yaml | 43 +- .../declarations/configurations/legacy.yaml | 64 +- .../management.status-subscriptions.yaml | 9 +- .../configurations/management.test.yaml | 14 +- .../configurations/math.settings.yaml | 22 +- .../migration-assistant.settings.yaml | 11 +- .../configurations/network.dns-proxy.yaml | 84 ++ .../configurations/network.dns-settings.yaml | 254 +++++ .../configurations/network.relay.yaml | 190 ++++ .../configurations/network.vpn.always-on.yaml | 975 ++++++++++++++++++ .../configurations/network.vpn.ikev2.yaml | 854 +++++++++++++++ .../configurations/network.vpn.ipsec.yaml | 509 +++++++++ .../network.vpn.vpn-plugin.yaml | 590 +++++++++++ .../declarations/configurations/package.yaml | 25 +- .../configurations/passcode.settings.yaml | 35 +- .../configurations/safari.bookmarks.yaml | 11 +- .../safari.extensions.settings.yaml | 33 +- .../configurations/safari.settings.yaml | 121 ++- .../screensharing.connection.group.yaml | 12 +- .../screensharing.connection.yaml | 17 +- .../screensharing.host.settings.yaml | 11 +- .../configurations/security.certificate.yaml | 7 +- .../configurations/security.identity.yaml | 7 +- .../security.passkey.attestation.yaml | 6 + .../services.background-tasks.yaml | 22 +- .../services.configuration-files.yaml | 11 +- .../configurations/siri.settings.yaml | 25 +- .../softwareupdate.enforcement.specific.yaml | 23 +- .../softwareupdate.settings.yaml | 66 +- .../configurations/watch.enrollment.yaml | 9 +- .../webcontent-filter.plugin.yaml | 280 +++++ declarative/declarations/declarationbase.yaml | 8 +- .../management/organization-info.yaml | 12 +- .../declarations/management/properties.yaml | 4 + .../management/server-capabilities.yaml | 8 +- .../protocol/declarationitemsresponse.yaml | 16 +- declarative/protocol/statusreport.yaml | 18 +- declarative/protocol/tokensresponse.yaml | 2 +- declarative/status/account.list.caldav.yaml | 20 +- declarative/status/account.list.carddav.yaml | 20 +- declarative/status/account.list.exchange.yaml | 20 +- declarative/status/account.list.google.yaml | 18 +- declarative/status/account.list.ldap.yaml | 22 +- .../status/account.list.mail.incoming.yaml | 20 +- .../status/account.list.mail.outgoing.yaml | 20 +- .../account.list.subscribed-calendar.yaml | 18 +- declarative/status/app.managed.list.yaml | 39 +- declarative/status/content-cache.info.yaml | 100 ++ declarative/status/content-cache.parents.yaml | 76 ++ declarative/status/content-cache.peers.yaml | 82 ++ declarative/status/content-cache.status.yaml | 159 +++ .../device.identifier.serial-number.yaml | 6 +- .../status/device.identifier.udid.yaml | 6 +- declarative/status/device.model.family.yaml | 6 +- .../status/device.model.identifier.yaml | 6 +- .../status/device.model.marketing-name.yaml | 6 +- declarative/status/device.model.number.yaml | 6 +- ...device.operating-system.build-version.yaml | 6 +- .../device.operating-system.family.yaml | 6 +- ...evice.operating-system.marketing-name.yaml | 7 +- ...ing-system.supplemental.build-version.yaml | 7 +- ...ing-system.supplemental.extra-version.yaml | 8 +- .../device.operating-system.version.yaml | 6 +- .../status/device.power.battery-health.yaml | 8 +- declarative/status/device.system.health.yaml | 128 +++ .../diskmanagement.filevault.enabled.yaml | 6 +- .../enhanced-logging.applecare-token.yaml | 42 + .../status/enhanced-logging.status.yaml | 64 ++ .../status/enhanced-logging.timestamp.yaml | 43 + .../management.client-capabilities.yaml | 36 +- .../status/management.declarations.yaml | 30 +- declarative/status/mdm.app.yaml | 18 +- declarative/status/mdm.enrollment-type.yaml | 67 ++ .../status/mdm.is-awaiting-configuration.yaml | 53 + .../status/mdm.is-return-to-service.yaml | 43 + declarative/status/mdm.is-shared-ipad.yaml | 35 + declarative/status/mdm.push-magic.yaml | 57 + declarative/status/mdm.push-token.yaml | 57 + .../status/migration-assistant.report.yaml | 26 +- .../status/migration-assistant.state.yaml | 10 +- declarative/status/package.list.yaml | 24 +- declarative/status/passcode.is-compliant.yaml | 6 +- declarative/status/passcode.is-present.yaml | 6 +- ...onnection.group.unresolved-connection.yaml | 22 +- .../status/security.certificate.list.yaml | 22 +- .../status/security.lockdown-mode.yaml | 39 + .../status/services.background-task.yaml | 26 +- .../softwareupdate.beta-enrollment.yaml | 6 +- .../status/softwareupdate.device-id.yaml | 6 +- .../status/softwareupdate.failure-reason.yaml | 6 +- .../status/softwareupdate.install-reason.yaml | 6 +- .../status/softwareupdate.install-state.yaml | 7 +- .../softwareupdate.pending-version.yaml | 6 +- declarative/status/statusreason.yaml | 10 +- declarative/status/test.array-value.yaml | 9 +- declarative/status/test.boolean-value.yaml | 4 + declarative/status/test.dictionary-value.yaml | 8 +- declarative/status/test.error-value.yaml | 4 + declarative/status/test.integer-value.yaml | 4 + declarative/status/test.real-value.yaml | 4 + declarative/status/test.string-value.yaml | 4 + docs/errata.md | 26 + docs/schema.md | 1 + docs/schema.yaml | 35 + .../activations/simple/example1.json | 10 + .../activations/simple/example2.json | 12 + .../assets/credential.acme/example1.json | 11 + .../credential.certificate/example1.json | 11 + .../assets/credential.identity/example1.json | 11 + .../assets/credential.scep/example1.json | 11 + .../credential.userpassword/example1.json | 11 + .../assets/credentials/acme/example1.json | 19 + .../assets/credentials/identity/example1.json | 4 + .../assets/credentials/scep/example1.json | 17 + .../usernameandpassword/example1.json | 4 + .../declarations/assets/data/example1.json | 14 + .../assets/useridentity/example1.json | 9 + .../account.caldav/example1.json | 12 + .../account.carddav/example1.json | 12 + .../account.exchange/example1.json | 18 + .../account.google/example1.json | 9 + .../configurations/account.ldap/example1.json | 16 + .../configurations/account.mail/example1.json | 20 + .../account.subscribed-calendar/example1.json | 9 + .../configurations/app.managed/example1.json | 14 + .../configurations/app.managed/example2.json | 29 + .../configurations/app.managed/example3.json | 11 + .../configurations/app.managed/example4.json | 39 + .../configurations/app.settings/example1.json | 22 + .../configurations/app.settings/example2.json | 22 + .../audio-accessory.settings/example1.json | 15 + .../content-cache.settings/example1.json | 12 + .../content-cache.settings/example2.json | 22 + .../diskmanagement.settings/example1.json | 11 + .../extensiblesso/example1.json | 17 + .../extensiblesso/example2.json | 15 + .../example1.json | 12 + .../intelligence.settings/example1.json | 29 + .../keyboard.settings/example1.json | 15 + .../legacy.interactive/example1.json | 9 + .../legacy.interactive/example2.json | 9 + .../configurations/legacy/example1.json | 8 + .../configurations/legacy/example2.json | 8 + .../example1.json | 30 + .../management.test/example1.json | 8 + .../math.settings/example1.json | 15 + .../example1.json | 18 + .../network.dns-proxy/example1.json | 15 + .../network.dns-settings/example1.json | 19 + .../network.relay/example1.json | 19 + .../network.relay/example2.json | 21 + .../network.vpn.always-on/example1.json | 27 + .../network.vpn.ikev2/example1.json | 15 + .../network.vpn.ikev2/example2.json | 22 + .../network.vpn.ipsec/example1.json | 15 + .../network.vpn.ipsec/example2.json | 13 + .../network.vpn.vpn-plugin/example1.json | 14 + .../network.vpn.vpn-plugin/example2.json | 14 + .../example1.json | 11 + .../configurations/package/example1.json | 11 + .../passcode.settings/example1.json | 11 + .../passcode.settings/example2.json | 15 + .../safari.bookmarks/example1.json | 36 + .../safari.extensions.settings/example1.json | 12 + .../safari.extensions.settings/example2.json | 15 + .../safari.extensions.settings/example3.json | 13 + .../safari.extensions.settings/example4.json | 14 + .../safari.settings/example1.json | 11 + .../safari.settings/example2.json | 14 + .../safari.settings/example3.json | 15 + .../safari.settings/example4.json | 16 + .../example1.json | 13 + .../screensharing.connection/example1.json | 13 + .../screensharing.host.settings/example1.json | 12 + .../security.certificate/example1.json | 8 + .../security.identity/example1.json | 8 + .../example1.json | 11 + .../services.background-tasks/example1.json | 16 + .../example1.json | 9 + .../siri.settings/example1.json | 11 + .../example1.json | 10 + .../softwareupdate.settings/example1.json | 24 + .../watch.enrollment/example1.json | 11 + .../organization-info/example1.json | 10 + .../management/properties/example1.json | 14 + .../server-capabilities/example1.json | 13 + .../account.configuration/example1.plist | 55 + .../account.configuration/example2.plist | 12 + .../example1.plist | 17 + .../example2.plist | 69 ++ .../example1.plist | 13 + .../example2.plist | 55 + .../example1.plist | 17 + .../example2.plist | 14 + .../application.install/example1.plist | 17 + .../application.install/example2.plist | 16 + .../application.install/example3.plist | 22 + .../application.install/example4.plist | 16 + .../application.installed.list/example1.plist | 15 + .../application.installed.list/example2.plist | 43 + .../application.installed.list/example3.plist | 15 + .../application.installed.list/example4.plist | 85 ++ .../example1.plist | 17 + .../example2.plist | 14 + .../application.managed.list/example1.plist | 13 + .../application.managed.list/example2.plist | 30 + .../application.redemptioncode/example1.plist | 17 + .../application.redemptioncode/example2.plist | 12 + .../application.remove/example1.plist | 15 + .../application.remove/example2.plist | 12 + .../application.validate/example1.plist | 13 + .../application.validate/example2.plist | 12 + .../commands/certificate.list/example1.plist | 15 + .../commands/certificate.list/example2.plist | 98 ++ .../example1.plist | 19 + .../example2.plist | 14 + .../classroom.mirroring.stop/example1.plist | 13 + .../classroom.mirroring.stop/example2.plist | 12 + .../classroom.user.delete/example1.plist | 17 + .../classroom.user.delete/example2.plist | 12 + .../classroom.user.list/example1.plist | 13 + .../classroom.user.list/example2.plist | 27 + .../classroom.user.logout/example1.plist | 13 + .../classroom.user.logout/example2.plist | 12 + .../classroom.user.unlock/example1.plist | 15 + .../classroom.user.unlock/example2.plist | 12 + .../declarativemanagement/example1.plist | 23 + .../declarativemanagement/example2.plist | 12 + .../example1.plist | 13 + .../example2.plist | 14 + .../example1.plist | 13 + .../example2.plist | 12 + .../commands/device.configured/example1.plist | 13 + .../commands/device.configured/example2.plist | 12 + .../mdm/commands/device.erase/example1.plist | 17 + .../mdm/commands/device.erase/example2.plist | 12 + .../mdm/commands/device.esim/example1.plist | 15 + .../mdm/commands/device.esim/example2.plist | 12 + .../mdm/commands/device.lock/example1.plist | 17 + .../mdm/commands/device.lock/example2.plist | 14 + .../device.lostmode.disable/example1.plist | 13 + .../device.lostmode.disable/example2.plist | 12 + .../device.lostmode.enable/example1.plist | 19 + .../device.lostmode.enable/example2.plist | 12 + .../device.lostmode.location/example1.plist | 13 + .../device.lostmode.location/example2.plist | 28 + .../device.lostmode.playsound/example1.plist | 13 + .../device.lostmode.playsound/example2.plist | 12 + .../commands/device.restart/example1.plist | 13 + .../commands/device.restart/example2.plist | 12 + .../example1.plist | 13 + .../example2.plist | 12 + .../device.restrictions.list/example1.plist | 15 + .../device.restrictions.list/example2.plist | 23 + .../commands/device.shutdown/example1.plist | 13 + .../commands/device.shutdown/example2.plist | 12 + .../information.device/example1.plist | 89 ++ .../information.device/example2.plist | 167 +++ .../information.security/example1.plist | 13 + .../information.security/example2.plist | 32 + .../commands/lom.devicerequest/example1.plist | 29 + .../commands/lom.devicerequest/example2.plist | 21 + .../commands/lom.setuprequest/example1.plist | 13 + .../commands/lom.setuprequest/example2.plist | 17 + .../example1.plist | 17 + .../example2.plist | 24 + .../example1.plist | 17 + .../example2.plist | 24 + .../example1.plist | 19 + .../example2.plist | 24 + .../mdm/commands/media.install/example1.plist | 27 + .../mdm/commands/media.install/example2.plist | 20 + .../mdm/commands/media.install/example3.plist | 17 + .../mdm/commands/media.install/example4.plist | 18 + .../media.managed.list/example1.plist | 13 + .../media.managed.list/example2.plist | 29 + .../mdm/commands/media.remove/example1.plist | 12 + .../mdm/commands/media.remove/example2.plist | 12 + .../commands/passcode.clear/example1.plist | 42 + .../commands/passcode.clear/example2.plist | 12 + .../passcode.firmware.set/example1.plist | 19 + .../passcode.firmware.set/example2.plist | 17 + .../passcode.firmware.verify/example1.plist | 15 + .../passcode.firmware.verify/example2.plist | 17 + .../passcode.recovery.set/example1.plist | 13 + .../passcode.recovery.set/example2.plist | 12 + .../passcode.recovery.verify/example1.plist | 13 + .../passcode.recovery.verify/example2.plist | 14 + .../commands/profile.install/example1.plist | 41 + .../commands/profile.install/example2.plist | 12 + .../mdm/commands/profile.list/example1.plist | 15 + .../mdm/commands/profile.list/example2.plist | 82 ++ .../example1.plist | 66 ++ .../example2.plist | 12 + .../profile.provisioning.list/example1.plist | 15 + .../profile.provisioning.list/example2.plist | 23 + .../example1.plist | 15 + .../example2.plist | 12 + .../commands/profile.remove/example1.plist | 15 + .../commands/profile.remove/example2.plist | 12 + .../remotedesktop.disable/example1.plist | 13 + .../remotedesktop.disable/example2.plist | 12 + .../remotedesktop.enable/example1.plist | 13 + .../remotedesktop.enable/example2.plist | 12 + .../rotate.file.vault.key/example1.plist | 39 + .../rotate.file.vault.key/example2.plist | 29 + .../rotate.file.vault.key/example3.plist | 39 + .../rotate.file.vault.key/example4.plist | 14 + .../set.auto.admin.password/example1.plist | 34 + .../set.auto.admin.password/example2.plist | 12 + examples/mdm/commands/settings/example1.plist | 22 + examples/mdm/commands/settings/example2.plist | 21 + .../system.update.available/example1.plist | 13 + .../system.update.available/example2.plist | 37 + .../system.update.scan/example1.plist | 15 + .../system.update.scan/example2.plist | 16 + .../system.update.schedule/example1.plist | 24 + .../system.update.schedule/example2.plist | 23 + .../system.update.status/example1.plist | 13 + .../system.update.status/example2.plist | 25 + .../profiles/GlobalPreferences/example1.plist | 35 + .../example1.plist | 41 + .../example1.plist | 50 + .../com.apple.Dictionary/example1.plist | 31 + .../example1.plist | 35 + .../com.apple.DiscRecording/example1.plist | 31 + .../com.apple.MCX(Accounts)/example1.plist | 31 + .../com.apple.MCX(EnergySaver)/example1.plist | 97 ++ .../com.apple.MCX(FileVault2)/example1.plist | 31 + .../com.apple.MCX(Mobility)/example1.plist | 31 + .../com.apple.MCX(TimeServer)/example1.plist | 33 + .../com.apple.MCX(WiFi)/example1.plist | 35 + .../com.apple.MCX.FileVault2/example1.plist | 41 + .../com.apple.MCX.TimeMachine/example1.plist | 45 + .../example1.plist | 45 + .../com.apple.NSExtension/example1.plist | 41 + .../example1.plist | 47 + .../com.apple.SoftwareUpdate/example1.plist | 31 + .../example1.plist | 44 + .../example1.plist | 47 + .../com.apple.airplay.security/example1.plist | 35 + .../profiles/com.apple.airplay/example1.plist | 45 + .../com.apple.airprint/example1.plist | 42 + .../com.apple.app.lock/example1.plist | 34 + .../example1.plist | 54 + .../example1.plist | 37 + .../com.apple.appstore/example1.plist | 35 + .../profiles/com.apple.asam/example1.plist | 38 + .../example1.plist | 40 + .../com.apple.caldav.account/example1.plist | 41 + .../com.apple.carddav.account/example1.plist | 41 + .../com.apple.cellular/example1.plist | 34 + .../example1.plist | 52 + .../example1.plist | 31 + .../example1.plist | 68 ++ .../com.apple.declarations/example1.plist | 58 ++ .../profiles/com.apple.desktop/example1.plist | 33 + .../com.apple.dnsProxy.managed/example1.plist | 41 + .../profiles/com.apple.dock/example1.plist | 77 ++ .../profiles/com.apple.domains/example1.plist | 41 + .../com.apple.eas.account/example1.plist | 71 ++ .../com.apple.education/example1.plist | 203 ++++ .../com.apple.ews.account/example1.plist | 49 + .../example1.plist | 46 + .../com.apple.extensiblesso/example1.plist | 45 + .../example1.plist | 54 + .../example1.plist | 67 ++ .../com.apple.fileproviderd/example1.plist | 39 + .../profiles/com.apple.finder/example1.plist | 49 + .../example1.plist | 60 ++ .../example1.plist | 60 ++ .../profiles/com.apple.font/example1.plist | 33 + .../profiles/com.apple.gamed/example1.plist | 31 + .../example1.plist | 60 ++ .../com.apple.google-oauth/example1.plist | 35 + .../com.apple.homescreenlayout/example1.plist | 133 +++ .../com.apple.ldap.account/example1.plist | 48 + .../example1.plist | 38 + .../com.apple.loginwindow/example1.plist | 77 ++ .../mdm/profiles/com.apple.lom/example1.plist | 266 +++++ .../com.apple.mail.managed/example1.plist | 75 ++ .../com.apple.mcxMenuExtras/example1.plist | 35 + .../com.apple.mcxloginscripts/example1.plist | 42 + .../com.apple.mcxprinting/example1.plist | 71 ++ .../mdm/profiles/com.apple.mdm/example1.plist | 150 +++ .../example1.plist | 47 + .../example1.plist | 42 + .../example1.plist | 42 + .../example1.plist | 31 + .../example1.plist | 31 + .../example1.plist | 33 + .../example1.plist | 41 + .../com.apple.screensaver.user/example1.plist | 33 + .../com.apple.screensaver/example1.plist | 41 + .../example1.plist | 60 ++ .../example1.plist | 60 ++ .../example1.plist | 97 ++ .../com.apple.security.acme/example1.plist | 71 ++ .../example1.plist | 35 + .../example1.plist | 42 + .../example1.plist | 46 + .../example1.plist | 40 + .../example1.plist | 163 +++ .../com.apple.security.pem/example1.plist | 63 ++ .../com.apple.security.pkcs1/example1.plist | 54 + .../com.apple.security.pkcs12/example1.plist | 101 ++ .../com.apple.security.root/example1.plist | 75 ++ .../com.apple.security.scep/example1.plist | 72 ++ .../example1.plist | 41 + .../example1.plist | 70 ++ .../example1.plist | 33 + .../mdm/profiles/com.apple.sso/example1.plist | 46 + .../example1.plist | 35 + .../example1.plist | 46 + .../example1.plist | 33 + .../com.apple.systemmigration/example1.plist | 49 + .../example1.plist | 33 + .../example1.plist | 31 + .../example1.plist | 33 + .../example1.plist | 37 + .../example1.plist | 60 ++ .../example1.plist | 60 ++ .../com.apple.tvremote/example1.plist | 38 + .../com.apple.universalaccess/example1.plist | 31 + .../example1.plist | 191 ++++ .../example1.plist | 104 ++ .../com.apple.vpn.managed/example1.plist | 65 ++ .../com.apple.webClip.managed/example1.plist | 41 + .../example1.plist | 45 + .../com.apple.wifi.managed/example1.plist | 52 + .../com.apple.xsan.preferences/example1.plist | 47 + .../profiles/com.apple.xsan/example1.plist | 39 + .../mdm/profiles/loginwindow/example1.plist | 31 + examples/other/manifesturl/example1.plist | 39 + mdm/checkin/authenticate.yaml | 6 +- mdm/checkin/checkout.yaml | 6 +- mdm/checkin/declarativemanagement.yaml | 8 +- mdm/checkin/gettoken.yaml | 20 +- mdm/checkin/returntoservice.yaml | 19 +- mdm/checkin/tokenupdate.yaml | 12 +- mdm/commands/account.configuration.yaml | 25 +- .../application.extensions.listactive.yaml | 5 + .../application.extensions.mappings.yaml | 5 + .../application.install.enterprise.yaml | 17 +- mdm/commands/application.install.yaml | 63 +- mdm/commands/application.installed.list.yaml | 68 +- mdm/commands/application.invitetoprogram.yaml | 5 + mdm/commands/application.managed.list.yaml | 28 +- mdm/commands/application.redemptioncode.yaml | 5 + mdm/commands/application.remove.yaml | 7 +- mdm/commands/application.validate.yaml | 5 + .../cancel.enhanced.log.collection.yaml | 33 + mdm/commands/certificate.list.yaml | 8 +- mdm/commands/declarativemanagement.yaml | 5 + .../device.activationlock.bypasscode.yaml | 7 +- ...device.activationlock.clearbypasscode.yaml | 5 + mdm/commands/device.configured.yaml | 11 +- mdm/commands/device.erase.yaml | 34 +- mdm/commands/device.esim.yaml | 5 + mdm/commands/device.lock.yaml | 15 +- mdm/commands/device.lostmode.disable.yaml | 5 + mdm/commands/device.lostmode.enable.yaml | 5 + mdm/commands/device.lostmode.location.yaml | 5 + mdm/commands/device.lostmode.playsound.yaml | 5 + mdm/commands/device.restart.yaml | 16 +- .../device.restrictions.clearpassword.yaml | 5 + mdm/commands/device.restrictions.list.yaml | 14 +- mdm/commands/device.shutdown.yaml | 5 + mdm/commands/information.device.yaml | 362 +++---- mdm/commands/information.security.yaml | 65 +- mdm/commands/lom.devicerequest.yaml | 5 + mdm/commands/lom.setuprequest.yaml | 5 + .../managed.application.attributes.yaml | 44 +- .../managed.application.configuration.yaml | 9 +- .../managed.application.feedback.yaml | 5 + mdm/commands/media.install.yaml | 28 +- mdm/commands/media.managed.list.yaml | 7 +- mdm/commands/media.remove.yaml | 5 + mdm/commands/mirroring.request.yaml | 5 + mdm/commands/mirroring.stop.yaml | 5 + mdm/commands/passcode.clear.yaml | 5 + mdm/commands/passcode.firmware.set.yaml | 5 + mdm/commands/passcode.firmware.verify.yaml | 5 + mdm/commands/passcode.recovery.set.yaml | 7 +- mdm/commands/passcode.recovery.verify.yaml | 5 + mdm/commands/profile.install.yaml | 5 + mdm/commands/profile.list.yaml | 12 +- .../profile.provisioning.install.yaml | 5 + mdm/commands/profile.provisioning.list.yaml | 6 +- mdm/commands/profile.provisioning.remove.yaml | 5 + mdm/commands/profile.remove.yaml | 5 + mdm/commands/remotedesktop.disable.yaml | 5 + mdm/commands/remotedesktop.enable.yaml | 5 + mdm/commands/rotate.file.vault.key.yaml | 13 +- mdm/commands/set.auto.admin.password.yaml | 11 +- mdm/commands/settings.yaml | 155 ++- mdm/commands/system.update.available.yaml | 39 +- mdm/commands/system.update.scan.yaml | 10 +- mdm/commands/system.update.schedule.yaml | 30 +- mdm/commands/system.update.status.yaml | 36 +- .../trigger.enhanced.log.collection.yaml | 68 ++ mdm/commands/user.configured.yaml | 4 +- mdm/commands/user.delete.yaml | 14 +- mdm/commands/user.list.yaml | 33 +- mdm/commands/user.logout.yaml | 5 + mdm/commands/user.unlock.yaml | 5 + mdm/errors/unrecognized.device.yaml | 4 +- mdm/profiles/GlobalPreferences.yaml | 4 + mdm/profiles/TopLevel.yaml | 5 +- .../com.apple.ADCertificate.managed.yaml | 40 +- mdm/profiles/com.apple.AIM.account.yaml | 12 +- .../com.apple.AssetCache.managed.yaml | 35 +- mdm/profiles/com.apple.Dictionary.yaml | 4 + .../com.apple.DirectoryService.managed.yaml | 4 + mdm/profiles/com.apple.DiscRecording.yaml | 10 +- mdm/profiles/com.apple.MCX(Accounts).yaml | 4 + mdm/profiles/com.apple.MCX(EnergySaver).yaml | 4 + mdm/profiles/com.apple.MCX(FileVault2).yaml | 4 + ...lty).yaml => com.apple.MCX(Mobility).yaml} | 4 + mdm/profiles/com.apple.MCX(TimeServer).yaml | 4 + mdm/profiles/com.apple.MCX(WiFi).yaml | 4 + mdm/profiles/com.apple.MCX.FileVault2.yaml | 8 +- mdm/profiles/com.apple.MCX.TimeMachine.yaml | 4 + .../com.apple.ManagedClient.preferences.yaml | 4 + mdm/profiles/com.apple.NSExtension.yaml | 4 + .../com.apple.SetupAssistant.managed.yaml | 7 +- mdm/profiles/com.apple.ShareKitHelper.yaml | 2 +- mdm/profiles/com.apple.SoftwareUpdate.yaml | 14 +- .../com.apple.SystemConfiguration.yaml | 4 + ...pple.TCC.configuration-profile-policy.yaml | 54 +- mdm/profiles/com.apple.airplay.security.yaml | 14 +- mdm/profiles/com.apple.airplay.yaml | 15 +- mdm/profiles/com.apple.airprint.yaml | 14 +- mdm/profiles/com.apple.app.lock.yaml | 26 +- .../com.apple.applicationaccess.new.yaml | 56 +- mdm/profiles/com.apple.applicationaccess.yaml | 522 ++++++---- mdm/profiles/com.apple.appstore.yaml | 15 +- mdm/profiles/com.apple.asam.yaml | 4 + .../com.apple.associated-domains.yaml | 6 +- mdm/profiles/com.apple.caldav.account.yaml | 15 +- mdm/profiles/com.apple.carddav.account.yaml | 19 +- mdm/profiles/com.apple.cellular.yaml | 23 +- ....apple.cellularprivatenetwork.managed.yaml | 4 + .../com.apple.conferenceroomdisplay.yaml | 4 + ...e.configurationprofile.identification.yaml | 4 + mdm/profiles/com.apple.declarations.yaml | 6 +- mdm/profiles/com.apple.desktop.yaml | 4 + mdm/profiles/com.apple.dnsProxy.managed.yaml | 24 +- .../com.apple.dnsSettings.managed.yaml | 61 +- mdm/profiles/com.apple.dock.yaml | 24 +- mdm/profiles/com.apple.domains.yaml | 43 +- mdm/profiles/com.apple.eas.account.yaml | 69 +- mdm/profiles/com.apple.education.yaml | 20 +- mdm/profiles/com.apple.ews.account.yaml | 10 +- .../com.apple.extensiblesso(kerberos).yaml | 70 +- mdm/profiles/com.apple.extensiblesso.yaml | 185 ++-- ...om.apple.familycontrols.contentfilter.yaml | 6 +- ...om.apple.familycontrols.timelimits.v2.yaml | 4 + mdm/profiles/com.apple.fileproviderd.yaml | 8 +- mdm/profiles/com.apple.finder.yaml | 4 + ...com.apple.firstactiveethernet.managed.yaml | 10 +- .../com.apple.firstethernet.managed.yaml | 10 +- mdm/profiles/com.apple.font.yaml | 12 +- mdm/profiles/com.apple.gamed.yaml | 4 + .../com.apple.globalethernet.managed.yaml | 10 +- mdm/profiles/com.apple.google-oauth.yaml | 17 +- mdm/profiles/com.apple.homescreenlayout.yaml | 10 +- mdm/profiles/com.apple.jabber.account.yaml | 12 +- mdm/profiles/com.apple.ldap.account.yaml | 21 +- .../com.apple.loginitems.managed.yaml | 4 + mdm/profiles/com.apple.loginwindow.yaml | 23 +- mdm/profiles/com.apple.lom.yaml | 8 +- mdm/profiles/com.apple.mail.managed.yaml | 47 +- mdm/profiles/com.apple.mcxMenuExtras.yaml | 4 + mdm/profiles/com.apple.mcxloginscripts.yaml | 4 + mdm/profiles/com.apple.mcxprinting.yaml | 4 + mdm/profiles/com.apple.mdm.yaml | 44 +- ...com.apple.mobiledevice.passwordpolicy.yaml | 36 +- mdm/profiles/com.apple.networkusagerules.yaml | 4 + .../com.apple.notificationsettings.yaml | 74 +- mdm/profiles/com.apple.osxserver.account.yaml | 16 +- .../com.apple.preference.security.yaml | 4 + mdm/profiles/com.apple.preferences.users.yaml | 4 + .../com.apple.profileRemovalPassword.yaml | 6 +- mdm/profiles/com.apple.proxy.http.global.yaml | 18 +- mdm/profiles/com.apple.relay.managed.yaml | 44 +- mdm/profiles/com.apple.screensaver.user.yaml | 4 + mdm/profiles/com.apple.screensaver.yaml | 17 +- ...om.apple.secondactiveethernet.managed.yaml | 10 +- .../com.apple.secondethernet.managed.yaml | 10 +- ...m.apple.security.FDERecoveryKeyEscrow.yaml | 4 + ...om.apple.security.FDERecoveryRedirect.yaml | 6 +- mdm/profiles/com.apple.security.acme.yaml | 41 +- ....apple.security.certificatepreference.yaml | 4 + ....apple.security.certificaterevocation.yaml | 6 +- ...pple.security.certificatetransparency.yaml | 8 +- mdm/profiles/com.apple.security.firewall.yaml | 15 +- ...com.apple.security.identitypreference.yaml | 4 + mdm/profiles/com.apple.security.pem.yaml | 8 +- mdm/profiles/com.apple.security.pkcs1.yaml | 8 +- mdm/profiles/com.apple.security.pkcs12.yaml | 13 +- mdm/profiles/com.apple.security.root.yaml | 8 +- mdm/profiles/com.apple.security.scep.yaml | 38 +- .../com.apple.security.smartcard.yaml | 23 +- mdm/profiles/com.apple.servicemanagement.yaml | 10 +- .../com.apple.shareddeviceconfiguration.yaml | 8 +- mdm/profiles/com.apple.sso.yaml | 4 + .../com.apple.subscribedcalendar.account.yaml | 5 +- ...ple.syspolicy.kernel-extension-policy.yaml | 10 +- .../com.apple.system-extension-policy.yaml | 19 +- mdm/profiles/com.apple.system.logging.yaml | 58 -- mdm/profiles/com.apple.systemmigration.yaml | 4 + .../com.apple.systempolicy.control.yaml | 4 + .../com.apple.systempolicy.managed.yaml | 4 + mdm/profiles/com.apple.systempolicy.rule.yaml | 12 +- mdm/profiles/com.apple.systempreferences.yaml | 6 +- mdm/profiles/com.apple.systemuiserver.yaml | 2 +- ...com.apple.thirdactiveethernet.managed.yaml | 10 +- .../com.apple.thirdethernet.managed.yaml | 10 +- mdm/profiles/com.apple.tvremote.yaml | 4 + mdm/profiles/com.apple.universalaccess.yaml | 4 + .../com.apple.vpn.managed.applayer.yaml | 22 +- .../com.apple.vpn.managed.appmapping.yaml | 4 + mdm/profiles/com.apple.vpn.managed.yaml | 407 ++++---- mdm/profiles/com.apple.webClip.managed.yaml | 18 +- mdm/profiles/com.apple.webcontent-filter.yaml | 40 +- mdm/profiles/com.apple.wifi.managed.yaml | 84 +- mdm/profiles/com.apple.xsan.preferences.yaml | 4 + mdm/profiles/com.apple.xsan.yaml | 6 +- mdm/profiles/loginwindow.yaml | 4 + other/esso.yaml | 16 +- other/machineinfo.yaml | 61 +- other/manifesturl.yaml | 43 +- other/skipkeys.yaml | 47 +- 664 files changed, 20746 insertions(+), 2407 deletions(-) create mode 100644 CHANGES.md create mode 100644 declarative/declarations/configurations/app.settings.yaml create mode 100644 declarative/declarations/configurations/content-cache.settings.yaml create mode 100644 declarative/declarations/configurations/extensible-sso.yaml create mode 100644 declarative/declarations/configurations/network.dns-proxy.yaml create mode 100644 declarative/declarations/configurations/network.dns-settings.yaml create mode 100644 declarative/declarations/configurations/network.relay.yaml create mode 100644 declarative/declarations/configurations/network.vpn.always-on.yaml create mode 100644 declarative/declarations/configurations/network.vpn.ikev2.yaml create mode 100644 declarative/declarations/configurations/network.vpn.ipsec.yaml create mode 100644 declarative/declarations/configurations/network.vpn.vpn-plugin.yaml create mode 100644 declarative/declarations/configurations/webcontent-filter.plugin.yaml create mode 100644 declarative/status/content-cache.info.yaml create mode 100644 declarative/status/content-cache.parents.yaml create mode 100644 declarative/status/content-cache.peers.yaml create mode 100644 declarative/status/content-cache.status.yaml create mode 100644 declarative/status/device.system.health.yaml create mode 100644 declarative/status/enhanced-logging.applecare-token.yaml create mode 100644 declarative/status/enhanced-logging.status.yaml create mode 100644 declarative/status/enhanced-logging.timestamp.yaml create mode 100644 declarative/status/mdm.enrollment-type.yaml create mode 100644 declarative/status/mdm.is-awaiting-configuration.yaml create mode 100644 declarative/status/mdm.is-return-to-service.yaml create mode 100644 declarative/status/mdm.is-shared-ipad.yaml create mode 100644 declarative/status/mdm.push-magic.yaml create mode 100644 declarative/status/mdm.push-token.yaml create mode 100644 declarative/status/security.lockdown-mode.yaml create mode 100644 examples/declarative/declarations/activations/simple/example1.json create mode 100644 examples/declarative/declarations/activations/simple/example2.json create mode 100644 examples/declarative/declarations/assets/credential.acme/example1.json create mode 100644 examples/declarative/declarations/assets/credential.certificate/example1.json create mode 100644 examples/declarative/declarations/assets/credential.identity/example1.json create mode 100644 examples/declarative/declarations/assets/credential.scep/example1.json create mode 100644 examples/declarative/declarations/assets/credential.userpassword/example1.json create mode 100644 examples/declarative/declarations/assets/credentials/acme/example1.json create mode 100644 examples/declarative/declarations/assets/credentials/identity/example1.json create mode 100644 examples/declarative/declarations/assets/credentials/scep/example1.json create mode 100644 examples/declarative/declarations/assets/credentials/usernameandpassword/example1.json create mode 100644 examples/declarative/declarations/assets/data/example1.json create mode 100644 examples/declarative/declarations/assets/useridentity/example1.json create mode 100644 examples/declarative/declarations/configurations/account.caldav/example1.json create mode 100644 examples/declarative/declarations/configurations/account.carddav/example1.json create mode 100644 examples/declarative/declarations/configurations/account.exchange/example1.json create mode 100644 examples/declarative/declarations/configurations/account.google/example1.json create mode 100644 examples/declarative/declarations/configurations/account.ldap/example1.json create mode 100644 examples/declarative/declarations/configurations/account.mail/example1.json create mode 100644 examples/declarative/declarations/configurations/account.subscribed-calendar/example1.json create mode 100644 examples/declarative/declarations/configurations/app.managed/example1.json create mode 100644 examples/declarative/declarations/configurations/app.managed/example2.json create mode 100644 examples/declarative/declarations/configurations/app.managed/example3.json create mode 100644 examples/declarative/declarations/configurations/app.managed/example4.json create mode 100644 examples/declarative/declarations/configurations/app.settings/example1.json create mode 100644 examples/declarative/declarations/configurations/app.settings/example2.json create mode 100644 examples/declarative/declarations/configurations/audio-accessory.settings/example1.json create mode 100644 examples/declarative/declarations/configurations/content-cache.settings/example1.json create mode 100644 examples/declarative/declarations/configurations/content-cache.settings/example2.json create mode 100644 examples/declarative/declarations/configurations/diskmanagement.settings/example1.json create mode 100644 examples/declarative/declarations/configurations/extensiblesso/example1.json create mode 100644 examples/declarative/declarations/configurations/extensiblesso/example2.json create mode 100644 examples/declarative/declarations/configurations/external-intelligence.settings/example1.json create mode 100644 examples/declarative/declarations/configurations/intelligence.settings/example1.json create mode 100644 examples/declarative/declarations/configurations/keyboard.settings/example1.json create mode 100644 examples/declarative/declarations/configurations/legacy.interactive/example1.json create mode 100644 examples/declarative/declarations/configurations/legacy.interactive/example2.json create mode 100644 examples/declarative/declarations/configurations/legacy/example1.json create mode 100644 examples/declarative/declarations/configurations/legacy/example2.json create mode 100644 examples/declarative/declarations/configurations/management.status-subscriptions/example1.json create mode 100644 examples/declarative/declarations/configurations/management.test/example1.json create mode 100644 examples/declarative/declarations/configurations/math.settings/example1.json create mode 100644 examples/declarative/declarations/configurations/migration-assistant.settings/example1.json create mode 100644 examples/declarative/declarations/configurations/network.dns-proxy/example1.json create mode 100644 examples/declarative/declarations/configurations/network.dns-settings/example1.json create mode 100644 examples/declarative/declarations/configurations/network.relay/example1.json create mode 100644 examples/declarative/declarations/configurations/network.relay/example2.json create mode 100644 examples/declarative/declarations/configurations/network.vpn.always-on/example1.json create mode 100644 examples/declarative/declarations/configurations/network.vpn.ikev2/example1.json create mode 100644 examples/declarative/declarations/configurations/network.vpn.ikev2/example2.json create mode 100644 examples/declarative/declarations/configurations/network.vpn.ipsec/example1.json create mode 100644 examples/declarative/declarations/configurations/network.vpn.ipsec/example2.json create mode 100644 examples/declarative/declarations/configurations/network.vpn.vpn-plugin/example1.json create mode 100644 examples/declarative/declarations/configurations/network.vpn.vpn-plugin/example2.json create mode 100644 examples/declarative/declarations/configurations/network.webcontent-filter.plugin/example1.json create mode 100644 examples/declarative/declarations/configurations/package/example1.json create mode 100644 examples/declarative/declarations/configurations/passcode.settings/example1.json create mode 100644 examples/declarative/declarations/configurations/passcode.settings/example2.json create mode 100644 examples/declarative/declarations/configurations/safari.bookmarks/example1.json create mode 100644 examples/declarative/declarations/configurations/safari.extensions.settings/example1.json create mode 100644 examples/declarative/declarations/configurations/safari.extensions.settings/example2.json create mode 100644 examples/declarative/declarations/configurations/safari.extensions.settings/example3.json create mode 100644 examples/declarative/declarations/configurations/safari.extensions.settings/example4.json create mode 100644 examples/declarative/declarations/configurations/safari.settings/example1.json create mode 100644 examples/declarative/declarations/configurations/safari.settings/example2.json create mode 100644 examples/declarative/declarations/configurations/safari.settings/example3.json create mode 100644 examples/declarative/declarations/configurations/safari.settings/example4.json create mode 100644 examples/declarative/declarations/configurations/screensharing.connection.group/example1.json create mode 100644 examples/declarative/declarations/configurations/screensharing.connection/example1.json create mode 100644 examples/declarative/declarations/configurations/screensharing.host.settings/example1.json create mode 100644 examples/declarative/declarations/configurations/security.certificate/example1.json create mode 100644 examples/declarative/declarations/configurations/security.identity/example1.json create mode 100644 examples/declarative/declarations/configurations/security.passkey.attestation/example1.json create mode 100644 examples/declarative/declarations/configurations/services.background-tasks/example1.json create mode 100644 examples/declarative/declarations/configurations/services.configuration-files/example1.json create mode 100644 examples/declarative/declarations/configurations/siri.settings/example1.json create mode 100644 examples/declarative/declarations/configurations/softwareupdate.enforcement.specific/example1.json create mode 100644 examples/declarative/declarations/configurations/softwareupdate.settings/example1.json create mode 100644 examples/declarative/declarations/configurations/watch.enrollment/example1.json create mode 100644 examples/declarative/declarations/management/organization-info/example1.json create mode 100644 examples/declarative/declarations/management/properties/example1.json create mode 100644 examples/declarative/declarations/management/server-capabilities/example1.json create mode 100644 examples/mdm/commands/account.configuration/example1.plist create mode 100644 examples/mdm/commands/account.configuration/example2.plist create mode 100644 examples/mdm/commands/application.extensions.listactive/example1.plist create mode 100644 examples/mdm/commands/application.extensions.listactive/example2.plist create mode 100644 examples/mdm/commands/application.extensions.mappings/example1.plist create mode 100644 examples/mdm/commands/application.extensions.mappings/example2.plist create mode 100644 examples/mdm/commands/application.install.enterprise/example1.plist create mode 100644 examples/mdm/commands/application.install.enterprise/example2.plist create mode 100644 examples/mdm/commands/application.install/example1.plist create mode 100644 examples/mdm/commands/application.install/example2.plist create mode 100644 examples/mdm/commands/application.install/example3.plist create mode 100644 examples/mdm/commands/application.install/example4.plist create mode 100644 examples/mdm/commands/application.installed.list/example1.plist create mode 100644 examples/mdm/commands/application.installed.list/example2.plist create mode 100644 examples/mdm/commands/application.installed.list/example3.plist create mode 100644 examples/mdm/commands/application.installed.list/example4.plist create mode 100644 examples/mdm/commands/application.invitetoprogram/example1.plist create mode 100644 examples/mdm/commands/application.invitetoprogram/example2.plist create mode 100644 examples/mdm/commands/application.managed.list/example1.plist create mode 100644 examples/mdm/commands/application.managed.list/example2.plist create mode 100644 examples/mdm/commands/application.redemptioncode/example1.plist create mode 100644 examples/mdm/commands/application.redemptioncode/example2.plist create mode 100644 examples/mdm/commands/application.remove/example1.plist create mode 100644 examples/mdm/commands/application.remove/example2.plist create mode 100644 examples/mdm/commands/application.validate/example1.plist create mode 100644 examples/mdm/commands/application.validate/example2.plist create mode 100644 examples/mdm/commands/certificate.list/example1.plist create mode 100644 examples/mdm/commands/certificate.list/example2.plist create mode 100644 examples/mdm/commands/classroom.mirroring.request/example1.plist create mode 100644 examples/mdm/commands/classroom.mirroring.request/example2.plist create mode 100644 examples/mdm/commands/classroom.mirroring.stop/example1.plist create mode 100644 examples/mdm/commands/classroom.mirroring.stop/example2.plist create mode 100644 examples/mdm/commands/classroom.user.delete/example1.plist create mode 100644 examples/mdm/commands/classroom.user.delete/example2.plist create mode 100644 examples/mdm/commands/classroom.user.list/example1.plist create mode 100644 examples/mdm/commands/classroom.user.list/example2.plist create mode 100644 examples/mdm/commands/classroom.user.logout/example1.plist create mode 100644 examples/mdm/commands/classroom.user.logout/example2.plist create mode 100644 examples/mdm/commands/classroom.user.unlock/example1.plist create mode 100644 examples/mdm/commands/classroom.user.unlock/example2.plist create mode 100644 examples/mdm/commands/declarativemanagement/example1.plist create mode 100644 examples/mdm/commands/declarativemanagement/example2.plist create mode 100644 examples/mdm/commands/device.activationlock.bypasscode/example1.plist create mode 100644 examples/mdm/commands/device.activationlock.bypasscode/example2.plist create mode 100644 examples/mdm/commands/device.activationlock.clearbypasscode/example1.plist create mode 100644 examples/mdm/commands/device.activationlock.clearbypasscode/example2.plist create mode 100644 examples/mdm/commands/device.configured/example1.plist create mode 100644 examples/mdm/commands/device.configured/example2.plist create mode 100644 examples/mdm/commands/device.erase/example1.plist create mode 100644 examples/mdm/commands/device.erase/example2.plist create mode 100644 examples/mdm/commands/device.esim/example1.plist create mode 100644 examples/mdm/commands/device.esim/example2.plist create mode 100644 examples/mdm/commands/device.lock/example1.plist create mode 100644 examples/mdm/commands/device.lock/example2.plist create mode 100644 examples/mdm/commands/device.lostmode.disable/example1.plist create mode 100644 examples/mdm/commands/device.lostmode.disable/example2.plist create mode 100644 examples/mdm/commands/device.lostmode.enable/example1.plist create mode 100644 examples/mdm/commands/device.lostmode.enable/example2.plist create mode 100644 examples/mdm/commands/device.lostmode.location/example1.plist create mode 100644 examples/mdm/commands/device.lostmode.location/example2.plist create mode 100644 examples/mdm/commands/device.lostmode.playsound/example1.plist create mode 100644 examples/mdm/commands/device.lostmode.playsound/example2.plist create mode 100644 examples/mdm/commands/device.restart/example1.plist create mode 100644 examples/mdm/commands/device.restart/example2.plist create mode 100644 examples/mdm/commands/device.restrictions.clearpassword/example1.plist create mode 100644 examples/mdm/commands/device.restrictions.clearpassword/example2.plist create mode 100644 examples/mdm/commands/device.restrictions.list/example1.plist create mode 100644 examples/mdm/commands/device.restrictions.list/example2.plist create mode 100644 examples/mdm/commands/device.shutdown/example1.plist create mode 100644 examples/mdm/commands/device.shutdown/example2.plist create mode 100644 examples/mdm/commands/information.device/example1.plist create mode 100644 examples/mdm/commands/information.device/example2.plist create mode 100644 examples/mdm/commands/information.security/example1.plist create mode 100644 examples/mdm/commands/information.security/example2.plist create mode 100644 examples/mdm/commands/lom.devicerequest/example1.plist create mode 100644 examples/mdm/commands/lom.devicerequest/example2.plist create mode 100644 examples/mdm/commands/lom.setuprequest/example1.plist create mode 100644 examples/mdm/commands/lom.setuprequest/example2.plist create mode 100644 examples/mdm/commands/managed.application.attributes/example1.plist create mode 100644 examples/mdm/commands/managed.application.attributes/example2.plist create mode 100644 examples/mdm/commands/managed.application.configuration/example1.plist create mode 100644 examples/mdm/commands/managed.application.configuration/example2.plist create mode 100644 examples/mdm/commands/managed.application.feedback/example1.plist create mode 100644 examples/mdm/commands/managed.application.feedback/example2.plist create mode 100644 examples/mdm/commands/media.install/example1.plist create mode 100644 examples/mdm/commands/media.install/example2.plist create mode 100644 examples/mdm/commands/media.install/example3.plist create mode 100644 examples/mdm/commands/media.install/example4.plist create mode 100644 examples/mdm/commands/media.managed.list/example1.plist create mode 100644 examples/mdm/commands/media.managed.list/example2.plist create mode 100644 examples/mdm/commands/media.remove/example1.plist create mode 100644 examples/mdm/commands/media.remove/example2.plist create mode 100644 examples/mdm/commands/passcode.clear/example1.plist create mode 100644 examples/mdm/commands/passcode.clear/example2.plist create mode 100644 examples/mdm/commands/passcode.firmware.set/example1.plist create mode 100644 examples/mdm/commands/passcode.firmware.set/example2.plist create mode 100644 examples/mdm/commands/passcode.firmware.verify/example1.plist create mode 100644 examples/mdm/commands/passcode.firmware.verify/example2.plist create mode 100644 examples/mdm/commands/passcode.recovery.set/example1.plist create mode 100644 examples/mdm/commands/passcode.recovery.set/example2.plist create mode 100644 examples/mdm/commands/passcode.recovery.verify/example1.plist create mode 100644 examples/mdm/commands/passcode.recovery.verify/example2.plist create mode 100644 examples/mdm/commands/profile.install/example1.plist create mode 100644 examples/mdm/commands/profile.install/example2.plist create mode 100644 examples/mdm/commands/profile.list/example1.plist create mode 100644 examples/mdm/commands/profile.list/example2.plist create mode 100644 examples/mdm/commands/profile.provisioning.install/example1.plist create mode 100644 examples/mdm/commands/profile.provisioning.install/example2.plist create mode 100644 examples/mdm/commands/profile.provisioning.list/example1.plist create mode 100644 examples/mdm/commands/profile.provisioning.list/example2.plist create mode 100644 examples/mdm/commands/profile.provisioning.remove/example1.plist create mode 100644 examples/mdm/commands/profile.provisioning.remove/example2.plist create mode 100644 examples/mdm/commands/profile.remove/example1.plist create mode 100644 examples/mdm/commands/profile.remove/example2.plist create mode 100644 examples/mdm/commands/remotedesktop.disable/example1.plist create mode 100644 examples/mdm/commands/remotedesktop.disable/example2.plist create mode 100644 examples/mdm/commands/remotedesktop.enable/example1.plist create mode 100644 examples/mdm/commands/remotedesktop.enable/example2.plist create mode 100644 examples/mdm/commands/rotate.file.vault.key/example1.plist create mode 100644 examples/mdm/commands/rotate.file.vault.key/example2.plist create mode 100644 examples/mdm/commands/rotate.file.vault.key/example3.plist create mode 100644 examples/mdm/commands/rotate.file.vault.key/example4.plist create mode 100644 examples/mdm/commands/set.auto.admin.password/example1.plist create mode 100644 examples/mdm/commands/set.auto.admin.password/example2.plist create mode 100644 examples/mdm/commands/settings/example1.plist create mode 100644 examples/mdm/commands/settings/example2.plist create mode 100644 examples/mdm/commands/system.update.available/example1.plist create mode 100644 examples/mdm/commands/system.update.available/example2.plist create mode 100644 examples/mdm/commands/system.update.scan/example1.plist create mode 100644 examples/mdm/commands/system.update.scan/example2.plist create mode 100644 examples/mdm/commands/system.update.schedule/example1.plist create mode 100644 examples/mdm/commands/system.update.schedule/example2.plist create mode 100644 examples/mdm/commands/system.update.status/example1.plist create mode 100644 examples/mdm/commands/system.update.status/example2.plist create mode 100644 examples/mdm/profiles/GlobalPreferences/example1.plist create mode 100644 examples/mdm/profiles/com.apple.ADCertificate.managed/example1.plist create mode 100644 examples/mdm/profiles/com.apple.AssetCache.managed/example1.plist create mode 100644 examples/mdm/profiles/com.apple.Dictionary/example1.plist create mode 100644 examples/mdm/profiles/com.apple.DirectoryService.managed/example1.plist create mode 100644 examples/mdm/profiles/com.apple.DiscRecording/example1.plist create mode 100644 examples/mdm/profiles/com.apple.MCX(Accounts)/example1.plist create mode 100644 examples/mdm/profiles/com.apple.MCX(EnergySaver)/example1.plist create mode 100644 examples/mdm/profiles/com.apple.MCX(FileVault2)/example1.plist create mode 100644 examples/mdm/profiles/com.apple.MCX(Mobility)/example1.plist create mode 100644 examples/mdm/profiles/com.apple.MCX(TimeServer)/example1.plist create mode 100644 examples/mdm/profiles/com.apple.MCX(WiFi)/example1.plist create mode 100644 examples/mdm/profiles/com.apple.MCX.FileVault2/example1.plist create mode 100644 examples/mdm/profiles/com.apple.MCX.TimeMachine/example1.plist create mode 100644 examples/mdm/profiles/com.apple.ManagedClient.preferences/example1.plist create mode 100644 examples/mdm/profiles/com.apple.NSExtension/example1.plist create mode 100644 examples/mdm/profiles/com.apple.SetupAssistant.managed/example1.plist create mode 100644 examples/mdm/profiles/com.apple.SoftwareUpdate/example1.plist create mode 100644 examples/mdm/profiles/com.apple.SystemConfiguration/example1.plist create mode 100644 examples/mdm/profiles/com.apple.TCC.configuration-profile-policy/example1.plist create mode 100644 examples/mdm/profiles/com.apple.airplay.security/example1.plist create mode 100644 examples/mdm/profiles/com.apple.airplay/example1.plist create mode 100644 examples/mdm/profiles/com.apple.airprint/example1.plist create mode 100644 examples/mdm/profiles/com.apple.app.lock/example1.plist create mode 100644 examples/mdm/profiles/com.apple.applicationaccess.new/example1.plist create mode 100644 examples/mdm/profiles/com.apple.applicationaccess/example1.plist create mode 100644 examples/mdm/profiles/com.apple.appstore/example1.plist create mode 100644 examples/mdm/profiles/com.apple.asam/example1.plist create mode 100644 examples/mdm/profiles/com.apple.associated-domains/example1.plist create mode 100644 examples/mdm/profiles/com.apple.caldav.account/example1.plist create mode 100644 examples/mdm/profiles/com.apple.carddav.account/example1.plist create mode 100644 examples/mdm/profiles/com.apple.cellular/example1.plist create mode 100644 examples/mdm/profiles/com.apple.cellularprivatenetwork.managed/example1.plist create mode 100644 examples/mdm/profiles/com.apple.conferenceroomdisplay/example1.plist create mode 100644 examples/mdm/profiles/com.apple.configurationprofile.identification/example1.plist create mode 100644 examples/mdm/profiles/com.apple.declarations/example1.plist create mode 100644 examples/mdm/profiles/com.apple.desktop/example1.plist create mode 100644 examples/mdm/profiles/com.apple.dnsProxy.managed/example1.plist create mode 100644 examples/mdm/profiles/com.apple.dock/example1.plist create mode 100644 examples/mdm/profiles/com.apple.domains/example1.plist create mode 100644 examples/mdm/profiles/com.apple.eas.account/example1.plist create mode 100644 examples/mdm/profiles/com.apple.education/example1.plist create mode 100644 examples/mdm/profiles/com.apple.ews.account/example1.plist create mode 100644 examples/mdm/profiles/com.apple.extensiblesso(kerberos)/example1.plist create mode 100644 examples/mdm/profiles/com.apple.extensiblesso/example1.plist create mode 100644 examples/mdm/profiles/com.apple.familycontrols.contentfilter/example1.plist create mode 100644 examples/mdm/profiles/com.apple.familycontrols.timelimits.v2/example1.plist create mode 100644 examples/mdm/profiles/com.apple.fileproviderd/example1.plist create mode 100644 examples/mdm/profiles/com.apple.finder/example1.plist create mode 100644 examples/mdm/profiles/com.apple.firstactiveethernet.managed/example1.plist create mode 100644 examples/mdm/profiles/com.apple.firstethernet.managed/example1.plist create mode 100644 examples/mdm/profiles/com.apple.font/example1.plist create mode 100644 examples/mdm/profiles/com.apple.gamed/example1.plist create mode 100644 examples/mdm/profiles/com.apple.globalethernet.managed/example1.plist create mode 100644 examples/mdm/profiles/com.apple.google-oauth/example1.plist create mode 100644 examples/mdm/profiles/com.apple.homescreenlayout/example1.plist create mode 100644 examples/mdm/profiles/com.apple.ldap.account/example1.plist create mode 100644 examples/mdm/profiles/com.apple.loginitems.managed/example1.plist create mode 100644 examples/mdm/profiles/com.apple.loginwindow/example1.plist create mode 100644 examples/mdm/profiles/com.apple.lom/example1.plist create mode 100644 examples/mdm/profiles/com.apple.mail.managed/example1.plist create mode 100644 examples/mdm/profiles/com.apple.mcxMenuExtras/example1.plist create mode 100644 examples/mdm/profiles/com.apple.mcxloginscripts/example1.plist create mode 100644 examples/mdm/profiles/com.apple.mcxprinting/example1.plist create mode 100644 examples/mdm/profiles/com.apple.mdm/example1.plist create mode 100644 examples/mdm/profiles/com.apple.mobiledevice.passwordpolicy/example1.plist create mode 100644 examples/mdm/profiles/com.apple.networkusagerules/example1.plist create mode 100644 examples/mdm/profiles/com.apple.notificationsettings/example1.plist create mode 100644 examples/mdm/profiles/com.apple.preference.security/example1.plist create mode 100644 examples/mdm/profiles/com.apple.preferences.users/example1.plist create mode 100644 examples/mdm/profiles/com.apple.profileRemovalPassword/example1.plist create mode 100644 examples/mdm/profiles/com.apple.proxy.http.global/example1.plist create mode 100644 examples/mdm/profiles/com.apple.screensaver.user/example1.plist create mode 100644 examples/mdm/profiles/com.apple.screensaver/example1.plist create mode 100644 examples/mdm/profiles/com.apple.secondactiveethernet.managed/example1.plist create mode 100644 examples/mdm/profiles/com.apple.secondethernet.managed/example1.plist create mode 100644 examples/mdm/profiles/com.apple.security.FDERecoveryKeyEscrow/example1.plist create mode 100644 examples/mdm/profiles/com.apple.security.acme/example1.plist create mode 100644 examples/mdm/profiles/com.apple.security.certificatepreference/example1.plist create mode 100644 examples/mdm/profiles/com.apple.security.certificaterevocation/example1.plist create mode 100644 examples/mdm/profiles/com.apple.security.certificatetransparency/example1.plist create mode 100644 examples/mdm/profiles/com.apple.security.firewall/example1.plist create mode 100644 examples/mdm/profiles/com.apple.security.identitypreference/example1.plist create mode 100644 examples/mdm/profiles/com.apple.security.pem/example1.plist create mode 100644 examples/mdm/profiles/com.apple.security.pkcs1/example1.plist create mode 100644 examples/mdm/profiles/com.apple.security.pkcs12/example1.plist create mode 100644 examples/mdm/profiles/com.apple.security.root/example1.plist create mode 100644 examples/mdm/profiles/com.apple.security.scep/example1.plist create mode 100644 examples/mdm/profiles/com.apple.security.smartcard/example1.plist create mode 100644 examples/mdm/profiles/com.apple.servicemanagement/example1.plist create mode 100644 examples/mdm/profiles/com.apple.shareddeviceconfiguration/example1.plist create mode 100644 examples/mdm/profiles/com.apple.sso/example1.plist create mode 100644 examples/mdm/profiles/com.apple.subscribedcalendar.account/example1.plist create mode 100644 examples/mdm/profiles/com.apple.syspolicy.kernel-extension-policy/example1.plist create mode 100644 examples/mdm/profiles/com.apple.system-extension-policy/example1.plist create mode 100644 examples/mdm/profiles/com.apple.systemmigration/example1.plist create mode 100644 examples/mdm/profiles/com.apple.systempolicy.control/example1.plist create mode 100644 examples/mdm/profiles/com.apple.systempolicy.managed/example1.plist create mode 100644 examples/mdm/profiles/com.apple.systempolicy.rule/example1.plist create mode 100644 examples/mdm/profiles/com.apple.systempreferences/example1.plist create mode 100644 examples/mdm/profiles/com.apple.thirdactiveethernet.managed/example1.plist create mode 100644 examples/mdm/profiles/com.apple.thirdethernet.managed/example1.plist create mode 100644 examples/mdm/profiles/com.apple.tvremote/example1.plist create mode 100644 examples/mdm/profiles/com.apple.universalaccess/example1.plist create mode 100644 examples/mdm/profiles/com.apple.vpn.managed.applayer/example1.plist create mode 100644 examples/mdm/profiles/com.apple.vpn.managed.appmapping/example1.plist create mode 100644 examples/mdm/profiles/com.apple.vpn.managed/example1.plist create mode 100644 examples/mdm/profiles/com.apple.webClip.managed/example1.plist create mode 100644 examples/mdm/profiles/com.apple.webcontent-filter/example1.plist create mode 100644 examples/mdm/profiles/com.apple.wifi.managed/example1.plist create mode 100644 examples/mdm/profiles/com.apple.xsan.preferences/example1.plist create mode 100644 examples/mdm/profiles/com.apple.xsan/example1.plist create mode 100644 examples/mdm/profiles/loginwindow/example1.plist create mode 100644 examples/other/manifesturl/example1.plist create mode 100644 mdm/commands/cancel.enhanced.log.collection.yaml create mode 100644 mdm/commands/trigger.enhanced.log.collection.yaml rename mdm/profiles/{com.apple.MCX(Mobililty).yaml => com.apple.MCX(Mobility).yaml} (94%) delete mode 100644 mdm/profiles/com.apple.system.logging.yaml diff --git a/CHANGES.md b/CHANGES.md new file mode 100644 index 0000000..703d295 --- /dev/null +++ b/CHANGES.md @@ -0,0 +1,151 @@ +# Changes + +Significant changes in this release. + +--- + +## declarative/declarations/configurations + +### New Objects + +- New: declarative/declarations/configurations/app.settings.yaml +- New: declarative/declarations/configurations/content-cache.settings.yaml +- New: declarative/declarations/configurations/extensible-sso.yaml +- New: declarative/declarations/configurations/network.dns-proxy.yaml +- New: declarative/declarations/configurations/network.dns-settings.yaml +- New: declarative/declarations/configurations/network.relay.yaml +- New: declarative/declarations/configurations/network.vpn.always-on.yaml +- New: declarative/declarations/configurations/network.vpn.ikev2.yaml +- New: declarative/declarations/configurations/network.vpn.ipsec.yaml +- New: declarative/declarations/configurations/network.vpn.vpn-plugin.yaml +- New: declarative/declarations/configurations/webcontent-filter.plugin.yaml + +### New Payload Keys + +- New: declarative/declarations/configurations/intelligence.settings.yaml/Apps/Calendar +- New: declarative/declarations/configurations/legacy.interactive.yaml/ProfileAssetReference +- New: declarative/declarations/configurations/legacy.yaml/ProfileAssetReference +- New: declarative/declarations/configurations/package.yaml/UninstallBehavior +- New: declarative/declarations/configurations/safari.settings.yaml/Privacy + +### Objects with New OS Support + +- Changed: declarative/declarations/configurations/siri.settings.yaml [tvOS 27.0] + +### Payload Keys with New OS Support + +- Changed: declarative/declarations/configurations/app.managed.yaml/AppConfig [macOS 27.0] +- Changed: declarative/declarations/configurations/app.managed.yaml/ExtensionConfigs [macOS 27.0] +- Changed: declarative/declarations/configurations/app.managed.yaml/LegacyAppConfigAssetReference [macOS 27.0] + +--- + +## declarative/status + +### New Objects + +- New: declarative/status/content-cache.info.yaml +- New: declarative/status/content-cache.parents.yaml +- New: declarative/status/content-cache.peers.yaml +- New: declarative/status/content-cache.status.yaml +- New: declarative/status/device.system.health.yaml +- New: declarative/status/enhanced-logging.applecare-token.yaml +- New: declarative/status/enhanced-logging.status.yaml +- New: declarative/status/enhanced-logging.timestamp.yaml +- New: declarative/status/mdm.enrollment-type.yaml +- New: declarative/status/mdm.is-awaiting-configuration.yaml +- New: declarative/status/mdm.is-return-to-service.yaml +- New: declarative/status/mdm.is-shared-ipad.yaml +- New: declarative/status/mdm.push-magic.yaml +- New: declarative/status/mdm.push-token.yaml +- New: declarative/status/security.lockdown-mode.yaml + +### Payload Keys with New OS Support + +- Changed: declarative/status/app.managed.list.yaml/app.managed.list/status_value/config-state [macOS 27.0] + +--- + +## mdm/checkin + +### New Payload Keys + +- New: mdm/checkin/returntoservice.yaml/ReturnToService/ShouldRetryEnrollment + +--- + +## mdm/commands + +### New Objects + +- New: mdm/commands/cancel.enhanced.log.collection.yaml +- New: mdm/commands/trigger.enhanced.log.collection.yaml + +### New Payload Keys + +- New: mdm/commands/device.erase.yaml/ReturnToService/ShouldRetryEnrollment + +### Removed Objects + +- Removed: mdm/commands/system.update.available.yaml +- Removed: mdm/commands/system.update.scan.yaml +- Removed: mdm/commands/system.update.schedule.yaml +- Removed: mdm/commands/system.update.status.yaml + +### Removed Payload Keys + +- Removed: mdm/commands/information.device.yaml/Queries/OSUpdateSettings +- Removed: mdm/commands/information.device.yaml/Queries/SoftwareUpdateDeviceID +- Removed: mdm/commands/information.device.yaml/Queries/SoftwareUpdateSettings +- Removed: mdm/commands/information.device.yaml/QueryResponses/SoftwareUpdateDeviceID +- Removed: mdm/commands/information.device.yaml/QueryResponses/SoftwareUpdateSettings +- Removed: mdm/commands/settings.yaml/Settings/SoftwareUpdateSettings + +--- + +## mdm/profiles + +### New Payload Keys + +- New: mdm/profiles/com.apple.applicationaccess.yaml/ForceCaptivePortalConnectionFromLockScreen +- New: mdm/profiles/com.apple.applicationaccess.yaml/ForceWifiConfigurationOnLockScreen +- New: mdm/profiles/com.apple.extensiblesso.yaml/PlatformSSO/AllowWebLoginPasswordSync +- New: mdm/profiles/com.apple.extensiblesso.yaml/PlatformSSO/WebLoginURLAllowList + +### Payload Keys with New OS Support + +- Changed: mdm/profiles/com.apple.applicationaccess.yaml/allowAutomaticAppDownloads [visionOS 27.0] +- Changed: mdm/profiles/com.apple.applicationaccess.yaml/allowCamera [visionOS 27.0] +- Changed: mdm/profiles/com.apple.applicationaccess.yaml/allowListedAppBundleIDs [visionOS 27.0] +- Changed: mdm/profiles/com.apple.applicationaccess.yaml/blockedAppBundleIDs [visionOS 27.0] + +### Removed Objects + +- Removed: mdm/profiles/com.apple.SoftwareUpdate.yaml + +### Removed Payload Keys + +- Removed: mdm/profiles/com.apple.applicationaccess.yaml/allowRapidSecurityResponseInstallation +- Removed: mdm/profiles/com.apple.applicationaccess.yaml/allowRapidSecurityResponseRemoval +- Removed: mdm/profiles/com.apple.applicationaccess.yaml/enforcedSoftwareUpdateDelay +- Removed: mdm/profiles/com.apple.applicationaccess.yaml/enforcedSoftwareUpdateMajorOSDeferredInstallDelay +- Removed: mdm/profiles/com.apple.applicationaccess.yaml/enforcedSoftwareUpdateMinorOSDeferredInstallDelay +- Removed: mdm/profiles/com.apple.applicationaccess.yaml/enforcedSoftwareUpdateNonOSDeferredInstallDelay +- Removed: mdm/profiles/com.apple.applicationaccess.yaml/forceDelayedAppSoftwareUpdates +- Removed: mdm/profiles/com.apple.applicationaccess.yaml/forceDelayedMajorSoftwareUpdates +- Removed: mdm/profiles/com.apple.applicationaccess.yaml/forceDelayedSoftwareUpdates + +--- + +## mdm/errors + +No changes. + +--- + +## other + +### New Payload Keys + +- New: other/skipkeys.yaml/AccessibilityAppearance +- New: other/skipkeys.yaml/LiquidGlass diff --git a/README.md b/README.md index 5def0b7..7006122 100644 --- a/README.md +++ b/README.md @@ -8,11 +8,13 @@ This release corresponds to the following OS versions | OS | Version | |----------|---------| -| iOS | 26.4 | -| macOS | 26.4 | -| tvOS | 26.4 | -| visionOS | 26.4 | -| watchOS | 26.4 | +| iOS | 27.0 | +| macOS | 27.0 | +| tvOS | 27.0 | +| visionOS | 27.0 | +| watchOS | 27.0 | + +See [Changes](CHANGES.md) for the significant changes in this release. ## What's Available @@ -29,6 +31,12 @@ The following schema items are available: * Other device management data formats +* Examples for schema items - `examples` + * This directory contains `declarative`, `mdm`, and `other` directories. + * Each sub-directory contains directories and files that mirror the structure of the corresponding schema directories. + * Each schema item has its own directory containing the example files for the schema object. + * Each YAML schema file contains an `examples` key that includes relative file paths to its example files. + ## YAML Schema Definition See [YAML Schema](docs/schema.md). diff --git a/declarative/declarations/activations/simple.yaml b/declarative/declarations/activations/simple.yaml index fb54592..e94418c 100644 --- a/declarative/declarations/activations/simple.yaml +++ b/declarative/declarations/activations/simple.yaml @@ -15,6 +15,7 @@ payload: introduced: '10.0' payloadkeys: - key: StandardConfigurations + title: Standard configurations type: presence: required content: An array of strings that specify the identifiers of configurations to install. @@ -22,10 +23,22 @@ payloadkeys: from installing. subkeys: - key: StandardConfigurationsItems + title: Standard configurations items type: - key: Predicate + title: Predicate type: presence: optional content: A predicate format string as [Apple's Predicate Programming](https://developer.apple.com/library/archive/documentation/Cocoa/Conceptual/Predicates/AdditionalChapters/Introduction.html) describes. The activation only installs when the predicate evaluates to `true` or isn't present. +examples: + title: Activation examples + files: + - tab: One configuration + description: This activation applies one configuration. + file: examples/declarative/declarations/activations/simple/example1.json + - tab: Predicate + description: This activation applies two configurations and uses a predicate to + limit those to only apply on an Apple TV device. + file: examples/declarative/declarations/activations/simple/example2.json diff --git a/declarative/declarations/assets/credential.acme.yaml b/declarative/declarations/assets/credential.acme.yaml index 1126f1a..a99d486 100644 --- a/declarative/declarations/assets/credential.acme.yaml +++ b/declarative/declarations/assets/credential.acme.yaml @@ -15,6 +15,7 @@ payload: introduced: '10.0' payloadkeys: - key: Reference + title: External reference type: asset-content-types: - application/json @@ -26,22 +27,26 @@ payloadkeys: - Uses a media type of `application/json`, and if it includes a `ContentType` sub-key, that sub-key media type is also `application/json` subkeys: - key: DataURL + title: Data URL type: presence: required content: The URL to retrieve data, which needs to start with `https://`. - key: ContentType + title: Content type type: presence: optional content: The media type that describes the data. If present, the system checks the actual media type of the downloaded data, and an error occurs if the values don't match. - key: Size + title: Size type: presence: optional content: The size of the data. Set the size to `0` if there's no expectation of a response body. If present, the system checks the actual size of the downloaded data, and an error occurs if the values don't match. - key: Hash-SHA-256 + title: SHA-256 hash type: presence: optional content: A SHA-256 hash of the data stored at the `DataURL`. Don't set this value @@ -49,11 +54,14 @@ payloadkeys: the actual hash of the downloaded data, and an error occurs if the values don't match. - key: Authentication + title: Server authentication type: presence: optional - content: The server authentication details. + content: The server authentication details. If this key is absent, the default authentication + type is MDM. subkeys: - key: Type + title: Authentication type type: presence: required rangelist: @@ -63,7 +71,10 @@ payloadkeys: The type of authentication, which has these allowed values: - `MDM`: A request that uses MDM semantics, which includes the device-identity certificate, and any user authentication. This is equivalent to an MDM request made to the `CheckInURL` or `ServerURL`. This option is only available through declarative device management. - `None`: A standard GET request. + + If the `Authentication` dictionary is absent, the default authentication type is MDM. - key: Accessible + title: Accessible type: presence: optional rangelist: @@ -75,3 +86,7 @@ payloadkeys: - `Default`: The most restrictive accessibility that still satisfies all uses of the asset by configurations that reference it. - `AfterFirstUnlock`: The keychain item is only available after the first unlock of the device. +examples: + title: Asset example + files: + - file: examples/declarative/declarations/assets/credential.acme/example1.json diff --git a/declarative/declarations/assets/credential.certificate.yaml b/declarative/declarations/assets/credential.certificate.yaml index 0b69b38..4715bdb 100644 --- a/declarative/declarations/assets/credential.certificate.yaml +++ b/declarative/declarations/assets/credential.certificate.yaml @@ -15,6 +15,7 @@ payload: introduced: '10.0' payloadkeys: - key: Reference + title: External reference type: asset-content-types: - application/pkcs1 @@ -26,22 +27,26 @@ payloadkeys: corresponding media type. subkeys: - key: DataURL + title: Data URL type: presence: required content: The URL to retrieve data, which needs to start with `https://`. - key: ContentType + title: Content type type: presence: optional content: The media type that describes the data. If present, the system checks the actual media type of the downloaded data, and an error occurs if the values don't match. - key: Size + title: Size type: presence: optional content: The size of the data. Set the size to `0` if there's no expectation of a response body. If present, the system checks the actual size of the downloaded data, and an error occurs if the values don't match. - key: Hash-SHA-256 + title: SHA-256 hash type: presence: optional content: A SHA-256 hash of the data stored at the `DataURL`. Don't set this value @@ -49,11 +54,14 @@ payloadkeys: the actual hash of the downloaded data, and an error occurs if the values don't match. - key: Authentication + title: Server authentication type: presence: optional - content: The server authentication details. + content: The server authentication details. If this key is absent, the default authentication + type is MDM. subkeys: - key: Type + title: Authentication type type: presence: required rangelist: @@ -63,3 +71,9 @@ payloadkeys: The type of authentication, which has these allowed values: - `MDM`: A request that uses MDM semantics, which includes the device-identity certificate, and any user authentication. This is equivalent to an MDM request made to the `CheckInURL` or `ServerURL`. This option is only available through declarative device management. - `None`: A standard GET request. + + If the `Authentication` dictionary is absent, the default authentication type is MDM. +examples: + title: Asset example + files: + - file: examples/declarative/declarations/assets/credential.certificate/example1.json diff --git a/declarative/declarations/assets/credential.identity.yaml b/declarative/declarations/assets/credential.identity.yaml index f8d0313..055e9b0 100644 --- a/declarative/declarations/assets/credential.identity.yaml +++ b/declarative/declarations/assets/credential.identity.yaml @@ -15,6 +15,7 @@ payload: introduced: '10.0' payloadkeys: - key: Reference + title: External reference type: asset-content-types: - application/json @@ -26,22 +27,26 @@ payloadkeys: - Uses a media type of `application/json`, and if it includes a `ContentType` sub-key, that sub-key media type is also `application/json` subkeys: - key: DataURL + title: Data URL type: presence: required content: The URL to retrieve data, which needs to start with `https://`. - key: ContentType + title: Content type type: presence: optional content: The media type that describes the data. If present, the system checks the actual media type of the downloaded data, and an error occurs if the values don't match. - key: Size + title: Size type: presence: optional content: The size of the data. Set the size to `0` if there's no expectation of a response body. If present, the system checks the actual size of the downloaded data, and an error occurs if the values don't match. - key: Hash-SHA-256 + title: SHA-256 hash type: presence: optional content: A SHA-256 hash of the data stored at the `DataURL`. Don't set this value @@ -49,11 +54,14 @@ payloadkeys: the actual hash of the downloaded data, and an error occurs if the values don't match. - key: Authentication + title: Server authentication type: presence: optional - content: The server authentication details. + content: The server authentication details. If this key is absent, the default authentication + type is MDM. subkeys: - key: Type + title: Authentication type type: presence: required rangelist: @@ -63,7 +71,10 @@ payloadkeys: The type of authentication, which has these allowed values: - `MDM`: A request that uses MDM semantics, which includes the device-identity certificate, and any user authentication. This is equivalent to an MDM request made to the `CheckInURL` or `ServerURL`. This option is only available through declarative device management. - `None`: A standard GET request. + + If the `Authentication` dictionary is absent, the default authentication type is MDM. - key: Accessible + title: Accessible type: presence: optional rangelist: @@ -75,3 +86,7 @@ payloadkeys: - `Default`: The most restrictive accessibility that still satisfies all uses of the asset by configurations that reference it. - `AfterFirstUnlock`: The keychain item is only available after the first unlock of the device. +examples: + title: Asset example + files: + - file: examples/declarative/declarations/assets/credential.identity/example1.json diff --git a/declarative/declarations/assets/credential.scep.yaml b/declarative/declarations/assets/credential.scep.yaml index 77f917d..bcab31e 100644 --- a/declarative/declarations/assets/credential.scep.yaml +++ b/declarative/declarations/assets/credential.scep.yaml @@ -15,6 +15,7 @@ payload: introduced: '10.0' payloadkeys: - key: Reference + title: External reference type: asset-content-types: - application/json @@ -26,22 +27,26 @@ payloadkeys: - Uses a media type of `application/json`, and if it includes a `ContentType` sub-key, that sub-key media type is also `application/json` subkeys: - key: DataURL + title: Data URL type: presence: required content: The URL to retrieve data, which needs to start with `https://`. - key: ContentType + title: Content type type: presence: optional content: The media type that describes the data. If present, the system checks the actual media type of the downloaded data, and an error occurs if the values don't match. - key: Size + title: Size type: presence: optional content: The size of the data. Set the size to `0` if there's no expectation of a response body. If present, the system checks the actual size of the downloaded data, and an error occurs if the values don't match. - key: Hash-SHA-256 + title: SHA-256 hash type: presence: optional content: A SHA-256 hash of the data stored at the `DataURL`. Don't set this value @@ -49,11 +54,14 @@ payloadkeys: the actual hash of the downloaded data, and an error occurs if the values don't match. - key: Authentication + title: Server authentication type: presence: optional - content: The server authentication details. + content: The server authentication details. If this key is absent, the default authentication + type is MDM. subkeys: - key: Type + title: Authentication type type: presence: required rangelist: @@ -63,7 +71,10 @@ payloadkeys: The type of authentication, which has these allowed values: - `MDM`: A request that uses MDM semantics, which includes the device-identity certificate, and any user authentication. This is equivalent to an MDM request made to the `CheckInURL` or `ServerURL`. This option is only available through declarative device management. - `None`: A standard GET request. + + If the `Authentication` dictionary is absent, the default authentication type is MDM. - key: Accessible + title: Accessible type: presence: optional rangelist: @@ -75,3 +86,7 @@ payloadkeys: - `Default`: The most restrictive accessibility that still satisfies all uses of the asset by configurations that reference it. - `AfterFirstUnlock`: The keychain item is only available after the first unlock of the device. +examples: + title: Asset example + files: + - file: examples/declarative/declarations/assets/credential.scep/example1.json diff --git a/declarative/declarations/assets/credential.userpassword.yaml b/declarative/declarations/assets/credential.userpassword.yaml index 33f6d8e..721e961 100644 --- a/declarative/declarations/assets/credential.userpassword.yaml +++ b/declarative/declarations/assets/credential.userpassword.yaml @@ -16,6 +16,7 @@ payload: introduced: '10.0' payloadkeys: - key: Reference + title: External reference type: asset-content-types: - application/json @@ -27,22 +28,26 @@ payloadkeys: - Uses a media type of `application/json`, and if it includes a `ContentType` sub-key, that sub-key media type is also `application/json` subkeys: - key: DataURL + title: Data URL type: presence: required content: The URL to retrieve data, which needs to start with `https://`. - key: ContentType + title: Content type type: presence: optional content: The media type that describes the data. If present, the system checks the actual media type of the downloaded data, and an error occurs if the values don't match. - key: Size + title: Size type: presence: optional content: The size of the data. Set the size to `0` if there's no expectation of a response body. If present, the system checks the actual size of the downloaded data, and an error occurs if the values don't match. - key: Hash-SHA-256 + title: SHA-256 hash type: presence: optional content: A SHA-256 hash of the data stored at the `DataURL`. Don't set this value @@ -50,6 +55,7 @@ payloadkeys: the actual hash of the downloaded data, and an error occurs if the values don't match. - key: Authentication + title: Server authentication supportedOS: iOS: introduced: '17.0' @@ -61,9 +67,11 @@ payloadkeys: introduced: '10.0' type: presence: optional - content: The server authentication details. + content: The server authentication details. If this key is absent, the default authentication + type is MDM. subkeys: - key: Type + title: Authentication type type: presence: required rangelist: @@ -73,3 +81,9 @@ payloadkeys: The type of authentication, which has these allowed values: - `MDM`: A request that uses MDM semantics, which includes the device-identity certificate, and any user authentication. This is equivalent to an MDM request made to the `CheckInURL` or `ServerURL`. This option is only available through declarative device management. - `None`: A standard GET request. + + If the `Authentication` dictionary is absent, the default authentication type is MDM. +examples: + title: Asset example + files: + - file: examples/declarative/declarations/assets/credential.userpassword/example1.json diff --git a/declarative/declarations/assets/credentials/acme.yaml b/declarative/declarations/assets/credentials/acme.yaml index cb4ff1b..975ee6f 100644 --- a/declarative/declarations/assets/credentials/acme.yaml +++ b/declarative/declarations/assets/credentials/acme.yaml @@ -31,13 +31,13 @@ payloadkeys: relatively weak indication because of the risk that an attacker may intercept and duplicate the client identifier. - key: KeySize - title: Key Size + title: Key size type: presence: required content: The valid values for `KeySize` depend on the values of `KeyType` and `HardwareBound`. See those keys for specific requirements. - key: KeyType - title: Key Type + title: Key type type: presence: required rangelist: @@ -53,7 +53,7 @@ payloadkeys: > Note: > The key size is `521`, not `512`, even though the other key sizes are multiples of `64`. - key: HardwareBound - title: Hardware Bound + title: Hardware bound type: presence: required content: |- @@ -78,22 +78,22 @@ payloadkeys: You can represent OIDs as dotted numbers or use shortcuts for country (`C`), locality (`L`), state (`ST`), organization (`O`), organizational unit (`OU`), and common name (`CN`). subkeys: - key: ACMESubjectArrayInnerArray - title: Array Inside ACME Subject Array + title: Array inside ACME subject array type: subkeys: - key: ACMESubjectArrayPair - title: Subject Array Pair + title: Subject array pair type: subkeys: - key: ACMESubjectArrayPairItem - title: ACME Subject Array Pair Item + title: ACME subject array pair item type: repetition: min: 2 max: 2 content: One item in the array representing a pair of OID and value - key: SubjectAltName - title: Subject Alt Name + title: Subject alt name type: presence: optional content: Specifies the subject's alternative name that the device requests for the @@ -101,12 +101,12 @@ payloadkeys: this field in the certificate it issues. subkeys: - key: rfc822Name - title: RFC 822 Name + title: RFC 822 name type: presence: optional content: The RFC 822 email address. - key: dNSName - title: DNS Name + title: DNS name type: presence: optional content: The DNS name. @@ -116,12 +116,12 @@ payloadkeys: presence: optional content: The uniform resource identifier. - key: ntPrincipalName - title: NT Principal Name + title: NT principal name type: presence: optional content: The NT principal name. Use an other name OID set to `1.3.6.1.4.1.311.20.2.3`. - key: UsageFlags - title: Key Usage + title: Key usage type: presence: optional content: |- @@ -129,7 +129,7 @@ payloadkeys: The value is a bit field. Bit `0x01` indicates digital signature, and bit `0x04` indicates key encipherment. - key: ExtendedKeyUsage - title: Extended Key Usage + title: Extended key usage type: presence: optional content: |- @@ -168,4 +168,8 @@ notes: | Attest key support | iPhone, iPad | Mac | Apple TV | Apple Watch | Vision Pro | |--------------------|--------------------------------------|----------------|-------------------------|----------------|------------| | Ignored | A10x Fusion and earlier | Intel | A10x Fusion and earlier | S3 and earlier | none | - | Supported | A11 Bionic and later
All M series | Apple Silicon | A12 Bionic and later | S4 and later | All | + | Supported | A11 Bionic and later
All M series | Apple silicon | A12 Bionic and later | S4 and later | All | +examples: + title: Credential example + files: + - file: examples/declarative/declarations/assets/credentials/acme/example1.json diff --git a/declarative/declarations/assets/credentials/identity.yaml b/declarative/declarations/assets/credentials/identity.yaml index ae669bd..67981e9 100644 --- a/declarative/declarations/assets/credentials/identity.yaml +++ b/declarative/declarations/assets/credentials/identity.yaml @@ -15,10 +15,16 @@ payload: introduced: '10.0' payloadkeys: - key: Password + title: Password type: presence: required content: 'The password required to decrypt the PKCS #12 identity data.' - key: Identity + title: Identity type: presence: required content: 'The PKCS #12 identity data.' +examples: + title: Credential example + files: + - file: examples/declarative/declarations/assets/credentials/identity/example1.json diff --git a/declarative/declarations/assets/credentials/scep.yaml b/declarative/declarations/assets/credentials/scep.yaml index 9b8a337..f515b18 100644 --- a/declarative/declarations/assets/credentials/scep.yaml +++ b/declarative/declarations/assets/credentials/scep.yaml @@ -38,15 +38,15 @@ payloadkeys: You can represent OIDs as dotted numbers or use shortcuts for country (`C`), locality (`L`), state (`ST`), organization (`O`), organizational unit (`OU`), and common name (`CN`). subkeys: - key: SCEPSubjectArrayInnerArray - title: Array Inside SCEP Subject Array + title: Array inside SCEP subject array type: subkeys: - key: SCEPSubjectArrayPair - title: Subject Array Pair + title: Subject array pair type: subkeys: - key: SCEPSubjectArrayPairItem - title: SCEP Subject Array Pair Item + title: SCEP subject array pair item type: repetition: min: 2 @@ -58,7 +58,7 @@ payloadkeys: presence: optional content: A preshared secret. - key: Keysize - title: Key Size + title: Key size type: presence: optional rangelist: @@ -68,13 +68,13 @@ payloadkeys: default: 1024 content: The key size in bits, either `1024`, `2048`, or `4096`. - key: Key Type - title: Key Type + title: Key type type: presence: optional default: RSA content: The key type, which always has the value `RSA`. - key: Key Usage - title: Key Usage + title: Key usage type: presence: optional default: 0 @@ -94,25 +94,25 @@ payloadkeys: content: The number of times the device should retry if the server sends a `PENDING` response. - key: RetryDelay - title: Retry Delay + title: Retry delay type: presence: optional default: 10 content: The number of seconds to wait between subsequent retries. The system makes the first retry without this delay. - key: SubjectAltName - title: Subject Alt Name + title: Subject alt name type: presence: optional content: The subject's alternative name for the certificate. subkeys: - key: rfc822Name - title: RFC 822 Name + title: RFC 822 name type: presence: optional content: The RFC 822 email address. - key: dNSName - title: DNS Name + title: DNS name type: presence: optional content: The DNS name. @@ -122,7 +122,11 @@ payloadkeys: presence: optional content: The uniform resource identifier. - key: ntPrincipalName - title: NT Principal Name + title: NT principal name type: presence: optional content: The NT principal name. Use an other name OID set to `1.3.6.1.4.1.311.20.2.3`. +examples: + title: Credential example + files: + - file: examples/declarative/declarations/assets/credentials/scep/example1.json diff --git a/declarative/declarations/assets/credentials/usernameandpassword.yaml b/declarative/declarations/assets/credentials/usernameandpassword.yaml index 48cd46d..d822b3c 100644 --- a/declarative/declarations/assets/credentials/usernameandpassword.yaml +++ b/declarative/declarations/assets/credentials/usernameandpassword.yaml @@ -15,10 +15,16 @@ payload: introduced: '10.0' payloadkeys: - key: UserName + title: User name type: presence: required content: The user name for this credential. - key: Password + title: Password type: presence: optional content: The password for this credential. +examples: + title: Credential example + files: + - file: examples/declarative/declarations/assets/credentials/usernameandpassword/example1.json diff --git a/declarative/declarations/assets/data.yaml b/declarative/declarations/assets/data.yaml index abe9467..c05e5ae 100644 --- a/declarative/declarations/assets/data.yaml +++ b/declarative/declarations/assets/data.yaml @@ -15,27 +15,32 @@ payload: introduced: '10.0' payloadkeys: - key: Reference + title: External reference type: presence: required content: The external reference. subkeys: - key: DataURL + title: Data URL type: presence: required content: The URL to retrieve data, which needs to start with `https://`. - key: ContentType + title: Content type type: presence: optional content: The media type that describes the data. If present, the system checks the actual media type of the downloaded data, and an error occurs if the values don't match. - key: Size + title: Size type: presence: optional content: The size of the data. Set the size to `0` if there's no expectation of a response body. If present, the system checks the actual size of the downloaded data, and an error occurs if the values don't match. - key: Hash-SHA-256 + title: SHA-256 hash type: presence: optional content: A SHA-256 hash of the data stored at the `DataURL`. Don't set this value @@ -43,11 +48,14 @@ payloadkeys: the actual hash of the downloaded data, and an error occurs if the values don't match. - key: Authentication + title: Server authentication type: presence: optional - content: The server authentication details. + content: The server authentication details. If this key is absent, the default authentication + type is MDM. subkeys: - key: Type + title: Authentication type type: presence: required rangelist: @@ -57,3 +65,9 @@ payloadkeys: The type of authentication, which has these allowed values: - `MDM`: A request that uses MDM semantics, which includes the device-identity certificate, and any user authentication. This is equivalent to an MDM request made to the `CheckInURL` or `ServerURL`. This option is only available through declarative device management. - `None`: A standard GET request. + + If the `Authentication` dictionary is absent, the default authentication type is MDM. +examples: + title: Asset example + files: + - file: examples/declarative/declarations/assets/data/example1.json diff --git a/declarative/declarations/assets/useridentity.yaml b/declarative/declarations/assets/useridentity.yaml index 32ed445..091e02f 100644 --- a/declarative/declarations/assets/useridentity.yaml +++ b/declarative/declarations/assets/useridentity.yaml @@ -15,12 +15,16 @@ payload: introduced: '10.0' payloadkeys: - key: FullName - title: Full Name + title: Full name type: presence: optional content: The user's full name. - key: EmailAddress - title: Email Address + title: Email address type: presence: optional content: The email address of the user. +examples: + title: Asset example + files: + - file: examples/declarative/declarations/assets/useridentity/example1.json diff --git a/declarative/declarations/configurations/account.caldav.yaml b/declarative/declarations/configurations/account.caldav.yaml index d32cc4f..390676d 100644 --- a/declarative/declarations/configurations/account.caldav.yaml +++ b/declarative/declarations/configurations/account.caldav.yaml @@ -37,32 +37,30 @@ payload: watchOS: introduced: n/a apply: multiple - content: A CalDAV configuration defines a CalDAV calendar and reminders account - for a user. payloadkeys: - key: VisibleName - title: Account Name + title: Account name type: presence: optional content: The name that apps show to the user for this calendar account. If not present, the system generates a suitable default. - key: HostName - title: Server Host Name + title: Server host name type: presence: required content: The hostname or IP address of the CalDAV server. - key: Port - title: Server Port + title: Server port type: presence: optional content: The port number for the CalDAV server. - key: Path - title: Server Path + title: Server path type: presence: optional content: The path for the CalDAV server. - key: AuthenticationCredentialsAssetReference - title: Authentication Credentials Asset Reference + title: Authentication credentials asset reference type: assettypes: - com.apple.asset.credential.userpassword @@ -73,3 +71,8 @@ related-status-items: - status-items: - account.list.caldav note: Each configuration will have a corresponding status item. +examples: + title: Configuration example + files: + - description: This configuration sets up a CalDAV account for calendars. + file: examples/declarative/declarations/configurations/account.caldav/example1.json diff --git a/declarative/declarations/configurations/account.carddav.yaml b/declarative/declarations/configurations/account.carddav.yaml index 90d5417..0af5162 100644 --- a/declarative/declarations/configurations/account.carddav.yaml +++ b/declarative/declarations/configurations/account.carddav.yaml @@ -37,31 +37,30 @@ payload: watchOS: introduced: n/a apply: multiple - content: A CardDAV configuration defines a CardDAV contacts account for a user. payloadkeys: - key: VisibleName - title: Account Name + title: Account name type: presence: optional content: The name that apps show to the user for this address book account. If not present, the system generates a suitable default. - key: HostName - title: Server Host Name + title: Server host name type: presence: required content: The hostname or IP address of the CardDAV server. - key: Port - title: Server Port + title: Server port type: presence: optional content: The port number for the CardDAV server. - key: Path - title: Server Path + title: Server path type: presence: optional content: The path for the CardDAV server. - key: AuthenticationCredentialsAssetReference - title: Authentication Credentials Asset Reference + title: Authentication credentials asset reference type: assettypes: - com.apple.asset.credential.userpassword @@ -72,3 +71,8 @@ related-status-items: - status-items: - account.list.carddav note: Each configuration will have a corresponding status item. +examples: + title: Configuration example + files: + - description: This configuration sets up a CardDAV account for contacts. + file: examples/declarative/declarations/configurations/account.carddav/example1.json diff --git a/declarative/declarations/configurations/account.exchange.yaml b/declarative/declarations/configurations/account.exchange.yaml index 2ca12c5..23ce380 100644 --- a/declarative/declarations/configurations/account.exchange.yaml +++ b/declarative/declarations/configurations/account.exchange.yaml @@ -37,16 +37,15 @@ payload: watchOS: introduced: n/a apply: multiple - content: This payload configures an Exchange ActiveSync account on an iOS device. payloadkeys: - key: VisibleName - title: Account Name + title: Account name type: presence: optional content: The name that apps show to the user for this Exchange account. If not present, the system generates a suitable default. - key: EnabledProtocolTypes - title: Enabled Protocol Types + title: Enabled protocol types type: presence: required content: |- @@ -66,7 +65,7 @@ payloadkeys: - EAS - EWS - key: UserIdentityAssetReference - title: User Identity Asset Reference + title: User identity asset reference type: assettypes: - com.apple.asset.useridentity @@ -74,12 +73,12 @@ payloadkeys: content: The identifier of an asset declaration that contains the user identity for this account. The corresponding asset must be of type `UserIdentity`. - key: HostName - title: Server Host Name + title: Server host name type: presence: optional content: The IP address or fully qualified domain name (FQDN) of the Exchange host. - key: Port - title: Server Port + title: Server port supportedOS: iOS: introduced: n/a @@ -90,7 +89,7 @@ payloadkeys: content: The port number of the EWS server. The system uses this only when this declaration has a `HostName` value. - key: Path - title: Server Path + title: Server path supportedOS: iOS: introduced: n/a @@ -101,7 +100,7 @@ payloadkeys: content: The path of the EWS server. The system uses this only when this declaration has a `HostName` value. - key: ExternalHostName - title: Server External Host Name + title: Server external host name supportedOS: iOS: introduced: n/a @@ -111,7 +110,7 @@ payloadkeys: presence: optional content: The external hostname of the EWS server (or IP address). - key: ExternalPort - title: Server External Port + title: Server external port supportedOS: iOS: introduced: n/a @@ -122,7 +121,7 @@ payloadkeys: content: The external port number of the EWS server. The system uses this only when this declaration has a `ExternalHostName` value. - key: External Path - title: Server External Path + title: Server external path supportedOS: iOS: introduced: n/a @@ -144,6 +143,7 @@ payloadkeys: presence: required content: If `true`, enables OAuth for this account. - key: SignInURL + title: Sign in URL type: presence: optional content: The URL that this account uses for signing in with OAuth. The system @@ -151,6 +151,7 @@ payloadkeys: when a declaration contains this URL, so the declaration must also contain a `HostName`. - key: TokenRequestURL + title: Token request URL supportedOS: macOS: introduced: n/a @@ -159,7 +160,7 @@ payloadkeys: content: The URL that this account uses for token requests with OAuth. The system ignores this value unless `Enabled` is `true`. - key: AuthenticationCredentialsAssetReference - title: Authentication Credentials Asset Reference + title: Authentication credentials asset reference type: assettypes: - com.apple.asset.credential.userpassword @@ -168,7 +169,7 @@ payloadkeys: this account to authenticate with an Exchange server. Set the corresponding asset type to `CredentialUserNameAndPassword`. - key: AuthenticationIdentityAssetReference - title: Authentication Identity Asset Reference + title: Authentication identity asset reference type: assettypes: - com.apple.asset.credential.acme @@ -178,7 +179,7 @@ payloadkeys: content: The identifier of a credential asset declaration that contains the identity that this account requires to authenticate with the Exchange server. - key: SMIME - title: S/MIME Settings + title: S/MIME settings supportedOS: iOS: introduced: '17.0' @@ -189,18 +190,18 @@ payloadkeys: content: Settings for S/MIME. subkeys: - key: Signing - title: S/MIME Signing Settings + title: S/MIME signing settings type: presence: optional content: Settings for S/MIME signing. subkeys: - key: Enabled - title: Signing Enabled + title: Signing enabled type: presence: required content: If `true`, the system enables S/MIME signing. - key: IdentityAssetReference - title: S/MIME Signing Identity Asset Reference + title: S/MIME signing identity asset reference type: assettypes: - com.apple.asset.credential.acme @@ -210,31 +211,31 @@ payloadkeys: content: Specifies the identifier of an asset declaration containing the identity required for S/MIME signing of messages sent from this account. - key: UserOverrideable - title: Signing User Overrideable + title: Signing user overrideable type: presence: optional default: false content: If `true`, the user can turn S/MIME signing on or off in Settings. - key: IdentityUserOverrideable - title: Signing Identity User Overrideable + title: Signing identity user overrideable type: presence: optional default: false content: If `true`, the user can select an S/MIME signing identity in Settings. - key: Encryption - title: S/MIME Encryption Settings + title: S/MIME encryption settings type: presence: optional content: Settings for S/MIME encryption. subkeys: - key: Enabled - title: Encryption By Default Enabled + title: Encryption by default enabled type: presence: required content: If `true`, the system enables S/MIME encryption by default, which the user can't override if `PerMessageSwitchEnabled` is `false`. - key: IdentityAssetReference - title: S/MIME Encryption Identity Asset Reference + title: S/MIME encryption identity asset reference type: assettypes: - com.apple.asset.credential.acme @@ -247,31 +248,33 @@ payloadkeys: sends encrypted mail, the system uses the public certificate to encrypt the copy of the mail in their Sent mailbox. - key: UserOverrideable - title: Encryption By Default User Overrideable + title: Encryption by default user overrideable type: presence: optional default: false content: If `true`, the user can turn S/MIME encryption by default on or off in Settings. - key: IdentityUserOverrideable - title: Encryption Identity User Overrideable + title: Encryption identity user overrideable type: presence: optional default: false content: If `true`, the user can select an S/MIME signing identity in Settings. - key: PerMessageSwitchEnabled - title: Per Message Switch Enabled + title: Per message switch enabled type: presence: optional default: false content: If `true`, the system enables the per-message encryption switch in the compose view. - key: MailServiceActive + title: Mail service active type: presence: optional default: true content: If `true`, the system activates the mail service for this account. - key: LockMailService + title: Lock mail service supportedOS: macOS: introduced: n/a @@ -281,11 +284,13 @@ payloadkeys: content: If `true`, the system prevents the user from changing the status of the mail service for this account. - key: ContactsServiceActive + title: Contacts service active type: presence: optional default: true content: If `true`, activates the address book service for this account. - key: LockContactsService + title: Lock contacts service supportedOS: macOS: introduced: n/a @@ -295,11 +300,13 @@ payloadkeys: content: If `true`, the system prevents the user from changing the status of the address book service for this account. - key: CalendarServiceActive + title: Calendar service active type: presence: optional default: true content: If `true`, activates the calendar service for this account. - key: LockCalendarService + title: Lock calendar service supportedOS: macOS: introduced: n/a @@ -309,11 +316,13 @@ payloadkeys: content: If `true`, the system prevents the user from changing the status of the calendar service for this account. - key: RemindersServiceActive + title: Reminders service active type: presence: optional default: true content: If `true`, the system activates the reminders service for this account. - key: LockRemindersService + title: Lock reminders service supportedOS: macOS: introduced: n/a @@ -323,11 +332,13 @@ payloadkeys: content: If `true`, the system prevents the user from changing the status of the reminders service for this account. - key: NotesServiceActive + title: Notes service active type: presence: optional default: true content: If `true`, the system activates the notes service for this account. - key: LockNotesService + title: Lock notes service supportedOS: macOS: introduced: n/a @@ -340,3 +351,8 @@ related-status-items: - status-items: - account.list.exchange note: Each configuration will have a corresponding status item. +examples: + title: Configuration example + files: + - description: This configuration sets up a Microsoft Exchange account. + file: examples/declarative/declarations/configurations/account.exchange/example1.json diff --git a/declarative/declarations/configurations/account.google.yaml b/declarative/declarations/configurations/account.google.yaml index b6f7854..2823674 100644 --- a/declarative/declarations/configurations/account.google.yaml +++ b/declarative/declarations/configurations/account.google.yaml @@ -37,18 +37,15 @@ payload: watchOS: introduced: n/a apply: multiple - content: A Google configuration defines a Google account for a user. The user will - be prompted to enter their credentials shortly after the configuration successfully - installs. payloadkeys: - key: VisibleName - title: Account Name + title: Account name type: presence: optional content: The name that apps show to the user for this Google account. If not present, the system generates a suitable default. - key: UserIdentityAssetReference - title: User Identity Asset Reference + title: User identity asset reference type: assettypes: - com.apple.asset.useridentity @@ -61,3 +58,8 @@ related-status-items: - status-items: - account.list.google note: Each configuration will have a corresponding status item. +examples: + title: Configuration example + files: + - description: This configuration sets up a Google account. + file: examples/declarative/declarations/configurations/account.google/example1.json diff --git a/declarative/declarations/configurations/account.ldap.yaml b/declarative/declarations/configurations/account.ldap.yaml index 4a41e7d..ab2f78e 100644 --- a/declarative/declarations/configurations/account.ldap.yaml +++ b/declarative/declarations/configurations/account.ldap.yaml @@ -38,26 +38,25 @@ payload: watchOS: introduced: n/a apply: multiple - content: An LDAP configuration defines an LDAP directory account for a user. payloadkeys: - key: VisibleName - title: Account Name + title: Account name type: presence: optional content: The name that apps show to the user for this LDAP account. If not present, the system generates a suitable default. - key: HostName - title: Server Host Name + title: Server host name type: presence: required content: The hostname or IP address of the LDAP server. - key: Port - title: Server Port + title: Server port type: presence: optional content: The port number or IP address of the LDAP server. - key: AuthenticationCredentialsAssetReference - title: Authentication Credentials Asset Reference + title: Authentication credentials asset reference type: assettypes: - com.apple.asset.credential.userpassword @@ -65,7 +64,7 @@ payloadkeys: content: The identifier of an asset declaration that contains the credentials for this account. Set the corresponding asset type to `CredentialUserNameAndPassword`. - key: SearchSettings - title: Search Settings + title: Search settings type: presence: optional content: The array of nodes to start LDAP searches from. There must be at least @@ -73,17 +72,17 @@ payloadkeys: other items in the array. subkeys: - key: SearchSettingsItem - title: An LDAP Search Setting + title: An LDAP search setting type: subkeys: - key: VisibleDescription - title: Visible Description + title: Visible description type: presence: optional content: The description of this search setting in the Contacts and Settings apps. If not present, the apps display no name. - key: SearchBase - title: Search Base + title: Search base type: presence: required content: The path to the node where a search starts. For example, `ou=people,o=example @@ -107,3 +106,8 @@ related-status-items: - status-items: - account.list.ldap note: Each configuration will have a corresponding status item. +examples: + title: Configuration example + files: + - description: This configuration sets up an LDAP directory account. + file: examples/declarative/declarations/configurations/account.ldap/example1.json diff --git a/declarative/declarations/configurations/account.mail.yaml b/declarative/declarations/configurations/account.mail.yaml index 4a030f6..3fcb016 100644 --- a/declarative/declarations/configurations/account.mail.yaml +++ b/declarative/declarations/configurations/account.mail.yaml @@ -37,16 +37,15 @@ payload: watchOS: introduced: n/a apply: multiple - content: An email configuration defines an email account for a user. payloadkeys: - key: VisibleName - title: Account Name + title: Account name type: presence: optional content: The name that apps show to the user for this mail account. If not present, the system generates a suitable default. - key: UserIdentityAssetReference - title: User Identity Asset Reference + title: User identity asset reference type: assettypes: - com.apple.asset.useridentity @@ -54,13 +53,13 @@ payloadkeys: content: The identifier of an asset declaration that contains the user identity for this account. Set the corresponding asset type to `UserIdentity`. - key: IncomingServer - title: Incoming Server Settings + title: Incoming server settings type: presence: required content: The settings for the incoming mail server for this account. subkeys: - key: ServerType - title: Server Type + title: Server type type: presence: required rangelist: @@ -68,17 +67,17 @@ payloadkeys: - POP content: The mail protocol this account uses. - key: HostName - title: Server Host Name + title: Server host name type: presence: required content: The host name for the incoming mail server. - key: Port - title: Server Port + title: Server port type: presence: optional content: The port number for the incoming mail server. - key: AuthenticationMethod - title: Server Authentication Method + title: Server authentication method type: presence: required rangelist: @@ -89,7 +88,7 @@ payloadkeys: - HTTPMD5 content: The authentication method for the incoming mail server. - key: AuthenticationCredentialsAssetReference - title: Authentication Credentials Asset Reference + title: Authentication credentials asset reference type: assettypes: - com.apple.asset.credential.userpassword @@ -99,29 +98,29 @@ payloadkeys: If the `AuthenticationMethod` is `None`, this field must be blank. Otherwise, the declaration must contain this field. - key: IMAPPathPrefix - title: IMAP Path Prefix + title: IMAP path prefix type: presence: optional content: The path prefix for the IMAP server. The system uses this only when `ServerType` is `IMAP`. - key: OutgoingServer - title: Outgoing Server Settings + title: Outgoing server settings type: presence: required content: The settings for the outgoing mail server for this account. subkeys: - key: HostName - title: Server Host Name + title: Server host name type: presence: required content: The host name for the outgoing mail server. - key: Port - title: Server Port + title: Server port type: presence: optional content: The port number for the outgoing mail server. - key: AuthenticationMethod - title: Server Authentication Method + title: Server authentication method type: presence: required rangelist: @@ -132,7 +131,7 @@ payloadkeys: - HTTPMD5 content: The authentication method for the outgoing mail server. - key: AuthenticationCredentialsAssetReference - title: Authentication Credentials Asset Reference + title: Authentication credentials asset reference type: assettypes: - com.apple.asset.credential.userpassword @@ -142,7 +141,7 @@ payloadkeys: If the `AuthenticationMethod` is `None`, this field must be blank. Otherwise, the declaration must contain this field. - key: SMIME - title: S/MIME Settings + title: S/MIME settings supportedOS: iOS: introduced: '17.0' @@ -153,18 +152,18 @@ payloadkeys: content: Settings for S/MIME. subkeys: - key: Signing - title: S/MIME Signing Settings + title: S/MIME signing settings type: presence: optional content: Settings for S/MIME signing. subkeys: - key: Enabled - title: Signing Enabled + title: Signing enabled type: presence: required content: If `true`, the system enables S/MIME signing. - key: IdentityAssetReference - title: S/MIME Signing Identity Asset Reference + title: S/MIME signing identity asset reference type: assettypes: - com.apple.asset.credential.acme @@ -174,31 +173,31 @@ payloadkeys: content: Specifies the identifier of an asset declaration containing the identity required for S/MIME signing of messages sent from this account. - key: UserOverrideable - title: Signing User Overrideable + title: Signing user overrideable type: presence: optional default: false content: If `true`, the user can turn S/MIME signing on or off in Settings. - key: IdentityUserOverrideable - title: Signing Identity User Overrideable + title: Signing identity user overrideable type: presence: optional default: false content: If `true`, the user can select an S/MIME signing identity in Settings. - key: Encryption - title: S/MIME Encryption Settings + title: S/MIME encryption settings type: presence: optional content: Settings for S/MIME encryption. subkeys: - key: Enabled - title: Encryption By Default Enabled + title: Encryption by default enabled type: presence: required content: If `true`, the system enables S/MIME encryption by default, which the user can't override if `PerMessageSwitchEnabled` is `false`. - key: IdentityAssetReference - title: S/MIME Encryption Identity Asset Reference + title: S/MIME encryption identity asset reference type: assettypes: - com.apple.asset.credential.acme @@ -211,20 +210,20 @@ payloadkeys: sends encrypted mail, the system uses the public certificate to encrypt the copy of the mail in their Sent mailbox. - key: UserOverrideable - title: Encryption By Default User Overrideable + title: Encryption by default user overrideable type: presence: optional default: false content: If `true`, the user can set the default value for S/MIME encryption to on or off in Settings. - key: IdentityUserOverrideable - title: Encryption Identity User Overrideable + title: Encryption identity user overrideable type: presence: optional default: false content: If `true`, the user can select an S/MIME signing identity in Settings. - key: PerMessageSwitchEnabled - title: Per Message Switch Enabled + title: Per message switch enabled type: presence: optional default: false @@ -236,3 +235,9 @@ related-status-items: - account.list.mail.outgoing note: Each configuration will have a corresponding status item for incoming and outgoing accounts. +examples: + title: Configuration example + files: + - description: This configuration sets up an IMAP email account with SMTP outgoing + mail. + file: examples/declarative/declarations/configurations/account.mail/example1.json diff --git a/declarative/declarations/configurations/account.subscribed-calendar.yaml b/declarative/declarations/configurations/account.subscribed-calendar.yaml index 1627b5d..a97e536 100644 --- a/declarative/declarations/configurations/account.subscribed-calendar.yaml +++ b/declarative/declarations/configurations/account.subscribed-calendar.yaml @@ -37,11 +37,9 @@ payload: watchOS: introduced: n/a apply: multiple - content: A subscribed calendar configuration defines a subscribed calendar for a - user. payloadkeys: - key: VisibleName - title: Account Name + title: Account name type: presence: optional content: The name that apps show to the user for this calendar account. If not present, @@ -52,7 +50,7 @@ payloadkeys: presence: required content: The URL of the subscribed calendar, which needs to start with `https://`. - key: AuthenticationCredentialsAssetReference - title: Authentication Credentials Asset Reference + title: Authentication credentials asset reference type: assettypes: - com.apple.asset.credential.userpassword @@ -64,3 +62,8 @@ related-status-items: - status-items: - account.list.subscribed-calendar note: Each configuration will have a corresponding status item. +examples: + title: Configuration example + files: + - description: This configuration subscribes to a calendar feed. + file: examples/declarative/declarations/configurations/account.subscribed-calendar/example1.json diff --git a/declarative/declarations/configurations/app.managed.yaml b/declarative/declarations/configurations/app.managed.yaml index f3d4947..44cd6e5 100644 --- a/declarative/declarations/configurations/app.managed.yaml +++ b/declarative/declarations/configurations/app.managed.yaml @@ -41,7 +41,7 @@ payloadkeys: type: presence: optional content: |- - The App Store ID of the managed app that is downloaded from the App Store. + The App Store ID of the managed app that's downloaded from the App Store. Only one of `AppStoreID`, `BundleID`, `ManifestURL`, or `AppComposedIdentifier` needs to be present. - key: BundleID @@ -49,7 +49,7 @@ payloadkeys: type: presence: optional content: |- - The bundle ID of the managed app that is downloaded from the App Store. + The bundle ID of the managed app that's downloaded from the App Store. Only one of `AppStoreID`, `BundleID`, `ManifestURL`, or `AppComposedIdentifier` needs to be present. - key: ManifestURL @@ -60,13 +60,11 @@ payloadkeys: type: presence: optional content: |- - The URL of the manifest for the managed app that the device downloads from a web site. The manifest is returned as a `ManifestURL` property list. + The URL of the manifest for the managed app that the device downloads from a web site. The manifest is a `ManifestURL` property list. Only one of `AppStoreID`, `BundleID`, `ManifestURL`, or `AppComposedIdentifier` needs to be present. - - Available only in iOS and visionOS. - key: AppComposedIdentifier - title: App Composed Identifier + title: App composed identifier supportedOS: iOS: introduced: n/a @@ -77,20 +75,18 @@ payloadkeys: type: presence: optional content: |- - A string that specifies the composed identifier of an existing app that needs to be managed. The device uses this to take over management of an app installed by some other process, for example installed manually by the user, or via a package configuration. If the app isn't present when the device applies the configuration, the device takes over management of it when it does install. + A string that specifies the composed identifier of an existing app that needs to be managed. The device uses this to take over management of an app installed by some other process, for example installed manually by the user, or via a package configuration. If the app isn't present when the device applies the configuration, the device takes over management of it when it does install. Management of the app occurs only if its code signature matches the composed identifier. The following rules apply when the device takes over management: - If the `InstallBehavior.Install` key is set to `Required`, the device takes over management of the app. - If the `InstallBehavior.Install` key is set to `Optional`, the device takes over management of the app when the user "installs" it using an MDM management app. - The format of the composed identifier is either "Bundle-ID (Team-ID)" or "Bundle-ID {Designated-Requirement}". For example, `com.example.app (ABCD1234)` for the team ID format, or `com.example.app {anchor apple generic}` for the designated requirement format. Management of the app occurs only if its code signature matches the composed identifier. + The format of the composed identifier is either "Bundle-ID" or "Bundle-ID (Team-ID)". "Bundle-ID" is the bundle identifier string of the provider. "Team-ID" is the team identifier from the provider's code signature. For example, "com.example.app" for the bundle ID format, or "com.example.app (ABCD1234)" for the team ID format. In macOS, only one of `AppStoreID`, `BundleID`, or `AppComposedIdentifier` needs to be present. - - Available only in macOS. - key: iOSApp - title: iOS App + title: iOS app supportedOS: iOS: introduced: n/a @@ -101,12 +97,10 @@ payloadkeys: type: presence: optional default: false - content: |- - If `true`, the device installs an iOS or iPadOS app that runs on a Mac with Apple Silicon. This is only used when the app is an App Store app. - - Available only in macOS. + content: If `true`, the device installs an iOS or iPadOS app that runs on a Mac + with Apple silicon. This is only used when the app is an App Store app. - key: InstallBehavior - title: Install Behavior + title: Install behavior type: presence: optional content: A dictionary that describes how and when to install the app. @@ -147,7 +141,7 @@ payloadkeys: This key needs to be present for App Store apps, when either `AppStoreID` or `BundleID` are present in the configuration. - key: VPPType - title: VPP Type + title: VPP type supportedOS: iOS: removed: '18.0' @@ -179,7 +173,7 @@ payloadkeys: type: presence: optional content: |- - The App Store external version identifier (EVID) of the version of the app the device installs. You can retrieve this value from the App Store. For more information, see `Apps and Books for Organizations`. This key is ignored if the app isn't an App Store app. + The App Store external version identifier (EVID) of the version of the app the device installs. You can retrieve this value from the App Store. For more information, see `Apps and books metadata for organizations`. This key is ignored if the app isn't an App Store app. The following rules apply when the device applies or updates the configuration: @@ -196,7 +190,7 @@ payloadkeys: > Note: > The device never installs an older version of the app over a newer version. - key: AllowDownloadsOverCellular - title: Allow Downloads Over Cellular + title: Allow downloads over cellular supportedOS: iOS: introduced: '26.0' @@ -221,10 +215,8 @@ payloadkeys: - `StoreSettings`: The device uses the settings for the corresponding store when downloading apps. The device always uses the store settings to download apps when the install or update operation is user initiated. - - Available only in iOS. - key: UpdateBehavior - title: Update Behavior + title: Update behavior supportedOS: iOS: introduced: '26.0' @@ -237,7 +229,7 @@ payloadkeys: content: A dictionary that specifies how the device updates apps. subkeys: - key: AutomaticAppUpdates - title: Automatic App Updates + title: Automatic app updates type: presence: required rangelist: @@ -251,35 +243,29 @@ payloadkeys: - `AlwaysOff`: The device never automatically updates the app. - `StoreSettings`: The device uses the settings for the corresponding store to determine when to automatically update the app. For Enterprise apps, this setting behaves the same as `AlwaysOff`. - When the `InstallBehavior.Version` key is specified, the device ignores this key and Automatic App Updates are disabled. + When you specify the `InstallBehavior.Version` key, the device ignores this key and Automatic App Updates are disabled. In macOS, the device ignores this setting if the `AppComposedIdentifier` key is set in the configuration. - key: IncludeInBackup - title: Include in Backup + title: Include in backup supportedOS: macOS: introduced: n/a type: presence: optional default: true - content: |- - If `true`, backups contain the app and its data. - - Available only in iOS and visionOS. + content: If `true`, backups contain the app and its data. - key: Attributes - title: App Attributes + title: App attributes supportedOS: macOS: introduced: n/a type: presence: optional - content: |- - A dictionary of values to associate with the app. - - Available only in iOS and visionOS. + content: A dictionary of values to associate with the app. subkeys: - key: AssociatedDomains - title: Associated Domains + title: Associated domains type: presence: optional content: An array of domain names to associate with the app. @@ -290,13 +276,13 @@ payloadkeys: presence: required content: A domain to be associated with the app. - key: AssociatedDomainsEnableDirectDownloads - title: Associated Domains Enable Direct Downloads + title: Associated domains enable direct downloads type: presence: optional default: false content: If `true`, the system enables direct downloads for the `AssociatedDomains`. - key: CellularSliceUUID - title: Cellular Slice UUID + title: Cellular slice UUID supportedOS: visionOS: introduced: n/a @@ -307,12 +293,12 @@ payloadkeys: carrier-provided DNN name. For app category, encode the value as "AppCategory:category", where "category" is a carrier-provided string such as "Enterprise1". - key: ContentFilterUUID - title: Content Filter UUID + title: Content filter UUID type: presence: optional content: The UUID of the content filter to associate with the app. - key: DNSProxyUUID - title: DNS Proxy UUID + title: DNS proxy UUID type: presence: optional content: The UUID of the DNS proxy to associate with the app. @@ -347,7 +333,7 @@ payloadkeys: presence: optional content: The UUID of the relay to associate with the app. - key: TapToPayScreenLock - title: Tap to Pay Screen Lock + title: Tap to pay screen lock supportedOS: visionOS: introduced: n/a @@ -362,22 +348,19 @@ payloadkeys: presence: optional content: The UUID of the VPN to associate with the app. - key: AppConfig - title: App Config + title: App config supportedOS: iOS: introduced: '18.4' macOS: - introduced: n/a + introduced: '27.0' type: presence: optional - content: |- - A dictionary of app config data and credentials. - - Available only in iOS and visionOS. + content: A dictionary of app config data and credentials. subkeytype: AppConfigDictionary subkeys: &id001 - key: DataAssetReference - title: App/Extension Config Data Asset Reference + title: App/Extension config data asset reference type: assettypes: - com.apple.asset.data @@ -392,7 +375,7 @@ payloadkeys: type `com.apple.asset.data`. The referenced data needs to be a property list file, and the asset's "ContentType" value set to match the data type. - key: Passwords - title: Password App/Extension Configs. + title: Password App/Extension configs. type: presence: optional content: Provides passwords to the managed app or extension. Each element in the @@ -401,19 +384,20 @@ payloadkeys: subkeytype: CredentialConfig subkeys: - key: PasswordAppConfigItem + title: Password app config item type: presence: required content: A dictionary of values associated with a credential config. subkeys: - key: Identifier - title: Password Identifier + title: Password identifier type: presence: required content: The app or extension uses this identifier to fetch the corresponding password using the `ManagedApp` framework. App developers define the values for these identifiers. - key: AssetReference - title: Asset Reference + title: Asset reference type: assettypes: - com.apple.asset.credential.userpassword @@ -422,7 +406,7 @@ payloadkeys: and password. The `ManagedApp` framework makes the password available to the app or extension. The `ManagedApp` framework ignores the username. - key: Identities - title: Identity App/Extension Configs. + title: Identity App/Extension configs. type: presence: optional content: Provides identities to the managed app or extension. Each element in @@ -431,19 +415,20 @@ payloadkeys: subkeytype: CredentialConfig subkeys: - key: IdentityAppConfigItem + title: Identity app config item type: presence: required content: A dictionary of values associated with a credential config. subkeys: - key: Identifier - title: Identity Identifier + title: Identity identifier type: presence: required content: The app or extension uses this identifier to fetch the corresponding identity using the `ManagedApp` framework. App developers define the values for these identifiers. - key: AssetReference - title: Asset Reference + title: Asset reference type: assettypes: - com.apple.asset.credential.identity @@ -452,7 +437,7 @@ payloadkeys: presence: required content: Specifies the identifier of an asset declaration containing an identity. - key: Certificates - title: Certificate App/Extension Configs. + title: Certificate App/Extension configs. type: presence: optional content: Provides certificates to the managed app or extension. Each element in @@ -461,53 +446,53 @@ payloadkeys: subkeytype: CredentialConfig subkeys: - key: CertificateAppConfigItem + title: Certificate app config item type: presence: required content: A dictionary of values associated with a credential config. subkeys: - key: Identifier - title: Certificate Identifier + title: Certificate identifier type: presence: required content: The app or extension uses this identifier to fetch the corresponding certificate using the `ManagedApp` framework. App developers define the values for these identifiers. - key: AssetReference - title: Asset Reference + title: Asset reference type: assettypes: - com.apple.asset.credential.certificate presence: required content: Specifies the identifier of an asset declaration containing a certificate. - key: ExtensionConfigs - title: Extension Configs + title: Extension configs supportedOS: iOS: introduced: '18.4' macOS: - introduced: n/a + introduced: '27.0' type: presence: optional - content: |- - A dictionary of extension config data and credentials. - - Available only in iOS and visionOS. + content: A dictionary of extension config data and credentials. subkeys: - key: ANY - title: Extension Composed Identifier + title: Extension composed identifier type: presence: optional - content: A dictionary mapping extension composed identifiers to the extension - config data and credentials. The expected format is "Identifier (TeamIdentifier)". + content: |- + A dictionary mapping extension composed identifiers to the extension config data and credentials. + + The format of the composed identifier is either "Bundle-ID" or "Bundle-ID (Team-ID)". "Bundle-ID" is the bundle identifier string of the provider. "Team-ID" is the team identifier from the provider's code signature. For example, "com.example.app" for the bundle ID format, or "com.example.app (ABCD1234)" for the team ID format. subkeytype: AppConfigDictionary subkeys: *id001 - key: LegacyAppConfigAssetReference - title: App Config MDMv1 Asset Reference + title: App config MDMv1 asset reference supportedOS: iOS: introduced: '18.4' macOS: - introduced: n/a + introduced: '27.0' type: assettypes: - com.apple.asset.data @@ -520,9 +505,26 @@ payloadkeys: content: |- The identifier of an asset declaration containing a reference to the app config data. The device provides the app config data to the app using the MDMv1 behavior. The corresponding asset needs to be of type `com.apple.asset.data`. The referenced data needs to be a property list file, and the asset's "ContentType" value set to match the data type. - - Available only in iOS and visionOS. related-status-items: - status-items: - app.managed.list note: Each configuration has a corresponding status item. +examples: + title: Configuration examples + files: + - tab: App Store + description: This configuration installs an App Store app with `Required` install + behavior and a device license. + file: examples/declarative/declarations/configurations/app.managed/example1.json + - tab: Enterprise + description: This configuration installs an enterprise app with app attributes, + cellular downloads disallowed, and an update policy. + file: examples/declarative/declarations/configurations/app.managed/example2.json + - tab: Packaged + description: This configuration manages an app installed by a package using a + composed identifier to identify the app. + file: examples/declarative/declarations/configurations/app.managed/example3.json + - tab: Configuration + description: This configuration installs an enterprise app with declarative app + configuration for the app and an extension. + file: examples/declarative/declarations/configurations/app.managed/example4.json diff --git a/declarative/declarations/configurations/app.settings.yaml b/declarative/declarations/configurations/app.settings.yaml new file mode 100644 index 0000000..1daf4da --- /dev/null +++ b/declarative/declarations/configurations/app.settings.yaml @@ -0,0 +1,361 @@ +title: App:Settings +description: The declaration to configure app settings. +payload: + declarationtype: com.apple.configuration.app.settings + supportedOS: + iOS: + introduced: '27.0' + allowed-enrollments: + - supervised + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - user + macOS: + introduced: '27.0' + allowed-enrollments: + - supervised + allowed-scopes: + - system + - user + tvOS: + introduced: '27.0' + allowed-enrollments: + - supervised + allowed-scopes: + - system + visionOS: + introduced: '27.0' + allowed-enrollments: + - supervised + allowed-scopes: + - system + watchOS: + introduced: n/a + apply: combined +payloadkeys: +- key: Allowed + title: Allowed apps + type: + presence: optional + content: The dictionary of allowed app settings. + subkeys: + - key: AllowedApps + title: Allowed apps + supportedOS: + macOS: + introduced: n/a + type: + presence: optional + combinetype: set-intersection + content: If present, the device only shows or launches apps with bundle IDs in + the array. Include the value `com.apple.webapp` to allow all webclips. This + applies to App Store apps, marketplace apps, and locally installed apps (using + Configurator, Xcode, and so forth). + subkeys: &id001 + - key: AppIdentifier + type: + presence: required + content: String containing an identifier to match an app. + - key: DeniedApps + title: Denied apps + supportedOS: + macOS: + introduced: n/a + type: + presence: optional + combinetype: set-union + content: |- + If present, the device prevents showing or launching apps with bundle IDs in the + array. Include the value `com.apple.webapp` to restrict all webclips. This applies to + App Store apps, marketplace apps, and locally installed apps (using Configurator, + Xcode, and so forth). + > Note: + > Denying system apps may disable other functionality. For example, denying the App + Store app may prevent users from accepting the terms and conditions for the user-based + Volume Purchase Program (VPP). + subkeys: *id001 + - key: AllowedBinaries + title: Allowed binaries + supportedOS: + iOS: + introduced: n/a + macOS: + allowed-scopes: + - system + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + combinetype: set-intersection + content: If present, the device only allows binaries that match the binary identifier + properties to run. A binary only matches when all the binary identifiers match. + The device always runs system critical processes. Use "codesign -dvvv " + to show the information you need to generate these values. + subkeys: &id002 + - key: BinaryIdentifier + title: Binary identifier + type: + presence: required + content: Dictionary containing one or more identifier fields to match a binary. + subkeys: + - key: CDHash + title: Code directory hash + type: + presence: optional + content: The code signature code directory hash of the binary. + - key: SigningID + title: Signing ID + type: + presence: optional + content: The code signature signing identifier of the binary. + - key: TeamID + title: Team ID + type: + presence: optional + content: The code signature team identifier of the binary. Use the value "*APPLE*" + instead of an empty string for Apple binaries with an empty team identifier. + - key: PathPrefix + title: Path prefix + type: + presence: optional + content: The file system path prefix to match binaries. + - key: SigningState + title: Signing state + type: + presence: optional + rangelist: + - All + - TestFlight + - DeveloperID + - Enterprise + - AppStore + - Apple + default: All + combinetype: enum-last + content: The code signing state to match binaries. + - key: DeniedBinaries + title: Denied binaries + supportedOS: + iOS: + introduced: n/a + macOS: + allowed-scopes: + - system + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + combinetype: set-union + content: If present, the device doesn't allow binaries that match the binary identifier + properties to run. A binary only matches when all the binary identifiers match. + subkeys: *id002 + - key: AlwaysAllowManagedApps + title: Always allow managed apps + supportedOS: + iOS: + introduced: n/a + macOS: + allowed-scopes: + - system + tvOS: + introduced: n/a + visionOS: + introduced: n/a + type: + presence: optional + default: false + combinetype: boolean-or + content: If `true`, the device implicitly includes managed apps in the effective + allow list when `AllowedApps` or `AllowedBinaries` is present. +- key: Privacy + title: App privacy + supportedOS: + macOS: + allowed-scopes: + - user + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + content: The dictionary of app settings. + subkeys: + - key: PermissionDefaults + title: App privacy permission defaults + type: + presence: optional + content: |- + The dictionary of app privacy permission defaults. Each key in the dictionary is an app identifier. The dictionary values represent the permission defaults that the device applies for each matching app. + + In iOS, the app identifier is a bundle ID, for example, "com.example.app". + + In macOS, the app identifier is a composed identifier. The format of the composed identifier is either "Bundle-ID", "Bundle-ID (Team-ID)", or "Bundle-ID {Designated-Requirement}". "Bundle-ID" is the bundle identifier string of the app. "Team-ID" is the team identifier from the app's code signature. "Designated-Requirement" is the designated requirement string from the code signature of the app. For example, "com.example.app" for the bundle ID format, "com.example.app (ABCD1234)" for the team ID format, or "com.example.app {anchor apple generic}" for the designated requirement format. The device only applies defaults for an app if its code signature matches the composed identifier. + subkeys: + - key: ANY + type: + presence: optional + content: The dictionary that defines the app privacy permission defaults. Each + key is an app identifier. + subkeytype: AppDictionary + subkeys: + - key: OrganizationJustification + title: Organization justification + type: + presence: required + content: Text you provide that clearly explains to the user the reason why + the organization requires these app permission defaults. The device includes + this text in the permission consent prompt it displays when it launches + the app. + - key: Accessibility + title: Accessibility permission + supportedOS: + iOS: + introduced: n/a + type: + presence: optional + rangelist: + - None + - Allow + combinetype: enum-last + content: |- + Controls whether an app privacy permission default is set. + * `None`: No app privacy permission default is set for use of accessibility. + * `Allow`: The app privacy permission default is set to allow use of accessibility. + - key: Bluetooth + title: Bluetooth permission + type: + presence: optional + rangelist: + - None + - Allow + combinetype: enum-last + content: |- + Controls whether an app privacy permission default is set. + * `None`: No app privacy permission default is set for use of Bluetooth. + * `Allow`: The app privacy permission default is set to allow use of Bluetooth. + - key: Camera + title: Camera permission + type: + presence: optional + rangelist: + - None + - Allow + combinetype: enum-last + content: |- + Controls whether an app privacy permission default is set. + * `None`: No app privacy permission default is set for use of the camera. + * `Allow`: The app privacy permission default is set to allow use of the camera. + - key: Dictation + title: Dictation permission + type: + presence: optional + rangelist: + - None + - Allow + combinetype: enum-last + content: |- + Controls whether an app privacy permission default is set. + * `None`: No app privacy permission default is set for use of dictation. + * `Allow`: The app privacy permission default is set to allow use of dictation. + - key: LocalNetwork + title: Local network permission + type: + presence: optional + rangelist: + - None + - Allow + combinetype: enum-last + content: |- + Controls whether an app privacy permission default is set. + * `None`: No app privacy permission default is set for use of the local network. + * `Allow`: The app privacy permission default is set to allow use of the local network. + - key: Location + title: Location permission + type: + presence: optional + rangelist: + - None + - WhileUsing + - Always + combinetype: enum-last + content: |- + Controls whether an app privacy permission default is set. + * `None`: No app privacy permission default is set for access to location. + * `WhileUsing`: The app privacy permission default is set to allow access to location only while the user is using the app In macOS, this is equivalent to `Always`. + * `Always`: The app privacy permission default is set to allow access to location always. + - key: LocationAccuracy + title: Location accuracy permission + supportedOS: + macOS: + introduced: n/a + type: + presence: optional + rangelist: + - None + - Approximate + - Precise + combinetype: enum-last + content: |- + Controls whether an app privacy permission default is set. + * `None`: No app privacy permission default is set for access to precise location. + * `Approximate`: The app privacy permission default is set to allow approximate access to location. + * `Precise`: The app privacy permission default is set to allow precise access to location. + - key: Microphone + title: Microphone permission + type: + presence: optional + rangelist: + - None + - Allow + combinetype: enum-last + content: |- + Controls whether an app privacy permission default is set. + * `None`: No app privacy permission default is set for use of the microphone. + * `Allow`: The app privacy permission default is set to allow use of the microphone. +notes: +- title: Binary identifier rules + content: |- + The following combinations of binary identifiers are supported for each key: + + * `AllowedBinaries`: + * Either `CDHash` or `TeamID` needs to be present. + * `SigningID`, `PathPrefix`, or `SigningState` may be present. + * `DeniedBinaries`: + * Either `CDHash` or `TeamID` or `SigningID` needs to be present. + * `PathPrefix` or `SigningState` may be present. +- title: Privacy permission defaults + content: |- + Privacy permission defaults allow an organization to suggest a set of privacy permissions for use with an app. When set, the app displays a consent prompt listing all the configured defaults. If the user accepts, the device applies those defaults for the app. If the user declines, no defaults are set and the device prompts the user in the normal way when the app requires permission. + + The consent prompt only shows permissions that the user hasn't previously seen, and won't appear if the user has seen all permissions. The user can choose from one of two options in the prompt: + + * `Allow`: this option sets the app privacy permissions for the specified sub-systems (camera, microphone, and so on) to "Allow". The device doesn't prompt the user when the app uses the sub-system. + * `Not Now`: this option ignores the app privacy permission defaults for the specified sub-systems (camera, microphone, and so on). The device prompts the user in the normal way when the app uses the sub-system. + + The user can change the app permission privacy settings in Settings.app if they choose. + + Only AppKit-based apps on macOS support this feature. +examples: + title: Configuration examples + files: + - tab: Allow various permission defaults for several apps in iOS + description: This configuration sets various privacy permission defaults for several + apps. + file: examples/declarative/declarations/configurations/app.settings/example1.json + - tab: Allow various permission defaults for several apps in macOS + description: This configuration sets various privacy permission defaults for several + apps. + file: examples/declarative/declarations/configurations/app.settings/example2.json diff --git a/declarative/declarations/configurations/audio-accessory.settings.yaml b/declarative/declarations/configurations/audio-accessory.settings.yaml index d940b87..f71df8f 100644 --- a/declarative/declarations/configurations/audio-accessory.settings.yaml +++ b/declarative/declarations/configurations/audio-accessory.settings.yaml @@ -23,7 +23,7 @@ payload: apply: combined payloadkeys: - key: TemporaryPairing - title: Temporary Pairing + title: Temporary pairing type: presence: optional content: A dictionary that describes audio accessory temporary pairing behavior. @@ -32,14 +32,14 @@ payloadkeys: when temporary pairing is active. subkeys: - key: Disabled - title: Temporary Pairing Disabled + title: Temporary pairing disabled type: presence: optional default: false combinetype: boolean-or content: If `true`, temporary pairing of audio accessories is disabled. - key: Configuration - title: Temporary Pairing Configuration + title: Temporary pairing configuration type: presence: optional combinetype: first @@ -47,14 +47,14 @@ payloadkeys: if `Disabled` isn't present or is `false`. subkeys: - key: UnpairingTime - title: Temporary Pairing Unpairing Time + title: Temporary pairing unpairing time type: presence: required content: A dictionary that describes when the device automatically unpairs temporarily paired audio accessories. subkeys: - key: Policy - title: Unpairing Policy + title: Unpairing policy type: presence: required rangelist: @@ -65,7 +65,7 @@ payloadkeys: - `None`: The device doesn't automatically unpair. Use this only with a return to service device that you erase and reenroll when assigning it from one user to another. - `Hour`: The device automatically unpairs temporarily paired audio accessories at the local time that the `Hour` key specifies. - key: Hour - title: Hour of Unpairing + title: Hour of unpairing type: presence: optional range: @@ -81,3 +81,9 @@ notes: - Pair and use audio accessories - the device records the pairing and synchronizes it to their iCloud account. - Use the audio accessory AirPods Sharing feature. +examples: + title: Configuration example + files: + - description: This configuration enables temporary pairing and sets an unpairing + time of 6 pm. + file: examples/declarative/declarations/configurations/audio-accessory.settings/example1.json diff --git a/declarative/declarations/configurations/content-cache.settings.yaml b/declarative/declarations/configurations/content-cache.settings.yaml new file mode 100644 index 0000000..714f817 --- /dev/null +++ b/declarative/declarations/configurations/content-cache.settings.yaml @@ -0,0 +1,328 @@ +title: Content Caching +description: The declaration to configure the Content Caching service. +payload: + declarationtype: com.apple.configuration.content-cache.settings + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - local + allowed-scopes: + - system + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a + apply: single +payloadkeys: +- key: AllowCacheDelete + title: Allow cache delete + type: + presence: optional + default: true + content: If `true`, the system purges content from the cache automatically when + it needs disk space for other apps when free disk space runs low on the computer. + Set to `false` to maximize effectiveness of Content Caching. +- key: AllowPersonalCaching + title: Allow personal caching + type: + presence: optional + default: true + content: |- + If `true`, the system caches the user's iCloud data. Changes to this value don't have an immediate effect. Clients may take some time to react to changes. + + > Note: + > At least one of the `AllowPersonalCaching` or `AllowSharedCaching` keys need to be `true`. +- key: AllowSharedCaching + title: Allow shared caching + type: + presence: optional + default: true + content: |- + If `true`, the system caches non-iCloud content, such as apps and software updates. Changes to this value don't have an immediate effect. Clients may take some time to react to changes. + + > Note: + > At least one of the `AllowPersonalCaching` or `AllowSharedCaching` keys need to be `true`. +- key: AutoActivation + title: Auto activation + type: + presence: optional + default: false + content: |- + If `true`, the system automatically activates the content cache when possible and prevents disabling it. If `allowContentCaching` is `false`, `AutoActivation` is also `false`. + + Removing a profile that set `AutoActivation` to `true` doesn't deactivate the Content Cache. +- key: AutoEnableTetheredCaching + title: Auto enable tethered caching + type: + presence: optional + default: false + content: If `true`, the system automatically enables Internet connection sharing + when possible and prevent disabling Internet connection sharing. `DenyTetheredCaching` + overrides `AutoEnableTetheredCaching`. Tethered caching requires Content Caching. +- key: CacheLimit + title: Cache limit + type: + presence: optional + default: 0 + content: The maximum number of bytes of disk space to use for the content cache. + Set to `0` for unlimited disk space. Also serves as the upper bound to the `PersonalCacheLimit`. +- key: DataPath + title: Data path + type: + presence: optional + default: /Library/Application Support/Apple/AssetCache/Data + content: |- + The path to the directory used to store cached content. Changing this setting manually doesn't automatically move cached content from the old location to the new one. To move content automatically, use the Sharing preference's Content Caching pane. The value must be (or end with) `/Library/Application Support/Apple/AssetCache/Data`. + + The system creates a directory and its intermediates for the given data path if it doesn't already exist. The directory is owned by `_assetcache:_assetcache` and has mode 0750. Its immediate parent directory (`.../Library/Application Support/Apple/AssetCache`) is owned by `_assetcache:_assetcache` and has mode `0755`. +- key: DenyActivation + title: Deny activation + type: + presence: optional + default: false + content: If `true`, the system disables Content Caching. This is the inverse of + the `allowContentCaching` restriction in MDM. It overrides the `AutoActivation` + key. Use this key to prevent launching the Content Caching service. +- key: DenyTetheredCaching + title: Deny tethered caching + type: + presence: optional + default: false + content: If `true`, the system disables tethered caching. +- key: DeclarativeStatusInterval + title: Declarative status interval + type: + presence: optional + range: + min: 300 + max: 86400 + default: 0 + content: The time interval in seconds the system uses to update the `StatusContentCacheInfo` + declarative status item. The reporting interval can't be less than 60 (1 per minute) + or larger than 86400 (1 per day), defaults to 0 (off) +- key: DisplayAlerts + title: Display alerts + type: + presence: optional + default: false + content: If `true`, Content Caching displays exceptional conditions (alerts) as + system notifications in the upper corner of the screen. +- key: KeepAwake + title: Keep awake + type: + presence: optional + default: false + content: If `true`, the system prevents the computer from sleeping as long as Content + Caching is on (System Preferences > Sharing > Content Caching is on). Customers + who want Content Caching to be as available as much as possible should turn this + setting on. +- key: ListenRanges + title: Listen ranges + type: + presence: optional + content: An array of dictionaries that describe a range of client IP addresses to + serve. + subkeytype: RangesItem + subkeys: &id001 + - key: RangesItem + title: Ranges item + type: + content: A range of IP addresses to cache. + subkeys: + - key: type + title: Type + type: + presence: optional + rangelist: + - IPv4 + - IPv6 + default: IPv4 + content: The IP address type. + - key: first + title: First + type: + presence: required + content: The first IP address in the range. + - key: last + title: Last + type: + presence: required + content: The last IP address in the range. +- key: ListenRangesOnly + title: Listen ranges only + type: + presence: optional + default: false + content: If `true`, the content cache provides content to the clients in the `ListenRanges`. +- key: ListenWithPeersAndParents + title: Listen with peers and parents + type: + presence: optional + default: true + content: If `true`, the content cache provides content to the clients in the union + of the `ListenRanges`, `PeerListenRanges` and `Parents`. +- key: LocalSubnetsOnly + title: Local subnets only + type: + presence: optional + default: true + content: If `true`, the content cache offers content to clients only on the same + immediate local network only. The content cache offers no content to clients on + other networks reachable by the content cache. If `LocalSubnetsOnly` is `true`, + the system ignores `ListenRanges`. +- key: LogClientIdentity + title: Log client identity + type: + presence: optional + default: false + content: If `true`, the Content Cache logs the IP address and port number of the + clients that request content. +- key: Parents + title: Parents + type: + presence: optional + content: An array of the local IP addresses of other content caches that this cache + should download from or upload to, instead of downloading from or uploading to + Apple directly. The system ignores invalid addresses and addresses of computers + that aren't content caches. The system skips Parent caches that become unavailable. + If all parent content caches become unavailable, the content cache downloads from + or uploads to Apple directly, until a parent content cache becomes available again. + subkeys: + - key: ParentsItem + type: + presence: required + content: An IP address. +- key: ParentSelectionPolicy + title: Parent selection policy + type: + presence: optional + rangelist: + - first-available + - url-path-hash + - random + - round-robin + - sticky-available + default: round-robin + content: |- + The policy to implement when choosing among more than one configured parent content cache. With every policy, the system skips parent caches that are temporarily unavailable. Allowed values: + + - `first-available`: Always use the first available parent in the Parents list. Use this policy to designate permanent primary, secondary, and subsequent parents. + - `url-path-hash`: Hash the path part of the requested URL so that the same parent is always used for the same URL. This is useful for maximizing the size of the combined caches of the parents. + - `random`: Choose a parent at random. Use this policy for load balancing. + - `round-robin`: Rotate through the parents in order. Use this policy for load balancing. + - `sticky-available`: Use the first available parent in the Parents list until it becomes unavailable, then advance to the next one. Use this policy for designating floating primary, secondary, and subsequent parents. +- key: PeerFilterRanges + title: Peer filter ranges + type: + presence: optional + content: An array of dictionaries describing a range of peer IP addresses that the + content cache uses to filter its list of peers to query for content. The content + cache only queries peers in `PeerFilterRanges`. When `PeerFilterRanges` is an + empty array, the content cache doesn't query any peers. + subkeytype: RangesItem + subkeys: *id001 +- key: PeerListenRanges + title: Peer listen ranges + type: + presence: optional + content: An array of dictionaries describing a range of peer IP addresses the content + cache responds to. When `PeerListenRanges` is an empty array, the content cache + responds with an error to all cache queries. + subkeytype: RangesItem + subkeys: *id001 +- key: PeerLocalSubnetsOnly + title: Peer local subnets only + type: + presence: optional + default: true + content: If `true`, the content cache only peers with other content caches on the + same immediate local network, rather than with content caches that use the same + public IP address as the device. When `PeerLocalSubnetsOnly` is `true`, it overrides + the configuration of `PeerFilterRanges` and `PeerListenRanges`. If the network + changes, the local network peering restrictions update appropriately. If `false`, + the content cache defers to `PeerFilterRanges` and `PeerListenRanges` for configuring + the peering restrictions. +- key: PersonalCacheLimit + title: Personal cache limit + type: + presence: optional + default: 0 + content: The maximum number of bytes of disk space to use for the personal content + cache. The content cache limits the maximum value to the `CacheLimit` value. Set + to `0` to use the overall `CacheLimit`. +- key: Port + title: Port + type: + presence: optional + default: 0 + content: The TCP port number on which the content cache accepts requests for uploads + or downloads. Set to `0` to pick a random, available port. +- key: PublicRanges + title: Public ranges + type: + presence: optional + content: An array of dictionaries describing a range of public IP addresses that + the cloud servers should use for matching clients to content caches. + subkeytype: RangesItem + subkeys: *id001 +- key: ManagementStatusTarget + title: Management status target + type: + presence: optional + content: The target URL the system uses to send management statistics using an HTTP + PUT request with a json dictionary as the payload. If the URL is an https URL + (recommended) the `ManagementSecurityConfig` defines how the system secures the + connection. The system sends the management statistics report to the target URL + at an interval set by the `ManagementReportingInterval` value. +- key: ManagementSecurityConfig + title: Management security config + type: + presence: optional + rangelist: + - no-cert + - signedByCACert + - specificServerCert + default: no-cert + content: |- + If the `ManagementStatusTarget` is an https URL, the system uses this field to determine how the connection is secured. + + - `no-cert`: The system uses regular https processing using the built-in anchor certificates. + - `signedByCACert`: The system requires the https connection's certificate to be signed by the certificate provided in the `ManagementStatusCertificateReference` field. If your organization has a CA infrastructure this is the best choice. + - `specificServerCert`: The system requires the https connection's certificate to match the certificate provided in the `ManagementStatusCertificateReference` field. +- key: ManagementReportingInterval + title: Management reporting interval + type: + presence: optional + range: + min: 60 + max: 86400 + default: 300 + content: The reporting interval in seconds the system uses when `ManagementStatusTarget` + is present. The reporting interval can't be less than 60 (1 per minute) or larger + than 86400 (1 per day), and defaults to 300 (1 per 5 min). +- key: ManagementStatusCertificateReference + title: Management status certificate reference + type: + assettypes: + - com.apple.asset.credential.certificate + presence: optional + content: The identifier of an asset declaration that contains the certificate the + system uses to verify the security of the status reporting https connection. Required + when `ManagementSecurityConfig` is set to `signedByCACert` or `specificServerCert`. +examples: + title: Configuration examples + files: + - tab: Basic caching + description: This configuration enables content caching for both personal and + shared content with automatic activation. + file: examples/declarative/declarations/configurations/content-cache.settings/example1.json + - tab: Advanced caching + description: This configuration sets up content caching with a parent cache server, + a restricted listen range, and a fixed port. + file: examples/declarative/declarations/configurations/content-cache.settings/example2.json diff --git a/declarative/declarations/configurations/diskmanagement.settings.yaml b/declarative/declarations/configurations/diskmanagement.settings.yaml index 2dc344c..88b0a64 100644 --- a/declarative/declarations/configurations/diskmanagement.settings.yaml +++ b/declarative/declarations/configurations/diskmanagement.settings.yaml @@ -21,12 +21,13 @@ payload: apply: combined payloadkeys: - key: Restrictions + title: Restrictions type: presence: optional content: The restrictions for the disk. subkeys: - key: ExternalStorage - title: External Storage + title: External storage type: presence: optional rangelist: @@ -37,11 +38,11 @@ payloadkeys: content: |- Specifies the mount policy for external storage: - - `Allowed`: The system can mount external storage that is read-write or read-only. - - `ReadOnly`: The system can only mount read-only external storage. Note that external storage that is read-write will not be mounted read-only. + - `Allowed`: The system can mount external storage that's read-write or read-only. + - `ReadOnly`: The system can only mount read-only external storage. Note that external storage that's read-write won't be mounted read-only. - `Disallowed`: The system can't mount any external storage. - key: NetworkStorage - title: Network Storage + title: Network storage type: presence: optional rangelist: @@ -52,6 +53,12 @@ payloadkeys: content: |- Specifies the mount policy for network storage: - - `Allowed`: The system can mount network storage that is read-write or read-only. - - `ReadOnly`: The system can only mount read-only network storage. Note that network storage that is read-write will not be mounted read-only. + - `Allowed`: The system can mount network storage that's read-write or read-only. + - `ReadOnly`: The system can only mount read-only network storage. Note that network storage that's read-write won't be mounted read-only. - `Disallowed`: The system can't mount any network storage. +examples: + title: Configuration example + files: + - description: This configuration prevents the use of external and network storage + devices. + file: examples/declarative/declarations/configurations/diskmanagement.settings/example1.json diff --git a/declarative/declarations/configurations/extensible-sso.yaml b/declarative/declarations/configurations/extensible-sso.yaml new file mode 100644 index 0000000..4b2e439 --- /dev/null +++ b/declarative/declarations/configurations/extensible-sso.yaml @@ -0,0 +1,570 @@ +title: Extensible SSO +description: The declaration to configure Extensible Single Sign-On. +payload: + declarationtype: com.apple.configuration.extensible-sso + supportedOS: + iOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - device + - user + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - user + macOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - user + allowed-scopes: + - system + - user + tvOS: + introduced: n/a + visionOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - device + - user + allowed-scopes: + - system + watchOS: + introduced: n/a + apply: multiple +payloadkeys: +- key: ExtensionComposedIdentifier + title: Extension composed identifier + type: + presence: required + content: |- + The identifier of the provider to use for this configuration. Useful for apps that contain more than one DNS proxy extension. + + In iOS and visionOS, the identifier is a bundle ID, for example, "com.example.app.sso-extension". + + In macOS, the identifier is a composed identifier. The format of the composed identifier is "Bundle-ID (Team-ID)". "Bundle-ID" is the bundle identifier string of the app extension. "Team-ID" is the team identifier from the app extension's code signature. For example, "com.example.app.sso-extension (ABCD1234)". +- key: Type + title: Type + type: + presence: required + rangelist: + - Credential + - Redirect + content: The type of SSO. +- key: Realm + title: Realm + type: + presence: optional + content: The realm name for `Credential` payloads. Use proper capitalization for + this value. Ignored for `Redirect` payloads. +- key: ExtensionData + title: Extension data + type: + presence: optional + content: A dictionary of arbitrary data passed through to the app extension. + subkeys: + - key: ANY + type: + presence: optional + content: Keys and values to pass to the app extension. +- key: URLs + title: URLs + type: + presence: optional + content: |- + An array of URL prefixes of identity providers where the app extension performs SSO. + + Required for `Redirect` payloads. Ignored for `Credential` payloads. + + The URLs need to begin with `http://` or `https://`. + + The system: + + - Matches scheme and host name case-insensitively + - Doesn't allow query parameters and URL fragments + - Requires that the URLs of all installed Extensible SSO payloads are unique + subkeys: + - key: URL + type: + presence: required + content: An http or https URL prefix. +- key: Hosts + title: Hosts + type: + presence: optional + content: |- + An array of host or domain names that apps can authenticate through the app extension. + + Required for `Credential` payloads. Ignored for `Redirect` payloads. + + The system: + + - Matches host or domain names case-insensitively + - Requires that all the host and domain names of all installed Extensible SSO payloads are unique + + > Note: + > Host names that begin with a "." are wildcard suffixes that match all subdomains; otherwise the host name needs be an exact match. + subkeys: + - key: hostname + type: + presence: required + content: A host or domain name, with or without a leading dot. +- key: DeniedBundleIdentifiers + title: Denied bundle identifiers + type: + presence: optional + content: An array of bundle identifiers of apps that don't use SSO provided by this + extension. + subkeys: + - key: bundleIdentifier + type: + presence: required + content: The bundle identifier of the app. +- key: ScreenLockedBehavior + title: Screen locked behavior + type: + presence: optional + rangelist: + - Cancel + - DoNotHandle + default: Cancel + content: If set to `Cancel`, the system cancels authentication requests when the + screen is locked. If set to `DoNotHandle`, the request continues without SSO instead. + This doesn't apply to requests where `userInterfaceEnabled` is `false`, or for + background `URLSession` requests. +- key: PlatformSSO + title: Platform SSO + supportedOS: + iOS: + introduced: n/a + visionOS: + introduced: n/a + type: + presence: optional + content: The dictionary to configure Platform SSO. + subkeys: + - key: AuthenticationMethod + title: Authentication method + type: + presence: optional + rangelist: + - Password + - UserSecureEnclaveKey + - SmartCard + - OpenID + content: The Platform SSO authentication method to use with the extension. Requires + that the SSO Extension also support the method. + - key: RegistrationToken + title: Registration token + supportedOS: + iOS: + introduced: n/a + visionOS: + introduced: n/a + type: + presence: optional + content: The token this device uses for registration with Platform SSO. Use it + for silent registration with the Identity Provider. Requires that `AuthenticationMethod` + in `PlatformSSO` isn't empty. + - key: UseSharedDeviceKeys + title: Use shared device keys + supportedOS: + macOS: + allowed-scopes: + - system + type: + presence: optional + default: false + content: If `true`, the system uses the same signing and encryption keys for all + users. + - key: LoginFrequency + title: Login frequency + type: + presence: optional + range: + min: 3600 + default: 64800 + content: The duration, in seconds, until the system requires a full login instead + of a refresh. The default value is 64,800 (18 hours). The minimum value is 3600 + (1 hour). + - key: AllowDeviceIdentifiersInAttestation + title: Allow device identifiers in attestation + type: + presence: optional + default: false + content: If `true`, the system includes the device UDID and serial number in Platform + SSO attestations. + - key: Account + title: Account + type: + presence: optional + content: Account display and profile settings. + subkeys: + - key: DisplayName + title: Display name + type: + presence: optional + content: The display name for the account in notifications and authentication + requests. + - key: SynchronizeProfilePicture + title: Synchronize profile picture + type: + presence: optional + default: false + content: If `true`, the system requests the user's profile picture from the + SSO extension. + - key: UserCreation + title: User creation + type: + presence: optional + content: Settings for creating new users via Platform SSO. + subkeys: + - key: EnableAtLogin + title: Enable at login + type: + presence: optional + default: false + content: Enables creating users at the Login Window with an `AuthenticationMethod` + of either `Password` or `SmartCard`. Requires that `UseSharedDeviceKeys` is + `true`. + - key: EnableFirstUserDuringSetup + title: Enable first user during setup + type: + presence: optional + default: true + content: If `true`, the device uses Platform SSO to create the first user account + on the Mac during `Setup Assistant`. + - key: EnableRegistrationDuringSetup + title: Enable registration during setup + type: + presence: optional + default: false + content: If `true`, the system enables the PlatformSSO registration process + during Setup Assistant on devices running macOS 26 and later. Set this key + to `true` when configuring PlatformSSO before enrollment using the `com.apple.psso.required` + error response. + - key: NewUserAuthenticationMethods + title: New user authentication methods + type: + presence: optional + content: The set of authentication methods to use for newly created accounts + at login or during `Setup Assistant`. The system uses `Password` and `SmartCard` + if this key isn't present. + subkeys: + - key: NewUserAuthenticationMethod + type: + presence: optional + rangelist: + - Password + - SmartCard + - AccessKey + - OpenID + content: |- + An authentication method to use for newly created accounts at login or during `Setup Assistant`. Allowed values: + + * `Password`: The account uses a password for authentication. + * `SmartCard`: The account uses a smart card for authentication. + * `AccessKey`: The account uses an access key for authentication. + * `OpenID`: The account uses OpenID for authentication. + - key: NewUserAuthorizationMode + title: New user authorization mode + type: + presence: optional + rangelist: + - Standard + - Admin + - Groups + - Temporary + content: |- + The permission to apply to newly created accounts at login. Allowed values: + + * `Standard`: The account is a standard user. + * `Admin`: The system adds the account to the local administrators group. + * `Groups`: The system assigns groups to the account using `Authorization.AdministratorGroups`, `Authorization.AdditionalGroups`, or `Authorization.AuthorizationGroups`. + * `Temporary`: The system uses a temporary session configuration for newly created accounts at login. + - key: TokenToUserMapping + title: Token to user mapping + type: + presence: optional + content: The attribute mapping to use when creating users, or for authorization. + subkeys: + - key: AccountName + title: Account name + type: + presence: optional + content: The claim name to use for the user's account name. + - key: FullName + title: Full name + type: + presence: optional + content: The claim name to use for the user's full name. + - key: TemporarySessionQuickLogin + title: Temporary session quick login + type: + presence: optional + default: false + content: If `true`, the system uses a quicker Authenticated Guest Mode login + to Mac behavior. The system erases user data from only select locations in + the user home directory after each session completes. Once every eight hours + the system erases the full user home directory after a session completes. + Turn this on for shared environments that have a high frequency of short sessions. + - key: Authorization + title: Authorization + type: + presence: optional + content: Settings for authorization prompts and group management. + subkeys: + - key: EnableIdentityProviderAccounts + title: Enable identity provider accounts + type: + presence: optional + default: false + content: Enables using identity provider accounts at authorization prompts. + Requires that `UseSharedDeviceKeys` is `true`. The system assigns groups using + `AdministratorGroups`, `AdditionalGroups`, or `AuthorizationGroups`. + - key: UserAuthorizationMode + title: User authorization mode + type: + presence: optional + rangelist: + - Standard + - Admin + - Groups + content: |- + The permission to apply to an account each time the user authenticates. Allowed values: + + * `Standard`: The account is a standard user. + * `Admin`: The system adds the account to the local administrators group. + * `Groups`: The system assigns group to the account using `AdministratorGroups`, `AdditionalGroups`, or `AuthorizationGroups`. + - key: AdministratorGroups + title: Administrator groups + type: + presence: optional + content: The list of groups to use for administrator access. The system requests + membership during authentication. + subkeys: + - key: Group + type: + presence: optional + content: The group name. + - key: AdditionalGroups + title: Additional groups + type: + presence: optional + content: The list of created groups that don't have administrator access. + subkeys: + - key: Group + type: + presence: optional + content: The group name. + - key: AuthorizationGroups + title: Authorization groups + type: + presence: optional + content: The pairing of Authorization Rights to group names. When using this, + the system updates the Authorization Right to use the group. + subkeys: + - key: ANY + type: + presence: optional + content: The key is an access right value, the value is the group to be associated + with that access right. + - key: AccessKey + title: Access key + type: + presence: optional + content: Settings for Access Key authentication. + subkeys: + - key: ReaderGroupIdentifier + title: Reader group identifier + type: + presence: optional + content: The reader group identifier for use with the `AccessKey`. The value + needs to match the configured access key. Required if `UserCreation.AuthenticationMethods` + contains `AccessKey`. + - key: TerminalIdentityAssetReference + title: Terminal identity asset reference + type: + assettypes: + - com.apple.asset.credential.identity + - com.apple.asset.credential.scep + - com.apple.asset.credential.acme + presence: optional + content: The identifier of an asset declaration that contains the identity to + use as the Terminal identity of the Access Key. The Access Key needs to trust + the identity. Required if `UserCreation.AuthenticationMethods` includes `AccessKey`. + - key: ReaderIssuerCertificateAssetReference + title: Reader issuer certificate asset reference + type: + assettypes: + - com.apple.asset.credential.certificate + presence: optional + content: The identifier of an asset declaration that contains the certificate + for the issuer certificate of the `Terminal` identity of the access key. Other + specifications refer to the key as the "Reader CA Public Key". The key must + be an elliptic curve key. Required if `UserCreation.AuthenticationMethods` + includes `AccessKey`. The issuer of the Terminal identity of the access key + needs to match this certificate, otherwise the device fails the authentication. + - key: AllowExpressMode + title: Allow express mode + type: + presence: optional + default: false + content: If `true`, the system uses the access key in express mode, and doesn't + require authentication before use. + - key: Policies + title: Policies + type: + presence: optional + content: Policies for login, unlock, and FileVault behavior. + subkeys: + - key: FileVault + title: FileVault + type: + presence: optional + content: |- + The policy to apply when using Platform SSO at FileVault unlock on a Mac with Apple silicon. Applies when `AuthenticationMethod` is `Password`. + + * `AttemptAuthentication`: The device attempts Platform SSO authentication before proceeding. If offline, unlock continues if the local account password matches. If online and the credential is incorrect, then the device requires a successful Platform SSO authentication is required, even if taken offline. + * `RequireAuthentication`: The device requires Platform SSO authentication before proceeding. If the device is offline and `AllowOfflineGracePeriod` is enabled, then the device uses the offline `OfflineGracePeriod` to determine if the user can proceed or not. If online and the credential is incorrect, then the device requires a valid Platform SSO authentication to proceed, regardless of the `OfflineGracePeriod`. If the account isn't registered for Platform SSO and `AllowAuthenticationGracePeriod` is enabled, then the device uses `AuthenticationGracePeriod` to determine if the user can proceed or not. + * `AllowOfflineGracePeriod`: The device allows the use of the `OfflineGracePeriod` when `RequireAuthentication` is enabled. If `AllowOfflineGracePeriod` isn't set, then the device denies offline access. + * `AllowAuthenticationGracePeriod`: The device allows the use of the `AuthenticationGracePeriod` for other local accounts when `RequireAuthentication` is enabled. The `AuthenticationGracePeriod` starts when any of the policies are updated. If `AllowAuthenticationGracePeriod` isn't set, then the device denies unregistered account access. + * `RequireTouchID`: The device requires the use of Touch ID (and not Apple Watch) for File Vault unlock. + * `RequireTouchIDOrWatch`: The device requires the use of Touch ID or Apple Watch for File Vault unlock. + * `AllowOpenIDForTouchIDFallback`: The device allows web login as a fallback if touchID fails or isn't available. + subkeys: + - key: policy + type: + presence: required + rangelist: + - AttemptAuthentication + - RequireAuthentication + - AllowOfflineGracePeriod + - AllowAuthenticationGracePeriod + - RequireTouchID + - RequireTouchIDOrWatch + - AllowOpenIDForTouchIDFallback + content: The policy to apply. + - key: Login + title: Login + type: + presence: optional + content: |- + The policy to apply when using Platform SSO at the Login Window. Applies when `AuthenticationMethod` is `Password`. + + * `AttemptAuthentication`: The device attempts Platform SSO authentication before proceeding. If offline, login continues if the local account password matches. If online and the credential is incorrect, then the device requires a successful Platform SSO authentication to proceed, even if taken offline. + * `RequireAuthentication`: The device requires Platform SSO authentication before proceeding. If the device is offline and `AllowOfflineGracePeriod` is enabled, then the device uses the offline `OfflineGracePeriod` to determine if the user can proceed or not. If online and the credential is incorrect, then the device requires a valid Platform SSO authentication to proceed, regardless of the `OfflineGracePeriod`. If the account isn't registered for Platform SSO and `AllowAuthenticationGracePeriod` is enabled, then the device uses the `AuthenticationGracePeriod` to determine if the user can proceed or not. + * `AllowOfflineGracePeriod`: The device allows the use of the `OfflineGracePeriod` when `RequireAuthentication` is enabled. If `AllowOfflineGracePeriod` isn't set, then the device denies offline access. Applies to web login and all offline passwords. + * `AllowAuthenticationGracePeriod`: The device allows the use of the `AuthenticationGracePeriod` for other local accounts when `RequireAuthentication` is enabled. The `AuthenticationGracePeriod` starts when any of the policies have been updated. If `AllowAuthenticationGracePeriod` isn't set, then the device denies unregistered account access. + * `RequireTouchID`: The device requires the use of Touch ID (and not Apple Watch) for login. + * `RequireTouchIDOrWatch`: The device requires the use of Touch ID or Apple Watch for login. + * `AllowOpenIDForTouchIDFallback`: The device allows web login as fallback if touchID fails or isn't available. + subkeys: + - key: policy + type: + presence: required + rangelist: + - AttemptAuthentication + - RequireAuthentication + - AllowOfflineGracePeriod + - AllowAuthenticationGracePeriod + - RequireTouchID + - RequireTouchIDOrWatch + - AllowOpenIDForTouchIDFallback + content: The policy to apply. + - key: Unlock + title: Unlock + type: + presence: optional + content: |- + The policy to apply when using Platform SSO at screensaver unlock. Applies when `AuthenticationMethod` is `Password`. later. + + * `AttemptAuthentication`: The device attempts Platform SSO authentication before proceeding. If offline, unlock will continue if the local account password matches. If online and the credential is incorrect, then the device requires a successful Platform SSO authentication to proceed, even if taken offline. + * `RequireAuthentication`: The device requires Platform SSO authentication before proceeding. If the device is offline and `AllowOfflineGracePeriod` is enabled, then the offline `OfflineGracePeriod` is used to determine if the user can proceed or not. If online and the credential is incorrect, then the device requires a valid Platform SSO authentication to proceed regardless of the `OfflineGracePeriod`. If the account isn't registered for Platform SSO and `AllowAuthenticationGracePeriod` is enabled, then the device uses `AuthenticationGracePeriod` to determine if the user can proceed or not. + * `AllowOfflineGracePeriod`: The device allows the use of the `OfflineGracePeriod` when `RequireAuthentication` is enabled. If `AllowOfflineGracePeriod` isn't set, then the device denies offline access. + * `AllowAuthenticationGracePeriod`: The device allows the use of the `AuthenticationGracePeriod` for other local accounts when `RequireAuthentication` is enabled. The `AuthenticationGracePeriod` starts when any of the policies have been updated. If `AllowAuthenticationGracePeriod` isn't set, then the device denies the unregistered account access. + * `AllowTouchIDOrWatchForUnlock`: The device allows TouchID or Watch to unlock the screensaver instead of Platform SSO authentication when `RequireAuthentication` is enabled. + * `RequireTouchID`: The device requires the use of Touch ID (and not Apple Watch) for unlock. + * `RequireTouchIDOrWatch`: RThe device requires the use of Touch ID or Apple Watch for unlock. + * `AllowOpenIDForTouchIDFallback`: The device allows web login as fallback if touchID fails or isn't available. + subkeys: + - key: policy + type: + presence: required + rangelist: + - AttemptAuthentication + - RequireAuthentication + - AllowOfflineGracePeriod + - AllowAuthenticationGracePeriod + - AllowTouchIDOrWatchForUnlock + - RequireTouchID + - RequireTouchIDOrWatch + - AllowOpenIDForTouchIDFallback + content: The policy to apply. + - key: OfflineGracePeriod + title: Offline grace period + type: + presence: optional + content: The amount of time after the last successful Platform SSO login for + using a local account password offline. Required when setting `AllowOfflineGracePeriod`. + - key: AuthenticationGracePeriod + title: Authentication grace period + type: + presence: optional + content: The amount of time after receiving or updating a `Policies.FileVault`, + `Policies.Login`, or `Policies.Unlock` that the system can use unregistered + local accounts. Required when `AllowAuthenticationGracePeriod` is set. + - key: NonPlatformSSOAccounts + title: Non-platform SSO accounts + type: + presence: optional + content: The list of local accounts that aren't subject to the `Policies.FileVault`, + `Policies.Login`, or `Policies.Unlock` policies. The accounts don't receive + a prompt to register for Platform SSO. + subkeys: + - key: username + type: + presence: required + content: A local account username. + - key: WebAuthentication + title: Web authentication + supportedOS: + macOS: + introduced: '27.0' + type: + presence: optional + content: Settings for web authentication behavior. + subkeys: + - key: URLAllowList + title: URL allow list + type: + presence: optional + content: The set of allowed hosts that the system can load in the PSSO web view. + Required if `AuthenticationMethod` is set to `OpenID`, or `UserCreation.AuthenticationMethods` + contains `OpenID`. + subkeys: + - key: Hosts + type: + presence: optional + content: A host or host prefix. + - key: AllowPasswordSync + title: Allow password sync + type: + presence: optional + default: false + content: If `true`, the system detects the password during web authentication + and synchronizes it to the local account password for the user. +examples: + title: Configuration examples + files: + - tab: Credential + description: This configuration sets up a Credential-type SSO extension that handles + authentication for hosts in the example.com domain. + file: examples/declarative/declarations/configurations/extensiblesso/example1.json + - tab: Redirect + description: This configuration sets up a Redirect-type SSO extension that intercepts + authentication requests to specific login URLs. + file: examples/declarative/declarations/configurations/extensiblesso/example2.json diff --git a/declarative/declarations/configurations/external-intelligence.settings.yaml b/declarative/declarations/configurations/external-intelligence.settings.yaml index 6144994..c728a95 100644 --- a/declarative/declarations/configurations/external-intelligence.settings.yaml +++ b/declarative/declarations/configurations/external-intelligence.settings.yaml @@ -29,24 +29,23 @@ payload: watchOS: introduced: n/a apply: combined - content: Configures External Intelligence Integrations settings. payloadkeys: - key: Enabled - title: Allow External Intelligence Integrations + title: Allow external intelligence integrations type: presence: optional default: true combinetype: boolean-and content: If `false`, disables external intelligence integrations. - key: AllowSignIn - title: Allow External Intelligence Integrations Sign In + title: Allow external intelligence integrations sign in type: presence: optional default: true combinetype: boolean-and content: If `false`, disables sign-in for external intelligence integrations. - key: AllowedWorkspaceIDs - title: Allowed External Intelligence Workspace IDs + title: Allowed external intelligence workspace IDs type: presence: optional combinetype: set-intersection @@ -57,5 +56,11 @@ payloadkeys: operation. subkeys: - key: workspaceID - title: Allowed Workspace ID + title: Allowed workspace ID type: +examples: + title: Configuration examples + files: + - tab: External Intelligence Restrictions + description: This configuration restricts external intelligence integrations. + file: examples/declarative/declarations/configurations/external-intelligence.settings/example1.json diff --git a/declarative/declarations/configurations/intelligence.settings.yaml b/declarative/declarations/configurations/intelligence.settings.yaml index 9093340..8530ee1 100644 --- a/declarative/declarations/configurations/intelligence.settings.yaml +++ b/declarative/declarations/configurations/intelligence.settings.yaml @@ -29,7 +29,6 @@ payload: watchOS: introduced: n/a apply: combined - content: Configures Apple Intelligence settings. payloadkeys: - key: AllowAppleIntelligenceReport title: Allow Apple Intelligence Report @@ -99,6 +98,26 @@ payloadkeys: presence: optional content: If present, configures app-specific Intelligence features. subkeys: + - key: Calendar + title: Calendar + supportedOS: + iOS: + introduced: '27.0' + macOS: + introduced: '27.0' + visionOS: + introduced: '27.0' + type: + presence: optional + content: If present, configures Calendar and Reminders Intelligence features. + subkeys: + - key: AllowNaturalLanguageEditing + title: Allow Natural Language Editing + type: + presence: optional + default: true + combinetype: boolean-and + content: If `false`, disables Natural Language Editing in Calendar and Reminders. - key: Mail title: Mail type: @@ -177,3 +196,9 @@ payloadkeys: default: false combinetype: boolean-or content: If `true`, forces On-Device Only Translation. +examples: + title: Configuration examples + files: + - tab: Intelligence Restrictions + description: This configuration restricts several Apple Intelligence features. + file: examples/declarative/declarations/configurations/intelligence.settings/example1.json diff --git a/declarative/declarations/configurations/keyboard.settings.yaml b/declarative/declarations/configurations/keyboard.settings.yaml index 7edbf53..693c970 100644 --- a/declarative/declarations/configurations/keyboard.settings.yaml +++ b/declarative/declarations/configurations/keyboard.settings.yaml @@ -26,10 +26,9 @@ payload: watchOS: introduced: n/a apply: combined - content: Configures keyboard settings. payloadkeys: - key: AllowAutoCorrection - title: Allow Auto-Correction + title: Allow auto-correction supportedOS: macOS: introduced: n/a @@ -39,21 +38,21 @@ payloadkeys: combinetype: boolean-and content: If `false`, disables auto-correction. - key: AllowDefinitionLookup - title: Allow Definition Lookup + title: Allow definition lookup type: presence: optional default: true combinetype: boolean-and content: If `false`, disables definition lookup. - key: AllowDictation - title: Allow Dictation + title: Allow dictation type: presence: optional default: true combinetype: boolean-and content: If `false`, disables dictation. - key: AllowMathKeyboardSuggestions - title: Allow Math Keyboard Suggestions + title: Allow math keyboard suggestions type: presence: optional default: true @@ -61,7 +60,7 @@ payloadkeys: content: If `false`, disables keyboard suggestions that include math solutions. This key is also supported by the math.settings configuration. - key: AllowPredictiveText - title: Allow Predictive Text + title: Allow predictive text supportedOS: macOS: introduced: n/a @@ -71,7 +70,7 @@ payloadkeys: combinetype: boolean-and content: If `false`, disables predictive text. - key: AllowSlideToType - title: Allow Slide to Type + title: Allow slide to type supportedOS: macOS: introduced: n/a @@ -81,7 +80,7 @@ payloadkeys: combinetype: boolean-and content: If `false`, disables slide to type. - key: AllowSpellCheck - title: Allow Spell Check + title: Allow spell check supportedOS: macOS: introduced: n/a @@ -91,7 +90,7 @@ payloadkeys: combinetype: boolean-and content: If `false`, disables spell check. - key: AllowTextReplacement - title: Allow Text Replacement + title: Allow text replacement supportedOS: macOS: introduced: n/a @@ -100,3 +99,9 @@ payloadkeys: default: true combinetype: boolean-and content: If `false`, disables text replacement. +examples: + title: Configuration examples + files: + - tab: Keyboard Restrictions + description: This configuration restricts keyboard features. + file: examples/declarative/declarations/configurations/keyboard.settings/example1.json diff --git a/declarative/declarations/configurations/legacy.interactive.yaml b/declarative/declarations/configurations/legacy.interactive.yaml index 2457b62..d6dd153 100644 --- a/declarative/declarations/configurations/legacy.interactive.yaml +++ b/declarative/declarations/configurations/legacy.interactive.yaml @@ -43,13 +43,37 @@ payloadkeys: - key: ProfileURL title: Profile's URL. type: - presence: required + presence: optional content: |- - The URL of the profile to download and install, which needs to start with `https://`, and must be hosted by the MDM server. + The URL of the profile to download and install, which needs to start with `https://`. The request uses MDM semantics, which includes the device-identity certificate, and any user authentication. This is equivalent to an MDM request made to the `CheckInURL` or `ServerURL`. - If a user enrollment triggers this configuration, the system silently ignores any MDMv1 payloads in macOS that are forbidden with user enrollment. In iOS, the system rejects the entire profile. + One of `ProfileURL` or `ProfileAssetReference` needs to be present. +- key: ProfileAssetReference + title: Profile asset reference + supportedOS: + iOS: + introduced: '27.0' + macOS: + introduced: '27.0' + tvOS: + introduced: '27.0' + visionOS: + introduced: '27.0' + type: + assettypes: + - com.apple.asset.data + asset-content-types: + - application/plist + - application/x-plist + - application/xml + - text/xml + presence: optional + content: |- + The identifier of an asset declaration containing a reference to the profile data. The corresponding asset needs to be of type `com.apple.asset.data`. The referenced data needs to be a property list file, and the asset's "ContentType" value set to match the data type. + + One of `ProfileURL` or `ProfileAssetReference` needs to be present. - key: VisibleName - title: Configuration Visible Name + title: Configuration visible name type: presence: required content: The visible name of the configuration. This name needs to indicate the @@ -63,3 +87,14 @@ notes: - `com.apple.mdm` - `com.apple.declarations` + + If a user enrollment triggers this configuration: in macOS the system silently ignores any MDMv1 payloads in macOS where the User Enrollment Mode setting is `forbidden`; in iOS, tvOS, watchOS and visionOS, the system rejects the entire profile if any MDMv1 payload has its User Enrollment Mode setting set to `forbidden`. +examples: + title: Configuration examples + files: + - tab: URL + description: Downloads the profile from a URL on the MDM server. + file: examples/declarative/declarations/configurations/legacy.interactive/example1.json + - tab: Asset + description: Downloads the profile using an asset. + file: examples/declarative/declarations/configurations/legacy.interactive/example2.json diff --git a/declarative/declarations/configurations/legacy.yaml b/declarative/declarations/configurations/legacy.yaml index 864dac2..727e084 100644 --- a/declarative/declarations/configurations/legacy.yaml +++ b/declarative/declarations/configurations/legacy.yaml @@ -54,11 +54,37 @@ payloadkeys: - key: ProfileURL title: Profile's URL. type: - presence: required + presence: optional content: |- - The URL of the profile to download and install, which needs to start with `https://`, and must be hosted by the MDM server. + The URL of the profile to download and install, which needs to start with `https://`. The request uses MDM semantics, which includes the device-identity certificate, and any user authentication. This is equivalent to an MDM request made to the `CheckInURL` or `ServerURL`. - If a user enrollment triggers this configuration, the system silently ignores any MDMv1 payloads in macOS where the User Enrollment Mode setting is `forbidden`. In iOS, the system rejects the entire profile. + One of `ProfileURL` or `ProfileAssetReference` needs to be present. +- key: ProfileAssetReference + title: Profile asset reference + supportedOS: + iOS: + introduced: '27.0' + macOS: + introduced: '27.0' + tvOS: + introduced: '27.0' + visionOS: + introduced: '27.0' + watchOS: + introduced: '27.0' + type: + assettypes: + - com.apple.asset.data + asset-content-types: + - application/plist + - application/x-plist + - application/xml + - text/xml + presence: optional + content: |- + The identifier of an asset declaration containing a reference to the profile data. The corresponding asset needs to be of type `com.apple.asset.data`. The referenced data needs to be a property list file, and the asset's "ContentType" value set to match the data type. + + One of `ProfileURL` or `ProfileAssetReference` needs to be present. notes: - title: '' content: |- @@ -68,3 +94,35 @@ notes: - `com.apple.mdm` - `com.apple.declarations` + + If a user enrollment triggers this configuration: in macOS the system silently ignores any MDMv1 payloads in macOS where the User Enrollment Mode setting is `forbidden`; in iOS, tvOS, watchOS and visionOS, the system rejects the entire profile if any MDMv1 payload has its User Enrollment Mode setting set to `forbidden`. +- title: Transition profiles from MDM + content: |- + A declarative device management (DDM) legacy profile can take control of profiles installed via MDM. This avoids the need to first remove the MDM profile, before installing the DDM equivalent. DDM cannot take over control of non-MDM-installed profiles. + + The rules for transitioning profiles are: + + 1. An existing MDM-installed profile is present (installed by MDM using the `Install-Profile-Command`). + 2. DDM is enabled on the device. + 3. The server sends a legacy profile configuration to the device and ensures it is "activated". + 1. The DDM profile that the configuration applies needs to conform to the following requirements: + 1. The DDM profile's `PayloadIdentifier` and `PayloadUUID` need to match that of the MDM profile. + 2. The DDM profile needs to have the same number of payloads as the MDM profile. + 3. The DDM profile payloads needs to have the same `PayloadType`, `PayloadIdentifier`, and `PayloadUUID`, in the same order as the profile payloads in the MDM profile. + 2. If the DDM profile doesn't conform to the above requirements, the configuration isn't applied and its `valid` status is set to `invalid`. + 3. The `Profile-List-Command` can be used to determine the "structure" of existing MDM profiles to satisfy the above requirements. + + When DDM takes control of the MDM profile, the following occurs: + + 1. The system doesn't reinstall the profile. Instead, the MDM profile's existing system state remains unchanged. Thus system state won't include any differences between the MDM and DDM profiles (other than the structural items outlined above that must match). + 2. Any attempt to install, update, or remove the profile using MDM commands fails (using the usual identifier and UUID matching rules). This holds true while the DDM profile is active. + 3. Updates to the DDM configuration result in the system reapplying the profile which updates the system state with any new or changed settings. +examples: + title: Configuration examples + files: + - tab: URL + description: Downloads the profile from a URL on the MDM server. + file: examples/declarative/declarations/configurations/legacy/example1.json + - tab: Asset + description: Downloads the profile using an asset. + file: examples/declarative/declarations/configurations/legacy/example2.json diff --git a/declarative/declarations/configurations/management.status-subscriptions.yaml b/declarative/declarations/configurations/management.status-subscriptions.yaml index 246cb24..1b0da2d 100644 --- a/declarative/declarations/configurations/management.status-subscriptions.yaml +++ b/declarative/declarations/configurations/management.status-subscriptions.yaml @@ -47,17 +47,24 @@ payload: apply: combined payloadkeys: - key: StatusItems - title: Status Items + title: Status items type: presence: required combinetype: set-union content: An array of status items that the device notifies subscribers about. subkeys: - key: StatusItem + title: Status item type: content: The declaration for configuring a specific status subscription. subkeys: - key: Name + title: Name type: presence: required content: The name of the status item to send to subscribers. +examples: + title: Configuration example + files: + - description: This configuration subscribes to a set of device status items. + file: examples/declarative/declarations/configurations/management.status-subscriptions/example1.json diff --git a/declarative/declarations/configurations/management.test.yaml b/declarative/declarations/configurations/management.test.yaml index 069958f..63de4dd 100644 --- a/declarative/declarations/configurations/management.test.yaml +++ b/declarative/declarations/configurations/management.test.yaml @@ -1,5 +1,5 @@ title: Management:Test -description: The declaration to test declarative device management. +description: The declaration to configure a declarative device management test. payload: declarationtype: com.apple.configuration.management.test supportedOS: @@ -52,12 +52,12 @@ payload: apply: multiple payloadkeys: - key: Echo - title: Status Echo + title: Status echo type: presence: required content: The string to echo back in a status response reason. - key: EchoDataAssetReference - title: Status Echo from Asset + title: Status echo from asset supportedOS: iOS: introduced: '17.0' @@ -72,7 +72,7 @@ payloadkeys: content: The string to read from a data asset to echo back in status response reason description. - key: ReturnStatus - title: Status to Return + title: Status to return type: presence: optional rangelist: @@ -82,3 +82,9 @@ payloadkeys: default: Installed content: The status the system reports back when the device implements the configuration. Use this to override the normal `success` result. +examples: + title: Configuration example + files: + - description: This configuration tests the management framework with a custom status + result. + file: examples/declarative/declarations/configurations/management.test/example1.json diff --git a/declarative/declarations/configurations/math.settings.yaml b/declarative/declarations/configurations/math.settings.yaml index 4593003..8cff565 100644 --- a/declarative/declarations/configurations/math.settings.yaml +++ b/declarative/declarations/configurations/math.settings.yaml @@ -25,20 +25,22 @@ payload: watchOS: introduced: n/a apply: combined - content: Configures the built-in math and calculator app settings. payloadkeys: - key: Calculator + title: Calculator type: presence: optional content: If present, configures the built-in Calculator app. subkeys: - key: BasicMode + title: Basic mode type: presence: optional content: If present, configures the basic mode of the calculator. Basic mode is always enabled. subkeys: - key: AddSquareRoot + title: Add square root type: presence: required combinetype: boolean-or @@ -46,17 +48,20 @@ payloadkeys: +/- button. Normally, the square root button is available in scientific mode, so this key can be used to make it available when the scientific mode is restricted. - key: ScientificMode + title: Scientific mode type: presence: optional content: If present, configures the scientific mode of the calculator. If not present, scientific mode is enabled. subkeys: - key: Enabled + title: Enabled type: presence: required combinetype: boolean-and content: Controls whether the mode is enabled. - key: ProgrammerMode + title: Programmer mode supportedOS: iOS: introduced: n/a @@ -66,33 +71,39 @@ payloadkeys: present, programmer mode is enabled. subkeys: - key: Enabled + title: Enabled type: presence: required combinetype: boolean-and content: Controls whether the mode is enabled. - key: MathNotesMode + title: Math notes mode type: presence: optional content: If present, configures the Math Notes mode of the calculator. If not present, Math Notes mode is enabled. subkeys: - key: Enabled + title: Enabled type: presence: required combinetype: boolean-and content: Controls whether the mode is enabled. - key: InputModes + title: Input modes type: presence: optional content: If present, controls global input options of the calculator. If not present, all input modes are enabled. subkeys: - key: UnitConversion + title: Unit conversion type: presence: required combinetype: boolean-and content: Configures whether unit conversions are enabled. - key: RPN + title: RPN supportedOS: iOS: introduced: n/a @@ -101,18 +112,27 @@ payloadkeys: combinetype: boolean-and content: Configures whether RPN input is enabled. - key: SystemBehavior + title: System behavior type: presence: optional content: If present, configures math behavior in the system. subkeys: - key: KeyboardSuggestions + title: Keyboard suggestions type: presence: required combinetype: boolean-and content: Controls whether keyboard suggestions include math solutions. This key is also supported by the keyboard.settings configuration. - key: MathNotes + title: Math notes type: presence: required combinetype: boolean-and content: Controls whether Math Notes is allowed in other apps such as Notes. +examples: + title: Configuration example + files: + - description: This configuration prevents the use of scientific and programmer + modes in calculator app. + file: examples/declarative/declarations/configurations/math.settings/example1.json diff --git a/declarative/declarations/configurations/migration-assistant.settings.yaml b/declarative/declarations/configurations/migration-assistant.settings.yaml index 8c11056..a63b4b9 100644 --- a/declarative/declarations/configurations/migration-assistant.settings.yaml +++ b/declarative/declarations/configurations/migration-assistant.settings.yaml @@ -18,14 +18,15 @@ payload: watchOS: introduced: n/a apply: combined - content: Configures the managed migration functions of Migration Assistant. payloadkeys: - key: ShouldDoManagedMigration + title: Should do managed migration type: presence: required combinetype: boolean-or content: If `true`, the device manages Migration Assistant. - key: ExcludedAccounts + title: Excluded accounts type: presence: optional combinetype: set-union @@ -35,6 +36,7 @@ payloadkeys: - key: _Accounts type: - key: ExcludedPaths + title: Excluded paths type: presence: optional combinetype: set-union @@ -46,6 +48,7 @@ payloadkeys: - key: _ExcludedPaths type: - key: RequiredPaths + title: Required paths type: presence: optional combinetype: set-union @@ -57,6 +60,7 @@ payloadkeys: - key: _RequiredPaths type: - key: ShouldMigrateSecurityPrivacySettings + title: Should migrate security privacy settings type: presence: required combinetype: boolean-or @@ -69,3 +73,8 @@ notes: Configure the device to use the `AwaitingConfiguration` state after it enrolls with the server. The server needs to send the configuration and verify the configuration as both active and valid using the Declarative Device Management status, before it sends the `DeviceConfiguredCommand` command to exit that state. The device reports Migration Assistant progress using the `StatusMigrationAssistantState` status item, and provides a report when migration completes using the `StatusMigrationAssistantReport` status item. +examples: + title: Configuration example + files: + - description: This configuration provides settings for a Mac to Mac migration. + file: examples/declarative/declarations/configurations/migration-assistant.settings/example1.json diff --git a/declarative/declarations/configurations/network.dns-proxy.yaml b/declarative/declarations/configurations/network.dns-proxy.yaml new file mode 100644 index 0000000..dc5b531 --- /dev/null +++ b/declarative/declarations/configurations/network.dns-proxy.yaml @@ -0,0 +1,84 @@ +title: Network:DNS Proxy +description: The declaration to configure DNS proxy settings. +payload: + declarationtype: com.apple.configuration.network.dns-proxy + supportedOS: + iOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - device + - user + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + macOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - local + allowed-scopes: + - system + tvOS: + introduced: n/a + visionOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - device + - user + allowed-scopes: + - system + watchOS: + introduced: n/a + apply: multiple +payloadkeys: +- key: VisibleName + title: Visible name + type: + presence: required + content: The name of the DNS proxy configuration that the system displays on the + device. +- key: AppBundleIdentifier + title: App bundle identifier + type: + presence: required + content: The bundle identifier of the app containing the DNS proxy network extension. +- key: ProviderComposedIdentifier + title: Provider composed identifier + type: + presence: optional + content: |- + The identifier of the provider to use for this configuration. Useful for apps that contain more than one DNS proxy extension. + + In iOS and visionOS, the identifier is a bundle ID, for example, "com.example.app". + + In macOS, the identifier is a composed identifier. The format of the composed identifier is either "Bundle-ID" or "Bundle-ID {Designated-Requirement}". "Bundle-ID" is the bundle identifier string of the provider. "Designated-Requirement" is the designated requirement string from the code signature of the provider. For example, "com.example.app" for the bundle ID format, or "com.example.app {anchor apple generic}" for the designated requirement format. +- key: ProviderConfiguration + title: Provider configuration + type: + presence: optional + content: The dictionary of vendor-specific configuration items. + subkeys: + - key: ANY + type: + presence: optional + content: Key/value pairs. +- key: DNSProxyUUID + title: DNS proxy UUID + supportedOS: + macOS: + introduced: n/a + type: + presence: optional + content: A globally unique identifier for this DNS proxy configuration. The proxy + processes DNS lookups traffic for managed apps with the same `DNSProxyUUID` in + their app attributes. This key is required for user enrollment. +examples: + title: Configuration example + files: + - description: This configuration sets up a DNS proxy using a Network Extension + app. + file: examples/declarative/declarations/configurations/network.dns-proxy/example1.json diff --git a/declarative/declarations/configurations/network.dns-settings.yaml b/declarative/declarations/configurations/network.dns-settings.yaml new file mode 100644 index 0000000..6445997 --- /dev/null +++ b/declarative/declarations/configurations/network.dns-settings.yaml @@ -0,0 +1,254 @@ +title: Network:DNS Settings +description: The declaration to configure encrypted DNS settings. +payload: + declarationtype: com.apple.configuration.network.dns-settings + supportedOS: + iOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - device + - local + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + macOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - local + allowed-scopes: + - system + tvOS: + introduced: n/a + visionOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - device + - local + allowed-scopes: + - system + watchOS: + introduced: n/a + apply: multiple +payloadkeys: +- key: VisibleName + title: Visible name + type: + presence: required + content: The name of the DNS settings that the system displays on the device. +- key: DNSSettings + title: DNS settings + type: + presence: required + content: A dictionary that defines a configuration for an encrypted DNS server. + subkeys: + - key: DNSProtocol + title: DNS protocol + type: + presence: required + rangelist: + - HTTPS + - TLS + content: The encrypted transport protocol used to communicate with the DNS server. + - key: ServerURL + title: Server URL + type: + presence: optional + content: The URI template of a DNS-over-HTTPS server, as defined in RFC 8484. + This URL needs to use the `https://` scheme, and the system uses the hostname + or address in the URL to validate the server certificate. If no `ServerAddresses` + are provided, the system uses the hostname or address in the URL to determine + the server addresses. Required if `DNSProtocol` is `HTTPS`. + - key: ServerName + title: Server name + type: + presence: optional + content: The hostname of a DNS-over-TLS server used to validate the server certificate, + as defined in RFC 7858. If no `ServerAddresses` are provided, the system uses + the hostname to determine the server addresses. This key must be present only + if the DNSProtocol is `TLS`. + - key: ServerAddresses + title: DNS server addresses + type: + presence: optional + content: An unordered list of DNS server IP address strings. These IP addresses + can be a mixture of IPv4 and IPv6 addresses. + subkeys: + - key: ServerAddressesElement + title: Server address element + type: + - key: AllowFailover + title: Allow failover + type: + presence: optional + default: false + content: If `true`, the device allows failover to the default system DNS resolver. + - key: IdentityAssetReference + title: Certificate identity asset reference + type: + assettypes: + - com.apple.asset.credential.identity + - com.apple.asset.credential.scep + - com.apple.asset.credential.acme + presence: optional + content: Specifies the identifier of an asset declaration containing an identity + that the system uses to authenticate the user to the DNS resolver. + - key: SupplementalMatchDomains + title: Supplemental match domains + type: + presence: optional + content: |- + A list of domain strings used to determine which DNS queries use the DNS server. If not set, all domains use the DNS server. + + The system supports a single wildcard (`*`) prefix, but it's not required. For example, both `*.example.com` and `example.com` match against `mydomain.example.com` and `your.domain.example.com`, but don't match against `mydomain-example.com`. + subkeys: + - key: SupplementalMatchDomainsElement + title: Supplemental match domains element + type: +- key: OnDemandRules + title: On demand rules + type: + presence: optional + content: An array of rules that define the DNS settings. If not set, the system + always applies the DNS settings. These rules are identical to the `OnDemandRules` + array in VPN payloads. + subkeytype: OnDemandRulesElement + subkeys: + - key: OnDemandRulesElement + title: On demand rules element + type: + subkeys: + - key: Action + title: On demand action + type: + presence: required + rangelist: + - Connect + - Disconnect + - EvaluateConnection + content: |- + The action to take if this dictionary matches the current network. Allowed values: + + - `Connect`: Apply DNS Settings when the dictionary matches. + - `Disconnect`: Don't apply DNS Settings when the dictionary matches. + - `EvaluateConnection`: Apply DNS Settings with per-domain exceptions when the dictionary matches. + - key: ActionParameters + title: Action parameters + type: + presence: optional + content: An array of dictionaries that provide per-connection rules. The system + uses this array only for settings where the `Action` value is `EvaluateConnection`. + subkeys: + - key: ActionParameter + title: Action parameter + type: + presence: optional + content: |- + A dictionary that provides per-connection rules. + The keys allowed in each dictionary are described below. Note: This array is only for dictionaries in which `EvaluateConnection` is the `Action` value. + subkeys: + - key: Domains + title: Domains + type: + presence: required + content: The domains for which this evaluation applies. + subkeys: + - key: DomainsElement + title: Domains element + type: + - key: DomainAction + title: Domain action + type: + presence: required + rangelist: + - NeverConnect + - ConnectIfNeeded + content: |- + The DNS settings behavior for the specified domains. Allowed values: + + * 'NeverConnect': Don't use the DNS Settings for the specified domains. + * 'ConnectIfNeeded': Allow using the DNS Settings for the specified domains. + - key: DNSDomainMatch + title: DNS domain match + type: + presence: optional + content: |- + An array of domain names. This rule matches if any of the domain names in the specified list matches any domain in the device's search domains list. + + The system supports a single wildcard (`*`) prefix, but it's not required. For example, both `*.example.com` and `example.com` match against `mydomain.example.com` and `your.domain.example.com`, but don't match against `mydomain-example.com`. + subkeys: + - key: DNSDomainMatchElement + title: DNS domain match element + type: + - key: DNSServerAddressMatch + title: DNS server address match + type: + presence: optional + content: |- + An array of IP addresses. This rule matches if any of the network's specified DNS servers match any entry in the array. + + The system supports matching with a single wildcard. For example, `17.*` matches any DNS server in the 17.0.0.0/8 subnet. + subkeys: + - key: DNSServerAddressMatchElement + title: DNS server address match element + type: + - key: InterfaceTypeMatch + title: Interface type match + type: + presence: optional + rangelist: + - Ethernet + - WiFi + - Cellular + content: An interface type. If specified, this rule matches only if the primary + network interface hardware matches the specified type. + - key: SSIDMatch + title: SSID match + type: + presence: optional + content: An array of SSIDs to match against the current network. If the network + isn't a Wi-Fi network or if the SSID doesn't appear in this array, the match + fails. Omit this key and the corresponding array to match against any SSID. + subkeys: + - key: SSIDMatchElement + title: SSID match element + type: + - key: URLStringProbe + title: URL string probe + type: + presence: optional + content: A URL to probe. This rule matches if this URL is successfully fetched + and returns a 200 HTTP status code without redirection. +- key: ProhibitDisablement + title: Prohibit disablement + supportedOS: + iOS: + allowed-enrollments: + - supervised + macOS: + allowed-enrollments: + - supervised + visionOS: + allowed-enrollments: + - supervised + type: + presence: optional + default: false + content: If `true`, the system prohibits users from disabling DNS settings. +notes: +- title: '' + content: |- + The following rules determine which networks the settings apply to: + + * For supervised enrollments, the settings apply to all networks. + * For device enrollments, the settings are limited to only managed networks. + * For local installs, the settings apply to all networks. +examples: + title: Configuration example + files: + - description: This configuration sets up encrypted DNS using DNS-over-HTTPS. + file: examples/declarative/declarations/configurations/network.dns-settings/example1.json diff --git a/declarative/declarations/configurations/network.relay.yaml b/declarative/declarations/configurations/network.relay.yaml new file mode 100644 index 0000000..dbca8bd --- /dev/null +++ b/declarative/declarations/configurations/network.relay.yaml @@ -0,0 +1,190 @@ +title: Network:Relay +description: The declaration to configure Network Relay settings. +payload: + declarationtype: com.apple.configuration.network.relay + supportedOS: + iOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - device + - user + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - user + macOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - user + allowed-scopes: + - system + tvOS: + introduced: n/a + visionOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - device + - user + allowed-scopes: + - system + watchOS: + introduced: n/a + apply: multiple +payloadkeys: +- key: VisibleName + title: Visible name + type: + presence: required + content: The name of the network relays that the system displays on the device. +- key: Relays + title: Relays + type: + presence: required + content: An array of dictionaries that describe one or more relay servers that the + system can chain together. + subkeys: + - key: Relay + title: Network relay + type: + subkeys: + - key: HTTP3RelayURL + title: HTTP/3 relay URL + type: + presence: optional + content: |- + The URL or URI template, as defined in RFC 9298, of a relay server that's reachable using HTTP/3 and supports proxying TCP and UDP using the CONNECT method. + + Each relay needs to include either `HTTP2RelayURL` or `HTTP3RelayURL`, or it can include both. + - key: HTTP2RelayURL + title: HTTP/2 relay URL + type: + presence: optional + content: |- + The URL or URI template, as defined in RFC 9298, of a relay server that's reachable using HTTP/2 and supports proxying TCP and UDP using the CONNECT method. + + Each relay needs to include either `HTTP2RelayURL` or `HTTP3RelayURL`, or it can include both. + - key: AdditionalHTTPHeaderFields + title: Additional HTTP header fields + type: + presence: optional + content: A dictionary that contains custom HTTP header keys and values to add + to each request. The dictionary key name represents the HTTP header field + name to use, and the dictionary value is the string to use as the HTTP header + field value. + subkeys: + - key: ANY + type: + presence: required + content: The HTTP header field value for the corresponding header field name. + - key: CredentialAssetReference + title: Credential asset reference + type: + assettypes: + - com.apple.asset.credential.identity + - com.apple.asset.credential.scep + - com.apple.asset.credential.acme + presence: optional + content: The identifier of an asset declaration that contains the identity to + install. + - key: PublicKeyData + title: Public keys + type: + assettypes: + - com.apple.asset.data + presence: optional + content: |- + An array of references to data assets containing DER-encoded public key data that the system uses to authenticate the server during a TLS handshake. The server needs to use one of the keys in the handshake to authenticate. + If this array is empty, the system uses the default TLS trust evaluation. + subkeys: + - key: PublicKeyDataAssetReference + title: Public key asset reference + type: +- key: MatchDomains + title: Match domains + type: + presence: optional + content: |- + A list of domain strings that the system uses to determine which connection to route through the servers in `Relays`. + + Any connection that matches a domain in the list exactly or is a subdomain of the listed domain uses the relay servers, unless it matches a domain in `ExcludedDomains`. + + If this list and `MatchFQDNs` are empty, the system routes traffic to all domains to the relay servers, except those that match an excluded domain or excluded FQDN. + subkeys: + - key: MatchDomainsElement + title: Match domains element + type: +- key: ExcludedDomains + title: Excluded domains + type: + presence: optional + content: A list of domain strings to exclude from routing through the servers in + `Relays`. Any connection that matches a domain in the list exactly or is a subdomain + of the listed domain won't use the relay server. + subkeys: + - key: ExcludedDomainsElement + title: Excluded domains element + type: +- key: MatchFQDNs + title: Match FQDNs + type: + presence: optional + content: A list of Fully Qualified Domain Names (FQDNs) to route through the servers + contained in `Relays`. Any connection that matches an FQDN in the list exactly + uses the relay servers. If this list and `MatchDomains` are empty, the system + routes traffic to all domains to the relay servers, except those that match an + excluded domain or excluded FQDN. + subkeys: + - key: MatchFQDNsElement + title: Match FQDNs element + type: +- key: ExcludedFQDNs + title: Excluded FQDNs + type: + presence: optional + content: A list of Fully Qualified Domain Names (FQDNs) to exclude from routing + through the servers contained in `Relays`. Any connection that matches an FQDN + in the list exactly won't use the relay server. When `MatchDomains` is also present, + any FQDN listed in the list should be a subdomain of at least one `MatchDomain` + value, otherwise it won't have any effect. + subkeys: + - key: ExcludedFQDNsElement + title: Excluded FQDNs element + type: +- key: RelayUUID + title: Relay UUID + supportedOS: + macOS: + introduced: n/a + type: + presence: optional + content: A globally unique identifier for this relay configuration. The system uses + this UUID to route managed apps through the servers in `Relays`. This key is required + for user enrollment. +- key: UIToggleEnabled + title: UI toggle enabled + type: + presence: optional + default: true + content: If `true`, the device allows the user to disable this network relay configuration. +- key: AllowDNSFailover + title: Allow DNS failover + type: + presence: optional + default: false + content: If `true`, the device allows the relay to failover to the default system + DNS resolver. +examples: + title: Configuration examples + files: + - tab: Single relay + description: This configuration routes traffic to two domains through a single + HTTP/2 relay with a custom authorization header. + file: examples/declarative/declarations/configurations/network.relay/example1.json + - tab: Chained relays + description: This configuration routes specific hostnames through two chained + relay hops supporting both HTTP/2 and HTTP/3. + file: examples/declarative/declarations/configurations/network.relay/example2.json diff --git a/declarative/declarations/configurations/network.vpn.always-on.yaml b/declarative/declarations/configurations/network.vpn.always-on.yaml new file mode 100644 index 0000000..0b9bf33 --- /dev/null +++ b/declarative/declarations/configurations/network.vpn.always-on.yaml @@ -0,0 +1,975 @@ +title: Network:VPN:AlwaysOn +description: The declaration to configure a VPN using the Always On sub-type. +payload: + declarationtype: com.apple.configuration.network.vpn.always-on + supportedOS: + iOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - device + - local + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - device + - local + allowed-scopes: + - system + watchOS: + introduced: n/a + apply: single +payloadkeys: +- key: VisibleName + title: Visible name + type: + presence: required + content: The name of the VPN connection that the system displays on the device. +- key: UIToggleEnabled + title: UI toggle enabled + type: + presence: optional + default: false + content: If `true`, allows the user to disable the VPN configuration. +- key: TunnelConfigurations + title: Tunnel configurations + type: + presence: required + content: An array that contains an arbitrary number of tunnel configurations. + subkeys: + - key: TunnelConfigurationElement + title: A tunnel configuration element + type: + subkeys: + - key: ProtocolType + title: Protocol type + type: + presence: required + rangelist: + - IKEv2 + content: The type of connection, which needs to be `IKEv2`. + - key: Interfaces + title: Interfaces + type: + presence: optional + content: The interfaces to apply this configuration to. + subkeys: + - key: InterfacesElement + title: Interfaces element + type: + rangelist: + - Cellular + - WiFi + - key: IKEV2 + title: IKEv2 configuration + type: + presence: optional + content: The IKEv2 configuration for this tunnel. + subkeys: + - key: HostName + title: Host name + type: + presence: required + content: The IP address or hostname of the VPN server. + - key: LocalIdentifier + title: Local identifier + type: + presence: required + content: Identifier of the IKEv2 client. + - key: RemoteIdentifier + title: Remote identifier + type: + presence: required + content: The remote identifier. + - key: Authentication + title: Authentication details + type: + presence: required + content: Settings that control authentication. + subkeys: + - key: Method + title: Authentication method + type: + presence: required + rangelist: + - None + - SharedSecret + - Certificate + content: |- + The type of authentication method for the VPN. + + To enable EAP-only authentication, set this to `None` and `ExtendedAuthEnabled` to `true`. If this is `None` and the `ExtendedAuthEnabled` key isn't set, the authentication configuration defaults to `SharedSecret`. + - key: CredentialsAssetReference + title: Credentials asset reference + type: + assettypes: + - com.apple.asset.credential.userpassword + presence: optional + content: The identifier of an asset declaration that contains the credentials + (password) to authenticate with the VPN server. Required when `Authentication.Method` + is set to `SharedSecret`. + - key: IdentityCertificateType + title: Certificate type + type: + presence: optional + rangelist: + - RSA + - ECDSA256 + - ECDSA384 + - ECDSA521 + - RSA-PSS + default: RSA + content: The type of key used by the identity set in the `IdentityAssetReference` + to use for IKEv2 machine authentication. If this key is included, the + system requires a value for `ServerCertificateIssuerCommonName`. + - key: IdentityAssetReference + title: Identity asset reference + type: + assettypes: + - com.apple.asset.credential.acme + - com.apple.asset.credential.identity + - com.apple.asset.credential.scep + presence: optional + content: The identifier of a credential asset declaration that contains + the identity that this account requires to authenticate with the VPN server. + If the value of `AuthenticationMethod` is `Certificate`, the system sends + this certificate out for IKEv2 machine authentication. If extended authentication + (EAP) is used, the system sends this certificate out for EAP-TLS authentication. + Required when `Authentication.Method` is set to `Certificate`. + - key: ExtendedAuth + title: Extended authentication (EAP) + type: + presence: optional + content: Specifies details about how the VPN routes different types of network + traffic. + subkeys: + - key: Enabled + title: Enabled + type: + presence: optional + default: false + content: If `true`, enables EAP-only authentication. + - key: CredentialsAssetReference + title: Credentials asset reference + type: + assettypes: + - com.apple.asset.credential.userpassword + presence: optional + content: The identifier of an asset declaration that contains the credentials + (user name and password) to authenticate with the VPN server. Required + when `Enabled` is set to `true`. Implies the use of EAP-MSCHAPv2. + - key: ServerCertificateIssuerCommonName + title: Server certificate issuer common name + type: + presence: optional + content: Common Name of the server certificate issuer. If set, this field + causes IKE to send a certificate request based on this certificate issuer + to the server. This key is required if the `IdentityCertificateType` + key is included and the `ExtendedAuth.Enabled` key is `true`. + - key: ServerCertificateCommonName + title: Server certificate common name + type: + presence: optional + content: The common name of the server certificate. The system uses this + name to validate the certificate sent by the IKE server. If not set, + the system uses the remote identifier to validate the certificate. + - key: TLSMinimumVersion + title: TLS minimum version + type: + presence: optional + rangelist: + - '1.0' + - '1.1' + - '1.2' + - '1.3' + default: '1.0' + content: The minimum TLS version to use with EAP-TLS authentication. + - key: TLSMaximumVersion + title: TLS maximum version + type: + presence: optional + rangelist: + - '1.0' + - '1.1' + - '1.2' + - '1.3' + default: '1.2' + content: The maximum TLS version to use with EAP-TLS authentication. + - key: Provider + title: Provider details + type: + presence: optional + content: Specifies details about the provider. + subkeys: + - key: Type + title: Type + type: + presence: optional + rangelist: + - packet-tunnel + - app-proxy + default: packet-tunnel + content: The type of VPN service. If the value is `app-proxy`, the service + tunnels traffic at the app level. If the value is `packet-tunnel`, the + service tunnels traffic at the IP layer. + - key: ComposedIdentifier + title: Composed identifier + type: + presence: optional + content: |- + In iOS, tvOS, and visionOS, the identifier is a bundle ID, for example, "com.example.app". + + In macOS, the identifier is a composed identifier. The format of the composed identifier is either "Bundle-ID", "Bundle-ID (Team-ID)", or "Bundle-ID {Designated-Requirement}". "Bundle-ID" is the bundle identifier string of the provider. "Team-ID" is the team identifier from the provider's code signature. "Designated-Requirement" is the designated requirement string from the code signature of the provider. For example, "com.example.app" for the bundle ID format, "com.example.app (ABCD1234)" for the team ID format, or "com.example.app {anchor apple generic}" for the designated requirement format. + - key: NetworkRouting + title: Network routing details + supportedOS: + tvOS: + introduced: n/a + type: + presence: optional + content: Specifies details about how the VPN routes different types of network + traffic. + subkeys: + - key: EnforceRoutes + title: Enforce routes + type: + presence: optional + default: false + content: |- + If `true`, all the VPN's non-default routes take precedence over any locally defined routes. + + If `IncludeAllNetworks` is `true`, the system ignores the value of `EnforceRoutes`. + - key: IncludeAllNetworks + title: Include all networks + type: + presence: optional + default: false + content: |- + If `true`, routes all traffic through the VPN, with some exclusions. Several of the exclusions can be controlled with the `ExcludeLocalNetworks`, `ExcludeCellularServices`, `ExcludeAPNs` and `ExcludeDeviceCommunication` properties. The following traffic is always excluded from the tunnel: + + - Traffic necessary for connecting and maintaining the device's network connection, such as DHCP. + - Traffic necessary for connecting to captive networks. + - Certain cellular services traffic that's not routable over the internet and is instead directly routed to the cellular network. See the ExcludeCellularServices property for more details. + - Network communication with a companion device such as a watchOS device. + - key: ExcludeLocalNetworks + title: Exclude local networks + type: + presence: optional + content: If `true` and `IncludeAllNetworks` is `true`, routes all local + network traffic outside the VPN. + - key: ExcludeCellularServices + title: Exclude cellular services + type: + presence: optional + default: true + content: If `true` and `IncludeAllNetworks` is `true`, then the system excludes + internet-routable network traffic for cellular services (VoLTE, Wi-Fi + Calling, IMS, MMS, Visual Voicemail, etc.) from the tunnel. Note that + some cellular carriers route cellular services traffic directly to the + carrier network, bypassing the internet. The device always excludes such + cellular services traffic from the tunnel. + - key: ExcludeAPNs + title: Exclude APNs + type: + presence: optional + default: true + content: If `true` and `IncludeAllNetworks` is `true`, then the system excludes + the network traffic for the Apple Push Notification service (APNs) from + the tunnel. + - key: ExcludeDeviceCommunication + title: Exclude device communication + type: + presence: optional + default: true + content: If set to `true` and `IncludeAllNetworks` is set to `true`, the + device excludes network traffic used for communicating with devices connected + via USB or Wi-Fi from the tunnel. + - key: Idle + title: Disconnect on idle settings. + type: + presence: optional + content: Specifies details about how the system handles idle VPN connections. + subkeys: + - key: Disconnect + title: Enable disconnect on idle + type: + presence: optional + default: false + content: If `true`, disconnects after an on-demand connection idles. + - key: Timer + title: Disconnect on idle time + type: + presence: optional + content: The length of time to wait, in seconds, before disconnecting an + on-demand connection. + - key: DeadPeerDetectionRate + title: Dead peer detection rate + type: + presence: optional + rangelist: + - None + - Low + - Medium + - High + default: Medium + content: |- + One of the following: + + - `None`: No keepalive. + - `Low`: Send keepalive every 30 minutes. + - `Medium`: Send keepalive every 10 minutes. + - `High`: Send keepalive every 1 minute. + - key: OnDemand + title: On demand details + type: + presence: optional + content: Specifies details about how the system controls on-demand VPN. + subkeys: + - key: Enabled + title: Enable VPN on demand + type: + presence: optional + default: false + content: If `true`, enables VPN On Demand. + - key: DisableUserOverride + title: Prevent users from toggling VPN on demand + supportedOS: + macOS: + introduced: n/a + type: + presence: optional + default: false + content: If `true`, the Connect On Demand toggle in Settings is disabled + for this configuration. + - key: Rules + title: On demand rules + type: + presence: optional + content: An array of dictionaries defining On Demand Rules. + subkeytype: RulesElement + subkeys: + - key: RulesElement + title: Rules element + type: + subkeys: + - key: Action + title: On demand action + type: + presence: required + rangelist: + - Allow + - Connect + - Disconnect + - EvaluateConnection + - Ignore + content: |- + The action to take if this dictionary matches the current network. Possible values are: + - `Allow`: Deprecated. Allow VPN On Demand to connect if triggered. + - `Connect`: Unconditionally initiate a VPN connection on the next network attempt. + - `Disconnect`: Tear down the VPN connection and don't reconnect on demand as long as this dictionary matches. + - `EvaluateConnection`: Evaluate the ActionParameters array for each connection attempt. + - `Ignore`: Leave any existing VPN connection up, but don't reconnect on demand as long as this dictionary matches. + - key: ActionParameters + title: Action parameters + type: + presence: optional + content: An array of dictionaries that provides rules similar to the + `OnDemandRules` dictionary, but evaluated on each connection instead + of when the network changes. This value is only for use with dictionaries + in which the `Action` value is `EvaluateConnection`. The system evaluates + these dictionaries in order and the first dictionary that matches + determines the behavior. + subkeys: + - key: ActionParameter + title: Action parameter + type: + presence: optional + content: |- + A dictionary that provides rules similar to the OnDemandRules dictionary, but evaluated on each connection instead of when the network changes. These dictionaries are evaluated in order, and the behavior is determined by the first dictionary that matches. + The keys allowed in each dictionary are described below. Note: This array is used only for dictionaries in which EvaluateConnection is the Action value. + subkeys: + - key: Domains + title: Domains + type: + presence: required + content: The domains to apply this evaluation. + subkeys: + - key: DomainsElement + title: Domains element + type: + - key: DomainAction + title: Domain action + type: + presence: required + rangelist: + - ConnectIfNeeded + - NeverConnect + content: |- + Defines the VPN behavior for the specified domains. Allowed values are: + * 'ConnectIfNeeded': The specified domains should trigger a VPN connection attempt if domain name resolution fails, such as when the DNS server indicates that it can't resolve the domain, responds with a redirection to a different server, or fails to respond (timeout). + * 'NeverConnect': The specified domains should never trigger a VPN connection attempt. + - key: RequiredDNSServers + title: Required DNS servers + type: + presence: optional + content: |- + An array of IP addresses of DNS servers to use for resolving the specified domains. These servers don't need to be part of the device's current network configuration. If these DNS servers aren't reachable, the system establishes a VPN connection. These DNS servers need to be either internal DNS servers or trusted external DNS servers. + This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'. + subkeys: + - key: RequiredDNSServersElement + title: Required DNS servers element + type: + - key: RequiredURLStringProbe + title: Required URL string probe + type: + presence: optional + content: |- + An HTTP or HTTPS (preferred) URL to probe, using a GET request. If the URL's hostname can't be resolved, if the server is unreachable, or if the server doesn't respond with a 200 HTTP status code, a VPN connection is established in response. + This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'. + - key: DNSDomainMatch + title: DNS domain match + type: + presence: optional + content: |- + An array of domain names. This rule matches if any of the domain names in the specified list matches any domain in the device's search domains list. + The system supports a wildcard (`*`) prefix. For example, `*.example.com` matches against either `mydomain.example.com` or `yourdomain.example.com`. + subkeys: + - key: DNSDomainMatchElement + title: DNS domain match element + type: + - key: DNSServerAddressMatch + title: DNS server address match + type: + presence: optional + content: |- + An array of IP addresses. This rule matches if any of the network's specified DNS servers match any entry in the array. + The system supports matching with a single wildcard. For example, `17.*` matches any DNS server in the `17.0.0.0/8` subnet. + subkeys: + - key: DNSServerAddressMatchElement + title: DNS server address match element + type: + - key: InterfaceTypeMatch + title: Interface type match + type: + presence: optional + rangelist: + - Ethernet + - WiFi + - Cellular + content: An interface type. If specified, this rule matches only if + the primary network interface hardware matches the specified type. + - key: SSIDMatch + title: SSID match + type: + presence: optional + content: |- + An array of SSIDs to match against the current network. If the network isn't a Wi-Fi network or if the SSID doesn't appear in this array, the match fails. + Omit this key and the corresponding array to match against any SSID. + subkeys: + - key: SSIDMatchElement + title: SSID match element + type: + - key: URLStringProbe + title: URL string probe + type: + presence: optional + content: A URL to probe. This rule matches when this URL is successfully + fetched (returns a `200` HTTP status code) without redirection. + - key: UseConfigurationAttributeInternalIPSubnet + title: Use IPv4 / IPv6 internal subnet attributes + type: + presence: optional + default: false + content: If `true`, negotiations should use IKEv2 Configuration Attribute + `INTERNAL_IP4_SUBNET` and `INTERNAL_IP6_SUBNET`. + - key: DisableMOBIKE + title: Disable mobility and multihoming + type: + presence: optional + default: false + content: If `true`, the system disables MOBIKE. + - key: DisableRedirect + title: Disable redirect + type: + presence: optional + default: false + content: If `true`, the system disables IKEv2 redirect. If not set, the system + redirects an IKEv2 connection when it receives a redirect request from the + server. + - key: EnableNATKeepAliveOffload + title: Enable NAT keep alive offload + type: + presence: optional + default: true + content: |- + If `true`, enables NAT keepalive offload for Always On VPN IKEv2 connections. The device sends keepalive packets to maintain NAT mappings for IKEv2 connections that have a NAT on the path. It sends keepalive packets at regular intervals when the device is awake. If `NATKeepAliveOffloadEnable` is `true`, the system offloads keepalive packets to hardware while the device is asleep. + + NAT keepalive offload has an impact on the battery life due to the extra workload during sleep. The default interval for the keepalive offload packets is 20 seconds over Wi-Fi and 110 seconds over Cellular interface. The default NAT keepalive works well on networks with small NAT mapping timeouts but imposes a potential battery impact. If a network has larger NAT mapping timeouts, larger keepalive intervals may be safely used to minimize battery impact. Modify the keepalive interval through the `NATKeepAliveInterval` key. + - key: NATKeepAliveInterval + title: NAT keepalive interval + type: + presence: optional + default: 20 + content: The NAT Keepalive interval for Always On VPN IKEv2 connections. This + value controls the interval that the device sends keepalive offload packets. + The minimum value is 20 seconds. If no key is specified, the default is + 20 seconds over Wi-Fi and 110 seconds over a cellular interface. + - key: EnablePFS + title: Enable perfect forward secrecy + type: + presence: optional + default: false + content: If `true`, enables Perfect Forward Secrecy (PFS) for IKEv2 Connections. + - key: EnableCertificateRevocationCheck + title: Enable certificate revocation check + type: + presence: optional + default: false + content: If `true`, the system performs a certificate revocation check for + IKEv2 connections. This is a best-effort revocation check and server response + timeouts won't cause it to fail. + - key: EnableFallback + title: Enable fallback + supportedOS: + macOS: + introduced: n/a + type: + presence: optional + default: false + content: |- + If `true`, the system enables a tunnel over cellular data to carry traffic that's eligible for Wi-Fi Assist and also requires VPN. + + Enabling fallback requires that the server support multiple tunnels for a single user. + - key: MTU + title: Maximum transmission unit + type: + presence: optional + range: + min: 1280 + max: 1400 + default: 1280 + content: The Maximum Transmission Unit (MTU) specifies the maximum size in + bytes of each packet that the system sends over the IKEv2 VPN interface. + - key: EnforceStrictAlgorithmSelection + title: Enforce strict algorithm selection + type: + presence: optional + default: false + content: If set to `true`, the device doesn't allow DES, 3DES, and Diffie-Hellman + groups less than 14. Also the device requires the encryption algorithm specified + in `IKESecurityAssociationParameters` to be at least as cryptographically + strong as the algorithm specified in `ChildSecurityAssociationParameters`. + The device rejects this configuration if these requirements aren't met. + - key: PostQuantumKeyExchange + title: Post quantum key exchange + type: + presence: optional + content: Post Quantum Key Exchange settings. + subkeys: + - key: PPK + title: Post-quantum pre-shared key + type: + presence: optional + content: The Post-quantum Pre-shared key (PPK) the device uses for this + VPN. This key is is used with VPN servers that support RFC 8784. If this + key is present `PPKIdentifier` must also be present. + - key: PPKIdentifier + title: Post-quantum pre-shared key identifier + type: + presence: optional + content: The identifier for the Post-quantum Pre-shared key (PPK) the device + uses for this VPN. This key is is used with VPN servers that support RFC + 8784. If this key is present `PPK` must also be present. + - key: PPKMandatory + title: Post-quantum pre-shared key mandatory + type: + presence: optional + default: true + content: If set to `true`, the VPN doesn't establish a connection if the + server doesn't support RFC 8784 or doesn't accept the PPK identifier specified + in `PPKIdentifier`. The device ignores this key if `PPK` and `PPKIdentifier` + aren't present. + - key: AllowFallback + title: Allow post-quantum key exchange fallback + type: + presence: optional + default: false + content: If set to `false`, the VPN doesn't establish a connection if the + server doesn't support or doesn't allow post-quantum key exchanges. Thd + device ignores this key if `PostQuantumKeyExchangeMethods` isn't present + in `IKESecurityAssociationParameters` or `ChildSecurityAssociationParameters`. + - key: IKESecurityAssociationParameters + title: IKE security association parameters + type: + presence: optional + content: These parameters apply to Child Security Association unless `ChildSecurityAssociationParameters` + is specified. + subkeytype: SecurityAssociationParameters + subkeys: &id001 + - key: EncryptionAlgorithm + title: Encryption algorithm + type: + presence: optional + rangelist: + - AES-128 + - AES-256 + - AES-128-GCM + - AES-256-GCM + - ChaCha20Poly1305 + default: AES-256 + content: |- + The encryption algorithm. + + In tvOS the default value is `AES-256-GCM`. + - key: IntegrityAlgorithm + title: Integrity algorithm + type: + presence: optional + rangelist: + - SHA2-256 + - SHA2-384 + - SHA2-512 + default: SHA2-256 + content: The integrity algorithm. + - key: DiffieHellmanGroup + title: Diffie hellman group + type: + presence: optional + rangelist: + - 14 + - 15 + - 16 + - 17 + - 18 + - 19 + - 20 + - 21 + - 31 + - 32 + default: 14 + content: |- + The Diffie-Hellman group. + + For `AlwaysOn` VPN, the minimum allowed value is `14`. + - key: PostQuantumKeyExchangeMethods + title: Post-quantum key exchange methods + type: + presence: optional + content: An array of integers representing postquantum key exchange methods + the device uses during SA establishment and rekey. You can specify up + to seven items, which correspond to ADDKE1 - ADDKE7 from RFC 9370. + subkeys: + - key: PostQuantumKeyExchangeMethod + title: Post-quantum key exchange method + type: + rangelist: + - 0 + - 36 + - 37 + - key: LifeTimeInMinutes + title: Life time in minutes + type: + presence: optional + range: + min: 10 + max: 1440 + default: 1440 + content: The SA lifetime (rekey interval) in minutes. + - key: ChildSecurityAssociationParameters + title: Child security association parameters + type: + presence: optional + content: The `ChildSecurityAssociationParameters` dictionaries. + subkeytype: SecurityAssociationParameters + subkeys: *id001 +- key: ServiceExceptions + title: Service exceptions + type: + presence: optional + content: An array that contains an arbitrary number of service exceptions. + subkeys: + - key: ServiceExceptionElement + title: A service exception element + type: + subkeys: + - key: ServiceName + title: Service name + type: + presence: required + rangelist: + - VoiceMail + - AirPrint + - CellularServices + - DeviceCommunication + content: |- + The name of a service that's exempt from Always On VPN. + + `CellularServices` exempts `VoLTE`, `IMS`, `MMS`, and Wi-Fi calling. + + `DeviceCommunication` exempts network traffic used for communicating with devices connected via USB or Wi-Fi. + - key: Action + title: Action + type: + presence: required + rangelist: + - Allow + - Drop + content: The action to take with network connections from the named service. +- key: ApplicationExceptions + title: Application exceptions + type: + presence: optional + content: An array that contains an arbitrary number of apps whose connections occur + outside the VPN. + subkeys: + - key: ApplicationExceptionElement + title: A application exception element + type: + subkeys: + - key: BundleIdentifier + title: Bundle identifier + type: + presence: required + content: The app's bundle identifier. + - key: LimitToProtocols + title: Limit to protocols + type: + presence: optional + content: Limit the exception to only the specified list of protocols, with support + for `UDP` only. + subkeys: + - key: LimitToProtocolElement + title: Limit to protocol element + type: + rangelist: + - UDP +- key: AllowCaptiveWebSheet + title: Allow captive web sheet + type: + presence: optional + default: false + content: If `true`, allows traffic from Captive Web Sheet outside the VPN tunnel. +- key: AllowAllCaptiveNetworkPlugins + title: Allow all captive network plugins + type: + presence: optional + default: false + content: If `true`, allows traffic from all captive networking apps outside the + VPN tunnel to perform captive network handling. +- key: AllowedCaptiveNetworkPlugins + title: Allowed captive network plugins + type: + presence: optional + content: The array of captive networking apps whose traffic is allowed outside the + VPN tunnel, to perform captive network handling. Used only when `AllowAllCaptiveNetworkPlugins` + is `false`. + subkeys: + - key: AllowedCaptiveNetworkPluginElement + title: An allowed captive network plugin element + type: + subkeys: + - key: BundleIdentifier + title: Bundle identifier + type: + presence: required + content: The bundle identifier for the app that's allowed on the captive network. +- key: DNS + title: DNS + type: + presence: optional + content: A dictionary to use for all VPN types. + subkeys: + - key: Protocol + title: DNS protocol + type: + presence: required + rangelist: + - Cleartext + - HTTPS + - TLS + content: The transport protocol to communicate with the DNS server. + - key: ServerURL + title: Server URL + type: + presence: optional + content: The URI template of a DNS-over-HTTPS server, as defined in RFC 8484, + which needs to use the `https://` scheme. The system uses the hostname or address + in the URL to validate the server certificate. If `ServerAddresses` isn't specified, + the system uses the hostname or address in the URL to determine the server addresses. + This key is required if the `DNSProtocol` is `HTTPS`. + - key: ServerName + title: Server name + type: + presence: optional + content: The hostname of a DNS-over-TLS server to validate the server certificate, + as defined in RFC 7858. If `ServerAddresses` isn't specified, the system uses + the hostname to determine the server addresses. This key is required if the + `DNSProtocol` is `TLS`. + - key: ServerAddresses + title: DNS server addresses + type: + presence: required + content: The array of DNS server IP address strings. These IP addresses can be + a mixture of IPv4 and IPv6 addresses. + subkeys: + - key: ServerAddressesElement + title: Server address element + type: + - key: SearchDomains + title: DNS search domains + type: + presence: optional + content: The list of domain strings used to fully qualify single-label host names. + subkeys: + - key: SearchDomainsElement + title: Search domains element + type: + - key: DomainName + title: Domain name + type: + presence: optional + content: The primary domain of the tunnel. + - key: SupplementalMatchDomains + title: Supplemental match domains + type: + presence: optional + content: |- + The list of domain strings used to determine which DNS queries use the DNS resolver settings in `ServerAddresses`. The system uses this key to create a split DNS configuration where it resolves only hosts in certain domains using the tunnel's DNS resolver. The system uses the default resolver for hosts that aren't in one of the domains in this list. + + If `SupplementalMatchDomains` contains the empty string it becomes the default domain. + + Split-tunnel configurations can direct all DNS queries to the VPN DNS servers before the primary DNS servers. If the VPN tunnel becomes the network's default route, the servers listed in `ServerAddresses` become the default resolver and the system ignores the `SupplementalMatchDomains` list. + subkeys: &id002 + - key: SupplementalMatchDomainsElement + title: Supplemental match domains element + type: + - key: SupplementalMatchDomainsNoSearch + title: Supplemental match domains no search + type: + presence: optional + default: false + content: If `true`, don't append the domains in the `SupplementalMatchDomains` + list to the resolver's list of search domains. + - key: IdentityAssetReference + title: Identity asset reference + type: + assettypes: + - com.apple.asset.credential.acme + - com.apple.asset.credential.identity + - com.apple.asset.credential.scep + presence: optional + content: The identifier of a credential asset declaration that contains the identity + that the system uses to authenticate the user to the DNS resolver. +- key: Proxies + title: Proxies + type: + presence: optional + content: The dictionary to use to configure `Proxies` for use with `VPN`. + subkeys: + - key: AutoConfigEnable + title: Proxy auto config enable + type: + presence: optional + default: false + content: If `true`, enables automatic proxy configuration. + - key: AutoDiscoveryEnable + title: Proxy auto discovery enable + type: + presence: optional + default: true + content: If `true`, enables proxy auto discovery. + - key: AutoConfigURLString + title: Proxy server URL + type: + presence: optional + content: The URL to the location of the proxy auto-configuration file. Used only + when `ProxyAutoConfigEnable` is `true`. + - key: SupplementalMatchDomains + title: Supplemental match domains + type: + presence: optional + content: An array of domains that defines which hosts use proxy settings for hosts. + subkeys: *id002 + - key: Protocol + title: Protocol + type: + presence: optional + content: The dictionary to use to configure HTTP servers for `Proxies` for use + with `VPN`. + subkeys: + - key: HTTP + title: HTTP protocol + type: + presence: optional + content: The dictionary to use to configure the HTTP (non-TLS) server. + subkeys: + - key: Enable + title: Enable HTTP + type: + presence: optional + default: false + content: If `true`, enables proxy for HTTP traffic. + - key: HostName + title: HTTP host name + type: + presence: optional + content: The host name of the HTTP proxy. + - key: Port + title: HTTP port + type: + presence: optional + range: + min: 0 + max: 65535 + content: The port number of the HTTP proxy. This field is required if `HostName` + is specified. + - key: HTTPS + title: HTTPS protocol + type: + presence: optional + content: The dictionary to use to configure the HTTPS (TLS) server. + subkeys: + - key: Enable + title: Enable HTTPS + type: + presence: optional + default: false + content: If `true`, enables proxy for HTTPS traffic. + - key: HostName + title: HTTPS host name + type: + presence: optional + content: The host name of the HTTPS proxy. + - key: Port + title: HTTPS port + type: + presence: optional + range: + min: 0 + max: 65535 + content: The port number of the HTTPS proxy. This field is required if `HostName` + is specified. + - key: CredentialsAssetReference + title: Credentials asset reference + type: + assettypes: + - com.apple.asset.credential.userpassword + presence: optional + content: The identifier of an asset declaration that contains the credentials + (user name and password) to authenticate with the proxy server. +examples: + title: Configuration example + files: + - description: This configuration sets up an always-on IKEv2 VPN for both Cellular + and Wi-Fi interfaces using certificate authentication. + file: examples/declarative/declarations/configurations/network.vpn.always-on/example1.json diff --git a/declarative/declarations/configurations/network.vpn.ikev2.yaml b/declarative/declarations/configurations/network.vpn.ikev2.yaml new file mode 100644 index 0000000..b1ab277 --- /dev/null +++ b/declarative/declarations/configurations/network.vpn.ikev2.yaml @@ -0,0 +1,854 @@ +title: Network:VPN:IKEV2 +description: The declaration to configure a VPN using the IKEv2 sub-type. +payload: + declarationtype: com.apple.configuration.network.vpn.ikev2 + supportedOS: + iOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - device + - local + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + macOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - local + allowed-scopes: + - system + - user + tvOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - device + - local + allowed-scopes: + - system + visionOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - device + - local + allowed-scopes: + - system + watchOS: + introduced: n/a + apply: multiple +payloadkeys: +- key: VisibleName + title: Visible name + type: + presence: required + content: The name of the VPN connection that the system displays on the device. +- key: HostName + title: Host name + type: + presence: required + content: The IP address or hostname of the VPN server. +- key: LocalIdentifier + title: Local identifier + type: + presence: required + content: Identifier of the IKEv2 client. +- key: RemoteIdentifier + title: Remote identifier + type: + presence: required + content: The remote identifier. +- key: Authentication + title: Authentication details + type: + presence: required + content: Settings that control authentication. + subkeys: + - key: Method + title: Authentication method + type: + presence: required + rangelist: + - None + - SharedSecret + - Certificate + content: |- + The type of authentication method for the VPN. + + To enable EAP-only authentication, set this to `None` and `ExtendedAuthEnabled` to `true`. If this is `None` and the `ExtendedAuthEnabled` key isn't set, the authentication configuration defaults to `SharedSecret`. + - key: CredentialsAssetReference + title: Credentials asset reference + type: + assettypes: + - com.apple.asset.credential.userpassword + presence: optional + content: The identifier of an asset declaration that contains the credentials + (password) to authenticate with the VPN server. Required when `Authentication.Method` + is set to `SharedSecret`. + - key: IdentityCertificateType + title: Certificate type + type: + presence: optional + rangelist: + - RSA + - ECDSA256 + - ECDSA384 + - ECDSA521 + - RSA-PSS + default: RSA + content: The type of key used by the identity set in the `IdentityAssetReference` + to use for IKEv2 machine authentication. If this key is included, the system + requires a value for `ServerCertificateIssuerCommonName`. + - key: IdentityAssetReference + title: Identity asset reference + type: + assettypes: + - com.apple.asset.credential.acme + - com.apple.asset.credential.identity + - com.apple.asset.credential.scep + presence: optional + content: The identifier of a credential asset declaration that contains the identity + that this account requires to authenticate with the VPN server. If the value + of `AuthenticationMethod` is `Certificate`, the system sends this certificate + out for IKEv2 machine authentication. If extended authentication (EAP) is used, + the system sends this certificate out for EAP-TLS authentication. Required when + `Authentication.Method` is set to `Certificate`. + - key: ExtendedAuth + title: Extended authentication (EAP) + type: + presence: optional + content: Specifies details about how the VPN routes different types of network + traffic. + subkeys: + - key: Enabled + title: Enabled + type: + presence: optional + default: false + content: If `true`, enables EAP-only authentication. + - key: CredentialsAssetReference + title: Credentials asset reference + type: + assettypes: + - com.apple.asset.credential.userpassword + presence: optional + content: The identifier of an asset declaration that contains the credentials + (user name and password) to authenticate with the VPN server. Required when + `Enabled` is set to `true`. Implies the use of EAP-MSCHAPv2. + - key: ServerCertificateIssuerCommonName + title: Server certificate issuer common name + type: + presence: optional + content: Common Name of the server certificate issuer. If set, this field causes + IKE to send a certificate request based on this certificate issuer to the + server. This key is required if the `IdentityCertificateType` key is included + and the `ExtendedAuth.Enabled` key is `true`. + - key: ServerCertificateCommonName + title: Server certificate common name + type: + presence: optional + content: The common name of the server certificate. The system uses this name + to validate the certificate sent by the IKE server. If not set, the system + uses the remote identifier to validate the certificate. + - key: TLSMinimumVersion + title: TLS minimum version + type: + presence: optional + rangelist: + - '1.0' + - '1.1' + - '1.2' + - '1.3' + default: '1.0' + content: The minimum TLS version to use with EAP-TLS authentication. + - key: TLSMaximumVersion + title: TLS maximum version + type: + presence: optional + rangelist: + - '1.0' + - '1.1' + - '1.2' + - '1.3' + default: '1.2' + content: The maximum TLS version to use with EAP-TLS authentication. +- key: Provider + title: Provider details + type: + presence: optional + content: Specifies details about the provider. + subkeys: + - key: Type + title: Type + type: + presence: optional + rangelist: + - packet-tunnel + - app-proxy + default: packet-tunnel + content: The type of VPN service. If the value is `app-proxy`, the service tunnels + traffic at the app level. If the value is `packet-tunnel`, the service tunnels + traffic at the IP layer. + - key: ComposedIdentifier + title: Composed identifier + type: + presence: optional + content: |- + In iOS, tvOS, and visionOS, the identifier is a bundle ID, for example, "com.example.app". + + In macOS, the identifier is a composed identifier. The format of the composed identifier is either "Bundle-ID" or "Bundle-ID {Designated-Requirement}". "Bundle-ID" is the bundle identifier string of the provider. "Designated-Requirement" is the designated requirement string from the code signature of the provider. For example, "com.example.app" for the bundle ID format, or "com.example.app {anchor apple generic}" for the designated requirement format. +- key: NetworkRouting + title: Network routing details + supportedOS: + tvOS: + introduced: n/a + type: + presence: optional + content: Specifies details about how the VPN routes different types of network traffic. + subkeys: + - key: EnforceRoutes + title: Enforce routes + type: + presence: optional + default: false + content: |- + If `true`, all the VPN's non-default routes take precedence over any locally defined routes. + + If `IncludeAllNetworks` is `true`, the system ignores the value of `EnforceRoutes`. + - key: IncludeAllNetworks + title: Include all networks + type: + presence: optional + default: false + content: |- + If `true`, routes all traffic through the VPN, with some exclusions. Several of the exclusions can be controlled with the `ExcludeLocalNetworks`, `ExcludeCellularServices`, `ExcludeAPNs` and `ExcludeDeviceCommunication` properties. The following traffic is always excluded from the tunnel: + + - Traffic necessary for connecting and maintaining the device's network connection, such as DHCP. + - Traffic necessary for connecting to captive networks. + - Certain cellular services traffic that's not routable over the internet and is instead directly routed to the cellular network. See the ExcludeCellularServices property for more details. + - key: ExcludeLocalNetworks + title: Exclude local networks + type: + presence: optional + content: If `true` and `IncludeAllNetworks` is `true`, routes all local network + traffic outside the VPN. + - key: ExcludeCellularServices + title: Exclude cellular services + type: + presence: optional + default: true + content: If `true` and `IncludeAllNetworks` is `true`, then the system excludes + internet-routable network traffic for cellular services (VoLTE, Wi-Fi Calling, + IMS, MMS, Visual Voicemail, etc.) from the tunnel. Note that some cellular carriers + route cellular services traffic directly to the carrier network, bypassing the + internet. Such cellular services traffic is always excluded from the tunnel. + - key: ExcludeAPNs + title: Exclude APNs + type: + presence: optional + default: true + content: If `true` and `IncludeAllNetworks` is `true`, then the system excludes + the network traffic for the Apple Push Notification service (APNs) from the + tunnel. + - key: ExcludeDeviceCommunication + title: Exclude device communication + type: + presence: optional + default: true + content: If set to `true` and `IncludeAllNetworks` is set to `true`, the device + excludes network traffic used for communicating with devices connected via USB + or Wi-Fi from the tunnel. +- key: Idle + title: Disconnect on idle settings. + type: + presence: optional + content: Specifies details about how the system handles idle VPN connections. + subkeys: + - key: Disconnect + title: Enable disconnect on idle + type: + presence: optional + default: false + content: If `true`, disconnects after an on-demand connection idles. + - key: Timer + title: Disconnect on idle time + type: + presence: optional + content: The length of time to wait, in seconds, before disconnecting an on-demand + connection. + - key: DeadPeerDetectionRate + title: Dead peer detection rate + type: + presence: optional + rangelist: + - None + - Low + - Medium + - High + default: Medium + content: |- + One of the following: + + - `None`: No keepalive. + - `Low`: Send keepalive every 30 minutes. + - `Medium`: Send keepalive every 10 minutes. + - `High`: Send keepalive every 1 minute. +- key: OnDemand + title: On demand details + type: + presence: optional + content: Specifies details about how the system controls on-demand VPN. + subkeys: + - key: Enabled + title: Enable VPN on demand + type: + presence: optional + default: false + content: If `true`, enables VPN On Demand. + - key: DisableUserOverride + title: Prevent users from toggling VPN on demand + supportedOS: + macOS: + introduced: n/a + type: + presence: optional + default: false + content: If `true`, the device disables the Connect On Demand toggle in Settings + for this configuration. + - key: Rules + title: On demand rules + type: + presence: optional + content: An array of dictionaries defining On Demand Rules. + subkeytype: RulesElement + subkeys: + - key: RulesElement + title: Rules element + type: + subkeys: + - key: Action + title: On demand action + type: + presence: required + rangelist: + - Allow + - Connect + - Disconnect + - EvaluateConnection + - Ignore + content: |- + The action to take if this dictionary matches the current network. Possible values are: + - `Allow`: Deprecated. Allow VPN On Demand to connect if triggered. + - `Connect`: Unconditionally initiate a VPN connection on the next network attempt. + - `Disconnect`: Tear down the VPN connection and don't reconnect on demand as long as this dictionary matches. + - `EvaluateConnection`: Evaluate the ActionParameters array for each connection attempt. + - `Ignore`: Leave any existing VPN connection up, but don't reconnect on demand as long as this dictionary matches. + - key: ActionParameters + title: Action parameters + type: + presence: optional + content: An array of dictionaries that provides rules similar to the `OnDemandRules` + dictionary, but evaluated on each connection instead of when the network + changes. This value is only for use with dictionaries in which the `Action` + value is `EvaluateConnection`. The system evaluates these dictionaries in + order and the first dictionary that matches determines the behavior. + subkeys: + - key: ActionParameter + title: Action parameter + type: + presence: optional + content: |- + A dictionary that provides rules similar to the OnDemandRules dictionary, but evaluated on each connection instead of when the network changes. These dictionaries are evaluated in order, and the behavior is determined by the first dictionary that matches. + The keys allowed in each dictionary are described below. Note: This array is used only for dictionaries in which EvaluateConnection is the Action value. + subkeys: + - key: Domains + title: Domains + type: + presence: required + content: The domains to apply this evaluation. + subkeys: + - key: DomainsElement + title: Domains element + type: + - key: DomainAction + title: Domain action + type: + presence: required + rangelist: + - ConnectIfNeeded + - NeverConnect + content: |- + Defines the VPN behavior for the specified domains. Allowed values are: + * 'ConnectIfNeeded': The specified domains should trigger a VPN connection attempt if domain name resolution fails, such as when the DNS server indicates that it can't resolve the domain, responds with a redirection to a different server, or fails to respond (timeout). + * 'NeverConnect': The specified domains should never trigger a VPN connection attempt. + - key: RequiredDNSServers + title: Required DNS servers + type: + presence: optional + content: |- + An array of IP addresses of DNS servers to use for resolving the specified domains. These servers don't need to be part of the device's current network configuration. If these DNS servers aren't reachable, the system establishes a VPN connection. These DNS servers need to be either internal DNS servers or trusted external DNS servers. + This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'. + subkeys: + - key: RequiredDNSServersElement + title: Required DNS servers element + type: + - key: RequiredURLStringProbe + title: Required URL string probe + type: + presence: optional + content: |- + An HTTP or HTTPS (preferred) URL to probe, using a GET request. If the URL's hostname can't be resolved, if the server is unreachable, or if the server doesn't respond with a 200 HTTP status code, a VPN connection is established in response. + This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'. + - key: DNSDomainMatch + title: DNS domain match + type: + presence: optional + content: |- + An array of domain names. This rule matches if any of the domain names in the specified list matches any domain in the device's search domains list. + The system supports a wildcard (`*`) prefix. For example, `*.example.com` matches against either `mydomain.example.com` or `yourdomain.example.com`. + subkeys: + - key: DNSDomainMatchElement + title: DNS domain match element + type: + - key: DNSServerAddressMatch + title: DNS server address match + type: + presence: optional + content: |- + An array of IP addresses. This rule matches if any of the network's specified DNS servers match any entry in the array. + The system supports matching with a single wildcard. For example, `17.*` matches any DNS server in the `17.0.0.0/8` subnet. + subkeys: + - key: DNSServerAddressMatchElement + title: DNS server address match element + type: + - key: InterfaceTypeMatch + title: Interface type match + type: + presence: optional + rangelist: + - Ethernet + - WiFi + - Cellular + content: An interface type. If specified, this rule matches only if the primary + network interface hardware matches the specified type. + - key: SSIDMatch + title: SSID match + type: + presence: optional + content: |- + An array of SSIDs to match against the current network. If the network isn't a Wi-Fi network or if the SSID doesn't appear in this array, the match fails. + Omit this key and the corresponding array to match against any SSID. + subkeys: + - key: SSIDMatchElement + title: SSID match element + type: + - key: URLStringProbe + title: URL string probe + type: + presence: optional + content: A URL to probe. This rule matches when this URL is successfully fetched + (returns a `200` HTTP status code) without redirection. +- key: UseConfigurationAttributeInternalIPSubnet + title: Use IPv4 / IPv6 internal subnet attributes + type: + presence: optional + default: false + content: If `true`, negotiations should use IKEv2 Configuration Attribute `INTERNAL_IP4_SUBNET` + and `INTERNAL_IP6_SUBNET`. +- key: DisableMOBIKE + title: Disable mobility and multihoming + type: + presence: optional + default: false + content: If `true`, the system disables MOBIKE. +- key: DisableRedirect + title: Disable redirect + type: + presence: optional + default: false + content: If `true`, the system disables IKEv2 redirect. If not set, the system redirects + an IKEv2 connection when it receives a redirect request from the server. +- key: EnableNATKeepAliveOffload + title: Enable NAT keep alive offload + type: + presence: optional + default: true + content: |- + If `true`, enables NAT keepalive offload for Always On VPN IKEv2 connections. The device sends keepalive packets to maintain NAT mappings for IKEv2 connections that have a NAT on the path. It sends keepalive packets at regular intervals when the device is awake. If `NATKeepAliveOffloadEnable` is `true`, the system offloads keepalive packets to hardware while the device is asleep. + + NAT keepalive offload has an impact on the battery life due to the extra workload during sleep. The default interval for the keepalive offload packets is 20 seconds over Wi-Fi and 110 seconds over Cellular interface. The default NAT keepalive works well on networks with small NAT mapping timeouts but imposes a potential battery impact. If a network has larger NAT mapping timeouts, larger keepalive intervals may be safely used to minimize battery impact. Modify the keepalive interval through the `NATKeepAliveInterval` key. +- key: NATKeepAliveInterval + title: NAT keepalive interval + type: + presence: optional + default: 20 + content: The NAT Keepalive interval for Always On VPN IKEv2 connections. This value + controls the interval that the device sends keepalive offload packets. The minimum + value is 20 seconds. If no key is specified, the default is 20 seconds over Wi-Fi + and 110 seconds over a cellular interface. +- key: EnablePFS + title: Enable perfect forward secrecy + type: + presence: optional + default: false + content: If `true`, enables Perfect Forward Secrecy (PFS) for IKEv2 Connections. +- key: EnableCertificateRevocationCheck + title: Enable certificate revocation check + type: + presence: optional + default: false + content: If `true`, the system performs a certificate revocation check for IKEv2 + connections. This is a best-effort revocation check and server response timeouts + won't cause it to fail. +- key: EnableFallback + title: Enable fallback + supportedOS: + macOS: + introduced: n/a + type: + presence: optional + default: false + content: |- + If `true`, the system enables a tunnel over cellular data to carry traffic that's eligible for Wi-Fi Assist and also requires VPN. + + Enabling fallback requires that the server support multiple tunnels for a single user. +- key: MTU + title: Maximum transmission unit + type: + presence: optional + range: + min: 1280 + max: 1400 + default: 1280 + content: The Maximum Transmission Unit (MTU) specifies the maximum size in bytes + of each packet that the system sends over the IKEv2 VPN interface. +- key: EnforceStrictAlgorithmSelection + title: Enforce strict algorithm selection + type: + presence: optional + default: false + content: If set to `true`, the device doesn't allow DES, 3DES, and Diffie-Hellman + groups less than 14. Also the device requires the encryption algorithm specified + in `IKESecurityAssociationParameters` to be at least as cryptographically strong + as the algorithm specified in `ChildSecurityAssociationParameters`. The device + rejects this configuration if these requirements aren't met. +- key: PostQuantumKeyExchange + title: Post quantum key exchange + type: + presence: optional + content: Post Quantum Key Exchange settings. + subkeys: + - key: PPK + title: Post-quantum pre-shared key + type: + presence: optional + content: The Post-quantum Pre-shared key (PPK) the device uses for this VPN. This + key is is used with VPN servers that support RFC 8784. If this key is present + `PPKIdentifier` must also be present. + - key: PPKIdentifier + title: Post-quantum pre-shared key identifier + type: + presence: optional + content: The identifier for the Post-quantum Pre-shared key (PPK) the device uses + for this VPN. This key is is used with VPN servers that support RFC 8784. If + this key is present `PPK` must also be present. + - key: PPKMandatory + title: Post-quantum pre-shared key mandatory + type: + presence: optional + default: true + content: If set to `true`, the VPN doesn't establish a connection if the server + doesn't support RFC 8784 or doesn't accept the PPK identifier specified in `PPKIdentifier`. + The device ignores this key if `PPK` and `PPKIdentifier` aren't present. + - key: AllowFallback + title: Allow post-quantum key exchange fallback + type: + presence: optional + default: false + content: If set to `false`, the VPN doesn't establish a connection if the server + doesn't support or doesn't allow post-quantum key exchanges. Thd device ignores + this key if `PostQuantumKeyExchangeMethods` isn't present in `IKESecurityAssociationParameters` + or `ChildSecurityAssociationParameters`. +- key: IKESecurityAssociationParameters + title: IKE security association parameters + type: + presence: optional + content: These parameters apply to Child Security Association unless `ChildSecurityAssociationParameters` + is specified. + subkeytype: SecurityAssociationParameters + subkeys: &id001 + - key: EncryptionAlgorithm + title: Encryption algorithm + type: + presence: optional + rangelist: + - AES-128 + - AES-256 + - AES-128-GCM + - AES-256-GCM + - ChaCha20Poly1305 + default: AES-256 + content: |- + The encryption algorithm. + + On tvOS, the default value is `AES-256-GCM`. + - key: IntegrityAlgorithm + title: Integrity algorithm + type: + presence: optional + rangelist: + - SHA2-256 + - SHA2-384 + - SHA2-512 + default: SHA2-256 + content: The integrity algorithm. + - key: DiffieHellmanGroup + title: Diffie hellman group + type: + presence: optional + rangelist: + - 14 + - 15 + - 16 + - 17 + - 18 + - 19 + - 20 + - 21 + - 31 + - 32 + default: 14 + content: |- + The Diffie-Hellman group. + + For `AlwaysOn` VPN, the minimum allowed value is `14`. + - key: PostQuantumKeyExchangeMethods + title: Post-quantum key exchange methods + type: + presence: optional + content: An array of integers representing postquantum key exchange methods the + device uses during SA establishment and rekey. You can specify up to seven items, + which correspond to ADDKE1 - ADDKE7 from RFC 9370. + subkeys: + - key: PostQuantumKeyExchangeMethod + title: Post-quantum key exchange method + type: + rangelist: + - 0 + - 36 + - 37 + - key: LifeTimeInMinutes + title: Life time in minutes + type: + presence: optional + range: + min: 10 + max: 1440 + default: 1440 + content: The SA lifetime (rekey interval) in minutes. +- key: ChildSecurityAssociationParameters + title: Child security association parameters + type: + presence: optional + content: The `ChildSecurityAssociationParameters` dictionaries. + subkeytype: SecurityAssociationParameters + subkeys: *id001 +- key: DNS + title: DNS + type: + presence: optional + content: A dictionary to use for all VPN types. + subkeys: + - key: Protocol + title: DNS protocol + type: + presence: required + rangelist: + - Cleartext + - HTTPS + - TLS + content: The transport protocol to communicate with the DNS server. + - key: ServerURL + title: Server URL + type: + presence: optional + content: The URI template of a DNS-over-HTTPS server, as defined in RFC 8484, + which needs to use the `https://` scheme. The system uses the hostname or address + in the URL to validate the server certificate. If `ServerAddresses` isn't specified, + the system uses the hostname or address in the URL to determine the server addresses. + This key is required if the `DNSProtocol` is `HTTPS`. + - key: ServerName + title: Server name + type: + presence: optional + content: The hostname of a DNS-over-TLS server to validate the server certificate, + as defined in RFC 7858. If `ServerAddresses` isn't specified, the system uses + the hostname to determine the server addresses. This key is required if the + `DNSProtocol` is `TLS`. + - key: ServerAddresses + title: DNS server addresses + type: + presence: required + content: The array of DNS server IP address strings. These IP addresses can be + a mixture of IPv4 and IPv6 addresses. + subkeys: + - key: ServerAddressesElement + title: Server address element + type: + - key: SearchDomains + title: DNS search domains + type: + presence: optional + content: The list of domain strings used to fully qualify single-label host names. + subkeys: + - key: SearchDomainsElement + title: Search domains element + type: + - key: DomainName + title: Domain name + type: + presence: optional + content: The primary domain of the tunnel. + - key: SupplementalMatchDomains + title: Supplemental match domains + type: + presence: optional + content: |- + The list of domain strings used to determine which DNS queries use the DNS resolver settings in `ServerAddresses`. The system uses this key to create a split DNS configuration where it resolves only hosts in certain domains using the tunnel's DNS resolver. The system uses the default resolver for hosts that aren't in one of the domains in this list. + + If `SupplementalMatchDomains` contains the empty string it becomes the default domain. + + Split-tunnel configurations can direct all DNS queries to the VPN DNS servers before the primary DNS servers. If the VPN tunnel becomes the network's default route, the servers listed in `ServerAddresses` become the default resolver and the system ignores the `SupplementalMatchDomains` list. + subkeys: &id002 + - key: SupplementalMatchDomainsElement + title: Supplemental match domains element + type: + - key: SupplementalMatchDomainsNoSearch + title: Supplemental match domains no search + type: + presence: optional + default: false + content: If `true`, don't append the domains in the `SupplementalMatchDomains` + list to the resolver's list of search domains. + - key: IdentityAssetReference + title: Identity asset reference + type: + assettypes: + - com.apple.asset.credential.acme + - com.apple.asset.credential.identity + - com.apple.asset.credential.scep + presence: optional + content: The identifier of a credential asset declaration that contains the identity + that the system uses to authenticate the user to the DNS resolver. +- key: Proxies + title: Proxies + type: + presence: optional + content: The dictionary to use to configure `Proxies` for use with `VPN`. + subkeys: + - key: AutoConfigEnable + title: Proxy auto config enable + type: + presence: optional + default: false + content: If `true`, enables automatic proxy configuration. + - key: AutoDiscoveryEnable + title: Proxy auto discovery enable + type: + presence: optional + default: true + content: If `true`, enables proxy auto discovery. + - key: AutoConfigURLString + title: Proxy server URL + type: + presence: optional + content: The URL to the location of the proxy auto-configuration file. Used only + when `ProxyAutoConfigEnable` is `true`. + - key: SupplementalMatchDomains + title: Supplemental match domains + type: + presence: optional + content: An array of domains that defines which hosts use proxy settings for hosts. + subkeys: *id002 + - key: Protocol + title: Protocol + type: + presence: optional + content: The dictionary to use to configure HTTP servers for `Proxies` for use + with `VPN`. + subkeys: + - key: HTTP + title: HTTP protocol + type: + presence: optional + content: The dictionary to use to configure the HTTP (non-TLS) server. + subkeys: + - key: Enable + title: Enable HTTP + type: + presence: optional + default: false + content: If `true`, enables proxy for HTTP traffic. + - key: HostName + title: HTTP host name + type: + presence: optional + content: The host name of the HTTP proxy. + - key: Port + title: HTTP port + type: + presence: optional + range: + min: 0 + max: 65535 + content: The port number of the HTTP proxy. This field is required if `HostName` + is specified. + - key: HTTPS + title: HTTPS protocol + type: + presence: optional + content: The dictionary to use to configure the HTTPS (TLS) server. + subkeys: + - key: Enable + title: Enable HTTPS + type: + presence: optional + default: false + content: If `true`, enables proxy for HTTPS traffic. + - key: HostName + title: HTTPS host name + type: + presence: optional + content: The host name of the HTTPS proxy. + - key: Port + title: HTTPS port + type: + presence: optional + range: + min: 0 + max: 65535 + content: The port number of the HTTPS proxy. This field is required if `HostName` + is specified. + - key: CredentialsAssetReference + title: Credentials asset reference + type: + assettypes: + - com.apple.asset.credential.userpassword + presence: optional + content: The identifier of an asset declaration that contains the credentials + (user name and password) to authenticate with the proxy server. +examples: + title: Configuration examples + files: + - tab: Shared secret + description: This configuration sets up an IKEv2 VPN using a shared-secret credential + asset for authentication. + file: examples/declarative/declarations/configurations/network.vpn.ikev2/example1.json + - tab: Certificate + description: This configuration sets up an IKEv2 VPN using certificate-based machine + authentication and EAP-MSCHAPv2 for extended user authentication. + file: examples/declarative/declarations/configurations/network.vpn.ikev2/example2.json diff --git a/declarative/declarations/configurations/network.vpn.ipsec.yaml b/declarative/declarations/configurations/network.vpn.ipsec.yaml new file mode 100644 index 0000000..3ed73b9 --- /dev/null +++ b/declarative/declarations/configurations/network.vpn.ipsec.yaml @@ -0,0 +1,509 @@ +title: Network:VPN:IPSec +description: The declaration to configure a VPN using the IPSec sub-type. +payload: + declarationtype: com.apple.configuration.network.vpn.ipsec + supportedOS: + iOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - device + - local + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + macOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - local + allowed-scopes: + - system + tvOS: + introduced: n/a + visionOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - device + - local + allowed-scopes: + - system + watchOS: + introduced: n/a + apply: multiple +payloadkeys: +- key: VisibleName + title: Visible name + type: + presence: required + content: The name of the VPN connection that the system displays on the device. +- key: HostName + title: Host name + type: + presence: required + content: The IP address or hostname of the VPN server. +- key: OverridePrimary + title: Override primary connection + type: + presence: optional + default: false + content: If `true`, the system sends all network traffic over VPN. +- key: Authentication + title: Authentication details + type: + presence: required + content: Settings that control authentication. + subkeys: + - key: Method + title: Authentication method + type: + presence: required + rangelist: + - SharedSecret + - Certificate + content: The authentication method to use. + - key: CredentialsAssetReference + title: Credentials asset reference + type: + assettypes: + - com.apple.asset.credential.userpassword + presence: optional + content: |- + The identifier of an asset declaration that contains the credentials + (password) to authenticate with the VPN servers. + + Only use this with Cisco IPSec VPNs and if the `Authentication.Method` key is to `SharedSecret`. + - key: IdentityAssetReference + title: Identity asset reference + type: + assettypes: + - com.apple.asset.credential.acme + - com.apple.asset.credential.identity + - com.apple.asset.credential.scep + presence: optional + content: |- + The identifier of a credential asset declaration that contains the identity + that this account requires to authenticate with the VPN servers. + + Only use this with Cisco IPSec VPNs and if the `Authentication.Method` key is to `Certificate`. + - key: LocalIdentifier + title: Local identifier + type: + presence: optional + content: |- + The name of the group. For hybrid authentication, the string needs to end with "hybrid". + + Present only for Cisco IPSec if `Authentication.Method` is `SharedSecret`. + - key: LocalIdentifierType + title: Local identifier type + type: + presence: optional + rangelist: + - KeyID + default: KeyID + content: Present only if `Authentication.Method` is `SharedSecret`. The value + is `KeyID`. The system uses this value for Cisco IPSec VPNs. + - key: PromptForVPNPIN + title: Prompt for PIN + type: + presence: optional + default: false + content: If `true`, prompts for a PIN when connecting to Cisco IPSec VPNs. + - key: XAuth + title: XAuth details + type: + presence: optional + content: Settings that control XAuth. + subkeys: + - key: Enabled + title: XAuth enabled + type: + presence: required + content: If `true`, enables Xauth for Cisco IPSec VPNs. + - key: CredentialsAssetReference + title: Credentials asset reference + type: + assettypes: + - com.apple.asset.credential.userpassword + presence: optional + content: The identifier of an asset declaration that contains the credentials + (user name and password) required for XAuth. Required when `Enabled` key is + set to `true`. + - key: PasswordEncryption + title: XAuth password encryption + type: + presence: optional + rangelist: + - Prompt + content: A string that either has the value `Prompt` or isn't present. +- key: Idle + title: Disconnect on idle settings. + type: + presence: optional + content: Specifies details about how the system handles idle VPN connections. + subkeys: + - key: Disconnect + title: Enable disconnect on idle + type: + presence: optional + default: false + content: If `true`, disconnects after an on-demand connection idles. + - key: Timer + title: Disconnect on idle time + type: + presence: optional + content: The length of time to wait, in seconds, before disconnecting an on-demand + connection. +- key: OnDemand + title: On demand details + type: + presence: optional + content: Specifies details about how the system controls on-demand VPN. + subkeys: + - key: Enabled + title: Enable VPN on demand + type: + presence: optional + default: false + content: If `true`, enables VPN On Demand. + - key: DisableUserOverride + title: Prevent users from toggling VPN on demand + supportedOS: + macOS: + introduced: n/a + type: + presence: optional + default: false + content: If `true`, the device disables the Connect On Demand toggle in Settings + for this configuration. + - key: Rules + title: On demand rules + type: + presence: optional + content: An array of dictionaries defining On Demand Rules. + subkeytype: RulesElement + subkeys: + - key: RulesElement + title: Rules element + type: + subkeys: + - key: Action + title: On demand action + type: + presence: required + rangelist: + - Allow + - Connect + - Disconnect + - EvaluateConnection + - Ignore + content: |- + The action to take if this dictionary matches the current network. Possible values are: + - `Allow`: Deprecated. Allow VPN On Demand to connect if triggered. + - `Connect`: Unconditionally initiate a VPN connection on the next network attempt. + - `Disconnect`: Tear down the VPN connection and don't reconnect on demand as long as this dictionary matches. + - `EvaluateConnection`: Evaluate the ActionParameters array for each connection attempt. + - `Ignore`: Leave any existing VPN connection up, but don't reconnect on demand as long as this dictionary matches. + - key: ActionParameters + title: Action parameters + type: + presence: optional + content: An array of dictionaries that provides rules similar to the `OnDemandRules` + dictionary, but evaluated on each connection instead of when the network + changes. This value is only for use with dictionaries in which the `Action` + value is `EvaluateConnection`. The system evaluates these dictionaries in + order and the first dictionary that matches determines the behavior. + subkeys: + - key: ActionParameter + title: Action parameter + type: + presence: optional + content: |- + A dictionary that provides rules similar to the OnDemandRules dictionary, but evaluated on each connection instead of when the network changes. These dictionaries are evaluated in order, and the behavior is determined by the first dictionary that matches. + The keys allowed in each dictionary are described below. Note: This array is used only for dictionaries in which EvaluateConnection is the Action value. + subkeys: + - key: Domains + title: Domains + type: + presence: required + content: The domains to apply this evaluation. + subkeys: + - key: DomainsElement + title: Domains element + type: + - key: DomainAction + title: Domain action + type: + presence: required + rangelist: + - ConnectIfNeeded + - NeverConnect + content: |- + Defines the VPN behavior for the specified domains. Allowed values are: + * 'ConnectIfNeeded': The specified domains should trigger a VPN connection attempt if domain name resolution fails, such as when the DNS server indicates that it can't resolve the domain, responds with a redirection to a different server, or fails to respond (timeout). + * 'NeverConnect': The specified domains should never trigger a VPN connection attempt. + - key: RequiredDNSServers + title: Required DNS servers + type: + presence: optional + content: |- + An array of IP addresses of DNS servers to use for resolving the specified domains. These servers don't need to be part of the device's current network configuration. If these DNS servers aren't reachable, the system establishes a VPN connection. These DNS servers need to be either internal DNS servers or trusted external DNS servers. + This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'. + subkeys: + - key: RequiredDNSServersElement + title: Required DNS servers element + type: + - key: RequiredURLStringProbe + title: Required URL string probe + type: + presence: optional + content: |- + An HTTP or HTTPS (preferred) URL to probe, using a GET request. If the URL's hostname can't be resolved, if the server is unreachable, or if the server doesn't respond with a 200 HTTP status code, a VPN connection is established in response. + This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'. + - key: DNSDomainMatch + title: DNS domain match + type: + presence: optional + content: |- + An array of domain names. This rule matches if any of the domain names in the specified list matches any domain in the device's search domains list. + The system supports a wildcard (`*`) prefix. For example, `*.example.com` matches against either `mydomain.example.com` or `yourdomain.example.com`. + subkeys: + - key: DNSDomainMatchElement + title: DNS domain match element + type: + - key: DNSServerAddressMatch + title: DNS server address match + type: + presence: optional + content: |- + An array of IP addresses. This rule matches if any of the network's specified DNS servers match any entry in the array. + The system supports matching with a single wildcard. For example, `17.*` matches any DNS server in the `17.0.0.0/8` subnet. + subkeys: + - key: DNSServerAddressMatchElement + title: DNS server address match element + type: + - key: InterfaceTypeMatch + title: Interface type match + type: + presence: optional + rangelist: + - Ethernet + - WiFi + - Cellular + content: An interface type. If specified, this rule matches only if the primary + network interface hardware matches the specified type. + - key: SSIDMatch + title: SSID match + type: + presence: optional + content: |- + An array of SSIDs to match against the current network. If the network isn't a Wi-Fi network or if the SSID doesn't appear in this array, the match fails. + Omit this key and the corresponding array to match against any SSID. + subkeys: + - key: SSIDMatchElement + title: SSID match element + type: + - key: URLStringProbe + title: URL string probe + type: + presence: optional + content: A URL to probe. This rule matches when this URL is successfully fetched + (returns a `200` HTTP status code) without redirection. +- key: DNS + title: DNS + type: + presence: optional + content: A dictionary to use for all VPN types. + subkeys: + - key: Protocol + title: DNS protocol + type: + presence: required + rangelist: + - Cleartext + - HTTPS + - TLS + content: The transport protocol to communicate with the DNS server. + - key: ServerURL + title: Server URL + type: + presence: optional + content: The URI template of a DNS-over-HTTPS server, as defined in RFC 8484, + which needs to use the `https://` scheme. The system uses the hostname or address + in the URL to validate the server certificate. If `ServerAddresses` isn't specified, + the system uses the hostname or address in the URL to determine the server addresses. + This key is required if the `DNSProtocol` is `HTTPS`. + - key: ServerName + title: Server name + type: + presence: optional + content: The hostname of a DNS-over-TLS server to validate the server certificate, + as defined in RFC 7858. If `ServerAddresses` isn't specified, the system uses + the hostname to determine the server addresses. This key is required if the + `DNSProtocol` is `TLS`. + - key: ServerAddresses + title: DNS server addresses + type: + presence: required + content: The array of DNS server IP address strings. These IP addresses can be + a mixture of IPv4 and IPv6 addresses. + subkeys: + - key: ServerAddressesElement + title: Server address element + type: + - key: SearchDomains + title: DNS search domains + type: + presence: optional + content: The list of domain strings used to fully qualify single-label host names. + subkeys: + - key: SearchDomainsElement + title: Search domains element + type: + - key: DomainName + title: Domain name + type: + presence: optional + content: The primary domain of the tunnel. + - key: SupplementalMatchDomains + title: Supplemental match domains + type: + presence: optional + content: |- + The list of domain strings used to determine which DNS queries use the DNS resolver settings in `ServerAddresses`. The system uses this key to create a split DNS configuration where it resolves only hosts in certain domains using the tunnel's DNS resolver. The system uses the default resolver for hosts that aren't in one of the domains in this list. + + If `SupplementalMatchDomains` contains the empty string it becomes the default domain. + + Split-tunnel configurations can direct all DNS queries to the VPN DNS servers before the primary DNS servers. If the VPN tunnel becomes the network's default route, the servers listed in `ServerAddresses` become the default resolver and the system ignores the `SupplementalMatchDomains` list. + subkeys: &id001 + - key: SupplementalMatchDomainsElement + title: Supplemental match domains element + type: + - key: SupplementalMatchDomainsNoSearch + title: Supplemental match domains no search + type: + presence: optional + default: false + content: If `true`, don't append the domains in the `SupplementalMatchDomains` + list to the resolver's list of search domains. + - key: IdentityAssetReference + title: Identity asset reference + type: + assettypes: + - com.apple.asset.credential.acme + - com.apple.asset.credential.identity + - com.apple.asset.credential.scep + presence: optional + content: The identifier of a credential asset declaration that contains the identity + that the system uses to authenticate the user to the DNS resolver. +- key: Proxies + title: Proxies + type: + presence: optional + content: The dictionary to use to configure `Proxies` for use with `VPN`. + subkeys: + - key: AutoConfigEnable + title: Proxy auto config enable + type: + presence: optional + default: false + content: If `true`, enables automatic proxy configuration. + - key: AutoDiscoveryEnable + title: Proxy auto discovery enable + type: + presence: optional + default: true + content: If `true`, enables proxy auto discovery. + - key: AutoConfigURLString + title: Proxy server URL + type: + presence: optional + content: The URL to the location of the proxy auto-configuration file. Used only + when `ProxyAutoConfigEnable` is `true`. + - key: SupplementalMatchDomains + title: Supplemental match domains + type: + presence: optional + content: An array of domains that defines which hosts use proxy settings for hosts. + subkeys: *id001 + - key: Protocol + title: Protocol + type: + presence: optional + content: The dictionary to use to configure HTTP servers for `Proxies` for use + with `VPN`. + subkeys: + - key: HTTP + title: HTTP protocol + type: + presence: optional + content: The dictionary to use to configure the HTTP (non-TLS) server. + subkeys: + - key: Enable + title: Enable HTTP + type: + presence: optional + default: false + content: If `true`, enables proxy for HTTP traffic. + - key: HostName + title: HTTP host name + type: + presence: optional + content: The host name of the HTTP proxy. + - key: Port + title: HTTP port + type: + presence: optional + range: + min: 0 + max: 65535 + content: The port number of the HTTP proxy. This field is required if `HostName` + is specified. + - key: HTTPS + title: HTTPS protocol + type: + presence: optional + content: The dictionary to use to configure the HTTPS (TLS) server. + subkeys: + - key: Enable + title: Enable HTTPS + type: + presence: optional + default: false + content: If `true`, enables proxy for HTTPS traffic. + - key: HostName + title: HTTPS host name + type: + presence: optional + content: The host name of the HTTPS proxy. + - key: Port + title: HTTPS port + type: + presence: optional + range: + min: 0 + max: 65535 + content: The port number of the HTTPS proxy. This field is required if `HostName` + is specified. + - key: CredentialsAssetReference + title: Credentials asset reference + type: + assettypes: + - com.apple.asset.credential.userpassword + presence: optional + content: The identifier of an asset declaration that contains the credentials + (user name and password) to authenticate with the proxy server. +examples: + title: Configuration examples + files: + - tab: Shared secret + description: This configuration sets up an IPSec VPN using a shared secret and + group name for authentication. + file: examples/declarative/declarations/configurations/network.vpn.ipsec/example1.json + - tab: Certificate + description: This configuration sets up an IPSec VPN using a certificate identity + asset for authentication. + file: examples/declarative/declarations/configurations/network.vpn.ipsec/example2.json diff --git a/declarative/declarations/configurations/network.vpn.vpn-plugin.yaml b/declarative/declarations/configurations/network.vpn.vpn-plugin.yaml new file mode 100644 index 0000000..9680908 --- /dev/null +++ b/declarative/declarations/configurations/network.vpn.vpn-plugin.yaml @@ -0,0 +1,590 @@ +title: Network:VPN:VPN Plugin +description: The declaration to configure a VPN using the VPN plugin sub-type. +payload: + declarationtype: com.apple.configuration.network.vpn.vpn-plugin + supportedOS: + iOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - device + - local + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + macOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - local + allowed-scopes: + - system + tvOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - device + - local + allowed-scopes: + - system + visionOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - device + - local + allowed-scopes: + - system + watchOS: + introduced: n/a + apply: multiple +payloadkeys: +- key: VisibleName + title: Visible name + type: + presence: required + content: The name of the VPN connection that the system displays on the device. +- key: HostName + title: Host name + type: + presence: required + content: The IP address or hostname of the VPN server. +- key: SubType + title: VPN subtype + type: + presence: required + content: |- + An identifier for a vendor-specified configuration dictionary. + + If the configuration targets a VPN solution that uses a VPN plugin, then this field contains the bundle identifier of the plugin. Here are some examples: + + - Cisco AnyConnect: `com.cisco.anyconnect.applevpn.plugin` + - Juniper SSL: `net.juniper.sslvpn` + - F5 SSL: `com.f5.F5-Edge-Client.vpnplugin` + - SonicWALL Mobile Connect: `com.sonicwall.SonicWALL-SSLVPN.vpnplugin` + - ``Aruba VIA: `com.arubanetworks.aruba-via.vpnplugin` + + If the configuration targets a VPN solution that uses a network extension provider, then this field contains the bundle identifier of the app that contains the provider. Contact the VPN solution vendor for the value of the identifier. +- key: VendorConfig + title: Vendor configuration dictionary + type: + presence: optional + content: The vendor-specific configuration dictionary, which the system reads only + when `SubType` has a value. + subkeys: + - key: Realm + title: Realm + type: + presence: optional + content: The Kerberos realm name, which needs to be properly capitalized. Valid + only for Juniper SSL and Pulse Secure. + - key: Role + title: Role + type: + presence: optional + content: The role to select when connecting to the server. Valid only for Juniper + SSL and Pulse Secure. + - key: Group + title: Group + type: + presence: optional + content: The group to connect to on the head end. Valid for Cisco AnyConnect and + Cisco Legacy AnyConnect. + - key: LoginGroupOrDomain + title: Login group or domain + type: + presence: optional + content: The login group or domain. Valid only for SonicWALL Mobile Connect. +- key: Authentication + title: Authentication details + type: + presence: required + content: Settings that control authentication. + subkeys: + - key: Method + title: Authentication method + type: + presence: required + rangelist: + - Password + - Certificate + - Password+Certificate + content: The authentication method to use. + - key: CredentialsAssetReference + title: Credentials asset reference + type: + assettypes: + - com.apple.asset.credential.userpassword + presence: optional + content: The identifier of an asset declaration that contains the credentials + (user name and password) to authenticate with the VPN server. Required when + `Authentication.Method` is set to `Password`. + - key: IdentityAssetReference + title: Identity asset reference + type: + assettypes: + - com.apple.asset.credential.acme + - com.apple.asset.credential.identity + - com.apple.asset.credential.scep + presence: optional + content: The identifier of a credential asset declaration that contains the identity + that this account requires to authenticate with the VPN server. Required when + `Authentication.Method` is set to `Certificate`. +- key: Provider + title: Provider details + type: + presence: optional + content: Specifies details about the provider. + subkeys: + - key: Type + title: Type + type: + presence: optional + rangelist: + - packet-tunnel + - app-proxy + default: packet-tunnel + content: The type of VPN service. If the value is `app-proxy`, the service tunnels + traffic at the app level. If the value is `packet-tunnel`, the service tunnels + traffic at the IP layer. + - key: ComposedIdentifier + title: Composed identifier + type: + presence: optional + content: |- + If the `SubType` field contains the bundle identifier of an app that contains multiple VPN providers of the same type (app-proxy or packet-tunnel), then the system uses this field to choose which provider to use for this configuration. If the VPN provider is implemented as a System Extension, then this field is required. + + In iOS, tvOS, and visionOS, the identifier is a bundle ID, for example, "com.example.app". + + In macOS, the identifier is a composed identifier. The format of the composed identifier is either "Bundle-ID" or "Bundle-ID {Designated-Requirement}". "Bundle-ID" is the bundle identifier string of the provider. "Designated-Requirement" is the designated requirement string from the code signature of the provider. For example, "com.example.app" for the bundle ID format, or "com.example.app {anchor apple generic}" for the designated requirement format. +- key: NetworkRouting + title: Network routing details + supportedOS: + tvOS: + introduced: n/a + type: + presence: optional + content: Specifies details about how the VPN routes different types of network traffic. + subkeys: + - key: EnforceRoutes + title: Enforce routes + type: + presence: optional + default: false + content: |- + If `true`, all the VPN's non-default routes take precedence over any locally defined routes. + + If `IncludeAllNetworks` is `true`, the system ignores the value of `EnforceRoutes`. + - key: IncludeAllNetworks + title: Include all networks + type: + presence: optional + default: false + content: |- + If `true`, routes all traffic through the VPN, with some exclusions. Several of the exclusions can be controlled with the `ExcludeLocalNetworks`, `ExcludeCellularServices`, `ExcludeAPNs` and `ExcludeDeviceCommunication` properties. The following traffic is always excluded from the tunnel: + + - Traffic necessary for connecting and maintaining the device's network connection, such as DHCP. + - Traffic necessary for connecting to captive networks. + - Certain cellular services traffic that's not routable over the internet and is instead directly routed to the cellular network. See the ExcludeCellularServices property for more details. + - key: ExcludeLocalNetworks + title: Exclude local networks + type: + presence: optional + content: If `true` and `IncludeAllNetworks` is `true`, routes all local network + traffic outside the VPN. + - key: ExcludeCellularServices + title: Exclude cellular services + type: + presence: optional + default: true + content: If `true` and `IncludeAllNetworks` is `true`, then the system excludes + internet-routable network traffic for cellular services (VoLTE, Wi-Fi Calling, + IMS, MMS, Visual Voicemail, etc.) from the tunnel. Note that some cellular carriers + route cellular services traffic directly to the carrier network, bypassing the + internet. Such cellular services traffic is always excluded from the tunnel. + - key: ExcludeAPNs + title: Exclude APNs + type: + presence: optional + default: true + content: If `true` and `IncludeAllNetworks` is `true`, then the system excludes + the network traffic for the Apple Push Notification service (APNs) from the + tunnel. + - key: ExcludeDeviceCommunication + title: Exclude device communication + type: + presence: optional + default: true + content: If set to `true` and `IncludeAllNetworks` is set to `true`, the device + excludes network traffic used for communicating with devices connected via USB + or Wi-Fi from the tunnel. +- key: Idle + title: Disconnect on idle settings. + type: + presence: optional + content: Specifies details about how the system handles idle VPN connections. + subkeys: + - key: Disconnect + title: Enable disconnect on idle + type: + presence: optional + default: false + content: If `true`, disconnects after an on-demand connection idles. + - key: Timer + title: Disconnect on idle time + type: + presence: optional + content: The length of time to wait, in seconds, before disconnecting an on-demand + connection. +- key: OnDemand + title: On demand details + type: + presence: optional + content: Specifies details about how the system controls on-demand VPN. + subkeys: + - key: Enabled + title: Enable VPN on demand + type: + presence: optional + default: false + content: If `true`, enables VPN On Demand. + - key: DisableUserOverride + title: Prevent users from toggling VPN on demand + supportedOS: + macOS: + introduced: n/a + type: + presence: optional + default: false + content: If `true`, the device disables the Connect On Demand toggle in Settings + for this configuration. + - key: Rules + title: On demand rules + type: + presence: optional + content: An array of dictionaries defining On Demand Rules. + subkeytype: RulesElement + subkeys: + - key: RulesElement + title: Rules element + type: + subkeys: + - key: Action + title: On demand action + type: + presence: required + rangelist: + - Allow + - Connect + - Disconnect + - EvaluateConnection + - Ignore + content: |- + The action to take if this dictionary matches the current network. Possible values are: + - `Allow`: Deprecated. Allow VPN On Demand to connect if triggered. + - `Connect`: Unconditionally initiate a VPN connection on the next network attempt. + - `Disconnect`: Tear down the VPN connection and don't reconnect on demand as long as this dictionary matches. + - `EvaluateConnection`: Evaluate the ActionParameters array for each connection attempt. + - `Ignore`: Leave any existing VPN connection up, but don't reconnect on demand as long as this dictionary matches. + - key: ActionParameters + title: Action parameters + type: + presence: optional + content: An array of dictionaries that provides rules similar to the `OnDemandRules` + dictionary, but evaluated on each connection instead of when the network + changes. This value is only for use with dictionaries in which the `Action` + value is `EvaluateConnection`. The system evaluates these dictionaries in + order and the first dictionary that matches determines the behavior. + subkeys: + - key: ActionParameter + title: Action parameter + type: + presence: optional + content: |- + A dictionary that provides rules similar to the OnDemandRules dictionary, but evaluated on each connection instead of when the network changes. These dictionaries are evaluated in order, and the behavior is determined by the first dictionary that matches. + The keys allowed in each dictionary are described below. Note: This array is used only for dictionaries in which EvaluateConnection is the Action value. + subkeys: + - key: Domains + title: Domains + type: + presence: required + content: The domains to apply this evaluation. + subkeys: + - key: DomainsElement + title: Domains element + type: + - key: DomainAction + title: Domain action + type: + presence: required + rangelist: + - ConnectIfNeeded + - NeverConnect + content: |- + Defines the VPN behavior for the specified domains. Allowed values are: + * 'ConnectIfNeeded': The specified domains should trigger a VPN connection attempt if domain name resolution fails, such as when the DNS server indicates that it can't resolve the domain, responds with a redirection to a different server, or fails to respond (timeout). + * 'NeverConnect': The specified domains should never trigger a VPN connection attempt. + - key: RequiredDNSServers + title: Required DNS servers + type: + presence: optional + content: |- + An array of IP addresses of DNS servers to use for resolving the specified domains. These servers don't need to be part of the device's current network configuration. If these DNS servers aren't reachable, the system establishes a VPN connection. These DNS servers need to be either internal DNS servers or trusted external DNS servers. + This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'. + subkeys: + - key: RequiredDNSServersElement + title: Required DNS servers element + type: + - key: RequiredURLStringProbe + title: Required URL string probe + type: + presence: optional + content: |- + An HTTP or HTTPS (preferred) URL to probe, using a GET request. If the URL's hostname can't be resolved, if the server is unreachable, or if the server doesn't respond with a 200 HTTP status code, a VPN connection is established in response. + This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'. + - key: DNSDomainMatch + title: DNS domain match + type: + presence: optional + content: |- + An array of domain names. This rule matches if any of the domain names in the specified list matches any domain in the device's search domains list. + The system supports a wildcard (`*`) prefix. For example, `*.example.com` matches against either `mydomain.example.com` or `yourdomain.example.com`. + subkeys: + - key: DNSDomainMatchElement + title: DNS domain match element + type: + - key: DNSServerAddressMatch + title: DNS server address match + type: + presence: optional + content: |- + An array of IP addresses. This rule matches if any of the network's specified DNS servers match any entry in the array. + The system supports matching with a single wildcard. For example, `17.*` matches any DNS server in the `17.0.0.0/8` subnet. + subkeys: + - key: DNSServerAddressMatchElement + title: DNS server address match element + type: + - key: InterfaceTypeMatch + title: Interface type match + type: + presence: optional + rangelist: + - Ethernet + - WiFi + - Cellular + content: An interface type. If specified, this rule matches only if the primary + network interface hardware matches the specified type. + - key: SSIDMatch + title: SSID match + type: + presence: optional + content: |- + An array of SSIDs to match against the current network. If the network isn't a Wi-Fi network or if the SSID doesn't appear in this array, the match fails. + Omit this key and the corresponding array to match against any SSID. + subkeys: + - key: SSIDMatchElement + title: SSID match element + type: + - key: URLStringProbe + title: URL string probe + type: + presence: optional + content: A URL to probe. This rule matches when this URL is successfully fetched + (returns a `200` HTTP status code) without redirection. +- key: DNS + title: DNS + type: + presence: optional + content: A dictionary to use for all VPN types. + subkeys: + - key: Protocol + title: DNS protocol + type: + presence: required + rangelist: + - Cleartext + - HTTPS + - TLS + content: The transport protocol to communicate with the DNS server. + - key: ServerURL + title: Server URL + type: + presence: optional + content: The URI template of a DNS-over-HTTPS server, as defined in RFC 8484, + which needs to use the `https://` scheme. The system uses the hostname or address + in the URL to validate the server certificate. If `ServerAddresses` isn't specified, + the system uses the hostname or address in the URL to determine the server addresses. + This key is required if the `DNSProtocol` is `HTTPS`. + - key: ServerName + title: Server name + type: + presence: optional + content: The hostname of a DNS-over-TLS server to validate the server certificate, + as defined in RFC 7858. If `ServerAddresses` isn't specified, the system uses + the hostname to determine the server addresses. This key is required if the + `DNSProtocol` is `TLS`. + - key: ServerAddresses + title: DNS server addresses + type: + presence: required + content: The array of DNS server IP address strings. These IP addresses can be + a mixture of IPv4 and IPv6 addresses. + subkeys: + - key: ServerAddressesElement + title: Server address element + type: + - key: SearchDomains + title: DNS search domains + type: + presence: optional + content: The list of domain strings used to fully qualify single-label host names. + subkeys: + - key: SearchDomainsElement + title: Search domains element + type: + - key: DomainName + title: Domain name + type: + presence: optional + content: The primary domain of the tunnel. + - key: SupplementalMatchDomains + title: Supplemental match domains + type: + presence: optional + content: |- + The list of domain strings used to determine which DNS queries use the DNS resolver settings in `ServerAddresses`. The system uses this key to create a split DNS configuration where it resolves only hosts in certain domains using the tunnel's DNS resolver. The system uses the default resolver for hosts that aren't in one of the domains in this list. + + If `SupplementalMatchDomains` contains the empty string it becomes the default domain. + + Split-tunnel configurations can direct all DNS queries to the VPN DNS servers before the primary DNS servers. If the VPN tunnel becomes the network's default route, the servers listed in `ServerAddresses` become the default resolver and the system ignores the `SupplementalMatchDomains` list. + subkeys: &id001 + - key: SupplementalMatchDomainsElement + title: Supplemental match domains element + type: + - key: SupplementalMatchDomainsNoSearch + title: Supplemental match domains no search + type: + presence: optional + default: false + content: If `true`, don't append the domains in the `SupplementalMatchDomains` + list to the resolver's list of search domains. + - key: IdentityAssetReference + title: Identity asset reference + type: + assettypes: + - com.apple.asset.credential.acme + - com.apple.asset.credential.identity + - com.apple.asset.credential.scep + presence: optional + content: The identifier of a credential asset declaration that contains the identity + that the system uses to authenticate the user to the DNS resolver. +- key: Proxies + title: Proxies + type: + presence: optional + content: The dictionary to use to configure `Proxies` for use with `VPN`. + subkeys: + - key: AutoConfigEnable + title: Proxy auto config enable + type: + presence: optional + default: false + content: If `true`, enables automatic proxy configuration. + - key: AutoDiscoveryEnable + title: Proxy auto discovery enable + type: + presence: optional + default: true + content: If `true`, enables proxy auto discovery. + - key: AutoConfigURLString + title: Proxy server URL + type: + presence: optional + content: The URL to the location of the proxy auto-configuration file. Used only + when `ProxyAutoConfigEnable` is `true`. + - key: SupplementalMatchDomains + title: Supplemental match domains + type: + presence: optional + content: An array of domains that defines which hosts use proxy settings for hosts. + subkeys: *id001 + - key: Protocol + title: Protocol + type: + presence: optional + content: The dictionary to use to configure HTTP servers for `Proxies` for use + with `VPN`. + subkeys: + - key: HTTP + title: HTTP protocol + type: + presence: optional + content: The dictionary to use to configure the HTTP (non-TLS) server. + subkeys: + - key: Enable + title: Enable HTTP + type: + presence: optional + default: false + content: If `true`, enables proxy for HTTP traffic. + - key: HostName + title: HTTP host name + type: + presence: optional + content: The host name of the HTTP proxy. + - key: Port + title: HTTP port + type: + presence: optional + range: + min: 0 + max: 65535 + content: The port number of the HTTP proxy. This field is required if `HostName` + is specified. + - key: HTTPS + title: HTTPS protocol + type: + presence: optional + content: The dictionary to use to configure the HTTPS (TLS) server. + subkeys: + - key: Enable + title: Enable HTTPS + type: + presence: optional + default: false + content: If `true`, enables proxy for HTTPS traffic. + - key: HostName + title: HTTPS host name + type: + presence: optional + content: The host name of the HTTPS proxy. + - key: Port + title: HTTPS port + type: + presence: optional + range: + min: 0 + max: 65535 + content: The port number of the HTTPS proxy. This field is required if `HostName` + is specified. + - key: CredentialsAssetReference + title: Credentials asset reference + type: + assettypes: + - com.apple.asset.credential.userpassword + presence: optional + content: The identifier of an asset declaration that contains the credentials + (user name and password) to authenticate with the proxy server. +examples: + title: Configuration examples + files: + - tab: Password + description: This configuration sets up a VPN plugin using username and password + credentials from an asset. + file: examples/declarative/declarations/configurations/network.vpn.vpn-plugin/example1.json + - tab: Certificate + description: This configuration sets up a VPN plugin using a certificate identity + asset for authentication. + file: examples/declarative/declarations/configurations/network.vpn.vpn-plugin/example2.json diff --git a/declarative/declarations/configurations/package.yaml b/declarative/declarations/configurations/package.yaml index c2f737b..9826d37 100644 --- a/declarative/declarations/configurations/package.yaml +++ b/declarative/declarations/configurations/package.yaml @@ -1,5 +1,5 @@ title: Package -description: The declaration to install a package. +description: The declaration to configure a package. payload: declarationtype: com.apple.configuration.package supportedOS: @@ -27,7 +27,7 @@ payloadkeys: The manifest is returned as a `ManifestURL` property list. The `url` property of the manifest must point to the package (.pkg) file to install. - key: InstallBehavior - title: Install Behavior + title: Install behavior type: presence: optional content: A dictionary that describes how and when to install the package. @@ -45,8 +45,29 @@ payloadkeys: - `Optional`: The user can install the package after the system activates the configuration. - `Required`: The system installs the package after it activates the configuration. +- key: UninstallBehavior + title: Uninstall behavior + supportedOS: + macOS: + introduced: '27.0' + type: + presence: optional + content: A dictionary that describes how to uninstall the package. + subkeys: + - key: Remove + title: Remove + type: + presence: optional + default: false + content: If `true`, the system removes the files that the package installs when + removing the configuration. notes: - title: '' content: This declaration installs a package on a device. Packages can contain apps, fonts, documents, and other items. Apps that a package installs aren't automatically managed; you can manage them using the `AppManaged` declaration. +examples: + title: Configuration example + files: + - description: This configuration installs a required package. + file: examples/declarative/declarations/configurations/package/example1.json diff --git a/declarative/declarations/configurations/passcode.settings.yaml b/declarative/declarations/configurations/passcode.settings.yaml index 4db085c..684e1cd 100644 --- a/declarative/declarations/configurations/passcode.settings.yaml +++ b/declarative/declarations/configurations/passcode.settings.yaml @@ -43,7 +43,7 @@ payload: apply: combined payloadkeys: - key: RequirePasscode - title: Require Passcode on Device + title: Require passcode on device type: presence: optional default: false @@ -52,7 +52,7 @@ payloadkeys: about the length or quality of the passcode. The presence of any other keys implicitly requires a passcode, and overrides this key's value. - key: RequireAlphanumericPasscode - title: Require Alphanumeric Passcode + title: Require alphanumeric passcode supportedOS: iOS: introduced: '16.2' @@ -67,7 +67,7 @@ payloadkeys: content: If `true`, the passcode needs to consist of at least one alphabetic character and at least one number. - key: RequireComplexPasscode - title: Require Complex Passcode + title: Require complex passcode type: presence: optional default: false @@ -76,7 +76,7 @@ payloadkeys: one that doesn't contain repeated characters or increasing or decreasing characters (such as 123 or CBA). - key: MinimumLength - title: Minimum Passcode Length + title: Minimum passcode length type: presence: optional range: @@ -86,7 +86,7 @@ payloadkeys: combinetype: number-max content: The minimum number of characters a passcode can contain. - key: MinimumComplexCharacters - title: Minimum Complex Characters + title: Minimum complex characters supportedOS: iOS: introduced: '16.2' @@ -105,7 +105,7 @@ payloadkeys: character is a character other than a number or a letter, such as `&`, `%`, `$`, and `#`. - key: MaximumFailedAttempts - title: Maximum Number of Failed Attempts + title: Maximum number of failed attempts type: presence: optional range: @@ -118,7 +118,7 @@ payloadkeys: After the final failed attempt, the system locks a macOS device, or securely erases all data and settings from an iOS, visionOS, or watchOS device. - key: FailedAttemptsResetInMinutes - title: Failed Attempts Reset + title: Failed attempts reset supportedOS: iOS: introduced: n/a @@ -135,7 +135,7 @@ payloadkeys: of failed attempts. Also set the `MaximumFailedAttempts` key for this to take effect. - key: MaximumGracePeriodInMinutes - title: Maximum Grace Period + title: Maximum grace period type: presence: optional combinetype: number-min @@ -144,7 +144,7 @@ payloadkeys: requires a passcode immediately. In the absence of this key, the user can select any period. In macOS, the system translates this to screensaver settings. - key: MaximumInactivityInMinutes - title: Automatic Device Lock + title: Automatic device lock type: presence: optional range: @@ -157,7 +157,7 @@ payloadkeys: the absence of this key, the user can select any period. In macOS, the system translates this to screensaver settings. - key: MaximumPasscodeAgeInDays - title: Maximum Passcode Age + title: Maximum passcode age supportedOS: iOS: introduced: '16.2' @@ -173,7 +173,7 @@ payloadkeys: After this number of days, the system forces the user to change the passcode before it unlocks the device. - key: PasscodeReuseLimit - title: Passcode Reuse Limit + title: Passcode reuse limit type: presence: optional range: @@ -185,7 +185,7 @@ payloadkeys: passcode within the specified passcode history range. In the absence of this key, the system performs no historical check. - key: ChangeAtNextAuth - title: Change At Next Auth + title: Change at next auth supportedOS: iOS: introduced: n/a @@ -204,6 +204,7 @@ payloadkeys: channel), the setting takes effect for all users, and admin authentication may fail until the admin user password is also reset. - key: CustomRegex + title: Custom regex supportedOS: iOS: introduced: n/a @@ -228,6 +229,7 @@ payloadkeys: whether it complies with a policy. The regular expression uses the ICU syntax. The string can't exceed 2048 characters in length. - key: Description + title: Description type: presence: optional content: A dictionary with supported OS language IDs for the keys (such as `en-US`), @@ -255,3 +257,12 @@ notes: - `RequireComplexPasscode`: always set to `true` - `MinimumLength`: always set to `6` - `MaximumInactivityInMinutes`: if this key is present its value is ignored, but the `never` option is removed in the Settings UI. +examples: + title: Configuration examples + files: + - tab: Complex + description: This configuration applies a complex passcode policy. + file: examples/declarative/declarations/configurations/passcode.settings/example1.json + - tab: Regular expression + description: This configuration applies a passcode policy using a regular expression. + file: examples/declarative/declarations/configurations/passcode.settings/example2.json diff --git a/declarative/declarations/configurations/safari.bookmarks.yaml b/declarative/declarations/configurations/safari.bookmarks.yaml index 5427d4a..1c8d10f 100644 --- a/declarative/declarations/configurations/safari.bookmarks.yaml +++ b/declarative/declarations/configurations/safari.bookmarks.yaml @@ -33,12 +33,13 @@ payload: apply: combined payloadkeys: - key: ManagedBookmarks - title: Managed Bookmarks + title: Managed bookmarks type: presence: optional content: A dictionary that specifies a set of managed bookmarks. subkeys: - key: BookmarkGroup + title: Bookmark group type: presence: required content: A group of managed bookmarks. @@ -67,6 +68,7 @@ payloadkeys: subkeytype: BookmarksItem subkeys: - key: bookmarks-item + title: Bookmarks item type: presence: required content: A bookmark that specifies a title, and either a URL for the bookmark, @@ -96,8 +98,15 @@ payloadkeys: subkeytype: BookmarksItem subkeys: - key: folder-item + title: Folder item type: presence: required content: A bookmark that specifies a title, and either a URL for the bookmark, or a nested folder of bookmarks. subkeys: *id001 +examples: + title: Configuration example + files: + - description: 'This configuration applies a set of managed bookmarks: two bookmarks + and one bookmarks folder, which contains two more bookmarks.' + file: examples/declarative/declarations/configurations/safari.bookmarks/example1.json diff --git a/declarative/declarations/configurations/safari.extensions.settings.yaml b/declarative/declarations/configurations/safari.extensions.settings.yaml index 4e62191..66b9b63 100644 --- a/declarative/declarations/configurations/safari.extensions.settings.yaml +++ b/declarative/declarations/configurations/safari.extensions.settings.yaml @@ -31,7 +31,7 @@ payload: apply: combined payloadkeys: - key: ManagedExtensions - title: Managed Extensions + title: Managed extensions type: presence: optional content: |- @@ -57,12 +57,12 @@ payloadkeys: - AlwaysOff combinetype: enum-last content: |- - Controls whether an extension is allowed. + Controls whether an extension is allowed. The device uses this key when the extension identifier is a composed identifier or a single "*" character. * `Allowed` - The user is allowed to turn the extension on or off. * `AlwaysOn` - The extension will always be on. * `AlwaysOff` - The extension will always be off. - key: PrivateBrowsing - title: Private Browsing state + title: Private browsing state type: presence: optional rangelist: @@ -71,7 +71,7 @@ payloadkeys: - AlwaysOff combinetype: enum-last content: |- - Controls whether an extension is allowed in Private Browsing. + Controls whether an extension is allowed in Private Browsing. The device uses this key when the extension identifier is a composed identifier or a single "*" character. * `Allowed` - The user is allowed to turn the extension on or off in Private Browsing. * `AlwaysOn` - The extension will always be on in Private Browsing if the extension is on outside of Private Browsing. * `AlwaysOff` - The extension will never be on in Private Browsing. @@ -80,8 +80,8 @@ payloadkeys: type: presence: optional combinetype: set-union - content: Controls the domains and sub-domains the extension is granted access - to. + content: Controls the domains and sub-domains the extension can access. The + device ignores this key when the extension identifier is a single "*" character. subkeys: - key: Domain title: Domain @@ -93,7 +93,8 @@ payloadkeys: presence: optional combinetype: set-union content: Controls the domains and sub-domains the extension isn't allowed to - access. + access. The device uses this key when the extension identifier is a composed + identifier or a single "*" character. subkeys: - key: Domain title: Domain @@ -144,3 +145,21 @@ notes: "AllowedDomains": ["public.example.com"], "DeniedDomains": ["*example.com"] ``` +examples: + title: Configuration examples + files: + - tab: Disallow all + description: This configuration disables all Safari extensions. + file: examples/declarative/declarations/configurations/safari.extensions.settings/example1.json + - tab: Allow one + description: This configuration disables all Safari extensions, except for one + that it requires. + file: examples/declarative/declarations/configurations/safari.extensions.settings/example2.json + - tab: Disallow private browsing + description: This configuration allows all Safari extensions, but one isn't allowed + in private browsing. + file: examples/declarative/declarations/configurations/safari.extensions.settings/example3.json + - tab: Disallow domain + description: This configuration allows all Safari extensions, but one isn't allowed + for use with a domain and its sub-domains. + file: examples/declarative/declarations/configurations/safari.extensions.settings/example4.json diff --git a/declarative/declarations/configurations/safari.settings.yaml b/declarative/declarations/configurations/safari.settings.yaml index 9134f9d..d79ed00 100644 --- a/declarative/declarations/configurations/safari.settings.yaml +++ b/declarative/declarations/configurations/safari.settings.yaml @@ -33,7 +33,7 @@ payload: apply: combined payloadkeys: - key: AcceptCookies - title: Accept Cookies + title: Accept cookies supportedOS: iOS: allowed-enrollments: @@ -59,7 +59,7 @@ payloadkeys: - `VisitedWebsites`: Safari allows cookies only from visited websites. - `Always`: Safari always allows cookies. - key: AllowDisablingFraudWarning - title: Allow Disabling Fraud Warning + title: Allow disabling fraud warning supportedOS: iOS: allowed-enrollments: @@ -74,7 +74,7 @@ payloadkeys: combinetype: boolean-and content: If `false`, the system forces fraud warnings on in Safari. - key: AllowHistoryClearing - title: Allow History Clearing + title: Allow history clearing supportedOS: iOS: allowed-enrollments: @@ -103,7 +103,7 @@ payloadkeys: combinetype: boolean-and content: If `false`, the system disables JavaScript in Safari. - key: AllowPrivateBrowsing - title: Allow Private Browsing + title: Allow private browsing supportedOS: iOS: allowed-enrollments: @@ -117,7 +117,7 @@ payloadkeys: combinetype: boolean-and content: If `false`, the system disables private browsing in Safari. - key: AllowPopups - title: Allow Popups + title: Allow popups supportedOS: iOS: allowed-enrollments: @@ -132,7 +132,7 @@ payloadkeys: combinetype: boolean-and content: If `false`, the system disables popups in Safari. - key: AllowSummary - title: Allow Summary + title: Allow summary supportedOS: iOS: allowed-enrollments: @@ -146,12 +146,13 @@ payloadkeys: combinetype: boolean-and content: If `false`, the system disables summarization of content in Safari. - key: NewTabStartPage - title: New Tab Start Page + title: New tab start page type: presence: optional content: Sets the start page for new tabs in Safari. subkeys: - key: PageType + title: Page type type: presence: required rangelist: @@ -177,3 +178,109 @@ payloadkeys: content: The composed identifier of the extension that provides the start page. The required format is "Identifier (TeamIdentifier)", for example "com.example.app (ABCD1234)". Required when setting `PageType` to `Extension`. +- key: Privacy + title: Website privacy + supportedOS: + iOS: + introduced: '27.0' + allowed-enrollments: + - supervised + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - user + macOS: + introduced: '27.0' + allowed-enrollments: + - supervised + allowed-scopes: + - user + visionOS: + introduced: n/a + type: + presence: optional + content: The dictionary of website privacy settings. + subkeys: + - key: PermissionDefaults + title: Website privacy permission defaults + type: + presence: optional + content: |- + The dictionary of website permission defaults. Each key in the dictionary represents a single website, or a website and its sub-domains. The dictionary values represent the permission defaults that Safari applies for each website that matches the key. + + Safari supports the following patterns for the website key: + + - A specific domain such as "example.com" or "www.example.com". The permission defaults apply to that website only. + - A wildcard domain that uses a single "\*" character as a prefix for the domain, such as "\*example.com". The permission defaults apply to both the exact domain "example.com", and any sub-domains such as "www.example.com". It won't match other domains with a similar string suffix such as "myexample.com". + + When multiple patterns match a website, Safari uses the most precise pattern. For example, for the website "www.example.com", if rules "www.example.com" and "*example.com" match, Safari uses the former. + subkeys: + - key: ANY + type: + presence: optional + content: The dictionary that defines the website privacy permission defaults. + Each key represents a website. + subkeytype: WebsiteDictionary + subkeys: + - key: OrganizationJustification + title: Organization justification + type: + presence: required + content: Text that clearly explains to the Safari user the reason why the + organization requires these website privacy permission defaults. Safari + includes this text in the permission consent prompt it displays when it + first displays the website. + - key: Camera + title: Camera permission + type: + presence: optional + rangelist: + - None + - Allow + combinetype: enum-last + content: |- + Controls whether a website privacy permission default is set. + * `None`: Safari sets no website privacy permission default for use of the camera. + * `Allow`: Safari sets the website privacy permission default to allow use of the camera. + - key: Microphone + title: Microphone permission + type: + presence: optional + rangelist: + - None + - Allow + combinetype: enum-last + content: |- + Controls whether a website privacy permission default is set. + * `None`: Safari sets no website privacy permission default for use of the microphone. + * `Allow`: Safari sets the website privacy permission default to allow use of the microphone. +notes: +- title: Privacy permission defaults + content: |- + Privacy permission defaults allow an organization to suggest a set of privacy permissions for use on a website. When set, Safari displays a consent prompt listing all the configured defaults. If the user accepts, the system applies those defaults for the website. If the user declines, no defaults are set and Safari prompts the user in the normal way when the website requires permission. + + The consent prompt only shows permissions that the user hasn't previously seen, and won't appear if the user has seen all permissions. The user can choose from one of two options in the prompt: + + * `Allow`: this option sets the website privacy permissions for the specified sub-systems (camera or microphone) to "Allow". Safari doesn't prompt the user when the website uses the sub-system. + * `Not Now`: this option ignores the website privacy permission defaults for the specified sub-systems (camera or microphone). Safari prompts the user in the normal way when the website uses the sub-system. + + The user can change the website privacy permission settings in Safari settings if they choose. +examples: + title: Configuration examples + files: + - tab: Start page + description: This configuration sets the Safari start page to show a specific + website. + file: examples/declarative/declarations/configurations/safari.settings/example1.json + - tab: Restrictions + description: This configuration restricts several Safari features. + file: examples/declarative/declarations/configurations/safari.settings/example2.json + - tab: Website privacy (1) + description: This configuration sets the camera permission default in Safari for + one specific website. + file: examples/declarative/declarations/configurations/safari.settings/example3.json + - tab: Website privacy (2) + description: This configuration sets the camera and microphone permission defaults + in Safari for a specific website and its child websites. + file: examples/declarative/declarations/configurations/safari.settings/example4.json diff --git a/declarative/declarations/configurations/screensharing.connection.group.yaml b/declarative/declarations/configurations/screensharing.connection.group.yaml index bef69ec..2c953a2 100644 --- a/declarative/declarations/configurations/screensharing.connection.group.yaml +++ b/declarative/declarations/configurations/screensharing.connection.group.yaml @@ -23,26 +23,32 @@ payload: apply: multiple payloadkeys: - key: ConnectionGroupUUID - title: Unique Identifier + title: Unique identifier type: presence: required content: A unique identifier for this connection group. - key: GroupName - title: Group Name + title: Group name type: presence: required content: The name of the connection group. - key: Members - title: Group Members + title: Group members type: presence: required content: An array of `ConnectionUUID`s that represent connections declared in `ScreenSharingConnection` configurations that are members of this group. subkeys: - key: ConnectionUUID + title: Connection UUID type: related-status-items: - status-items: - screensharing.connection.group.unresolved-connection note: Any unresolved connection groups in the configuration will appear in the corresponding status item. +examples: + title: Configuration example + files: + - description: This configuration defines a group of screen-sharing connections. + file: examples/declarative/declarations/configurations/screensharing.connection.group/example1.json diff --git a/declarative/declarations/configurations/screensharing.connection.yaml b/declarative/declarations/configurations/screensharing.connection.yaml index 0f1d391..cdb5c9e 100644 --- a/declarative/declarations/configurations/screensharing.connection.yaml +++ b/declarative/declarations/configurations/screensharing.connection.yaml @@ -23,7 +23,7 @@ payload: apply: multiple payloadkeys: - key: ConnectionUUID - title: Unique Identifier + title: Unique identifier type: presence: required content: A unique identifier for this connection when it's in a connection group. @@ -33,22 +33,23 @@ payloadkeys: presence: required content: The name of the connection. - key: HostName - title: Host Name + title: Host name type: presence: required content: The host name or IP address of the Mac that hosts the screen-sharing connection. - key: Port - title: TCP Port + title: TCP port type: presence: optional content: The TCP port number on the host to initiate the connection. - key: DisplayConfiguration - title: Display Configuration + title: Display configuration type: presence: required content: The display configuration for this connection. subkeys: - key: DisplayType + title: Display type type: presence: required rangelist: @@ -60,7 +61,7 @@ payloadkeys: - `Virtual1`: Create one virtual display. - `Virtual2`: Create two virtual displays. - key: AuthenticationCredentialsAssetReference - title: Authentication Credentials Asset Reference + title: Authentication credentials asset reference type: assettypes: - com.apple.asset.credential.userpassword @@ -68,3 +69,9 @@ payloadkeys: content: The identifier of an asset declaration that contains the required credentials for this connection to authenticate with the screen-sharing server. Set the corresponding asset type to `com.apple.asset.credential.userpassword`. +examples: + title: Configuration example + files: + - description: This configuration sets up a screen-sharing connection to a remote + Mac. + file: examples/declarative/declarations/configurations/screensharing.connection/example1.json diff --git a/declarative/declarations/configurations/screensharing.host.settings.yaml b/declarative/declarations/configurations/screensharing.host.settings.yaml index 8ca3f47..ff63b70 100644 --- a/declarative/declarations/configurations/screensharing.host.settings.yaml +++ b/declarative/declarations/configurations/screensharing.host.settings.yaml @@ -21,7 +21,7 @@ payload: apply: single payloadkeys: - key: MaximumVirtualDisplays - title: Maximum number of Virtual Displays + title: Maximum number of virtual displays type: presence: optional range: @@ -29,7 +29,7 @@ payloadkeys: max: 2 content: The maximum number of virtual displays to make available to clients. - key: PortBase - title: UDP Port base + title: UDP port base type: presence: optional range: @@ -54,9 +54,14 @@ payloadkeys: content: If `true`, the system prevents users from copying files to the screen-sharing host. - key: PreventHighPerformanceConnections - title: Prevent High Performance connections + title: Prevent high performance connections type: presence: optional default: false content: If `true`, the system prevents clients from establishing high-performance connections to the host. +examples: + title: Configuration example + files: + - description: This configuration manages screen-sharing host settings and restrictions. + file: examples/declarative/declarations/configurations/screensharing.host.settings/example1.json diff --git a/declarative/declarations/configurations/security.certificate.yaml b/declarative/declarations/configurations/security.certificate.yaml index ccddf26..8e20f9e 100644 --- a/declarative/declarations/configurations/security.certificate.yaml +++ b/declarative/declarations/configurations/security.certificate.yaml @@ -1,5 +1,5 @@ title: Security:Certificate -description: The declaration to add a certificate to the device. +description: The declaration to configure a certificate. payload: declarationtype: com.apple.configuration.security.certificate supportedOS: @@ -63,3 +63,8 @@ related-status-items: - status-items: - security.certificate.list note: Each configuration will have a corresponding status item. +examples: + title: Configuration example + files: + - description: This configuration installs a certificate on the device. + file: examples/declarative/declarations/configurations/security.certificate/example1.json diff --git a/declarative/declarations/configurations/security.identity.yaml b/declarative/declarations/configurations/security.identity.yaml index f20bb08..2ee02cd 100644 --- a/declarative/declarations/configurations/security.identity.yaml +++ b/declarative/declarations/configurations/security.identity.yaml @@ -1,5 +1,5 @@ title: Security:Identity -description: The declaration to install an identity on the device. +description: The declaration to configure an identity. payload: declarationtype: com.apple.configuration.security.identity supportedOS: @@ -94,3 +94,8 @@ related-status-items: - status-items: - security.certificate.list note: Each configuration will have a corresponding status item. +examples: + title: Configuration example + files: + - description: This configuration installs a certificate identity on the device. + file: examples/declarative/declarations/configurations/security.identity/example1.json diff --git a/declarative/declarations/configurations/security.passkey.attestation.yaml b/declarative/declarations/configurations/security.passkey.attestation.yaml index 6d7c890..e2df9a1 100644 --- a/declarative/declarations/configurations/security.passkey.attestation.yaml +++ b/declarative/declarations/configurations/security.passkey.attestation.yaml @@ -56,3 +56,9 @@ payloadkeys: - key: RelyingParty title: Relying party type: +examples: + title: Configuration example + files: + - description: This configuration enables enterprise passkey attestation for a relying + party. + file: examples/declarative/declarations/configurations/security.passkey.attestation/example1.json diff --git a/declarative/declarations/configurations/services.background-tasks.yaml b/declarative/declarations/configurations/services.background-tasks.yaml index bb235c2..8536ab4 100644 --- a/declarative/declarations/configurations/services.background-tasks.yaml +++ b/declarative/declarations/configurations/services.background-tasks.yaml @@ -20,19 +20,19 @@ payload: apply: multiple payloadkeys: - key: TaskType - title: Task Type + title: Task type type: presence: required content: The unique identifier of the set of background tasks managed with this configuration. This should be a reverse DNS style identifier. The system uses this identifier to differentiate between tasks in different configurations. - key: TaskDescription - title: Task Description + title: Task description type: presence: optional content: A description of the set of background tasks managed by this configuration. - key: ExecutableAssetReference - title: Executable Asset Reference + title: Executable asset reference type: assettypes: - com.apple.asset.data @@ -46,18 +46,19 @@ payloadkeys: This file should contain background task executables, scripts, and configuration files, but not the `launchd` configuration files. - key: LaunchdConfigurations - title: Launchd Configurations + title: Launchd configurations type: presence: optional content: An array of `launchd` configuration files used to run the background tasks. subkeys: - key: launchd-item + title: Launchd item type: presence: required content: A dictionary of launchd configurations. subkeys: - key: FileAssetReference - title: File Asset Reference + title: File asset reference type: assettypes: - com.apple.asset.data @@ -73,14 +74,14 @@ payloadkeys: The asset's "ContentType" and "Hash-SHA-256" keys in the "Reference" key are required. - key: Context - title: Launchd Context + title: Launchd context type: presence: required rangelist: - daemon - agent - content: Indicates whether the launchd configuration file is applied to the - system daemon, or system agent domain. + content: Indicates whether the system applies the launchd configuration file + to the system daemon or system agent domain. related-status-items: - status-items: - services.background-task @@ -99,3 +100,8 @@ notes: > Note: > If an executable is an app, the system can't manage the app as it can only manage apps installed in `/Applications`. Also, the system can't use system extensions in the app as it only loads them from apps installed in `/Applications`. +examples: + title: Configuration example + files: + - description: This configuration sets up a background task using a launchd daemon. + file: examples/declarative/declarations/configurations/services.background-tasks/example1.json diff --git a/declarative/declarations/configurations/services.configuration-files.yaml b/declarative/declarations/configurations/services.configuration-files.yaml index b91b40b..1c9104e 100644 --- a/declarative/declarations/configurations/services.configuration-files.yaml +++ b/declarative/declarations/configurations/services.configuration-files.yaml @@ -1,5 +1,5 @@ title: Services Configuration Files -description: The managed configuration files for services. +description: The declaration to configure managed configuration files for services. payload: declarationtype: com.apple.configuration.services.configuration-files supportedOS: @@ -20,13 +20,13 @@ payload: apply: multiple payloadkeys: - key: ServiceType - title: Service Type + title: Service type type: presence: required content: The identifier of the system service with managed configuration files. Use a reverse DNS style for this identifier. - key: DataAssetReference - title: Data Asset Reference + title: Data asset reference type: assettypes: - com.apple.asset.data @@ -87,3 +87,8 @@ notes: > Important: > The system reserves the `com.apple` prefix for built-in services. +examples: + title: Configuration example + files: + - description: This configuration deploys configuration files for a system service. + file: examples/declarative/declarations/configurations/services.configuration-files/example1.json diff --git a/declarative/declarations/configurations/siri.settings.yaml b/declarative/declarations/configurations/siri.settings.yaml index 703c970..1ca86d7 100644 --- a/declarative/declarations/configurations/siri.settings.yaml +++ b/declarative/declarations/configurations/siri.settings.yaml @@ -20,7 +20,11 @@ payload: - system - user tvOS: - introduced: n/a + introduced: '27.0' + allowed-enrollments: + - supervised + allowed-scopes: + - system visionOS: introduced: '26.4' allowed-enrollments: @@ -34,7 +38,6 @@ payload: allowed-scopes: - system apply: combined - content: Configures Siri settings. payloadkeys: - key: Enabled title: Enabled @@ -47,10 +50,12 @@ payloadkeys: combinetype: boolean-and content: If `false`, disables Siri. - key: AllowUserGeneratedContent - title: Allow User Generated Content + title: Allow user generated content supportedOS: macOS: introduced: n/a + tvOS: + introduced: n/a visionOS: introduced: n/a type: @@ -59,10 +64,12 @@ payloadkeys: combinetype: boolean-and content: If `false`, disables Siri user-generated content. - key: AllowWhileLocked - title: Allow While Locked + title: Allow while locked supportedOS: macOS: introduced: n/a + tvOS: + introduced: n/a visionOS: introduced: n/a type: @@ -71,8 +78,10 @@ payloadkeys: combinetype: boolean-and content: If `false`, disables Siri while locked. - key: ForceProfanityFilter - title: Force Profanity Filter + title: Force profanity filter supportedOS: + tvOS: + introduced: n/a visionOS: introduced: n/a watchOS: @@ -82,3 +91,9 @@ payloadkeys: default: false combinetype: boolean-or content: If `true`, forces Siri profanity filter. +examples: + title: Configuration examples + files: + - tab: Siri Restrictions + description: This configuration restricts Siri features. + file: examples/declarative/declarations/configurations/siri.settings/example1.json diff --git a/declarative/declarations/configurations/softwareupdate.enforcement.specific.yaml b/declarative/declarations/configurations/softwareupdate.enforcement.specific.yaml index 4b3ddb1..4abb6d6 100644 --- a/declarative/declarations/configurations/softwareupdate.enforcement.specific.yaml +++ b/declarative/declarations/configurations/softwareupdate.enforcement.specific.yaml @@ -1,5 +1,6 @@ title: Software Update:Enforcement:Specific -description: A software update enforcement policy for a specific OS release. +description: The declaration to configure a software update enforcement policy for + a specific OS release. payload: declarationtype: com.apple.configuration.softwareupdate.enforcement.specific supportedOS: @@ -38,13 +39,13 @@ payload: apply: multiple payloadkeys: - key: TargetOSVersion - title: Target OS Version + title: Target OS version type: presence: required content: The target OS version to update the device to by the appropriate time. This is the OS version number, for example, `16.1`. - key: TargetBuildVersion - title: Target Build Version + title: Target build version type: presence: optional content: The target build version to update the device to by the appropriate time, @@ -52,13 +53,13 @@ payloadkeys: The build version can include a supplemental version identifier, for example, `20A242a`. - key: TargetLocalDateTime - title: Target Local Date Time + title: Target local date time type: presence: required content: The local date time value that specifies when to force install the software - update. Use the format `yyyy-mm-ddThh:mm:ss`, which is derived from RFC3339 but - doesn't include a time zone offset. If the user doesn't trigger the software update - before this time, the device force installs it. + update. Use the format `yyyy-mm-ddThh:mm:ss`, which is derived from RFC 3339 but + doesn't include a time zone offset or fractional seconds. If the user doesn't + trigger the software update before this time, the device force installs it. - key: DetailsURL title: Details URL type: @@ -79,8 +80,14 @@ notes: To determine available software updates to show to an admin, a device management service uses the Apple GDMF service via `https://gdmf.apple.com/v2/pmv`. Configurations only enforce a software update if GDMF has the corresponding OS version or build available. So device management services need to regularly check available versions, and adjust the list shown to admins, and also remove any deployed configurations that use OS versions or builds that are no longer available. Device management services should check GDMF no more than once a day. - If the `TargetOSVersion` is an OS version that includes both a minor and patch version, the system installs that specific version, for example, `16.1.1`. If the minor version doesn't include a patch version, the system installs the latest available patch version. For example, if the `TargetOSVersion` is `16.1` and a `.1` patch is available, the system installs `16.1.1`. + The system installs the specific version set in the `TargetOSVersion`, and it won't install a patch version if only a minor version is set. The system can only install a supplemental software update on a device that already has the base OS version installed. For example, the system can only install a `16.1`(a) update on a device that currently has `16.1` installed, but it can't install that update on a device that has only `16.0` installed. To update to a supplemental version from an older base version, use two configurations. Use the first configuration to update to the new base version, and the second configuration to update the new base version to its supplemental version. If the device isn't running at the target date-time, the system enforces the software update 1 hour after restarting, or when the device meets all required conditions, such as minimum battery level. +examples: + title: Configuration example + files: + - description: This configuration enforces a software update to a specific OS version + and build at a specified time. + file: examples/declarative/declarations/configurations/softwareupdate.enforcement.specific/example1.json diff --git a/declarative/declarations/configurations/softwareupdate.settings.yaml b/declarative/declarations/configurations/softwareupdate.settings.yaml index 3c3c2b0..018c200 100644 --- a/declarative/declarations/configurations/softwareupdate.settings.yaml +++ b/declarative/declarations/configurations/softwareupdate.settings.yaml @@ -38,7 +38,7 @@ payload: apply: combined payloadkeys: - key: Notifications - title: Software Update Notifications + title: Software update notifications type: presence: optional default: true @@ -48,7 +48,7 @@ payloadkeys: If set to `false`, the device only shows notifications triggered one hour before the enforcement deadline, and the restart countdown notification. - key: Deferrals - title: Software Update Deferrals + title: Software update deferrals supportedOS: iOS: allowed-enrollments: @@ -65,7 +65,7 @@ payloadkeys: Improvements aren't considered in `Major`, `Minor`, or `System` deferral mechanism. subkeys: - key: CombinedPeriodInDays - title: Combined Major/Minor Update Deferral Period + title: Combined major/minor update deferral period supportedOS: macOS: introduced: n/a @@ -77,9 +77,9 @@ payloadkeys: combinetype: number-max content: Specifies the number of days to defer a major or minor OS software update on the device. When set, software updates only appear after the specified delay, - following the release of the software update. Available in iOS 18 and later. + following the release of the software update. - key: MajorPeriodInDays - title: Major Update Deferral Period + title: Major update deferral period supportedOS: iOS: introduced: n/a @@ -95,9 +95,9 @@ payloadkeys: combinetype: number-max content: Specifies the number of days to defer a major OS software update on the device. When set, software updates only appear after the specified delay, following - the release of the software update. Available in macOS 15 and later. + the release of the software update. - key: MinorPeriodInDays - title: Minor Update Deferral Period + title: Minor update deferral period supportedOS: iOS: introduced: n/a @@ -114,9 +114,8 @@ payloadkeys: content: Specifies the number of days to defer a minor OS software update on the device. It also defers major updates for iOS. When set, software updates only appear after the specified delay, following the release of the software update. - Available in macOS 15 and later. - key: SystemPeriodInDays - title: System Update Deferral Period + title: System update deferral period supportedOS: iOS: introduced: n/a @@ -132,9 +131,9 @@ payloadkeys: combinetype: number-max content: Specifies the number of days to defer system or non-OS updates. When set, updates only appear after the specified delay, following the release of - the update. Available in macOS 15 and later. + the update. - key: RecommendedCadence - title: Software Update Recommended Cadence + title: Software update recommended cadence supportedOS: macOS: introduced: n/a @@ -154,7 +153,7 @@ payloadkeys: - `Oldest` - Shows only the oldest (lower numbered) software update version. - `Newest` - Shows only the newest (highest numbered) software update version. - key: AutomaticActions - title: Automatic Software Update Settings + title: Automatic software update settings supportedOS: iOS: allowed-enrollments: @@ -204,6 +203,9 @@ payloadkeys: - `Allowed` - the user can enable or disable automatic installation. - `AlwaysOn` - automatic installations are always enabled. - `AlwaysOff` - automatic installations are always disabled. + + > Note: + > The device uses this only with automatic downloads enabled. - key: InstallSecurityUpdate title: Automatic installs of available security updates. supportedOS: @@ -223,8 +225,11 @@ payloadkeys: - `Allowed` - the user can enable or disable automatic installation. - `AlwaysOn` - automatic installations are always enabled. - `AlwaysOff` - automatic installations are always disabled. + + > Note: + > The device uses this only with automatic downloads enabled. - key: RapidSecurityResponse - title: Background Security Improvement Settings + title: Background Security Improvements settings supportedOS: iOS: allowed-enrollments: @@ -239,7 +244,7 @@ payloadkeys: Improvement. subkeys: - key: Enable - title: Enable Background Security Improvement Installation + title: Enable Background Security Improvements installation type: presence: optional default: true @@ -249,7 +254,7 @@ payloadkeys: If set to `true`, the system offers Background Security Improvements to the user. - key: EnableRollback - title: Enable Background Security Improvement Rollbacks + title: Enable Background Security Improvements rollbacks type: presence: optional default: true @@ -259,7 +264,7 @@ payloadkeys: If set to `true`, the system offers Background Security Improvement rollbacks to the user. - key: AllowStandardUserOSUpdates - title: Allow Standard User OS Updates + title: Allow standard user OS updates supportedOS: iOS: introduced: n/a @@ -276,6 +281,7 @@ payloadkeys: If set to `false`, only administrators can perform Major and Minor Software Updates. - key: Beta + title: Beta supportedOS: macOS: introduced: '15.4' @@ -292,6 +298,7 @@ payloadkeys: content: This object configures the beta program settings for a device. subkeys: - key: ProgramEnrollment + title: Program enrollment supportedOS: iOS: allowed-enrollments: @@ -308,9 +315,10 @@ payloadkeys: Specifies whether the user can control beta program enrollment in the software update settings UI: - `Allowed` - the user can enroll in any applicable beta programs associated with their logged in Apple Account. If the `OfferPrograms` key is present, then the programs listed in that key are also presented to the user. - - `AlwaysOn` - the beta programs specified by the organization are used, and the user isn't able to enroll in a beta program using their logged in Apple Account. The device is automatically enrolled into the beta program specified by the `RequireProgram` key if it's present. Otherwise, the system presents the programs listed in the `OfferPrograms` key to the user to choose which to enroll with. + - `AlwaysOn` - the device uses the beta programs the organization specifies, and the user isn't able to enroll in a beta program using their logged in Apple Account. The device is automatically enrolled into the beta program specified by the `RequireProgram` key if it's present. Otherwise, the system presents the programs listed in the `OfferPrograms` key to the user to choose which to enroll with. - `AlwaysOff` - The device isn't allowed to enroll in any beta programs. The system removes the device from any beta programs, if already enrolled. - key: OfferPrograms + title: Offer programs type: presence: optional combinetype: set-union @@ -321,21 +329,25 @@ payloadkeys: but is implicitly set to `Allowed`. subkeys: - key: Program + title: Program type: presence: required content: The name and token associated with a specific beta program to be allowed. subkeys: - key: Description + title: Description type: presence: required content: A human readable description of the beta program. - key: Token + title: Token type: presence: required - content: The Apple Business Manager or Apple School Manager seeding service - token for the organization the MDM server is part of. The system uses this - token to enroll the device in the corresponding beta program. + content: The Apple School Manager or Apple Business seeding service token + for the organization the MDM server is part of. The system uses this token + to enroll the device in the corresponding beta program. - key: RequireProgram + title: Require program supportedOS: iOS: allowed-enrollments: @@ -348,16 +360,24 @@ payloadkeys: key must not be present if this key is present. subkeys: - key: Description + title: Description type: presence: required content: A human readable description of the beta program. - key: Token + title: Token type: presence: required - content: The Apple Business Manager or Apple School Manager seeding service - token for the organization the MDM server is part of. The system uses this - token to enroll the device in the corresponding beta program. + content: The Apple School Manager or Apple Business seeding service token for + the organization the MDM server is part of. The system uses this token to + enroll the device in the corresponding beta program. related-status-items: - status-items: - softwareupdate.beta-enrollment - softwareupdate.pending-version +examples: + title: Configuration example + files: + - description: This configuration manages software update behavior and deferral + settings. + file: examples/declarative/declarations/configurations/softwareupdate.settings/example1.json diff --git a/declarative/declarations/configurations/watch.enrollment.yaml b/declarative/declarations/configurations/watch.enrollment.yaml index 2449933..e5cd487 100644 --- a/declarative/declarations/configurations/watch.enrollment.yaml +++ b/declarative/declarations/configurations/watch.enrollment.yaml @@ -22,7 +22,7 @@ payload: apply: single payloadkeys: - key: EnrollmentProfileURL - title: Watch Enrollment Profile's URL. + title: Watch enrollment profile's URL. type: presence: required content: The URL of the profile that the Apple Watch downloads and installs if the @@ -31,7 +31,7 @@ payloadkeys: and the profile contains an MDM payload. Apple Watch attempts to install each payload that the profile contains. - key: AnchorCertificateAssetReferences - title: Anchor Certificate Asset References. + title: Anchor certificate asset references. type: assettypes: - com.apple.asset.credential.certificate @@ -47,3 +47,8 @@ payloadkeys: type: content: Specifies the identifier of an asset declaration containing the anchor certificate to be used. +examples: + title: Configuration example + files: + - description: This configuration enrolls an Apple Watch using a profile URL. + file: examples/declarative/declarations/configurations/watch.enrollment/example1.json diff --git a/declarative/declarations/configurations/webcontent-filter.plugin.yaml b/declarative/declarations/configurations/webcontent-filter.plugin.yaml new file mode 100644 index 0000000..f9b0eec --- /dev/null +++ b/declarative/declarations/configurations/webcontent-filter.plugin.yaml @@ -0,0 +1,280 @@ +title: WebContentFilter:Plugin +description: The declaration to configure a WebContent Filter that uses a plugin. +payload: + declarationtype: com.apple.configuration.webcontent-filter.plugin + supportedOS: + iOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - device + - user + - local + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + macOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - local + allowed-scopes: + - system + tvOS: + introduced: n/a + visionOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - device + - user + - local + allowed-scopes: + - system + watchOS: + introduced: n/a + apply: multiple +payloadkeys: +- key: VisibleName + title: Visible name + type: + presence: required + content: The name of the web content filter that the system displays on the device. +- key: PluginBundleID + title: Plugin bundle ID + type: + presence: required + content: The bundle ID of the plug-in that provides filtering service. Consult your + filtering solution vendor to determine what to specify for this value. +- key: ContentFilterUUID + title: Content filter UUID + supportedOS: + macOS: + introduced: n/a + type: + presence: optional + content: A globally unique identifier for this content filter configuration. The + content filter processes network traffic for managed apps with the same `ContentFilterUUID` + in their app attributes. This key must be present for unsupervised devices and + user enrollment. +- key: ServerAddress + title: Server address + type: + presence: optional + content: The server address, which may be the IP address, hostname, or URL. +- key: Organization + title: Organization + type: + presence: optional + content: The organization string to pass to the third-party plug-in. +- key: VendorConfig + title: Vendor config + type: + presence: optional + content: The custom dictionary that the filtering service plug-in needs. + subkeys: + - key: ANY + type: + presence: required + content: The custom key/value pairs for the filtering service. +- key: Authentication + title: Authentication details + type: + presence: optional + content: Settings that control authentication. + subkeys: + - key: CredentialsAssetReference + title: Credentials asset reference + type: + assettypes: + - com.apple.asset.credential.userpassword + presence: optional + content: The identifier of an asset declaration that contains the credentials + (user name and password) to authenticate with the service. + - key: IdentityAssetReference + title: Identity asset reference + type: + assettypes: + - com.apple.asset.credential.acme + - com.apple.asset.credential.identity + - com.apple.asset.credential.scep + presence: optional + content: The identifier of a credential asset declaration that contains the identity + that this account requires to authenticate with the service. +- key: Filter + title: Filter details + type: + presence: optional + content: Settings that control authentication. + subkeys: + - key: Grade + title: Filter grade + supportedOS: + iOS: + introduced: n/a + visionOS: + introduced: n/a + type: + presence: optional + rangelist: + - firewall + - inspector + default: firewall + content: The system uses this value to derive the relative order of content filters. + Filters with a grade of `firewall` see network traffic before filters with a + grade of `inspector`. However, the system doesn't define the order of filters + within a grade. + - key: Browsers + title: Browser filter details + supportedOS: + macOS: + introduced: n/a + type: + presence: optional + content: Settings that control the browser filter. If not present, the system + doesn't use browser filtering. + subkeys: + - key: Enabled + title: Enable browser filter + type: + presence: required + content: If `true`, the system enables filtering WebKit traffic. + - key: Sockets + title: Socket filter details + type: + presence: optional + content: Settings that control the socket filter. If not present, the system doesn't + use socket filtering. + subkeys: + - key: Enabled + title: Enable socket filter + type: + presence: required + content: If `true`, enables the filtering of socket traffic. + - key: ProviderComposedIdentifier + title: Data provider composed identifier + type: + presence: optional + content: |- + The data provider identifier. This string identifies the filter data provider when the filter starts running. Required when Enabled is true. + + In iOS and visionOS, the identifier is a bundle ID, for example, "com.example.app". + + In macOS, the identifier is a composed identifier. The format of the composed identifier is "Bundle-ID {Designated-Requirement}". "Bundle-ID" is the bundle identifier string of the provider. "Designated-Requirement" is the designated requirement string from the code signature of the provider. For example, "com.example.app {anchor apple generic}". + - key: Packets + title: Packet filter details + supportedOS: + iOS: + introduced: n/a + visionOS: + introduced: n/a + type: + presence: optional + content: Settings that control the packet filter. If not present, the system doesn't + use packet filtering. + subkeys: + - key: Enabled + title: Enable packet filter + type: + presence: required + content: If `true`, the system enables filtering network packets. + - key: ProviderComposedIdentifier + title: Packet provider composed identifier + type: + presence: optional + content: |- + The packet provider identifier. This string identifies the filter data provider when the filter starts running. Required when Enabled is true. + + The identifier is a composed identifier. The format of the composed identifier is "Bundle-ID {Designated-Requirement}". "Bundle-ID" is the bundle identifier string of the provider. "Designated-Requirement" is the designated requirement string from the code signature of the provider. For example, "com.example.app {anchor apple generic}". + - key: URLs + title: URL filter details + supportedOS: + visionOS: + introduced: n/a + type: + presence: optional + content: Settings that control the URL filter. If not present, the system doesn't + use URL filtering. + subkeys: + - key: Enabled + title: Enable URL filter + type: + presence: required + content: If `true`, the system filters URL requests. + - key: Parameters + title: URL filter parameters. + type: + presence: optional + content: A dictionary containing URL filter parameters. Required when `Enabled` + is `true`. + subkeys: + - key: ProviderComposedIdentifier + title: Control provider composed identifier + type: + presence: required + content: |- + The URL filter control provider identifier. This string identifies the filter data provider when the filter starts running. Required when Enabled is true. + + In iOS, the identifier is a bundle ID, for example, "com.example.app". + + In macOS, the identifier is a composed identifier. The format of the composed identifier is "Bundle-ID {Designated-Requirement}". "Bundle-ID" is the bundle identifier string of the provider. "Designated-Requirement" is the designated requirement string from the code signature of the provider. For example, "com.example.app {anchor apple generic}". + - key: PIR + title: Private information retrieval server settings. + type: + presence: required + content: A dictionary containing Private Information Retrieval server settings. + subkeys: + - key: ServerURL + title: Private information retrieval server URL + type: + presence: required + content: The URL containing the domain name of the private information retrieval + server. + - key: PrivacyPassIssuerURL + title: Privacy pass issuer URL + type: + presence: required + content: The URL containing the domain name of Privacy Pass Issuer. + - key: AuthenticationTokenAssetReference + title: Authentication token asset reference + type: + assettypes: + - com.apple.asset.credential.userpassword + presence: optional + content: The identifier of an asset declaration containing the HTTP bearer + token required to authenticate with the service. The bearer token is provided + in the `Password` field of the asset data. The system uses this token + to attest that it's a valid user when requesting anonymous authentication + tokens for PIR exchanges. + - key: FailClosed + title: URL filter fail closed + type: + presence: optional + default: false + content: If `true`, the system blocks URLs if the filter is enabled, but it + fails to make any filtering decision; for example, if there's a communication + failure with the PIR server. If `false`, the system allows URLs if the filter + is enabled, but it fails to make any filtering decision. + - key: PrefilterFetchFrequency + title: Prefilter fetch frequency + type: + presence: optional + range: + min: 2700 + default: 86400 + content: The time interval in seconds that the system uses to periodically + run the `NEURLFilterControlProvider` app extension. The default value is + 86400 seconds (1 day). The minimum allowed value is 2700 seconds (45 minutes). + The system allows `NEURLFilterControlProvider` implementations to download + prefilter Bloom filter data onto the device periodically at the specified + interval. Implementations need to allow for a slight difference between + the scheduled time and the actual runtime of the task, due to the scheduling + mechanism on the system. +examples: + title: Configuration example + files: + - description: This configuration sets up a web content filter using a Network Extension + plugin bundle. + file: examples/declarative/declarations/configurations/network.webcontent-filter.plugin/example1.json diff --git a/declarative/declarations/declarationbase.yaml b/declarative/declarations/declarationbase.yaml index 1a72b3e..f9ab871 100644 --- a/declarative/declarations/declarationbase.yaml +++ b/declarative/declarations/declarationbase.yaml @@ -15,20 +15,24 @@ payload: introduced: '10.0' payloadkeys: - key: Type + title: Type type: presence: required content: A string specifying the type of this declaration. - key: Identifier + title: Identifier type: presence: required content: A string uniquely identifying this declaration. The size of this string - should not exceed 64 octets. A UUID string value is a good choice. + shouldn't exceed 64 octets. A UUID string value is a good choice. - key: ServerToken + title: Server token type: presence: required content: A unique token generated by the server specifying a particular revision - of the declaration. The size of this string should not exceed 64 octets. + of the declaration. The size of this string shouldn't exceed 64 octets. - key: Payload + title: Payload type: presence: required content: The payload describing this declaration. diff --git a/declarative/declarations/management/organization-info.yaml b/declarative/declarations/management/organization-info.yaml index 93d1c8b..090cb58 100644 --- a/declarative/declarations/management/organization-info.yaml +++ b/declarative/declarations/management/organization-info.yaml @@ -15,12 +15,12 @@ payload: introduced: '10.0' payloadkeys: - key: Name - title: Organization Name + title: Organization name type: presence: required content: The name of the organization. - key: Email - title: Organization Email Address + title: Organization email address type: presence: optional content: The email address of the contact person for the organization. @@ -30,15 +30,19 @@ payloadkeys: presence: optional content: The website of the organization to contact for support. - key: Proof - title: Organization Identity + title: Organization identity type: presence: optional content: The additional properties that verify the identity and authenticity of the organization. subkeys: - key: IdentityToken - title: Organization Identity Token + title: Organization identity token type: presence: optional content: A token that verifies the identity of the organization when using this service. +examples: + title: Management declaration example + files: + - file: examples/declarative/declarations/management/organization-info/example1.json diff --git a/declarative/declarations/management/properties.yaml b/declarative/declarations/management/properties.yaml index 6fa4ccc..d6d5396 100644 --- a/declarative/declarations/management/properties.yaml +++ b/declarative/declarations/management/properties.yaml @@ -19,3 +19,7 @@ payloadkeys: type: presence: optional content: Each entry represents a property key/value. +examples: + title: Management declaration example + files: + - file: examples/declarative/declarations/management/properties/example1.json diff --git a/declarative/declarations/management/server-capabilities.yaml b/declarative/declarations/management/server-capabilities.yaml index 066d128..2cfc54c 100644 --- a/declarative/declarations/management/server-capabilities.yaml +++ b/declarative/declarations/management/server-capabilities.yaml @@ -15,12 +15,12 @@ payload: introduced: '10.0' payloadkeys: - key: Version - title: Protocol Version + title: Protocol version type: presence: required content: The server's protocol version. - key: SupportedFeatures - title: Supported Features + title: Supported features type: presence: required content: |- @@ -32,3 +32,7 @@ payloadkeys: type: presence: optional content: Additional keys may be present. +examples: + title: Management declaration example + files: + - file: examples/declarative/declarations/management/server-capabilities/example1.json diff --git a/declarative/protocol/declarationitemsresponse.yaml b/declarative/protocol/declarationitemsresponse.yaml index ba2590e..6e9bb90 100644 --- a/declarative/protocol/declarationitemsresponse.yaml +++ b/declarative/protocol/declarationitemsresponse.yaml @@ -15,7 +15,7 @@ payload: introduced: '10.0' payloadkeys: - key: Declarations - title: Manifest Declaration Items + title: Manifest declaration items type: presence: required content: The set of available declarations on the server. @@ -28,18 +28,18 @@ payloadkeys: subkeytype: DeclarationItem subkeys: - key: _Activations - title: Manifest Declaration + title: Manifest declaration type: content: Information about an available declaration on the server. subkeytype: DeclarationItem subkeys: &id001 - key: Identifier - title: Declaration Identifier + title: Declaration identifier type: presence: required content: The declaration's identifier. - key: ServerToken - title: Declaration Server Token + title: Declaration server token type: presence: required content: |- @@ -53,7 +53,7 @@ payloadkeys: subkeytype: DeclarationItem subkeys: - key: _Configurations - title: Manifest Declaration + title: Manifest declaration type: content: Information about an available declaration on the server. subkeytype: DeclarationItem @@ -66,7 +66,7 @@ payloadkeys: subkeytype: DeclarationItem subkeys: - key: _Assets - title: Manifest Declaration + title: Manifest declaration type: content: Information about an available declaration on the server. subkeytype: DeclarationItem @@ -79,13 +79,13 @@ payloadkeys: subkeytype: DeclarationItem subkeys: - key: _Management - title: Manifest Declaration + title: Manifest declaration type: content: Information about an available declaration on the server. subkeytype: DeclarationItem subkeys: *id001 - key: DeclarationsToken - title: Declarations Token + title: Declarations token type: presence: required content: The current value of the declarations token. Clients use this to detect diff --git a/declarative/protocol/statusreport.yaml b/declarative/protocol/statusreport.yaml index a2ab46d..c334b45 100644 --- a/declarative/protocol/statusreport.yaml +++ b/declarative/protocol/statusreport.yaml @@ -15,7 +15,7 @@ payload: introduced: '10.0' payloadkeys: - key: StatusItems - title: Status Items + title: Status items type: presence: required content: The status items for this report. @@ -31,40 +31,40 @@ payloadkeys: content: Error information for a status item that cannot be returned. subkeys: - key: StatusItem - title: Status Item + title: Status item type: presence: required content: The status item that this error pertains to. - key: Reasons - title: Status Reasons + title: Status reasons type: presence: optional content: An array of reasons for the error. subkeytype: StatusReason subkeys: - key: _Reasons - title: Status Reason + title: Status reason type: content: Information about a status error. subkeytype: StatusReason subkeys: - key: Code - title: Error Code + title: Error code type: presence: required content: The error code for this error. - key: Description - title: Error Description + title: Error description type: presence: optional content: The description for this error. - key: Details - title: Error Details + title: Error details type: presence: optional content: A dictionary that contains further details about this error. - key: FullReport - title: Full Report + title: Full report supportedOS: iOS: introduced: '17.0' @@ -76,7 +76,7 @@ payloadkeys: presence: optional default: false content: The system sets this to `true` to indicate that the status report contains - the full set of current status, and is not an incremental report. A full status + the full set of current status, and isn't an incremental report. A full status report includes the full set of items in any status array item, not just the changes. Servers use this to replace their entire status for the device, rather than do an incremental update to the existing status. The system sets this to `true` when diff --git a/declarative/protocol/tokensresponse.yaml b/declarative/protocol/tokensresponse.yaml index faadd96..a74e931 100644 --- a/declarative/protocol/tokensresponse.yaml +++ b/declarative/protocol/tokensresponse.yaml @@ -15,7 +15,7 @@ payload: introduced: '10.0' payloadkeys: - key: SyncTokens - title: Synchronization Tokens + title: Synchronization tokens type: presence: required content: A dictionary of synchronization tokens that describes the state of different diff --git a/declarative/status/account.list.caldav.yaml b/declarative/status/account.list.caldav.yaml index 29fc4a6..22248c0 100644 --- a/declarative/status/account.list.caldav.yaml +++ b/declarative/status/account.list.caldav.yaml @@ -1,5 +1,5 @@ title: Status Account List CalDAV -description: A status report of the client's Calendar accounts. +description: The status item that lists the devices's Calendar accounts. payload: statusitemtype: account.list.caldav supportedOS: @@ -45,8 +45,9 @@ payloadkeys: subkeytype: Account subkeys: - key: status_value + title: Status value type: - content: A status report of the client's Calendar account details. + content: A Calendar account. subkeys: - key: identifier title: Unique identifier of the account. @@ -58,8 +59,8 @@ payloadkeys: type: presence: optional default: false - content: If `true`, the account is removed and the status item object only contains - this key and the `identifier` key. + content: If `true`, the device has removed the account and the status item object + only contains this key and the `identifier` key. - key: declaration-identifier title: Identifier of the declaration that installed the account. type: @@ -77,7 +78,7 @@ payloadkeys: presence: optional content: The server host name for the account. - key: port - title: Server Port + title: Server port type: presence: optional content: The server port for the account. @@ -97,3 +98,12 @@ payloadkeys: type: presence: optional content: If `true`, the Reminders app is displaying reminders for the account. +examples: + title: Status item example + files: + - tab: New or updated account + description: Reports a new or updated account. + file: data/docc-examples/remotemanagementmodel/status/account.list.caldav/example1.json + - tab: Removed account + description: Reports a removed account. + file: data/docc-examples/remotemanagementmodel/status/account.list.caldav/example2.json diff --git a/declarative/status/account.list.carddav.yaml b/declarative/status/account.list.carddav.yaml index ea7953e..e12048a 100644 --- a/declarative/status/account.list.carddav.yaml +++ b/declarative/status/account.list.carddav.yaml @@ -1,5 +1,5 @@ title: Status Account List CardDAV -description: A status report of the client's Contacts accounts. +description: The status item that lists the devices's Contacts accounts. payload: statusitemtype: account.list.carddav supportedOS: @@ -45,8 +45,9 @@ payloadkeys: subkeytype: Account subkeys: - key: status_value + title: Status value type: - content: A status report of the client's Contacts account details. + content: A Contacts account. subkeys: - key: identifier title: Unique identifier of the account. @@ -58,8 +59,8 @@ payloadkeys: type: presence: optional default: false - content: If `true`, the account is removed and the status item object only contains - this key and the `identifier` key. + content: If `true`, the device has removed the account and the status item object + only contains this key and the `identifier` key. - key: declaration-identifier title: Identifier of the declaration that installed the account. type: @@ -77,7 +78,7 @@ payloadkeys: presence: optional content: The server host name for the account. - key: port - title: Server Port + title: Server port type: presence: optional content: The server port for the account. @@ -86,3 +87,12 @@ payloadkeys: type: presence: optional content: The user name for the account. +examples: + title: Status item example + files: + - tab: New or updated account + description: Reports a new or updated account. + file: data/docc-examples/remotemanagementmodel/status/account.list.carddav/example1.json + - tab: Removed account + description: Reports a removed account. + file: data/docc-examples/remotemanagementmodel/status/account.list.carddav/example2.json diff --git a/declarative/status/account.list.exchange.yaml b/declarative/status/account.list.exchange.yaml index 668e15a..46dec6a 100644 --- a/declarative/status/account.list.exchange.yaml +++ b/declarative/status/account.list.exchange.yaml @@ -1,5 +1,5 @@ title: Status Account List Exchange -description: A status report of the client's Exchange accounts. +description: The status item that lists the devices's Exchange accounts. payload: statusitemtype: account.list.exchange supportedOS: @@ -45,8 +45,9 @@ payloadkeys: subkeytype: Account subkeys: - key: status_value + title: Status value type: - content: A status report of the client's Exchange account details. + content: An Exchange account. subkeys: - key: identifier title: Unique identifier of the account. @@ -58,8 +59,8 @@ payloadkeys: type: presence: optional default: false - content: If `true`, the account is removed and the status item object only contains - this key and the `identifier` key. + content: If `true`, the device has removed the account and the status item object + only contains this key and the `identifier` key. - key: declaration-identifier title: Identifier of the declaration that installed the account. type: @@ -77,7 +78,7 @@ payloadkeys: presence: optional content: The server host name for the account. - key: port - title: Server Port + title: Server port type: presence: optional content: The server port for the account. @@ -116,3 +117,12 @@ payloadkeys: presence: optional content: A Boolean value that indicates whether the Reminders app displays reminders for this account. +examples: + title: Status item example + files: + - tab: New or updated account + description: Reports a new or updated account. + file: data/docc-examples/remotemanagementmodel/status/account.list.exchange/example1.json + - tab: Removed account + description: Reports a removed account. + file: data/docc-examples/remotemanagementmodel/status/account.list.exchange/example2.json diff --git a/declarative/status/account.list.google.yaml b/declarative/status/account.list.google.yaml index ee88327..f141500 100644 --- a/declarative/status/account.list.google.yaml +++ b/declarative/status/account.list.google.yaml @@ -1,5 +1,5 @@ title: Status Account List Google -description: A status report of the client's Google accounts. +description: The status item that lists the client's Google accounts. payload: statusitemtype: account.list.google supportedOS: @@ -45,8 +45,9 @@ payloadkeys: subkeytype: Account subkeys: - key: status_value + title: Status value type: - content: A status report of the client's Google account details. + content: A Google account. subkeys: - key: identifier title: Unique identifier of the account. @@ -58,8 +59,8 @@ payloadkeys: type: presence: optional default: false - content: If `true`, the account is removed and the status item object only contains - this key and the `identifier` key. + content: If `true`, the device removed the account and the status item object + only contains this key and the `identifier` key. - key: declaration-identifier title: Identifier of the declaration that installed the account. type: @@ -100,3 +101,12 @@ payloadkeys: presence: optional content: A Boolean value that indicates whether the Notes app displays notes for this account. +examples: + title: Status item example + files: + - tab: New or updated account + description: Reports a new or updated account. + file: data/docc-examples/remotemanagementmodel/status/account.list.google/example1.json + - tab: Removed account + description: Reports a removed account. + file: data/docc-examples/remotemanagementmodel/status/account.list.google/example2.json diff --git a/declarative/status/account.list.ldap.yaml b/declarative/status/account.list.ldap.yaml index 18342dc..cfd3fab 100644 --- a/declarative/status/account.list.ldap.yaml +++ b/declarative/status/account.list.ldap.yaml @@ -1,6 +1,6 @@ title: Status Account List LDAP -description: A status report of the client's Lightweight Directory Access Protocol - (LDAP) accounts. +description: The status item that lists the devices's Lightweight Directory Access + Protocol (LDAP) accounts. payload: statusitemtype: account.list.ldap supportedOS: @@ -46,8 +46,9 @@ payloadkeys: subkeytype: Account subkeys: - key: status_value + title: Status value type: - content: A status report of the client's LDAP account details. + content: An LDAP account. subkeys: - key: identifier title: Unique identifier of the account. @@ -59,8 +60,8 @@ payloadkeys: type: presence: optional default: false - content: If `true`, the account is removed and the status item object only contains - this key and the `identifier` key. + content: If `true`, the device removed the account and the status item object + only contains this key and the `identifier` key. - key: declaration-identifier title: Identifier of the declaration that installed the account. type: @@ -78,7 +79,7 @@ payloadkeys: presence: optional content: The server host name for the account. - key: port - title: Server Port + title: Server port type: presence: optional content: The server port for the account. @@ -93,3 +94,12 @@ payloadkeys: presence: optional content: A Boolean value that indicates whether the account is enabled for use with the Contacts app. +examples: + title: Status item example + files: + - tab: New or updated account + description: Reports a new or updated account. + file: data/docc-examples/remotemanagementmodel/status/account.list.ldap/example1.json + - tab: Removed account + description: Reports a removed account. + file: data/docc-examples/remotemanagementmodel/status/account.list.ldap/example2.json diff --git a/declarative/status/account.list.mail.incoming.yaml b/declarative/status/account.list.mail.incoming.yaml index 64a8f2c..0836489 100644 --- a/declarative/status/account.list.mail.incoming.yaml +++ b/declarative/status/account.list.mail.incoming.yaml @@ -1,5 +1,5 @@ title: Status Account List Mail Incoming -description: A status report of the client's incoming Mail accounts. +description: The status item that lists the devices's incoming Mail accounts. payload: statusitemtype: account.list.mail.incoming supportedOS: @@ -45,8 +45,9 @@ payloadkeys: subkeytype: Account subkeys: - key: status_value + title: Status value type: - content: A status report of the client's incoming Mail account details. + content: An incoming Mail account. subkeys: - key: identifier title: Unique identifier of the account. @@ -58,8 +59,8 @@ payloadkeys: type: presence: optional default: false - content: If `true`, the account is removed and the status item object only contains - this key and the `identifier` key. + content: If `true`, the device removed the account and the status item object + only contains this key and the `identifier` key. - key: declaration-identifier title: Identifier of the declaration that installed the account. type: @@ -77,7 +78,7 @@ payloadkeys: presence: optional content: The server host name for the account. - key: port - title: Server Port + title: Server port type: presence: optional content: The server port for the account. @@ -98,3 +99,12 @@ payloadkeys: presence: optional content: A Boolean value that indicates whether the Notes app displays notes for this account. +examples: + title: Status item example + files: + - tab: New or updated account + description: Reports a new or updated account. + file: data/docc-examples/remotemanagementmodel/status/account.list.mail.incoming/example1.json + - tab: Removed account + description: Reports a removed account. + file: data/docc-examples/remotemanagementmodel/status/account.list.mail.incoming/example2.json diff --git a/declarative/status/account.list.mail.outgoing.yaml b/declarative/status/account.list.mail.outgoing.yaml index 607a78c..3bda798 100644 --- a/declarative/status/account.list.mail.outgoing.yaml +++ b/declarative/status/account.list.mail.outgoing.yaml @@ -1,5 +1,5 @@ title: Status Account List Mail Outgoing -description: A status report of the client's outgoing Mail accounts. +description: The status item that lists the devices's outgoing Mail accounts. payload: statusitemtype: account.list.mail.outgoing supportedOS: @@ -45,8 +45,9 @@ payloadkeys: subkeytype: Account subkeys: - key: status_value + title: Status value type: - content: A status report of the client's outgoing Mail account details. + content: An outgoing Mail account. subkeys: - key: identifier title: Unique identifier of the account. @@ -58,8 +59,8 @@ payloadkeys: type: presence: optional default: false - content: If `true`, the account is removed and the status item object only contains - this key and the `identifier` key. + content: If `true`, the device removed the account and the status item object + only contains this key and the `identifier` key. - key: declaration-identifier title: Identifier of the declaration that installed the account. type: @@ -77,7 +78,7 @@ payloadkeys: presence: optional content: The server host name for the account. - key: port - title: Server Port + title: Server port type: presence: optional content: The server port for the account. @@ -86,3 +87,12 @@ payloadkeys: type: presence: optional content: The user name for the account. +examples: + title: Status item example + files: + - tab: New or updated account + description: Reports a new or updated account. + file: data/docc-examples/remotemanagementmodel/status/account.list.mail.outgoing/example1.json + - tab: Removed account + description: Reports a removed account. + file: data/docc-examples/remotemanagementmodel/status/account.list.mail.outgoing/example2.json diff --git a/declarative/status/account.list.subscribed-calendar.yaml b/declarative/status/account.list.subscribed-calendar.yaml index c5ce4c6..c2d18d8 100644 --- a/declarative/status/account.list.subscribed-calendar.yaml +++ b/declarative/status/account.list.subscribed-calendar.yaml @@ -1,5 +1,5 @@ title: Status Account List Subscribed Calendar -description: A status report of the client's subscribed calendars. +description: The status item that lists the devices's subscribed calendars. payload: statusitemtype: account.list.subscribed-calendar supportedOS: @@ -45,8 +45,9 @@ payloadkeys: subkeytype: Account subkeys: - key: status_value + title: Status value type: - content: A status report of the client's subscribed calendar details. + content: A subscribed calendar. subkeys: - key: identifier title: Unique identifier of the subscribed calendar. @@ -58,8 +59,8 @@ payloadkeys: type: presence: optional default: false - content: If `true`, the subscribed calendar is removed and the status item object - only contains this key and the `identifier` key. + content: If `true`, the device removed the subscribed calendar and the status + item object only contains this key and the `identifier` key. - key: declaration-identifier title: Identifier of the declaration that installed the subscribed calendar. type: @@ -87,3 +88,12 @@ payloadkeys: presence: optional content: A Boolean value that indicates whether the Calendar app displays this subscribed calendar. +examples: + title: Status item example + files: + - tab: New or updated account + description: Reports a new or updated account. + file: data/docc-examples/remotemanagementmodel/status/account.list.subscribed-calendar/example1.json + - tab: Removed account + description: Reports a removed account. + file: data/docc-examples/remotemanagementmodel/status/account.list.subscribed-calendar/example2.json diff --git a/declarative/status/app.managed.list.yaml b/declarative/status/app.managed.list.yaml index 3eaba40..1014744 100644 --- a/declarative/status/app.managed.list.yaml +++ b/declarative/status/app.managed.list.yaml @@ -1,5 +1,5 @@ title: Status App Managed List -description: The device's declarative managed apps. +description: The status item that lists the device's declarative managed apps. payload: statusitemtype: app.managed.list supportedOS: @@ -44,8 +44,9 @@ payloadkeys: subkeytype: App subkeys: - key: status_value + title: Status value type: - content: A dictionary that describes a declarative managed app. + content: A managed app. subkeys: - key: identifier title: Unique identifier of the app. @@ -74,7 +75,7 @@ payloadkeys: type: presence: optional content: |- - The app's external version identifier. You can also retrieve this value from the App Store. For more information, see `Apps and Books for Organizations`. + The app's external version identifier. You can also retrieve this value from the App Store. For more information, see `Apps and books metadata for organizations`. If the current external version identifier of an app on the App Store doesn't match the external version identifier reported by the device, there may be an app update available for the device. - key: version @@ -108,7 +109,7 @@ payloadkeys: - `optional`: The app is optional and the user has to trigger its installation. - `queued`: The system has started installation of the app. - - `not-present`: Management of the app occurs after it is installed. + - `not-present`: Management of the app occurs after it's installed. - `prompting-for-consent`: The system is displaying a prompt to the user to proceed with app installation. - `prompting-for-login`: The system is displaying an App Store sign-in prompt to the user to allow app installation. - `prompting-for-management`: The system is displaying a prompt to the user to allow changing the installed app to a managed app. @@ -144,7 +145,7 @@ payloadkeys: iOS: introduced: '18.4' macOS: - introduced: n/a + introduced: '27.0' type: presence: optional content: The status of app or extension managed configurations. This key is @@ -170,9 +171,9 @@ payloadkeys: - valid content: |- The managed configuration status. - - `unknown`: The managed configuration has not been read - - `invalid`: The managed configuration was read and deemed to be invalid - - `valid`: The managed configuration was read and deemed to be valid + - `unknown`: The device hasn't read the managed configuration. + - `invalid`: The device read the managed configuration and found it to be invalid. + - `valid`: The device read the managed configuration and found it to be valid. - key: extension-config-state title: Extensions managed configuration status type: @@ -189,7 +190,7 @@ payloadkeys: subkeytype: ManagedConfigurationState subkeys: *id001 - key: reasons - title: Status Reasons + title: Status reasons type: presence: optional content: An array that contains additional details about the app state, including @@ -197,23 +198,23 @@ payloadkeys: subkeytype: StatusReason subkeys: - key: _reasons - title: Status Reason + title: Status reason type: content: Information about a status error. subkeytype: StatusReason subkeys: - key: code - title: Error Code + title: Error code type: presence: required content: A code for the state. - key: description - title: Error Description + title: Error description type: presence: optional content: A description of the state. - key: details - title: Error Details + title: Error details type: presence: optional content: A dictionary that contains additional details about the state. @@ -230,6 +231,7 @@ reasons: details: - key: Timestamp type: + valuetype: timestamp description: The RFC 3339 timestamp of the last download failure. - value: Error.DuplicateConfiguredApp description: The app is already being managed. @@ -238,6 +240,7 @@ reasons: details: - key: Timestamp type: + valuetype: timestamp description: The RFC 3339 timestamp of the last install failure. - value: Error.InvalidAppID description: The app id could not be found. @@ -263,4 +266,14 @@ reasons: details: - key: Timestamp type: + valuetype: timestamp description: The RFC 3339 timestamp of the last update failure. +examples: + title: Status item example + files: + - tab: New or updated app + description: Reports a new or updated app. + file: data/docc-examples/remotemanagementmodel/status/app.managed.list/example1.json + - tab: Removed app + description: Reports a removed app. + file: data/docc-examples/remotemanagementmodel/status/app.managed.list/example2.json diff --git a/declarative/status/content-cache.info.yaml b/declarative/status/content-cache.info.yaml new file mode 100644 index 0000000..4f4366d --- /dev/null +++ b/declarative/status/content-cache.info.yaml @@ -0,0 +1,100 @@ +title: Status Content Cache Info +description: The status item that reports information about the Content Cache service. +payload: + statusitemtype: content-cache.info + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - local + allowed-scopes: + - system + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a +payloadkeys: +- key: content-cache.info + title: Cache info + type: + presence: required + content: A dictionary that contains info about the usage of the Content Cache on + the device + subkeys: + - key: cache-details + title: Cache details + type: + presence: optional + content: The amount of disk space that various categories of cached content use. + Apple defines these categories and they're subject to change. + subkeys: + - key: detail-item + title: Example file category + type: + presence: required + content: The amount of disk space in bytes, that this category of cached content + uses. + - key: cache-free + title: Cache free space + type: + presence: optional + content: The amount of disk space in bytes, available to the Content Cache. + - key: cache-limit + title: Cache limit + type: + presence: optional + content: The maximum amount of disk space in bytes, available to the Content Cache. + A value of `0` indicates an unlimited amount. This value corresponds to `CacheLimit` + in the installed `ContentCaching` configuration. + - key: cache-status + title: Cache status + type: + presence: optional + rangelist: + - LOWSPACE + - OK + content: The level of cache pressure. `LOWSPACE` means cache pressure is high. + - key: cache-used + title: Cache used + type: + presence: optional + content: The amount of disk space in bytes, cached content uses. The Content Cache + allocates space in its cache for entire files even when it stores only part + of those files in its cache. + - key: max-cache-pressure-last-hour + title: Maximum cache pressure + type: + presence: optional + range: + min: 0.0 + max: 1.0 + content: A floating-point number between `0.0` and `1.0` that represents how often + the cache needed more disk space over the last hour of operation. A lower value + is better. + - key: personal-cache-free + title: Personal cache free + type: + presence: optional + content: The amount of disk space in bytes, available to the Content Cache for + personal iCloud content. + - key: personal-cache-limit + title: Personal cache limit + type: + presence: optional + content: The maximum amount of disk space in bytes, available to the Content Cache + for personal iCloud content. A value of `0` indicates an unlimited amount. + - key: personal-cache-used + title: Personal cache used + type: + presence: optional + content: The amount of disk space, in bytes, available to the Content Cache for + personal iCloud content. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/content-cache.info/example1.json diff --git a/declarative/status/content-cache.parents.yaml b/declarative/status/content-cache.parents.yaml new file mode 100644 index 0000000..0ecd309 --- /dev/null +++ b/declarative/status/content-cache.parents.yaml @@ -0,0 +1,76 @@ +title: Status Content Cache Parents +description: The status item that reports information about the Content Cache service + parent caches. +payload: + statusitemtype: content-cache.parents + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - local + allowed-scopes: + - system + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a +payloadkeys: +- key: content-cache.parents + title: Content cache parents + type: + presence: optional + content: An array of dictionaries that describes parent Content Caches. + subkeys: + - key: parents-item + title: Parent item + type: + presence: optional + content: A parent Content Cache. + subkeys: + - key: identifier + title: Parent GUID + type: + presence: required + content: The unique identifier of the parent Content Cache. + - key: _removed + title: Indicates removal of the entry. + type: + presence: optional + default: false + content: If `true`, the system removed the parent entry and only this key and + the `identifier` key are present in the status item object. + - key: address + title: IP address + type: + presence: required + content: The local IPv4 address of the parent Content Cache. + - key: port + title: Port + type: + presence: required + content: The IP port number the parent Content Cache listens to for requests. + - key: healthy + title: Cache health + type: + presence: required + content: If `true,` the parent Content Cache is able to respond to requests + from this Content Cache. + - key: version + title: Version + type: + presence: required + content: The version number of the parent Content Cache software. +examples: + title: Status item example + files: + - tab: New or updated parent + description: Reports a new or updated parent. + file: data/docc-examples/remotemanagementmodel/status/content-cache.parents/example1.json + - tab: Removed parent + description: Reports a removed parent. + file: data/docc-examples/remotemanagementmodel/status/content-cache.parents/example2.json diff --git a/declarative/status/content-cache.peers.yaml b/declarative/status/content-cache.peers.yaml new file mode 100644 index 0000000..33c9412 --- /dev/null +++ b/declarative/status/content-cache.peers.yaml @@ -0,0 +1,82 @@ +title: Status Content Cache Peers +description: The status item that reports information about the Content Cache service + peer caches. +payload: + statusitemtype: content-cache.peers + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - local + allowed-scopes: + - system + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a +payloadkeys: +- key: content-cache.peers + title: Content cache peers + type: + presence: required + content: An array of dictionaries that describes peer Content Caches. + subkeys: + - key: peer-item + title: Peer item + type: + presence: optional + content: A peer Content Cache. + subkeys: + - key: identifier + title: Peer GUID + type: + presence: required + content: The unique identifier of the peer Content Cache. + - key: _removed + title: Indicates removal of the entry. + type: + presence: optional + default: false + content: If `true`, the system removed the peer entry and only this key and + the `identifier` key are present in the status item object. + - key: address + title: IP address + type: + presence: required + content: The local IPv4 address of the peer Content Cache. + - key: port + title: Port + type: + presence: required + content: The IP port number the peer Content Cache listens to for requests. + - key: friendly + title: Friendly + type: + presence: required + content: If `true`, the peer Content Cache is willing to respond to requests + from this Content Cache. + - key: healthy + title: Cache health + type: + presence: required + content: If `true`, the peer Content Cache is able to respond to requests from + this Content Cache. + - key: version + title: Version + type: + presence: required + content: The version number of the peer Content Cache software. +examples: + title: Status item example + files: + - tab: New or updated peer + description: Reports a new or updated peer. + file: data/docc-examples/remotemanagementmodel/status/content-cache.peers/example1.json + - tab: Removed peer + description: Reports a removed peer. + file: data/docc-examples/remotemanagementmodel/status/content-cache.peers/example2.json diff --git a/declarative/status/content-cache.status.yaml b/declarative/status/content-cache.status.yaml new file mode 100644 index 0000000..7b85b27 --- /dev/null +++ b/declarative/status/content-cache.status.yaml @@ -0,0 +1,159 @@ +title: Status Content Cache Service +description: The status item that reports the status of the Content Cache service. +payload: + statusitemtype: content-cache.status + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - local + allowed-scopes: + - system + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a +payloadkeys: +- key: content-cache.status + title: Status of the content cache service + type: + presence: required + content: The basic set of AssetCache status items + subkeys: + - key: server-guid + title: Server GUID + type: + presence: required + content: The unique identifier of the Content Cache. + - key: activated + title: Activated + type: + presence: optional + default: false + content: If `true`, the device has enabled the Content Cache. Enabling the Content + Caching doesn't guarantee service. See the `Active` key for the readiness of + the Content Cache to serve requests. + - key: active + title: Active + type: + presence: optional + default: false + content: If `true`, the Content Cache is ready to serve requests. + - key: cache-status + title: Cache status + type: + presence: optional + rangelist: + - LOWSPACE + - OK + content: The level of cache pressure. `LOWSPACE` means cache pressure is high. + - key: private-addresses + title: Private addresses + type: + presence: optional + content: An array of the Content Cache's local IP addresses. + subkeys: + - key: private-address-item + title: Private address + type: + presence: required + content: Local IP address at which the Content Cache listens for requests from + clients, peers, and children. + - key: public-address + title: Public address + type: + presence: optional + content: The public IP address of the Content Cache. + - key: port + title: Port + type: + presence: optional + content: The IP port number the Content Cache listens to for requests from clients, + peers, and children. + - key: registration-status + title: Registration status + type: + presence: optional + rangelist: + - -1 + - 0 + - 1 + content: |- + The status of the Content Cache's registration with Apple, which is one of the following values: + + - `-1`: The registration failed. + - `0`: The registration is pending. + - `1`: The registration succeeded. + - key: registration-started + title: Registration timestamp + type: + presence: optional + content: The RFC 3339 timestamp for when the Content Cache began registering itself + with Apple. This value is only available during registration attempts. + - key: registration-response-code + title: Registration response code + type: + presence: optional + content: If present, the HTTP response code that the Content Cache received when + it failed to register itself with Apple. + - key: registration-error + title: Registration error + type: + presence: optional + content: If present, the reason the Content Cache failed to register itself with + Apple. + - key: startup-status + title: Startup status + type: + presence: optional + rangelist: + - FAILED + - MIGRATING_DATA + - OK + - PENDING + content: The status of the Content Cache's registration with Apple. + - key: tetherator-status + title: Tetherator status + type: + presence: optional + rangelist: + - -1 + - 0 + - 1 + content: |- + The status of tethered caching, which is the Content Cache with a shared internet connection, which is one of the following values: + - '-1' : Unknown + - '0' : Disabled + - '1' : Enabled + - key: sending-reports + title: Sending metrics reports + type: + presence: optional + content: When present, a value of `true` indicates that the cache is sending metrics + reports to the URL specified in the `ManagementStatusTarget` key in the installed + `ContentCaching` configuration. + - key: report-response-code + title: Metrics report response code + type: + presence: optional + content: When present, contains the HTTP response code that the Content Cache + received when it failed to send the metrics report to the target URL. + - key: report-error + title: Metrics report error + type: + presence: optional + content: When present, indicates why the Content Cache failed to send the metrics. + - key: version + title: Version + type: + presence: required + content: The version number of the Content Cache software. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/content-cache.status/example1.json diff --git a/declarative/status/device.identifier.serial-number.yaml b/declarative/status/device.identifier.serial-number.yaml index 12f8c17..c5807b7 100644 --- a/declarative/status/device.identifier.serial-number.yaml +++ b/declarative/status/device.identifier.serial-number.yaml @@ -1,5 +1,5 @@ title: Status Device Serial Number -description: A status report of the device's serial number. +description: The status item that reports the device's serial number. payload: statusitemtype: device.identifier.serial-number supportedOS: @@ -52,3 +52,7 @@ payloadkeys: type: presence: required content: The device's serial number. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/device.identifier.serial-number/example1.json diff --git a/declarative/status/device.identifier.udid.yaml b/declarative/status/device.identifier.udid.yaml index 7aeea7c..1433430 100644 --- a/declarative/status/device.identifier.udid.yaml +++ b/declarative/status/device.identifier.udid.yaml @@ -1,5 +1,5 @@ title: Status Device UDID -description: A status report of the device's UDID. +description: The status item that reports the device's UDID. payload: statusitemtype: device.identifier.udid supportedOS: @@ -54,3 +54,7 @@ payloadkeys: content: The device's UDID. This value is always available on the device channel. This value is only available on user channels whose organization matches that of the device channel. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/device.identifier.udid/example1.json diff --git a/declarative/status/device.model.family.yaml b/declarative/status/device.model.family.yaml index 38c7782..56c8140 100644 --- a/declarative/status/device.model.family.yaml +++ b/declarative/status/device.model.family.yaml @@ -1,5 +1,5 @@ title: Status Device Model Family -description: A status report of the device's hardware family. +description: The status item that reports the device's hardware model family. payload: statusitemtype: device.model.family supportedOS: @@ -55,3 +55,7 @@ payloadkeys: type: presence: required content: The hardware family of the device, such as `Mac`, `iPhone`, or `iPad`. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/device.model.family/example1.json diff --git a/declarative/status/device.model.identifier.yaml b/declarative/status/device.model.identifier.yaml index b3eba5a..0c0108b 100644 --- a/declarative/status/device.model.identifier.yaml +++ b/declarative/status/device.model.identifier.yaml @@ -1,5 +1,5 @@ title: Status Device Model Identifier -description: A status report of the device's hardware identifier. +description: The status item that reports the device's hardware model identifier. payload: statusitemtype: device.model.identifier supportedOS: @@ -59,3 +59,7 @@ payloadkeys: model's version is a comma-separated number where the first part of the number is the version, and the second part is a variant, such as `MacBookPro15,1` or `iPhone13,2`. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/device.model.identifier/example1.json diff --git a/declarative/status/device.model.marketing-name.yaml b/declarative/status/device.model.marketing-name.yaml index 23db038..633eece 100644 --- a/declarative/status/device.model.marketing-name.yaml +++ b/declarative/status/device.model.marketing-name.yaml @@ -1,5 +1,5 @@ title: Status Device Model Marketing Name -description: A status report of the device's marketing name. +description: The status item that reports the device's model marketing name. payload: statusitemtype: device.model.marketing-name supportedOS: @@ -56,3 +56,7 @@ payloadkeys: presence: required content: The device's marketing name, such as `iPhone 12`. This value may not always be available. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/device.model.marketing-name/example1.json diff --git a/declarative/status/device.model.number.yaml b/declarative/status/device.model.number.yaml index 3f259a2..1ca886b 100644 --- a/declarative/status/device.model.number.yaml +++ b/declarative/status/device.model.number.yaml @@ -1,5 +1,5 @@ title: Status Device Model Number -description: A status report of the device's hardware number. +description: The status item that reports the device's hardware number. payload: statusitemtype: device.model.number supportedOS: @@ -55,3 +55,7 @@ payloadkeys: type: presence: required content: The device's model number. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/device.model.number/example1.json diff --git a/declarative/status/device.operating-system.build-version.yaml b/declarative/status/device.operating-system.build-version.yaml index 8b0bb8a..09f6ac6 100644 --- a/declarative/status/device.operating-system.build-version.yaml +++ b/declarative/status/device.operating-system.build-version.yaml @@ -1,5 +1,5 @@ title: Status Device Operating System Build Version -description: A status report of the device's software build identifier. +description: The status item that reports the device's operating system build version. payload: statusitemtype: device.operating-system.build-version supportedOS: @@ -55,3 +55,7 @@ payloadkeys: type: presence: required content: The operating system's build version on the device, such as `18F132`. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/device.operating-system.build-version/example1.json diff --git a/declarative/status/device.operating-system.family.yaml b/declarative/status/device.operating-system.family.yaml index 4d5f22d..c88a2d9 100644 --- a/declarative/status/device.operating-system.family.yaml +++ b/declarative/status/device.operating-system.family.yaml @@ -1,5 +1,5 @@ title: Status Device Operating System Family -description: A status report of the device's operating system family. +description: The status item that reports the device's operating system family. payload: statusitemtype: device.operating-system.family supportedOS: @@ -55,3 +55,7 @@ payloadkeys: type: presence: required content: The operating system family in use on the device, such as `macOS` or `iOS`. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/device.operating-system.family/example1.json diff --git a/declarative/status/device.operating-system.marketing-name.yaml b/declarative/status/device.operating-system.marketing-name.yaml index 8cbee1b..16d0d44 100644 --- a/declarative/status/device.operating-system.marketing-name.yaml +++ b/declarative/status/device.operating-system.marketing-name.yaml @@ -1,5 +1,6 @@ title: Status Device Operating System Marketing Name -description: A status report of the device's operating system marketing name. +description: The status item that reports the device's operating system marketing + name. payload: statusitemtype: device.operating-system.marketing-name supportedOS: @@ -55,3 +56,7 @@ payloadkeys: type: presence: required content: The operating system's marketing name in use on the device, such as `Catalina`. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/device.operating-system.marketing-name/example1.json diff --git a/declarative/status/device.operating-system.supplemental.build-version.yaml b/declarative/status/device.operating-system.supplemental.build-version.yaml index cdd3f53..17a92ff 100644 --- a/declarative/status/device.operating-system.supplemental.build-version.yaml +++ b/declarative/status/device.operating-system.supplemental.build-version.yaml @@ -1,5 +1,6 @@ title: Status Device Operating System Supplemental Build Version -description: A status report of the device's operating system supplemental build identifier. +description: The status item that reports the device's operating system supplemental + build version and Background Security Improvement version. payload: statusitemtype: device.operating-system.supplemental.build-version supportedOS: @@ -56,3 +57,7 @@ payloadkeys: presence: required content: The operating system's build and Background Security Improvement versions in use on the device, for example, `20A123a` or `20B27c`. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/device.operating-system.supplemental.build-version/example1.json diff --git a/declarative/status/device.operating-system.supplemental.extra-version.yaml b/declarative/status/device.operating-system.supplemental.extra-version.yaml index da29b75..597665b 100644 --- a/declarative/status/device.operating-system.supplemental.extra-version.yaml +++ b/declarative/status/device.operating-system.supplemental.extra-version.yaml @@ -1,6 +1,6 @@ title: Status Device Operating System Supplemental Extra Version -description: A status report of the device's operating system's Background Security - Improvement identifier. +description: The status item that reports the device's operating system Background + Security Improvement version. payload: statusitemtype: device.operating-system.supplemental.extra-version supportedOS: @@ -57,3 +57,7 @@ payloadkeys: presence: required content: The operating system's Background Security Improvement version in use on the device, for example, `a`. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/device.operating-system.supplemental.extra-version/example1.json diff --git a/declarative/status/device.operating-system.version.yaml b/declarative/status/device.operating-system.version.yaml index cf62710..5092848 100644 --- a/declarative/status/device.operating-system.version.yaml +++ b/declarative/status/device.operating-system.version.yaml @@ -1,5 +1,5 @@ title: Status Device Operating System Version -description: A status report of the device's operating system version. +description: The status item that reports the device's operating system version. payload: statusitemtype: device.operating-system.version supportedOS: @@ -55,3 +55,7 @@ payloadkeys: type: presence: required content: The operating system's version in use on the device, such as `15.0`. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/device.operating-system.version/example1.json diff --git a/declarative/status/device.power.battery-health.yaml b/declarative/status/device.power.battery-health.yaml index 749e6c4..c45dd18 100644 --- a/declarative/status/device.power.battery-health.yaml +++ b/declarative/status/device.power.battery-health.yaml @@ -1,5 +1,5 @@ title: Status Device Battery Health -description: The device's battery health. +description: The status item that reports the device's battery health. payload: statusitemtype: device.power.battery-health supportedOS: @@ -47,7 +47,7 @@ payloadkeys: - `unknown`: The system couldn't determine battery health information. - `unsupported`: The device doesn't support battery health reporting. - Available in iOS 17 and later on iPhone, iPadOS 18.4 and later on supported iPad models, and macOS 14.4 and later on a Mac with Apple silicon. + Supported on iPhones, specific iPad models, and Mac computers with Apple silicon. notes: - title: '' content: |- @@ -56,3 +56,7 @@ notes: - [iPhone devices](https://support.apple.com/101575) - [iPad devices](https://support.apple.com/117759) - [macOS devices](https://support.apple.com/108376) +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/device.power.battery-health/example1.json diff --git a/declarative/status/device.system.health.yaml b/declarative/status/device.system.health.yaml new file mode 100644 index 0000000..9d5db97 --- /dev/null +++ b/declarative/status/device.system.health.yaml @@ -0,0 +1,128 @@ +title: Status Device System Health +description: The status item that reports the device's system health. +payload: + statusitemtype: device.system.health + supportedOS: + iOS: + introduced: '27.0' + allowed-enrollments: + - supervised + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a +payloadkeys: +- key: device.system.health + title: Status item value. + type: + presence: required + content: |- + A dictionary where each key represents a hardware component name and each value is a string indicating the component's health status, which has the following values: + + - `ok`: The component is operating normally. + - `error`: The component has a detected error or failure. + - `non-genuine`: The component isn't a genuine Apple component. + + Not all keys are supported on each device. The dictionary includes only components that are present and reportable on the device. + subkeys: + - key: Baseband + title: Baseband health status + type: + presence: optional + rangelist: + - ok + - error + content: |- + The baseband health status, which has the following values: + + - `ok`: The component is operating normally. + - `error`: The component has a detected error or failure. + - key: Camera + title: Camera health status + type: + presence: optional + rangelist: + - ok + - error + - non-genuine + content: |- + The camera health status, which has the following values: + + - `ok`: The component is operating normally. + - `error`: The component has a detected error or failure. + - `non-genuine`: The component isn't a genuine Apple component. + - key: Display + title: Display health status + type: + presence: optional + rangelist: + - ok + - error + - non-genuine + content: |- + The display health status, which has the following values: + + - `ok`: The component is operating normally. + - `error`: The component has a detected error or failure. + - `non-genuine`: The component isn't a genuine Apple component. + - key: FaceID + title: Face ID health status + type: + presence: optional + rangelist: + - ok + - error + content: |- + The Face ID health status, which has the following values: + + - `ok`: The component is operating normally. + - `error`: The component has a detected error or failure. + - key: NFC + title: NFC health status + type: + presence: optional + rangelist: + - ok + - error + content: |- + The NFC (Near Field Communication) health status, which has the following values: + + - `ok`: The component is operating normally. + - `error`: The component has a detected error or failure. + - key: TouchID + title: Touch ID health status + type: + presence: optional + rangelist: + - ok + - error + content: |- + The Touch ID health status, which has the following values: + + - `ok`: The component is operating normally. + - `error`: The component has a detected error or failure. + - key: UWB + title: Ultra-wideband radio health status + type: + presence: optional + rangelist: + - ok + - error + content: |- + The UWB (Ultra-Wideband) radio health status, which has the following values: + + - `ok`: The component is operating normally. + - `error`: The component has a detected error or failure. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/device.system.health/example1.json diff --git a/declarative/status/diskmanagement.filevault.enabled.yaml b/declarative/status/diskmanagement.filevault.enabled.yaml index 511814d..28aa1a6 100644 --- a/declarative/status/diskmanagement.filevault.enabled.yaml +++ b/declarative/status/diskmanagement.filevault.enabled.yaml @@ -1,5 +1,5 @@ title: Status Disk Management File Vault Enabled -description: The enabled status of the File Vault. +description: The status item that reports whether FileVault is enabled. payload: statusitemtype: diskmanagement.filevault.enabled supportedOS: @@ -24,3 +24,7 @@ payloadkeys: type: presence: required content: A Boolean value that specifies the File Vault enabled status on the device. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/diskmanagement.filevault.enabled/example1.json diff --git a/declarative/status/enhanced-logging.applecare-token.yaml b/declarative/status/enhanced-logging.applecare-token.yaml new file mode 100644 index 0000000..0875966 --- /dev/null +++ b/declarative/status/enhanced-logging.applecare-token.yaml @@ -0,0 +1,42 @@ +title: Status Enhanced Logging AppleCare Token +description: The status item that reports the device's enhanced log collection session + AppleCare token. +payload: + statusitemtype: enhanced-logging.applecare-token + supportedOS: + iOS: + introduced: '27.0' + allowed-enrollments: + - supervised + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + macOS: + introduced: '27.0' + allowed-enrollments: + - supervised + allowed-scopes: + - user + tvOS: + introduced: '27.0' + allowed-enrollments: + - supervised + allowed-scopes: + - system + visionOS: + introduced: n/a + watchOS: + introduced: n/a +payloadkeys: +- key: enhanced-logging.applecare-token + title: AppleCare token value. + type: + presence: optional + content: The current enhanced log collection session AppleCare token. The device + returns an empty string if there's no session status to report. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/enhanced-logging.applecare-token/example1.json diff --git a/declarative/status/enhanced-logging.status.yaml b/declarative/status/enhanced-logging.status.yaml new file mode 100644 index 0000000..721fa42 --- /dev/null +++ b/declarative/status/enhanced-logging.status.yaml @@ -0,0 +1,64 @@ +title: Status Enhanced Logging +description: The status item that reports the device's enhanced log collection session + status. +payload: + statusitemtype: enhanced-logging.status + supportedOS: + iOS: + introduced: '27.0' + allowed-enrollments: + - supervised + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + macOS: + introduced: '27.0' + allowed-enrollments: + - supervised + allowed-scopes: + - user + tvOS: + introduced: '27.0' + allowed-enrollments: + - supervised + allowed-scopes: + - system + visionOS: + introduced: n/a + watchOS: + introduced: n/a +payloadkeys: +- key: enhanced-logging.status + title: Status item value. + type: + presence: required + rangelist: + - none + - waiting-for-consent + - collecting + - follow-up-question + - upload-consent + - uploading + - finished + - failed + - cancelled + - declined + content: |- + The enhanced log collection session status, which has the following values: + + - `none`: The device has never run an enhanced log collection session. + - `waiting-for-consent`: The device is waiting for the user to consent to the enhanced log collection. + - `collecting`: The enhanced log collection is in progress. + - `follow-up-question`: The device is waiting for follow-up response from the user. + - `upload-consent`: The device is waiting for the user to approve upload of the enhanced logs. + - `uploading`: The device is uploading the enhanced logs. + - `finished`: The device completed the enhanced log collection session. + - `failed`: The device failed to complete the enhanced log collection session. + - `cancelled` - The device management service cancelled the enhanced log collection session. + - `declined` - The user declined the enhanced log collection session. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/enhanced-logging.status/example1.json diff --git a/declarative/status/enhanced-logging.timestamp.yaml b/declarative/status/enhanced-logging.timestamp.yaml new file mode 100644 index 0000000..5834dfe --- /dev/null +++ b/declarative/status/enhanced-logging.timestamp.yaml @@ -0,0 +1,43 @@ +title: Status Enhanced Logging Timestamp +description: The status item that reports the device's enhanced log collection session + timestamp. +payload: + statusitemtype: enhanced-logging.timestamp + supportedOS: + iOS: + introduced: '27.0' + allowed-enrollments: + - supervised + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + macOS: + introduced: '27.0' + allowed-enrollments: + - supervised + allowed-scopes: + - user + tvOS: + introduced: '27.0' + allowed-enrollments: + - supervised + allowed-scopes: + - system + visionOS: + introduced: n/a + watchOS: + introduced: n/a +payloadkeys: +- key: enhanced-logging.timestamp + title: Timestamp value. + type: + presence: optional + content: The enhanced log collection session RFC 3339 timestamp that the device + reports for the last session status change. The device returns an empty string + if there's no session status to report. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/enhanced-logging.timestamp/example1.json diff --git a/declarative/status/management.client-capabilities.yaml b/declarative/status/management.client-capabilities.yaml index 841d887..7054c14 100644 --- a/declarative/status/management.client-capabilities.yaml +++ b/declarative/status/management.client-capabilities.yaml @@ -1,5 +1,5 @@ title: Status Management Client Capabilities -description: A status report of the client's protocol capabilities. +description: The status item that reports the devices's protocol capabilities. payload: statusitemtype: management.client-capabilities supportedOS: @@ -56,17 +56,17 @@ payloadkeys: subkeytype: Capabilities subkeys: - key: supported-versions - title: Supported Protocol Versions + title: Supported protocol versions type: presence: required content: A list of protocol versions that the client supports. subkeys: - key: _supported-versions - title: Supported Protocol Version + title: Supported protocol version type: content: A protocol version supported by the client. - key: supported-features - title: Supported Features + title: Supported features type: presence: required content: A set of optional protocol features that the client supports. Each object's @@ -78,67 +78,71 @@ payloadkeys: presence: optional content: Optional protocol features supported by the client. - key: supported-payloads - title: Supported Payloads + title: Supported payloads type: presence: required content: A set of declaration and status items that the client supports. subkeys: - key: declarations - title: Supported Declarations + title: Supported declarations type: presence: required content: A set of declarations that the client supports. subkeys: - key: activations - title: Supported Activations + title: Supported activations type: presence: optional content: An array of strings that represents the activation types that the client supports. subkeys: - key: _activations - title: Activation Type + title: Activation type type: content: Supported activation type. - key: assets - title: Supported Assets + title: Supported assets type: presence: optional content: An array of strings that represents the assets that the client supports. subkeys: - key: _assets - title: Asset Type + title: Asset type type: content: Supported asset type. - key: configurations - title: Supported Configurations + title: Supported configurations type: presence: optional content: An array of strings that represents the configuration types that the client supports. subkeys: - key: _configurations - title: Configuration Type + title: Configuration type type: content: Supported configuration type. - key: management - title: Supported Management Declarations + title: Supported management declarations type: presence: optional content: An array of strings that represents the declaration types that the client supports. subkeys: - key: _management - title: Management Declaration Type + title: Management declaration type type: content: Supported management declaration type. - key: status-items - title: Supported Status Items + title: Supported status items type: presence: required content: A list of status items that the client supports. subkeys: - key: _status_items - title: Status Item + title: Status item type: content: Supported status item. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/management.client-capabilities/example1.json diff --git a/declarative/status/management.declarations.yaml b/declarative/status/management.declarations.yaml index ce736bd..eece676 100644 --- a/declarative/status/management.declarations.yaml +++ b/declarative/status/management.declarations.yaml @@ -1,5 +1,5 @@ title: Status Management Declarations -description: A status report of the client's processed declarations. +description: The status item that reports the device's processed declarations. payload: statusitemtype: management.declarations supportedOS: @@ -61,7 +61,7 @@ payloadkeys: subkeytype: Declaration subkeys: - key: _activations - title: Status Declaration Item + title: Status declaration item type: content: Status for a declaration processed by the client. subkeytype: Declaration @@ -72,17 +72,17 @@ payloadkeys: presence: required content: The `identifier` of the declaration this status report refers to. - key: server-token - title: Server-Token + title: Server-token type: presence: required content: The `ServerToken` of the declaration this status report refers to. - key: active - title: Declaration's Active State + title: Declaration's active state type: presence: required content: If `true`, the declaration is active on the device. - key: valid - title: Declaration's Valid State + title: Declaration's valid state type: presence: required rangelist: @@ -92,30 +92,30 @@ payloadkeys: content: This string defines the validity of the declaration. If it's `invalid`, the `reasons` property contains more details. - key: reasons - title: Status Reasons + title: Status reasons type: presence: optional content: The details of any client errors. subkeytype: StatusReason subkeys: - key: _reasons - title: Status Reason + title: Status reason type: content: Information about a status error. subkeytype: StatusReason subkeys: - key: code - title: Error Code + title: Error code type: presence: required content: The error code for this error. - key: description - title: Error Description + title: Error description type: presence: optional content: The description for this error. - key: details - title: Error Details + title: Error details type: presence: optional content: A dictionary that contains further details about this error. @@ -133,7 +133,7 @@ payloadkeys: subkeytype: Declaration subkeys: - key: _configurations - title: Status Declaration Item + title: Status declaration item type: content: Status for a declaration processed by the client. subkeytype: Declaration @@ -146,7 +146,7 @@ payloadkeys: subkeytype: Declaration subkeys: - key: _assets - title: Status Declaration Item + title: Status declaration item type: content: Status for a declaration processed by the client. subkeytype: Declaration @@ -160,7 +160,7 @@ payloadkeys: subkeytype: Declaration subkeys: - key: _management - title: Status Declaration Item + title: Status declaration item type: content: Status for a declaration processed by the client. subkeytype: Declaration @@ -168,3 +168,7 @@ payloadkeys: notes: - title: '' content: The name of the declaration status item is `management.declarations`. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/management.declarations/example1.json diff --git a/declarative/status/mdm.app.yaml b/declarative/status/mdm.app.yaml index c2717c1..7784d1b 100644 --- a/declarative/status/mdm.app.yaml +++ b/declarative/status/mdm.app.yaml @@ -1,5 +1,5 @@ title: Status MDM App -description: A status report of the client's MDM-installed apps. +description: The status item that lists the devices's MDM-installed apps. payload: statusitemtype: mdm.app supportedOS: @@ -43,11 +43,12 @@ payloadkeys: title: Status item value. type: presence: required - content: The list of apps. The response doesn't include apps that are managed by - Declarative Device Management. + content: The list of apps. The response doesn't include apps that Declarative Device + Management manages. subkeytype: App subkeys: - key: status_value + title: Status value type: content: A status report that contains details about an MDM-installed app. subkeys: @@ -75,7 +76,7 @@ payloadkeys: type: presence: optional content: |- - The app's external version identifier. You can also retrieve this value from the App Store. For more information, see `Apps and Books for Organizations`. + The app's external version identifier. You can also retrieve this value from the App Store. For more information, see `Apps and books metadata for organizations`. If the current external version identifier of an app on the App Store doesn't match the external version identifier reported by the device, there may be an app update available for the device. - key: version @@ -114,3 +115,12 @@ payloadkeys: - management-rejected - failed content: The status of the app that `ManagedApplicationListCommand` reports. +examples: + title: Status item example + files: + - tab: New or updated app + description: Reports a new or updated app. + file: data/docc-examples/remotemanagementmodel/status/mdm.app/example1.json + - tab: Removed app + description: Reports a removed app. + file: data/docc-examples/remotemanagementmodel/status/mdm.app/example2.json diff --git a/declarative/status/mdm.enrollment-type.yaml b/declarative/status/mdm.enrollment-type.yaml new file mode 100644 index 0000000..9abe6a6 --- /dev/null +++ b/declarative/status/mdm.enrollment-type.yaml @@ -0,0 +1,67 @@ +title: Status MDM Enrollment Type +description: The status item that reports the device's management enrollment type. +payload: + statusitemtype: mdm.enrollment-type + supportedOS: + iOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - device + - user + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + - user + macOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - user + allowed-scopes: + - system + - user + tvOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - device + allowed-scopes: + - system + visionOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - device + - user + allowed-scopes: + - system + watchOS: + introduced: '27.0' + allowed-enrollments: + - supervised + allowed-scopes: + - system +payloadkeys: +- key: mdm.enrollment-type + title: Status item value. + type: + presence: required + rangelist: + - none + - supervised + - device + - user + content: |- + The device management enrollment type that indicates how the device is enrolled, which has the following possible values: + + - `none`: Device isn't enrolled + - `supervised`: Device is supervised + - `device`: Device enrollment + - `user`: User enrollment +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/mdm.enrollment-type/example1.json diff --git a/declarative/status/mdm.is-awaiting-configuration.yaml b/declarative/status/mdm.is-awaiting-configuration.yaml new file mode 100644 index 0000000..e2981d8 --- /dev/null +++ b/declarative/status/mdm.is-awaiting-configuration.yaml @@ -0,0 +1,53 @@ +title: Status MDM Is Awaiting Configuration +description: The status item that reports the device management awaiting configuration + state. +payload: + statusitemtype: mdm.is-awaiting-configuration + supportedOS: + iOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - device + - user + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + - user + macOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - user + allowed-scopes: + - system + - user + tvOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - device + allowed-scopes: + - system + visionOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - device + - user + allowed-scopes: + - system + watchOS: + introduced: n/a +payloadkeys: +- key: mdm.is-awaiting-configuration + title: Status item value. + type: + presence: required + content: If `true`, the device is awaiting configuration from the MDM server. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/mdm.is-awaiting-configuration/example1.json diff --git a/declarative/status/mdm.is-return-to-service.yaml b/declarative/status/mdm.is-return-to-service.yaml new file mode 100644 index 0000000..fae3c0b --- /dev/null +++ b/declarative/status/mdm.is-return-to-service.yaml @@ -0,0 +1,43 @@ +title: Status MDM Is Return to Service +description: The status item that reports the device's return to service with app + preservation state. +payload: + statusitemtype: mdm.is-return-to-service + supportedOS: + iOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - device + - user + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + - user + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - device + - user + allowed-scopes: + - system + watchOS: + introduced: n/a +payloadkeys: +- key: mdm.is-return-to-service + title: Status item value. + type: + presence: required + content: If `true`, the device is using the return to service with app preservation + mode. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/mdm.is-return-to-service/example1.json diff --git a/declarative/status/mdm.is-shared-ipad.yaml b/declarative/status/mdm.is-shared-ipad.yaml new file mode 100644 index 0000000..bab896b --- /dev/null +++ b/declarative/status/mdm.is-shared-ipad.yaml @@ -0,0 +1,35 @@ +title: Status MDM Is Shared iPad +description: The status item that reports the device's Shared iPad state. +payload: + statusitemtype: mdm.is-shared-ipad + supportedOS: + iOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - device + - user + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + - user + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a +payloadkeys: +- key: mdm.is-shared-ipad + title: Status item value. + type: + presence: required + content: If `true`, the device is a Shared iPad. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/mdm.is-shared-ipad/example1.json diff --git a/declarative/status/mdm.push-magic.yaml b/declarative/status/mdm.push-magic.yaml new file mode 100644 index 0000000..8828717 --- /dev/null +++ b/declarative/status/mdm.push-magic.yaml @@ -0,0 +1,57 @@ +title: Status MDM Push Magic +description: The status item that reports the device's push magic value. +payload: + statusitemtype: mdm.push-magic + supportedOS: + iOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - device + - user + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + - user + macOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - user + allowed-scopes: + - system + - user + tvOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - device + allowed-scopes: + - system + visionOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - device + - user + allowed-scopes: + - system + watchOS: + introduced: '27.0' + allowed-enrollments: + - supervised + allowed-scopes: + - system +payloadkeys: +- key: mdm.push-magic + title: Status item value. + type: + presence: required + content: The push magic value that the device expects the MDM server to include + in Apple Push Notification service messages. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/mdm.push-magic/example1.json diff --git a/declarative/status/mdm.push-token.yaml b/declarative/status/mdm.push-token.yaml new file mode 100644 index 0000000..4ba7a84 --- /dev/null +++ b/declarative/status/mdm.push-token.yaml @@ -0,0 +1,57 @@ +title: Status MDM Push Token +description: The status item that reports the device's push token. +payload: + statusitemtype: mdm.push-token + supportedOS: + iOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - device + - user + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + - user + macOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - user + allowed-scopes: + - system + - user + tvOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - device + allowed-scopes: + - system + visionOS: + introduced: '27.0' + allowed-enrollments: + - supervised + - device + - user + allowed-scopes: + - system + watchOS: + introduced: '27.0' + allowed-enrollments: + - supervised + allowed-scopes: + - system +payloadkeys: +- key: mdm.push-token + title: Status item value. + type: + presence: required + content: The device push token that the MDM server uses for Apple Push Notification + service messages. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/mdm.push-token/example1.json diff --git a/declarative/status/migration-assistant.report.yaml b/declarative/status/migration-assistant.report.yaml index 4112a35..e588c58 100644 --- a/declarative/status/migration-assistant.report.yaml +++ b/declarative/status/migration-assistant.report.yaml @@ -1,5 +1,5 @@ title: Status Migration Assistant Report -description: Reports the status of a completed migration. +description: The status item that reports the state of a completed migration. payload: statusitemtype: migration-assistant.report supportedOS: @@ -19,59 +19,63 @@ payload: introduced: n/a payloadkeys: - key: migration-assistant.report - title: Migration Assistant Report + title: Migration Assistant report type: presence: required content: The Migration Assistant migration status. subkeys: - key: completed-data-size - title: Migration Completed Data Size + title: Migration completed data size type: presence: optional content: The total amount of data the system successfully migrated from the source system. - key: completed-file-count - title: Migration Completed File Count + title: Migration completed file count type: presence: optional content: The number of files successfully migrated from the source system. - key: completion-time - title: Migration Completion Time + title: Migration completion time type: presence: optional content: The RFC 3339 timestamp for when the system completed migration. - key: source-user - title: Migration Source User + title: Migration source user type: presence: optional content: The username of the user that the system migrated from the source system. - key: start-time - title: Migration Start Time + title: Migration start time type: presence: optional content: The RFC 3339 timestamp for when the system started migration. - key: target-user - title: Migration Target User + title: Migration target user type: presence: optional content: The username of the target user account on the destination system. - key: total-data-size - title: Migration Total Data Size + title: Migration total data size type: presence: optional content: The total amount of data the system considers in scope for migration from the source system. - key: total-file-count - title: Migration Total File Count + title: Migration total file count type: presence: optional content: The number of files the system considers in scope for migration from the source system. - key: errors - title: Migration Errors + title: Migration errors type: presence: optional content: The descriptions of migration errors that the system reports. subkeys: - key: _errors type: +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/migration-assistant.report/example1.json diff --git a/declarative/status/migration-assistant.state.yaml b/declarative/status/migration-assistant.state.yaml index 5c04f12..af8b7a0 100644 --- a/declarative/status/migration-assistant.state.yaml +++ b/declarative/status/migration-assistant.state.yaml @@ -1,5 +1,5 @@ title: Status Migration Assistant State -description: The current migration state of the system. +description: A status item that shows the device's current migration state. payload: statusitemtype: migration-assistant.state supportedOS: @@ -19,7 +19,7 @@ payload: introduced: n/a payloadkeys: - key: migration-assistant.state - title: Migration Assistant State + title: Migration Assistant state type: presence: required rangelist: @@ -31,9 +31,13 @@ payloadkeys: - unknown content: |- The current migration state of the system, which has the following possible values: - - `none`: Migration has not started yet or no migration has taken place. + - `none`: Migration hasn't started yet or no migration has taken place. - `migrating`: Migration is in progress. - `completed`: Migration has completed successfully. - `failed`: Migration has failed. - `cancelled`: The user cancelled migration. - `unknown`: Migration status is unknown. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/migration-assistant.state/example1.json diff --git a/declarative/status/package.list.yaml b/declarative/status/package.list.yaml index 14a417b..3260687 100644 --- a/declarative/status/package.list.yaml +++ b/declarative/status/package.list.yaml @@ -1,5 +1,5 @@ title: Status Package List -description: The client's declarative packages. +description: The status item that lists the device's declarative packages. payload: statusitemtype: package.list supportedOS: @@ -26,6 +26,7 @@ payloadkeys: subkeytype: Package subkeys: - key: status_value + title: Status value type: content: A dictionary that describes a declarative package. subkeys: @@ -81,7 +82,7 @@ payloadkeys: - `installed`: The package is installed. - `failed`: The package install failed. - key: reasons - title: Status Reasons + title: Status reasons type: presence: optional content: An array that contains additional details about the package state, @@ -89,23 +90,23 @@ payloadkeys: subkeytype: StatusReason subkeys: - key: _reasons - title: Status Reason + title: Status reason type: content: Information about a status error. subkeytype: StatusReason subkeys: - key: code - title: Error Code + title: Error code type: presence: required content: A code for the state. - key: description - title: Error Description + title: Error description type: presence: optional content: A description of the state. - key: details - title: Error Details + title: Error details type: presence: optional content: A dictionary that contains additional details about the state. @@ -120,10 +121,21 @@ reasons: details: - key: Timestamp type: + valuetype: timestamp description: The RFC 3339 timestamp of the last download failure. - value: Error.InstallFailed description: The package install failed. details: - key: Timestamp type: + valuetype: timestamp description: The RFC 3339 timestamp of the last install failure. +examples: + title: Status item example + files: + - tab: New or updated package + description: Reports a new or updated package. + file: data/docc-examples/remotemanagementmodel/status/package.list/example1.json + - tab: Removed package + description: Reports a removed package. + file: data/docc-examples/remotemanagementmodel/status/package.list/example2.json diff --git a/declarative/status/passcode.is-compliant.yaml b/declarative/status/passcode.is-compliant.yaml index 04fb15e..17246cb 100644 --- a/declarative/status/passcode.is-compliant.yaml +++ b/declarative/status/passcode.is-compliant.yaml @@ -1,5 +1,5 @@ title: Status Passcode Compliance -description: A status report of passcode compliance. +description: The status item that reports the device's passcode compliance. payload: statusitemtype: passcode.is-compliant supportedOS: @@ -45,3 +45,7 @@ payloadkeys: on the device. If `false`, the passcode isn't in compliance with one or more passcode policies set on the device. When there are no passcode policies on the device, this value `true`. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/passcode.is-compliant/example1.json diff --git a/declarative/status/passcode.is-present.yaml b/declarative/status/passcode.is-present.yaml index 373a775..542121d 100644 --- a/declarative/status/passcode.is-present.yaml +++ b/declarative/status/passcode.is-present.yaml @@ -1,5 +1,5 @@ title: Status Passcode Is Present -description: A status report of the passcode on the device. +description: The status item that reports whether the device has a passcode. payload: statusitemtype: passcode.is-present supportedOS: @@ -46,3 +46,7 @@ payloadkeys: of the passcode, such as length or number of complex characters, aren't reported. Instead, use the `passcode.is-compliant` status item to verify that the passcode complies with all passcode policies set on the device. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/passcode.is-present/example1.json diff --git a/declarative/status/screensharing.connection.group.unresolved-connection.yaml b/declarative/status/screensharing.connection.group.unresolved-connection.yaml index 7b1e1a2..cc53997 100644 --- a/declarative/status/screensharing.connection.group.unresolved-connection.yaml +++ b/declarative/status/screensharing.connection.group.unresolved-connection.yaml @@ -1,6 +1,6 @@ title: Status Screen Sharing Connection Group Unresolved Connections -description: Information about connection groups with member connection references - that the system couldn't resolve. +description: The status item that lists connection groups with member connection references + that the device couldn't resolve. payload: statusitemtype: screensharing.connection.group.unresolved-connection supportedOS: @@ -23,15 +23,16 @@ payload: introduced: n/a payloadkeys: - key: screensharing.connection.group.unresolved-connection - title: Connection Groups status + title: Connection groups status type: presence: required - content: A status item that contains an array of unresolved connection groups. + content: The status item that contains an array of unresolved connection groups. subkeytype: UnresolvedGroup subkeys: - key: unresolved_group + title: Unresolved group type: - content: A status item that contains an unresolved connection group. + content: The status item that contains an unresolved connection group. subkeys: - key: identifier title: Unique identifier of the connection group. @@ -53,7 +54,16 @@ payloadkeys: in the group's declaration for the unresolved connections. subkeys: - key: ConnectionUUID - title: Connection Unique Identifier + title: Connection unique identifier type: content: The unique identifier (i.e., ConnectionUUID) of a connection which could not be resolved. +examples: + title: Status item example + files: + - tab: New or updated connection group + description: Reports a new or updated connection group. + file: data/docc-examples/remotemanagementmodel/status/screensharing.connection.group.unresolved-connection/example1.json + - tab: Removed connection group + description: Reports a removed connection group. + file: data/docc-examples/remotemanagementmodel/status/screensharing.connection.group.unresolved-connection/example2.json diff --git a/declarative/status/security.certificate.list.yaml b/declarative/status/security.certificate.list.yaml index ab6603a..d900f27 100644 --- a/declarative/status/security.certificate.list.yaml +++ b/declarative/status/security.certificate.list.yaml @@ -1,5 +1,5 @@ title: Status Security Certificate List -description: A status report of the client's managed certificates. +description: The status item that lists the device's managed certificates. payload: statusitemtype: security.certificate.list supportedOS: @@ -58,8 +58,9 @@ payloadkeys: subkeytype: Certificate subkeys: - key: status_value + title: Status value type: - content: A status report of a security certificate. + content: A security certificate. subkeys: - key: identifier title: Unique identifier of the certificate. @@ -72,8 +73,8 @@ payloadkeys: type: presence: optional default: false - content: If `true`, the system removed the app and only this key and the `identifier` - key are present in the status item object. + content: If `true`, the system removed the certificate and only this key and + the `identifier` key are present in the status item object. - key: declaration-identifier title: Asset declaration identifier. type: @@ -86,12 +87,21 @@ payloadkeys: presence: required content: The summary of the certificate's subject. - key: is-identity - title: Is Identity + title: Is identity type: presence: required content: If `true`, the certificate is an identity certificate. - key: data - title: Certificate Data + title: Certificate data type: presence: required content: The certificate data in DER-encoded X.509 format. +examples: + title: Status item example + files: + - tab: New or updated certificate + description: Reports a new or updated certificate. + file: data/docc-examples/remotemanagementmodel/status/security.certificate.list/example1.json + - tab: Removed certificate + description: Reports a removed certificate. + file: data/docc-examples/remotemanagementmodel/status/security.certificate.list/example2.json diff --git a/declarative/status/security.lockdown-mode.yaml b/declarative/status/security.lockdown-mode.yaml new file mode 100644 index 0000000..10acc86 --- /dev/null +++ b/declarative/status/security.lockdown-mode.yaml @@ -0,0 +1,39 @@ +title: Status Security Lockdown Mode +description: The status item that reports the device's Lockdown Mode state. +payload: + statusitemtype: security.lockdown-mode + supportedOS: + iOS: + introduced: '27.0' + allowed-enrollments: + - supervised + allowed-scopes: + - system + sharedipad: + allowed-scopes: [] + macOS: + introduced: '27.0' + allowed-enrollments: + - supervised + allowed-scopes: + - system + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: '27.0' + allowed-enrollments: + - supervised + allowed-scopes: + - system +payloadkeys: +- key: security.lockdown-mode + title: Status item value. + type: + presence: required + content: If `true`, indicates that Lockdown Mode is enabled. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/security.lockdown-mode/example1.json diff --git a/declarative/status/services.background-task.yaml b/declarative/status/services.background-task.yaml index cffe962..e385d88 100644 --- a/declarative/status/services.background-task.yaml +++ b/declarative/status/services.background-task.yaml @@ -1,5 +1,5 @@ title: Status Services Background Task -description: A status report of the device's background task details. +description: The status item that reports the device's background task details. payload: statusitemtype: services.background-task supportedOS: @@ -27,8 +27,9 @@ payloadkeys: subkeytype: Background Task subkeys: - key: status_value + title: Status value type: - content: A status report of a background task. + content: The status item that reports a background task. subkeys: - key: identifier title: Identifier @@ -40,8 +41,8 @@ payloadkeys: type: presence: optional default: false - content: If `true`, the background task is removed and the status item object - only contains this key and the `identifier` key. + content: If `true`, the system removed the background task and the status item + object only contains this key and the `identifier` key. - key: code-signature title: Code signature type: @@ -112,7 +113,7 @@ payloadkeys: presence: required content: The hash value of the `launchd` `plist` file. - key: device-management - title: Device Management + title: Device management supportedOS: macOS: introduced: '15.0' @@ -124,20 +125,29 @@ payloadkeys: for the task. subkeys: - key: configuration-identifier - title: Configuration Identifier + title: Configuration identifier type: presence: required content: The identifier of the `ServicesBackgroundTasks` configuration that created this task. - key: asset-identifier - title: Asset Identifier + title: Asset identifier type: presence: required content: The `Identifier` of the declaration asset that provided the launchd plist for this task. - key: asset-server-token - title: Asset Server Token + title: Asset server token type: presence: required content: The `ServerToken` of the declaration asset that provided the launchd plist for this task. +examples: + title: Status item example + files: + - tab: New or updated task + description: Reports a new or updated background task. + file: data/docc-examples/remotemanagementmodel/status/services.background-task/example1.json + - tab: Removed task + description: Reports a removed background task. + file: data/docc-examples/remotemanagementmodel/status/services.background-task/example2.json diff --git a/declarative/status/softwareupdate.beta-enrollment.yaml b/declarative/status/softwareupdate.beta-enrollment.yaml index b5c037f..4d0f875 100644 --- a/declarative/status/softwareupdate.beta-enrollment.yaml +++ b/declarative/status/softwareupdate.beta-enrollment.yaml @@ -1,5 +1,5 @@ title: Status Software Update Beta Enrollment -description: A status report of the device's enrolled beta program. +description: The status item that reports the device's enrolled beta program. payload: statusitemtype: softwareupdate.beta-enrollment supportedOS: @@ -32,3 +32,7 @@ payloadkeys: presence: required content: The device's enrolled beta program name, or an empty string if there's no enrolled beta program. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/softwareupdate.beta-enrollment/example1.json diff --git a/declarative/status/softwareupdate.device-id.yaml b/declarative/status/softwareupdate.device-id.yaml index f2418c2..445a4ab 100644 --- a/declarative/status/softwareupdate.device-id.yaml +++ b/declarative/status/softwareupdate.device-id.yaml @@ -1,5 +1,5 @@ title: Status Software Update Device ID -description: A status report of the device's update device ID. +description: The status item that reports the device's software update device ID. payload: statusitemtype: softwareupdate.device-id supportedOS: @@ -42,3 +42,7 @@ payloadkeys: presence: required content: The device identifier to use when looking up available software updates via `https://gdmf.apple.com/v2/pmv`. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/softwareupdate.device-id/example1.json diff --git a/declarative/status/softwareupdate.failure-reason.yaml b/declarative/status/softwareupdate.failure-reason.yaml index 98477e2..162a30a 100644 --- a/declarative/status/softwareupdate.failure-reason.yaml +++ b/declarative/status/softwareupdate.failure-reason.yaml @@ -1,5 +1,5 @@ title: Status Software Update Failure Reason -description: A status report of a software update failure reason. +description: The status item that reports the device's software update failure reason. payload: statusitemtype: softwareupdate.failure-reason supportedOS: @@ -62,3 +62,7 @@ payloadkeys: content: If present, this is the RFC 3339 timestamp of the last software update failure. This key isn't present if there are no failures or no pending software update. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/softwareupdate.failure-reason/example1.json diff --git a/declarative/status/softwareupdate.install-reason.yaml b/declarative/status/softwareupdate.install-reason.yaml index 5201673..25bc3f0 100644 --- a/declarative/status/softwareupdate.install-reason.yaml +++ b/declarative/status/softwareupdate.install-reason.yaml @@ -1,5 +1,5 @@ title: Status Software Update Install Reason -description: A status report of the reason for a pending software update on the device. +description: The status item that reports the device's pending software update reason. payload: statusitemtype: softwareupdate.install-reason supportedOS: @@ -80,3 +80,7 @@ payloadkeys: content: The identifier of the declaration that caused the software update to occur. This key is present only if the `reason` array contains the `declaration` value. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/softwareupdate.install-reason/example1.json diff --git a/declarative/status/softwareupdate.install-state.yaml b/declarative/status/softwareupdate.install-state.yaml index 311cbbd..58f5698 100644 --- a/declarative/status/softwareupdate.install-state.yaml +++ b/declarative/status/softwareupdate.install-state.yaml @@ -1,5 +1,5 @@ title: Status Software Update Install State -description: A status report of the software update install state. +description: The status item that reports the device's software update install state. payload: statusitemtype: softwareupdate.install-state supportedOS: @@ -50,8 +50,11 @@ payloadkeys: The software update install status, which has the following values: - `none`: There's no software update pending, and any previous software update succeeded. - - `waiting': A software update is waiting to start. - `downloading`: The system is downloading data for a software update. - `prepared`: The system prepared the software update and it's ready for installation. - `installing`: The system is installing the software update. - `failed`: The software update failed. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/softwareupdate.install-state/example1.json diff --git a/declarative/status/softwareupdate.pending-version.yaml b/declarative/status/softwareupdate.pending-version.yaml index 9318cb0..6524808 100644 --- a/declarative/status/softwareupdate.pending-version.yaml +++ b/declarative/status/softwareupdate.pending-version.yaml @@ -1,5 +1,5 @@ title: Status Software Update Pending Version -description: A status report of the pending software update version. +description: The status item that reports the device's pending software update version. payload: statusitemtype: softwareupdate.pending-version supportedOS: @@ -63,3 +63,7 @@ payloadkeys: content: The local date time value that indicates when the pending software update will be installed. This key is only present when the pending software update is being enforced. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/softwareupdate.pending-version/example1.json diff --git a/declarative/status/statusreason.yaml b/declarative/status/statusreason.yaml index ae1526f..6f9f995 100644 --- a/declarative/status/statusreason.yaml +++ b/declarative/status/statusreason.yaml @@ -15,17 +15,17 @@ payload: introduced: '10.0' payloadkeys: - key: code - title: Error Code + title: Error code type: presence: required content: The error code for this error. - key: description - title: Error Description + title: Error description type: presence: optional content: A description of this error. - key: details - title: Error Details + title: Error details type: presence: optional content: A dictionary that contains additional details about the error. @@ -33,3 +33,7 @@ notes: - title: '' content: Each status item defines its own set of `code`, `description`, and `details` values. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/statusreason/example1.json diff --git a/declarative/status/test.array-value.yaml b/declarative/status/test.array-value.yaml index 01cf3a2..cb90a67 100644 --- a/declarative/status/test.array-value.yaml +++ b/declarative/status/test.array-value.yaml @@ -58,16 +58,21 @@ payloadkeys: subkeytype: Array subkeys: - key: status_value + title: Status value type: content: A status value for the test status item array. subkeys: - key: key1 - title: First Key Value + title: First key value type: presence: required content: The value of the first sub-key. - key: key2 - title: Second Key Value + title: Second key value type: presence: optional content: The value of the second sub-key. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/test.array-value/example1.json diff --git a/declarative/status/test.boolean-value.yaml b/declarative/status/test.boolean-value.yaml index 8266449..29403c4 100644 --- a/declarative/status/test.boolean-value.yaml +++ b/declarative/status/test.boolean-value.yaml @@ -55,3 +55,7 @@ payloadkeys: type: presence: required content: The test status Boolean value. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/test.boolean-value/example1.json diff --git a/declarative/status/test.dictionary-value.yaml b/declarative/status/test.dictionary-value.yaml index 2c7241e..072cda1 100644 --- a/declarative/status/test.dictionary-value.yaml +++ b/declarative/status/test.dictionary-value.yaml @@ -58,12 +58,16 @@ payloadkeys: subkeytype: Dictionary subkeys: - key: key1 - title: First Key Value + title: First key value type: presence: required content: The value of the first sub-key. - key: key2 - title: Second Key Value + title: Second key value type: presence: optional content: The value of the second sub-key. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/test.dictionary-value/example1.json diff --git a/declarative/status/test.error-value.yaml b/declarative/status/test.error-value.yaml index 7004039..5055746 100644 --- a/declarative/status/test.error-value.yaml +++ b/declarative/status/test.error-value.yaml @@ -55,3 +55,7 @@ payloadkeys: type: presence: required content: The test status error value. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/test.error-value/example1.json diff --git a/declarative/status/test.integer-value.yaml b/declarative/status/test.integer-value.yaml index 989f0a6..4b8ac68 100644 --- a/declarative/status/test.integer-value.yaml +++ b/declarative/status/test.integer-value.yaml @@ -55,3 +55,7 @@ payloadkeys: type: presence: required content: The test status integer value. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/test.integer-value/example1.json diff --git a/declarative/status/test.real-value.yaml b/declarative/status/test.real-value.yaml index a8ac9ec..d6f4ed9 100644 --- a/declarative/status/test.real-value.yaml +++ b/declarative/status/test.real-value.yaml @@ -55,3 +55,7 @@ payloadkeys: type: presence: required content: The test status real value. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/test.real-value/example1.json diff --git a/declarative/status/test.string-value.yaml b/declarative/status/test.string-value.yaml index c928c90..fc8067f 100644 --- a/declarative/status/test.string-value.yaml +++ b/declarative/status/test.string-value.yaml @@ -55,3 +55,7 @@ payloadkeys: type: presence: required content: The test status string value. +examples: + title: Status item example + files: + - file: data/docc-examples/remotemanagementmodel/status/test.string-value/example1.json diff --git a/docs/errata.md b/docs/errata.md index be5b720..cd88429 100644 --- a/docs/errata.md +++ b/docs/errata.md @@ -2,6 +2,32 @@ This document lists errata for the YAML schema. This is used when older versions of the schema are incorrect, and a fix was made in later schema to correct the problem. +## Release 27.0 + +### mdm/commands/settings.yaml + +`DefaultApplications` - the setting is allowed on Shared iPad (user channel only), not forbidden. + +### mdm/profiles/com.apple.applicationaccess.new.yaml + +Replacements for keys deprecated in 10.15 were missing. + +### mdm/profiles/com.apple.dnsProxy.managed.yaml + +The `ProviderDesignatedRequirement` key in the `com.apple.dnsProxy.managed` profile payload was missing. + +### mdm/profiles/com.apple.loginwindow.yaml + +Several missing keys have been added. + +### mdm/profiles/com.apple.relay.managed.yaml + +`RelayUUID` is not available on macOS. + +### mdm/profiles/com.apple.webcontent-filter.yaml + +`FilterDataProviderBundleIdentifier` is available on iOS and visionOS. + ## iOS 26.4 ### other/skipkeys.yaml diff --git a/docs/schema.md b/docs/schema.md index 4fe1f5d..92c7fec 100644 --- a/docs/schema.md +++ b/docs/schema.md @@ -15,6 +15,7 @@ The definition of the schema used here is in the `schema.yaml` file. That file c | responsekeys | array | A list of YAML objects representing the command response | | reasons | array | A list of YAML objects representing declarative device management status reason codes | | notes | array | A list of YAML objects representing additional notes for the schema item as a whole | +| examples | array | A list of references to example files for this schema object | ### Payload Object diff --git a/docs/schema.yaml b/docs/schema.yaml index a7a16b0..aaa8304 100644 --- a/docs/schema.yaml +++ b/docs/schema.yaml @@ -387,3 +387,38 @@ properties: content: type: string description: The note content in "markdown" format. + + examples: + type: object + description: An array of examples. + additionalProperties: false + required: + - title + - files + properties: + title: + type: string + description: Title for the example. + files: + type: array + description: An array of files with their own descriptions. + items: + type: object + description: A description and path for an example file. + additionalProperties: false + properties: + tab: + type: string + description: Tab title. Must be present when there are multiple items in files array. Must be unique. + description: + type: string + description: Description for the example. Must be present when there are multiple items in files array. + file: + type: string + description: The file path for the example data. + request-file: + type: string + description: The file path for the request example data in a tabbed request/response. + response-file: + type: string + description: The file path for the response example data in a tabbed request/response. diff --git a/examples/declarative/declarations/activations/simple/example1.json b/examples/declarative/declarations/activations/simple/example1.json new file mode 100644 index 0000000..b9fb129 --- /dev/null +++ b/examples/declarative/declarations/activations/simple/example1.json @@ -0,0 +1,10 @@ +{ + "Type": "com.apple.activation.simple", + "Identifier": "1A136E03-0979-4B79-BAE9-1A2A2A785D3F", + "ServerToken": "F292FEF9-0C62-4E60-A989-2597352AA699", + "Payload": { + "StandardConfigurations": [ + "5D9502B9-9676-42D1-B094-A919DAFFB504" + ] + } +} diff --git a/examples/declarative/declarations/activations/simple/example2.json b/examples/declarative/declarations/activations/simple/example2.json new file mode 100644 index 0000000..86bed73 --- /dev/null +++ b/examples/declarative/declarations/activations/simple/example2.json @@ -0,0 +1,12 @@ +{ + "Type": "com.apple.activation.simple", + "Identifier": "04BECEFA-47B9-4F2E-8040-246509A52409", + "ServerToken": "CBE396A0-637B-438D-9F0C-EA912A5BB587", + "Payload": { + "Predicate": "@status(device.model.family) == 'AppleTV'", + "StandardConfigurations": [ + "892853C1-DDD1-4562-84B9-1591A76AD42B", + "DCF869F1-09B7-4EC2-83B5-073F6FE94597" + ] + } +} diff --git a/examples/declarative/declarations/assets/credential.acme/example1.json b/examples/declarative/declarations/assets/credential.acme/example1.json new file mode 100644 index 0000000..58351a5 --- /dev/null +++ b/examples/declarative/declarations/assets/credential.acme/example1.json @@ -0,0 +1,11 @@ +{ + "Type": "com.apple.asset.credential.acme", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "Reference": { + "DataURL": "https://example.com/asset-data/certificates/security_acme.json", + "ContentType": "application/json" + } + } +} diff --git a/examples/declarative/declarations/assets/credential.certificate/example1.json b/examples/declarative/declarations/assets/credential.certificate/example1.json new file mode 100644 index 0000000..8347fcb --- /dev/null +++ b/examples/declarative/declarations/assets/credential.certificate/example1.json @@ -0,0 +1,11 @@ +{ + "Type": "com.apple.asset.credential.certificate", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "Reference": { + "DataURL": "https://example.com/asset-data/certificates/cert.pem", + "ContentType": "application/pem" + } + } +} diff --git a/examples/declarative/declarations/assets/credential.identity/example1.json b/examples/declarative/declarations/assets/credential.identity/example1.json new file mode 100644 index 0000000..c7c81e3 --- /dev/null +++ b/examples/declarative/declarations/assets/credential.identity/example1.json @@ -0,0 +1,11 @@ +{ + "Type": "com.apple.asset.credential.identity", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "Reference": { + "DataURL": "https://example.com/asset-data/certificates/www.example.com.json", + "ContentType": "application/json" + } + } +} diff --git a/examples/declarative/declarations/assets/credential.scep/example1.json b/examples/declarative/declarations/assets/credential.scep/example1.json new file mode 100644 index 0000000..bd472d5 --- /dev/null +++ b/examples/declarative/declarations/assets/credential.scep/example1.json @@ -0,0 +1,11 @@ +{ + "Type": "com.apple.asset.credential.scep", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "Reference": { + "DataURL": "https://example.com/asset-data/certificates/security_scep.json", + "ContentType": "application/json" + } + } +} diff --git a/examples/declarative/declarations/assets/credential.userpassword/example1.json b/examples/declarative/declarations/assets/credential.userpassword/example1.json new file mode 100644 index 0000000..472ab76 --- /dev/null +++ b/examples/declarative/declarations/assets/credential.userpassword/example1.json @@ -0,0 +1,11 @@ +{ + "Type": "com.apple.asset.credential.userpassword", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "Reference": { + "DataURL": "https://example.com/asset-data/credential.json", + "ContentType": "application/json" + } + } +} diff --git a/examples/declarative/declarations/assets/credentials/acme/example1.json b/examples/declarative/declarations/assets/credentials/acme/example1.json new file mode 100644 index 0000000..a642a61 --- /dev/null +++ b/examples/declarative/declarations/assets/credentials/acme/example1.json @@ -0,0 +1,19 @@ +{ + "DirectoryURL": "https://example.com/acme/dir", + "ClientIdentifier": "This is a ClientIdentifier", + "KeySize": 384, + "KeyType": "ECSECPrimeRandom", + "HardwareBound": true, + "Subject": [[["C", "US"]], [["O", "Example Inc."]], [["1.2.840.113635.100.6.99999.99999", "test custom OID value"]]], + "SubjectAltName": { + "dNSName": "site.example.com", + "rfc822Name": "rfc822", + "uniformResourceIdentifier": "https://www.example.com/", + "ntPrincipalName": "Principal Example" + }, + "UsageFlags": 5, + "ExtendedKeyUsage": [ + "1.3.6.1.5.5.7.3.2" + ], + "Attest": true +} diff --git a/examples/declarative/declarations/assets/credentials/identity/example1.json b/examples/declarative/declarations/assets/credentials/identity/example1.json new file mode 100644 index 0000000..0710456 --- /dev/null +++ b/examples/declarative/declarations/assets/credentials/identity/example1.json @@ -0,0 +1,4 @@ +{ + "Password": "secret", + "Identity": "MIIJ....CCAA=" +} diff --git a/examples/declarative/declarations/assets/credentials/scep/example1.json b/examples/declarative/declarations/assets/credentials/scep/example1.json new file mode 100644 index 0000000..b1697c1 --- /dev/null +++ b/examples/declarative/declarations/assets/credentials/scep/example1.json @@ -0,0 +1,17 @@ +{ + "URL": "https://example.com/scep", + "Name": "This is a ClientIdentifier", + "Subject": [[["C", "US"]], [["O", "Example Inc."]], [["1.2.840.113635.100.6.99999.99999", "test custom OID value"]]], + "Challenge": "1E857F393D01EAE47E4A4AC2D8B8CFE4", + "Keysize": 2048, + "Key Type": "RSA", + "Key Usage": 5, + "Retries": 3, + "RetryDelay": 10, + "SubjectAltName": { + "dNSName": "site.example.com", + "rfc822Name": "rfc822", + "uniformResourceIdentifier": "https://www.example.com/", + "ntPrincipalName": "Principal Example" + } +} diff --git a/examples/declarative/declarations/assets/credentials/usernameandpassword/example1.json b/examples/declarative/declarations/assets/credentials/usernameandpassword/example1.json new file mode 100644 index 0000000..5bf26ad --- /dev/null +++ b/examples/declarative/declarations/assets/credentials/usernameandpassword/example1.json @@ -0,0 +1,4 @@ +{ + "UserName": "a.user", + "Password": "secret" +} diff --git a/examples/declarative/declarations/assets/data/example1.json b/examples/declarative/declarations/assets/data/example1.json new file mode 100644 index 0000000..dcf0cde --- /dev/null +++ b/examples/declarative/declarations/assets/data/example1.json @@ -0,0 +1,14 @@ +{ + "Type": "com.apple.asset.data", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "Reference": { + "DataURL": "https://example.com/asset-data/data/test.txt", + "ContentType": "text/plain" + }, + "Authentication": { + "Type": "MDM" + } + } +} diff --git a/examples/declarative/declarations/assets/useridentity/example1.json b/examples/declarative/declarations/assets/useridentity/example1.json new file mode 100644 index 0000000..9fbc292 --- /dev/null +++ b/examples/declarative/declarations/assets/useridentity/example1.json @@ -0,0 +1,9 @@ +{ + "Type": "com.apple.asset.useridentity", + "Identifier": "CB3E6C7F-2318-437B-8A9E-D50C69376DE4", + "ServerToken": "F25C68F6-D2E5-4A09-9170-F21E8FAD6A2F", + "Payload": { + "FullName": "A User", + "EmailAddress": "a.user@example.com" + } +} diff --git a/examples/declarative/declarations/configurations/account.caldav/example1.json b/examples/declarative/declarations/configurations/account.caldav/example1.json new file mode 100644 index 0000000..f544d4d --- /dev/null +++ b/examples/declarative/declarations/configurations/account.caldav/example1.json @@ -0,0 +1,12 @@ +{ + "Type": "com.apple.configuration.account.caldav", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "VisibleName": "Work Calendar", + "HostName": "calendar.example.com", + "Port": 8443, + "Path": "/principals", + "AuthenticationCredentialsAssetReference": "64BF8F5C-8CFD-40AA-9082-A0B594D4E100" + } +} diff --git a/examples/declarative/declarations/configurations/account.carddav/example1.json b/examples/declarative/declarations/configurations/account.carddav/example1.json new file mode 100644 index 0000000..0cae272 --- /dev/null +++ b/examples/declarative/declarations/configurations/account.carddav/example1.json @@ -0,0 +1,12 @@ +{ + "Type": "com.apple.configuration.account.carddav", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "VisibleName": "Work Contacts", + "HostName": "contacts.example.com", + "Port": 8443, + "Path": "/principals", + "AuthenticationCredentialsAssetReference": "64BF8F5C-8CFD-40AA-9082-A0B594D4E100" + } +} diff --git a/examples/declarative/declarations/configurations/account.exchange/example1.json b/examples/declarative/declarations/configurations/account.exchange/example1.json new file mode 100644 index 0000000..0543ea2 --- /dev/null +++ b/examples/declarative/declarations/configurations/account.exchange/example1.json @@ -0,0 +1,18 @@ +{ + "Type": "com.apple.configuration.account.exchange", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "VisibleName": "Work Exchange", + "HostName": "exchange.example.com", + "EnabledProtocolTypes": [ + "EAS", + "EWS" + ], + "UserIdentityAssetReference": "CB3E6C7F-2318-437B-8A9E-D50C69376DE4", + "AuthenticationCredentialsAssetReference": "64BF8F5C-8CFD-40AA-9082-A0B594D4E100", + "LockMailService": true, + "NotesServiceActive": false, + "LockNotesService": true + } +} diff --git a/examples/declarative/declarations/configurations/account.google/example1.json b/examples/declarative/declarations/configurations/account.google/example1.json new file mode 100644 index 0000000..262c8f2 --- /dev/null +++ b/examples/declarative/declarations/configurations/account.google/example1.json @@ -0,0 +1,9 @@ +{ + "Type": "com.apple.configuration.account.google", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "VisibleName": "Work Google", + "UserIdentityAssetReference": "CB3E6C7F-2318-437B-8A9E-D50C69376DE4" + } +} diff --git a/examples/declarative/declarations/configurations/account.ldap/example1.json b/examples/declarative/declarations/configurations/account.ldap/example1.json new file mode 100644 index 0000000..aaf70fd --- /dev/null +++ b/examples/declarative/declarations/configurations/account.ldap/example1.json @@ -0,0 +1,16 @@ +{ + "Type": "com.apple.configuration.account.ldap", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "VisibleName": "Work Directory", + "HostName": "ldap.example.com", + "SearchSettings": [ + { + "VisibleName": "Search Work", + "SearchBase": "dc=example,dc=com", + "Scope": "Subtree" + } + ] + } +} diff --git a/examples/declarative/declarations/configurations/account.mail/example1.json b/examples/declarative/declarations/configurations/account.mail/example1.json new file mode 100644 index 0000000..fa9011a --- /dev/null +++ b/examples/declarative/declarations/configurations/account.mail/example1.json @@ -0,0 +1,20 @@ +{ + "Type": "com.apple.configuration.account.mail", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "VisibleName": "Work Mail", + "UserIdentityAssetReference": "CB3E6C7F-2318-437B-8A9E-D50C69376DE4", + "IncomingServer": { + "ServerType": "IMAP", + "HostName": "imap.example.com", + "AuthenticationMethod": "Password", + "AuthenticationCredentialsAssetReference": "64BF8F5C-8CFD-40AA-9082-A0B594D4E100" + }, + "OutgoingServer": { + "HostName": "smtp.example.com", + "AuthenticationMethod": "Password", + "AuthenticationCredentialsAssetReference": "64BF8F5C-8CFD-40AA-9082-A0B594D4E100" + } + } +} diff --git a/examples/declarative/declarations/configurations/account.subscribed-calendar/example1.json b/examples/declarative/declarations/configurations/account.subscribed-calendar/example1.json new file mode 100644 index 0000000..b2fcbc6 --- /dev/null +++ b/examples/declarative/declarations/configurations/account.subscribed-calendar/example1.json @@ -0,0 +1,9 @@ +{ + "Type": "com.apple.configuration.account.subscribed-calendar", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "VisibleName": "Company Holidays", + "CalendarURL": "https://calendar.example.com/holidays.ics/" + } +} diff --git a/examples/declarative/declarations/configurations/app.managed/example1.json b/examples/declarative/declarations/configurations/app.managed/example1.json new file mode 100644 index 0000000..277b822 --- /dev/null +++ b/examples/declarative/declarations/configurations/app.managed/example1.json @@ -0,0 +1,14 @@ +{ + "Type": "com.apple.configuration.app.managed", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "AppStoreID": "361285480", + "InstallBehavior": { + "Install": "Required", + "License": { + "Assignment": "Device" + } + } + } +} diff --git a/examples/declarative/declarations/configurations/app.managed/example2.json b/examples/declarative/declarations/configurations/app.managed/example2.json new file mode 100644 index 0000000..baa5260 --- /dev/null +++ b/examples/declarative/declarations/configurations/app.managed/example2.json @@ -0,0 +1,29 @@ +{ + "Type": "com.apple.configuration.app.managed", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "ManifestURL": "https://example.com/apps/TestApp.plist", + "InstallBehavior": { + "Install": "Required", + "AllowDownloadsOverCellular": "AlwaysOff" + }, + "UpdateBehavior": { + "AutomaticAppUpdates": "AlwaysOn" + }, + "Attributes": { + "AssociatedDomains": [ + "www.example.com" + ], + "AssociatedDomainsEnableDirectDownloads": true, + "CellularSliceUUID": "Cellular-12345", + "ContentFilterUUID": "ContentFilter-12345", + "DNSProxyUUID": "DNSProxy-12345", + "Hideable": false, + "Lockable": false, + "RelayUUID": "Relay-12345", + "TapToPayScreenLock": true, + "VPNUUID": "VPN-12345" + } + } +} diff --git a/examples/declarative/declarations/configurations/app.managed/example3.json b/examples/declarative/declarations/configurations/app.managed/example3.json new file mode 100644 index 0000000..c73d2eb --- /dev/null +++ b/examples/declarative/declarations/configurations/app.managed/example3.json @@ -0,0 +1,11 @@ +{ + "Type": "com.apple.configuration.app.managed", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "AppComposedIdentifier": "com.example.TestApp (ABCDE12345)", + "InstallBehavior": { + "Install": "Required" + } + } +} diff --git a/examples/declarative/declarations/configurations/app.managed/example4.json b/examples/declarative/declarations/configurations/app.managed/example4.json new file mode 100644 index 0000000..6073044 --- /dev/null +++ b/examples/declarative/declarations/configurations/app.managed/example4.json @@ -0,0 +1,39 @@ +{ + "Type": "com.apple.configuration.app.managed", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "ManifestURL": "https://example.com/apps/TestApp.plist", + "InstallBehavior": { + "Install": "Required", + "AllowDownloadsOverCellular": "AlwaysOff" + }, + "UpdateBehavior": { + "AutomaticAppUpdates": "AlwaysOn" + }, + "AppConfig": { + "DataAssetReference": "52C7D562-1DEC-472A-BFDF-3A8BE630385B", + "Certificates": [ + { + "Identifier": "Certificate1", + "AssetReference": "84965BAD-11B2-48CE-9766-CE32387C508E" + } + ] + }, + "ExtensionConfigs": { + "com.example.TestApp.extension1 (ABCDE12345)": { + "DataAssetReference": "52C7D562-1DEC-472A-BFDF-3A8BE630385B", + "Certificates": [ + { + "Identifier": "Certificate1", + "AssetReference": "84965BAD-11B2-48CE-9766-CE32387C508E" + }, + { + "Identifier": "Certificate2", + "AssetReference": "4CEF7D59-CDB5-477A-B51B-6A1E8A63D678" + } + ] + } + } + } +} diff --git a/examples/declarative/declarations/configurations/app.settings/example1.json b/examples/declarative/declarations/configurations/app.settings/example1.json new file mode 100644 index 0000000..1584b83 --- /dev/null +++ b/examples/declarative/declarations/configurations/app.settings/example1.json @@ -0,0 +1,22 @@ +{ + "Type": "com.apple.configuration.app.settings", + "Identifier": "AF389B6F-5784-4DB6-BEFF-EA6D689BD4B0", + "ServerToken": "A5CA3371-559E-44B4-B9ED-A0A7DFEC193A", + "Payload": { + "Privacy": { + "PermissionDefaults": { + "com.example.scanner": { + "OrganizationJustification": "This app is used for scanning work documents.", + "Camera": "Allow" + }, + "com.example.on-site": { + "OrganizationJustification": "This app is used for video conferences while on-site with customers.", + "Camera": "Allow", + "Microphone": "Allow", + "Location": "WhileUsing", + "LocationAccuracy": "Precise" + } + } + } + } +} diff --git a/examples/declarative/declarations/configurations/app.settings/example2.json b/examples/declarative/declarations/configurations/app.settings/example2.json new file mode 100644 index 0000000..7a34eaa --- /dev/null +++ b/examples/declarative/declarations/configurations/app.settings/example2.json @@ -0,0 +1,22 @@ +{ + "Type": "com.apple.configuration.app.settings", + "Identifier": "245E4CBC-021B-4DB0-9B30-25F581119A2A", + "ServerToken": "D6472788-7568-4268-99CE-AD8AE114B28C", + "Payload": { + "Privacy": { + "PermissionDefaults": { + "com.example.scanner (ABCD1234)": { + "OrganizationJustification": "This app is used for scanning work documents.", + "Camera": "Allow" + }, + "com.example.on-site {anchor apple generic}": { + "OrganizationJustification": "This app is used for video conferences while on-site with customers.", + "Camera": "Allow", + "Microphone": "Allow", + "Location": "WhileUsing", + "LocationAccuracy": "Precise" + } + } + } + } +} diff --git a/examples/declarative/declarations/configurations/audio-accessory.settings/example1.json b/examples/declarative/declarations/configurations/audio-accessory.settings/example1.json new file mode 100644 index 0000000..7ffe20c --- /dev/null +++ b/examples/declarative/declarations/configurations/audio-accessory.settings/example1.json @@ -0,0 +1,15 @@ +{ + "Type": "com.apple.configuration.audio-accessory.settings", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "TemporaryPairing": { + "Configuration": { + "UnpairingTime": { + "Policy": "Hour", + "Hour": 18 + } + } + } + } +} diff --git a/examples/declarative/declarations/configurations/content-cache.settings/example1.json b/examples/declarative/declarations/configurations/content-cache.settings/example1.json new file mode 100644 index 0000000..f577c30 --- /dev/null +++ b/examples/declarative/declarations/configurations/content-cache.settings/example1.json @@ -0,0 +1,12 @@ +{ + "Type": "com.apple.configuration.content-cache.settings", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "AutoActivation": true, + "AllowPersonalCaching": true, + "AllowSharedCaching": true, + "KeepAwake": true, + "Port": 0 + } +} diff --git a/examples/declarative/declarations/configurations/content-cache.settings/example2.json b/examples/declarative/declarations/configurations/content-cache.settings/example2.json new file mode 100644 index 0000000..d1de9bd --- /dev/null +++ b/examples/declarative/declarations/configurations/content-cache.settings/example2.json @@ -0,0 +1,22 @@ +{ + "Type": "com.apple.configuration.content-cache.settings", + "Identifier": "2A3B4C5D-6E7F-8A9B-0C1D-2E3F4A5B6C7D", + "ServerToken": "F1E2D3C4-B5A6-7890-ABCD-EF1234567890", + "Payload": { + "AutoActivation": true, + "AllowPersonalCaching": false, + "AllowSharedCaching": true, + "LocalSubnetsOnly": false, + "ListenRangesOnly": true, + "ListenRanges": [ + { + "type": "IPv4", + "first": "192.168.1.1", + "last": "192.168.1.254" + } + ], + "Parents": ["10.0.0.1"], + "ParentSelectionPolicy": "first-available", + "Port": 8080 + } +} diff --git a/examples/declarative/declarations/configurations/diskmanagement.settings/example1.json b/examples/declarative/declarations/configurations/diskmanagement.settings/example1.json new file mode 100644 index 0000000..d146ac8 --- /dev/null +++ b/examples/declarative/declarations/configurations/diskmanagement.settings/example1.json @@ -0,0 +1,11 @@ +{ + "Type": "com.apple.configuration.diskmanagement.settings", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "Restrictions": { + "ExternalStorage": "Disallowed", + "NetworkStorage": "Disallowed" + } + } +} diff --git a/examples/declarative/declarations/configurations/extensiblesso/example1.json b/examples/declarative/declarations/configurations/extensiblesso/example1.json new file mode 100644 index 0000000..31ab73a --- /dev/null +++ b/examples/declarative/declarations/configurations/extensiblesso/example1.json @@ -0,0 +1,17 @@ +{ + "Type": "com.apple.configuration.extensible-sso", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "ExtensionIdentifier": "com.example.sso.extension", + "TeamIdentifier": "ABCDE12345", + "Type": "Credential", + "Realm": "EXAMPLE.COM", + "Hosts": [ + ".example.com" + ], + "ExtensionData": { + "useSiteAutoDiscovery": true + } + } +} diff --git a/examples/declarative/declarations/configurations/extensiblesso/example2.json b/examples/declarative/declarations/configurations/extensiblesso/example2.json new file mode 100644 index 0000000..f708ebe --- /dev/null +++ b/examples/declarative/declarations/configurations/extensiblesso/example2.json @@ -0,0 +1,15 @@ +{ + "Type": "com.apple.configuration.extensible-sso", + "Identifier": "2A3B4C5D-6E7F-8A9B-0C1D-2E3F4A5B6C7D", + "ServerToken": "F1E2D3C4-B5A6-7890-ABCD-EF1234567890", + "Payload": { + "ExtensionIdentifier": "com.example.sso.extension", + "TeamIdentifier": "ABCDE12345", + "Type": "Redirect", + "URLs": [ + "https://login.example.com/auth", + "https://sso.example.com/" + ], + "ScreenLockedBehavior": "Cancel" + } +} diff --git a/examples/declarative/declarations/configurations/external-intelligence.settings/example1.json b/examples/declarative/declarations/configurations/external-intelligence.settings/example1.json new file mode 100644 index 0000000..59e69f7 --- /dev/null +++ b/examples/declarative/declarations/configurations/external-intelligence.settings/example1.json @@ -0,0 +1,12 @@ +{ + "Type": "com.apple.configuration.external-intelligence.settings", + "Identifier": "A1B2C3D4-E5F6-4A5B-9C8D-7E6F5A4B3C2D", + "ServerToken": "F1E2D3C4-B5A6-4D5E-8F9A-0B1C2D3E4F5A", + "Payload": { + "Enabled": false, + "AllowSignIn": false, + "AllowedWorkspaceIDs": [ + "ABCDEFGH" + ] + } +} diff --git a/examples/declarative/declarations/configurations/intelligence.settings/example1.json b/examples/declarative/declarations/configurations/intelligence.settings/example1.json new file mode 100644 index 0000000..1e70814 --- /dev/null +++ b/examples/declarative/declarations/configurations/intelligence.settings/example1.json @@ -0,0 +1,29 @@ +{ + "Type": "com.apple.configuration.intelligence.settings", + "Identifier": "A1B2C3D4-E5F6-4A5B-9C8D-7E6F5A4B3C2D", + "ServerToken": "F1E2D3C4-B5A6-4D5E-8F9A-0B1C2D3E4F5A", + "Payload": { + "AllowAppleIntelligenceReport": false, + "AllowGenmoji": false, + "AllowImagePlayground": false, + "AllowImageWand": false, + "Apps": { + "Mail": { + "AllowSmartReplies": false, + "AllowSummary": false + }, + "Notes": { + "AllowTranscription": false, + "AllowTranscriptionSummary": false + }, + "Safari": { + "AllowSummary": false + } + }, + "AllowPersonalizedHandwritingResults": false, + "AllowVisualIntelligenceSummary": false, + "AllowWritingTools": false, + "ForceOnDeviceOnlyDictation": true, + "ForceOnDeviceOnlyTranslation": true + } +} diff --git a/examples/declarative/declarations/configurations/keyboard.settings/example1.json b/examples/declarative/declarations/configurations/keyboard.settings/example1.json new file mode 100644 index 0000000..cbfbabf --- /dev/null +++ b/examples/declarative/declarations/configurations/keyboard.settings/example1.json @@ -0,0 +1,15 @@ +{ + "Type": "com.apple.configuration.keyboard.settings", + "Identifier": "A1B2C3D4-E5F6-4A5B-9C8D-7E6F5A4B3C2D", + "ServerToken": "F1E2D3C4-B5A6-4D5E-8F9A-0B1C2D3E4F5A", + "Payload": { + "AllowAutoCorrection": false, + "AllowSlideToType": false, + "AllowDefinitionLookup": false, + "AllowDictation": false, + "AllowMathKeyboardSuggestions": false, + "AllowPredictiveText": false, + "AllowTextReplacement": false, + "AllowSpellCheck": false + } +} diff --git a/examples/declarative/declarations/configurations/legacy.interactive/example1.json b/examples/declarative/declarations/configurations/legacy.interactive/example1.json new file mode 100644 index 0000000..ca2ab8e --- /dev/null +++ b/examples/declarative/declarations/configurations/legacy.interactive/example1.json @@ -0,0 +1,9 @@ +{ + "Type": "com.apple.configuration.legacy.interactive", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "ProfileURL": "https://www.example.com/profiles/passcode.mobileconfig", + "VisibleName": "Passcode Policy" + } +} diff --git a/examples/declarative/declarations/configurations/legacy.interactive/example2.json b/examples/declarative/declarations/configurations/legacy.interactive/example2.json new file mode 100644 index 0000000..3168bf8 --- /dev/null +++ b/examples/declarative/declarations/configurations/legacy.interactive/example2.json @@ -0,0 +1,9 @@ +{ + "Type": "com.apple.configuration.legacy.interactive", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "ProfileAssetReference": "F8D5BF80-F38A-476A-BEE0-0B10BDED2161", + "VisibleName": "Passcode Policy" + } +} diff --git a/examples/declarative/declarations/configurations/legacy/example1.json b/examples/declarative/declarations/configurations/legacy/example1.json new file mode 100644 index 0000000..52791f1 --- /dev/null +++ b/examples/declarative/declarations/configurations/legacy/example1.json @@ -0,0 +1,8 @@ +{ + "Type": "com.apple.configuration.legacy", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "ProfileURL": "https://www.example.com/profiles/passcode.mobileconfig" + } +} diff --git a/examples/declarative/declarations/configurations/legacy/example2.json b/examples/declarative/declarations/configurations/legacy/example2.json new file mode 100644 index 0000000..eb9621a --- /dev/null +++ b/examples/declarative/declarations/configurations/legacy/example2.json @@ -0,0 +1,8 @@ +{ + "Type": "com.apple.configuration.legacy", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "ProfileAssetReference": "F8D5BF80-F38A-476A-BEE0-0B10BDED2161" + } +} diff --git a/examples/declarative/declarations/configurations/management.status-subscriptions/example1.json b/examples/declarative/declarations/configurations/management.status-subscriptions/example1.json new file mode 100644 index 0000000..51e1559 --- /dev/null +++ b/examples/declarative/declarations/configurations/management.status-subscriptions/example1.json @@ -0,0 +1,30 @@ +{ + "Type": "com.apple.configuration.management.status-subscriptions", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "StatusItems": [ + { + "Name": "device.identifier.serial-number" + }, + { + "Name": "device.identifier.udid" + }, + { + "Name": "device.operating-system.build-version" + }, + { + "Name": "device.operating-system.version" + }, + { + "Name": "device.power.battery-health" + }, + { + "Name": "passcode.is-compliant" + }, + { + "Name": "security.certificate.list" + } + ] + } +} diff --git a/examples/declarative/declarations/configurations/management.test/example1.json b/examples/declarative/declarations/configurations/management.test/example1.json new file mode 100644 index 0000000..b533cca --- /dev/null +++ b/examples/declarative/declarations/configurations/management.test/example1.json @@ -0,0 +1,8 @@ +{ + "Type": "com.apple.configuration.management.test", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "Echo": "Hello World!" + } +} diff --git a/examples/declarative/declarations/configurations/math.settings/example1.json b/examples/declarative/declarations/configurations/math.settings/example1.json new file mode 100644 index 0000000..bd00b8f --- /dev/null +++ b/examples/declarative/declarations/configurations/math.settings/example1.json @@ -0,0 +1,15 @@ +{ + "Type": "com.apple.configuration.math.settings", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "Calculator": { + "ScientificMode": { + "Enabled": false + }, + "ProgrammerMode": { + "Enabled": false + } + } + } +} diff --git a/examples/declarative/declarations/configurations/migration-assistant.settings/example1.json b/examples/declarative/declarations/configurations/migration-assistant.settings/example1.json new file mode 100644 index 0000000..fd7f73d --- /dev/null +++ b/examples/declarative/declarations/configurations/migration-assistant.settings/example1.json @@ -0,0 +1,18 @@ +{ + "Type": "com.apple.configuration.migration-assistant.settings", + "Identifier": "F3CD2AD7-85AA-4FF3-9264-A737259FB55E", + "ServerToken": "5AB2B98C-FCE9-4A33-88B3-ADB05F081F77", + "Payload": { + "ShouldDoManagedMigration": true, + "ExcludedAccounts": [ + "admin" + ], + "ExcludedPaths": [ + "Documents/Personal Items/" + ], + "RequiredPaths": [ + "Documents/Work Items/" + ], + "ShouldMigrateSecurityPrivacySettings": false + } +} diff --git a/examples/declarative/declarations/configurations/network.dns-proxy/example1.json b/examples/declarative/declarations/configurations/network.dns-proxy/example1.json new file mode 100644 index 0000000..217c7e5 --- /dev/null +++ b/examples/declarative/declarations/configurations/network.dns-proxy/example1.json @@ -0,0 +1,15 @@ +{ + "Type": "com.apple.configuration.network.dns-proxy", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "VisibleName": "DNS Proxy", + "AppBundleIdentifier": "com.example.mydnsproxyapp", + "ProviderComposedIdentifier": "com.example.mydnsproxyapp.mydnsproxyprovider", + "ProviderConfiguration": { + "resolver": { + "ipaddress": "9.9.9.9" + } + } + } +} diff --git a/examples/declarative/declarations/configurations/network.dns-settings/example1.json b/examples/declarative/declarations/configurations/network.dns-settings/example1.json new file mode 100644 index 0000000..aeef1a0 --- /dev/null +++ b/examples/declarative/declarations/configurations/network.dns-settings/example1.json @@ -0,0 +1,19 @@ +{ + "Type": "com.apple.configuration.network.dns-settings", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "VisibleName": "DNS Settings", + "DNSSettings": { + "DNSProtocol": "HTTPS", + "ServerURL": "https://dns.example.com/dns-query", + "ServerAddresses": [ + "12.12.12.12" + ], + "AllowFailover": false, + "SupplementalMatchDomains": [ + "example.com" + ] + } + } +} diff --git a/examples/declarative/declarations/configurations/network.relay/example1.json b/examples/declarative/declarations/configurations/network.relay/example1.json new file mode 100644 index 0000000..9e9d5b7 --- /dev/null +++ b/examples/declarative/declarations/configurations/network.relay/example1.json @@ -0,0 +1,19 @@ +{ + "Type": "com.apple.configuration.network.relay", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "VisibleName": "Corporate Relay", + "Relays": [ + { + "HTTP2RelayURL": "https://relay.example.com/proxy", + "AdditionalHTTPHeaderFields": { + "Authorization": "Bearer enterprise-token-12345" + } + } + ], + "MatchDomains": ["example.com", "internal.example.com"], + "RelayUUID": "C3D4E5F6-A7B8-9012-CDEF-123456789012", + "UIToggleEnabled": false + } +} diff --git a/examples/declarative/declarations/configurations/network.relay/example2.json b/examples/declarative/declarations/configurations/network.relay/example2.json new file mode 100644 index 0000000..1dad6f4 --- /dev/null +++ b/examples/declarative/declarations/configurations/network.relay/example2.json @@ -0,0 +1,21 @@ +{ + "Type": "com.apple.configuration.network.relay", + "Identifier": "2A3B4C5D-6E7F-8A9B-0C1D-2E3F4A5B6C7D", + "ServerToken": "F1E2D3C4-B5A6-7890-ABCD-EF1234567890", + "Payload": { + "VisibleName": "Two-Hop Privacy Relay", + "Relays": [ + { + "HTTP3RelayURL": "https://relay1.example.com/hop1", + "HTTP2RelayURL": "https://relay1.example.com/hop1" + }, + { + "HTTP3RelayURL": "https://relay2.example.com/hop2" + } + ], + "MatchFQDNs": ["secure.example.com", "api.example.com"], + "ExcludedDomains": ["cdn.example.com"], + "RelayUUID": "D4E5F6A7-B8C9-0123-DEF0-234567890123", + "AllowDNSFailover": true + } +} diff --git a/examples/declarative/declarations/configurations/network.vpn.always-on/example1.json b/examples/declarative/declarations/configurations/network.vpn.always-on/example1.json new file mode 100644 index 0000000..90e019e --- /dev/null +++ b/examples/declarative/declarations/configurations/network.vpn.always-on/example1.json @@ -0,0 +1,27 @@ +{ + "Type": "com.apple.configuration.network.vpn.always-on", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "VisibleName": "Always-On VPN", + "UIToggleEnabled": false, + "TunnelConfigurations": [ + { + "ProtocolType": "IKEv2", + "Interfaces": [ + "Cellular", + "WiFi" + ], + "IKEV2": { + "HostName": "vpn.example.com", + "LocalIdentifier": "device@example.com", + "RemoteIdentifier": "vpn.example.com", + "Authentication": { + "Method": "Certificate", + "IdentityAssetReference": "CB3E6C7F-2318-437B-8A9E-D50C69376DE4" + } + } + } + ] + } +} diff --git a/examples/declarative/declarations/configurations/network.vpn.ikev2/example1.json b/examples/declarative/declarations/configurations/network.vpn.ikev2/example1.json new file mode 100644 index 0000000..899212a --- /dev/null +++ b/examples/declarative/declarations/configurations/network.vpn.ikev2/example1.json @@ -0,0 +1,15 @@ +{ + "Type": "com.apple.configuration.network.vpn.ikev2", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "VisibleName": "Corporate IKEv2 VPN", + "HostName": "vpn.example.com", + "LocalIdentifier": "device@example.com", + "RemoteIdentifier": "vpn.example.com", + "Authentication": { + "Method": "SharedSecret", + "CredentialsAssetReference": "64BF8F5C-8CFD-40AA-9082-A0B594D4E100" + } + } +} diff --git a/examples/declarative/declarations/configurations/network.vpn.ikev2/example2.json b/examples/declarative/declarations/configurations/network.vpn.ikev2/example2.json new file mode 100644 index 0000000..7c02d5c --- /dev/null +++ b/examples/declarative/declarations/configurations/network.vpn.ikev2/example2.json @@ -0,0 +1,22 @@ +{ + "Type": "com.apple.configuration.network.vpn.ikev2", + "Identifier": "2A3B4C5D-6E7F-8A9B-0C1D-2E3F4A5B6C7D", + "ServerToken": "F1E2D3C4-B5A6-7890-ABCD-EF1234567890", + "Payload": { + "VisibleName": "Corporate IKEv2 VPN (Certificate)", + "HostName": "vpn.example.com", + "LocalIdentifier": "device@example.com", + "RemoteIdentifier": "vpn.example.com", + "Authentication": { + "Method": "Certificate", + "IdentityAssetReference": "CB3E6C7F-2318-437B-8A9E-D50C69376DE4", + "IdentityCertificateType": "RSA", + "ExtendedAuth": { + "Enabled": true, + "CredentialsAssetReference": "64BF8F5C-8CFD-40AA-9082-A0B594D4E100", + "ServerCertificateIssuerCommonName": "Example Corp CA", + "TLSMinimumVersion": "1.2" + } + } + } +} diff --git a/examples/declarative/declarations/configurations/network.vpn.ipsec/example1.json b/examples/declarative/declarations/configurations/network.vpn.ipsec/example1.json new file mode 100644 index 0000000..660e1dd --- /dev/null +++ b/examples/declarative/declarations/configurations/network.vpn.ipsec/example1.json @@ -0,0 +1,15 @@ +{ + "Type": "com.apple.configuration.network.vpn.ipsec", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "VisibleName": "Corporate IPSec VPN", + "HostName": "vpn.example.com", + "Authentication": { + "Method": "SharedSecret", + "LocalIdentifier": "vpngroup", + "LocalIdentifierType": "KeyID", + "CredentialsAssetReference": "64BF8F5C-8CFD-40AA-9082-A0B594D4E100" + } + } +} diff --git a/examples/declarative/declarations/configurations/network.vpn.ipsec/example2.json b/examples/declarative/declarations/configurations/network.vpn.ipsec/example2.json new file mode 100644 index 0000000..45edafe --- /dev/null +++ b/examples/declarative/declarations/configurations/network.vpn.ipsec/example2.json @@ -0,0 +1,13 @@ +{ + "Type": "com.apple.configuration.network.vpn.ipsec", + "Identifier": "2A3B4C5D-6E7F-8A9B-0C1D-2E3F4A5B6C7D", + "ServerToken": "F1E2D3C4-B5A6-7890-ABCD-EF1234567890", + "Payload": { + "VisibleName": "Corporate IPSec VPN (Certificate)", + "HostName": "vpn.example.com", + "Authentication": { + "Method": "Certificate", + "IdentityAssetReference": "CB3E6C7F-2318-437B-8A9E-D50C69376DE4" + } + } +} diff --git a/examples/declarative/declarations/configurations/network.vpn.vpn-plugin/example1.json b/examples/declarative/declarations/configurations/network.vpn.vpn-plugin/example1.json new file mode 100644 index 0000000..4ae1749 --- /dev/null +++ b/examples/declarative/declarations/configurations/network.vpn.vpn-plugin/example1.json @@ -0,0 +1,14 @@ +{ + "Type": "com.apple.configuration.network.vpn.vpn-plugin", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "VisibleName": "Corporate VPN", + "HostName": "vpn.example.com", + "SubType": "com.example.vpn.plugin", + "Authentication": { + "Method": "Password", + "CredentialsAssetReference": "64BF8F5C-8CFD-40AA-9082-A0B594D4E100" + } + } +} diff --git a/examples/declarative/declarations/configurations/network.vpn.vpn-plugin/example2.json b/examples/declarative/declarations/configurations/network.vpn.vpn-plugin/example2.json new file mode 100644 index 0000000..006bbaf --- /dev/null +++ b/examples/declarative/declarations/configurations/network.vpn.vpn-plugin/example2.json @@ -0,0 +1,14 @@ +{ + "Type": "com.apple.configuration.network.vpn.vpn-plugin", + "Identifier": "2A3B4C5D-6E7F-8A9B-0C1D-2E3F4A5B6C7D", + "ServerToken": "F1E2D3C4-B5A6-7890-ABCD-EF1234567890", + "Payload": { + "VisibleName": "Corporate VPN (Certificate)", + "HostName": "vpn.example.com", + "SubType": "com.example.vpn.plugin", + "Authentication": { + "Method": "Certificate", + "IdentityAssetReference": "CB3E6C7F-2318-437B-8A9E-D50C69376DE4" + } + } +} diff --git a/examples/declarative/declarations/configurations/network.webcontent-filter.plugin/example1.json b/examples/declarative/declarations/configurations/network.webcontent-filter.plugin/example1.json new file mode 100644 index 0000000..4795085 --- /dev/null +++ b/examples/declarative/declarations/configurations/network.webcontent-filter.plugin/example1.json @@ -0,0 +1,11 @@ +{ + "Type": "com.apple.configuration.webcontent-filter.plugin", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "VisibleName": "Content Filter", + "PluginBundleID": "com.example.contentfilter", + "ServerAddress": "filter.example.com", + "ContentFilterUUID": "A1B2C3D4-E5F6-7890-ABCD-EF1234567890" + } +} diff --git a/examples/declarative/declarations/configurations/package/example1.json b/examples/declarative/declarations/configurations/package/example1.json new file mode 100644 index 0000000..83b2b42 --- /dev/null +++ b/examples/declarative/declarations/configurations/package/example1.json @@ -0,0 +1,11 @@ +{ + "Type": "com.apple.configuration.package", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "ManifestURL": "https://example.com/files/packages/TestPackage.plist", + "InstallBehavior": { + "Install": "Required" + } + } +} diff --git a/examples/declarative/declarations/configurations/passcode.settings/example1.json b/examples/declarative/declarations/configurations/passcode.settings/example1.json new file mode 100644 index 0000000..f792abe --- /dev/null +++ b/examples/declarative/declarations/configurations/passcode.settings/example1.json @@ -0,0 +1,11 @@ +{ + "Type": "com.apple.configuration.passcode.settings", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "RequirePasscode": true, + "RequireComplexPasscode": true, + "MinimumLength": 10, + "MaximumInactivityInMinutes": 1 + } +} diff --git a/examples/declarative/declarations/configurations/passcode.settings/example2.json b/examples/declarative/declarations/configurations/passcode.settings/example2.json new file mode 100644 index 0000000..528f56d --- /dev/null +++ b/examples/declarative/declarations/configurations/passcode.settings/example2.json @@ -0,0 +1,15 @@ +{ + "Type": "com.apple.configuration.passcode.settings", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "CustomRegex": { + "Regex": "^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9]).{8,}$", + "Description": { + "default": "Default: Minimum 8 characters, 1 number, 1 uppercase, 1 lowercase.", + "en-US": "Minimum 8 characters, 1 number, 1 uppercase, 1 lowercase.", + "fr": "Minimum 8 caractères, 1 chiffre, 1 majuscule, 1 minuscule." + } + } + } +} diff --git a/examples/declarative/declarations/configurations/safari.bookmarks/example1.json b/examples/declarative/declarations/configurations/safari.bookmarks/example1.json new file mode 100644 index 0000000..e483b74 --- /dev/null +++ b/examples/declarative/declarations/configurations/safari.bookmarks/example1.json @@ -0,0 +1,36 @@ +{ + "Type": "com.apple.configuration.safari.bookmarks", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "ManagedBookmarks": [ + { + "GroupIdentifier": "Group1", + "Title": "Company Bookmarks", + "Bookmarks": [ + { + "Title": "Public Site", + "URL": "https://www.example.com" + }, + { + "Title": "Store", + "URL": "https://store.example.com" + }, + { + "Title": "Internal Developers", + "Folder": [ + { + "Title": "Developers", + "URL": "https://developer.example.com" + }, + { + "Title": "Repositories", + "URL": "https://repo.example.com" + } + ] + } + ] + } + ] + } +} diff --git a/examples/declarative/declarations/configurations/safari.extensions.settings/example1.json b/examples/declarative/declarations/configurations/safari.extensions.settings/example1.json new file mode 100644 index 0000000..0028e9c --- /dev/null +++ b/examples/declarative/declarations/configurations/safari.extensions.settings/example1.json @@ -0,0 +1,12 @@ +{ + "Type": "com.apple.configuration.safari.extensions.settings", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "ManagedExtensions": { + "*": { + "State": "AlwaysOff" + } + } + } +} diff --git a/examples/declarative/declarations/configurations/safari.extensions.settings/example2.json b/examples/declarative/declarations/configurations/safari.extensions.settings/example2.json new file mode 100644 index 0000000..03f4a49 --- /dev/null +++ b/examples/declarative/declarations/configurations/safari.extensions.settings/example2.json @@ -0,0 +1,15 @@ +{ + "Type": "com.apple.configuration.safari.extensions.settings", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "ManagedExtensions": { + "*": { + "State": "AlwaysOff" + }, + "com.example.WebExtension (ABCDE12345)": { + "State": "AlwaysOn" + } + } + } +} diff --git a/examples/declarative/declarations/configurations/safari.extensions.settings/example3.json b/examples/declarative/declarations/configurations/safari.extensions.settings/example3.json new file mode 100644 index 0000000..112607f --- /dev/null +++ b/examples/declarative/declarations/configurations/safari.extensions.settings/example3.json @@ -0,0 +1,13 @@ +{ + "Type": "com.apple.configuration.safari.extensions.settings", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "ManagedExtensions": { + "com.example.WebExtension (ABCDE12345)": { + "State": "AlwaysOn", + "PrivateBrowsing": "AlwaysOff" + } + } + } +} diff --git a/examples/declarative/declarations/configurations/safari.extensions.settings/example4.json b/examples/declarative/declarations/configurations/safari.extensions.settings/example4.json new file mode 100644 index 0000000..42c1dd5 --- /dev/null +++ b/examples/declarative/declarations/configurations/safari.extensions.settings/example4.json @@ -0,0 +1,14 @@ +{ + "Type": "com.apple.configuration.safari.extensions.settings", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "ManagedExtensions": { + "com.example.WebExtension (ABCDE12345)": { + "DeniedDomains": [ + "*example.org" + ] + } + } + } +} diff --git a/examples/declarative/declarations/configurations/safari.settings/example1.json b/examples/declarative/declarations/configurations/safari.settings/example1.json new file mode 100644 index 0000000..a7f099d --- /dev/null +++ b/examples/declarative/declarations/configurations/safari.settings/example1.json @@ -0,0 +1,11 @@ +{ + "Type": "com.apple.configuration.safari.settings", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "NewTabStartPage": { + "PageType": "Home", + "HomepageURL": "https://www.example.com" + } + } +} diff --git a/examples/declarative/declarations/configurations/safari.settings/example2.json b/examples/declarative/declarations/configurations/safari.settings/example2.json new file mode 100644 index 0000000..1d5957c --- /dev/null +++ b/examples/declarative/declarations/configurations/safari.settings/example2.json @@ -0,0 +1,14 @@ +{ + "Type": "com.apple.configuration.safari.settings", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "AcceptCookies": "Never", + "AllowDisablingFraudWarning": false, + "AllowHistoryClearing": false, + "AllowJavaScript": false, + "AllowPrivateBrowsing": false, + "AllowPopups": false, + "AllowSummary": false + } +} diff --git a/examples/declarative/declarations/configurations/safari.settings/example3.json b/examples/declarative/declarations/configurations/safari.settings/example3.json new file mode 100644 index 0000000..fc78261 --- /dev/null +++ b/examples/declarative/declarations/configurations/safari.settings/example3.json @@ -0,0 +1,15 @@ +{ + "Type": "com.apple.configuration.safari.settings", + "Identifier": "B5C63FC4-3D53-4705-AC70-9F03C178A7B4", + "ServerToken": "40E91AFE-464D-4DA1-842F-3838CEE7597C", + "Payload": { + "Privacy": { + "PermissionDefaults": { + "example.com": { + "OrganizationJustification": "The camera is required to scan your QR code for authentication.", + "Camera": "Allow" + } + } + } + } +} diff --git a/examples/declarative/declarations/configurations/safari.settings/example4.json b/examples/declarative/declarations/configurations/safari.settings/example4.json new file mode 100644 index 0000000..a6e093d --- /dev/null +++ b/examples/declarative/declarations/configurations/safari.settings/example4.json @@ -0,0 +1,16 @@ +{ + "Type": "com.apple.configuration.safari.settings", + "Identifier": "614B7CD6-2E0B-4BFE-812F-E4E6277C9624", + "ServerToken": "19B9F819-D65F-4805-9D12-CC264C19D191", + "Payload": { + "Privacy": { + "PermissionDefaults": { + "*example.com": { + "OrganizationJustification": "The camera and microphone are required for video conferencing.", + "Camera": "Allow", + "Microphone": "Allow" + } + } + } + } +} diff --git a/examples/declarative/declarations/configurations/screensharing.connection.group/example1.json b/examples/declarative/declarations/configurations/screensharing.connection.group/example1.json new file mode 100644 index 0000000..cf951d9 --- /dev/null +++ b/examples/declarative/declarations/configurations/screensharing.connection.group/example1.json @@ -0,0 +1,13 @@ +{ + "Type": "com.apple.configuration.screensharing.connection.group", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "ConnectionGroupUUID": "4BF32552-6F85-4F67-999B-7B2494C4DD99", + "GroupName": "Lab Devices", + "Members": [ + "7F8F28A5-C024-470B-8166-EC6669A12C3A", + "EDF04C7F-F9B0-4204-A5EE-34AE094CA7BB" + ] + } +} diff --git a/examples/declarative/declarations/configurations/screensharing.connection/example1.json b/examples/declarative/declarations/configurations/screensharing.connection/example1.json new file mode 100644 index 0000000..a17f931 --- /dev/null +++ b/examples/declarative/declarations/configurations/screensharing.connection/example1.json @@ -0,0 +1,13 @@ +{ + "Type": "com.apple.configuration.screensharing.connection", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "ConnectionUUID": "FA80E209-B31B-4862-B880-399F79E8FC35", + "HostName": "example.com", + "DisplayName": "Host1", + "DisplayConfiguration": { + "DisplayType": "Virtual1" + } + } +} diff --git a/examples/declarative/declarations/configurations/screensharing.host.settings/example1.json b/examples/declarative/declarations/configurations/screensharing.host.settings/example1.json new file mode 100644 index 0000000..68da8ac --- /dev/null +++ b/examples/declarative/declarations/configurations/screensharing.host.settings/example1.json @@ -0,0 +1,12 @@ +{ + "Type": "com.apple.configuration.screensharing.host.settings", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "MaximumVirtualDisplays": 1, + "PortBase": 1100, + "PreventCopyFilesFromHost": true, + "PreventCopyFilesToHost": true, + "PreventHighPerformanceConnections": true + } +} diff --git a/examples/declarative/declarations/configurations/security.certificate/example1.json b/examples/declarative/declarations/configurations/security.certificate/example1.json new file mode 100644 index 0000000..49346eb --- /dev/null +++ b/examples/declarative/declarations/configurations/security.certificate/example1.json @@ -0,0 +1,8 @@ +{ + "Type": "com.apple.configuration.security.certificate", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "CredentialAssetReference": "A762DE40-2C43-4FE2-BC2E-B6EB2B571CF6" + } +} diff --git a/examples/declarative/declarations/configurations/security.identity/example1.json b/examples/declarative/declarations/configurations/security.identity/example1.json new file mode 100644 index 0000000..cb92145 --- /dev/null +++ b/examples/declarative/declarations/configurations/security.identity/example1.json @@ -0,0 +1,8 @@ +{ + "Type": "com.apple.configuration.security.identity", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "CredentialAssetReference": "48FFFD93-AB1E-4726-979E-421FD3265AA8" + } +} diff --git a/examples/declarative/declarations/configurations/security.passkey.attestation/example1.json b/examples/declarative/declarations/configurations/security.passkey.attestation/example1.json new file mode 100644 index 0000000..44c4c4f --- /dev/null +++ b/examples/declarative/declarations/configurations/security.passkey.attestation/example1.json @@ -0,0 +1,11 @@ +{ + "Type": "com.apple.configuration.security.passkey.attestation", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "AttestationIdentityAssetReference": "AD0A8CB5-64EE-4CC9-8CB6-22DCBE6ED38A", + "RelyingParties": [ + "example.com" + ] + } +} diff --git a/examples/declarative/declarations/configurations/services.background-tasks/example1.json b/examples/declarative/declarations/configurations/services.background-tasks/example1.json new file mode 100644 index 0000000..b3179ce --- /dev/null +++ b/examples/declarative/declarations/configurations/services.background-tasks/example1.json @@ -0,0 +1,16 @@ +{ + "Type": "com.apple.configuration.services.background-tasks", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "TaskType": "com.example.bgtask", + "TaskDescription": "Test script", + "ExecutableAssetReference": "5840A1CB-A769-4C08-8968-13E8BA705B3E", + "LaunchdConfigurations": [ + { + "FileAssetReference": "F6A59159-FFA5-4DA9-B2E8-316AC4C99C78", + "Context": "daemon" + } + ] + } +} diff --git a/examples/declarative/declarations/configurations/services.configuration-files/example1.json b/examples/declarative/declarations/configurations/services.configuration-files/example1.json new file mode 100644 index 0000000..2d9a257 --- /dev/null +++ b/examples/declarative/declarations/configurations/services.configuration-files/example1.json @@ -0,0 +1,9 @@ +{ + "Type": "com.apple.configuration.services.configuration-files", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "ServiceType": "com.openssh.sshd", + "DataAssetReference": "168663D8-A06D-4C8A-93A4-AD225D85BF69" + } +} diff --git a/examples/declarative/declarations/configurations/siri.settings/example1.json b/examples/declarative/declarations/configurations/siri.settings/example1.json new file mode 100644 index 0000000..9b182ff --- /dev/null +++ b/examples/declarative/declarations/configurations/siri.settings/example1.json @@ -0,0 +1,11 @@ +{ + "Type": "com.apple.configuration.siri.settings", + "Identifier": "A1B2C3D4-E5F6-4A5B-9C8D-7E6F5A4B3C2D", + "ServerToken": "F1E2D3C4-B5A6-4D5E-8F9A-0B1C2D3E4F5A", + "Payload": { + "Enabled": false, + "AllowUserGeneratedContent": false, + "AllowWhileLocked": false, + "ForceProfanityFilter": true + } +} diff --git a/examples/declarative/declarations/configurations/softwareupdate.enforcement.specific/example1.json b/examples/declarative/declarations/configurations/softwareupdate.enforcement.specific/example1.json new file mode 100644 index 0000000..db5b2d8 --- /dev/null +++ b/examples/declarative/declarations/configurations/softwareupdate.enforcement.specific/example1.json @@ -0,0 +1,10 @@ +{ + "Type": "com.apple.configuration.softwareupdate.enforcement.specific", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "TargetOSVersion": "26.0", + "TargetBuildVersion": "23A309", + "TargetLocalDateTime": "2025-09-21T01:00:00" + } +} diff --git a/examples/declarative/declarations/configurations/softwareupdate.settings/example1.json b/examples/declarative/declarations/configurations/softwareupdate.settings/example1.json new file mode 100644 index 0000000..6483362 --- /dev/null +++ b/examples/declarative/declarations/configurations/softwareupdate.settings/example1.json @@ -0,0 +1,24 @@ +{ + "Type": "com.apple.configuration.softwareupdate.settings", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "Notifications": false, + "Deferrals": { + "MajorPeriodInDays": 30 + }, + "RecommendedCadence": "All", + "AutomaticActions": { + "Download": "AlwaysOn", + "InstallOSUpdates": "AlwaysOn", + "InstallSecurityUpdate": "AlwaysOn" + }, + "RapidSecurityResponse": { + "Enable": false + }, + "AllowStandardUserOSUpdates": false, + "Beta": { + "ProgramEnrollment": "AlwaysOn" + } + } +} diff --git a/examples/declarative/declarations/configurations/watch.enrollment/example1.json b/examples/declarative/declarations/configurations/watch.enrollment/example1.json new file mode 100644 index 0000000..092290c --- /dev/null +++ b/examples/declarative/declarations/configurations/watch.enrollment/example1.json @@ -0,0 +1,11 @@ +{ + "Type": "com.apple.configuration.watch.enrollment", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "EnrollmentProfileURL": "https://example.com/enroll/watch", + "AnchorCertificateAssetReferences": [ + "91D3512C-5E44-4C6F-97A5-59A8F731641D" + ] + } +} diff --git a/examples/declarative/declarations/management/organization-info/example1.json b/examples/declarative/declarations/management/organization-info/example1.json new file mode 100644 index 0000000..f9548d8 --- /dev/null +++ b/examples/declarative/declarations/management/organization-info/example1.json @@ -0,0 +1,10 @@ +{ + "Type": "com.apple.management.organization-info", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "Name": "Example, Inc.", + "Email": "admin@example.com", + "URL": "https://site.example.com/support" + } +} diff --git a/examples/declarative/declarations/management/properties/example1.json b/examples/declarative/declarations/management/properties/example1.json new file mode 100644 index 0000000..28e5e5d --- /dev/null +++ b/examples/declarative/declarations/management/properties/example1.json @@ -0,0 +1,14 @@ +{ + "Type": "com.apple.management.properties", + "Identifier": "187C9F47-297C-4811-80C4-2E19D3C11963", + "ServerToken": "526CE2FB-DB79-409A-825D-8C5DC5EE873E", + "Payload": { + "is-part-time": false, + "groups": [ + "teacher", + "grade 1", + "grade 2", + "it-admin" + ] + } +} diff --git a/examples/declarative/declarations/management/server-capabilities/example1.json b/examples/declarative/declarations/management/server-capabilities/example1.json new file mode 100644 index 0000000..4ee4f61 --- /dev/null +++ b/examples/declarative/declarations/management/server-capabilities/example1.json @@ -0,0 +1,13 @@ +{ + "Type": "com.apple.management.server-capabilities", + "Identifier": "EB13EE2B-5D63-4EBA-810F-5B81D07F5017", + "ServerToken": "E180CA9A-F089-4FA3-BBDF-94CC159C4AE8", + "Payload": { + "Version": "1.0.0", + "SupportedFeatures": { + "Example Feature": { + "parameter1": 1 + } + } + } +} diff --git a/examples/mdm/commands/account.configuration/example1.plist b/examples/mdm/commands/account.configuration/example1.plist new file mode 100644 index 0000000..f53e7c3 --- /dev/null +++ b/examples/mdm/commands/account.configuration/example1.plist @@ -0,0 +1,55 @@ + + + + + Command + + AutoSetupAdminAccounts + + + fullName + Administrator + hidden + + shortName + admin + passwordHash + + PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4K + PCFET0NUWVBFIHBsaXN0IFBVQkxJQyAiLS8vQXBwbGUvL0RURCBQ + TElTVCAxLjAvL0VOIiAiaHR0cDovL3d3dy5hcHBsZS5jb20vRFRE + cy9Qcm9wZXJ0eUxpc3QtMS4wLmR0ZCI+CjxwbGlzdCB2ZXJzaW9u + PSIxLjAiPgo8ZGljdD4KCTxrZXk+U0FMVEVELVNIQTUxMi1QQktE + RjI8L2tleT4KCTxkaWN0PgoJCTxrZXk+ZW50cm9weTwva2V5PgoJ + CTxkYXRhPgoJCXJiSXZtVGlQQlJ3cWZ6dmFQQnhPT1VLRHVnTnRM + YVVQZ2lIVnpBUWNsNDNjSmUzaGZ6ZW05TDVhczAyRQoJCXp2TEFl + aTJFT0tqMFNaOENpKzNXV0tQN2orMklSdWU0T1ZyTzBsYnhGOHR5 + K3pZb0hTMTVRU3hGcUplagoJCU5qdkk1NTk1N1JjZUVLaXFSRjZ1 + UEpQUTYvbUxEc0xnSTR4dko3NVpEa0JlYW51QkI0TT0KCQk8L2Rh + dGE+CgkJPGtleT5zYWx0PC9rZXk+CgkJPGRhdGE+CgkJTXVpS2g1 + MjR3QkJMV0ZoQ3lzRFIzRnJPOGM0WlFIUGZTRE5JbDZvQjlCST0K + CQk8L2RhdGE+CgkJPGtleT5pdGVyYXRpb25zPC9rZXk+CgkJPGlu + dGVnZXI+NDAwMDA8L2ludGVnZXI+Cgk8L2RpY3Q+CjwvZGljdD4K + PC9wbGlzdD4K + + + + DontAutoPopulatePrimaryAccountInfo + + LockPrimaryAccountInfo + + PrimaryAccountFullName + User + PrimaryAccountUserName + user + RequestType + AccountConfiguration + SetPrimarySetupAccountAsRegularUser + + SkipPrimarySetupAccountCreation + + + CommandUUID + 0001_AccountConfiguration + + diff --git a/examples/mdm/commands/account.configuration/example2.plist b/examples/mdm/commands/account.configuration/example2.plist new file mode 100644 index 0000000..2a26021 --- /dev/null +++ b/examples/mdm/commands/account.configuration/example2.plist @@ -0,0 +1,12 @@ + + + + + CommandUUID + 0001_AccountConfiguration + Status + Acknowledged + UDID + 91FE0F6E-F91C-589A-95E6-02835CE7126D + + \ No newline at end of file diff --git a/examples/mdm/commands/application.extensions.listactive/example1.plist b/examples/mdm/commands/application.extensions.listactive/example1.plist new file mode 100644 index 0000000..83840c9 --- /dev/null +++ b/examples/mdm/commands/application.extensions.listactive/example1.plist @@ -0,0 +1,17 @@ + + + + + Command + + FilterExtensionPoints + + com.apple.share-services + + RequestType + ActiveNSExtensions + + CommandUUID + 0001_ActiveNSExtensions + + \ No newline at end of file diff --git a/examples/mdm/commands/application.extensions.listactive/example2.plist b/examples/mdm/commands/application.extensions.listactive/example2.plist new file mode 100644 index 0000000..9dd0aa7 --- /dev/null +++ b/examples/mdm/commands/application.extensions.listactive/example2.plist @@ -0,0 +1,69 @@ + + + + + ActiveNSExtensions + + + ContainerDisplayName + Messages.app + ContainerIdentifier + com.apple.iChat + DisplayName + Messages + ExtensionPoint + com.apple.share-services + Identifier + com.apple.messages.ShareExtension + Path + /System/Applications/Messages.app/Contents/PlugIns/Messages Share Extension.appex + UserElection + Use + Version + 1.0 + + + DisplayName + Set Background Image + ExtensionPoint + com.apple.share-services + Identifier + com.apple.share.System.set-desktop-image + Path + /System/Library/PrivateFrameworks/ShareKit.framework/Versions/A/PlugIns/SystemSetDesktopImage.appex + UserElection + Use + Version + 639 + + + DisplayName + Add to Reading List + ExtensionPoint + com.apple.share-services + Identifier + com.apple.share.System.add-to-safari-reading-list + Path + /System/Library/PrivateFrameworks/ShareKit.framework/Versions/A/PlugIns/SystemAddToReadingList.appex + UserElection + Use + Version + 639 + + + CommandUUID + 0001_ActiveNSExtensions + NotOnConsole + + Status + Acknowledged + UDID + E84CD517-CB37-52F7-988C-DB5137B604B8 + UserID + 03EBB586-53E7-48CE-8E6E-C54A374F6FA6 + UserLongName + admin + UserShortName + admin + + \ No newline at end of file diff --git a/examples/mdm/commands/application.extensions.mappings/example1.plist b/examples/mdm/commands/application.extensions.mappings/example1.plist new file mode 100644 index 0000000..69b7a0d --- /dev/null +++ b/examples/mdm/commands/application.extensions.mappings/example1.plist @@ -0,0 +1,13 @@ + + + + + Command + + RequestType + NSExtensionMappings + + CommandUUID + 0001_NSExtensionMappings + + \ No newline at end of file diff --git a/examples/mdm/commands/application.extensions.mappings/example2.plist b/examples/mdm/commands/application.extensions.mappings/example2.plist new file mode 100644 index 0000000..cb035dd --- /dev/null +++ b/examples/mdm/commands/application.extensions.mappings/example2.plist @@ -0,0 +1,55 @@ + + + + + CommandUUID + 0001_NSExtensionMappings + NSExtensionMappings + + + DisplayName + Photos + ExtensionPoint + com.apple.storagemanagement + Identifier + com.apple.Photos.StorageManagementExtension + + + DisplayName + Messages + ExtensionPoint + com.apple.share-services + Identifier + com.apple.messages.ShareExtension + + + DisplayName + iCloud Drive + ExtensionPoint + com.apple.fileprovider-nonui + Identifier + com.apple.CloudDocs.MobileDocumentsFileProvider + + + DisplayName + Notes Spotlight Index Extension + ExtensionPoint + com.apple.spotlight.index + Identifier + com.apple.Notes.SpotlightIndexExtension + + + NotOnConsole + + Status + Acknowledged + UDID + E84CD517-CB37-52F7-988C-DB5137B604B8 + UserID + 03EBB586-53E7-48CE-8E6E-C54A374F6FA6 + UserLongName + admin + UserShortName + admin + + \ No newline at end of file diff --git a/examples/mdm/commands/application.install.enterprise/example1.plist b/examples/mdm/commands/application.install.enterprise/example1.plist new file mode 100644 index 0000000..1ed3295 --- /dev/null +++ b/examples/mdm/commands/application.install.enterprise/example1.plist @@ -0,0 +1,17 @@ + + + + + Command + + ManifestURL + https://yourmdmhost.example.com/files/myenterpriseapp.plist + PinningRevocationCheckRequired + + RequestType + InstallEnterpriseApplication + + CommandUUID + 0001_InstallEnterpriseApplication + + \ No newline at end of file diff --git a/examples/mdm/commands/application.install.enterprise/example2.plist b/examples/mdm/commands/application.install.enterprise/example2.plist new file mode 100644 index 0000000..f21ee25 --- /dev/null +++ b/examples/mdm/commands/application.install.enterprise/example2.plist @@ -0,0 +1,14 @@ + + + + + CommandUUID + 0001_InstallEnterpriseApplication + Queued + + Status + Acknowledged + UDID + E84CD517-CB37-52F7-988C-DB5137B604B8 + + \ No newline at end of file diff --git a/examples/mdm/commands/application.install/example1.plist b/examples/mdm/commands/application.install/example1.plist new file mode 100644 index 0000000..f840560 --- /dev/null +++ b/examples/mdm/commands/application.install/example1.plist @@ -0,0 +1,17 @@ + + + + + Command + + ManagementFlags + 0 + ManifestURL + https://yourmdmhost.example.com/files/myenterpriseapp.plist + RequestType + InstallApplication + + CommandUUID + 0001_InstallApplication + + \ No newline at end of file diff --git a/examples/mdm/commands/application.install/example2.plist b/examples/mdm/commands/application.install/example2.plist new file mode 100644 index 0000000..8627c01 --- /dev/null +++ b/examples/mdm/commands/application.install/example2.plist @@ -0,0 +1,16 @@ + + + + + CommandUUID + 0001_InstallApplication + Identifier + com.acme.myenterpriseapp + State + Installing + Status + Acknowledged + UDID + 00008020-000915083C80012E + + \ No newline at end of file diff --git a/examples/mdm/commands/application.install/example3.plist b/examples/mdm/commands/application.install/example3.plist new file mode 100644 index 0000000..09dba55 --- /dev/null +++ b/examples/mdm/commands/application.install/example3.plist @@ -0,0 +1,22 @@ + + + + + Command + + ManagementFlags + 0 + Options + + PurchaseMethod + 1 + + RequestType + InstallApplication + iTunesStoreID + 1096834193 + + CommandUUID + 0001_InstallApplication + + \ No newline at end of file diff --git a/examples/mdm/commands/application.install/example4.plist b/examples/mdm/commands/application.install/example4.plist new file mode 100644 index 0000000..8a7fa7d --- /dev/null +++ b/examples/mdm/commands/application.install/example4.plist @@ -0,0 +1,16 @@ + + + + + CommandUUID + 0001_InstallApplication + Identifier + com.apple.TVRemote + State + Installing + Status + Acknowledged + UDID + 00008020-000915083C80012E + + \ No newline at end of file diff --git a/examples/mdm/commands/application.installed.list/example1.plist b/examples/mdm/commands/application.installed.list/example1.plist new file mode 100644 index 0000000..7d727d0 --- /dev/null +++ b/examples/mdm/commands/application.installed.list/example1.plist @@ -0,0 +1,15 @@ + + + + + Command + + ManagedAppsOnly + + RequestType + InstalledApplicationList + + CommandUUID + 0001_InstalledApplicationList + + \ No newline at end of file diff --git a/examples/mdm/commands/application.installed.list/example2.plist b/examples/mdm/commands/application.installed.list/example2.plist new file mode 100644 index 0000000..5633135 --- /dev/null +++ b/examples/mdm/commands/application.installed.list/example2.plist @@ -0,0 +1,43 @@ + + + + + CommandUUID + 0001_InstalledApplicationList + InstalledApplicationList + + + AdHocCodeSigned + + AppStoreVendable + + BetaApp + + BundleSize + 1036288 + DeviceBasedVPP + + DynamicSize + 8192 + ExternalVersionIdentifier + 0 + Identifier + com.acme.myenterpriseapp + Installing + + IsValidated + + Name + MyEnterpriseApp + ShortVersion + 1.0 + Version + 1.0 + + + Status + Acknowledged + UDID + 00008020-000915083C80012E + + \ No newline at end of file diff --git a/examples/mdm/commands/application.installed.list/example3.plist b/examples/mdm/commands/application.installed.list/example3.plist new file mode 100644 index 0000000..abb605f --- /dev/null +++ b/examples/mdm/commands/application.installed.list/example3.plist @@ -0,0 +1,15 @@ + + + + + Command + + ManagedAppsOnly + + RequestType + InstalledApplicationList + + CommandUUID + 0001_InstalledApplicationList + + \ No newline at end of file diff --git a/examples/mdm/commands/application.installed.list/example4.plist b/examples/mdm/commands/application.installed.list/example4.plist new file mode 100644 index 0000000..937dea1 --- /dev/null +++ b/examples/mdm/commands/application.installed.list/example4.plist @@ -0,0 +1,85 @@ + + + + + CommandUUID + 0001_InstalledApplicationList + InstalledApplicationList + + + BundleSize + 1 + Identifier + com.apple.Safari + Installing + + Name + Safari + ShortVersion + 13.1.2 + Version + 13.1.2 + + + BundleSize + 1 + Identifier + com.apple.Notes + Installing + + Name + Notes + ShortVersion + 4.7 + Version + 4.7 + + + BundleSize + 1 + Identifier + com.apple.AddressBook + Installing + + Name + Contacts + ShortVersion + 12.0 + Version + 12.0 + + + BundleSize + 1 + Identifier + com.apple.mail + Installing + + Name + Mail + ShortVersion + 13.4 + Version + 13.4 + + + BundleSize + 1 + Identifier + com.apple.iCal + Installing + + Name + Calendar + ShortVersion + 11.0 + Version + 11.0 + + + Status + Acknowledged + UDID + 91FE0F6E-F91C-589A-95E6-02835CE7126D + + \ No newline at end of file diff --git a/examples/mdm/commands/application.invitetoprogram/example1.plist b/examples/mdm/commands/application.invitetoprogram/example1.plist new file mode 100644 index 0000000..dd96feb --- /dev/null +++ b/examples/mdm/commands/application.invitetoprogram/example1.plist @@ -0,0 +1,17 @@ + + + + + Command + + InvitationURL + https://invite.example.com/invitation?id=39E92FBA-C853-4973-9922-17AF04DDDB3C + ProgramID + com.apple.cloudvpp + RequestType + InviteToProgram + + CommandUUID + 0001_InviteToProgram + + diff --git a/examples/mdm/commands/application.invitetoprogram/example2.plist b/examples/mdm/commands/application.invitetoprogram/example2.plist new file mode 100644 index 0000000..cdebcdf --- /dev/null +++ b/examples/mdm/commands/application.invitetoprogram/example2.plist @@ -0,0 +1,14 @@ + + + + + CommandUUID + 0001_InviteToProgram + InvitationResult + Acknowledged + Status + Acknowledged + UDID + 00008020-000915083C80012E + + \ No newline at end of file diff --git a/examples/mdm/commands/application.managed.list/example1.plist b/examples/mdm/commands/application.managed.list/example1.plist new file mode 100644 index 0000000..1b4ff69 --- /dev/null +++ b/examples/mdm/commands/application.managed.list/example1.plist @@ -0,0 +1,13 @@ + + + + + Command + + RequestType + ManagedApplicationList + + CommandUUID + 0001_ManagedApplicationList + + \ No newline at end of file diff --git a/examples/mdm/commands/application.managed.list/example2.plist b/examples/mdm/commands/application.managed.list/example2.plist new file mode 100644 index 0000000..a4e1398 --- /dev/null +++ b/examples/mdm/commands/application.managed.list/example2.plist @@ -0,0 +1,30 @@ + + + + + CommandUUID + 0080_ManagedApplicationList + ManagedApplicationList + + com.acme.myenterpriseapp + + ExternalVersionIdentifier + 0 + HasConfiguration + + HasFeedback + + IsValidated + + ManagementFlags + 0 + Status + Managed + + + Status + Acknowledged + UDID + 00008020-000915083C80012E + + \ No newline at end of file diff --git a/examples/mdm/commands/application.redemptioncode/example1.plist b/examples/mdm/commands/application.redemptioncode/example1.plist new file mode 100644 index 0000000..d3ed74a --- /dev/null +++ b/examples/mdm/commands/application.redemptioncode/example1.plist @@ -0,0 +1,17 @@ + + + + + Command + + Identifier + com.example.app + RedemptionCode + SB56LT7YX8RH + RequestType + ApplyRedemptionCode + + CommandUUID + 0001_ApplyRedemptionCode + + \ No newline at end of file diff --git a/examples/mdm/commands/application.redemptioncode/example2.plist b/examples/mdm/commands/application.redemptioncode/example2.plist new file mode 100644 index 0000000..2abc958 --- /dev/null +++ b/examples/mdm/commands/application.redemptioncode/example2.plist @@ -0,0 +1,12 @@ + + + + + CommandUUID + 0001_ApplyRedemptionCode + Status + Acknowledged + UDID + 00008020-001305842600013A + + \ No newline at end of file diff --git a/examples/mdm/commands/application.remove/example1.plist b/examples/mdm/commands/application.remove/example1.plist new file mode 100644 index 0000000..c830041 --- /dev/null +++ b/examples/mdm/commands/application.remove/example1.plist @@ -0,0 +1,15 @@ + + + + + Command + + Identifier + com.acme.myenterpriseapp + RequestType + RemoveApplication + + CommandUUID + 0001_RemoveApplication + + \ No newline at end of file diff --git a/examples/mdm/commands/application.remove/example2.plist b/examples/mdm/commands/application.remove/example2.plist new file mode 100644 index 0000000..f8d4c42 --- /dev/null +++ b/examples/mdm/commands/application.remove/example2.plist @@ -0,0 +1,12 @@ + + + + + CommandUUID + 0001_RemoveApplication + Status + Acknowledged + UDID + 00008020-000915083C80012E + + \ No newline at end of file diff --git a/examples/mdm/commands/application.validate/example1.plist b/examples/mdm/commands/application.validate/example1.plist new file mode 100644 index 0000000..f2cc826 --- /dev/null +++ b/examples/mdm/commands/application.validate/example1.plist @@ -0,0 +1,13 @@ + + + + + Command + + RequestType + ValidateApplications + + CommandUUID + 0001_ValidateApplications + + \ No newline at end of file diff --git a/examples/mdm/commands/application.validate/example2.plist b/examples/mdm/commands/application.validate/example2.plist new file mode 100644 index 0000000..6b8c93d --- /dev/null +++ b/examples/mdm/commands/application.validate/example2.plist @@ -0,0 +1,12 @@ + + + + + CommandUUID + 0001_ValidateApplications + Status + Acknowledged + UDID + 00008020-000915083C80012E + + \ No newline at end of file diff --git a/examples/mdm/commands/certificate.list/example1.plist b/examples/mdm/commands/certificate.list/example1.plist new file mode 100644 index 0000000..6a87884 --- /dev/null +++ b/examples/mdm/commands/certificate.list/example1.plist @@ -0,0 +1,15 @@ + + + + + Command + + ManagedOnly + + RequestType + CertificateList + + CommandUUID + 0001_CertificateList + + \ No newline at end of file diff --git a/examples/mdm/commands/certificate.list/example2.plist b/examples/mdm/commands/certificate.list/example2.plist new file mode 100644 index 0000000..c2c0b9f --- /dev/null +++ b/examples/mdm/commands/certificate.list/example2.plist @@ -0,0 +1,98 @@ + + + + + CertificateList + + + CommonName + Example Root Cert + Data + + MIIFeDCCA2ACCQC1lXUyZrOlDjANBgkqhkiG9w0BAQsFADB+MQsw + CQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UE + BwwJQ3VwZXJ0aW5vMRMwEQYDVQQKDApBcHBsZSBJbmMuMRowGAYD + VQQLDBFEZXZpY2UgTWFuYWdlbWVudDEVMBMGA1UEAwwMTUMgUm9v + dCBDZXJ0MB4XDTE5MDUwMTA3MTQzMVoXDTI5MDQyODA3MTQzMVow + fjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEjAQ + BgNVBAcMCUN1cGVydGlubzETMBEGA1UECgwKQXBwbGUgSW5jLjEa + MBgGA1UECwwRRGV2aWNlIE1hbmFnZW1lbnQxFTATBgNVBAMMDE1D + IFJvb3QgQ2VydDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC + ggIBAJYUAHIa+Dr5CBsxD962SE75XntS3fLF2DbHtqScpuzlEXDx + /2isUXuJVHXvSdZLwbjEDRJ11yZSoK1S12U8UTKUl+bGQ/Gn71VB + gnV6aqbdVW4E8lImMk7jZDMH1mxkw19fGtDDhEN105Gx7+dUnJs1 + 7s4p+jbHQ8po3Hck4nUz82U6JRbWuNRdSq5b/h3SW9A3iZ1tODyM + lLN+VrhtDbLaE/TFY5xZ/v4bRfvEFJ6/UT6lg7EZ+r0XvycWKo2v + T/fOuEGmNBs1rbcOgwiBVDR7WDnOotTVDm1LrtVEamVYcPwqJ9nc + MaJMxcMI4vCk4xxPp7/cxBspd0+gbGYXIYdbr9bS6CTa0y3Nb1x+ + vrY7TSXPGHTMC0/apPCmBF0rDWs6mYs+E+4PhCKh52xTQ8zyZ5Q6 + Nr9XjQRJj9vbJkjL1656rpTPEWmBS2qCVjMLilP80a505dwI1c6p + kSkP730kHhLmCTxfBpoRbwZy1kBMj3laZA9cmTRQbOZP2F35Unvl + 5/1n4nVwCxGS3se55lnw8wK5/FkAazmKWCw0NvcEG9OAmAB+5jZU + WMewhzqrMgLP1PnmjGKpzctto/NlPdOuAXggP4f9OiY26UxSGqny + GhWjiHm6Hyy/1cn5tXeSLqVHK6hirH6MhzK8+DyFH67Dwvb2NtJR + HZuHSoAWTpKfAgMBAAEwDQYJKoZIhvcNAQELBQADggIBAGUixT10 + inJqUjoCmMjG6Rp/XFEHg6hBiz8U/yRVPHo0oQ4TDvr0X0E9y7/+ + waw9rZHE7jwUNzwmYvEyl036BpT2UVAioX0206jreWJOgMV1lYAU + hXe65zivjOVDOkTQWiFJozcmv0uvZnk+EixxPrPBX98NXQ4AyUky + KngY5GJyOmnb+vgRQB3nrMzImr2zLMbZvomCOZDWAJdawRSYMpE8 + fkyPfv7C5V9wKVYqTRMwQDnMX/X9yATMutAet15w7kZ7rXzw8dLc + dPp2PRBBHzmdYawzflWVOgA+7GI70Vgm4DzRLBVbciG2eMfTKXzf + Wxg+lxPilZs/6Of5hocuTVyXDxrgE0D6KlUR+i47z/d4Sik+IWIF + LwcmW8HEzQ2W9SjApH4ShhD+0sQt6o6L604r0jO1mHXnHqJcFFeZ + b9N72k0IMe2o0Z+iwubbXjfPg9LWQ3jeI9ROfBsZP5fA52LbFPyR + bJLN89xrnCxKvO5lPzvXzpaykECVDmNkIY2TNXn2RufAWCazEUiK + wiOCRKf2RLpOfTonHaWHf/A70jY2WoRFCyZWPgCu6Amd0SM+zvrm + MB/R/6BaT/X1crAPGP+6EsSFxpdDrjeGKaiX3ytReAJqE0APakx8 + CWGhZ2EU9Igcyh516lf89yTq0DliBR3CYRenl0ba1+z3RzVVaEh/ + + IsIdentity + + + + CommonName + Device Certificate + Data + + MIIEQjCCAiqgAwIBAgICAaIwDQYJKoZIhvcNAQELBQAwfjELMAkG + A1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEjAQBgNVBAcM + CUN1cGVydGlubzETMBEGA1UECgwKQXBwbGUgSW5jLjEaMBgGA1UE + CwwRRGV2aWNlIE1hbmFnZW1lbnQxFTATBgNVBAMMDE1DIFJvb3Qg + Q2VydDAiGA8yMDE5MDkvNDA0MDgyN1oYDzIwMTkxMDA0MDQwODI3 + WjAyMRMwEQYDVQQKEwpBY21lLCBJbmMuMRswGQYDVQQDExJEZXZp + Y2UgQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw + ggEKAoIBAQDHZSEI6rkl/ELttn5zIb+0R5N7sXKgXwrQhWRNIMys + xjql8LEDnPbIJnx0K2VrxjPrdAbHnirtwp9MmO//TUCtiHcIDtQT + K5YE6HZHjEeQDuqRhcTtSfCG6dhpdrO284XD57L3j8aHY65d+vi4 + RUnxS7SrOHUj4/C4XIpy+upEmvMuGyHJxzJJceRa+rhYqYoi3qkG + 4cWfPZ5zHV4kQF4DVZsIWFXry0IhnHjFTMMrmIUctK/zAd4ldVwl + f9Tt2y0g5F5nDatrVLKXce3avx21oVMh53Z7OlqQI7e2QhwmnMBP + rsIgO4RPpxcAw2JnZqWj9yE6y2zS6Eho1zYDldWxAgMBAAGjEjAQ + MA4GA1UdDwEB/wQEAwIFoDANBgkqhkiG9w0BAQsFAAOCAgEAauHB + JMkRqyVpKMOmc1dH3iA69AHbGGJlTht0gAZk9SksIbOQ1E2pIBBd + P8jBk+DMXTwXTcSpzHVw9cQroKj6U69U8w21y0d1S6Paw3xHp3HP + bd/zjU+jBO2QbPmS3yorYPeHWAmU/JQ1WsawjKCVAaLjckK3fjqM + fbdzq7oxON9wajsvx6aV+SGUfchvXYOV1aBLtMyDMeb397cRvHcD + AxWJF55f3vCfwtNJ2ByaC9UhSDpaLOWVea87zP6WZBQ8B2jsdu8y + sTSJdgAOjLYD0YD6DXBhxGixCGdaZpUPGsIQ8I1BNPmImKdnvxv2 + TaU1v6TqwOocbhngLszf3ZPXHAk/PGoLJGyHgov7qfoCkJFYLiEl + CJNQzBDER60Pm8RukbKBbZ0oGW6+BiRK32x41ICWXZ3QcEo/eRu4 + QRQB5h65k/xVyez2Fwj8kDut/F7W0OBnNHuMnH/UEftbO2OxbVY6 + psF7eZO+4XyTH3TaYkUeZDDgU6rvPmvcyzk4MDP0LnN8vcwex+N2 + G6hyZDLsyW351R3dBmCkm2kLjwNAzJqf3JKOk2f7N7HTvUby7X0j + JpOvmy4h56wW1vIYpt8LE/SBp7wldsLxiYsLBsbtBSh7w/7eAIU8 + lHsQh3MCk4mBRrrtedXGdwcmceXtXBJvvmogX8z+n3I4ItuE6IcU + 2sE= + + IsIdentity + + + + CommandUUID + 0001-CertificateList + Status + Acknowledged + UDID + 00008020-000915083C80012E + + \ No newline at end of file diff --git a/examples/mdm/commands/classroom.mirroring.request/example1.plist b/examples/mdm/commands/classroom.mirroring.request/example1.plist new file mode 100644 index 0000000..f4e9d31 --- /dev/null +++ b/examples/mdm/commands/classroom.mirroring.request/example1.plist @@ -0,0 +1,19 @@ + + + + + Command + + DestinationName + Apple TV + Password + password + RequestType + RequestMirroring + ScanTime + 30 + + CommandUUID + 0001_RequestMirroring + + \ No newline at end of file diff --git a/examples/mdm/commands/classroom.mirroring.request/example2.plist b/examples/mdm/commands/classroom.mirroring.request/example2.plist new file mode 100644 index 0000000..0f0c505 --- /dev/null +++ b/examples/mdm/commands/classroom.mirroring.request/example2.plist @@ -0,0 +1,14 @@ + + + + + CommandUUID + 0001_RequestMirroring + MirroringResult + Unknown + Status + Acknowledged + UDID + 00008020-000915083C80012E + + \ No newline at end of file diff --git a/examples/mdm/commands/classroom.mirroring.stop/example1.plist b/examples/mdm/commands/classroom.mirroring.stop/example1.plist new file mode 100644 index 0000000..4ad24b5 --- /dev/null +++ b/examples/mdm/commands/classroom.mirroring.stop/example1.plist @@ -0,0 +1,13 @@ + + + + + Command + + RequestType + StopMirroring + + CommandUUID + 0001_StopMirroring + + \ No newline at end of file diff --git a/examples/mdm/commands/classroom.mirroring.stop/example2.plist b/examples/mdm/commands/classroom.mirroring.stop/example2.plist new file mode 100644 index 0000000..108da86 --- /dev/null +++ b/examples/mdm/commands/classroom.mirroring.stop/example2.plist @@ -0,0 +1,12 @@ + + + + + CommandUUID + 0001_StopMirroring + Status + Acknowledged + UDID + 00008020-000915083C80012E + + \ No newline at end of file diff --git a/examples/mdm/commands/classroom.user.delete/example1.plist b/examples/mdm/commands/classroom.user.delete/example1.plist new file mode 100644 index 0000000..64d0d70 --- /dev/null +++ b/examples/mdm/commands/classroom.user.delete/example1.plist @@ -0,0 +1,17 @@ + + + + + Command + + ForceDeletion + + RequestType + DeleteUser + UserName + example@acme.com + + CommandUUID + 0001_DeleteUser + + \ No newline at end of file diff --git a/examples/mdm/commands/classroom.user.delete/example2.plist b/examples/mdm/commands/classroom.user.delete/example2.plist new file mode 100644 index 0000000..78d4769 --- /dev/null +++ b/examples/mdm/commands/classroom.user.delete/example2.plist @@ -0,0 +1,12 @@ + + + + + CommandUUID + 0001_DeleteUser + Status + Acknowledged + UDID + cf98820bd143abe0bbf151bed8e8e427594d2f88 + + \ No newline at end of file diff --git a/examples/mdm/commands/classroom.user.list/example1.plist b/examples/mdm/commands/classroom.user.list/example1.plist new file mode 100644 index 0000000..c94b7b3 --- /dev/null +++ b/examples/mdm/commands/classroom.user.list/example1.plist @@ -0,0 +1,13 @@ + + + + + Command + + RequestType + UserList + + CommandUUID + 0001_UserList + + \ No newline at end of file diff --git a/examples/mdm/commands/classroom.user.list/example2.plist b/examples/mdm/commands/classroom.user.list/example2.plist new file mode 100644 index 0000000..ffc0843 --- /dev/null +++ b/examples/mdm/commands/classroom.user.list/example2.plist @@ -0,0 +1,27 @@ + + + + + CommandUUID + 0001_UserList + Status + Acknowledged + UDID + cf98820bd143abe0bbf151bed8e8e427594d2f88 + Users + + + DataQuota + 10171187200 + DataUsed + 145625088 + HasDataToSync + + IsLoggedIn + + UserName + example@acme.com + + + + \ No newline at end of file diff --git a/examples/mdm/commands/classroom.user.logout/example1.plist b/examples/mdm/commands/classroom.user.logout/example1.plist new file mode 100644 index 0000000..ee85170 --- /dev/null +++ b/examples/mdm/commands/classroom.user.logout/example1.plist @@ -0,0 +1,13 @@ + + + + + Command + + RequestType + LogOutUser + + CommandUUID + 0001_LogOutUser + + \ No newline at end of file diff --git a/examples/mdm/commands/classroom.user.logout/example2.plist b/examples/mdm/commands/classroom.user.logout/example2.plist new file mode 100644 index 0000000..5ba06bd --- /dev/null +++ b/examples/mdm/commands/classroom.user.logout/example2.plist @@ -0,0 +1,12 @@ + + + + + CommandUUID + 0001_LogOutUser + Status + Acknowledged + UDID + cf98820bd143abe0bbf151bed8e8e427594d2f88 + + \ No newline at end of file diff --git a/examples/mdm/commands/classroom.user.unlock/example1.plist b/examples/mdm/commands/classroom.user.unlock/example1.plist new file mode 100644 index 0000000..cf2398f --- /dev/null +++ b/examples/mdm/commands/classroom.user.unlock/example1.plist @@ -0,0 +1,15 @@ + + + + + Command + + RequestType + UnlockUserAccount + UserName + graham + + CommandUUID + 0001_UnlockUserAccount + + \ No newline at end of file diff --git a/examples/mdm/commands/classroom.user.unlock/example2.plist b/examples/mdm/commands/classroom.user.unlock/example2.plist new file mode 100644 index 0000000..e92c242 --- /dev/null +++ b/examples/mdm/commands/classroom.user.unlock/example2.plist @@ -0,0 +1,12 @@ + + + + + CommandUUID + 0001_UnlockUserAccount + Status + Acknowledged + UDID + 91FE0F6E-F91C-589A-95E6-02835CE7126D + + \ No newline at end of file diff --git a/examples/mdm/commands/declarativemanagement/example1.plist b/examples/mdm/commands/declarativemanagement/example1.plist new file mode 100644 index 0000000..a77b66a --- /dev/null +++ b/examples/mdm/commands/declarativemanagement/example1.plist @@ -0,0 +1,23 @@ + + + + + Command + + CommandUUID + 0001_DeclarativeManagement + Command + + RequestType + DeclarativeManagement + Data + + eyJTeW5jVG9rZW5zIjogeyJUaW1lc3RhbXAiOiAiMjAyMS0wNi0wMlQwMToy + ODowMFoiLCAiRGVjbGFyYXRpb25zVG9rZW4iOiAiYjY1NDQwMjdhMzE1Y2Qw + MDg1ZDRjZjA4MTc0NjI0YzJkMTQyNDQ0ODA0MzBhODdiMTc2YTI3MjdlNzM2 + NjEzOCJ9fQ== + + + + + \ No newline at end of file diff --git a/examples/mdm/commands/declarativemanagement/example2.plist b/examples/mdm/commands/declarativemanagement/example2.plist new file mode 100644 index 0000000..ea2e43d --- /dev/null +++ b/examples/mdm/commands/declarativemanagement/example2.plist @@ -0,0 +1,12 @@ + + + + + CommandUUID + 0001_DeclarativeManagement + EnrollmentID + 8DB29EAB-A5BB-4B60-8DDA-F75517766FAC + Status + Acknowledged + + \ No newline at end of file diff --git a/examples/mdm/commands/device.activationlock.bypasscode/example1.plist b/examples/mdm/commands/device.activationlock.bypasscode/example1.plist new file mode 100644 index 0000000..bc4aec0 --- /dev/null +++ b/examples/mdm/commands/device.activationlock.bypasscode/example1.plist @@ -0,0 +1,13 @@ + + + + + Command + + RequestType + ActivationLockBypassCode + + CommandUUID + 0001_ActivationLockBypassCode + + \ No newline at end of file diff --git a/examples/mdm/commands/device.activationlock.bypasscode/example2.plist b/examples/mdm/commands/device.activationlock.bypasscode/example2.plist new file mode 100644 index 0000000..4fc2fe4 --- /dev/null +++ b/examples/mdm/commands/device.activationlock.bypasscode/example2.plist @@ -0,0 +1,14 @@ + + + + + ActivationLockBypassCode + A8QK7-GFG21-6RHT-V0U9-756P-L7E3 + CommandUUID + 0001_ActivationLockBypassCode + Status + Acknowledged + UDID + 00008020-000915083C80012E + + \ No newline at end of file diff --git a/examples/mdm/commands/device.activationlock.clearbypasscode/example1.plist b/examples/mdm/commands/device.activationlock.clearbypasscode/example1.plist new file mode 100644 index 0000000..02f88b8 --- /dev/null +++ b/examples/mdm/commands/device.activationlock.clearbypasscode/example1.plist @@ -0,0 +1,13 @@ + + + + + Command + + RequestType + ClearActivationLockBypassCode + + CommandUUID + 0001_ClearActivationLockBypassCode + + \ No newline at end of file diff --git a/examples/mdm/commands/device.activationlock.clearbypasscode/example2.plist b/examples/mdm/commands/device.activationlock.clearbypasscode/example2.plist new file mode 100644 index 0000000..e1d10e6 --- /dev/null +++ b/examples/mdm/commands/device.activationlock.clearbypasscode/example2.plist @@ -0,0 +1,12 @@ + + + + + CommandUUID + 0001_ClearActivationLockBypassCode + Status + Acknowledged + UDID + 00008020-000915083C80012E + + \ No newline at end of file diff --git a/examples/mdm/commands/device.configured/example1.plist b/examples/mdm/commands/device.configured/example1.plist new file mode 100644 index 0000000..732f95f --- /dev/null +++ b/examples/mdm/commands/device.configured/example1.plist @@ -0,0 +1,13 @@ + + + + + Command + + RequestType + DeviceConfigured + + CommandUUID + 0001_DeviceConfigured + + \ No newline at end of file diff --git a/examples/mdm/commands/device.configured/example2.plist b/examples/mdm/commands/device.configured/example2.plist new file mode 100644 index 0000000..dfa4238 --- /dev/null +++ b/examples/mdm/commands/device.configured/example2.plist @@ -0,0 +1,12 @@ + + + + + CommandUUID + 0001_DeviceConfigured + Status + Acknowledged + UDID + 00008020-000915083C80012E + + \ No newline at end of file diff --git a/examples/mdm/commands/device.erase/example1.plist b/examples/mdm/commands/device.erase/example1.plist new file mode 100644 index 0000000..79c63b2 --- /dev/null +++ b/examples/mdm/commands/device.erase/example1.plist @@ -0,0 +1,17 @@ + + + + + Command + + DisallowProximitySetup + + PreserveDataPlan + + RequestType + EraseDevice + + CommandUUID + 0001_EraseDevice + + \ No newline at end of file diff --git a/examples/mdm/commands/device.erase/example2.plist b/examples/mdm/commands/device.erase/example2.plist new file mode 100644 index 0000000..df4fa80 --- /dev/null +++ b/examples/mdm/commands/device.erase/example2.plist @@ -0,0 +1,12 @@ + + + + + CommandUUID + 0001_EraseDevice + Status + Acknowledged + UDID + 00008020-000915083C80012E + + \ No newline at end of file diff --git a/examples/mdm/commands/device.esim/example1.plist b/examples/mdm/commands/device.esim/example1.plist new file mode 100644 index 0000000..19999c5 --- /dev/null +++ b/examples/mdm/commands/device.esim/example1.plist @@ -0,0 +1,15 @@ + + + + + Command + + RequestType + RefreshCellularPlans + eSIMServerURL + http://server.example.com + + CommandUUID + 0001_RefreshCellularPlans + + \ No newline at end of file diff --git a/examples/mdm/commands/device.esim/example2.plist b/examples/mdm/commands/device.esim/example2.plist new file mode 100644 index 0000000..430c08e --- /dev/null +++ b/examples/mdm/commands/device.esim/example2.plist @@ -0,0 +1,12 @@ + + + + + CommandUUID + 0001_RefreshCellularPlans + Status + Acknowledged + UDID + 00008020-000915083C80012E + + \ No newline at end of file diff --git a/examples/mdm/commands/device.lock/example1.plist b/examples/mdm/commands/device.lock/example1.plist new file mode 100644 index 0000000..a6b9404 --- /dev/null +++ b/examples/mdm/commands/device.lock/example1.plist @@ -0,0 +1,17 @@ + + + + + Command + + Message + Lock Message + PhoneNumber + 408-555-5555 + RequestType + DeviceLock + + CommandUUID + 0001_DeviceLock + + \ No newline at end of file diff --git a/examples/mdm/commands/device.lock/example2.plist b/examples/mdm/commands/device.lock/example2.plist new file mode 100644 index 0000000..22f97c2 --- /dev/null +++ b/examples/mdm/commands/device.lock/example2.plist @@ -0,0 +1,14 @@ + + + + + CommandUUID + 0001_DeviceLock + MessageResult + Success + Status + Acknowledged + UDID + 00008020-000915083C80012E + + \ No newline at end of file diff --git a/examples/mdm/commands/device.lostmode.disable/example1.plist b/examples/mdm/commands/device.lostmode.disable/example1.plist new file mode 100644 index 0000000..8dbc1e7 --- /dev/null +++ b/examples/mdm/commands/device.lostmode.disable/example1.plist @@ -0,0 +1,13 @@ + + + + + Command + + RequestType + DisableLostMode + + CommandUUID + 0001_DisableLostMode + + \ No newline at end of file diff --git a/examples/mdm/commands/device.lostmode.disable/example2.plist b/examples/mdm/commands/device.lostmode.disable/example2.plist new file mode 100644 index 0000000..bd9fd0f --- /dev/null +++ b/examples/mdm/commands/device.lostmode.disable/example2.plist @@ -0,0 +1,12 @@ + + + + + CommandUUID + 0001_DisableLostMode + Status + Acknowledged + UDID + 00008020-000915083C80012E + + \ No newline at end of file diff --git a/examples/mdm/commands/device.lostmode.enable/example1.plist b/examples/mdm/commands/device.lostmode.enable/example1.plist new file mode 100644 index 0000000..73ab4c0 --- /dev/null +++ b/examples/mdm/commands/device.lostmode.enable/example1.plist @@ -0,0 +1,19 @@ + + + + + Command + + Footnote + Return to Acme, Inc. + Message + Lock Message + PhoneNumber + 408-555-555 + RequestType + EnableLostMode + + CommandUUID + 0001_EnableLostMode + + \ No newline at end of file diff --git a/examples/mdm/commands/device.lostmode.enable/example2.plist b/examples/mdm/commands/device.lostmode.enable/example2.plist new file mode 100644 index 0000000..24baa36 --- /dev/null +++ b/examples/mdm/commands/device.lostmode.enable/example2.plist @@ -0,0 +1,12 @@ + + + + + CommandUUID + 0001_EnableLostMode + Status + Acknowledged + UDID + 00008020-000915083C80012E + + \ No newline at end of file diff --git a/examples/mdm/commands/device.lostmode.location/example1.plist b/examples/mdm/commands/device.lostmode.location/example1.plist new file mode 100644 index 0000000..c91fb84 --- /dev/null +++ b/examples/mdm/commands/device.lostmode.location/example1.plist @@ -0,0 +1,13 @@ + + + + + Command + + RequestType + DeviceLocation + + CommandUUID + 0001_DeviceLocation + + \ No newline at end of file diff --git a/examples/mdm/commands/device.lostmode.location/example2.plist b/examples/mdm/commands/device.lostmode.location/example2.plist new file mode 100644 index 0000000..52ed8dd --- /dev/null +++ b/examples/mdm/commands/device.lostmode.location/example2.plist @@ -0,0 +1,28 @@ + + + + + Altitude + -1.0 + CommandUUID + 0246_DeviceLocation + Course + -1.0 + HorizontalAccuracy + 3.677859038862057 + Latitude + 37.33385013244351 + Longitude + -122.01079213269968 + Speed + -1.0 + Status + Acknowledged + Timestamp + 2019-09-04T22:35:52Z + UDID + 00008020-000915083C80012E + VerticalAccuracy + -1.0 + + \ No newline at end of file diff --git a/examples/mdm/commands/device.lostmode.playsound/example1.plist b/examples/mdm/commands/device.lostmode.playsound/example1.plist new file mode 100644 index 0000000..63085da --- /dev/null +++ b/examples/mdm/commands/device.lostmode.playsound/example1.plist @@ -0,0 +1,13 @@ + + + + + Command + + RequestType + PlayLostModeSound + + CommandUUID + 0001_PlayLostModeSound + + \ No newline at end of file diff --git a/examples/mdm/commands/device.lostmode.playsound/example2.plist b/examples/mdm/commands/device.lostmode.playsound/example2.plist new file mode 100644 index 0000000..f9fd475 --- /dev/null +++ b/examples/mdm/commands/device.lostmode.playsound/example2.plist @@ -0,0 +1,12 @@ + + + + + CommandUUID + 0001_PlayLostModeSound + Status + Acknowledged + UDID + 00008020-000915083C80012E + + \ No newline at end of file diff --git a/examples/mdm/commands/device.restart/example1.plist b/examples/mdm/commands/device.restart/example1.plist new file mode 100644 index 0000000..b64f532 --- /dev/null +++ b/examples/mdm/commands/device.restart/example1.plist @@ -0,0 +1,13 @@ + + + + + Command + + RequestType + RestartDevice + + CommandUUID + 0001_RestartDevice + + \ No newline at end of file diff --git a/examples/mdm/commands/device.restart/example2.plist b/examples/mdm/commands/device.restart/example2.plist new file mode 100644 index 0000000..c7733c2 --- /dev/null +++ b/examples/mdm/commands/device.restart/example2.plist @@ -0,0 +1,12 @@ + + + + + CommandUUID + 0001_RestartDevice + Status + Acknowledged + UDID + 00008020-000915083C80012E + + \ No newline at end of file diff --git a/examples/mdm/commands/device.restrictions.clearpassword/example1.plist b/examples/mdm/commands/device.restrictions.clearpassword/example1.plist new file mode 100644 index 0000000..7acd9a7 --- /dev/null +++ b/examples/mdm/commands/device.restrictions.clearpassword/example1.plist @@ -0,0 +1,13 @@ + + + + + Command + + RequestType + ClearRestrictionsPassword + + CommandUUID + 0001_ClearRestrictionsPassword + + \ No newline at end of file diff --git a/examples/mdm/commands/device.restrictions.clearpassword/example2.plist b/examples/mdm/commands/device.restrictions.clearpassword/example2.plist new file mode 100644 index 0000000..9f92692 --- /dev/null +++ b/examples/mdm/commands/device.restrictions.clearpassword/example2.plist @@ -0,0 +1,12 @@ + + + + + CommandUUID + 0001_ClearRestrictionsPassword + Status + Acknowledged + UDID + 00008020-000915083C80012E + + \ No newline at end of file diff --git a/examples/mdm/commands/device.restrictions.list/example1.plist b/examples/mdm/commands/device.restrictions.list/example1.plist new file mode 100644 index 0000000..66d9e32 --- /dev/null +++ b/examples/mdm/commands/device.restrictions.list/example1.plist @@ -0,0 +1,15 @@ + + + + + Command + + ProfileRestrictions + + RequestType + Restrictions + + CommandUUID + 0001_Restrictions + + \ No newline at end of file diff --git a/examples/mdm/commands/device.restrictions.list/example2.plist b/examples/mdm/commands/device.restrictions.list/example2.plist new file mode 100644 index 0000000..4b7c857 --- /dev/null +++ b/examples/mdm/commands/device.restrictions.list/example2.plist @@ -0,0 +1,23 @@ + + + + + CommandUUID + 0001_Restrictions + GlobalRestrictions + + restrictedBool + + allowCamera + + value + + + + + Status + Acknowledged + UDID + 00008020-000915083C80012E + + \ No newline at end of file diff --git a/examples/mdm/commands/device.shutdown/example1.plist b/examples/mdm/commands/device.shutdown/example1.plist new file mode 100644 index 0000000..b762f9d --- /dev/null +++ b/examples/mdm/commands/device.shutdown/example1.plist @@ -0,0 +1,13 @@ + + + + + Command + + RequestType + ShutDownDevice + + CommandUUID + 0001_ShutDownDevice + + \ No newline at end of file diff --git a/examples/mdm/commands/device.shutdown/example2.plist b/examples/mdm/commands/device.shutdown/example2.plist new file mode 100644 index 0000000..d4d2cbf --- /dev/null +++ b/examples/mdm/commands/device.shutdown/example2.plist @@ -0,0 +1,12 @@ + + + + + CommandUUID + 0001_ShutDownDevice + Status + Acknowledged + UDID + 00008020-000915083C80012E + + \ No newline at end of file diff --git a/examples/mdm/commands/information.device/example1.plist b/examples/mdm/commands/information.device/example1.plist new file mode 100644 index 0000000..ec50b8a --- /dev/null +++ b/examples/mdm/commands/information.device/example1.plist @@ -0,0 +1,89 @@ + + + + + Command + + Queries + + UDID + Languages + Locales + DeviceID + OrganizationInfo + LastCloudBackupDate + AwaitingConfiguration + MDMOptions + iTunesStoreAccountIsActive + iTunesStoreAccountHash + DeviceName + OSVersion + BuildVersion + ModelName + Model + ProductName + SerialNumber + DeviceCapacity + AvailableDeviceCapacity + BatteryLevel + CellularTechnology + ICCID + BluetoothMAC + WiFiMAC + EthernetMACs + CurrentCarrierNetwork + SubscriberCarrierNetwork + CurrentMCC + CurrentMNC + SubscriberMCC + SubscriberMNC + SIMMCC + SIMMNC + SIMCarrierNetwork + CarrierSettingsVersion + PhoneNumber + DataRoamingEnabled + VoiceRoamingEnabled + PersonalHotspotEnabled + IsRoaming + IMEI + MEID + ModemFirmwareVersion + IsSupervised + IsDeviceLocatorServiceEnabled + IsActivationLockEnabled + IsDoNotDisturbInEffect + EASDeviceIdentifier + IsCloudBackupEnabled + OSUpdateSettings + LocalHostName + HostName + CatalogURL + IsDefaultCatalog + PreviousScanDate + PreviousScanResult + PerformPeriodicCheck + AutomaticCheckEnabled + BackgroundDownloadEnabled + AutomaticAppInstallationEnabled + AutomaticOSInstallationEnabled + AutomaticSecurityUpdatesEnabled + OSUpdateSettings + LocalHostName + HostName + IsMultiUser + IsMDMLostModeEnabled + MaximumResidentUsers + PushToken + DiagnosticSubmissionEnabled + AppAnalyticsEnabled + IsNetworkTethered + ServiceSubscriptions + + RequestType + DeviceInformation + + CommandUUID + 0001_DeviceInformation + + \ No newline at end of file diff --git a/examples/mdm/commands/information.device/example2.plist b/examples/mdm/commands/information.device/example2.plist new file mode 100644 index 0000000..ebf0404 --- /dev/null +++ b/examples/mdm/commands/information.device/example2.plist @@ -0,0 +1,167 @@ + + + + + CommandUUID + 0001_DeviceInformation + QueryResponses + + AppAnalyticsEnabled + + AvailableDeviceCapacity + 225.2413330078125 + AwaitingConfiguration + + BatteryLevel + 1.0 + BluetoothMAC + 58:fe:f7:70:9d:9e + BuildVersion + 17A576 + CarrierSettingsVersion + 38.0 + CellularTechnology + 3 + CurrentMCC + 311 + CurrentMNC + 480 + DataRoamingEnabled + + DeviceCapacity + 230.26551818847656 + DeviceName + iPhone + DiagnosticSubmissionEnabled + + EASDeviceIdentifier + V2UVOT7J157L7C1FLLSAABSOV4 + ICCID + 8901 0030 0000 0336 1196 + IMEI + 35 735005 003432 4 + IsActivationLockEnabled + + IsCloudBackupEnabled + + IsDeviceLocatorServiceEnabled + + IsDoNotDisturbInEffect + + IsMDMLostModeEnabled + + IsMultiUser + + IsNetworkTethered + + IsRoaming + + IsSupervised + + MDMOptions + + + MEID + 35745019114431 + Model + 993-31388LL + ModelName + iPhone + ModemFirmwareVersion + 2.01.08 + OSVersion + 13.0 + PersonalHotspotEnabled + + PhoneNumber + + ProductName + iPhone11,8 + SerialNumber + C7CX706CKWTK + ServiceSubscriptions + + + CarrierSettingsVersion + 41.7.19 + CurrentCarrierNetwork + + CurrentMCC + 310 + CurrentMNC + 260 + ICCID + 8901 0030 0000 0336 1196 + IMEI + 35 734009 035404 0 + IsDataPreferred + + IsRoaming + + IsVoicePreferred + + Label + Primary + LabelID + EB91134A-B155-4DAB-9D35-CB2EAF82615D + MEID + 35735009002431 + PhoneNumber + +12018675309 + Slot + CTSubscriptionSlotOne + + + CarrierSettingsVersion + 41.7.46 + CurrentCarrierNetwork + AT&T + CurrentMCC + 310 + CurrentMNC + 410 + EID + 89049032004008882600004821436874 + ICCID + 6905 4911 1205 0650 3488 + IMEI + 35 309418 464558 9 + IsDataPreferred + + IsRoaming + + IsVoicePreferred + + Label + Secondary + LabelID + FDG4225C-L9OY-89BM-JF38-36JR4JOL76B3 + MEID + 35745008005631 + PhoneNumber + +14152739164 + Slot + CTSubscriptionSlotTwo + + + SubscriberCarrierNetwork + ExampleCarrier + SubscriberMCC + 001 + SubscriberMNC + 01 + UDID + 00008020-000915083C80012E + VoiceRoamingEnabled + + WiFiMAC + 58:fe:f5:80:29:f3 + iTunesStoreAccountIsActive + + + Status + Acknowledged + UDID + 00008020-000915083C80012E + + \ No newline at end of file diff --git a/examples/mdm/commands/information.security/example1.plist b/examples/mdm/commands/information.security/example1.plist new file mode 100644 index 0000000..b2c0deb --- /dev/null +++ b/examples/mdm/commands/information.security/example1.plist @@ -0,0 +1,13 @@ + + + + + Command + + RequestType + SecurityInfo + + CommandUUID + 0001_SecurityInfo + + \ No newline at end of file diff --git a/examples/mdm/commands/information.security/example2.plist b/examples/mdm/commands/information.security/example2.plist new file mode 100644 index 0000000..5a51b3d --- /dev/null +++ b/examples/mdm/commands/information.security/example2.plist @@ -0,0 +1,32 @@ + + + + + CommandUUID + 0011_SecurityInfo + SecurityInfo + + HardwareEncryptionCaps + 3 + ManagementStatus + + IsUserEnrollment + + + PasscodeCompliant + + PasscodeCompliantWithProfiles + + PasscodeLockGracePeriod + 0 + PasscodeLockGracePeriodEnforced + 0 + PasscodePresent + + + Status + Acknowledged + UDID + 00008020-000915083C80012E + + \ No newline at end of file diff --git a/examples/mdm/commands/lom.devicerequest/example1.plist b/examples/mdm/commands/lom.devicerequest/example1.plist new file mode 100644 index 0000000..fe9e78b --- /dev/null +++ b/examples/mdm/commands/lom.devicerequest/example1.plist @@ -0,0 +1,29 @@ + + + + + Command + + RequestList + + + DeviceDNSName + lomdevice.com + DeviceRequestType + Reset + DeviceRequestUUID + 0001 + PrimaryIPv6AddressList + + fe80::94f6:d6ff:fef3:c05b + fe80::94f6:d6ff:fef3:c1a4 + + SecondaryIPv6AddressList + + + + + CommandUUID + 0001_LOMDeviceRequest + + \ No newline at end of file diff --git a/examples/mdm/commands/lom.devicerequest/example2.plist b/examples/mdm/commands/lom.devicerequest/example2.plist new file mode 100644 index 0000000..92de1a5 --- /dev/null +++ b/examples/mdm/commands/lom.devicerequest/example2.plist @@ -0,0 +1,21 @@ + + + + + CommandUUID + 0001_LOMDeviceRequest + ResponseData + + + DeviceRequestSucess + + DeviceRequestUUID + 0001 + + + Status + Acknowledged + UDID + 37CECCAB-99C1-5ADF-8A9A-2AFA3B6387B5 + + \ No newline at end of file diff --git a/examples/mdm/commands/lom.setuprequest/example1.plist b/examples/mdm/commands/lom.setuprequest/example1.plist new file mode 100644 index 0000000..bb2fa85 --- /dev/null +++ b/examples/mdm/commands/lom.setuprequest/example1.plist @@ -0,0 +1,13 @@ + + + + + Command + + RequestType + LOMSetupRequest + + CommandUUID + 0001_LOMSetupRequest + + \ No newline at end of file diff --git a/examples/mdm/commands/lom.setuprequest/example2.plist b/examples/mdm/commands/lom.setuprequest/example2.plist new file mode 100644 index 0000000..c811981 --- /dev/null +++ b/examples/mdm/commands/lom.setuprequest/example2.plist @@ -0,0 +1,17 @@ + + + + + CommandUUID + 0001_LOMSetupRequest + PrimaryIPv6AddressList + + fe80::94f6:d6ff:fef3:c05b + fe80::94f6:d6ff:fef3:c1a4 + + Status + Acknowledged + UDID + 84341F79-92F5-5EF7-9A6A-3A7374613227 + + \ No newline at end of file diff --git a/examples/mdm/commands/managed.application.attributes/example1.plist b/examples/mdm/commands/managed.application.attributes/example1.plist new file mode 100644 index 0000000..3af791d --- /dev/null +++ b/examples/mdm/commands/managed.application.attributes/example1.plist @@ -0,0 +1,17 @@ + + + + + Command + + Identifiers + + com.acme.myenterpriseapp + + RequestType + ManagedApplicationAttributes + + CommandUUID + 0001_ManagedApplicationAttributes + + \ No newline at end of file diff --git a/examples/mdm/commands/managed.application.attributes/example2.plist b/examples/mdm/commands/managed.application.attributes/example2.plist new file mode 100644 index 0000000..3fb0b4f --- /dev/null +++ b/examples/mdm/commands/managed.application.attributes/example2.plist @@ -0,0 +1,24 @@ + + + + + ApplicationAttributes + + + Attributes + + VPNUUID + abcde + + Identifier + com.acme.myenterpriseapp + + + CommandUUID + 0001_ManagedApplicationAttributes + Status + Acknowledged + UDID + 00008020-000915083C80012E + + \ No newline at end of file diff --git a/examples/mdm/commands/managed.application.configuration/example1.plist b/examples/mdm/commands/managed.application.configuration/example1.plist new file mode 100644 index 0000000..2380bdf --- /dev/null +++ b/examples/mdm/commands/managed.application.configuration/example1.plist @@ -0,0 +1,17 @@ + + + + + Command + + Identifiers + + com.acme.myenterpriseapp + + RequestType + ManagedApplicationConfiguration + + CommandUUID + 0001_ManagedApplicationConfiguration + + \ No newline at end of file diff --git a/examples/mdm/commands/managed.application.configuration/example2.plist b/examples/mdm/commands/managed.application.configuration/example2.plist new file mode 100644 index 0000000..f0fcf49 --- /dev/null +++ b/examples/mdm/commands/managed.application.configuration/example2.plist @@ -0,0 +1,24 @@ + + + + + ApplicationConfigurations + + + Configuration + + text + myappsettings + + Identifier + com.acme.myenterpriseapp + + + CommandUUID + 0001_ManagedApplicationConfiguration + Status + Acknowledged + UDID + 00008020-000915083C80012E + + \ No newline at end of file diff --git a/examples/mdm/commands/managed.application.feedback/example1.plist b/examples/mdm/commands/managed.application.feedback/example1.plist new file mode 100644 index 0000000..fd9a0c0 --- /dev/null +++ b/examples/mdm/commands/managed.application.feedback/example1.plist @@ -0,0 +1,19 @@ + + + + + Command + + DeleteFeedback + + Identifiers + + com.acme.myenterpriseapp + + RequestType + ManagedApplicationFeedback + + CommandUUID + 0001_ManagedApplicationFeedback + + \ No newline at end of file diff --git a/examples/mdm/commands/managed.application.feedback/example2.plist b/examples/mdm/commands/managed.application.feedback/example2.plist new file mode 100644 index 0000000..0a9a841 --- /dev/null +++ b/examples/mdm/commands/managed.application.feedback/example2.plist @@ -0,0 +1,24 @@ + + + + + CommandUUID + 0090_ManagedApplicationFeedback + ManagedApplicationFeedback + + + Feedback + + feedback + Feedback + + Identifier + com.acme.myenterpriseapp + + + Status + Acknowledged + UDID + 00008020-000915083C80012E + + \ No newline at end of file diff --git a/examples/mdm/commands/media.install/example1.plist b/examples/mdm/commands/media.install/example1.plist new file mode 100644 index 0000000..6aa8b08 --- /dev/null +++ b/examples/mdm/commands/media.install/example1.plist @@ -0,0 +1,27 @@ + + + + + Command + + Author + Acme, Inc. + Kind + pdf + MediaType + Book + MediaURL + https://yourmdmhost.example.com/files/myenterprisebook.pdf + PersistentID + com.acme.pdf.myenterprisebook + RequestType + InstallMedia + Title + My Enterprise Book + Version + 1.0 + + CommandUUID + 0001_InstallMedia + + \ No newline at end of file diff --git a/examples/mdm/commands/media.install/example2.plist b/examples/mdm/commands/media.install/example2.plist new file mode 100644 index 0000000..d5bc592 --- /dev/null +++ b/examples/mdm/commands/media.install/example2.plist @@ -0,0 +1,20 @@ + + + + + CommandUUID + 0001_InstallMedia + MediaType + Book + MediaURL + https://yourmdmhost.example.com/files/myenterprisebook.pdf + PersistentID + com.acme.pdf.myenterprisebook + State + Installing + Status + Acknowledged + UDID + 00008020-000915083C80012E + + \ No newline at end of file diff --git a/examples/mdm/commands/media.install/example3.plist b/examples/mdm/commands/media.install/example3.plist new file mode 100644 index 0000000..cf777fe --- /dev/null +++ b/examples/mdm/commands/media.install/example3.plist @@ -0,0 +1,17 @@ + + + + + Command + + MediaType + Book + RequestType + InstallMedia + iTunesStoreID + 1420662672 + + CommandUUID + 0001_InstallMedia + + \ No newline at end of file diff --git a/examples/mdm/commands/media.install/example4.plist b/examples/mdm/commands/media.install/example4.plist new file mode 100644 index 0000000..17b9cf4 --- /dev/null +++ b/examples/mdm/commands/media.install/example4.plist @@ -0,0 +1,18 @@ + + + + + CommandUUID + 0001_InstallMedia + MediaType + Book + State + Installing + Status + Acknowledged + UDID + 00008020-000915083C80012E + iTunesStoreID + 1420662672 + + \ No newline at end of file diff --git a/examples/mdm/commands/media.managed.list/example1.plist b/examples/mdm/commands/media.managed.list/example1.plist new file mode 100644 index 0000000..3871642 --- /dev/null +++ b/examples/mdm/commands/media.managed.list/example1.plist @@ -0,0 +1,13 @@ + + + + + Command + + RequestType + ManagedMediaList + + CommandUUID + 0001_ManagedMediaList + + \ No newline at end of file diff --git a/examples/mdm/commands/media.managed.list/example2.plist b/examples/mdm/commands/media.managed.list/example2.plist new file mode 100644 index 0000000..5957aff --- /dev/null +++ b/examples/mdm/commands/media.managed.list/example2.plist @@ -0,0 +1,29 @@ + + + + + Books + + + Author + Acme, Inc. + Kind + pdf + PersistentID + com.acme.pdf.myenterprisebook + State + Managed + Title + My Enterprise Book + Version + 1.0 + + + CommandUUID + 0001_ManagedMediaList + Status + Acknowledged + UDID + 00008020-000915083C80012E + + \ No newline at end of file diff --git a/examples/mdm/commands/media.remove/example1.plist b/examples/mdm/commands/media.remove/example1.plist new file mode 100644 index 0000000..083fb25 --- /dev/null +++ b/examples/mdm/commands/media.remove/example1.plist @@ -0,0 +1,12 @@ + + + + + MediaType + Book + PersistentID + com.acme.pdf.myenterprisebook + RequestType + RemoveMedia + + \ No newline at end of file diff --git a/examples/mdm/commands/media.remove/example2.plist b/examples/mdm/commands/media.remove/example2.plist new file mode 100644 index 0000000..4af5411 --- /dev/null +++ b/examples/mdm/commands/media.remove/example2.plist @@ -0,0 +1,12 @@ + + + + + CommandUUID + 0001_RemoveMedia + Status + Acknowledged + UDID + 00008020-000915083C80012E + + \ No newline at end of file diff --git a/examples/mdm/commands/passcode.clear/example1.plist b/examples/mdm/commands/passcode.clear/example1.plist new file mode 100644 index 0000000..e64f2be --- /dev/null +++ b/examples/mdm/commands/passcode.clear/example1.plist @@ -0,0 +1,42 @@ + + + + + Command + + RequestType + ClearPasscode + UnlockToken + + REFUQQAABPRWRVJTAAAABAAAAAVUWVBFAAAABAAAAAJVVUlEAAAAEGHX7XgO5UNZsRiL + 9Kq3hSdITUNLAAAAKLUR5mc5hBzI4bEsbWacE/gmhdJS6rl3978V3DY9ylBbEBGgJ/fA + Ac9XUkFQAAAABAAAAAFTQUxUAAAAFIHju7P8BPFTz0JA8MDo+PsvcAAmSVRFUgAAAAQA + AEEaVVVJRAAAABC70Oy5TtZCGocX/i7orO/pQ0xBUwAAAAQAAAABV1JBUAAAAAQAAAAD + S1RZUAAAAAQAAAAAV1BLWQAAACjH8wUEvSkfgrEPSSQUazAz1eCuTXET3CkqgkNQZkjS + jZEHtWmXpC4IVVVJRAAAABBW4TUxIb1L7aNAmbmGkxiIQ0xBUwAAAAQAAAACV1JBUAAA + AAQAAAADS1RZUAAAAAQAAAABV1BLWQAAAChaDERvmDXtk9mikMCT30uDQ4XwrT9ifdmf + 3Hjz/6atBPq/1uNpm5TtUEJLWQAAACCypmyEJV4x4wV6CKfZFEmkYHf8kOXh5ONM1A6B + R26KM1VVSUQAAAAQH5Ol3/mLSM2dLvFxGTlf5kNMQVMAAAAEAAAAA1dSQVAAAAAEAAAA + A0tUWVAAAAAEAAAAAFdQS1kAAAAoxNNjRWfqvgqXMVyiqDH2LXJdpafgsm+8ovRQuzL4 + tp3Bs5y25bmRelVVSUQAAAAQB7drprzaR5aePknqFUjyWENMQVMAAAAEAAAABVdSQVAA + AAAEAAAAA0tUWVAAAAAEAAAAAFdQS1kAAAAoMCe2S7psda5AHw99a+DKV8m0hR6aKUKP + VG5oURKAJZSXJKYRRO2xKlVVSUQAAAAQMpEnWAWOS0qnOwWRdtSAlUNMQVMAAAAEAAAA + BldSQVAAAAAEAAAAA0tUWVAAAAAEAAAAAFdQS1kAAAAoyhn4O/EIo5Q1NLt0/wL1UZGA + EqTE45DEcNstAQZLk+1U/FSKOWtqrlVVSUQAAAAQFuJUehe6TC+3TImCkemk6kNMQVMA + AAAEAAAAB1dSQVAAAAAEAAAAA0tUWVAAAAAEAAAAAFdQS1kAAAAoMcyPJI8vNBh7j6je + VPu3zgDYTXAuoo68jqZU4kCubSGyRvIpa/O4n1VVSUQAAAAQF2v1dlxfRMqYs7swzn9s + nENMQVMAAAAEAAAACFdSQVAAAAAEAAAAA0tUWVAAAAAEAAAAAFdQS1kAAAAoSx2pMsvH + K2HNg9IIbrVEzX7T3Rw0vLEmwMJ3ignooj+3GMHeaJ0aplVVSUQAAAAQ8Qif3NCoTjiK + WRjgOIHG6ENMQVMAAAAEAAAACVdSQVAAAAAEAAAAA0tUWVAAAAAEAAAAAFdQS1kAAAAo + n2icCfaIRPbE7mzGqO7rOnuPhgUbYkcpAqf6RnAXljcpSxZqBiJtGlVVSUQAAAAQt9a3 + ThB7SwaGw50i9Hhfu0NMQVMAAAAEAAAACldSQVAAAAAEAAAAA0tUWVAAAAAEAAAAAFdQ + S1kAAAAoEW1/yC+YYXLVzyRxZwghOADACnWvOnHdBPhJ/z7VEkyHcObDPI9w41VVSUQA + AAAQ4vImTUp5S7qmyMDZ82nM70NMQVMAAAAEAAAAC1dSQVAAAAAEAAAAA0tUWVAAAAAE + AAAAAFdQS1kAAAAo8vkvhYNP7rTLdfXRifh+dcTIbj3EEJKyYXeCL9J9trYAo7B5mV5u + 41NJR04AAAAUtFVbS3MM33WvBsEis1imzvs069A= + + + CommandUUID + 0001_ClearPasscode + + \ No newline at end of file diff --git a/examples/mdm/commands/passcode.clear/example2.plist b/examples/mdm/commands/passcode.clear/example2.plist new file mode 100644 index 0000000..1986361 --- /dev/null +++ b/examples/mdm/commands/passcode.clear/example2.plist @@ -0,0 +1,12 @@ + + + + + CommandUUID + 0001_ClearPasscode + Status + Acknowledged + UDID + 00008020-000915083C80012E + + \ No newline at end of file diff --git a/examples/mdm/commands/passcode.firmware.set/example1.plist b/examples/mdm/commands/passcode.firmware.set/example1.plist new file mode 100644 index 0000000..7267b24 --- /dev/null +++ b/examples/mdm/commands/passcode.firmware.set/example1.plist @@ -0,0 +1,19 @@ + + + + + Command + + AllowOroms + + CurrentPassword + oldpassword + NewPassword + newpassword + RequestType + SetFirmwarePassword + + CommandUUID + 0001_SetFirmwarePassword + + \ No newline at end of file diff --git a/examples/mdm/commands/passcode.firmware.set/example2.plist b/examples/mdm/commands/passcode.firmware.set/example2.plist new file mode 100644 index 0000000..7d374c8 --- /dev/null +++ b/examples/mdm/commands/passcode.firmware.set/example2.plist @@ -0,0 +1,17 @@ + + + + + CommandUUID + 0001_SetFirmwarePassword + SetFirmwarePassword + + PasswordChanged + + + Status + Acknowledged + UDID + E84CD517-CB37-52F7-988C-DB5137B604B8 + + \ No newline at end of file diff --git a/examples/mdm/commands/passcode.firmware.verify/example1.plist b/examples/mdm/commands/passcode.firmware.verify/example1.plist new file mode 100644 index 0000000..29ef902 --- /dev/null +++ b/examples/mdm/commands/passcode.firmware.verify/example1.plist @@ -0,0 +1,15 @@ + + + + + Command + + Password + password + RequestType + VerifyFirmwarePassword + + CommandUUID + 0001_VerifyFirmwarePassword + + \ No newline at end of file diff --git a/examples/mdm/commands/passcode.firmware.verify/example2.plist b/examples/mdm/commands/passcode.firmware.verify/example2.plist new file mode 100644 index 0000000..db1fcbe --- /dev/null +++ b/examples/mdm/commands/passcode.firmware.verify/example2.plist @@ -0,0 +1,17 @@ + + + + + CommandUUID + 0001_VerifyFirmwarePassword + Status + Acknowledged + UDID + E84CD517-CB37-52F7-988C-DB5137B604B8 + VerifyFirmwarePassword + + PasswordVerified + + + + \ No newline at end of file diff --git a/examples/mdm/commands/passcode.recovery.set/example1.plist b/examples/mdm/commands/passcode.recovery.set/example1.plist new file mode 100644 index 0000000..8b6e94f --- /dev/null +++ b/examples/mdm/commands/passcode.recovery.set/example1.plist @@ -0,0 +1,13 @@ + + + + + Command + + RequestType + SetRecoveryLock + NewPassword + Apple + + + \ No newline at end of file diff --git a/examples/mdm/commands/passcode.recovery.set/example2.plist b/examples/mdm/commands/passcode.recovery.set/example2.plist new file mode 100644 index 0000000..141837b --- /dev/null +++ b/examples/mdm/commands/passcode.recovery.set/example2.plist @@ -0,0 +1,12 @@ + + + + + CommandUUID + 0001_SetRecoveryLock + Status + Acknowledged + UDID + 1AC99473-AE6F-5E59-BE5C-410D257D481E + + \ No newline at end of file diff --git a/examples/mdm/commands/passcode.recovery.verify/example1.plist b/examples/mdm/commands/passcode.recovery.verify/example1.plist new file mode 100644 index 0000000..d8cf08f --- /dev/null +++ b/examples/mdm/commands/passcode.recovery.verify/example1.plist @@ -0,0 +1,13 @@ + + + + + Command + + RequestType + VerifyRecoveryLock + Password + Apple + + + \ No newline at end of file diff --git a/examples/mdm/commands/passcode.recovery.verify/example2.plist b/examples/mdm/commands/passcode.recovery.verify/example2.plist new file mode 100644 index 0000000..82d2061 --- /dev/null +++ b/examples/mdm/commands/passcode.recovery.verify/example2.plist @@ -0,0 +1,14 @@ + + + + + CommandUUID + 0001_VerifyRecoveryLock + PasswordVerified + + Status + Acknowledged + UDID + 1AC99473-AE6F-5E59-BE5C-410D257D481E + + \ No newline at end of file diff --git a/examples/mdm/commands/profile.install/example1.plist b/examples/mdm/commands/profile.install/example1.plist new file mode 100644 index 0000000..6c90263 --- /dev/null +++ b/examples/mdm/commands/profile.install/example1.plist @@ -0,0 +1,41 @@ + + + + + Command + + Payload + + PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPCFET0NUWVBFIHBs + aXN0IFBVQkxJQyAiLS8vQXBwbGUvL0RURCBQTElTVCAxLjAvL0VOIiAiaHR0cDovL3d3 + dy5hcHBsZS5jb20vRFREcy9Qcm9wZXJ0eUxpc3QtMS4wLmR0ZCI+CjxwbGlzdCB2ZXJz + aW9uPSIxLjAiPgo8ZGljdD4KCTxrZXk+UGF5bG9hZENvbnRlbnQ8L2tleT4KCTxhcnJh + eT4KCQk8ZGljdD4KCQkJPGtleT5QYXlsb2FkRGVzY3JpcHRpb248L2tleT4KCQkJPHN0 + cmluZz5Db25maWd1cmVzIHJlc3RyaWN0aW9uczwvc3RyaW5nPgoJCQk8a2V5PlBheWxv + YWREaXNwbGF5TmFtZTwva2V5PgoJCQk8c3RyaW5nPlJlc3RyaWN0aW9uczwvc3RyaW5n + PgoJCQk8a2V5PlBheWxvYWRJZGVudGlmaWVyPC9rZXk+CgkJCTxzdHJpbmc+Y29tLmFw + cGxlLmFwcGxpY2F0aW9uYWNjZXNzLkVENzE2QUU5LUFFODktNENFQy1BNzE3LUYyMTU2 + N0UwRjUxMjwvc3RyaW5nPgoJCQk8a2V5PlBheWxvYWRUeXBlPC9rZXk+CgkJCTxzdHJp + bmc+Y29tLmFwcGxlLmFwcGxpY2F0aW9uYWNjZXNzPC9zdHJpbmc+CgkJCTxrZXk+UGF5 + bG9hZFVVSUQ8L2tleT4KCQkJPHN0dmluZz5FRDcxNkFFOS1BRTg5LTRDRUMtQTcxNy1G + MjE1NjdFMEY1MTI8L3N0cmluZz4KCQkJPGtleT5QYXlsb2FtVmVyc2lvbjwva2V5PgoJ + CQk8aW50ZWdlcj4xPC9pbnRlZ2VyPgoJCQk8a2V5PmFsbG93TG9ja1NjcmVlblRvZGF5 + Vmlldzwva2V5PgoJCQk8ZmFsc2UvPgoJCQk8a2V5PnJhdGluZ1JlZ2lvbjwva2V5PgoJ + CQk8c3RyaW5nPnVzPC9zdHJpbmc+CgkJPC9kaWN0PgoJPC9hcnJheT4KCTxrZXk+UGF5 + bG9hZERpc3BsYXlOYW1lPC9rZXk+Cgk8c3RyaW5nPihVKSBhbGxvd0xvY2tTY3JlZW5U + b2RheVZpZXc8L3N0cmluZz4KCTxrZXk+UGF5bG9hZElkZW50aWZpZXI8L2tleT4KCTxz + dHJpbmc+Y29tLmFwcGxlLmRtcy5yZXN0cmljdGlvbnMuYWxsb3dMb2NrU2NyZWVuVG9k + YXlWaWV3PC9zdHJpbmc+Cgk8a2V5PlBheWxwYWRSZW1vdmFsRGlzYWxsb3dlZDwva2V5 + PgoJPGZhbHNlLz4KCTxrZXk+UGF5bG9hZFR5cGU8L2tleT4KCTxzdHJpbmc+Q29uZmln + dXJhdGlvbjwvc3RyaW5nPgoJPGtleT5QYXlsb2FkVVVJRDwva2V5PgoJPHN0cmluZz42 + OUE0RTVGRS03NUQxLTQyOTctQkQzMi01NDA3MTBFRDYzNjA8L3N0cmluZz4KCTxrZXk+ + UGF5bG9hZFZlcnNpb248L2tleT4KCTxpbnRlZ2VyPjE8L2ludGVnZXI+CjwvZGljdD4K + PC9wbGlzdD4K + + RequestType + InstallProfile + + CommandUUID + 0001_InstallProfile + + \ No newline at end of file diff --git a/examples/mdm/commands/profile.install/example2.plist b/examples/mdm/commands/profile.install/example2.plist new file mode 100644 index 0000000..5c1ea71 --- /dev/null +++ b/examples/mdm/commands/profile.install/example2.plist @@ -0,0 +1,12 @@ + + + + + CommandUUID + 0001_InstallProfile + Status + Acknowledged + UDID + 00008020-000915083C80012E + + \ No newline at end of file diff --git a/examples/mdm/commands/profile.list/example1.plist b/examples/mdm/commands/profile.list/example1.plist new file mode 100644 index 0000000..1c53b0d --- /dev/null +++ b/examples/mdm/commands/profile.list/example1.plist @@ -0,0 +1,15 @@ + + + + + Command + + ManagedOnly + + RequestType + ProfileList + + CommandUUID + 0001_ProfileList + + \ No newline at end of file diff --git a/examples/mdm/commands/profile.list/example2.plist b/examples/mdm/commands/profile.list/example2.plist new file mode 100644 index 0000000..a761acd --- /dev/null +++ b/examples/mdm/commands/profile.list/example2.plist @@ -0,0 +1,82 @@ + + + + + CommandUUID + 0001_ProfileList + ProfileList + + + HasRemovalPasscode + + IsEncrypted + + IsManaged + + PayloadContent + + + PayloadDescription + Installs a PEM certificate payload. + PayloadDisplayName + PEM certificate payload + PayloadIdentifier + com.apple.security.pem.ea74b673-50b9-498c-8314-5cfef174d102 + PayloadOrganization + Acme, Inc. + PayloadType + com.apple.security.pem + PayloadVersion + 1 + + + PayloadDescription + Enrolls your device into SCEP on this MDM server. + PayloadDisplayName + MDM SCEP payload + PayloadIdentifier + com.apple.security.scep.aa48bb57-e657-4a87-b6b0-6f5159055304 + PayloadOrganization + Acme, Inc. + PayloadType + com.apple.security.scep + PayloadVersion + 1 + + + PayloadDescription + Enrolls your device into this MDM server. + PayloadDisplayName + MDM + PayloadIdentifier + com.apple.mdm.4e86d728-2c38-4410-bea2-fbe4b77619e3 + PayloadOrganization + Acme, Inc. + PayloadType + com.apple.mdm + PayloadVersion + 1 + + + PayloadDescription + Enrolls your device into this MDM server. + PayloadDisplayName + Python MDM + PayloadIdentifier + com.acme.mdm.mdm + PayloadOrganization + Acme, Inc. + PayloadRemovalDisallowed + + PayloadUUID + a96f429c-d881-47e7-ad07-eeca163976fb + PayloadVersion + 1 + + + Status + Acknowledged + UDID + 00008020-000915083C80012E + + \ No newline at end of file diff --git a/examples/mdm/commands/profile.provisioning.install/example1.plist b/examples/mdm/commands/profile.provisioning.install/example1.plist new file mode 100644 index 0000000..c6bee79 --- /dev/null +++ b/examples/mdm/commands/profile.provisioning.install/example1.plist @@ -0,0 +1,66 @@ + + + + + Command + + ProvisioningProfile + + TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQsIGNvbnNlY3RldHVyIGFkaXBpc2Npbmcg + ZWxpdC4gTWF1cmlzIGlwc3VtIGVyYXQsIHNlbXBlciBxdWlzIG1hc3NhIG5lYywgcHVs + dmluYXIgcHVsdmluYXIgbWF1cmlzLiBBbGlxdWFtIGNvbW1vZG8gaWQgdXJuYSBzZWQg + Y29uc2VxdWF0LiBEb25lYyBlZ2V0IGFsaXF1ZXQgYXVndWUuIEZ1c2NlIHF1aXMgdG9y + dG9yIHZlbGl0LiBFdGlhbSBhdWN0b3IgdmVsIG1hc3NhIHNpdCBhbWV0IG1vbGxpcy4g + TmFtIGVsZW1lbnR1bSB2aXRhZSBuZXF1ZSBhYyBhY2N1bXNhbi4gVml2YW11cyBpZCBs + ZW8gYXVndWUuIFByb2luIGlhY3VsaXMgdWxsYW1jb3JwZXIgc2VtLCB2ZWwgZGFwaWJ1 + cyBvcmNpIGNvbnNlcXVhdCBzaXQgYW1ldC4gQ3JhcyBhYyBtb2xlc3RpZSBleC4KCklu + IG1vbGVzdGllIGJpYmVuZHVtIG1hZ25hIGlkIHVsdHJpY2VzLiBOYW0gZmF1Y2lidXMg + anVzdG8gbmVjIGZlbGlzIHB1bHZpbmFyIGZhY2lsaXNpcy4gQ3JhcyBjb21tb2RvLCBk + aWFtIGluIHRpbmNpZHVudCB1bHRyaWNlcywgcXVhbSBlbmltIHNvbGxpY2l0dWRpbiB0 + dXJwaXMsIGV1IHRpbmNpZHVudCBuaXNpIGxvcmVtIGV0IGxpZ3VsYS4gU3VzcGVuZGlz + c2UgcG90ZW50aS4gVmVzdGlidWx1bSBuZWMgbWFnbmEgZXUgbWV0dXMgbWF4aW11cyB1 + bHRyaWNlcyBhIGNvbnZhbGxpcyBvcmNpLiBDcmFzIHF1aXMgdHVycGlzIHNvZGFsZXMs + IHZhcml1cyBmZWxpcyBzZWQsIHNhZ2l0dGlzIG1hc3NhLiBQcmFlc2VudCBmZXJtZW50 + dW0gbnVsbGEgZXUgbnVsbGEgcGhhcmV0cmEgY29tbW9kby4gSW50ZWdlciB1dCBkYXBp + YnVzIG5pc2kuIE51bGxhIHZlaGljdWxhIHV0IGVsaXQgc2VkIHZlbmVuYXRpcy4gRG9u + ZWMgZXQgZWdlc3RhcyBhbnRlLiBJbnRlcmR1bSBldCBtYWxlc3VhZGEgZmFtZXMgYWMg + YW50ZSBpcHN1bSBwcmltaXMgaW4gZmF1Y2lidXMuIE1hZWNlbmFzIHJob25jdXMgbmlz + aSByaXN1cywgZXQgc29kYWxlcyB2ZWxpdCB2b2x1dHBhdCBhdC4KClF1aXNxdWUgdmVo + aWN1bGEgZXJvcyBlZmZpY2l0dXIgc2FwaWVuIGx1Y3R1cywgYSByaG9uY3VzIG51bGxh + IHZlc3RpYnVsdW0uIFNlZCBzZW1wZXIganVzdG8gbm9uIHRyaXN0aXF1ZSBsb2JvcnRp + cy4gUGhhc2VsbHVzIGV0IGVyYXQgZXQgbmliaCB2aXZlcnJhIHZvbHV0cGF0IGlkIHZl + bCBtYXNzYS4gUGhhc2VsbHVzIHNlZCBhdWd1ZSBhIGVzdCBydXRydW0gZWZmaWNpdHVy + LiBWaXZhbXVzIHZ1bHB1dGF0ZSBzY2VsZXJpc3F1ZSBydXRydW0uIE1hdXJpcyBwb3J0 + YSBzYXBpZW4gdmVsIHNlbXBlciBzZW1wZXIuIEluIGhhYyBoYWJpdGFzc2UgcGxhdGVh + IGRpY3R1bXN0LgoKQWxpcXVhbSBwb3J0dGl0b3Igbm9uIG1hc3NhIGVnZXQgY29uc2Vj + dGV0dXIuIER1aXMgZWxlbWVudHVtIGxhY2luaWEgdG9ydG9yLCBhYyBwdWx2aW5hciBz + ZW0gcGhhcmV0cmEgc2VkLiBJbnRlZ2VyIHJ1dHJ1bSBhdWd1ZSBlc3QsIGEgcmhvbmN1 + cyBuaXNpIGNvbnZhbGxpcyBlZ2V0LiBDcmFzIGFjY3Vtc2FuIGZlbGlzIGlwc3VtLCBu + ZWMgdml2ZXJyYSBuaXNpIGZpbmlidXMgbmVjLiBGdXNjZSBhdCBsdWN0dXMgc2FwaWVu + LCBzZWQgdGluY2lkdW50IGVzdC4gUGVsbGVudGVzcXVlIGFsaXF1ZXQgYXVjdG9yIGRh + cGlidXMuIE1hZWNlbmFzIGVnZXQgZHVpIHRlbXB1cywgbW9sbGlzIGxvcmVtIGVnZXQs + IHZ1bHB1dGF0ZSBkdWkuIEluIGV1IGxpYmVybyBhcmN1LiBDcmFzIG1hdHRpcyBldWlz + bW9kIG5pYmgsIGF0IHNlbXBlciBvZGlvIGRhcGlidXMgaW4uCgpEb25lYyB2ZWwgc29k + YWxlcyBkb2xvci4gTWFlY2VuYXMgbWFsZXN1YWRhIGhlbmRyZXJpdCBuaXNpIHF1aXMg + ZmVybWVudHVtLiBDcmFzIG5vbiBjb25kaW1lbnR1bSBsZWN0dXMuIFV0IGZhY2lsaXNp + cyBmZWxpcyB2YXJpdXMgZXJhdCBhY2N1bXNhbiB2ZWhpY3VsYS4gTW9yYmkgbHVjdHVz + IHRvcnRvciB2ZWwgYW50ZSBwb3N1ZXJlLCBldCBwb3J0YSBhdWd1ZSBwb3N1ZXJlLiBT + dXNwZW5kaXNzZSBlZ2VzdGFzIGVmZmljaXR1ciB2ZW5lbmF0aXMuIE51bmMgZnJpbmdp + bGxhIGVyb3MgdXQgb2RpbyB2dWxwdXRhdGUgcG9zdWVyZS4gTmFtIGVzdCBkaWFtLCBz + Y2VsZXJpc3F1ZSBtb2xlc3RpZSBvZGlvIHNlZCwgbHVjdHVzIG1vbGVzdGllIHRvcnRv + ci4gTWF1cmlzIG9ybmFyZSBuZXF1ZSBpZCBpbnRlcmR1bSB0cmlzdGlxdWUuIFZpdmFt + dXMgdXQgcHVydXMgdmFyaXVzLCBwb3J0dGl0b3IgbG9yZW0gZXQsIGZhdWNpYnVzIGFu + dGUuIE51bGxhbSBub24gZGljdHVtIGFudGUuIFBlbGxlbnRlc3F1ZSB2dWxwdXRhdGUg + dHVycGlzIGF0IGFjY3Vtc2FuIHZvbHV0cGF0LiBEb25lYyBub24gbGliZXJvIGF0IGVu + aW0gdWxsYW1jb3JwZXIgYWxpcXVldC4gTmFtIGRpY3R1bSBkb2xvciBub24gZHVpIHRp + bmNpZHVudCBtYWxlc3VhZGEuIFV0IGNvbnZhbGxpcyBlbGl0IGF0IG1pIGRpZ25pc3Np + bSwgYWMgdWxsYW1jb3JwZXIgZmVsaXMgaW1wZXJkaWV0LiBOYW0gbm9uIHRyaXN0aXF1 + ZSBsZWN0dXMu + + RequestType + InstallProvisioningProfile + + CommandUUID + 0001_InstallProvisioningProfile + + \ No newline at end of file diff --git a/examples/mdm/commands/profile.provisioning.install/example2.plist b/examples/mdm/commands/profile.provisioning.install/example2.plist new file mode 100644 index 0000000..52a4c42 --- /dev/null +++ b/examples/mdm/commands/profile.provisioning.install/example2.plist @@ -0,0 +1,12 @@ + + + + + CommandUUID + 0001_InstallProvisioningProfile + Status + Acknowledged + UDID + 00008020-000915083C80012E + + \ No newline at end of file diff --git a/examples/mdm/commands/profile.provisioning.list/example1.plist b/examples/mdm/commands/profile.provisioning.list/example1.plist new file mode 100644 index 0000000..8f0bb01 --- /dev/null +++ b/examples/mdm/commands/profile.provisioning.list/example1.plist @@ -0,0 +1,15 @@ + + + + + Command + + ManagedOnly + + RequestType + ProvisioningProfileList + + CommandUUID + 0001_ProvisioningProfileList + + \ No newline at end of file diff --git a/examples/mdm/commands/profile.provisioning.list/example2.plist b/examples/mdm/commands/profile.provisioning.list/example2.plist new file mode 100644 index 0000000..bee8fa6 --- /dev/null +++ b/examples/mdm/commands/profile.provisioning.list/example2.plist @@ -0,0 +1,23 @@ + + + + + CommandUUID + 0001_ProvisioningProfileList + ProvisioningProfileList + + + ExpiryDate + 2020-02-12T20:58:40Z + Name + My Company (February 2019 - February 2020) + UUID + 493d9dc8-e4c0-4fd8-bd8e-8fd4c0dc7b0c + + + Status + Acknowledged + UDID + 00008020-000915083C80012E + + \ No newline at end of file diff --git a/examples/mdm/commands/profile.provisioning.remove/example1.plist b/examples/mdm/commands/profile.provisioning.remove/example1.plist new file mode 100644 index 0000000..6fe9b8c --- /dev/null +++ b/examples/mdm/commands/profile.provisioning.remove/example1.plist @@ -0,0 +1,15 @@ + + + + + Command + + RequestType + RemoveProvisioningProfile + UUID + 493d9dc8-e4c0-4fd8-bd8e-8fd4c0dc7b0c + + CommandUUID + 0001_RemoveProvisioningProfile + + \ No newline at end of file diff --git a/examples/mdm/commands/profile.provisioning.remove/example2.plist b/examples/mdm/commands/profile.provisioning.remove/example2.plist new file mode 100644 index 0000000..02b4b8d --- /dev/null +++ b/examples/mdm/commands/profile.provisioning.remove/example2.plist @@ -0,0 +1,12 @@ + + + + + CommandUUID + 0001_RemoveProvisioningProfile + Status + Acknowledged + UDID + 00008020-000915083C80012E + + \ No newline at end of file diff --git a/examples/mdm/commands/profile.remove/example1.plist b/examples/mdm/commands/profile.remove/example1.plist new file mode 100644 index 0000000..b5e83fb --- /dev/null +++ b/examples/mdm/commands/profile.remove/example1.plist @@ -0,0 +1,15 @@ + + + + + Command + + Identifier + com.acme.myprofile + RequestType + RemoveProfile + + CommandUUID + 0001_RemoveProfile + + \ No newline at end of file diff --git a/examples/mdm/commands/profile.remove/example2.plist b/examples/mdm/commands/profile.remove/example2.plist new file mode 100644 index 0000000..e5c96b1 --- /dev/null +++ b/examples/mdm/commands/profile.remove/example2.plist @@ -0,0 +1,12 @@ + + + + + CommandUUID + 0001_RemoveProfile + Status + Acknowledged + UDID + 00008020-000915083C80012E + + \ No newline at end of file diff --git a/examples/mdm/commands/remotedesktop.disable/example1.plist b/examples/mdm/commands/remotedesktop.disable/example1.plist new file mode 100644 index 0000000..7387388 --- /dev/null +++ b/examples/mdm/commands/remotedesktop.disable/example1.plist @@ -0,0 +1,13 @@ + + + + + Command + + RequestType + DisableRemoteDesktop + + CommandUUID + 0001_DisableRemoteDesktop + + \ No newline at end of file diff --git a/examples/mdm/commands/remotedesktop.disable/example2.plist b/examples/mdm/commands/remotedesktop.disable/example2.plist new file mode 100644 index 0000000..6de961d --- /dev/null +++ b/examples/mdm/commands/remotedesktop.disable/example2.plist @@ -0,0 +1,12 @@ + + + + + CommandUUID + 0001_DisableRemoteDesktop + Status + Acknowledged + UDID + E84CD517-CB37-52F7-988C-DB5137B604B8 + + \ No newline at end of file diff --git a/examples/mdm/commands/remotedesktop.enable/example1.plist b/examples/mdm/commands/remotedesktop.enable/example1.plist new file mode 100644 index 0000000..2771972 --- /dev/null +++ b/examples/mdm/commands/remotedesktop.enable/example1.plist @@ -0,0 +1,13 @@ + + + + + Command + + RequestType + EnableRemoteDesktop + + CommandUUID + 0001_EnableRemoteDesktop + + \ No newline at end of file diff --git a/examples/mdm/commands/remotedesktop.enable/example2.plist b/examples/mdm/commands/remotedesktop.enable/example2.plist new file mode 100644 index 0000000..5f61fd8 --- /dev/null +++ b/examples/mdm/commands/remotedesktop.enable/example2.plist @@ -0,0 +1,12 @@ + + + + + CommandUUID + 0001_EnableRemoteDesktop + Status + Acknowledged + UDID + E84CD517-CB37-52F7-988C-DB5137B604B8 + + \ No newline at end of file diff --git a/examples/mdm/commands/rotate.file.vault.key/example1.plist b/examples/mdm/commands/rotate.file.vault.key/example1.plist new file mode 100644 index 0000000..e5f02ae --- /dev/null +++ b/examples/mdm/commands/rotate.file.vault.key/example1.plist @@ -0,0 +1,39 @@ + + + + + Command + + FileVaultUnlock + + Password + mypassword + + KeyType + personal + ReplyEncryptionCertificate + + MIIDKTCCAhGgAwIBAgIFAKGAf9cwDQYJKoZIhvcNAQELBQAwRTEfMB0GA1UEAwwWRmls + ZVZhdWx0IFJlY292ZXJ5IEtleTEiMCAGA1UEDQwZR3JhaGFtcy1NYWNCb29rLVByby5s + b2NhbDAeFw0yMDA2MTEyMzIwMjNaFw0yMTA2MTEyMzIwMjNaMEUxHzAdBgNVBAMMFkZp + bGVWYXVsdCBSZWNvdmVyeSBLZXkxIjAgBgNVBA0MHNdyYWhhbXMtTWFjQm9vay1Qcm8u + bG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSNk47J9l7Amit4JPf + YEj6PvqZ5nH4kPsRmoAO1FfACpzskN7gA1qui7N+O0NNjtleUI2pX8X9NvINxfPX/KTy + eP0VXlhixvYgKMiEUkrVFBrxRtQ+7Ow80MQUAKlDBe5FVj4GyN9sAPuAu7WaJtvDAWAW + rBSRJNqdOYpKEkgK8N9a52BmuDEBtmpaq5o5JgR2Vc+OmjcogknZi++11dKI7sDCzF3e + jO28e9E8XNBFRO716XdyEd/VU6rE8SQmpYqrfun1pRNtiiv3dTKKn9Gl42kg7RQHjMjx + OjmBjzWLdFrO51crcJqbT/IQ0pjWqjDcwOz9Z2gWqbtxTrrWyuJZAgMBAAGjIDAeMAsG + A1UdDwQEAwICtDAPBgNVHRMBAf8EBTADAQEAMA0GCSqGSIb3DQEBCwUAA4IBAQCcA999 + lIN+t6u/DrTXhWlLKj8HXTmVVl8gkhxm42aZo/QsJr+gPsXF0yOWqkPpnhkrq6GVXgPx + T7xmNv5+nDIcHX/mKRXBAUdWi/HDa3Wiytk4g9wO4xYsnBIhL5y2PHid9bSA1peKZsLL + CX1v8vuA66trSp2fKYxW54VkLXR6xMqUcxTjp0qlfNRL6IHA6G/ogyjRkd0kt0+BwbYy + 81dDKJHVxsYOUtQlmfa8dUl20SmLwZ/bujPFetfuvWmSHrnM//J5OT4HLoGRzqXhuC/m + XEildp3HTCm6epem3cP6Sx99aGIi08xddDzmH/5XoPmuG4uw2+ry+qbhD/UYbJbX + + RequestType + RotateFileVaultKey + + CommandUUID + 0001_RotateFileVaultKey + + \ No newline at end of file diff --git a/examples/mdm/commands/rotate.file.vault.key/example2.plist b/examples/mdm/commands/rotate.file.vault.key/example2.plist new file mode 100644 index 0000000..bee1674 --- /dev/null +++ b/examples/mdm/commands/rotate.file.vault.key/example2.plist @@ -0,0 +1,29 @@ + + + + + CommandUUID + 0001_RotateFileVaultKey + RotateResult + + EncryptedNewRecoveryKey + + MIAGCSqGSIb3DQEHA6CAMIACAQAxggFqMIIBZgIBADBOMEUxHzAdBgNVBAMM + FkZpbGVWYXVsdCBSZWNvdmVyeSBLZXkxIjAgBgNVBA0MGUdyYWhhbXMtTWFj + Qm9vay1Qcm8ubG9jYWwCBQChgH/XMA0GDSqGSIb3DQEBAQUABIIBAFBvGbMf + 6D4hDmw3QenxL1/+3aiiMLR0Gb9hM60mnpOA9BA0o2G3QpjSRB1QBXx/Neiy + +p3Ov1YJRdTNoECTjUSJJhxrtnj4TBykqLBlDmkuykz38ykvH85OUP17LMRh + ThwmLVXPl9I+VZJHjFMRexjo1xiHDiIjji6o3FX2Ym0Vwt9j9+OlbN/7a6Zg + ojVvi6DTuqxOsdr6w5ASzenWoTnahzEDJ0gijHaVV2EQOuyeHGYiBO6Y4R5x + hpZPvw0YWY5cczRsUN+SmOuVpGNnL3wsUnDOrzbDM04u5jRkPG5v/kViTsPK + SKLZ3UXf4kuRzUuRDSY9ScjNKmw4z7VHSU0wgAYJKoZIhvcNAQcBMBQGCCqG + SIb3DQMHBAgwBpgbOFMR0qCABBip8ehhj0meZHHlEJYtifUFt7UIG37X/9IE + CFaxcdPJL8tsAAAAAAAAAAAAAA== + + + Status + Acknowledged + UDID + 99710D9B-9D05-5CC2-8BAE-590865D2753C + + \ No newline at end of file diff --git a/examples/mdm/commands/rotate.file.vault.key/example3.plist b/examples/mdm/commands/rotate.file.vault.key/example3.plist new file mode 100644 index 0000000..8c5d47e --- /dev/null +++ b/examples/mdm/commands/rotate.file.vault.key/example3.plist @@ -0,0 +1,39 @@ + + + + + Command + + FileVaultUnlock + + Password + mypassword + + KeyType + institutional + NewCertificate + + MIIDKTCCAhGgAwIBAgIFAKGAf9cwDQYJKoZIhvcNAQELBQAwRTEfMB0GA1UEAwwWRmls + ZVZhdWx0IFJlY292ZXJ5IEtleTEiMCAGA1UEDQwZR3JhaGFtcy1NYWNCb29rLVByby5s + b2NhbDAeFw0yMDA2MTEyMzIwMjNaFw0yMTA2MTEyMzIwMjNaMEUxHzAdBgNVBAMMFkZp + bGVWYXVsdCBSZWNvdmVyeSBLZXkxIjAgBgNVBA0MHNdyYWhhbXMtTWFjQm9vay1Qcm8u + bG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSNk47J9l7Amit4JPf + YEj6PvqZ5nH4kPsRmoAO1FfACpzskN7gA1qui7N+O0NNjtleUI2pX8X9NvINxfPX/KTy + eP0VXlhixvYgKMiEUkrVFBrxRtQ+7Ow80MQUAKlDBe5FVj4GyN9sAPuAu7WaJtvDAWAW + rBSRJNqdOYpKEkgK8N9a52BmuDEBtmpaq5o5JgR2Vc+OmjcogknZi++11dKI7sDCzF3e + jO28e9E8XNBFRO716XdyEd/VU6rE8SQmpYqrfun1pRNtiiv3dTKKn9Gl42kg7RQHjMjx + OjmBjzWLdFrO51crcJqbT/IQ0pjWqjDcwOz9Z2gWqbtxTrrWyuJZAgMBAAGjIDAeMAsG + A1UdDwQEAwICtDAPBgNVHRMBAf8EBTADAQEAMA0GCSqGSIb3DQEBCwUAA4IBAQCcA999 + lIN+t6u/DrTXhWlLKj8HXTmVVl8gkhxm42aZo/QsJr+gPsXF0yOWqkPpnhkrq6GVXgPx + T7xmNv5+nDIcHX/mKRXBAUdWi/HDa3Wiytk4g9wO4xYsnBIhL5y2PHid9bSA1peKZsLL + CX1v8vuA66trSp2fKYxW54VkLXR6xMqUcxTjp0qlfNRL6IHA6G/ogyjRkd0kt0+BwbYy + 81dDKJHVxsYOUtQlmfa8dUl20SmLwZ/bujPFetfuvWmSHrnM//J5OT4HLoGRzqXhuC/m + XEildp3HTCm6epem3cP6Sx99aGIi08xddDzmH/5XoPmuG4uw2+ry+qbhD/UYbJbX + + RequestType + RotateFileVaultKey + + CommandUUID + 0001_RotateFileVaultKey + + \ No newline at end of file diff --git a/examples/mdm/commands/rotate.file.vault.key/example4.plist b/examples/mdm/commands/rotate.file.vault.key/example4.plist new file mode 100644 index 0000000..a73713b --- /dev/null +++ b/examples/mdm/commands/rotate.file.vault.key/example4.plist @@ -0,0 +1,14 @@ + + + + + CommandUUID + 0001_RotateFileVaultKey + RotateResult + + Status + Acknowledged + UDID + 99710D9B-9D05-5CC2-8BAE-590865D2753C + + \ No newline at end of file diff --git a/examples/mdm/commands/set.auto.admin.password/example1.plist b/examples/mdm/commands/set.auto.admin.password/example1.plist new file mode 100644 index 0000000..b29bceb --- /dev/null +++ b/examples/mdm/commands/set.auto.admin.password/example1.plist @@ -0,0 +1,34 @@ + + + + + Command + + GUID + F7C60A02-E0AB-4C87-8356-E0CC11568043 + RequestType + SetAutoAdminPassword + passwordHash + + PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4K + PCFET0NUWVBFIHBsaXN0IFBVQkxJQyAiLS8vQXBwbGUvL0RURCBQ + TElTVCAxLjAvL0VOIiAiaHR0cDovL3d3dy5hcHBsZS5jb20vRFRE + cy9Qcm9wZXJ0eUxpc3QtMS4wLmR0ZCI+CjxwbGlzdCB2ZXJzaW9u + PSIxLjAiPgo8ZGljdD4KCTxrZXk+U0FMVEVELVNIQTUxMi1QQktE + RjI8L2tleT4KCTxkaWN0PgoJCTxrZXk+ZW50cm9weTwva2V5PgoJ + CTxkYXRhPgoJCVpxcWVkTU5Ya3BtVjhEbU5iRFdUYjBHTDNSNjAz + RHNVSllkb1BvV0NlK2gwRDNubC9mWCsxTlpKSUxPdgoJCTBxQTVC + Q0FBSEZCZ3REQzVqeEF3a2NyZ1puZVd4eWpGZGpvT0hsV2RoYWVF + T0MyaFBwVktIaC9WUk9uUQoJCXM2cWUvRGtaZ1djVDBQdk9VQ3NM + ZVhTd2dOTU9UNGFwMnJWR0IxOVFwSFBpdnJrNmp2dz0KCQk8L2Rh + dGE+CgkJPGtleT5pdGVyYXRpb25zPC9rZXk+CgkJPGludGVnZXI+ + NDAwMDA8L2ludGVnZXI+CgkJPGtleT5zYWx0PC9rZXk+CgkJPGRh + dGE+CgkJZUl3Q3hxUk1NVm0wWGZ3VmpvbERCNEFUc2I0K3ZWMjdL + Z1hDdU5ZMkNlOD0KCQk8L2RhdGE+Cgk8L2RpY3Q+CjwvZGljdD4K + PC9wbGlzdD4K + + + CommandUUID + 0001_SetAutoAdminPassword + + \ No newline at end of file diff --git a/examples/mdm/commands/set.auto.admin.password/example2.plist b/examples/mdm/commands/set.auto.admin.password/example2.plist new file mode 100644 index 0000000..3e34ac9 --- /dev/null +++ b/examples/mdm/commands/set.auto.admin.password/example2.plist @@ -0,0 +1,12 @@ + + + + + CommandUUID + 0001_SetAutoAdminPassword + Status + Acknowledged + UDID + 91FE0F6E-F91C-589A-95E6-02835CE7126D + + \ No newline at end of file diff --git a/examples/mdm/commands/settings/example1.plist b/examples/mdm/commands/settings/example1.plist new file mode 100644 index 0000000..7564459 --- /dev/null +++ b/examples/mdm/commands/settings/example1.plist @@ -0,0 +1,22 @@ + + + + + Command + + RequestType + Settings + Settings + + + DeviceName + NewName + Item + DeviceName + + + + CommandUUID + 0001_Settings + + \ No newline at end of file diff --git a/examples/mdm/commands/settings/example2.plist b/examples/mdm/commands/settings/example2.plist new file mode 100644 index 0000000..707fe27 --- /dev/null +++ b/examples/mdm/commands/settings/example2.plist @@ -0,0 +1,21 @@ + + + + + CommandUUID + 0001_Settings + Settings + + + Item + DeviceName + Status + Acknowledged + + + Status + Acknowledged + UDID + 00008020-000915083C80012E + + \ No newline at end of file diff --git a/examples/mdm/commands/system.update.available/example1.plist b/examples/mdm/commands/system.update.available/example1.plist new file mode 100644 index 0000000..ed58996 --- /dev/null +++ b/examples/mdm/commands/system.update.available/example1.plist @@ -0,0 +1,13 @@ + + + + + Command + + RequestType + AvailableOSUpdates + + CommandUUID + 0001_AvailableOSUpdates + + \ No newline at end of file diff --git a/examples/mdm/commands/system.update.available/example2.plist b/examples/mdm/commands/system.update.available/example2.plist new file mode 100644 index 0000000..1972b91 --- /dev/null +++ b/examples/mdm/commands/system.update.available/example2.plist @@ -0,0 +1,37 @@ + + + + + AvailableOSUpdates + + + AllowsInstallLater + + Build + 17A576 + DownloadSize + 251607570 + HumanReadableName + iOS 13.0 + InstallSize + 1809842176 + IsCritical + + ProductKey + iOSUpdate17A576 + ProductName + iOS + RestartRequired + + Version + 13.0 + + + CommandUUID + 0001_AvailableOSUpdates + Status + Acknowledged + UDID + 00008020-000915083C80012E + + \ No newline at end of file diff --git a/examples/mdm/commands/system.update.scan/example1.plist b/examples/mdm/commands/system.update.scan/example1.plist new file mode 100644 index 0000000..170cf8c --- /dev/null +++ b/examples/mdm/commands/system.update.scan/example1.plist @@ -0,0 +1,15 @@ + + + + + Command + + ForceUpdateScan + + RequestType + ScheduleOSUpdateScan + + CommandUUID + 0001_ScheduleOSUpdateScan + + \ No newline at end of file diff --git a/examples/mdm/commands/system.update.scan/example2.plist b/examples/mdm/commands/system.update.scan/example2.plist new file mode 100644 index 0000000..c8682c1 --- /dev/null +++ b/examples/mdm/commands/system.update.scan/example2.plist @@ -0,0 +1,16 @@ + + + + + CommandUUID + 0316_ScheduleOSUpdateScan + ScanInitiated + + ScanInititated + + Status + Acknowledged + UDID + E84CD517-CB37-52F7-988C-DB5137B604B8 + + \ No newline at end of file diff --git a/examples/mdm/commands/system.update.schedule/example1.plist b/examples/mdm/commands/system.update.schedule/example1.plist new file mode 100644 index 0000000..cc778e1 --- /dev/null +++ b/examples/mdm/commands/system.update.schedule/example1.plist @@ -0,0 +1,24 @@ + + + + + Command + + RequestType + ScheduleOSUpdate + Updates + + + InstallAction + DownloadOnly + ProductKey + iOSUpdate17A576 + ProductVersion + 13.0 + + + + CommandUUID + 0001_ScheduleOSUpdate + + \ No newline at end of file diff --git a/examples/mdm/commands/system.update.schedule/example2.plist b/examples/mdm/commands/system.update.schedule/example2.plist new file mode 100644 index 0000000..e17b0bd --- /dev/null +++ b/examples/mdm/commands/system.update.schedule/example2.plist @@ -0,0 +1,23 @@ + + + + + CommandUUID + 0001_ScheduleOSUpdate + Status + Acknowledged + UDID + 00008020-000915083C80012E + UpdateResults + + + InstallAction + DownloadOnly + ProductKey + iOSUpdate17A576 + Status + Downloading + + + + \ No newline at end of file diff --git a/examples/mdm/commands/system.update.status/example1.plist b/examples/mdm/commands/system.update.status/example1.plist new file mode 100644 index 0000000..3d5beaa --- /dev/null +++ b/examples/mdm/commands/system.update.status/example1.plist @@ -0,0 +1,13 @@ + + + + + Command + + RequestType + OSUpdateStatus + + CommandUUID + 0001_OSUpdateStatus + + \ No newline at end of file diff --git a/examples/mdm/commands/system.update.status/example2.plist b/examples/mdm/commands/system.update.status/example2.plist new file mode 100644 index 0000000..ae33d98 --- /dev/null +++ b/examples/mdm/commands/system.update.status/example2.plist @@ -0,0 +1,25 @@ + + + + + CommandUUID + 0001_OSUpdateStatus + OSUpdateStatus + + + DownloadPercentComplete + 0.5030184984207153 + IsDownloaded + + ProductKey + iOSUpdate17A576 + Status + Downloading + + + Status + Acknowledged + UDID + 00008020-000915083C80012E + + \ No newline at end of file diff --git a/examples/mdm/profiles/GlobalPreferences/example1.plist b/examples/mdm/profiles/GlobalPreferences/example1.plist new file mode 100644 index 0000000..b0e941a --- /dev/null +++ b/examples/mdm/profiles/GlobalPreferences/example1.plist @@ -0,0 +1,35 @@ + + + + + PayloadContent + + + MultipleSessionEnabled + + com.example.autologout.AutoLogOutDelay + 1800 + LULookupDisabled + + PayloadIdentifier + com.example.myglobalpayload + PayloadType + .GlobalPreferences + PayloadUUID + b5033127-c0ef-4055-8fc5-7db5a8216bc8 + PayloadVersion + 1 + + + PayloadDisplayName + Global Preferences + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 52e0e1b6-067f-407a-a36c-7e7b917b2982 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.ADCertificate.managed/example1.plist b/examples/mdm/profiles/com.apple.ADCertificate.managed/example1.plist new file mode 100644 index 0000000..66e0d3a --- /dev/null +++ b/examples/mdm/profiles/com.apple.ADCertificate.managed/example1.plist @@ -0,0 +1,41 @@ + + + + + PayloadContent + + + CertServer + server.example.com + CertTemplate + MachineUser + CertificateAcquisitionMechanism + RPC + CertificateAuthority + Example + Description + Active Directory Certificate + PromptForCredentials + + PayloadIdentifier + com.example.myADcertpayload + PayloadType + com.apple.myadcertificate.managed + PayloadUUID + 59729e65-4c09-4fa1-b367-7a38cfd1b190 + PayloadVersion + 1 + + + PayloadDisplayName + Active Directory Certificate + PayloadIdentifier + com.example.myprofile + PayloadType + com.apple.ADCertificate.managed + PayloadUUID + 55a22a34-02b7-49d8-8116-ea95c3545261 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.AssetCache.managed/example1.plist b/examples/mdm/profiles/com.apple.AssetCache.managed/example1.plist new file mode 100644 index 0000000..9dfcabf --- /dev/null +++ b/examples/mdm/profiles/com.apple.AssetCache.managed/example1.plist @@ -0,0 +1,50 @@ + + + + PayloadContent + + + AllowPersonalCaching + + AllowSharedCaching + + AutoActivation + + CacheLimit + 180000000000 + DenyTetheredCaching + + ListenRangesOnly + + LocalSubnetsOnly + + LogClientIdentity + + ParentSelectionPolicy + round-robin + PeerLocalSubnetsOnly + + Port + 0 + PayloadIdentifier + com.example.mycontentcachingpayload + PayloadType + com.apple.AssetCache.managed + PayloadUUID + c7d8c850-e4ef-0135-0bd6-0c4de9ce4c04 + PayloadVersion + 1 + + + PayloadDisplayName + Content Caching + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + a430c370-b5d5-4e5b-b46b-137931e8b230 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.Dictionary/example1.plist b/examples/mdm/profiles/com.apple.Dictionary/example1.plist new file mode 100644 index 0000000..3185725 --- /dev/null +++ b/examples/mdm/profiles/com.apple.Dictionary/example1.plist @@ -0,0 +1,31 @@ + + + + + PayloadContent + + + parentalControl + + PayloadIdentifier + com.example.mydictionarypayload + PayloadType + com.apple.Dictionary + PayloadUUID + 0158853b-e3d5-41d6-b4d2-ada868a36042 + PayloadVersion + 1 + + + PayloadDisplayName + Parental Controls Dictionary + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 9b0ea70d-b1b1-4a96-81e7-3b33bfd563d5 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.DirectoryService.managed/example1.plist b/examples/mdm/profiles/com.apple.DirectoryService.managed/example1.plist new file mode 100644 index 0000000..c4f165d --- /dev/null +++ b/examples/mdm/profiles/com.apple.DirectoryService.managed/example1.plist @@ -0,0 +1,35 @@ + + + + + PayloadContent + + + HostName + host.example.com + Password + Password123 + UserName + bind + PayloadIdentifier + com.example.mydspayload + PayloadType + com.apple.DirectoryService.managed + PayloadUUID + bb657e20-60b9-4c47-8730-51803ddf69e7 + PayloadVersion + 1 + + + PayloadDisplayName + Active Directory + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 079b6bc3-4356-4d80-89b4-a4b8a82eb739 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.DiscRecording/example1.plist b/examples/mdm/profiles/com.apple.DiscRecording/example1.plist new file mode 100644 index 0000000..c1fb9dc --- /dev/null +++ b/examples/mdm/profiles/com.apple.DiscRecording/example1.plist @@ -0,0 +1,31 @@ + + + + + PayloadContent + + + BurnSupport + authenticate + PayloadIdentifier + com.example.mymediamanagementpayload + PayloadType + com.apple.DiscRecording + PayloadUUID + c7d88693-77a2-4f4d-a782-6569a1c2d92c + PayloadVersion + 1 + + + PayloadDisplayName + Media Management + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 8996588b-f785-4720-b68f-fa9c61d74bd4 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.MCX(Accounts)/example1.plist b/examples/mdm/profiles/com.apple.MCX(Accounts)/example1.plist new file mode 100644 index 0000000..d2a8663 --- /dev/null +++ b/examples/mdm/profiles/com.apple.MCX(Accounts)/example1.plist @@ -0,0 +1,31 @@ + + + + + PayloadContent + + + EnableGuestAccount + + PayloadIdentifier + com.example.myaccountpayload + PayloadType + com.apple.MCX + PayloadUUID + 5d4e377c-108c-44af-a46e-97a5aac1e270 + PayloadVersion + 1 + + + PayloadDisplayName + Accounts + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 8cd28a9d-625e-4056-bbd0-43617bb8efb7 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.MCX(EnergySaver)/example1.plist b/examples/mdm/profiles/com.apple.MCX(EnergySaver)/example1.plist new file mode 100644 index 0000000..f608604 --- /dev/null +++ b/examples/mdm/profiles/com.apple.MCX(EnergySaver)/example1.plist @@ -0,0 +1,97 @@ + + + + + PayloadContent + + + com.apple.EnergySaver.desktop.ACPower + + Automatic Restart On Power Loss + 1 + Disk Sleep Timer + 180 + Display Sleep Timer + 60 + Sleep On Power Button + 0 + System Sleep Timer + 120 + Wake On LAN + 1 + + com.apple.EnergySaver.desktop.ACPower-ProfileNumber + -1 + com.apple.EnergySaver.desktop.Schedule + + RepeatingPowerOff + + eventtype + sleep + time + 0 + weekdays + 31 + + RepeatingPowerOn + + eventtype + wakepoweron + time + 0 + weekdays + 31 + + + com.apple.EnergySaver.portable.ACPower + + Automatic Restart On Power Loss + 1 + Disk Sleep Timer + 180 + Display Sleep Timer + 5 + System Sleep Timer + 10 + Wake On LAN + 1 + + com.apple.EnergySaver.portable.ACPower-ProfileNumber + -1 + com.apple.EnergySaver.portable.BatteryPower + + Automatic Restart On Power Loss + 1 + Disk Sleep Timer + 180 + Display Sleep Timer + 5 + System Sleep Timer + 10 + Wake On LAN + 1 + + com.apple.EnergySaver.portable.BatteryPower-ProfileNumber + -1 + PayloadIdentifier + com.example.myenergysaverpayload + PayloadType + com.apple.MCX + PayloadUUID + e66c94e5-f059-404e-9188-ff152cb80c64 + PayloadVersion + 1 + + + PayloadDisplayName + EnergySaver + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 2627f09c-a6ea-4a2d-94b3-f6df28b3c6af + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.MCX(FileVault2)/example1.plist b/examples/mdm/profiles/com.apple.MCX(FileVault2)/example1.plist new file mode 100644 index 0000000..07cb41c --- /dev/null +++ b/examples/mdm/profiles/com.apple.MCX(FileVault2)/example1.plist @@ -0,0 +1,31 @@ + + + + + PayloadContent + + + dontAllowFDEDisable + + PayloadIdentifier + com.example.myfdefvoptionspayload + PayloadType + com.apple.MCX + PayloadUUID + 0a8f4102-0fbf-4d8c-b1e1-3d916f89d927 + PayloadVersion + 1 + + + PayloadDisplayName + FileVault 2 Options + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 92821df0-7c04-4366-b805-eb51ed87541b + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.MCX(Mobility)/example1.plist b/examples/mdm/profiles/com.apple.MCX(Mobility)/example1.plist new file mode 100644 index 0000000..bf9244c --- /dev/null +++ b/examples/mdm/profiles/com.apple.MCX(Mobility)/example1.plist @@ -0,0 +1,31 @@ + + + + + PayloadContent + + + com.apple.cachedaccounts.CreateAtLogin + + PayloadIdentifier + com.example.mymobileccountpayload + PayloadType + com.apple.MCX + PayloadUUID + 93aa2058-4fe5-4f8b-a409-80f05b7fb2f0 + PayloadVersion + 1 + + + PayloadDisplayName + Mobility + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + b89ce975-801b-4994-8f68-dc5cad408ad1 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.MCX(TimeServer)/example1.plist b/examples/mdm/profiles/com.apple.MCX(TimeServer)/example1.plist new file mode 100644 index 0000000..d087da3 --- /dev/null +++ b/examples/mdm/profiles/com.apple.MCX(TimeServer)/example1.plist @@ -0,0 +1,33 @@ + + + + + PayloadContent + + + timeServer + ntp.example.com + timeZone + America/Denver + PayloadIdentifier + com.example.mytimeserverpayload + PayloadType + com.apple.MCX + PayloadUUID + 7bc24f5a-5ad8-4ad0-b05e-8f5f4418ff05 + PayloadVersion + 1 + + + PayloadDisplayName + Time Server + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + a18b9fa3-dbdc-4e60-89e0-d785c7c6a1a0 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.MCX(WiFi)/example1.plist b/examples/mdm/profiles/com.apple.MCX(WiFi)/example1.plist new file mode 100644 index 0000000..9293e83 --- /dev/null +++ b/examples/mdm/profiles/com.apple.MCX(WiFi)/example1.plist @@ -0,0 +1,35 @@ + + + + + PayloadContent + + + RequireAdminForAirPortNetworkChange + + RequireAdminForIBSS + + RequireAdminToTurnAirPortOnOff + + PayloadIdentifier + com.example.mymanagedwifipayload + PayloadType + com.apple.MCX + PayloadUUID + 8d527efa-0768-49e4-b328-9b222d23c379 + PayloadVersion + 1 + + + PayloadDisplayName + Managed Wi-Fi + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 944429fb-2a8d-4d48-81ab-056428104593 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.MCX.FileVault2/example1.plist b/examples/mdm/profiles/com.apple.MCX.FileVault2/example1.plist new file mode 100644 index 0000000..76fa8c6 --- /dev/null +++ b/examples/mdm/profiles/com.apple.MCX.FileVault2/example1.plist @@ -0,0 +1,41 @@ + + + + + PayloadContent + + + Defer + + Enable + On + ShowRecoveryKey + + UseKeychain + + UseRecoveryKey + + UserEntersMissingInfo + + PayloadIdentifier + com.example.myfdefilevaultpayload + PayloadType + com.apple.MCX.FileVault2 + PayloadUUID + c2c5f5e9-8ffc-4d8f-9108-fd655b90fdb2 + PayloadVersion + 1 + + + PayloadDisplayName + FDE File Vault + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 5ba0de0e-ff06-4c0b-8dca-f5b55ed9de86 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.MCX.TimeMachine/example1.plist b/examples/mdm/profiles/com.apple.MCX.TimeMachine/example1.plist new file mode 100644 index 0000000..c1f8293 --- /dev/null +++ b/examples/mdm/profiles/com.apple.MCX.TimeMachine/example1.plist @@ -0,0 +1,45 @@ + + + + + PayloadContent + + + AutoBackup + + BackupAllVolumes + + BackupDestURL + server.example.com + BackupSizeMB + 1000 + BackupSkipSys + + MobileBackups + + SkipPaths + + /Users/Shared + + PayloadIdentifier + com.example.mytimemachinepayload + PayloadType + com.apple.MCX.TimeMachine + PayloadUUID + 5f0be3a6-c9b8-44db-a2ae-414311772fdb + PayloadVersion + 1 + + + PayloadDisplayName + Time Machine + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 68ca5f6c-13e8-43c3-b2ee-8bc405f5eed5 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.ManagedClient.preferences/example1.plist b/examples/mdm/profiles/com.apple.ManagedClient.preferences/example1.plist new file mode 100644 index 0000000..4974ae7 --- /dev/null +++ b/examples/mdm/profiles/com.apple.ManagedClient.preferences/example1.plist @@ -0,0 +1,45 @@ + + + + + PayloadContent + + + PayloadContent + + com.example.myapp + + Forced + + + mcx_preference_settings + + MySetting + + + + + + + PayloadIdentifier + com.example.mymanprefpayload + PayloadType + com.apple.ManagedClient.preferences + PayloadUUID + 83c9f6e8-ef4b-4974-b83b-b2e7fe79b75c + PayloadVersion + 1 + + + PayloadDisplayName + Managed Preference + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 54e23577-3424-4092-a9b4-a5e5af88fd52 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.NSExtension/example1.plist b/examples/mdm/profiles/com.apple.NSExtension/example1.plist new file mode 100644 index 0000000..21706c0 --- /dev/null +++ b/examples/mdm/profiles/com.apple.NSExtension/example1.plist @@ -0,0 +1,41 @@ + + + + + PayloadContent + + + AllowedExtensions + + com.apple.share.AirDrop.send + + DeniedExtensions + + com.apple.ncplugin.stocks + + DeniedExtensionPoints + + com.apple.share-services + + PayloadIdentifier + com.example.mynsempayload + PayloadType + com.apple.nsextension + PayloadUUID + 9726bc46-1e51-466b-99e3-81b23561cf81 + PayloadVersion + 1 + + + PayloadDisplayName + NS Extension Management + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 4cc87081-feee-46d1-b5d1-2a2fde9a8402 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.SetupAssistant.managed/example1.plist b/examples/mdm/profiles/com.apple.SetupAssistant.managed/example1.plist new file mode 100644 index 0000000..d2f6c3c --- /dev/null +++ b/examples/mdm/profiles/com.apple.SetupAssistant.managed/example1.plist @@ -0,0 +1,47 @@ + + + + + PayloadContent + + + SkipCloudSetup + + SkipSiriSetup + + SkipPrivacySetup + + SkipiCloudStorageSetup + + SkipTrueTone + + SkipAppearance + + SkipTouchIDSetup + + SkipScreenTime + + SkipAccessibility + + PayloadIdentifier + com.example.mysetupassistantpayload + PayloadType + com.apple.SetupAssistant.managed + PayloadUUID + 0dfccedc-e28f-4df5-bca7-a0807deab543 + PayloadVersion + 1 + + + PayloadDisplayName + Setup Assistant + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 4a66b685-604a-4558-92c7-ae3e082cf0ae + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.SoftwareUpdate/example1.plist b/examples/mdm/profiles/com.apple.SoftwareUpdate/example1.plist new file mode 100644 index 0000000..6ff8b62 --- /dev/null +++ b/examples/mdm/profiles/com.apple.SoftwareUpdate/example1.plist @@ -0,0 +1,31 @@ + + + + + PayloadContent + + + AutomaticallyInstallAppUpdates + + PayloadIdentifier + com.example.mysoftwareupdatepayload + PayloadType + com.apple.SoftwareUpdate + PayloadUUID + af3c6efa-0dd3-4021-814b-6f2dba91428b + PayloadVersion + 1 + + + PayloadDisplayName + Software Update + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 8b6061ab-31c6-4eee-ba5b-8a09ea8f5fa7 + PayloadVersion + 1 + + diff --git a/examples/mdm/profiles/com.apple.SystemConfiguration/example1.plist b/examples/mdm/profiles/com.apple.SystemConfiguration/example1.plist new file mode 100644 index 0000000..5af7a63 --- /dev/null +++ b/examples/mdm/profiles/com.apple.SystemConfiguration/example1.plist @@ -0,0 +1,44 @@ + + + + + PayloadContent + + + Proxies + + Exceptions + + *.local, 169.254/16 + + HTTPEnable + 1 + HTTPProxy + proxy.example.com + HTTPPort + 8080 + FTPPassive + 1 + + PayloadIdentifier + com.example.myproxypayload + PayloadType + com.apple.SystemConfiguration + PayloadUUID + db29e77a-58ee-404b-8579-935a202cf16c + PayloadVersion + 1 + + + PayloadDisplayName + Network Proxy Configuration + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + b2b00925-6565-4e56-85ab-e012ee0ce4e9 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.TCC.configuration-profile-policy/example1.plist b/examples/mdm/profiles/com.apple.TCC.configuration-profile-policy/example1.plist new file mode 100644 index 0000000..1c842c9 --- /dev/null +++ b/examples/mdm/profiles/com.apple.TCC.configuration-profile-policy/example1.plist @@ -0,0 +1,47 @@ + + + + + PayloadContent + + + Services + + PostEvent + + + Allowed + + CodeRequirement + identifier com.apple.screensharing.agent + Comment + Allow PostEvent control for ScreensharingAgent + Identifier + com.apple.screensharing.agent + IdentifierType + bundleID + + + + PayloadIdentifier + com.example.mytccpayload + PayloadType + com.apple.TCC.configuration-profile-policy + PayloadUUID + 5AAF51E3-D21F-4CE6-B0AA-074D75916F68 + PayloadVersion + 1 + + + PayloadDisplayName + Privacy Preferences Policy Control + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 221000F0-D07A-11E8-811E-D0817ADA38E4 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.airplay.security/example1.plist b/examples/mdm/profiles/com.apple.airplay.security/example1.plist new file mode 100644 index 0000000..fda5f78 --- /dev/null +++ b/examples/mdm/profiles/com.apple.airplay.security/example1.plist @@ -0,0 +1,35 @@ + + + + + PayloadContent + + + Password + MyPassword + PayloadIdentifier + com.example.myairplaysecuritypayload + PayloadType + com.apple.airplay.security + PayloadUUID + c0b60f19-91c7-482e-9a95-6ba71220d93e + PayloadVersion + 1 + SecurityType + PASSWORD + AccessType + ANY + + + PayloadDisplayName + AirPlay Security + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 40dc47ea-41c9-4c79-8b30-a027cf6eacd6 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.airplay/example1.plist b/examples/mdm/profiles/com.apple.airplay/example1.plist new file mode 100644 index 0000000..258cf21 --- /dev/null +++ b/examples/mdm/profiles/com.apple.airplay/example1.plist @@ -0,0 +1,45 @@ + + + + + PayloadContent + + + Passwords + + + DeviceName + Juan's Apple TV + Password + Password123 + + + Whitelist + + + DeviceID + 64:C7:53:EB:DB:B4 + + + PayloadIdentifier + com.example.myairplaysettingspayload + PayloadType + com.apple.airplay + PayloadUUID + dfb67669-67eb-4ed4-ad4f-1f8861029b42 + PayloadVersion + 1 + + + PayloadDisplayName + AirPlay + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + c6ec425e-b224-45fb-8889-7475cb3814cb + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.airprint/example1.plist b/examples/mdm/profiles/com.apple.airprint/example1.plist new file mode 100644 index 0000000..d01f172 --- /dev/null +++ b/examples/mdm/profiles/com.apple.airprint/example1.plist @@ -0,0 +1,42 @@ + + + + + PayloadContent + + + AirPrint + + + IPAddress + 10.0.1.42 + ResourcePath + /ipp/print + + + PayloadDescription + Configures AirPrint settings + PayloadDisplayName + AirPrint + PayloadIdentifier + com.example.myairprintpayload + PayloadType + com.apple.airprint + PayloadUUID + 01bd840a-42d2-4d7a-97d3-4580bc671ff9 + PayloadVersion + 1 + + + PayloadDisplayName + AirPrint + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 159a5866-8323-4be1-84b1-fa4db5e04f0f + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.app.lock/example1.plist b/examples/mdm/profiles/com.apple.app.lock/example1.plist new file mode 100644 index 0000000..efaca70 --- /dev/null +++ b/examples/mdm/profiles/com.apple.app.lock/example1.plist @@ -0,0 +1,34 @@ + + + + + PayloadContent + + + App + + Identifier + com.apple.mobilenotes + + PayloadIdentifier + com.example.myapplockpayload + PayloadType + com.apple.app.lock + PayloadUUID + dc0c6fdd-aae0-4fd0-a19c-861ba28f4c55 + PayloadVersion + 1 + + + PayloadDisplayName + Single App Mode + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 736f867e-3972-4889-aa68-7ce5be12eff6 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.applicationaccess.new/example1.plist b/examples/mdm/profiles/com.apple.applicationaccess.new/example1.plist new file mode 100644 index 0000000..4f40c32 --- /dev/null +++ b/examples/mdm/profiles/com.apple.applicationaccess.new/example1.plist @@ -0,0 +1,54 @@ + + + + + PayloadContent + + + familyControlsEnabled + + pathBlackList + + /Applications/Utilities + + pathWhiteList + + /Applications/Utilities + + whiteList + + + appID + +t4MAAAAADAAAAABAAAABgAAAAIAAAASY29tLmFwcGxlLlRleHRFZGl0AAAAAAAD + appStore + + bundleID + com.example.myotherapp + displayName + My App + subApps + + + + PayloadIdentifier + com.example.myapplicationrestrictionspayload + PayloadType + com.apple.applicationaccess.new + PayloadUUID + e5af83ab-e936-495a-b6b7-05b113cf530e + PayloadVersion + 1 + + + PayloadDisplayName + Parental Controls Application Restrictions + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 144fbebc-4db4-4642-83eb-78eed2992578 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.applicationaccess/example1.plist b/examples/mdm/profiles/com.apple.applicationaccess/example1.plist new file mode 100644 index 0000000..df61097 --- /dev/null +++ b/examples/mdm/profiles/com.apple.applicationaccess/example1.plist @@ -0,0 +1,37 @@ + + + + + PayloadContent + + + allowActivityContinuation + + blockedAppBundleIDs + + com.apple.mobilesafari + + ratingApps + 500 + PayloadIdentifier + com.example.myrestrictionspayload + PayloadType + com.apple.applicationaccess + PayloadUUID + 53bec1be-ffec-4f88-acbd-b02aee8f04a9 + PayloadVersion + 1 + + + PayloadDisplayName + Restrictions + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 6020206c-12c2-4ada-987a-dd4c560ca73a + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.appstore/example1.plist b/examples/mdm/profiles/com.apple.appstore/example1.plist new file mode 100644 index 0000000..3146f60 --- /dev/null +++ b/examples/mdm/profiles/com.apple.appstore/example1.plist @@ -0,0 +1,35 @@ + + + + + PayloadContent + + + DisableSoftwareUpdateNotifications + + restrict-store-disable-app-adoption + + restrict-store-softwareupdate-only + + PayloadIdentifier + com.example.myappstorepayload + PayloadType + com.apple.appstore + PayloadUUID + 44561b1a-c66c-42b8-80cd-c30a29766e34 + PayloadVersion + 1 + + + PayloadDisplayName + App Store + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 61c30df8-92e8-4fc5-8623-8cfc294452ce + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.asam/example1.plist b/examples/mdm/profiles/com.apple.asam/example1.plist new file mode 100644 index 0000000..3f79f7e --- /dev/null +++ b/examples/mdm/profiles/com.apple.asam/example1.plist @@ -0,0 +1,38 @@ + + + + + PayloadContent + + + AllowedApplications + + + BundleIdentifier + com.apple.safari + TeamIdentifier + team-id + + + PayloadIdentifier + com.example.myasampayload + PayloadType + com.apple.asam + PayloadUUID + c324fd3e-d98a-4ea8-818a-5991024cddd0 + PayloadVersion + 1 + + + PayloadDisplayName + Autonomous Single App Mode + PayloadIdentifier + com.example.profile + PayloadType + Configuration + PayloadUUID + 467ab3a0-9423-4c16-a05c-5c99d771088f + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.associated-domains/example1.plist b/examples/mdm/profiles/com.apple.associated-domains/example1.plist new file mode 100644 index 0000000..48e97e4 --- /dev/null +++ b/examples/mdm/profiles/com.apple.associated-domains/example1.plist @@ -0,0 +1,40 @@ + + + + + PayloadContent + + + Configuration + + + ApplicationIdentifier + com.apple.mobilesafari + AssociatedDomains + + www.example.com + + + + PayloadIdentifier + com.example.myassociateddomainpayload + PayloadType + com.apple.associated-domains + PayloadUUID + 7f6e26da-c381-4666-9dc6-50b4cd418652 + PayloadVersion + 1 + + + PayloadDisplayName + Associated Domains + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 2c8c95c4-fde5-4e90-9dea-f8e9ab633562 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.caldav.account/example1.plist b/examples/mdm/profiles/com.apple.caldav.account/example1.plist new file mode 100644 index 0000000..be58290 --- /dev/null +++ b/examples/mdm/profiles/com.apple.caldav.account/example1.plist @@ -0,0 +1,41 @@ + + + + + PayloadContent + + + CalDAVAccountDescription + My CalDAV Account + CalDAVHostName + server.example.com + CalDAVPassword + Password123 + CalDAVPort + 443 + CalDAVUseSSL + + CalDAVUsername + juanchavez4@example.com + PayloadIdentifier + com.example.mycaldavpayload + PayloadType + com.apple.caldav.account + PayloadUUID + 603409f1-b611-459d-9584-0ed12bc25b5b + PayloadVersion + 1 + + + PayloadDisplayName + CalDAV + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 5c8bb406-a74c-4338-93c6-b403a040cc91 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.carddav.account/example1.plist b/examples/mdm/profiles/com.apple.carddav.account/example1.plist new file mode 100644 index 0000000..b69be33 --- /dev/null +++ b/examples/mdm/profiles/com.apple.carddav.account/example1.plist @@ -0,0 +1,41 @@ + + + + + PayloadContent + + + CardDAVAccountDescription + My CardDAV Account + CardDAVHostName + server.example.com + CardDAVPassword + Password123 + CardDAVPort + 443 + CardDAVUseSSL + + CardDAVUsername + juanchavez4 + PayloadIdentifier + com.example.mycardavpayload + PayloadType + com.apple.carddav.account + PayloadUUID + b23d14e3-2f9d-4087-a819-747903fbb176 + PayloadVersion + 1 + + + PayloadDisplayName + CardDAV + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 4fdb234d-8c58-48de-a76d-9ed9d241d273 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.cellular/example1.plist b/examples/mdm/profiles/com.apple.cellular/example1.plist new file mode 100644 index 0000000..a5e7c6b --- /dev/null +++ b/examples/mdm/profiles/com.apple.cellular/example1.plist @@ -0,0 +1,34 @@ + + + + + PayloadContent + + + AttachAPN + + Name + example.com + + PayloadIdentifier + com.example.mycellularnetworkpayload + PayloadType + com.apple.cellular + PayloadUUID + 5a024a67-119f-4b38-8648-4c28a054ec5f + PayloadVersion + 1 + + + PayloadDisplayName + Cellular + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 07eeff13-902a-408b-9bec-2228b86f944f + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.cellularprivatenetwork.managed/example1.plist b/examples/mdm/profiles/com.apple.cellularprivatenetwork.managed/example1.plist new file mode 100644 index 0000000..ce4f5b2 --- /dev/null +++ b/examples/mdm/profiles/com.apple.cellularprivatenetwork.managed/example1.plist @@ -0,0 +1,52 @@ + + + + + PayloadContent + + + CellularDataPreferred + + DataSetName + ExamplePrivateNetwork + EnableNRStandalone + + Geofences + + + Longitude + -122.009 + Latitude + 37.3346 + Radius + 200 + GeofenceId + AppleParkGeofence + + + VersionNumber + 1.0 + PayloadIdentifier + com.example.cellularprivatenetwork + PayloadDescription + GeofenceData + PayloadType + com.apple.cellularprivatenetwork.managed + PayloadUUID + 1d6d6912-708e-441a-9272-526ef05bbe3c + PayloadVersion + 1 + + + PayloadDisplayName + Cellular Private Network + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 3425E7C2-9B02-49EB-8818-F65AA36DDE83 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.conferenceroomdisplay/example1.plist b/examples/mdm/profiles/com.apple.conferenceroomdisplay/example1.plist new file mode 100644 index 0000000..94c853a --- /dev/null +++ b/examples/mdm/profiles/com.apple.conferenceroomdisplay/example1.plist @@ -0,0 +1,31 @@ + + + + + PayloadContent + + + Message + Display Message + PayloadIdentifier + com.example.myconferenceroompayload + PayloadType + com.apple.conferenceroomdisplay + PayloadUUID + 2aff0bfa-62f4-4597-9714-3750f5e3d422 + PayloadVersion + 1 + + + PayloadDisplayName + Conference Room Display + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + c98885c9-12fe-43d2-8476-fb98bc959dd3 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.configurationprofile.identification/example1.plist b/examples/mdm/profiles/com.apple.configurationprofile.identification/example1.plist new file mode 100644 index 0000000..1e2b2fa --- /dev/null +++ b/examples/mdm/profiles/com.apple.configurationprofile.identification/example1.plist @@ -0,0 +1,68 @@ + + + + + PayloadContent + + + CalDAVAccountDescription + My CalDAV Account + CalDAVHostName + server.example.com + CalDAVPassword + Password123 + CalDAVPort + 443 + CalDAVUseSSL + + CalDAVUsername + juanchaves4@example.com + PayloadIdentifier + com.example.mycaldavpayload + PayloadType + com.apple.caldav.account + PayloadUUID + 603409f1-b611-459d-9584-0ed12bc25b5b + PayloadVersion + 1 + + + PayloadIdentification + + UserName + juanchaves4@example.com + FullName + Juan Chavez + EmailAddress + juanchaves4@example.com + AuthMethod + UserEnteredPassword + Password + Password123 + Prompt + Prompt Hello + PromptMessage + Prompt Message + + PayloadType + com.apple.configurationprofile.identification + PayloadIdentifier + com.example.myidentificationpayload + PayloadUUID + 9afecc40-d89f-4d66-ba9a-73ce0f15f784 + PayloadVersion + 1 + + + PayloadDisplayName + Identification with CalDAV + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 4a430145-e362-4808-957c-b784a1092777 + PayloadVersion + 1 + + diff --git a/examples/mdm/profiles/com.apple.declarations/example1.plist b/examples/mdm/profiles/com.apple.declarations/example1.plist new file mode 100644 index 0000000..d50bc56 --- /dev/null +++ b/examples/mdm/profiles/com.apple.declarations/example1.plist @@ -0,0 +1,58 @@ + + + + + PayloadContent + + + Declarations + + + ewogICJUeXBlIjogImNvbS5hcHBsZS5hY3RpdmF0aW9u + LnNpbXBsZSIsCiAgIklkZW50aWZpZXIiOiAiMzJGOUVF + RkMtQzM5QS00QjI5LUJCRjgtNUM5Q0RBQTIyMDU3IiwK + ICAiU2VydmVyVG9rZW4iOiAiODhFMjUzQjctNzYyNC00 + QUNGLTg1NTEtMzA4RDgyMUM0Njg0IiwKICAiUGF5bG9h + ZCI6IHsKICAgICJTdGFuZGFyZENvbmZpZ3VyYXRpb25z + IjogWwogICAgICAiMDdBMUUxNDgtMkM2Ri00Mzk0LTk4 + RTctNzRFMjA1RTAxQjIwIgogICAgXQogIH0KfQo= + + + ewogICJUeXBlIjogImNvbS5hcHBsZS5jb25maWd1cmF0 + aW9uLm1hbmFnZW1lbnQudGVzdCIsCiAgIklkZW50aWZp + ZXIiOiAiMDdBMUUxNDgtMkM2Ri00Mzk0LTk4RTctNzRF + MjA1RTAxQjIwIiwKICAiU2VydmVyVG9rZW4iOiAiRUIy + N0U5RjctRkZGQi00MUJFLTk4MEMtRThBNUZCODAxMzky + IiwKICAiUGF5bG9hZCI6IHsKICAgICJFY2hvIjogIkVj + aG8gdGhpcyBtZXNzYWdlIiwKICAgICJSZXR1cm5TdGF0 + dXMiOiAiSW5zdGFsbGVkIgogIH0KfQo= + + + PayloadDescription + Configures a set of declarations + PayloadDisplayName + Declarations profile + PayloadIdentifier + com.apple.declarations.2a3f8721-352d-48c0-a83d-737dc64589ad + PayloadType + com.apple.declarations + PayloadUUID + 5edd1fa1-31ce-43ee-a6dc-8e0bed5e9c20 + PayloadVersion + 1 + + + PayloadDisplayName + Test Declaration + PayloadIdentifier + declarations-5959abc0-1135-4d22-8ff0-a170bcceb3c8 + PayloadRemovalDisallowed + + PayloadType + Configuration + PayloadUUID + 5959abc0-1135-4d22-8ff0-a170bcceb3c8 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.desktop/example1.plist b/examples/mdm/profiles/com.apple.desktop/example1.plist new file mode 100644 index 0000000..1d97d71 --- /dev/null +++ b/examples/mdm/profiles/com.apple.desktop/example1.plist @@ -0,0 +1,33 @@ + + + + + PayloadContent + + + locked + + override-picture-path + ~/Desktop/background.png + PayloadIdentifier + com.example.mydesktoppayload + PayloadType + com.apple.desktop + PayloadUUID + 77a7ad50-9e32-4afb-8aee-79ae0c392848 + PayloadVersion + 1 + + + PayloadDisplayName + Desktop + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 2e00699a-8e37-417d-94b2-97b85ff722a2 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.dnsProxy.managed/example1.plist b/examples/mdm/profiles/com.apple.dnsProxy.managed/example1.plist new file mode 100644 index 0000000..ed6b621 --- /dev/null +++ b/examples/mdm/profiles/com.apple.dnsProxy.managed/example1.plist @@ -0,0 +1,41 @@ + + + + + PayloadContent + + + AppBundleIdentifier + com.example.mydnsproxyapp + ProviderBundleIdentifier + com.example.mydnsproxyapp.mydnsproxyprovider + ProviderConfiguration + + resolver + + ipaddress + 9.9.9.9 + + + PayloadIdentifier + com.example.mydnsproxypayload + PayloadType + com.apple.dnsProxy.managed + PayloadUUID + D6B3F3E4-A72E-49F1-AE2E-742A3A11BE1D + PayloadVersion + 1 + + + PayloadDisplayName + DNS Proxy + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 6a60bbe0-242c-493d-b338-c5885107f2af + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.dock/example1.plist b/examples/mdm/profiles/com.apple.dock/example1.plist new file mode 100644 index 0000000..cef25e1 --- /dev/null +++ b/examples/mdm/profiles/com.apple.dock/example1.plist @@ -0,0 +1,77 @@ + + + + + PayloadContent + + + tilesize + 40 + size-immutable + + magnification + + magnify-immutable + + largesize + 100 + magsize-immutable + + orientation + left + position-immutable + + mineffect + genie + mineffect-immutable + + windowtabbing + manual + windowtabbing-immutable + + dblclickbehavior + maximize + dblclickbehavior-immutable + + minimize-to-application + + minintoapp-immutable + + launchanim + + launchanim-immutable + + autohide + + autohide-immutable + + show-process-indicators + + showindicators-immutable + + show-recents + + showrecents-immutable + + PayloadIdentifier + com.example.mydockpayload + PayloadType + com.apple.dock + PayloadUUID + 8d443602-52f2-48ff-aaa9-35b16c7c54c9 + PayloadVersion + 1 + + + PayloadDisplayName + Dock + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + c139d3e0-5468-43b0-90bf-5e05b2e8cd6f + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.domains/example1.plist b/examples/mdm/profiles/com.apple.domains/example1.plist new file mode 100644 index 0000000..c2c185a --- /dev/null +++ b/examples/mdm/profiles/com.apple.domains/example1.plist @@ -0,0 +1,41 @@ + + + + + PayloadContent + + + EmailDomains + + example.com + + SafariPasswordAutoFillDomains + + example.com + + WebDomains + + example.com + + PayloadIdentifier + com.example.mysafaridomainspayload + PayloadType + com.apple.domains + PayloadUUID + 0f94e664-4c36-4637-b264-19a533adc8e1 + PayloadVersion + 1 + + + PayloadDisplayName + Domains + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 0cf6d95f-8e9f-49f3-9cba-c5e78de5430e + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.eas.account/example1.plist b/examples/mdm/profiles/com.apple.eas.account/example1.plist new file mode 100644 index 0000000..e16aa77 --- /dev/null +++ b/examples/mdm/profiles/com.apple.eas.account/example1.plist @@ -0,0 +1,71 @@ + + + + + PayloadContent + + + EmailAddress + juanchavez4@example.com + EnableCalendars + + EnableCalendarsUserOverridable + + EnableContacts + + EnableContactsUserOverridable + + EnableMail + + EnableMailUserOverridable + + EnableNotes + + EnableNotesUserOverridable + + EnableReminders + + EnableRemindersUserOverridable + + Host + host.example.com + MailNumberOfPastDaysToSync + 7 + OAuth + + OverridePreviousPassword + + SMIMEEnabled + + SMIMEEncryptionEnabled + + SMIMESigningEnabled + + SSL + + UserName + juanchavez4@example.com + disableMailRecentsSyncing + + PayloadIdentifier + com.example.myeaspayload + PayloadType + com.apple.eas.account + PayloadUUID + de789252-dcf2-42e7-91c8-0ab9f50aafc5 + PayloadVersion + 1 + + + PayloadDisplayName + Exchange Active Sync + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + b8fd6fd7-a55e-4eb1-96af-d9c4d8562e38' + PayloadVersion + 1 + + diff --git a/examples/mdm/profiles/com.apple.education/example1.plist b/examples/mdm/profiles/com.apple.education/example1.plist new file mode 100644 index 0000000..b91c59e --- /dev/null +++ b/examples/mdm/profiles/com.apple.education/example1.plist @@ -0,0 +1,203 @@ + + + + + PayloadContent + + + Password + Password123 + PayloadCertificateFileName + TestServerCert.p12 + PayloadContent + ExampleD + PayloadDescription + Adds a PKCS#12-formatted certificate + PayloadDisplayName + LeaderIdentity.p12 + PayloadIdentifier + com.example.myedconfigpayload + PayloadType + com.apple.security.pkcs12 + PayloadUUID + c149dafb-033f-4894-8add-e1056dc1c420 + PayloadVersion + 1 + + + PayloadCertificateFileName + Cert.cer + PayloadContent + ExampleD + PayloadDescription + Adds a CA root certificate + PayloadDisplayName + leader: Catalyst Certificate + PayloadIdentifier + com.example.mycertpayload + PayloadType + com.apple.security.root + PayloadUUID + 0391e29c-f10d-4803-a749-d04ef7f6a8fa + PayloadVersion + 1 + + + OrganizationUUID + 24A9D6AC-9C34-45F3-B92F-88C4657204C9 + OrganizationName + Example Inc. + PayloadCertificateUUID + 8DBA6415-6F70-47FE-B0D2-C70B3D35B7A3 + LeaderPayloadCertificateAnchorUUID + + c2113db2-8ea9-456d-a2e7-e19f4a706b75 + + MemberPayloadCertificateAnchorUUID + + 82c3100d-e22c-42db-b70b-3b628992c757 + + Departments + + + Name + Phonetics + Identifier + NotNeeded + GroupBeaconIDs + + 1 + 2 + 3 + + + + Groups + + + BeaconID + 1 + Name + Phonetic Info Provided + LeaderIdentifiers + + can + + MemberIdentifiers + + juan + mei + tom + bill + + + + Users + + + Identifier + tom + Name + tom clark + GivenName + tom + FamilyName + clark + PhoneticGivenName + tom + PhoneticFamilyName + clark + AppleID + tom + ImageURL + https://url.example.com.jpg + PasscodeType + four + + + Identifier + Juan + Name + Juan Chavez + GivenName + Juan + FamilyName + Chavez + PhoneticGivenName + Juan + PhoneticFamilyName + Chavez + AppleID + Juan + ImageURL + https://url.example.com.jpg2 + PasscodeType + four + + + Identifier + mei + Name + mei chen + GivenName + mei + FamilyName + chen + PhoneticGivenName + Mei + PhoneticFamilyName + Chen + AppleID + mei + ImageURL + https://url.example.com.jpg.3 + PasscodeType + six + + + Identifier + bill + Name + bill james + GivenName + bill + FamilyName + james + PhoneticGivenName + Bill + PhoneticFamilyName + James + AppleID + bill + ImageURL + https://url.example.com.jpg.4 + PasscodeType + complex + + + PayloadDescription + Configures the Shared iPad loginwindow. + PayloadDisplayName + Shared iPad + PayloadIdentifier + com.example.myedconfigpayload + PayloadType + com.apple.education + PayloadUUID + 9AD88C7B-7478-44D0-BEDD-4B1709002916 + PayloadVersion + 1 + + + PayloadDisplayName + Education + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 2E4F6563-21DE-499B-B834-4BCF1F08B5AD3 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.ews.account/example1.plist b/examples/mdm/profiles/com.apple.ews.account/example1.plist new file mode 100644 index 0000000..f164820 --- /dev/null +++ b/examples/mdm/profiles/com.apple.ews.account/example1.plist @@ -0,0 +1,49 @@ + + + + + PayloadContent + + + EmailAddress + juanchavez4@example.com + ExternalHost + host.example.com + ExternalPath + + ExternalSSL + + Host + host.example.com + MailNumberOfPastDaysToSync + 0 + Password + Password123 + PayloadDisplayName + Exchange Web Service + PayloadIdentifier + com.example.myewspayload + PayloadType + com.apple.ews.account + PayloadUUID + bb4adbbc-5516-45bb-bdee-cc7e47a5c5b5 + PayloadVersion + 1 + SSL + + UserName + juanchavez4@example.com + + + PayloadDisplayName + Exchange Web Service + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + ccb3eded-4486-4af8-81a3-add2d39cdfe7 + PayloadVersion + 1 + + diff --git a/examples/mdm/profiles/com.apple.extensiblesso(kerberos)/example1.plist b/examples/mdm/profiles/com.apple.extensiblesso(kerberos)/example1.plist new file mode 100644 index 0000000..6053cf2 --- /dev/null +++ b/examples/mdm/profiles/com.apple.extensiblesso(kerberos)/example1.plist @@ -0,0 +1,46 @@ + + + + + PayloadContent + + + ExtensionData + + useSiteAutoDiscovery + + + ExtensionIdentifier + com.apple.Extension + TeamIdentifier + RandomTeamID + Hosts + + url.example.com + + Realm + COM.URL.COM + Type + Credential + PayloadIdentifier + com.example.myessokpayload + PayloadType + com.apple.extensiblesso + PayloadUUID + 86c12312-c278-41f1-bbe7-9422a1e40ca2 + PayloadVersion + 1 + + + PayloadDisplayName + Extensible SSO (Kerberos) + PayloadIdentifier + com.example.profile + PayloadType + Configuration + PayloadUUID + 60bb7b2e-b94b-4f0d-848d-13c3a9857258 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.extensiblesso/example1.plist b/examples/mdm/profiles/com.apple.extensiblesso/example1.plist new file mode 100644 index 0000000..a86f542 --- /dev/null +++ b/examples/mdm/profiles/com.apple.extensiblesso/example1.plist @@ -0,0 +1,45 @@ + + + + PayloadContent + + + ExtensionData + + useSiteAutoDiscovery + + + ExtensionIdentifier + com.example.com + TeamIdentifier + RandomTeamID + Hosts + + .com.example.com + + Realm + COM.URL.COM + Type + Credential + PayloadIdentifier + com.example.myessopayload + PayloadType + com.apple.extensiblesso + PayloadUUID + dbed949d-39a2-440d-a84b-e0c825cdcb2e + PayloadVersion + 1 + + + PayloadDisplayName + Extensible SSO + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + da3bbbec-a753-4aa7-aeae-a74b7a65c0b5 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.familycontrols.contentfilter/example1.plist b/examples/mdm/profiles/com.apple.familycontrols.contentfilter/example1.plist new file mode 100644 index 0000000..3c242fc --- /dev/null +++ b/examples/mdm/profiles/com.apple.familycontrols.contentfilter/example1.plist @@ -0,0 +1,54 @@ + + + + + PayloadContent + + + filterAllowList + + http://www.example.com + + filterDenyList + + http://www2.example.com + + siteAllowList + + + address + http://www3.example.com + bookmarkPath + / + pageTitle + example3 + + + restrictWeb + + useContentFilter + + allowListEnabled + + PayloadIdentifier + com.example.mycontentfilterpayload + PayloadType + com.apple.familycontrols.contentfilter + PayloadUUID + 342c6863-6e3c-4e00-893e-f76757ae41c7 + PayloadVersion + 1 + + + PayloadDisplayName + Parental Controls Content Filter + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 764e94bc-ab75-456f-ac47-3a1062e70ffb + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.familycontrols.timelimits.v2/example1.plist b/examples/mdm/profiles/com.apple.familycontrols.timelimits.v2/example1.plist new file mode 100644 index 0000000..1678623 --- /dev/null +++ b/examples/mdm/profiles/com.apple.familycontrols.timelimits.v2/example1.plist @@ -0,0 +1,67 @@ + + + + + PayloadContent + + + familyControlsEnabled + + limits-list + + + allowancesActive + + groupID + __COMPUTER__ + itemType + com.apple.familycontrols.timelimits.computer + name + Computer + allowances + + + fromDay + 0 + span + 0 + toDay + 4 + timeLimitSeconds + 1800 + + + fromDay + 5 + span + 0 + toDay + 6 + timeLimitSeconds + 1800 + + + + + PayloadIdentifier + com.example.mytimelimitspayload + PayloadType + com.apple.familycontrols.timelimits.v2 + PayloadUUID + 0b17c132-352d-4a3a-9f76-b016f7f0ad6c + PayloadVersion + 1 + + + PayloadDisplayName + Parental Controls Time Limits + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 5c7a4e4b-1a9e-4586-9f31-b04e818a84b2 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.fileproviderd/example1.plist b/examples/mdm/profiles/com.apple.fileproviderd/example1.plist new file mode 100644 index 0000000..faafc1e --- /dev/null +++ b/examples/mdm/profiles/com.apple.fileproviderd/example1.plist @@ -0,0 +1,39 @@ + + + + + PayloadContent + + + ManagementAllowsRemoteSyncing + + AllowManagedFileProvidersToRequestAttribution + + ManagementAllowsKnownFolderSyncing + + ManagementKnownFolderSyncingAllowList + + com.example.myprovider (ABCD1234) + + PayloadIdentifier + com.example.myfileproviderpayload + PayloadType + com.apple.fileproviderd + PayloadUUID + 3ffb5741-f0f1-4fc2-9566-679ca8b10db1 + PayloadVersion + 1 + + + PayloadDisplayName + FileProvider + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 8efec75c-f1d3-4aaa-a4ef-104dc25cfc3d + PayloadVersion + 1 + + diff --git a/examples/mdm/profiles/com.apple.finder/example1.plist b/examples/mdm/profiles/com.apple.finder/example1.plist new file mode 100644 index 0000000..dcf9773 --- /dev/null +++ b/examples/mdm/profiles/com.apple.finder/example1.plist @@ -0,0 +1,49 @@ + + + + + PayloadContent + + + InterfaceLevel + Full + ShowHardDrivesOnDesktop + + ShowExternalHardDrivesOnDesktop + + ShowRemovableMediaOnDesktop + + ShowMountedServersOnDesktop + + WarnOnEmptyTrash + + ProhibitConnectTo + + ProhibitEject + + ProhibitBurn + + ProhibitGoToFolder + + PayloadIdentifier + com.example.myfinderpayload + PayloadType + com.apple.finder + PayloadUUID + feea617a-c8f2-4dce-afae-20b2fe5f9c9b + PayloadVersion + 1 + + + PayloadDisplayName + Finder + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 2527bd12-fbc4-4957-a9e7-4afeb64e0246 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.firstactiveethernet.managed/example1.plist b/examples/mdm/profiles/com.apple.firstactiveethernet.managed/example1.plist new file mode 100644 index 0000000..f6d833c --- /dev/null +++ b/examples/mdm/profiles/com.apple.firstactiveethernet.managed/example1.plist @@ -0,0 +1,60 @@ + + + + + PayloadContent + + + AuthenticationMethod + + AutoJoin + + CaptiveBypass + + EAPClientConfiguration + + AcceptEAPTypes + + 25 + + UserName + user + UserPassword + password + + EncryptionType + WPA2 + HIDDEN_NETWORK + + Interface + FirstEthernet + Password + password + ProxyType + None + SetupModes + + System + + PayloadIdentifier + com.example.my8021xfaepayload + PayloadType + com.apple.firstactiveethernet.managed + PayloadUUID + 9a7d074f-5822-4507-8e8c-80e479d95001 + PayloadVersion + 1 + + + PayloadDisplayName + 802.1x First Active Ethernet + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + fea1c6f3-5d95-4db9-be46-c130fb475409 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.firstethernet.managed/example1.plist b/examples/mdm/profiles/com.apple.firstethernet.managed/example1.plist new file mode 100644 index 0000000..9a0e944 --- /dev/null +++ b/examples/mdm/profiles/com.apple.firstethernet.managed/example1.plist @@ -0,0 +1,60 @@ + + + + + PayloadContent + + + AuthenticationMethod + + AutoJoin + + CaptiveBypass + + EAPClientConfiguration + + AcceptEAPTypes + + 25 + + UserName + user + UserPassword + password + + EncryptionType + WPA2 + HIDDEN_NETWORK + + Interface + FirstEthernet + Password + password + ProxyType + None + SetupModes + + System + + PayloadIdentifier + com.example.my8021Xfirstepayload + PayloadType + com.apple.firstethernet.managed + PayloadUUID + b0062f3a-8045-410b-82d2-a926a3957f02 + PayloadVersion + 1 + + + PayloadDisplayName + 802.1x First Ethernet + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 72d32ec9-864e-4f8a-8645-25539172e921 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.font/example1.plist b/examples/mdm/profiles/com.apple.font/example1.plist new file mode 100644 index 0000000..fa9ce2e --- /dev/null +++ b/examples/mdm/profiles/com.apple.font/example1.plist @@ -0,0 +1,33 @@ + + + + + PayloadContent + + + Font + YmFzZTY0ZW5jb2RlZGRhdGEK + Name + Font.ttf + PayloadIdentifier + com.example.myfontpayload + PayloadType + com.apple.font + PayloadUUID + 99659c06-bbbf-45aa-9674-06b378ec2cd5 + PayloadVersion + 1 + + + PayloadDisplayName + Fonts + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 9800ea91-30c4-4212-8033-d21cad4fe99a + PayloadVersion + 1 + + diff --git a/examples/mdm/profiles/com.apple.gamed/example1.plist b/examples/mdm/profiles/com.apple.gamed/example1.plist new file mode 100644 index 0000000..2105907 --- /dev/null +++ b/examples/mdm/profiles/com.apple.gamed/example1.plist @@ -0,0 +1,31 @@ + + + + + PayloadContent + + + GKFeatureAccountModificationAllowed + + PayloadIdentifier + com.example.mygamecenterpayload + PayloadType + com.apple.gamed + PayloadUUID + 2967fc4d-2ab8-40db-8f3e-f6f4cfe3e408 + PayloadVersion + 1 + + + PayloadDisplayName + Parental Control Game Center + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 73f89c96-6383-4db9-b879-9cc5bb8d9ad3 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.globalethernet.managed/example1.plist b/examples/mdm/profiles/com.apple.globalethernet.managed/example1.plist new file mode 100644 index 0000000..8e91ec0 --- /dev/null +++ b/examples/mdm/profiles/com.apple.globalethernet.managed/example1.plist @@ -0,0 +1,60 @@ + + + + + PayloadContent + + + AuthenticationMethod + + AutoJoin + + CaptiveBypass + + EAPClientConfiguration + + AcceptEAPTypes + + 25 + + UserName + user + UserPassword + password + + EncryptionType + WPA2 + HIDDEN_NETWORK + + Interface + GlobalEthernet + Password + password + ProxyType + None + SetupModes + + System + + PayloadIdentifier + com.example.myglobalethpayload + PayloadType + com.apple.globalethernet.managed + PayloadUUID + f3d469f1-d7cc-45c5-ac2d-024195a6454b + PayloadVersion + 1 + + + PayloadDisplayName + 802.1x Global Ethernet + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 9a0d652e-1ace-450c-9449-7bcc5d1d62c4 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.google-oauth/example1.plist b/examples/mdm/profiles/com.apple.google-oauth/example1.plist new file mode 100644 index 0000000..b9b4065 --- /dev/null +++ b/examples/mdm/profiles/com.apple.google-oauth/example1.plist @@ -0,0 +1,35 @@ + + + + + PayloadContent + + + AccountDescription + Google Account + AccountName + Juan Chavez + EmailAddress + juanchavez4@example.com + PayloadIdentifier + com.example.mygoogleaccountpayload + PayloadType + com.apple.google-oauth + PayloadUUID + 0fe8f4dc-8cf0-4da3-9d5b-f734efb98a59 + PayloadVersion + 1 + + + PayloadDisplayName + GoogleAccount + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 80141025-50d3-4a38-9387-ca610ff3a247 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.homescreenlayout/example1.plist b/examples/mdm/profiles/com.apple.homescreenlayout/example1.plist new file mode 100644 index 0000000..ae7321c --- /dev/null +++ b/examples/mdm/profiles/com.apple.homescreenlayout/example1.plist @@ -0,0 +1,133 @@ + + + + + PayloadContent + + + Dock + + + Type + Application + BundleID + com.apple.mobilesafari + + + Type + Application + BundleID + com.apple.Preferences + + + Type + Folder + DisplayName + Example + Pages + + + + Type + WebClip + DisplayName + Example + URL + companyname.com + + + + + Type + Application + BundleID + com.apple.News + + + + + + Pages + + + + Type + Application + BundleID + com.apple.MobileSMS + + + Type + Application + BundleID + com.apple.camera + + + Type + Folder + DisplayName + Display Name exampler + Pages + + + + Type + Application + BundleID + com.apple.podcasts + + + + + + Type + WebClip + URL + https://www.example.com + DisplayName + Custom Home Screen Layout + + + Type + Application + BundleID + com.apple.AppStore + + + + + Type + Folder + DisplayName + Important Folder + + + Type + Application + BundleID + com.apple.Bridge + + + + PayloadIdentifier + com.example.myhomescreenlayoutpayload + PayloadType + com.apple.homescreenlayout + PayloadUUID + f0b2d13e-a985-4264-9901-707feabddfcd + PayloadVersion + 1 + + + PayloadDisplayName + Home Screen Layout + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 24c41ae0-f8a9-4d9f-a007-d67b0dc15af4 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.ldap.account/example1.plist b/examples/mdm/profiles/com.apple.ldap.account/example1.plist new file mode 100644 index 0000000..ac237b8 --- /dev/null +++ b/examples/mdm/profiles/com.apple.ldap.account/example1.plist @@ -0,0 +1,48 @@ + + + + + PayloadContent + + + LDAPAccountDescription + Company LDAP Account + LDAPAccountHostName + com.apple.ldap.account + LDAPAccountUseSSL + + LDAPAccountUserName + JuanChavez4 + LDAPSearchSettings + + + LDAPSearchSettingDescription + My Search + LDAPSearchSettingScope + LDAPSearchSettingScopeSubtree + LDAPSearchSettingSearchBase + o=My Company,ou=My Department + + + PayloadIdentifier + com.example.myldappayload + PayloadType + com.apple.ldap.account + PayloadUUID + 7f846724-1bf7-4501-b8cd-ce7026e95280 + PayloadVersion + 1 + + + PayloadDisplayName + LDAP + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + c5208028-7e96-4669-8d83-4fbbeb48845a + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.loginitems.managed/example1.plist b/examples/mdm/profiles/com.apple.loginitems.managed/example1.plist new file mode 100644 index 0000000..5134f64 --- /dev/null +++ b/examples/mdm/profiles/com.apple.loginitems.managed/example1.plist @@ -0,0 +1,38 @@ + + + + + PayloadContent + + + AutoLaunchedApplicationDictionary-managed + + + Path + /System/Applications/Example.app + Hide + + + + PayloadIdentifier + com.example.myloginitemsmanageditemspayload + PayloadType + com.apple.loginitems.managed + PayloadUUID + f19d4636-fa34-4a7c-8e8b-e92de516c893 + PayloadVersion + 1 + + + PayloadDisplayName + Login Items Managed Items + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 98128de8-d76c-44fa-9509-5601c0d66281 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.loginwindow/example1.plist b/examples/mdm/profiles/com.apple.loginwindow/example1.plist new file mode 100644 index 0000000..772e210 --- /dev/null +++ b/examples/mdm/profiles/com.apple.loginwindow/example1.plist @@ -0,0 +1,77 @@ + + + + + PayloadContent + + + AdminHostInfo + HostName + AdminMayDisableMCX + + AllowList + + AlwaysShowWorkgroupDialog + + CombineUserWorkgroups + + DenyList + + DisableConsoleAccess + + EnableExternalAccounts + + FlattenUserWorkgroups + + HideAdminUsers + + HideLocalUsers + + HideMobileAccounts + + IncludeNetworkUser + + LocalUserLoginEnabled + + LocalUsersHaveWorkgroups + + RestartDisabled + + RetriesUntilHint + 0 + SHOWFULLNAME + + SHOWOTHERUSERS_MANAGED + + ShutDownDisabled + + SleepDisabled + + UseComputerNameForComputerRecordName + + com.apple.login.mcx.DisableAutoLoginClient + + showInputMenu + + PayloadIdentifier + com.example.myloginwindowpayload + PayloadType + com.apple.loginwindow + PayloadUUID + fe9ba3c5-0f1a-45c7-b6df-a5f4489695fe + PayloadVersion + 1 + + + PayloadDisplayName + Login Window + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 61bd7d63-4a4a-4b67-9112-5ceb16afb4dc + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.lom/example1.plist b/examples/mdm/profiles/com.apple.lom/example1.plist new file mode 100644 index 0000000..631e409 --- /dev/null +++ b/examples/mdm/profiles/com.apple.lom/example1.plist @@ -0,0 +1,266 @@ + + + + + PayloadContent + + + ControllerCACertificateUUIDs + + D99D951C-60CC-454D-B293-AF74ADB38738 + + ControllerCertificateUUID + 6B9162FB-8B4A-4241-8C6E-2A2E80E62CA2 + DeviceCACertificateUUIDs + + AF8A74BE-5B3E-47DC-83CD-279FC75DD63E + 4EC901FA-03F2-4374-A4BF-4B0BF8D249E2 + + PayloadDisplayName + LOM Enrollment + PayloadIdentifier + com.apple.controller1.pkcs12.lom + PayloadType + com.apple.lom + PayloadUUID + 79899C98-DA98-4A4D-8136-25E8CD33AE82 + PayloadVersion + 1 + + + PayloadContent + + MIIDjDCCAnSgAwIBAgIBATANBgkqhkiG9w0BAQsFADBmMRQwEgYD + VQQDDAtMT01fVGVzdF9DQTERMA8GA1UECgwITE9NIFRlc3QxETAP + BgNVBAsMCEFwcGxlTE9NMQswCQYDVQQGEwJVUzEbMBkGCSqGSIb3 + DQEJARYMYWJjQHRlc3QuY29tMB4XDTIwMDIxOTE0MTg1NloXDTIy + MDUyNDE0MTg1NlowZjEUMBIGA1UEAwwLTE9NX1Rlc3RfQ0ExETAP + BgNVBAoMCExPTSBUZXN0MREwDwYDVQQLDAhBcHBsZUxPTTELMAkG + A1UEBhMCVVMxGzAZBgkqhkiG9w0BCQEWDGFiY0B0ZXN0LmNvbTCC + ASIwDQYJKoZIhvcNAQEDDQADggEPADCCAQoCggEBAMOOHyldBKjc + ZlEGpJQY0OqOmLbmv4KSJzFDRT/EU5y12fBHxdCaZMwfRAOXpE8m + ygVQTZy3yd/r5cSrvWz6omLj5oLeBIlJ0VGnC2TGqvOWNQ45oeQh + zcMkwUTRFl1q7VqpL1lfz2VjcLg8Gode/e0nb+h/8YCm1T7xwHd0 + KqDZkpG9JGTv18DxdD6kaAMhLlcobRHXBS9uTNcI1zbdFHfFi6RO + aGIAMktdMF+M0zGOwDj34gJ9phUjF6bA4h90dqfMOWF8wyvRepF7 + P/OiPA6OaxzFG72u8GUe4V3PIE9byHDC3KlaFQZ2NfdT5s4As8Ql + R+fPrWoPIGcuor6ktzcCAwEAAaNFMEMwDwYDVR0TAQH/BAUwAwEB + /zAOBgNVHQ8BAf8EBAMCAqQwIAYDVR0lAQH/BBYwFAYIKwYBBQUH + AwIGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IBAQBS0RdVijXq + lWhENTXO21/Q1echOi1NN17ib9bbMAlUYn1N6aFUNI0b4tN0yekR + DLdhUSGvdgGrtfwf0PLDH3F8hqjnG+8UZgjc7KyBvvzxpQ2E9wBj + kt2EvODKC58RFgHFF+vJiKNtMeXiHpb/KziUYeM6esM0PIZvysG8 + KZ5p6zD20R+IMBtoZZ85z/jr2SGD3FTFnDj2x/VBtGPzcabShnGo + RUArgDnCwPmsiB/ZnQZ2DQY355DqdaZJBq15dRTlpw61LJb8W+ZG + SsElPVrwA7MRSJSGqv2BFrrk0LFY2B7/YCM7NrxPjoFWCVSo0pYM + 7e1I6Zxa/FxXbeLaLN1R + + PayloadDisplayName + Root CA Cert + PayloadIdentifier + com.apple.controller1.pkcs1.ca.root.lom + PayloadType + com.apple.security.pkcs1 + PayloadUUID + D99D951C-60CC-454D-B293-AF74ADB38738 + PayloadVersion + 1 + + + PayloadContent + + MIIDrTCCApWgAwIBAgIQXSjTUKRckZNIzZs/jSenKDANBgkqhkiG + 9w0BAQsFADBdMRMwEQYKCZImiZPyLGQBGRYDY29tMRUwEwYKCZIm + iZPyLGQBGRYFYXBwbGUxFDASBgoJkiaJk/IsZAEZFgRjZWFkMRkw + FwYDVQQDExBjZWFkLUNBMDEtUm9vdENBMB4XDTE0MDIyNjIzMTEw + M1oXDTI0MDIyNjIzMjEwMlowXTETMBEGCgmSJomT8ixkARkWA2Nv + bTEVMBMGCgmSJomT8ixkARkWBWFwcGxlMRQwEgYKCZImiZPyLGQB + GRYEY2VhZDEZMBcGA1UEAxMQY2VhZC1DQTAxLVJvb3RDQTCCASIw + DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN7ulf8RZHWyHyC+ + m2n4QoLv+4EO/JrD5tODrAKdLEWEqi/8KoGN2SNha/DeGrYh0/AJ + fheR/z5Qwyarj8uGQbL+fiecU4el/nXgQ+ydxHs3Vno1+bBnExj5 + sLi3HvYgCm2LBKVmmWcpLplCDOG8QvXAjnPOHJ0NxAXx1eCAukws + QcnLLaAxz5uTa2PG09ED+5GkNie4d23ZZhnTsOBVJclX7DogGeW7 + CbsjkvYGxtYB6R2vAnRelFDc2kW78cBOG6t3mRYR4TJlXr/D8MXS + KLgFIHfMvlUEP5CZqsDzdu9S70aIyhyD/zTJoJctah3yZzPAuY6u + n5R7qyFWp2Adyf0CAwEAAaNpMGcwEwYJKwYBBAGCNxQCBAYeBABD + AEEwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYD + VR0OBBYEFELX+/xTbLy0seL8BxkG3oKQ3ZGoMBAGCSsGAQQBgjcV + AQQDAgEAMA0GCSqGSIb3DQEBCwUAA4IBAQB8RphLEJ2hjJ0tN9by + sjgte6EGwc1OKMbICJkP3ejJVmJd2pFHnAGsgCp92L+OYOup54Gz + ChrzrjA5857kk1KQ1OJfLmDZKS4KTg+SDquegYXSxg/BcdcchnS7 + wD7ZzIbfVSWe/BR8nyPzcETn9w53M5jipCZlKQ6ryQfg+7jrOSjZ + jtDW3xfx7OpUYXEm79098xQ7Xf7jkWreWPibFmBP3qCkzIEY4nsR + uEoRqOo2D1db/Jm52PrVOtGTyuIRpUAx9cVkQCVlOSLpuwVMx0dF + vLGZdDwv5m95FRWVQt6WGrmbgew4GrmWA1gGsBbgr9z7TUaLcy0H + KytyanwB8yw0 + + PayloadDisplayName + PKCS1 Root CA Cert + PayloadIdentifier + com.apple.device1.pkcs1.ca.root.lom + PayloadType + com.apple.security.pkcs1 + PayloadUUID + AF8A74BE-5B3E-47DC-83CD-279FC75DD63E + PayloadVersion + 1 + + + PayloadContent + + MIIGFDCCBPygAwIBAgIKWqUMLAAAAAABFDANBgkqhkiG9w0BAQsF + ADBdMRMwEQYKCZImiZPyLGQBGRYDY29tMRUwEwYKCZImiZPyLGQB + GRYFYXBwbGUxFDASBgoJkiaJk/IsZAEZFgRjZWFkMRkwFwYDVQQD + ExBjZWFkLUNBMDEtUm9vdENBMB4XDTIwMDEyMjIwMTczMloXDTIy + MDEyMjIwMjczMlowYTETMBEGCgmSJomT8ixkARkWA2NvbTEVMBMG + CgmSJomT8ixkARkWBWFwcGxlMRQwEgYKCZImiZPyLGQBGRYEY2Vh + ZDEdMBsGA1UEAxMUY2VhZC1DQTAyLUludGVybWVkQ0EwggEiMA0G + CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDXTuPXuPHvoPGN1aJl + im0YCrKEfZ4Ao46AXBG1K6+RgErOCKbOnCz2CInq0LS9/wqLA9Ce + vBMQNoQwS3YtQW+xRFav36peGU3ZD8TtbZOePWbD1TH3G/SATbzL + ibYrx/NZWD8mWvpd+pBRBztl0eDwAIvQB25i26JI5FMkOq9WkWO/ + 4nbkk7Du8TpGJ64J5K63IorHTiVvrZDQVYwyXpxmxyX8LG2b18Nw + 2eIZWovqgoVfeUFT+DqnDEQGdMRH7vBL3KiTO7lrkJREHNeL3OJ7 + 0Wz70/MTMwosi8nsXdgSJ3fmVajIR88A3/Xi7gLMwvQti6lYan+m + S28cdiOYHM3ZAgMBAAGjggLQMIICzDASBgkrBgEEAYI3FQEEBQID + AgADMCMGCSsGAQQBgjcVAgQWBBS7wOiIufG+Qb34wBO7pTsZKPY9 + jDAdBgNVHQ4EFgQUJyYvq0IIF4pnIVVUB5bs6isDpacwGQYJKwYB + BAGCNxQCBAweCgBTAHUAYgBDAEEwDgYDVR0PAQH/BAQDAgGGMA8G + A1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUQtf7/FNsvLSx4vwH + GQbegpDdkagwgdEGA1UdHwSByTCBxjCBw6CBwKCBvYaBumxkYXA6 + Ly8vQ049Y2VhZC1DQTAxLVJvb3RDQSxDTj1jYTAxLENOPUNEUCxD + Tj1QdWJsaWMlMjBLZXklMjFGBXJ2aWNlcyxDTj1TZXJ2aWNlcyxD + Tj1Db25maWd1cmF0aW9uLERDPWNlYWQsREM9YXBwbGUsREM9Y29t + P2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RD + bGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCCAT8GCCsGAQUFBwEB + BIIBMTCCAS0wgbUGCCsGAQUFBzAChoGobGRhcDovLy9DTj1jZWFk + LUNBMDEtUm9vdENBLENOPUFJQSxDTj1QdWJsaWMlMjBLZXklMjBT + ZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERD + PWNlYWQsREM9YXBwbGUsREM9Y29tP2NBQ2VydGlmaWNhdGU/YmFz + ZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MEYG + CCsGAQUFBzAChjpodHRwOi8vY2EwMi5jZWFkLmFwcGxlLmNvbS9D + ZXJ0RW5yb2xsL2NlYWQtQ0EwMS1Sb290Q0EuY2VyMCsGCCsGAQUF + BzABhh9odHRwOi8vY2EwMS5jZWFkLmFwcGxlLmNvbS9vY3NwMA0G + CSqGSIb3DQEBCwUAA4IBAQBl8UmBhzfH85sTARqU0G2tJkzBFJQm + fkOXdxdwGfY/6mXJ1Kcev3cxNzV0rhkTUEGJ6qVTQekn1hAywhev + WuK/ybWAHC9gSOw0175QiFZWDReZiHb/wSwFTVmedpG1kcAFKrtK + d3cv3o/LPmiBd4ZQn6xbttlJn05IkK6JtBNJ9UaejNGjKbwvnWcP + +MjTZhLoBUmpzYjF2R5G+GEm/Ju4EwBsdnHQwYw+TGVIkLqh1OrV + U4hpDuZr36xzqNMIe2zGqz7XvVCZ7poXueEyt2s1JMRCv+mS1DZu + OPNHFPG6OFfZWha1hkuVODACc34xHweJQxBAheB55w2cgF+iEcCL + + PayloadDescription + PKCS1Certificate + PayloadDisplayName + Intermediate CA Cert + PayloadIdentifier + com.apple.device1.pkcs1.ca.intermediate.lom + PayloadOrganization + Test + PayloadType + com.apple.security.pkcs1 + PayloadUUID + 4EC901FA-03F2-4374-A4BF-4B0BF8D249E2 + PayloadVersion + 1 + + + Password + test + PayloadCertificateFileName + LOM_Test_Client.p12 + PayloadContent + + MIIKFwIBAzCCCd4GCSqGSIb3DQEHAaCCCc8EggnLMIIJxzCCBE8G + CSqGSIb3DQEHBqCCBEAwggQ8AgGBMIIENQYJKoZIhvcNAQcBMBwG + CiqGSIb3DQEMAQYwDgQIcWeJpvkU/nkCAggAgIIECMU5tEzDlyqk + aEz4e8wXvBgCe5PouMwHyj/H4Kw4ypZ/Cfrw+VGziIk3BoOlwM8v + ItWflMB+tx6Kcld6Ih/dNEzCPOSoTLOSocFF2tY6CzUb7WZn5Jcz + wuawYJuwk0JaAMez3Zy+Tqeil96ezmy+LyRSmegS2TOwdUbcYWIn + wcY3yA/JHADvt/5ctMCprKgMPz9yTJJhexdx54PgkxF2Vd7CIpQ1 + 03J2TFMIbd4wzkt76f3gi/8utirdDuHcS6xxccA2LVlLOmjG8gk3 + M/AnUIa4ZuDTGE2sFo8nk1ehAnszo/sSJtm8mspALKNfHHflTv8v + +ii7ZGmmaxZmi/qQUc2ad0Czw6qiM6+E8QDUarRwb5C3EqHglgJn + 2UmRddOTuZqXcTavzZB1SI/kOnLTA0uW/yqYdZvFZksYKhWCYwh2 + 0TJJkbanxXZkIMPEp7xGCAupGVkc63T/dVRzBAwrpWrL1JzWmJmY + +QhfXb/oN4D7+oWfjPMd8IND7sAEYgfd1X+M4BC0A5kHTXkdV1eG + yIZC9p0c3cyyDZ+KQSGrJCoc3sBxc2Xo5LKa0kV67znlYVimwY3l + oPqC2xd/3lwjtR33ka1QzQw7V4RGSqPtH717qz9lnto8rTyogfY9 + rlDBi4PiwX1EoL+Sq2zFvqMYD3q8rcS5oAVwU39e6raWEZJxe10x + PPeDG/2BIitCe4VGk1DU0VjKK7LCIijVWcmVOVePIpn+OEDv3gtU + FujHDFxuYH0bwMfXhwDv/6bRVjMkyTP/wMMEgjUBDe4391BeidZ4 + OsbCBqTY1aqvddJ6EQJ8B4hKRTyB1PwAPB4bTwRYuy4NaZ7AXoX2 + pH5OcC4OSNMbBK1NERBAYnQbJM2KrMggXdHAOm2SAT6PBQj71nb8 + AMm+NA6BRwDAK41yBoh3SBC4ETDwdQz6bJPFGeWN7x9wZIoecUt0 + W94bwfgKvipLF8RWWqcQviyi8f2dUkYKcNtDMQ1aNGg7C3nmlGr3 + nhZSPcX/joTa0hzf1j+mY3PMFG0Ur/hNrdSVcXLSfhEfzUZCUg1C + Lgx905QNMcHfO0XNhMosqEoVTS7wHeX3h2i+vbntPqUCUDEhz6V/ + 2MRZrs4xT8dbq1PpLatyUNpzzDXacA99COJwCTcsRLCq1bpP5nFM + Y/VNzXz6MjzWGiDCTyth1cVVPeYhy1BNdt4EotGC6XNIiQ+B2Y+N + tOouIdAvoudbrw+PtCR4TdlHHREy84+mrA9rpgfNyWWedzQplEBU + SUKk6lGujliQB9viEsijpL5ZpihurZwXsf8T/IcY0/p00dsemwyB + 0K3NIBmYce5jbHIq5aQh606KAIvA8R3zqr7w4lCOTghsZrcfIOPz + YsRXsVltsCfmiTCCBXAGCSqGSIb3DQEHAaCCBWEEggVdMIIFWTCC + BVUGCyqGSIb3DQEMCgECoIIE7jCCBOowHAYKKoZIhvcNAQwBAzAO + BAisa5w3m1byvwICCAAEggTIUC3fuYuNrN32PQiE7UuiVXAunkcV + 0WGESI3YYRjluMoWAqaVMPuUEqFPJBXkQN1V47FFxWHgfGEC/6DW + AwGv2Khu7kjBqtmTCMaSxzvnSwMWP7PN1Ql5Ww7QC+XMtzG0gZgp + cl9z4fg3OWu2CP82NPbzn/9zUW7QH5123Lqk+di9lE4xJ0Dn6CvV + 45OQUCjtP4BY9io1wfDl5+pi2T72oDpYeMPjau79VVZmBKRJeysO + Tk32ML8v7oTifdf4hBUqKFFP59Vmo32FEIffKTsoklM3rDRDXwZU + tICsdK5Tzl55lEpX0jtBzEYxcLhdiJ+FcV4iDxerpjiEDnIqBwpd + Akea68gwe90oRe5epVoKzEqX8PSiWGhp+RJxowv28CaOQOvhO90I + 8+rXWkrz5WgIxzqTL5tc7eAcXs0RuD3jSUs0a+FUHJgp5W9Mi9J+ + YgV+yH00OM36iJHJl6QJAwpCAltGz6EZtG8ZO+QmEHcFVPRVFZaj + m9wzLiU2GimKtJSYWAunEjADuChcOok3gYVunR7gfXfmZXDMkXn1 + dGyoUgP1KQ6bRWFnkhwogDPfKHq06FQhnGkRSejovP4RmR1TQfYv + QMNjaWzgsBmuXw2n5u5yxYQ25ArhNsJNWuFg5j3yur1PFyDqH3Jr + 2uVBp5o4anoZ72obDjLpTBpXrQhAVfiMFiUTmMnM7lwSSiI6vxYq + bloX1OVWCmPuf9pyHaz4tbrvJymwbIHKkLHg9kiLb/e1Uh0UXZh1 + E04LWs+sGe3CzKDyzebRWdZj+ay4pL66q0HlN75fCkec9HIsAe47 + Bsx9iNbNqdFg4eqBWmsbXBlHyPHBlU+oIS2MJAfp6Onxsn0/aoMf + 1G3ZHdYRb+BVN3JaVPzXoLAuHLNBj+gq7jJalvvZN59Wpiwajfdy + Q0ilLKr994IDeoWxG2U7mdiWF4qnpONuv5BtCQyMB3N+6tk9P+vv + CrlvnWAxqGy5Lh6shmQzuO1qaiNNKQPwji0XylyLx5zge3IeNZRy + PTwJLR0/vKXM+jTuGEXCg1d/+smj9KYpPiScs5n78TaeRaECIMnT + pI9lP2ntNysAmAmLdyd5cHdDXdOGgcfm3xfXvPcHBnCUn13Qey3p + O1g5mnvefgTWH3D0v75rzZOXeL0gHlnvexeL/AJvg3rmqd9Q25MB + 3Epm4XSVIQKKAfzdzG4WNGMFQ3dXAqXF6u4faHairuif4q3RZO+Q + KHorIpPUUe64l8G8v2Ba6HsEq8mcmG+icRyY5PzAntIBrcbJzrMi + 7yaHiRyGVCxZNlJntAoE214h+sJFdyYGrBkW11MIezb/A9n8lWAq + kS+FFdt83S6ZdVaOvoH3UP2f0ueIHBPHg5pB6DQHs8zAqZE61T+i + BqGFW2z1g2cHM3PVTvGtObYTSIB0F65tOrWNI3D3CutZR47oqCTD + 8SOh3xrmcMurCf0mhVLSqFaMcgnF5TNMkQwMbBx+uWszqn5W28RV + ZAogYtZPRqTAas65j65cBwv+D8Lv/T+x6JmG8ed/9ofPrhmuodmV + P00m5ltxRrex4OgwyAcw5K4/9TaQo39FjxYxA/qDp+u9XYp7zwj8 + XYKWFVIOKoIkdQqtBA1WH5GwAui4fVSavhiyNV29qdzFMVQwLQYJ + KoZIhvcNAQkUMSAeHgBMAE8ATQBfAFQAZQBzAHQAXwBDAGwAaQBl + AG4AdDAjBgkqhkiG9w0BCRUxFgQUaPGNi2CHNid4WbbrQcmbllEf + NiMwMDAhMAkGBSsOAwIaBQAEFKRzkxujUoYI1qp7rOlfqNKmE91K + BAjSWtXqqFVswwIBAQ== + + PayloadDescription + Identity from LOM_Test_Client.p12 + PayloadDisplayName + AppleLOM_Test_controller + PayloadIdentifier + test.cert.LOM_Test_Client.p12.1 + PayloadType + com.apple.security.pkcs12 + PayloadUUID + 6B9162FB-8B4A-4241-8C6E-2A2E80E62CA2 + + + PayloadDisplayName + Lights Out Management Controller + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 60f25f97-01ec-4016-a4d0-da42ae91a81d + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.mail.managed/example1.plist b/examples/mdm/profiles/com.apple.mail.managed/example1.plist new file mode 100644 index 0000000..2a63b1c --- /dev/null +++ b/examples/mdm/profiles/com.apple.mail.managed/example1.plist @@ -0,0 +1,75 @@ + + + + + PayloadContent + + + EmailAccountDescription + Company Mail Account + EmailAccountName + Juan Chavez + EmailAccountType + EmailTypeIMAP + EmailAddress + juanchavez4@example.com + IncomingMailServerAuthentication + EmailAuthPassword + IncomingMailServerHostName + imap.example.com + IncomingMailServerPortNumber + 993 + IncomingMailServerUseSSL + + IncomingMailServerUsername + juanchavez4@example.com + IncomingPassword + Password123 + OutgoingMailServerAuthentication + EmailAuthPassword + OutgoingMailServerHostName + smtp.example.com + OutgoingMailServerPortNumber + 587 + OutgoingMailServerUseSSL + + OutgoingMailServerUsername + juanchavez4@example.com + OutgoingPassword + Password123 + OutgoingPasswordSameAsIncomingPassword + + SMIMEEnablePerMessageSwitch + + SMIMEEnabled + + SMIMEEncryptionEnabled + + SMIMESigningEnabled + + allowMailDrop + + disableMailRecentsSyncing + + PayloadIdentifier + com.example.mymailpayload + PayloadType + com.apple.mail.managed + PayloadUUID + d6379d8d-9e05-4d99-80bc-0865f1fe0aca + PayloadVersion + 1 + + + PayloadDisplayName + Mail + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 8e1961d8-898e-4d79-986f-c7a61af4103c + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.mcxMenuExtras/example1.plist b/examples/mdm/profiles/com.apple.mcxMenuExtras/example1.plist new file mode 100644 index 0000000..a953c75 --- /dev/null +++ b/examples/mdm/profiles/com.apple.mcxMenuExtras/example1.plist @@ -0,0 +1,35 @@ + + + + + PayloadContent + + + Battery.menu + + delaySeconds + 30 + maxWaitSeconds + 60 + PayloadIdentifier + com.example.mymanagedmenuextraspayload + PayloadType + com.apple.mcxMenuExtras + PayloadUUID + 93bd5b68-0141-4055-aaaf-a6cebc1cfeeb + PayloadVersion + 1 + + + PayloadDisplayName + Menu Extras + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + dc2618ce-736c-4af7-b652-f9cdf3eb9ce4 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.mcxloginscripts/example1.plist b/examples/mdm/profiles/com.apple.mcxloginscripts/example1.plist new file mode 100644 index 0000000..91d48eb --- /dev/null +++ b/examples/mdm/profiles/com.apple.mcxloginscripts/example1.plist @@ -0,0 +1,42 @@ + + + + + PayloadContent + + + loginscripts + + + filedata + ExampleD + filename + ping.sh + + + skipLoginHook + + skipLogoutHook + + PayloadIdentifier + com.example.myloginwindowscriptspayload + PayloadType + com.apple.mcxloginscripts + PayloadUUID + 2bcd5563-f44d-4f74-b706-050a628c0caf + PayloadVersion + 1 + + + PayloadDisplayName + Login Window Scripts + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 5cbf617d-16a5-4564-ba2c-728fd7f7d732 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.mcxprinting/example1.plist b/examples/mdm/profiles/com.apple.mcxprinting/example1.plist new file mode 100644 index 0000000..5168362 --- /dev/null +++ b/examples/mdm/profiles/com.apple.mcxprinting/example1.plist @@ -0,0 +1,71 @@ + + + + + PayloadContent + + + + RequireAdminToAddPrinters + + AllowLocalPrinters + + RequireAdminToPrintLocally + + ShowOnlyManagedPrinters + + PrintFooter + + PrintMACAddress + + FooterFontSize + 7 + FooterFontName + Helvetica + DefaultPrinter + + DeviceURI + ipp://printer.example.com/ + DisplayName + printer.example.com + + UserPrinterList + + printer_example_com + + DeviceURI + ipp://printer.example.com/ + DisplayName + printer.example.com + Location + My Office + Model + PrinterModel1 + PrinterLocked + + PPDURL + file://localhost/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/PrintCore.framework/Resources/Generic.ppd + + + PayloadIdentifier + com.example.myprinterpayload + PayloadType + com.apple.mcxprinting + PayloadUUID + 8242d870-95c0-0135-0b44-0c4de9ce4c04 + PayloadVersion + 1 + + + PayloadDisplayName + Printing + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + ab59f143-1478-419a-885e-7994fb13c9c3 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.mdm/example1.plist b/examples/mdm/profiles/com.apple.mdm/example1.plist new file mode 100644 index 0000000..35f5622 --- /dev/null +++ b/examples/mdm/profiles/com.apple.mdm/example1.plist @@ -0,0 +1,150 @@ + + + + + PayloadContent + + + PayloadContent + + LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZlRENDQTJB + Q0NRQzFsWFV5WnJPbERqQU5CZ2txaGtpRzl3MEJBUXNGQURCK01R + c3dDUVlEVlFRR0V3SlYKVXpFVE1CRUdBMVVFQ0F3S1EyRnNhV1p2 + Y201cFlURVNNQkFHQTFVRUJ3d0pRM1Z3WlhKMGFXNXZNUk13RVFZ + RApWUVFLREFwQmNIQnNaU0JKYm1NdU1Sb3dHQVlEVlFRTERCRkVa + WFpwWTJVZ1RXRnVZV2RsYldWdWRERVZNQk1HCkExVUVBd3dNVFVN + Z1VtOXZkQ0JEWlhKME1CNFhEVEU1TURVd01UQTNNVFF6TVZvWERU + STVNRFF5T0RBM01UUXoKTVZvd2ZqRUxNQWtHQTFVRUJoTUNWVk14 + RXpBUkJnTlZCQWdNQ2tOaGJHbG1iM0p1YVdFeEVqQVFCZ05WQkFj + TQpDVU4xY0dWeWRHbHViekVUTUJFR0ExVUVDZ3dLUVhCd2JHVWdT + VzVqTGpFYU1CZ0dBMVVFQ3d3UlJHVjJhV05sCklFMWhibUZuWlcx + bGJuUXhGVEFUQmdOVkJBTU1ERTFESUZKdmIzUWdRMlZ5ZERDQ0Fp + SXdEUVlKS29aSWh2Y04KQVFFQkJRQURnZ0lQQURDQ0Fnb0NnZ0lC + QUpZVUFISWErRHI1Q0JzeEQ5NjJTRTc1WG50UzNmTEYyRGJIdHFT + YwpwdXpsRVhEeC8yaXNVWHVKVkhYdlNkWkx3YmpFRFJKMTF5WlNv + SzFTMTJVOFVUS1VsK2JHUS9HbjcxVkJnblY2CmFxYmRWVzRFOGxJ + bU1rN2paRE1IMW14a3cxOWZHdEREaEVOMTA1R3g3K2RVbkpzMTdz + NHAramJIUThwbzNIY2sKNG5VejgyVTZKUmJXdU5SZFNxNWIvaDNT + VzlBM2laMXRPRHlNbExOK1ZyaHREYkxhRS9URlk1eFovdjRiUmZ2 + RQpGSjYvVVQ2bGc3RVorcjBYdnljV0tvMnZUL2ZPdUVHbU5CczFy + YmNPZ3dpQlZEUjdXRG5Pb3RUVkHtMUxydFZFCmFtVlljUHdxSjlu + Y01hSk14Y01JNHZDazR4eFBwNy9jeEJzcGQwK2diR1lYSVlkYnI5 + YlM2Q1RhMHkzTmIxeCsKdnJZN1RTWFBHSFRNQzAvYXBQQ21CRjBy + RFdzNm1ZcytFKzRQaENLaDUyeFRROHp5WjVRNk5yOVhqUVJKajl2 + YgpKa2pMMTY1NnJwVFBFV21CUzJxQ1ZqTUxpbFA4MGE1MDVkd0kx + YzZwa1NrUDczMGtIaExtQ1R4ZkJwb1Jid1p5CjFrQk1qM2xhWkE5 + Y21UUlFiT1pQMkYzNVVudmw1LzFuNG5Wd0N4R1Mzc2U1NWxudzh3 + SzUvRmtBYXptS1dDdzAKTnZjRUc5T0FtQUIrNWpaVVdNZXdoenFy + TWdMUDFQbm1qR0twemN0dG8vTmxQZE91QVhnZ1A0ZjlPaVkyNlV4 + UwpHcW55R2hXamlIbTZIeXkvMWNuNXRYZVNMcVZISzZoaXJINk1o + eks4K0R5Rkg2N0R3dmIyTnRKUkhadUhTb0FXClRwS2ZBZ01CQUFF + d0RRWUpLb1pJaHZjTkFSSUxCUUFEZ2dJQkFHVWl4VDEwaW5KcVVq + b0NtTWpHNlJwL1hGRUgKZzZoQml6OFUveVJWUEhvMG9RNFREdnIw + WDBFOXk3Lyt3YXc5clpIRTdqd1VOendtWXZFeWwwMzZCcFQyVVZB + aQpvWDAyMDZqcmVXSk9nTVYxbFlBVWhYZTY1eml2ak9WRE9rVFFX + aUZKb3pjbXYwdXZabmsrRWl4eFByUEJYOThOClhRNEF5VWt5S25n + WTVHSnlPbW5iK3ZnUlFCM25yTXpJbXIyekxNUlp2b21DT1pEV0FK + ZGF3UlNZTXBFOGZreVAKZnY3QzVWOXdLVllxVFJNd1FEbk1YL1g5 + eUFUTXV0QWV0MTV3N2taN3JYenc4ZFxjZFBwMlBSQkJIem1kWWF3 + egpmbFdWT2dBKzdHSTcwVkVtNER6UkxCVmJjaUcyZU1mVEtYemZX + eGcrbHhQaWxacy82T2Y1aG9jdVRWeVhEeHJnCkUwRDZLbFVSK2k0 + N3ovZDRTaWsrSVdJRkx3Y21XOEhFelEyVzlTakFwSDRTaGhEKzBz + UXQ2bzZMNjA0cjBqTzEKbUhYbkhxSmNGRmVaYjlONzJrMElNZTJv + MForaXd1YmJYamZQZzlMV1EzamVJOVJPZkJzWlA1ZkE1MkxiRlB5 + UgpiSkxOODl4cm5DeEt2TzVsUHp2WHpwYXlrRUNWRG1Oa0lZMlRO + WG4yUnVmQVdDYXpFVWlLd2lPQ1JLZjJSTHBPCmZUb25IYVdIZi9B + NzBqWTJXb1JGQ3laV1BnQ3U2QW1kMFNNK3p2cm1NQi9SLzZBYlQv + WDFjckFQR1ArNkVzU0YKeHBkRHJqZUdLYWlYM3l0UmVBSnFFMEFQ + YWt4OENXR2haMkVVOUlnY3loNTE2bGY4OXlUcTBEbGlCUjNDWVJl + bgpsMGJhMSt6M1J6VlZhRWgvCi0tLS0tRU5EIENFUlRJRklDQVRF + LS0tLS0K + + PayloadIdentifier + com.example.mypempayload + PayloadType + com.apple.security.pem + PayloadUUID + 0dfe81fe-e8f6-45c0-9860-2c893fe30114 + PayloadVersion + 1 + + + PayloadContent + + URL + https://mdm.example.com:2002/scep + Key Type + RSA + Key Usage + 5 + Keysize + 2048 + Subject + + + + O + Example, Inc. + + + + + CN + Device Certificate + + + + Challenge + MDMEnrollment + + PayloadIdentifier + com.example.mysceppayload + PayloadType + com.apple.security.scep + PayloadUUID + 47492623-e4e7-4a64-ba63-2f31d2ca1a5f + PayloadVersion + 1 + + + IdentityCertificateUUID + 47492623-e4e7-4a64-ba63-2f31d2ca1a5f + ServerURL + https://mdm.example.com:2001/mdm + Topic + com.apple.mgmt.External.c809ab17-1cbd-48f2-8dc7-e952131df20c + AccessRights + 8191 + ServerCapabilities + + com.apple.mdm.per-user-connections + com.apple.mdm.bootstraptoken + + CheckInURL + https://mdm.example.com:2001/checkin + CheckOutWhenRemoved + + PromptUserToAllowBootstrapTokenForAuthentication + + PayloadIdentifier + com.example.mymdmpayload + PayloadType + com.apple.mdm + PayloadUUID + 0ae4af50-590a-4478-b540-aa0a21da23f1 + PayloadVersion + 1 + + + PayloadDisplayName + MDM + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 1f4ef23b-ab01-45b9-879c-7a036e47b083 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.mobiledevice.passwordpolicy/example1.plist b/examples/mdm/profiles/com.apple.mobiledevice.passwordpolicy/example1.plist new file mode 100644 index 0000000..6fc0c87 --- /dev/null +++ b/examples/mdm/profiles/com.apple.mobiledevice.passwordpolicy/example1.plist @@ -0,0 +1,47 @@ + + + + + PayloadContent + + + allowSimple + + forcePIN + + maxFailedAttempts + 5 + maxGracePeriod + 1 + maxInactivity + 2 + maxPINAgeInDays + 30 + minLength + 8 + pinHistory + 2 + requireAlphanumeric + + PayloadIdentifier + com.example.mypasscodepayload + PayloadType + com.apple.mobiledevice.passwordpolicy + PayloadUUID + 2a8a75e5-d17d-44d5-b062-3cb92161af9f + PayloadVersion + 1 + + + PayloadDisplayName + Passcode + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + e044f50d-ff67-4bcd-9f3f-d7b678091061 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.networkusagerules/example1.plist b/examples/mdm/profiles/com.apple.networkusagerules/example1.plist new file mode 100644 index 0000000..a2d45fa --- /dev/null +++ b/examples/mdm/profiles/com.apple.networkusagerules/example1.plist @@ -0,0 +1,42 @@ + + + + + PayloadContent + + + ApplicationRules + + + AllowCellularData + + AllowRoamingCellularData + + AppIdentifierMatches + + com.apple.appname + + + + PayloadIdentifier + com.example.mynetworkusagepayload + PayloadType + com.apple.networkusagerules + PayloadUUID + 'ef0250de-bfd4-4095-9ad3-34cf1281d5da + PayloadVersion + 1 + + + PayloadDisplayName + Network Usage + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + b724f950-5853-4b78-8f4a-9a37a0ccac1f + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.notificationsettings/example1.plist b/examples/mdm/profiles/com.apple.notificationsettings/example1.plist new file mode 100644 index 0000000..fe58802 --- /dev/null +++ b/examples/mdm/profiles/com.apple.notificationsettings/example1.plist @@ -0,0 +1,42 @@ + + + + + PayloadContent + + + NotificationSettings + + + AlertType + 0 + BundleIdentifier + com.apple.mobilemail + NotificationsEnabled + + + + ShowInLockScreen + + PayloadIdentifier + com.example.mynotificationspayload + PayloadType + com.apple.notificationsettings + PayloadUUID + d1cc23d9-f482-40c5-b7b1-332149659986 + PayloadVersion + 1 + + + PayloadDisplayName + Notification + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 2bb0ab2e-1e0a-4c03-a662-b4ee2ffe224a + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.preference.security/example1.plist b/examples/mdm/profiles/com.apple.preference.security/example1.plist new file mode 100644 index 0000000..b8eda1b --- /dev/null +++ b/examples/mdm/profiles/com.apple.preference.security/example1.plist @@ -0,0 +1,31 @@ + + + + + PayloadContent + + + dontAllowFireWallUI + + PayloadIdentifier + com.example.mysecuritypreferencespayload + PayloadType + com.apple.preference.security + PayloadUUID + d99bb019-a61d-447f-8fed-8f223cc56be3 + PayloadVersion + 1 + + + PayloadDisplayName + Security Preferences + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + b44b6a04-6527-4333-87e5-46422e8a5844 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.preferences.users/example1.plist b/examples/mdm/profiles/com.apple.preferences.users/example1.plist new file mode 100644 index 0000000..75bb373 --- /dev/null +++ b/examples/mdm/profiles/com.apple.preferences.users/example1.plist @@ -0,0 +1,31 @@ + + + + + PayloadContent + + + DisableUsingiCloudPassword + + PayloadIdentifier + com.example.myuserpayload + PayloadType + com.apple.preferences.users + PayloadUUID + 733ec67c-853c-45b2-9510-198e055e0723 + PayloadVersion + 1 + + + PayloadDisplayName + User + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 1a5fe077-6146-44ae-82db-5cb938dddad4 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.profileRemovalPassword/example1.plist b/examples/mdm/profiles/com.apple.profileRemovalPassword/example1.plist new file mode 100644 index 0000000..976b463 --- /dev/null +++ b/examples/mdm/profiles/com.apple.profileRemovalPassword/example1.plist @@ -0,0 +1,33 @@ + + + + + PayloadContent + + + RemovalPassword + Password123 + PayloadIdentifier + com.example.myprofileremovalpasswordprofile + PayloadType + com.apple.profileRemovalPassword + PayloadUUID + 55f87465-a869-4ab0-9031-11ca1073641b + PayloadVersion + 1 + + + PayloadDisplayName + Password Removal + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + a42bfe59-7f3a-46a0-9908-4a5095fd2c6d + PayloadVersion + 1 + HasRemovalPasscode + + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.proxy.http.global/example1.plist b/examples/mdm/profiles/com.apple.proxy.http.global/example1.plist new file mode 100644 index 0000000..c6a445b --- /dev/null +++ b/examples/mdm/profiles/com.apple.proxy.http.global/example1.plist @@ -0,0 +1,41 @@ + + + + + PayloadContent + + + ProxyCaptiveLoginAllowed + + ProxyPassword + password + ProxyServer + 10.0.1.42 + ProxyServerPort + 8080 + ProxyType + Manual + ProxyUsername + username + PayloadIdentifier + com.example.myglobalhttpproxypayload + PayloadType + com.apple.proxy.http.global + PayloadUUID + dee0892a-7d4c-41be-ac88-d87247dd076c + PayloadVersion + 1 + + + PayloadDisplayName + GlobalHTTPProxy + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + ee2f890c-6c9f-49be-9e19-b81c66d5cc0d + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.screensaver.user/example1.plist b/examples/mdm/profiles/com.apple.screensaver.user/example1.plist new file mode 100644 index 0000000..6cc1d94 --- /dev/null +++ b/examples/mdm/profiles/com.apple.screensaver.user/example1.plist @@ -0,0 +1,33 @@ + + + + + PayloadContent + + + idleTime + 60 + modulePath + /System/Library/Screen Savers/Name.saver + PayloadIdentifier + com.example.myscreensaverpayload + PayloadType + com.apple.screensaver.user + PayloadUUID + c5dceece-f633-44e6-b899-9d46631fd6e5 + PayloadVersion + 1 + + + PayloadDisplayName + Screen Saver User + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 59332e00-d3c5-4d2a-a23a-ba36e45034e9 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.screensaver/example1.plist b/examples/mdm/profiles/com.apple.screensaver/example1.plist new file mode 100644 index 0000000..9741a21 --- /dev/null +++ b/examples/mdm/profiles/com.apple.screensaver/example1.plist @@ -0,0 +1,41 @@ + + + + + PayloadContent + + + idleTime + 60 + loginWindowIdleTime + 60 + loginWindowModulePath + /System/Library/Screen Savers/Example-Name.saver + moduleName + Example Name + askForPassword + + askForPasswordDelay + 5 + PayloadIdentifier + com.example.myscreensaverpayload + PayloadType + com.apple.screensaver + PayloadUUID + ba9abec1-ee44-413d-b75f-63748644ca71 + PayloadVersion + 1 + + + PayloadDisplayName + Screen Saver Device + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 4ffe721a-f2e6-4191-a3fe-1d1a463fbbac + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.secondactiveethernet.managed/example1.plist b/examples/mdm/profiles/com.apple.secondactiveethernet.managed/example1.plist new file mode 100644 index 0000000..69ce0de --- /dev/null +++ b/examples/mdm/profiles/com.apple.secondactiveethernet.managed/example1.plist @@ -0,0 +1,60 @@ + + + + + PayloadContent + + + AuthenticationMethod + + AutoJoin + + CaptiveBypass + + EAPClientConfiguration + + AcceptEAPTypes + + 25 + + UserName + user + UserPassword + password + + EncryptionType + WPA2 + HIDDEN_NETWORK + + Interface + SecondActiveEthernet + Password + password + ProxyType + None + SetupModes + + System + + PayloadIdentifier + com.example.my8021Xsecaepayload + PayloadType + com.apple.secondactiveethernet.managed + PayloadUUID + 38791a67-90ca-40e5-bddd-fc3dc85a447e + PayloadVersion + 1 + + + PayloadDisplayName + 802.1x Second Active Ethernet + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 50939eda-ff93-4e0c-907b-159d8d5c1a1a + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.secondethernet.managed/example1.plist b/examples/mdm/profiles/com.apple.secondethernet.managed/example1.plist new file mode 100644 index 0000000..b5265dc --- /dev/null +++ b/examples/mdm/profiles/com.apple.secondethernet.managed/example1.plist @@ -0,0 +1,60 @@ + + + + + PayloadContent + + + AuthenticationMethod + + AutoJoin + + CaptiveBypass + + EAPClientConfiguration + + AcceptEAPTypes + + 25 + + UserName + user + UserPassword + password + + EncryptionType + WPA2 + HIDDEN_NETWORK + + Interface + SecondEthernet + Password + password + ProxyType + None + SetupModes + + System + + PayloadIdentifier + com.example.my8021XsecEpayload + PayloadType + com.apple.secondethernet.managed + PayloadUUID + 37d5702f-299a-4dbe-acd5-d7e8946222f1 + PayloadVersion + 1 + + + PayloadDisplayName + 802.1x Second Ethernet + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 37490fd4-10c0-4154-8964-9b719e53de31 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.security.FDERecoveryKeyEscrow/example1.plist b/examples/mdm/profiles/com.apple.security.FDERecoveryKeyEscrow/example1.plist new file mode 100644 index 0000000..c8410ef --- /dev/null +++ b/examples/mdm/profiles/com.apple.security.FDERecoveryKeyEscrow/example1.plist @@ -0,0 +1,97 @@ + + + + + PayloadContent + + + Password + Password123 + PayloadContent + + MIIDHjCCAgagAwIBAgIEeRGqmzANBgkqhkiG9w0BAQsFADBAMR8w + HQYDVQQDDBZGaWxlVmF1bHQgUmVjb3ZlcnkgS2V5MR0wGwYDVQQN + DBRpb3MtdGFyZGlzLmFwcGxlLmNvbTAeFw0xODA2MTkyMTA2Mzla + Fw0xOTA2MTkyMTA2MzlaMEAxHzAdBgNVBAMMFkZpbGVWYXVsdCBS + ZWNvdmVyeSBLZXkxHTAbBgNVBA0MFGlvcy10YXJkaXMuYXBwbGUu + Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtOPt + QOZ38VJMyMHWcWcs5S8D1xXVZ9OjQ7+8s7q+xNeGUZZXlHXehBHA + iV8o7F9LvkOuJuwiWuw+9xj+ye7G4EnAtDA0p3bqZNoBIc3HIqDE + BKTCPufqHEZfX6AH05mnYqr6fz8FbICQpx+1x6hO9f8ZSNrBJUxe + viPCkYTvRFel9VvBS06Jijn3THFBZ9UAJjxTjU8PGQYHNRpa4pVh + y1yIXjRwSKrmCv6NyF7vz9BQ8X4ExanGBG3P20tl5JhUTZlI+qo2 + B/ZYlQDvR+DMhrdaKtbJphdi4GNK8B87+bG7EmPCpiwLzVtkzSUK + Y4WNbYCwUhJTjOclQsZFQKvT4QIBAQABoyAwHjALBgNVHQ8EBAMC + ArQwDwYDVR0TAQH/BAUwAwEBADANBgkqhkiG9w0BAQsFAAOCAQEA + rPLq0RFfAJO0Hq/Z+NLZp/EI3mBXD8a5Gq5VUepB4AYgxbmtS5Dr + XJMlzi1ctYGj3+QN+9XbgNv/p3cphHvSBmvFmjL8gJ6AuqNG9/hV + TYEsoS5i9pGIlWozTziS+EPbdHt76g4xOOPoQ3SDur+qpc3Hfi1A + imCaRB2Ga/eIITDqQUi1Sfgz0r0Md0jIEpXnW8RSvAQm9tlt35os + onzTvHiKjXkOxBrXGg84YSK9/MsvwcPUM/XZ9HmZMTVYnPRacZlX + 9m4yKJligP7vmSjpbQ6u5zngsilhLUezX9stOyduAKLxk354yW85 + CQEgrRbwQQzGSWlf8KV0sbubwz4H8w== + + PayloadIdentifier + com.example.mypkcs1payload + PayloadType + com.apple.security.pkcs1 + PayloadUUID + 5ddd0439-620a-4939-8bbc-838ae490b12f + PayloadVersion + 1 + + + Defer + + DeferDontAskAtUserLogout + + DeferForceAtUserLoginMaxBypassAttempts + -1 + Enable + On + PayloadCertificateUUID + 5ddd0439-620a-4939-8bbc-838ae490b12f + ShowRecoveryKey + + UseKeychain + + UseRecoveryKey + + UserEntersMissingInfo + + PayloadIdentifier + com.example.myfv2payload + PayloadType + com.apple.MCX.FileVault2 + PayloadUUID + 8d5d8dfb-688a-436d-b827-b81e550702b3 + PayloadVersion + 1 + + + EncryptCertPayloadUUID + 5ddd0439-620a-4939-8bbc-838ae490b12f + Location + Your Information is now escrowed + PayloadIdentifier + com.example.myfderecoverykeyescrowpayload + PayloadType + com.apple.security.FDERecoveryKeyEscrow + PayloadUUID + 202ffa93-e1ae-43b5-b9de-e656ac0c2045 + PayloadVersion + 1 + + + PayloadDisplayName + FDE Recovery Key Escrow + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + bf625ece-5e99-489b-b197-6f1d7c52a601 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.security.acme/example1.plist b/examples/mdm/profiles/com.apple.security.acme/example1.plist new file mode 100644 index 0000000..d4b8424 --- /dev/null +++ b/examples/mdm/profiles/com.apple.security.acme/example1.plist @@ -0,0 +1,71 @@ + + + + + PayloadContent + + + ClientIdentifier + this is an identifier + ExtendedKeyUsage + + 1.3.6.1.5.5.7.3.2 + + HardwareBound + + KeySize + 384 + KeyType + ECSECPrimeRandom + UsageFlags + 5 + PayloadIdentifier + com.example.myacmepayload + PayloadType + com.apple.security.acme + PayloadUUID + cbdc6238-feec-4171-878d-34e576bbb813 + PayloadVersion + 1 + Subject + + + + C + US + + + + + O + Example Inc. + + + + + 1.2.840.113635.100.6.99999.99999 + test custom OID value + + + + SubjectAltName + + dNSName + site.example.com + + DirectoryURL + https://acme.example.com/acme + + + PayloadDisplayName + ACME + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + ce876f81-abf0-46f9-9e68-9b3a7ede8097 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.security.certificatepreference/example1.plist b/examples/mdm/profiles/com.apple.security.certificatepreference/example1.plist new file mode 100644 index 0000000..4f470ab --- /dev/null +++ b/examples/mdm/profiles/com.apple.security.certificatepreference/example1.plist @@ -0,0 +1,35 @@ + + + + + PayloadContent + + + Password + Password123 + PayloadContent + ExampleD + PayloadIdentifier + com.example.mypcertprefpayload + PayloadType + com.apple.security.certificatepreference + PayloadUUID + d669e184-6312-4214-9ebc-00346809f7f0 + PayloadVersion + 1 + updated_at_xid + 23387 + + + PayloadDisplayName + Certificate Preferences + PayloadIdentifier + com.example.profile + PayloadType + Configuration + PayloadUUID + 89d2e0a7-0821-45c2-a566-c23eb98b137e + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.security.certificaterevocation/example1.plist b/examples/mdm/profiles/com.apple.security.certificaterevocation/example1.plist new file mode 100644 index 0000000..e9b555a --- /dev/null +++ b/examples/mdm/profiles/com.apple.security.certificaterevocation/example1.plist @@ -0,0 +1,42 @@ + + + + + PayloadContent + + + EnabledForCerts + + + Algorithm + sha256 + Hash + ExampleDatY= + + + PayloadDescription + Configures certificate Revocation + PayloadDisplayName + Certificate Revocation + PayloadIdentifier + com.example.mycertrevpayload + PayloadType + com.apple.security.certificaterevocation + PayloadUUID + 2a4deb38-4c9f-43fd-a933-6598f4866e3b + PayloadVersion + 1 + + + PayloadDisplayName + Certificate Revocation + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + b548e6df-10ad-438a-a65b-6b39374b7aff + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.security.certificatetransparency/example1.plist b/examples/mdm/profiles/com.apple.security.certificatetransparency/example1.plist new file mode 100644 index 0000000..ff93003 --- /dev/null +++ b/examples/mdm/profiles/com.apple.security.certificatetransparency/example1.plist @@ -0,0 +1,46 @@ + + + + + PayloadContent + + + DisabledForCerts + + + Algorithm + sha256 + Hash + AAolBg== + + + DisabledForDomains + + example.com + + PayloadDescription + Configures Certificate Transparency + PayloadDisplayName + Domains + PayloadIdentifier + com.example.mycerttransparencypayload + PayloadType + com.apple.security.certificatetransparency + PayloadUUID + 0ae54b4a-cbf5-4323-8524-262a3cc4b733 + PayloadVersion + 1 + + + PayloadDisplayName + Certificate Transparancy + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + a54d018e-864e-4ec9-9638-85fc50410ae3 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.security.firewall/example1.plist b/examples/mdm/profiles/com.apple.security.firewall/example1.plist new file mode 100644 index 0000000..bc55932 --- /dev/null +++ b/examples/mdm/profiles/com.apple.security.firewall/example1.plist @@ -0,0 +1,40 @@ + + + + + PayloadContent + + + EnableFirewall + + Applications + + + BundleID + com.example.myapp + Allowed + + + + PayloadIdentifier + com.example.myfirewallpayload + PayloadType + com.apple.security.firewall + PayloadUUID + 28b1fef7-ddb6-4d56-9a6a-6bb4e56e7f0b + PayloadVersion + 1 + + + PayloadDisplayName + Firewall + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 8f2fa915-f2da-4034-9424-2218355a6f3c + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.security.identitypreference/example1.plist b/examples/mdm/profiles/com.apple.security.identitypreference/example1.plist new file mode 100644 index 0000000..4e72893 --- /dev/null +++ b/examples/mdm/profiles/com.apple.security.identitypreference/example1.plist @@ -0,0 +1,163 @@ + + + + + PayloadContent + + + Password + password + PayloadContent + + MIIJswIBAzCCCXoGCSqGSIb3DQEHAaCCCWsEgglnMIIJYzCCA98G + CSqGSIb3DQEHBqCCA9AwggPMAgEAMIIDxQYJKoZIhvcNAQcBMBwG + CiqGSIb3DQEMAQYwDgQIzcn2kFi+E2wCAggAgIIDmOGeHz7O3Z1w + UnOsg0+MdKppk40c03amc/pZS/xA+Pph2k8kyhdx34Gj6ml/trUF + 3QQzxItmaiwpMM1yMJWibtGwvPUFZgv7nu5WXhwz0UIme+f/f4KO + FXUaR2aKhEsHMSscmQYr3JKv4u3XXn9YWjOQWnaxE+wN+c56DVPU + tyFbUIBhJqZnOeq0HSWF9l+HxEA9jn/xNFfwEFY/AmOR4X3p6R9H + iAwI5w85Emb8pZeopeUsdgGmVEUM22Dhrpvml3MkVTr/9TXa4ekS + wLktW5QD9YY4kPMB49H8IJkGl8fPpklcZm/FIzGAekbGenObAhxH + rH2HW35PuC1WeLxn2SgJTTqi+3KaVpb2LVQq2+ddZFf4vzNoiKg/ + xl6bs0Ch5sKI6JwuUyMhv5Qp2UL/UOCwdDWtrX3E4Ad09HSF3XaA + 6ZpjcdS8E0uk9KuRxz+8+YJ0pvs7b3ZjuqP3S7lOOTKWrrzoY87s + 9K7qk4C8SK8wW/KLmhseQ4YhrAPqNvr5KiJO2QjVGtOpoT07xXwV + RPmL+xmdqy9Fg1c1dyVJcB1uQhyhL2CB79tO6yT/3I5nXKYs5dtc + vHy8LLA2Lo3qi9tsOhUXUkhHUfGayt0pP7fX6FVJhwoneooFonhY + lcwsZKgXHEOnqKf/Zv9hr72JyVMLCqJTdTyIPLIqVhALxRTC+v6s + veXiV3yje2JpSSjyOp/GPyVOkMGR+1V1N/dWoEC151WzQpodzsSR + vCn/wSAK9B2uu9sskHNPe48Kw5m6/SJ9whIwc2sX5GOB+7za9CaH + hYOyg3hkM1VHhgWZbX52cyUBBdggCQsFhFUf0CUpn0PAtH1nvacJ + oUEx8NTxvcXXlf1WyFrXSmK2VJK7fy5WhjlD3jXZlpInKBUXQXcs + 6cwt4dEKJGIao5Tg+cZCSunuS0P5jjaQYgkFLp0pmDYCU1C/1eBJ + MTGOjUg/g6ByL3+mV511EdGASmYwdjUpZ7p013fUQ9dWWo5PbKy4 + Xq5Gs/H+xXrMOQnf2wauR3hGqCGWf/PWc1zCcO4fdLjY+OUgrNGn + lXwuWJ0M/SANwXAxKi3XVlOKILDCfSJEvD1wZhp/G6TzM5fJNVOa + ZgON6fqWLYgXLiteqSfbIY3Rh7vu/1X+glQVWhsKs5TZM4A7mNpy + rqkZJLhiwudf9OrgMugyzmt24Xu585GmVpK8ODCrBsQhJyE7ceuk + LGhyyJe2d2Fq+LF0s4zeMIIFfAYJKoZIhvcNAQcBoIIFbQSCBWkw + ggVlMIIFYQYLKoZIhvcNAQwKAQKgggTuMIIE6jAcBgoqhkiG9w0B + DAEDMA4ECH3AYC/iqoA1AgIIAASCBMhuXQqb5dyYGNhvOU+KguyU + NqeoXJFs69tdLvz1bdXindBVurgSwpdhq5nyjDFTP4Vs4h/KeNId + Uxri7DQH10uYF1g/b2CcGjQOTbdWL77MO30fjE/vohxF6ANTE11j + 3LjMjGfFNr3eef6uGtWYaARzQpfSI2Be9T2ITUsdO+Ii6VnR20GK + Z2jvKTx1N+/z5N659V3oX6Wxgc0nst7Le3kCZHRwPdv8EFu3kdu9 + LyMxfuoffLQ28gvkK9/lfkjxngwvuI4FRigNKmbaAQ8LQ1oN1MK/ + c0tEbO/wdY5IoYWrbhspAT6lSniEoa8W5RVf40KpZWHBSoQ+u2NN + Oak0M1Gzzjy7NPGwzHsUJcjMYnEh51bN37nc6pJ9jzq98oozYE4N + 6WWapkBbO9i/BEqKMfTQbeNpElbtOqAoetjQjp1HKW0tyAS862hE + Dk1CxSG4zAjFyVFmtlrnttsHN3dkcpEaOHg0oJb31BqopFajvks/ + i0gwUN9R2zQzN5PhvEScPCX81whlWTswzx+aUYFPYHHzgATO7gbY + n3QBjfF9rwCbTdxlu1BvGIF2KONz5bOoJgHyNJij0XFF+pktvi+V + XPyuthzmb9Kcf91d9jyO/8A09LjTYhiks36hLuB4EH4vYukN/hDN + TKAxeXft5Y/NdSCgg3Tf+vWth03b0dIKJ59jCpi93xHzt5jALfT9 + XqbV1qaixtumXIoCN5+kO9SEsEnKbCF9xoulhlnrG6wpxRDy1JH6 + 2iNxq0v1pbrx91NQPnGFpCOgDUu/SVoy9nJ0uGogMCmkU0hGPdzp + vgDbbR0QaQ+24IvkSt0Yjf/lkYWhUrzr/BtFZd9iAAi0SX15L6dB + bsg6Vr6RnXsr5oElowBMYiqpD8Y0bO0i2KvWIF6S9AT/pVyQooF0 + AxikgpeASQsd2xa/bRUTLqGqut39dkf6rKatyTLCvf5jP9vlWDZK + nK4wNI6Ht8p26ne8wEMC5Ar/giiE5jnCkr8//Mbk3rfmXw1aETOI + ons/wsX+RMUMeHgtogH9AHgEJV5hG2mi0rHbAKtF8YWvNb0jzuNO + kNOJ6U/ieG6ijqJjV7DxOwCTGEOreKMYM8OjyCz2kzpv1kr4L+nc + NI8GmLIstEdyIcmvOdkSmOmS50sB5Kst83l5ewNgIvz8TJVXp0u6 + /pN6Kt5MyyKV3o0rMV+R/dPVslu1qcLcmMQW8a5uqyKIT53pRy3P + XtDHmEDDNqXIPCJQiA86aH4oZH7WVKZosgKRjIxHfZ5l5yXNb463 + Cq/RXNqoqlTl/KUYsl9IQnC/273naX8GgBzMdeU11kZoEdwPAB/q + 3NEepfmuvSrMeLH/3+Anbsb83iTMW9KX/B6uEeAswtWRDaSlcArt + XD3Enz9aIviu1vDjkDBDw0pxeWVtWlBN1hop2T1INJVClJm862AT + K/aWKmB4ucAn2ClhcX05fmqBYqsJ3YKJKhO+JrjRS9pyF3k6Pyp7 + XzVx+Fa/MTbf41aRz6zF/HdA3QbbrwUyBjUm9/sfe0wcDf1oeztO + r8svgt4MXf7RMNRDZaUNp0s1IKxc+/L2Zpu77nOulZImgult263m + 9mOpxyrfJsJcREl3bGLL2OC3Q9S0XlUbRAcKMPQOc+y0DkX0sGox + YDA5BgkqhkiG9w0BCRQxLB4qAEEAXwBUAEUAUwBUAF8AUwBNAEkA + TQBFAF8ASQBEAEUATgBUAEkAVABZMCMGCSqGSIb3DQEJFTEWBBQV + Ut44hB9wMqV2sbN63KczzmhcZTAwMCEwCQYFKw4DAhoFAAQUCTAV + n6tL4bFYqbqi6wUPeeQSFZEECIqI6EAjveRJAgEB + + updated_at_xid + 23387 + PayloadIdentifier + com.example.pkcs12payload + PayloadType + com.apple.security.pkcs12 + PayloadUUID + f0100f5d-1516-4646-8cff-f68ecef626e4 + PayloadVersion + 1 + + + PayloadContent + + MIIDAzCCAeugAwIBAgIBATANBgkqhkiG9w0BAQsFADAvMSAwHgYD + VQQDDBdBX1RFU1RfU01JTUVfQ0VSVElGQ0FURTELMAkGA1UEBhMC + VVMwHhcNMTYwMjI2MTMzMjI3WhcNMTcwMjI1MTMzMjI3WjAvMSAw + HgYDVQQDDBdBX1RFU1RfU01JTUVfQ0VSVElGQ0FURTELMAkGA1UE + BhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDO + gsJl1dKOINoO85qOl/Z8p6EXUEMxv4B5axYab1FUQp3jYa27q0Cb + /zLiJZQGbxcfAae559gfCJPXk07roX9lKr2OlcZDJXa28/GB8Nf9 + a1xZCdeN1cGeg8gs3hvmPCWScXc1q9yE8PdFVN30w60DGx8i+ITW + MOjySq0V3EAsmlhwxzY3w7OT9ov/1Bnnzybf+NV2m554S4zi1IY7 + yziswglf3uIGPsFGQkSZ5n6Uzlcslgw8ctp9jJD1g9Tg03LxpiQz + 6LvTjmJQvw0U1KAuBrcckVykNCYVGyxdhdZjXKylK6BKX428Ci1J + 7/NnexXyZ8k3OzH1bRZKD8roPHsbAgMBAAGjKjAoMA4GA1UdDwEB + /wQEAwIHgDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDBDANBgkqhkiG + 9w0BAQsFAAOCAQEAhVygfQK+hTxtQDOmk4ntEo3gI5HgUiiXUemA + ZZKULTnakh5XEJ5RKoDepvgX3/sjRDwdGzpHoK7DCLhmJXsxtIGG + drv5JitrbktWfKsWFVpnzKRWziEc6pMInzQZRyiue9ys91pbOOGo + tF58TDUVvNN72QpnCt0MJgNCLOJFDWwdJoiJsMbBByQiDjj+pEFj + 3l72D2ms0y2ot58kZodSArW4nIOnPKbXbjsjSQz4vSOysVoNZLN2 + cdACxPf1VIEEBVRbB+2Yr8qnpC3aOJ8SvfhHfy7Qcl+R8U3ATI8w + QO/xTI9TMNh/yMKPwsTyQKid3L2bTeTTUPC1wwyQvNwyhw== + + updated_at_xid + 23384 + PayloadIdentifier + com.example.rootpayload + PayloadType + com.apple.security.root + PayloadUUID + c4b9ede1-2018-45b0-8e15-eb5615599027 + PayloadVersion + 1 + + + Name + A_TEST_SMIME_IDENTITY_PREF + PayloadCertificateUUID + AF660801-04B9-4F1D-AD53-8DF76BA3F7DB + PayloadIdentifier + com.example.myidentitypreferencepayload + PayloadType + com.apple.security.identitypreference + PayloadUUID + e12219b3-464d-483a-84e2-069b51750c70 + PayloadVersion + 1 + + + Name + A_TEST_SMIME_CERTIFICATE_PREF + PayloadCertificateUUID + EE61473E-9D61-4A2C-8072-FA69B2CCF4AE + PayloadIdentifier + com.example.mycertificatepreferencepayload + PayloadType + com.apple.security.certificatepreference + PayloadUUID + 67a6046d-fd4f-4d00-9bc6-6f056bd8330f + PayloadVersion + 1 + + + PayloadDescription + Test SMIME Cert and Identity with Certificate Prefs + PayloadScope + User + PayloadType + Configuration + PayloadUUID + a0bc1f73-9e7d-413d-8a84-327e8e717059 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.security.pem/example1.plist b/examples/mdm/profiles/com.apple.security.pem/example1.plist new file mode 100644 index 0000000..ac35ddd --- /dev/null +++ b/examples/mdm/profiles/com.apple.security.pem/example1.plist @@ -0,0 +1,63 @@ + + + + + PayloadContent + + + PayloadContent + + LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURTakNDQWpL + Z0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBREJLTVJZd0ZB + WURWUVFEREExdFkzaDIKWVd4cFpHRjBhVzl1TVFzd0NRWURWUVFH + RXdKVlV6RWpNQ0VHQ1NxR1NJYjNEUUVKQVJZVWNtOWljMjl1WDJG + agpRR2xqYkc5MVpDNWpiMjB3SGhjTk1UZ3dNakUwTVRrMU9UUXpX + aGNOTWpBd01qRTBNVGsxT1RReldqQktNUll3CkZBWURWUVFEREEx + dFkzaDJZV3hwWkdGMGFXOXVNUXN3Q1FZRFZRUUdFd0pWVXpFak1D + RUdDU3FHU0liM0RRRUoKQVJZVWNtOWljMjl1WDJGalFHbGpiRzkx + WkM1amIyMHdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdB + dwpnZ0VLQW9JQkFRQ3luNzR2Szh2NXRHU2NqK1pieHZhWWl5ZFFD + cUtUNjFEVzlEdlM1bW4xcCtJcEp6M3hJdFI1Cnd6NCtXTmFzbWRt + ek11L3BuRUkwaXA0SUxYaHpFUVpieHlIZElGQU1LTWNHTzZuekla + S3NiZ2MveE1WcVJyM0YKWExTOTY4Vlg3djd2SFVxRFpveDhhMHVn + b1NlM2ZIeEl1Z2FMTldRL0RYeE1mbllJQ0k4azNndXFtQ3Zib3No + UwpaTnFhYXNLUlNzWWZFYlRZTUNkSVBYMnBDNDNGMzYyNE16R2RV + RDZSYjJWZDRUamNQZXVINjVkdDhrbXI3NTc0Cjc5MDF2Zlp3ZDds + UzFITHozcHdQa0s1UlZnOVU0dHJ5Y0xKUmJWSm9mTUhRUWJIMEZ4 + TWUxTUhpRmx4c1pwYjMKQTl1SDRjYzVyWlRocmpIeUlkTTZPZVoy + UWVWQ1ZMR3ZBZ01CQUFHak96QTVNQThHQTFVZEV3RUIvd1FGTUFN + QgpBUUF3RGdZRFZSMFBBCCgvQkFRREFnZUFNQllHQTFVZEpRRUIv + d1FNTUFvR0NDc0dBUVVGQndNQ01BMEdDU3FHClNJYjNEUUVCQ3dV + QUE0SUJBUUJ6RTdvdnRBRnVEWDNXQVFuMjc0K2NLTUsvT3JEK050 + dGJxZ2x0ZUFLV250ZlAKTk45VXFmSzhZaTBtZDEvQ3V4OEhWYXp5 + N0ZmdjlXZExHZjFJeDJoczAzcFVJalZUWmZHeWlac2Rhazd6NXZl + YgpmdXFZT3F5L0VDUElxR2ZSYkxFeW9SZ0RUeTM2ODIzWUJ4bVdm + bWV1SlFmQVdhTHFvbUd1Z0R6RDVPTFWKWHdHCml2MVdFc0dXYWhT + Vzlxb3llSkhFcE5tamZ1c1BmSTd4UnY3Q1ByeXh1U2hEakFYdXl5 + cmdqVm5HdjUrdENzNnIKODNQd1NjdUhydU41Ymc4THE5bW9pVnpa + Qy9WdGRFbTN6TzVwUnFjd0NRanZmUjUvVWJsT2Z5N2x5WkNlWUU3 + SApXKzlLUzdCbmVtRnBBSFhvU296b1M3WW1YQnhmT1BqbDB6MEhW + V2VsCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K + + PayloadIdentifier + com.example.mycertpempayload + PayloadType + com.apple.security.pem + PayloadUUID + b740fbbc-ad70-4f59-b6f5-40887d284a70 + PayloadVersion + 1 + + + PayloadDisplayName + CertificatePEM + PayloadIdentifier + com.example.profile + PayloadType + Configuration + PayloadUUID + 0d198a1e-7d38-48f5-ad67-422382c1c9e7 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.security.pkcs1/example1.plist b/examples/mdm/profiles/com.apple.security.pkcs1/example1.plist new file mode 100644 index 0000000..b7eddc4 --- /dev/null +++ b/examples/mdm/profiles/com.apple.security.pkcs1/example1.plist @@ -0,0 +1,54 @@ + + + + + PayloadContent + + + PayloadCertificateFileName + example-certificate.cer + PayloadContent + + MIIDXTCCAkWgAwIBAgIJAKoK/heBjcOuMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV + BAYTAkNBMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX + aWRnaXRzIFB0eSBMdGQwHhcNMjQwMTA1MjMwMDAwWhcNMjUwMTA1MjMwMDAwWjBF + MQswCQYDVQQGEwJDQTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50 + ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB + CgKCAQEA3VoPN9PKUjKFLMwOge6+G/T8+J8vJKHjadgNkK5HKaVFxnC1JJ8FLZ2K + 7qtgzbhI8WnqK3r5PjM+ZA5k8sW8e7VhqYi2gDhNJqFRe4XKqL9U7LnG5i9jHHk1 + 2nNSJd8HLZ8sW8e7VhqYi2gDhNJqFRe4XKqL9U7LnG5i9jHHk12nNSJd8HLZ8s7K + qtgzbhI8WnqK3r5PjM+ZA5k8sW8e7VhqYi2gDhNJqFRe4XKqL9U7LnG5i9jHHk12 + nNSJd8HLZZ2K7qtgzbhI8WnqK3r5PjM+ZA5k8sW8e7VhqYi2gDhNJqFRe4XKqL9U + 7LnG5i9jHHk12nNSJd8HLZ8sW8e7VhqYi2gDhNJqFRQIDAQABo1AwTjAdBgNVHQ4E + FgQUhKM6j7nHOBxp0eDe/N9vI4C/JM8wHwYDVR0jBBgwFoAUhKM6j7nHOBxp0eDe + /N9vI4C/JM8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEA2Z8B+vMT + eW+/IEE8sJ8rI4w/b6VhW+j2R1L7R4m8tVz7qRxW2g3J8VzR8l1fYQ7p7R2kZ8u7 + 5nR4gF8sJ8rI4w/b6VhW+j2R1L7R4m8tVz7qRxW2g3J8VzR8l1fYQ7p7R2kZ8u75 + nR4gF8sJ8rI4w/b6VhW+j2R1L7R4m8tVz7qRxW2g3J8VzR8l1fYQ7p7R2kZ8u75n + R4gF8sJ8rI4w/b6VhW+j2R1L7R4m8tVz7qRxW2g3J8VzR8l1fYQ7p7R2kZ8u75nR + 4gF8sJ8rI4w== + + PayloadDisplayName + CertificatePKCS1 + PayloadIdentifier + com.example.mycertpkcs1payload + PayloadType + com.apple.security.pkcs1 + PayloadUUID + 72d2c549-2a97-4032-b818-d8ebf7cb88f2 + PayloadVersion + 1 + + + PayloadDisplayName + CertificatePKCS1 + PayloadIdentifier + com.example.profile + PayloadType + Configuration + PayloadUUID + d7d678c5-87ea-457d-82b9-25db21cd7868 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.security.pkcs12/example1.plist b/examples/mdm/profiles/com.apple.security.pkcs12/example1.plist new file mode 100644 index 0000000..f9e598c --- /dev/null +++ b/examples/mdm/profiles/com.apple.security.pkcs12/example1.plist @@ -0,0 +1,101 @@ + + + + + PayloadContent + + + Password + Password123 + PayloadContent + + MIIJ0wIBAzCCCZoGCSqGSIb3DQEHAaCCCYsEggmHMIIJgzCCBAcG + CSqGSIb3DQEHBqCCA/gwggP0AgEAMIID7QYJKoZIhvcNAQcBMBwG + CiqGSIb3DQEMAQYwDgQI9ntjM/dRXJcCAggAgIIDwPCBNNqkaKJb + C7I+XkLqAUIAhusY/831rFEQ+Vw5cGXKP02cBACjphfNS6oDKXqv + mGF8T07DwdiZYrzrTxbLH1D1RPEvE8PFCEfl983N5ZaamgXYlYFp + Xo/HyZbB852DZovZGRYTzsZTEGEjnJZKSEa/kVBEz29fM0mCE7bo + 3z5ZNkNS1J/y31MIfQfLrIGkP/4CYK7TZNIBYvjvI1J5nubDntIH + l7N7UjA4xck3dSiueMLfn6uAYs4MprkcSH9poDDdaDEaduG3onJb + QMtCYmWaXhJBD3jsJ/Xtf8DbX2V+BqwltZRAf9u/2z8p6MME4BlH + a8uJs6NnplPPiXkc4ljfZaKUxtICv+ffEfb3RRvXr2B2yeV1SB1L + 3UbPoZkDwOD1lobmEk4JoFuHOlhrB6U8BE8iJSevS8izppEE/gEK + X3mBZOrriOB79Lba8o0TubXtXSNvZvQsNq/JyUMgnCLvZrrwtkgR + Yh0bAfn59BARj1kudJqHisBGMH6VxC3A4kvwiM/DWtair07XotuV + VIIVQrGQt+AKkVE+c0e9HtrIaiNwULSscwGtUZHyzhRp5XOcfvZc + YnF/mFZ8FXQ82iAgQ09W6xdyxhJVeD1QkvzTM71Lu27Qk0Jsyjd8 + XkwRx/+Txi0FeaNbfYxV9hezHug7nDpsnN15whlRFSf1mtppi9/c + HuE9uU9nXViBOepBIKQO4K1wzI0uApocSK5+9ov1bljPInos8DgE + NpDfK7nIi0FNVvC5qE3Mrh21OWQEIY3WfTmbXbL3y7H5RXhiziDh + uxy1ygiVXUN4wUDs6muUp6GAHbCmAhCfedoFuUnnQHlYOtU7/oUn + GHkCBrkbQmsUGn1WrFpfUcYKCYAZNkwe9afENpRHYsY343lB0ddV + +zUqE7eIe0YMcT+pT5VC5hECHfTiKyMACdyy9jxt+3D/rj0CaZgq + oEaWkXaJheASOC0LCltF5n0eXf0IsWg4+TlWa+bFyxXuns8bC1CW + kjkX3hs/T3ukobUOqcMa4DxqGdP0i7QJU6UwIBfLSZM39wYO1TSZ + SBgiFZteJcgAiZPHT+CGeCrHo3wJtK7tRwwClj0AKCj3bA6TZ+A9 + EYU7uk+yH6CmTokTqYP3HPtFepM1Egoq6HNzPtGL4MSENS8bv+MV + PgT+ngQ8jNv2JbTgV9+9S7aBVNRwmXTWsycIx09BwtIdd9yzdCdP + j2mpGNHb7Lp8hXrBBq/++YRsj6qzFc1mGRaSC2hvRikubv+VwlQO + OWYjdcN3oIJyKp1/bPQ4JDCCBXQGCSqGSIb3DQEHAaCCBWUEggVh + MIIFXTCCBVkGCyqGSIb3DQEMCgECoIIE7jCCBOowHAYKKoZIhvcN + AQwBAzAOBAj2uSTot7GrhwICCAAEggTIzC+4/R1SQCLyZN2OSghy + DAMNx+Y//FbgcOKOMMltOlt0Ppyx/GEbyl6e0H+SlBiLqbPIJUaW + oCcT8zLNKVrWSwVJyeINs64IS/xSlVjKxscpPyyTVQ4sBo0HMSZv + FtKTlZU+2YBOboHu7jMArr4r57JtV4k60JaPNLfpnWCHlqd985Cp + KzmYNgQJ4gwuvYSD8jJ+Sjf96DSrn8xzMPQGsOxVmjf5t7OcSQ5+ + 6zucqgfCNSfkdpcwMHFyW+JQGZwcdq4PKAxIrMqe3x2nVQTkdFuq + XCPd0Wqk//ZjubzymK80S0OoElfa30ahbRPTdYoHzE+w9GypviXl + tdUqIwxaKrfAt0cADb8gMIpQUQL6CXJrihxLTSsX5Ku4XMps3T5r + esshoCsPfLXGdiCmpU//ueRnEc8zBiBfcV65XO7LCmF9wj5jy1Ql + W/W2Lvs4CnKDZbl5wL2EaQAPaUjpBq0NpPW+xC92uvFWrDaB4pZp + xIVoiNrx8jOeHlXhxJvLAfCsJH65AHKYSlSW0bdVD8RhxVB4Cj0I + +vpj9M+4ZeGgF6JaT8LoJkpcNAZdsipUQJlWjNuPOeInyKnqONVA + 7tfL772m7AAKD564KY/D4iAu1j6kI/flLlJiulBRlJb0jMjiMszA + cGfb0WCKyIMGg6lNl999lk0w7Ib9aQ8OIM1PYqtx45CS0QNPlKEQ + 2esa0Npfr+ojhbWAKc1WdYbI/CKC4K4UdswBX8Kyq0yvhuuguAyi + ZBl3pPUSrV89WAjcHs0uKeC4k6GzBagRBpDz0evKwxwrW9bL5u5b + YYedFN6i/n7v+i6SsuQxNeXIBuldwf4Hu+an87FhJxIm/LTSJULk + IQ9Iz74XCMHnXOQL8aqZZG+ctRursHDRk43hHQ4W78dr7CWlACpo + w3+9ZyFaLSjzNcBGuozdSYM8o94gp9FNpPuqKHvv6CDD+MRG96Oa + 4ZCGYaY1byBBhHG+Yq7cQ1uHh59nlNk5xrOoJAHMPvP4n9WGyqeL + R66V9glFhbIm8wkJagXoVWgkOwfZm2UQsDEufVJEi0MjfU2pX0kj + DscWXETOmUT/b+KRpzanLpUhbpTS6VJY9+jobMGQE+PxzQVIAOMu + GJ9aK2aF7XbB/RyZaP/xYufqHyLtToZTtxYGV2UMqQ7FBdrmMw1u + O68ZXkL9H5GDfmWxJxQw+fvDeNkjZ752Up5DvH7myqvzZraoT26l + oUDv/F75YBG+HBnkUdzGwWlYT+bvJwDBsW3h4bkEtLKeSMmeGMYg + GfJp2K3QMiPFfJHw+G09etyZRv8gZbb0HJPRU/KFBpzxUg1K4PVe + JjHxrVrNPAGfMMH1pR7brys7PvU+LxMtvW2EhM2dhn/Lq8EtAm77 + SqZjcg+PS9gTdSy6C5MgZ0opQ04HbB/CBchj9ObxbUX9jznTFIfi + Cichl2NcoC7ATG1fR/Rwrb1LHSvnlaUG8wgWFRkttKcQtN0W51Cy + VYUx+LxXTfmqO69gKlDRM6wXpx2w32wlf55mq1e6MdAuT3tY2StP + gsxMbxpfBlqcUB8V9qtzi/WKwZTQWQy0HjRZvkMJKvRBsmbFypjy + NFdLpAkSCkXlgRU/gVfD7kvJsxPxwKBeOmkAFemznFyeEV7PhDti + MVgwMQYJKoZIhvcNAQkUMSQeIgBtAGMAeAB2AGEAbABpAGQAYQB0 + AGkAbwBuAF8AcAAxADIwIwYJKoZIhvcNAQkVMRYEFBUhAgMlyuWe + g9kWLfm1P6Zew/8xMDAwITAJBgUrDgMCGgUABBSdQ17+FKELEL1Y + BEdyH55ZZP2AuQQIXL1je1c7MRgCAQE= + + PayloadDisplayName + CertificatePKCS12 + PayloadIdentifier + com.example.mycertpkcs12payload + PayloadType + com.apple.security.pkcs12 + PayloadUUID + 25cdd076-f1e7-4932-aa30-1d4240534fb0 + PayloadVersion + 1 + + + PayloadDisplayName + CertificatePKCS12 + PayloadIdentifier + com.example.myprofile + PayloadType + com.apple.security.pkcs12 + PayloadUUID + 918ee83d-ebd5-4192-bcd4-8b4feb750e4b + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.security.root/example1.plist b/examples/mdm/profiles/com.apple.security.root/example1.plist new file mode 100644 index 0000000..940d50a --- /dev/null +++ b/examples/mdm/profiles/com.apple.security.root/example1.plist @@ -0,0 +1,75 @@ + + + + + PayloadContent + + + PayloadCertificateFileName + CertificateRoot + PayloadContent + + MIIFkjCCBHqgAwIBAgIGAVGFkFcjMA0GCSqGSIb3DQEBCwUAMIHN + MV8wXQYDVQQDDFZDaGFybGVzIFByb3h5IEN1c3RvbSBSb290IENl + cnRpZmljYXRlIChidWlsdCBvbiBHcmFoYW1zLU1hY0Jvb2stUHJv + LmxvY2FsLCA4IERlYyAyMDE1KTEkMCIGA1UECwwbaHR0cDovL2No + YXJsZXNwcm94eS5jb20vc3NsMREwDwYDVQQKDAhYSzcyIEx0ZDER + MA8GA1UEBwwIQXVja2xhbmQxETAPBgNVBAgMCEF1Y2tsYW5kMQsw + CQYDVQQGEwJOWjAeFw0wMDAxMDEwMDAwMDBaFw00NTAyMDQwNzA2 + NDdaMIHNMV8wXQYDVQQDDFZDaGFybGVzIFByb3h5IEN1c3RvbSBS + b290IENlcnRpZmljYXRlIChidWlsdCBvbiBHcmFoYW1zLU1hY0Jv + b2stUHJvLmxvY2FsLCA4IERlYyAyMDE1KTEkMCIGA1UECwwbaHR0 + cDovL2NoYXJsZXNwcm94eS5jb20vc3NsMREwDwYDVQQKDAhYSzcy + IEx0ZDERMA8GA1UEBwwIQXVja2xhbmQxETAPBgNVBAgMCEF1Y2ts + YW5kMQswCQYDVQQGEwJOWjCCASIwDQYJKoZIhvcNAQEBBQADggEP + ADCCAQoCggEBALZ+RVqfvyCzq6/q+kS3BdntLhaJi22GlOoHyx4L + qgZl7T+wjjZ8gdM6lIm6P7WiKN86tVEqP/7rH6m5t/3IHMnE279H + N6NSsiAkCw8WQiMkqxxJj4bBhuUcNP84d9b2zTqUqAbklQCuy/DA + /rxJqcsbvqkbToJA5bWBX0wrGlpXlGr5do/K5t7bxpERh6T/m7W6 + S4Gc7ad3+l6izeue+8M5onCqXyu9Xcj+3wrXmzcndlNCv4mMvHEj + Rpun/k5ECPBqju6jDou3YMCVOGMaRNZPagk2s/rFykY6mUfYG9Nl + XRHP7zvtlxWyocsP7MoiXF3RtKZ+/A58T3cOs9/ZsvMCAwEAAaOC + AXQwggFwMA8GA1UdEwEB/wQFMAMBAf8wggEsBglghkgBhvhCAQ0E + ggEdE4IBGVRoaXMgUm9vdCBjZXJ0aWZpY2F0ZSB3YXMgZ2VuZXJh + dGVkIGJ5IENoYXJsZXMgUHJveHkgZm9yIFNTTCBQcm94eWluZy4g + SWYgdGhpcyBjZXJ0aWZpY2F0GSBpcyBwYXJ0IG9mIGEgY2VydGlm + aWNhdGUgY2hhaW4sIHRoaXMgbWVhbnMgdGhhdCB5b3UncmUgYnJv + d3NpbmcgdGhyb3VnaCBDaGFybGVzIFByb3h5IHdpdGggU1NMIFBy + b3h5aW5nIGVuYWJsZWQgZm9yIHRoaXMgd2Vic2l0ZS4gUGxlYXNl + IHNlZSBodHRwOi8vY2hhcmxlc3Byb3h5LmNvbS9zc2wgZm9yIG1v + cmUgaW5mb3JtYXRpb24uMA4GA1UdDwEB/wQEAwICBDAdBgNVHQ4E + FgQUcc8I4xXSdaFRISmIwGeCqhY6nhwwDQYJKoZIhvcNAQELBQAD + ggEBADBuM0VZmxjQejORsGewl0Oy3K/Lfm5+STHiZH+cWACIQF4K + EUMuf13/Hxy9EZbtckgDyOlT4lMge7PKYw/qrVo2Zm4xj1cVOHef + +H4jRwoQ7UZBUAQhsQDMow408F6A6UY/AGdIGcrUp/ulQmMNr5+6 + yTnzm1RiMjajpTi9oxxV+1oUVSIMu7nk9qFplbCjEPxU8UB2R0YV + d2vhaEdrdq1LwGTWj5sJiVBaFdzIu/ABV+H2Frij2wASrv1JdR2b + uDTfgTacGqkfm6ajIlF5JyqXe1ZlIb38mlelg5maZNPjsljvNQ+F + SnOctNmcbAmvH9FxsQ/wYThbkYM63Dii9EQ= + + PayloadDescription + Adds Certificate Root + PayloadDisplayName + Example Root Certificate + PayloadIdentifier + com.example.mycertrootpayload + PayloadType + com.apple.security.root + PayloadUUID + 6a20a2f5-97e5-4fd5-ac76-0d7708778e68 + PayloadVersion + 1 + + + PayloadDisplayName + CertificateRoot + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 6594337c-742b-4841-bbed-76d79cdef34e + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.security.scep/example1.plist b/examples/mdm/profiles/com.apple.security.scep/example1.plist new file mode 100644 index 0000000..eda3bde --- /dev/null +++ b/examples/mdm/profiles/com.apple.security.scep/example1.plist @@ -0,0 +1,72 @@ + + + + + PayloadContent + + + PayloadContent + + Challenge + Example + Key Type + RSA + Key Usage + 5 + Keysize + 0 + Name + example.org + Subject + + + + C + US + + + O + Example Inc. + + + CN + foo + + + 1.2.5.3 + bar + + + + SubjectAltName + + dNSName + example.com + ntPrincipalName + hostname.example.com + + URL + https://hostname.example.com/ + + PayloadIdentifier + com.example.myscepcertpayload + PayloadType + com.apple.security.scep + PayloadUUID + c0264fd7-1d89-4385-8806-759fbe78a622 + PayloadVersion + 1 + + + PayloadDisplayName + SCEP Certificate + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + bc0328a9-c199-4572-9e5e-ed59a73454fa + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.security.smartcard/example1.plist b/examples/mdm/profiles/com.apple.security.smartcard/example1.plist new file mode 100644 index 0000000..323ce0c --- /dev/null +++ b/examples/mdm/profiles/com.apple.security.smartcard/example1.plist @@ -0,0 +1,41 @@ + + + + + PayloadContent + + + UserPairing + + allowSmartCard + + checkCertificateTrust + + oneCardPerUser + + tokenRemovalAction + 1 + enforceSmartCard + + PayloadIdentifier + com.example.mysmartcardpayload + PayloadType + com.apple.security.smartcard + PayloadUUID + 88f7336c-d9f6-44d1-b486-11e4080e2223 + PayloadVersion + 1 + + + PayloadDisplayName + SmartCard + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 85091214-a32f-4131-8b03-0045e5d81c42 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.servicemanagement/example1.plist b/examples/mdm/profiles/com.apple.servicemanagement/example1.plist new file mode 100644 index 0000000..4a76338 --- /dev/null +++ b/examples/mdm/profiles/com.apple.servicemanagement/example1.plist @@ -0,0 +1,70 @@ + + + + + PayloadContent + + + PayloadIdentifier + com.example.myservicemanagementpayload + PayloadUUID + 0d4e2ece-dfa7-4103-97ff-e91a9f842a1d + PayloadType + com.apple.servicemanagement + Rules + + + RuleType + BundleIdentifier + RuleValue + com.example.myapp + Comment + My Example App + + + RuleType + BundleIdentifierPrefix + RuleValue + com.example + Comment + All apps from Example + + + RuleType + Label + RuleValue + com.example.internal.tool + Comment + Job to run an internal task here at Example + + + RuleType + LabelPrefix + RuleValue + com.example + Comment + All jobs to run internal tasks here at Example + + + RuleType + TeamIdentifier + RuleValue + ABCDE12345 + Comment + Another way to specify all apps from Example + + + + + PayloadDisplayName + Service Management + PayloadIdentifier + com.example.myprofile + PayloadUUID + 03cca12c-a610-44c2-96f9-fdabe3acd47d + PayloadType + Configuration + PayloadScope + System + + diff --git a/examples/mdm/profiles/com.apple.shareddeviceconfiguration/example1.plist b/examples/mdm/profiles/com.apple.shareddeviceconfiguration/example1.plist new file mode 100644 index 0000000..7ba85e4 --- /dev/null +++ b/examples/mdm/profiles/com.apple.shareddeviceconfiguration/example1.plist @@ -0,0 +1,33 @@ + + + + + PayloadContent + + + AssetTagInformation + 1234 + IfLostReturnToMessage + Example message + PayloadIdentifier + com.example.mylockscreenpayload + PayloadType + com.apple.shareddeviceconfiguration + PayloadUUID + b10c0436-a51b-4119-b604-bd580f396723 + PayloadVersion + 1 + + + PayloadDisplayName + Lock Screen Message + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 588f1406-47be-47fc-9907-4e7955fb6d4a + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.sso/example1.plist b/examples/mdm/profiles/com.apple.sso/example1.plist new file mode 100644 index 0000000..286b6df --- /dev/null +++ b/examples/mdm/profiles/com.apple.sso/example1.plist @@ -0,0 +1,46 @@ + + + + + PayloadContent + + + ExtensionData + + useSiteAutoDiscovery + + + ExtensionIdentifier + com.apple.com + TeamIdentifier + RandomTeamID + Hosts + + .com.example.com + + Realm + com.example.com + Type + Credential + PayloadIdentifier + com.example.myssopayload + PayloadType + com.apple.sso + PayloadUUID + 02cdfc1c-3c53-434d-99db-c55ee62548bd + PayloadVersion + 1 + + + PayloadDisplayName + SSO + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 00d92c73-9844-4dc6-b742-eda33efbbf23 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.subscribedcalendar.account/example1.plist b/examples/mdm/profiles/com.apple.subscribedcalendar.account/example1.plist new file mode 100644 index 0000000..4384da6 --- /dev/null +++ b/examples/mdm/profiles/com.apple.subscribedcalendar.account/example1.plist @@ -0,0 +1,35 @@ + + + + + PayloadContent + + + SubCalAccountDescription + US Holiday Calendar + SubCalAccountHostName + https://holidays.example.com/USHolidays.ics + SubCalAccountUseSSL + + PayloadIdentifier + com.example.mysubscribedcalpayload + PayloadType + com.apple.subscribedcalendar.account + PayloadUUID + c23dd040-6f68-4af2-b840-62d1943236b5 + PayloadVersion + 1 + + + PayloadDisplayName + Subscribed Calendars + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + c360335c-3cfd-43d5-88c3-7e58e92821a9 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.syspolicy.kernel-extension-policy/example1.plist b/examples/mdm/profiles/com.apple.syspolicy.kernel-extension-policy/example1.plist new file mode 100644 index 0000000..68bd1ff --- /dev/null +++ b/examples/mdm/profiles/com.apple.syspolicy.kernel-extension-policy/example1.plist @@ -0,0 +1,46 @@ + + + + + PayloadContent + + + AllowUserOverrides + + AllowedTeamIdentifiers + + ABCDE12345 + + AllowedKernelExtensions + + + + com.example.mydriver + + ABCDE12345 + + com.example.kext.mydriver + + + PayloadIdentifier + com.example.mysystempolicykernalextensionspayload + PayloadType + com.apple.syspolicy.kernel-extension-policy + PayloadUUID + 3202f59b-3583-4e6c-82ae-776f3c815df1 + PayloadVersion + 1 + + + PayloadDisplayName + System Policy Kernal Extension + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + d9fa7f5b-713d-48f8-a8bd-219cf3061873 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.system-extension-policy/example1.plist b/examples/mdm/profiles/com.apple.system-extension-policy/example1.plist new file mode 100644 index 0000000..4cfc09c --- /dev/null +++ b/examples/mdm/profiles/com.apple.system-extension-policy/example1.plist @@ -0,0 +1,33 @@ + + + + + PayloadContent + + + AllowedExtensions + + com.apple.share.System.send + + PayloadIdentifier + com.example.mysystemextensionpayload + PayloadType + com.apple.nsextension + PayloadUUID + 3b378001-8cff-4bde-a6af-843fdb02f36d + PayloadVersion + 1 + + + PayloadDisplayName + System Extensions + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 2e880ad8-e49e-47af-b416-7e6c3fba9df2 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.systemmigration/example1.plist b/examples/mdm/profiles/com.apple.systemmigration/example1.plist new file mode 100644 index 0000000..36fd525 --- /dev/null +++ b/examples/mdm/profiles/com.apple.systemmigration/example1.plist @@ -0,0 +1,49 @@ + + + + + PayloadContent + + + CustomBehavior + + + Context + Windows + Paths + + + SourcePath + C:/Users/Documents + TargetPath + ~/Users/Documents + SourcePathInUserHome + + TargetPathInUserHome + + + + + + PayloadIdentifier + com.example.mysystemmigrationpayload + PayloadType + com.apple.systemmigration + PayloadUUID + 553d6db9-2704-4127-8384-003926e5b813 + PayloadVersion + 1 + + + PayloadDisplayName + System Migration + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 75157e67-d7ff-44ec-9ccf-8496be33864a + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.systempolicy.control/example1.plist b/examples/mdm/profiles/com.apple.systempolicy.control/example1.plist new file mode 100644 index 0000000..faa9c35 --- /dev/null +++ b/examples/mdm/profiles/com.apple.systempolicy.control/example1.plist @@ -0,0 +1,33 @@ + + + + + PayloadContent + + + AllowIdentifiedDevelopers + + EnableAssessment + + PayloadIdentifier + com.example.mysystempolicycontrolpayload + PayloadType + com.apple.systempolicy.control + PayloadUUID + f26fc0a5-09f4-4d71-9a5c-6f1a7d30e905 + PayloadVersion + 1 + + + PayloadDisplayName + System Policy Control + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + f379ac8d-8b9e-4e36-98e7-a43094d51e38 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.systempolicy.managed/example1.plist b/examples/mdm/profiles/com.apple.systempolicy.managed/example1.plist new file mode 100644 index 0000000..28d297f --- /dev/null +++ b/examples/mdm/profiles/com.apple.systempolicy.managed/example1.plist @@ -0,0 +1,31 @@ + + + + + PayloadContent + + + DisableOverride + + PayloadIdentifier + com.example.mysystempolicymanagedpayload + PayloadType + com.apple.systempolicy.managed + PayloadUUID + 4ceaeaba-dfb9-4eb2-a641-a89c472856f0 + PayloadVersion + 1 + + + PayloadDisplayName + System Policy Managed + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 4899fa10-e6e6-4d74-9fa3-64a2feb57c8e + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.systempolicy.rule/example1.plist b/examples/mdm/profiles/com.apple.systempolicy.rule/example1.plist new file mode 100644 index 0000000..74b3bd4 --- /dev/null +++ b/examples/mdm/profiles/com.apple.systempolicy.rule/example1.plist @@ -0,0 +1,33 @@ + + + + + PayloadContent + + + Priority + 101 + Requirement + anchor apple generic and identifier "com.example.myapp" and (certificate leaf[field.9.8.765.432109.876.5.4.3] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.9.8.765.432109.876.5.4.3] /* exists */ and certificate leaf[subject.OU] = "ABCDE12345") + PayloadIdentifier + com.example.mysystempolicyrulepayload + PayloadType + com.apple.systempolicy.rule + PayloadUUID + 624b5152-a1cd-4bac-baa3-51fbb1f04973 + PayloadVersion + 1 + + + PayloadDisplayName + System Policy Rule + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 7fa54f02-e6e1-4042-bb75-a2a4d962ac6d + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.systempreferences/example1.plist b/examples/mdm/profiles/com.apple.systempreferences/example1.plist new file mode 100644 index 0000000..ea27aca --- /dev/null +++ b/examples/mdm/profiles/com.apple.systempreferences/example1.plist @@ -0,0 +1,37 @@ + + + + + PayloadContent + + + EnabledPreferencePanes + + com.apple.preferences.users + + DisabledPreferencePanes + + com.apple.preference.dock + + PayloadIdentifier + com.example.mysystempayload + PayloadType + com.apple.systempreferences + PayloadUUID + 6e7d6ddc-70fc-4126-a0a3-c312c4e16e06 + PayloadVersion + 1 + + + PayloadDisplayName + System Preferences + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 28114fac-d230-484f-8747-4f3f1077f95c + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.thirdactiveethernet.managed/example1.plist b/examples/mdm/profiles/com.apple.thirdactiveethernet.managed/example1.plist new file mode 100644 index 0000000..990d69a --- /dev/null +++ b/examples/mdm/profiles/com.apple.thirdactiveethernet.managed/example1.plist @@ -0,0 +1,60 @@ + + + + + PayloadContent + + + AuthenticationMethod + + AutoJoin + + CaptiveBypass + + EAPClientConfiguration + + AcceptEAPTypes + + 25 + + UserName + user + UserPassword + password + + EncryptionType + WPA2 + HIDDEN_NETWORK + + Interface + ThirdActiveEthernet + Password + password + ProxyType + None + SetupModes + + System + + PayloadIdentifier + com.example.my8021xthirdaepayload + PayloadType + com.apple.thirdactiveethernet.managed + PayloadUUID + a001a09a-d40d-4535-83ea-b21c409a5949 + PayloadVersion + 1 + + + PayloadDisplayName + 802.1x Third Active Ethernet + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 77d92cd3-d303-4e2e-8c67-b6e67b30ba2c + PayloadVersion + 1 + + diff --git a/examples/mdm/profiles/com.apple.thirdethernet.managed/example1.plist b/examples/mdm/profiles/com.apple.thirdethernet.managed/example1.plist new file mode 100644 index 0000000..42a15c2 --- /dev/null +++ b/examples/mdm/profiles/com.apple.thirdethernet.managed/example1.plist @@ -0,0 +1,60 @@ + + + + + PayloadContent + + + AuthenticationMethod + + AutoJoin + + CaptiveBypass + + EAPClientConfiguration + + AcceptEAPTypes + + 25 + + UserName + user + UserPassword + password + + EncryptionType + WPA2 + HIDDEN_NETWORK + + Interface + ThirdEthernet + Password + password + ProxyType + None + SetupModes + + System + + PayloadIdentifier + com.example.my8021Xthirdepayload + PayloadType + com.apple.thirdethernet.managed + PayloadUUID + bffa7d6f-fd20-45c0-a5f4-6fc5bd37c23f + PayloadVersion + 1 + + + PayloadDisplayName + 802.1x Third Ethernet + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 05c2aeaa-954e-4704-87a6-e4cff93cfd25 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.tvremote/example1.plist b/examples/mdm/profiles/com.apple.tvremote/example1.plist new file mode 100644 index 0000000..12c2bda --- /dev/null +++ b/examples/mdm/profiles/com.apple.tvremote/example1.plist @@ -0,0 +1,38 @@ + + + + + PayloadContent + + + AllowedRemotes + + + RemoteDeviceID + 10:10:10:10:10:10 + + + AllowedTVs + + PayloadIdentifier + com.example.mytvremotepayload + PayloadType + com.apple.tvremote + PayloadUUID + 696eb2c4-df9d-463f-b74a-685dae845fac + PayloadVersion + 1 + + + PayloadDisplayName + TV Remote + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 3de47695-ad92-44f5-9bc9-f1b2f2c7727b + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.universalaccess/example1.plist b/examples/mdm/profiles/com.apple.universalaccess/example1.plist new file mode 100644 index 0000000..838fbd5 --- /dev/null +++ b/examples/mdm/profiles/com.apple.universalaccess/example1.plist @@ -0,0 +1,31 @@ + + + + + PayloadContent + + + stickyKey + + PayloadIdentifier + com.example.myaccessibilitypayload + PayloadType + com.apple.universalaccess + PayloadUUID + bff2939d-cb4c-4f6d-8521-e26bc7c03e96 + PayloadVersion + 1 + + + PayloadDisplayName + Accessibility + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + e7b55cc7-0d94-4045-8868-dcc1b1c58159 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.vpn.managed.applayer/example1.plist b/examples/mdm/profiles/com.apple.vpn.managed.applayer/example1.plist new file mode 100644 index 0000000..46983f9 --- /dev/null +++ b/examples/mdm/profiles/com.apple.vpn.managed.applayer/example1.plist @@ -0,0 +1,191 @@ + + + + + PayloadContent + + + IPSec + + AuthenticationMethod + SharedSecret + OnDemandEnabled + 0 + PromptForVPNPIN + + + IPv4 + + OverridePrimary + 0 + + OnDemandMatchAppEnabled + + Proxies + + SafariDomains + + foo.server.com + *.server.com + + MailDomains + + foo.server.com + *.server.com + + CalendarDomains + + foo.server.com + *.server.com + + ContactsDomains + + foo.server.com + *.server.com + + UserDefinedName + Per-App VPN + VPN + + AuthName + example + AuthPassword + password + AuthenticationMethod + Certificate + DisconnectOnIdle + 0 + OnDemandMatchAppEnabled + + PayloadCertificateUUID + C9BF4927-E819-4521-88DE-2AEB6E1DC3D8 + RemoteAddress + example.server.com + + VPNSubType + com.server.server-example.vpnplugin + VPNType + VPN + VPNUUID + 9F658A35-2B0F-4D5E-872D-61A9130FE882 + VendorConfig + + PerAppVpn + true + + PayloadIdentifier + com.example.myapplayervpnpayload + PayloadType + com.apple.vpn.managed.applayer + PayloadUUID + 5A015006-D559-4C5C-B197-737CF4DCFA96 + PayloadVersion + 1 + + + Password + password + PayloadCertificateFileName + identity.p12 + PayloadContent + + MIIL2QIBAzCCC58GCSqGSIb3DQEHAaCCC5AEgguMMIILiDCCBj8GC + SqGSIb3DQEHBqCCBjAwggYsAgEAMIIGJQYJKoZIhvcNAQcBMBwGCi + qGSIb3DQEMAQYwDgQIqckvWPHWFRUCAggAgIIF+N4kXpz9g4BBBmU + T/e+KS5OjAlhPyjtLfXvoKVo0G2MOF4cVrMXr3inoOUc+dOTYEN8y + 7Rt2ls3XzDZCHXikDYFGg8fz7sDgNMJGwsZFdkCqxo0OJcDdJY0e3 + GQZr6MfJlkADFBrJW8rTV2TPiClxUatTjEQBRUlEU0Z6x83f1LzoX + Xkkn5PFsd002Bjg2eVwe4bA9i2EbFbA2XVDXJ0AOnegV0GOXGJRfM + 4UWQZdR5mnLICTOzLAFi+k+MfkhBG3tTyiisRcSpDhxCWMIIVCjsR + 6TfDFt0PDi4OfmVqPyeRro2Kf8DjE6iZmc2rdin3d3YLOJAkixK/6 + gTMeCBXqv1IMDbIlOzOtM4dNopxZttzmuDg+vUWiworJVBnHfYMT0 + Vtimxv2ER7CAGNWD4pxhetR1iiBnaLQI1lU4DfcPpPxvL9uUx9PDX + AqAN6uAXoE4Sc0z5Dym73j6T6tb8mNB0Pf2TSxrm2af0bMTTPqEM2 + 6i0fqCGhLeU5eB2fq9ED5X6+JjB15Kns4bNVvetS+5HOC59UGBFSS + 9i3vj4SzLqIJ4zFbjltkTl/uWDr4BA3kydIbkD/RNqKlvGEjV3e59 + Y87H4LlN/xwAsM86ht8juR1IhzT6+fj4i2qXdrHRAWTovB6OtPMML + aAgiRgZqwxnx8UXEG3q6RkMqbhph7O4j3HNgKAW+Z72J/b39ZS0Yv + ghIfGFsHsrypD4BNqvHaYxJhT3ORscW+M05oQ0vn+hBMs5mPq3mJu + 3Lj2j8xA42Q+XAgZM8w+eCwgYx2AxtOYJuC+mOYTWpb1E7m5Kwx6m + gANXVurmhEL0KbzzgAg/FMW8EkI9+rZNXpo0wjxCsqSA8NFsAuCHl + gwJ+A5ifE19gOQqmZ6c4xtHRtxBQ/MO977UKJ8+gV/o/r+DVi5yQ/ + /4CSZkMgdb+kzoWVB/5wzOZrJKqCQJ/+3P0KEk3utamMy8Nq0ubyB + 7r5f6pGcIqQ/gyYqLVFszTYKgwqea22jydboJRXW6fiDXFvI42K3f + 9lQUw7BfwpKaCWo2/bEzYpAz0/EfVKnpQoyfMnnbE/ev8U2VLuiZ5 + 1DnLtsK6hS+rxQiH9yx7K+IQgGuj5ARuyQnwWgKrK6rna3b1GP8Fp + pVH/E+XR4k9q7aY8lyyDaz6kZ+78SveVNtbDE8ClhyVmqVWC67B7A + G7jq/61ovb1auN2nuY9QyTUKrEtVPmfoZmdE8rn7qkZUm/sQAQLB8 + E4bA1w7dlC6ENFKdHLsXNmow+nUuf+gumiD7T32pDtknVl4guQzbP + BXzTS3J6UyvkSA+TXGpzpbV47BFOeAgQMD1BX06vlIqqLkkaKu5hd + LdajmGKbZaL2RHgMsGIE0eRRN9725GNIH0PtytkqieuOdfft2D8Ug + CFtY/KJM9GystQDV6NggbgcHIFsLct8m+QqJRs3UlBKtqCs1pbySS + 8gdHERyFG/zC5T9yft/tLva0b/YDetq/YzwcZqbfcde/LimuQYe9z + RtQqVlYjpZctCJnIleIn1QtLNuf0GVVrFkHGz7zWhxU1VB8C0+jsB + Mz2BP9DZar3Gx4GVyizAf6i9DvyxlY0qjIo2cSAa9XvfVqrtCCPc5 + mu8c+oMlurUljmvcVKOsNsAPW6iB5o22mPFjr3quq1oNgBpmZ2Z7d + VmOEQww99Bi7FyHCe2Ti5IDXSzBklfeiYNyCgZnEjLbzEXMPK0sN2 + oFHwcdU6OWKfz5MjS4aMm7sUOULUAuP8xy7VArlyb14NVIzhJc5fu + RYc+vH+K+wHtpcQeNqdBftVd5SllVEgJTKqfSxZbPEC6u0skczudD + tCR4zHSvYbR1gvVAcpQ+XGBgNVqUCwwM+ctroWpKmYJ3YrwXtGf+T + KWV99IJLso7MtKBKUFQWXNOQBRgMFQuJ4i3hztaupTEQVuka3qhco + cak3R242G3P1prlvQNmi6HI3t4jFND+z5DzrsgW11fc/pOgEM6UpB + Al6WZrSKN+5rJEmGq8tB+GHQ0cELhaNlDgBtqkvcisdf/49VkU6aH + qJWafQ3HCkwggVBBgkqhkiG9w0BBwGgggUyBIIFLjCCBSowggUmBg + sqhkiG9w0BDAoBAqCCBO4wggTqMBwGCiqGSIb3DQEMAQMwDgQIrOA + 9tf9ADYICAggABIIEyBZLrSiXbZV1TOqk+2KsrCLj915uIgLakWDP + YE/f+Puxok/RW/ohdOEV2555WQxR4ip1edvCzKYGYomGLDqimo/c8 + /I0WEjlY7aOgxTz1Vd5MtFFYxRMlSpB+v9/hoR63VwH8VD9gHL3Xy + 8Dg/L0QsdUZ6UTjKD9Apl6L7FgmTczoalM1NBtuy4mMYtkzznZMmD + mgRsONa/nLB8XcCIoIycHA/qDtDDquNplPsFsoXqvUHsWhidP5jW0 + 2fg3WdT9TDPWiJ8qRhvii0LlNAGhjreH5/tClKiTj4ez+o8vmEn0O + s37jgtzutJYN2h5w2CnsgxGV6Ks2lxkowFx0WL3PHELIN7yWp9z9U + yY/OItkVLuJNxqk4+LkqIrL8M1aunp+c8CV1oT2sjg7uPQjm6ppoX + UmhpmY9UBBNhXVeN+ww6mAOCnz9XhwBW9vMTMf3vBjCl68ce4vTCX + qX7O8DHcPNQ1qhVl/3OlUnJQkqyuwBmd7PCDJuPcC1uNEnfQ9QvB1 + AQFzXeJkW3R0oQDM3uVLKcNN32XID0pD/Dq3DY2hA2XW8nP4Ihf4M + 3eirDu/s9CfmEJ0tDSlEBOYmwyFvsQqzFTtQ6I1yF7CzMCxmBHgmM + iq5j5zgwIGylWr2vgLT5zP9QFULxoR/CqiQxjXnOtrEjAR2EH4IpD + bd1nB+WXJdOLBQwWK9eNU1zLAiLP5wAHFVD1wJ4ULxxparWgyzPlM + pIjsVHgsosrOjZKCGHTiza5VE7Ww+0KeWDzoAz1gwsaqAosTy0Joa + PosbVLMPYXAvePR6Tz98vLUkGhIrZAFUxVSfUqKCCD9WhZ5gdAtPL + by88p2iJG/Vzd6Y1JwDbe1l80GuxDf/z0Z+mhErx6Y/teBIcGENsS + ysohOu65/i/3Ezu4CfKBdxKYx61BSBRrDHBqcb3Q3SUjI+Btg3iJ3 + ao26ZR+7Pb4qxCkrn5aEf+oHsUqNS2zpxXo4MEy0S0Tnn4KYCvtkW + m6/mHuWgqC/IYnFmDff4T+rngkgRQKqJ9eCbOMjqZCTY+UwvNHGxd + upnmHmiDDChB025QJJjCvSQbGA5p1FeKGUkfFb37VX0KpzoB0D7Us + KMu2lQxhCyS92dHd94ytlBFhMsFmduiz69IU1EosIEHqE2LiRjcAa + ZKPxOurKP7r+MwvUNbxSYfARrib9oWgj2YS+W27mZ5IAiGvPchuIM + 5yZ2uWgzOQdKhr5z8WUt2YF7g5hkcOwFY8krrMElqXEudAJv0CdW0 + dbQYg3mR4gbcNSgsg7w/iPlkRI/XIoxmlokjkO+wiZ1BJsE9kwSzU + olGKL9c/YPVGmtQjFS47DA/HmaELwZBUZl1ZCZ6EGrIeZQ6Dr/ZkK + XDpS2yOMAn3h3IKHT52dxO+Efb6YdELU7Bm8D3gL5TwvbjBcKDaf4 + GiZMTyGdw+ZH795Yuoj/F2HciMwqDTmrt/OFV5APjbZLx6FJrbC0r + AtrgGy54AMVDZMJnzZuc8SGgl8AN1u51zEr3b+KCGDunOYoLQZhs7 + 0IYDSOZmEBLFVUGNUgeG3p2At1OAnwpblRLg+Xw21JXNlk3KUYicK + uJaNkGRmKGxGhG4lFZhi/JZiwuBvCrPZd3CjUzDJ0JZPZDHgkAf7Y + 5XOwdkrTElMCMGCSqGSIb3DQEJFTEWBBQAFBOqYFJlbkBoqPfCMK5 + F1BXODDAxMCEwCQYFKw4DAhoFAAQUhxd6YPi7JKB/24dSls9gKO/D + HVoECHap2RUyKvQTAgIIAA== + + PayloadIdentifier + com.example.mypkcs12payload + PayloadType + com.apple.security.pkcs12 + PayloadUUID + C9BF4927-E819-4521-88DE-2AEB6E1DC3D8 + PayloadVersion + 1 + + + PayloadDisplayName + App-Layer VPN + PayloadIdentifier + com.example.myprofile.applayervpn + PayloadType + Configuration + PayloadUUID + D95CCE2A-F0A7-4687-B03E-5784F3F0F575 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.vpn.managed.appmapping/example1.plist b/examples/mdm/profiles/com.apple.vpn.managed.appmapping/example1.plist new file mode 100644 index 0000000..98f6f2a --- /dev/null +++ b/examples/mdm/profiles/com.apple.vpn.managed.appmapping/example1.plist @@ -0,0 +1,104 @@ + + + + + PayloadContent + + + IPSec + + RemoteAddress + 10.0.1.42 + XAuthName + username + OnDemandEnabled + 0 + XAuthPassword + password + AuthenticationMethod + None + LocalIdentifier + outside-psk-full + PromptForVPNPIN + + + IPv4 + + OverridePrimary + 0 + + Proxies + + UserDefinedName + outside-asa-ipsec-full + VPN + + RemoteAddress + 10.0.1.42 + DisconnectOnIdle + 0 + AuthName + username + AuthPassword + + AuthenticationMethod + password + + VPNType + VPN + VendorConfig + + Group + + + VPNSubType + com.cisco.anyconnect.applevpn.plugin + VPNUUID + beb2dc33-280d-48ce-a2f6-9e164cccc18a + OnDemandMatchAppEnabled + + PayloadIdentifier + com.example.myvpnmanagedapplayerpayload + PayloadType + com.apple.vpn.managed.applayer + PayloadUUID + 6A0806DD-6BA7-41A0-A612-FDE7D4B6959D + PayloadVersion + 1 + + + AppLayerVPNMapping + + + VPNUUID + beb2dc33-280d-48ce-a2f6-9e164cccc18a + Identifier + come.example.firefox + DesignatedRequirement + anchor apple generic and certificate leaf[field.9.8.765.432109.876.5.4.3] /* exists */ or anchor apple generic and certificate 1[field.9.8.765.432109.876.5.4.3] /* exists */ and certificate leaf[field.9.8.765.432109.876.5.4.3] /* exists */ and certificate leaf[subject.OU] = "ABCDE12345" + SigningIdentifier + ABCDE12345 + + + PayloadIdentifier + com.example.myapplayvpnmappingpayload + PayloadType + com.apple.vpn.managed.appmapping + PayloadUUID + 3B9E6DC0-1644-4CD1-908B-C970F7213F2D + PayloadVersion + 1 + + + PayloadDisplayName + App to App Layer VPN Mapping + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 6E65044E-AEDC-4671-ACF4-80042CD53B2D + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.vpn.managed/example1.plist b/examples/mdm/profiles/com.apple.vpn.managed/example1.plist new file mode 100644 index 0000000..3c3b15a --- /dev/null +++ b/examples/mdm/profiles/com.apple.vpn.managed/example1.plist @@ -0,0 +1,65 @@ + + + + + PayloadContent + + + IPSec + + AuthenticationMethod + SharedSecret + LocalIdentifierType + KeyID + SharedSecret + + UVhCd2JHVXhNak1o + + + IPv4 + + OverridePrimary + 0 + + PPP + + AuthName + username + AuthPassword + password + CommRemoteAddress + vpn.example.com + + Proxies + + HTTPEnable + 0 + HTTPSEnable + 0 + + UserDefinedName + VPN Server + VPNType + L2TP + PayloadIdentifier + com.example.myvpnmanagedprofile + PayloadType + com.apple.vpn.managed + PayloadUUID + 74615F25-3B51-4386-A31B-ACB1F1094EF9 + PayloadVersion + 1 + + + PayloadDisplayName + VPN + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 01E7F1C0-2DD0-4E36-82FF-EC6F29BB6C45 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.webClip.managed/example1.plist b/examples/mdm/profiles/com.apple.webClip.managed/example1.plist new file mode 100644 index 0000000..3e6213d --- /dev/null +++ b/examples/mdm/profiles/com.apple.webClip.managed/example1.plist @@ -0,0 +1,41 @@ + + + + + PayloadContent + + + FullScreen + + IgnoreManifestScope + + IsRemovable + + Label + Example + Precomposed + + URL + example.com + PayloadIdentifier + com.example.mywebclippayload + PayloadType + com.apple.webClip.managed + PayloadUUID + 1d6d6912-708e-441a-9272-526ef05bbe3c + PayloadVersion + 1 + + + PayloadDisplayName + Web Clip + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 289fc7fc-2870-479d-b30f-8d0592b7ef04 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.webcontent-filter/example1.plist b/examples/mdm/profiles/com.apple.webcontent-filter/example1.plist new file mode 100644 index 0000000..5f3c6b2 --- /dev/null +++ b/examples/mdm/profiles/com.apple.webcontent-filter/example1.plist @@ -0,0 +1,45 @@ + + + + + PayloadContent + + + AutoFilterEnabled + + DenylistURLs + + https://notallowed.example.com + + FilterBrowsers + + FilterSockets + + FilterType + BuiltIn + PermittedURLs + + https://allowed.example.com + + PayloadIdentifier + com.example.mywebcontentfilterpayload + PayloadType + com.apple.webcontent-filter + PayloadUUID + fb5d598f-0a96-4b77-9702-9edfc3417601 + PayloadVersion + 1 + + + PayloadDisplayName + Web Content Filter + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + b510e0c6-dc81-4b62-88d0-6a3ef82925e7 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.wifi.managed/example1.plist b/examples/mdm/profiles/com.apple.wifi.managed/example1.plist new file mode 100644 index 0000000..d93430a --- /dev/null +++ b/examples/mdm/profiles/com.apple.wifi.managed/example1.plist @@ -0,0 +1,52 @@ + + + + + New item + + PayloadContent + + + AutoJoin + + CaptiveBypass + + DisableAssociationMACRandomization + + EncryptionType + WPA + HIDDEN_NETWORK + + IsHotspot + + Password + Password123 + PayloadDisplayName + Wi-Fi + ProxyType + None + SSID_STR + Example + PayloadIdentifier + com.example.mywifipayload + PayloadType + com.apple.wifi.managed + PayloadUUID + 94c487e0-d6f8-41e3-b66d-a89994e6919b + PayloadVersion + 1 + + + PayloadDisplayName + Wi-Fi + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 71e9b0f7-02f8-4aea-b365-b381d872909a + PayloadVersion + 1 + + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.xsan.preferences/example1.plist b/examples/mdm/profiles/com.apple.xsan.preferences/example1.plist new file mode 100644 index 0000000..bc1f0ad --- /dev/null +++ b/examples/mdm/profiles/com.apple.xsan.preferences/example1.plist @@ -0,0 +1,47 @@ + + + + + PayloadContent + + + useDLC + + denyMount + + bob + + denyDLC + + bob + + preferDLC + + bob + + onlyMount + + bob + + PayloadIdentifier + com.example.myxsanpreferencespayload + PayloadType + com.apple.xsan.preferences + PayloadUUID + 1addfbe1-d696-4143-bec1-7cfa4121fa76 + PayloadVersion + 1 + + + PayloadDisplayName + Xsan Preferences + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 63ebad99-1dbc-4b3b-a618-2789cda3eedd + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/com.apple.xsan/example1.plist b/examples/mdm/profiles/com.apple.xsan/example1.plist new file mode 100644 index 0000000..e46de9a --- /dev/null +++ b/examples/mdm/profiles/com.apple.xsan/example1.plist @@ -0,0 +1,39 @@ + + + + + PayloadContent + + + fsnameservers + + san.example.com + + sanAuthMethod + auth_secret + sanName + user_xsan + sharedSecret + shared_secret + PayloadIdentifier + com.example.myxsanpayload + PayloadType + com.apple.xsan + PayloadUUID + 015b6f29-6a6a-4e23-9305-a4182838516d + PayloadVersion + 1 + + + PayloadDisplayName + Xsan + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + e93b1eca-d07c-4383-8b4f-ca9db76f4aa8 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/mdm/profiles/loginwindow/example1.plist b/examples/mdm/profiles/loginwindow/example1.plist new file mode 100644 index 0000000..81dc4c4 --- /dev/null +++ b/examples/mdm/profiles/loginwindow/example1.plist @@ -0,0 +1,31 @@ + + + + + PayloadContent + + + DisableLoginItemsSuppression + + PayloadIdentifier + com.example.myloginwindowloginitemspayload + PayloadType + loginwindow + PayloadUUID + e032844e-db81-4387-98d9-9ee7c6038275 + PayloadVersion + 1 + + + PayloadDisplayName + Login Window Login Items + PayloadIdentifier + com.example.myprofile + PayloadType + Configuration + PayloadUUID + 30724e47-e58e-447d-b21c-a65bbe184f98 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/examples/other/manifesturl/example1.plist b/examples/other/manifesturl/example1.plist new file mode 100644 index 0000000..0ac68eb --- /dev/null +++ b/examples/other/manifesturl/example1.plist @@ -0,0 +1,39 @@ + + + + + items + + + assets + + + kind + display-image + url + https://data.example.com/sampleapp.png + + + kind + software-package + url + https://data.example.com/sampleapp.ipa + + + metadata + + bundle-identifier + com.example.sampleapp + bundle-version + 1.2 + developer-name + Example Inc. + kind + software + title + The Sample App + + + + + diff --git a/mdm/checkin/authenticate.yaml b/mdm/checkin/authenticate.yaml index d473edf..5a6186a 100644 --- a/mdm/checkin/authenticate.yaml +++ b/mdm/checkin/authenticate.yaml @@ -118,10 +118,8 @@ payloadkeys: introduced: n/a type: presence: optional - content: |- - The per-enrollment identifier for the device. The system requires this value if the enrollment type is a user enrollment. - - Available in iOS 13 and later, macOS 10.15 and later, and visionOS 2 and later. + content: The per-enrollment identifier for the device. The system requires this + value if the enrollment type is a user enrollment. - key: OSVersion supportedOS: iOS: diff --git a/mdm/checkin/checkout.yaml b/mdm/checkin/checkout.yaml index 0c6baa5..5b7c8d4 100644 --- a/mdm/checkin/checkout.yaml +++ b/mdm/checkin/checkout.yaml @@ -76,10 +76,8 @@ payloadkeys: introduced: n/a type: presence: required - content: |- - The per-enrollment identifier for the device. The system requires this value if the enrollment type is a user enrollment. - - Available in iOS 13 and later, macOS 10.15 and later, and visionOS 2 and later. + content: The per-enrollment identifier for the device. The system requires this + value if the enrollment type is a user enrollment. notes: - title: '' content: |- diff --git a/mdm/checkin/declarativemanagement.yaml b/mdm/checkin/declarativemanagement.yaml index 6d82546..e0b8e68 100644 --- a/mdm/checkin/declarativemanagement.yaml +++ b/mdm/checkin/declarativemanagement.yaml @@ -167,11 +167,11 @@ notes: content: |- The `Data` field is optional, depending on the `Endpoint` value, as described below: - - `tokens`: The client uses the `tokens` endpoint to request the current synchronization tokens from the server. It doesn't use the `Data` field. A successful response to this request is a `200 OK` HTTP status, with a response body that's a JSON object conforming to the `TokensResponse` schema. - - `declaration-items`: The client uses the `declaration-items` endpoint to request the current declaration manifest from the server. It doesn't use the `Data` field. A successful response to this request is a `200 OK` HTTP status, with a response body that's a JSON object conforming to the `DeclarationItemsResponse` schema. - - `declaration/…/…` : The client uses the `declaration/…/…` endpoint to request a specific declaration from the server. It doesn't use the `Data` field. + * `tokens`: The client uses the `tokens` endpoint to request the current synchronization tokens from the server. It doesn't use the `Data` field. A successful response to this request is a `200 OK` HTTP status, with a response body that's a JSON object conforming to the `TokensResponse` schema. + * `declaration-items`: The client uses the `declaration-items` endpoint to request the current declaration manifest from the server. It doesn't use the `Data` field. A successful response to this request is a `200 OK` HTTP status, with a response body that's a JSON object conforming to the `DeclarationItemsResponse` schema. + * `declaration/…/…` : The client uses the `declaration/…/…` endpoint to request a specific declaration from the server. It doesn't use the `Data` field. The endpoint value is a path with three segments separated by a slash character (`/`). The first segment is always `declaration`. The second segment indicates the declaration type and is one of `activation`, `asset`, `configuration`, or `management`. The third segment is the `Identifier` of the declaration to fetch. A successful response to this request is a `200 OK` HTTP status, with a response body that's a JSON object representing the requested declaration. If the declaration isn't present on the server, it needs to return a `404 Not Found` HTTP status response to the device. That causes the device to remove any corresponding declaration that is present on it. - - `status`: The client uses the `status` endpoint to send a status report to the server. The `Data` field needs to be present and set to a Base64-encoded JSON object conforming to the `StatusReport` schema. A successful response to this request is a `200 OK` HTTP status, with an empty response body. + * `status`: The client uses the `status` endpoint to send a status report to the server. The `Data` field needs to be present and set to a Base64-encoded JSON object conforming to the `StatusReport` schema. A successful response to this request is a `200 OK` HTTP status, with an empty response body. diff --git a/mdm/checkin/gettoken.yaml b/mdm/checkin/gettoken.yaml index 033c7da..44a9224 100644 --- a/mdm/checkin/gettoken.yaml +++ b/mdm/checkin/gettoken.yaml @@ -52,7 +52,7 @@ payloadkeys: content: Parameters that the system uses to generate the token. subkeys: - key: SecurityToken - title: Security Token + title: Security token supportedOS: iOS: sharedipad: @@ -65,10 +65,10 @@ payloadkeys: introduced: n/a type: presence: optional - content: A security token to generate the server token. Required by the `com.apple.watch.pairing` - service type. + content: A security token to generate the server token. The `com.apple.watch.pairing` + service type requires this key. - key: PhoneUDID - title: Phone Identifier + title: Phone identifier supportedOS: iOS: sharedipad: @@ -81,10 +81,10 @@ payloadkeys: introduced: n/a type: presence: optional - content: The identifier of the phone paired to the watch. Required by the `com.apple.watch.pairing` - service type. + content: The identifier of the phone paired to the watch. The `com.apple.watch.pairing` + service type requires this key. - key: WatchUDID - title: Watch Identifier + title: Watch identifier supportedOS: iOS: sharedipad: @@ -97,8 +97,8 @@ payloadkeys: introduced: n/a type: presence: optional - content: The identifier of the watch paired to the phone. Required by the `com.apple.watch.pairing` - service type. + content: The identifier of the watch paired to the phone. The `com.apple.watch.pairing` + service type requires this key. - key: UDID supportedOS: iOS: @@ -208,7 +208,7 @@ notes: - `jti`: A `String`, per RFC 7519 section 4.1.7, that the server sets to a unique identifier (a random UUID) for the JWT. The Apple Identity Service uses this value to ensure that it only uses the token once. - `service_type`: A `String` that the server sets to the value of the `TokenServiceType` key in the `CheckIn` request, which needs to be `com.apple.maid`. - Sign the JWT using the server's private key that corresponds to the RFC 3280 public key certificate that's registered with Apple Business Manager or Apple School Manager. + Sign the JWT using the server's private key that corresponds to the RFC 3280 public key certificate that's registered with Apple School Manager or Apple Business. The Apple Identity Service requires that the signing algorithm is "RS256" as defined in RFC 7518 section 3.1. - title: Support Apple Watch pairing content: For the service type `com.apple.watch.pairing`, the MDM server requests this token to enroll an Apple Watch, with the request coming from the phone that's diff --git a/mdm/checkin/returntoservice.yaml b/mdm/checkin/returntoservice.yaml index 96463f4..eb7d912 100644 --- a/mdm/checkin/returntoservice.yaml +++ b/mdm/checkin/returntoservice.yaml @@ -45,7 +45,7 @@ responsekeys: presence: optional default: false content: If `true`, the device preserves the data plan on an iPhone or iPad with - eSIM functionality, if one exists. This value is available in iOS 26.4 and later. + eSIM functionality, if one exists. - key: ReturnToService type: presence: required @@ -60,21 +60,32 @@ responsekeys: type: presence: optional content: The Wi-Fi profile that installs after erasure when using return to service. - This is required when the device doesn't have Ethernet access. + The device requires this when it doesn't have Ethernet access. - key: MDMProfileData type: presence: optional content: |- - The MDM profile that installs after erasure when using return to service. If provided, the device uses this profile directly instead of fetching it from the server. This key is required if the device's Automated Device Enrollment profile contains the `configuration-web-url` key. + The MDM profile that installs after erasure when using return to service. If provided, the device uses this profile directly instead of fetching it from the server. The device requires this key if its Automated Device Enrollment profile contains the `configuration-web-url` key. The device always downloads the Automated Device Enrollment profile even when this key is present, so the supervision identity, MDM removability, and other settings still apply. However, the device doesn't use the specified URL in the Automated Device Enrollment profile to fetch the MDM profile. - key: BootstrapToken type: presence: optional content: |- - The system uses the bootstrap token for return to service with app preservation. Required when Automated Device Enrollment enables return to service for the device. + The system uses the bootstrap token for return to service with app preservation. The device requires this key when Automated Device Enrollment enables return to service for the device. If the bootstrap token isn't present, the device performs a full erasure and a regular return to service, and can't preserve any data for app preservation. + - key: ShouldRetryEnrollment + supportedOS: + iOS: + introduced: '27.0' + visionOS: + introduced: n/a + type: + presence: optional + default: false + content: If `true`, the device retries service enrollment when the initial enrollment + fails after erasure. notes: - title: '' content: The device sends the `ReturnToService` message when the user triggers a diff --git a/mdm/checkin/tokenupdate.yaml b/mdm/checkin/tokenupdate.yaml index 78831e3..ae30a76 100644 --- a/mdm/checkin/tokenupdate.yaml +++ b/mdm/checkin/tokenupdate.yaml @@ -93,10 +93,8 @@ payloadkeys: introduced: n/a type: presence: required - content: |- - The per-enrollment identifier for the device. The system requires this value if the enrollment type is a user enrollment. - - Available in iOS 13 and later, macOS 10.15 and later, and visionOS 2 and later. + content: The per-enrollment identifier for the device. The system requires this + value if the enrollment type is a user enrollment. - key: EnrollmentUserID supportedOS: iOS: @@ -114,10 +112,8 @@ payloadkeys: introduced: n/a type: presence: required - content: |- - The per-enrollment identifier for the user. The system requires this value if the enrollment type is a user enrollment on the user channel. - - Available in macOS 10.15 and later. + content: The per-enrollment identifier for the user. The system requires this value + if the enrollment type is a user enrollment on the user channel. - key: UserShortName supportedOS: iOS: diff --git a/mdm/commands/account.configuration.yaml b/mdm/commands/account.configuration.yaml index cc7de20..cac4ad9 100644 --- a/mdm/commands/account.configuration.yaml +++ b/mdm/commands/account.configuration.yaml @@ -20,8 +20,8 @@ payload: introduced: n/a watchOS: introduced: n/a - content: When a macOS (v10.11 and later) device is configured via DEP to enroll - in an MDM server and the DEP profile has the await_device_configuration flag set + content: When a macOS (v10.11 and later) device is configured via ADE to enroll + in an MDM server and the ADE profile has the await_device_configuration flag set to true, the AccountConfiguration command can be sent to the device to have it create the local administrator account (thereby skipping the page to create this account in Setup Assistant). This command can only be sent to a macOS device that @@ -47,8 +47,7 @@ payloadkeys: presence: optional content: The full name for the primary account. If present, Setup Assistant uses this value to prefill the Full Name field. However, Setup Assistant ignores this - value if `DontAutoPopulatePrimaryAccountInfo` is `true`. This value is available - in macOS 10.15 and later. + value if `DontAutoPopulatePrimaryAccountInfo` is `true`. - key: PrimaryAccountUserName supportedOS: macOS: @@ -57,8 +56,7 @@ payloadkeys: presence: optional content: The account name for the primary account. If present, Setup Assistant uses this value to prefill the User Name field. However, Setup Assistant ignores this - value if `DontAutoPopulatePrimaryAccountInfo` is `true`. This value is available - in macOS 10.15 and later. + value if `DontAutoPopulatePrimaryAccountInfo` is `true`. - key: DontAutoPopulatePrimaryAccountInfo supportedOS: macOS: @@ -69,7 +67,7 @@ payloadkeys: content: If `true`, Setup Assistant ignores the primary account information and requires the user to enter that information. If `false`, Setup Assistant prefills the Full Name field with `PrimaryAccountFullName` and the User Name field with - `PrimaryAccountUserName`. This value is available in macOS 10.15 and later. + `PrimaryAccountUserName`. - key: LockPrimaryAccountInfo supportedOS: macOS: @@ -81,8 +79,6 @@ payloadkeys: If `true`, and you provide values for `PrimaryAccountFullName` or `PrimaryAccountUserName`, Setup Assistant disables editing for the corresponding fields. `DontAutoPopulatePrimaryAccountInfo` must also be 0 (or missing). If the user's password is also available from authentication through ConfigurationURL, Setup Assistant automatically creates the primary account with that information and skips showing the user interface to view or edit these fields. - - This value is available in macOS 10.15 and later. - key: AutoSetupAdminAccounts type: presence: optional @@ -108,10 +104,10 @@ payloadkeys: title: passwordHash type: presence: optional - content: Data that contains the pre-created salted PBKDF2 SHA512 password hash + content: Data that contains the pre-created salted PBKDF2 SHA512 `PasswordHash` for the account. - key: hidden - title: hidden + title: Hidden type: presence: optional default: false @@ -126,8 +122,13 @@ payloadkeys: content: If present, this is the short name of the local account to manage, which can also be the account that results from setting `AutoSetupAdminAccounts` to `true`. Otherwise, only the local account that Setup Assistant creates is a managed - account. This value is available in macOS 11 and later. + account. notes: - title: '' content: Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/account.configuration/example1.plist + response-file: examples/mdm/commands/account.configuration/example2.plist diff --git a/mdm/commands/application.extensions.listactive.yaml b/mdm/commands/application.extensions.listactive.yaml index 4a546cd..60a4dab 100644 --- a/mdm/commands/application.extensions.listactive.yaml +++ b/mdm/commands/application.extensions.listactive.yaml @@ -89,3 +89,8 @@ notes: Extensions restricted from executing by Application Launch Restrictions or the `NSExtensionManagement` configuration profile won't appear in the response. Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/application.extensions.listactive/example1.plist + response-file: examples/mdm/commands/application.extensions.listactive/example2.plist diff --git a/mdm/commands/application.extensions.mappings.yaml b/mdm/commands/application.extensions.mappings.yaml index 7e186ee..4e60103 100644 --- a/mdm/commands/application.extensions.mappings.yaml +++ b/mdm/commands/application.extensions.mappings.yaml @@ -55,3 +55,8 @@ notes: This list is a superset of the list that `ActiveNSExtensionsCommand` returns. It may contain extensions that the system never enables due to various restrictions. Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/application.extensions.mappings/example1.plist + response-file: examples/mdm/commands/application.extensions.mappings/example2.plist diff --git a/mdm/commands/application.install.enterprise.yaml b/mdm/commands/application.install.enterprise.yaml index 00022b5..b42387a 100644 --- a/mdm/commands/application.install.enterprise.yaml +++ b/mdm/commands/application.install.enterprise.yaml @@ -66,8 +66,6 @@ payloadkeys: If `true`, install the app as a managed app. Otherwise, the system installs the app as unmanaged. If you reinstall a manged app and omit this value or set it to `false`, the app becomes unmanaged. For manifest-based installs, if `true`, the system only considers apps installed in `/Applications` as managed. In macOS 11 through 13, the system requires that the `pkg` only contains a single signed app. - - Available in macOS 11 and later. - key: ManagementFlags supportedOS: macOS: @@ -81,9 +79,7 @@ payloadkeys: content: |- The management flags. The possible values are: - - `1`: If `InstallAsManaged` is `true`, remove the app upon removal of the MDM profile. - - Available in macOS 11 and later. + * `1`: If `InstallAsManaged` is `true`, remove the app upon removal of the MDM profile. - key: Configuration supportedOS: macOS: @@ -91,7 +87,7 @@ payloadkeys: type: presence: optional content: A dictionary that contains the initial configuration of the app, if you - choose to provide it. Available in macOS 11 and later. + choose to provide it. subkeys: - key: ANY type: @@ -110,9 +106,7 @@ payloadkeys: content: |- The change management state. This value doesn't work with the user enrollments. The only possible value is: - - `Managed`: Take management of the app if the user installed it already and `InstallAsManaged` is `true`. - - Available in macOS 11 and later. + * `Managed`: Take management of the app if the user installed it already and `InstallAsManaged` is `true`. - key: iOSApp supportedOS: iOS: @@ -134,3 +128,8 @@ notes: This command fails if Declarative Device Management is managing the app. Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/application.install.enterprise/example1.plist + response-file: examples/mdm/commands/application.install.enterprise/example2.plist diff --git a/mdm/commands/application.install.yaml b/mdm/commands/application.install.yaml index ab25aec..2fd2022 100644 --- a/mdm/commands/application.install.yaml +++ b/mdm/commands/application.install.yaml @@ -53,7 +53,7 @@ payloadkeys: The app's bundle identifier. > Important: - > For a watchOS app, the identifier needs to be the watch's bundle identifier, which differs from the main bundle identifier for the iPhone to which the watch is paired. Obtain the watch's bundle identifier for an app with a watch bundle, in the `watchBundleId` key that's part of the Content Metadata query. For more information on this query, see `Getting App and Book Information`. + > For a watchOS app, the identifier needs to be the watch's bundle identifier, which differs from the main bundle identifier for the iPhone the watch pairs with. Obtain the watch's bundle identifier for an app with a watch bundle, in the `watchBundleId` key that's part of the Content Metadata query. For more information on this query, see `Getting app and book information (Legacy)`. - key: Options supportedOS: iOS: @@ -82,8 +82,8 @@ payloadkeys: introduced: '7.0' type: presence: optional - content: The URL of the app manifest, which needs to begin with `https:`. The manifest - is returned as a property list that uses the `ManifestURL` format. + content: The URL of the app manifest, which needs to begin with `https:`. The server + returns the manifest as a property list that uses the `ManifestURL` format. - key: ManagementFlags supportedOS: macOS: @@ -102,8 +102,6 @@ payloadkeys: - `1`: If `InstallAsManaged` is `true`, remove the app upon removal of the MDM profile. - `4`: Prevent backup of app data. - `5`: Both `1` and `4`. - - Available in iOS 5 and later, macOS 11 and later, and tvOS 10.2 and later. - key: Configuration supportedOS: iOS: @@ -113,8 +111,7 @@ payloadkeys: type: presence: optional content: A dictionary that contains the initial configuration of the app, if you - choose to provide it. Available in iOS 7 and later, macOS 11 and later, and tvOS - 10.2 and later. + choose to provide it. subkeys: - key: ANY type: @@ -129,7 +126,7 @@ payloadkeys: type: presence: optional content: A dictionary that contains the initial attributes of the app, if you choose - to provide it. Available in iOS 7 and later, and tvOS 10.2 and later. + to provide it. subkeys: - key: VPNUUID supportedOS: @@ -137,8 +134,7 @@ payloadkeys: introduced: n/a type: presence: optional - content: A per-app VPN unique identifier for this app. Available in iOS 7 and - later. + content: A per-app VPN unique identifier for this app. - key: ContentFilterUUID supportedOS: iOS: @@ -149,7 +145,7 @@ payloadkeys: introduced: n/a type: presence: optional - content: The content filter UUID for this app. Available in iOS 16 and later. + content: The content filter UUID for this app. - key: DNSProxyUUID supportedOS: iOS: @@ -160,7 +156,7 @@ payloadkeys: introduced: n/a type: presence: optional - content: The DNS proxy UUID for this app. Available in iOS 16 and later. + content: The DNS proxy UUID for this app. - key: RelayUUID supportedOS: iOS: @@ -171,7 +167,7 @@ payloadkeys: introduced: n/a type: presence: optional - content: The relay UUID for this app. Available in iOS 17 and later. + content: The relay UUID for this app. - key: AssociatedDomains supportedOS: iOS: @@ -180,8 +176,7 @@ payloadkeys: introduced: n/a type: presence: optional - content: An array that contains the associated domains to add to this app. Available - in iOS 13 and later. + content: An array that contains the associated domains to add to this app. subkeys: - key: AssociatedDomain type: @@ -196,7 +191,7 @@ payloadkeys: default: false content: If `true`, perform claimed site association verification directly at the domain instead of on Apple's servers. Only set this to `true` for domains - that can't access the internet. Available in iOS 14 and later. + that can't access the internet. - key: Removable supportedOS: iOS: @@ -206,8 +201,7 @@ payloadkeys: type: presence: optional default: true - content: If `false`, this app isn't removable while it's a managed app. Available - in iOS 14 and later, and tvOS 14 and later. + content: If `false`, this app isn't removable while it's a managed app. - key: TapToPayScreenLock supportedOS: iOS: @@ -221,10 +215,9 @@ payloadkeys: type: presence: optional default: false - content: |- - If `true`, Tap to Pay on iPhone requires users to use Face ID or a passcode to unlock their device after every transaction that requires a customer's card PIN. If `false`, the user can configure this setting on their device. - - Available in iOS 16.4 and later. + content: If `true`, Tap to Pay on iPhone requires users to use Face ID or a passcode + to unlock their device after every transaction that requires a customer's card + PIN. If `false`, the user can configure this setting on their device. - key: CellularSliceUUID supportedOS: iOS: @@ -237,10 +230,9 @@ payloadkeys: introduced: n/a type: presence: optional - content: |- - The data network name (DNN) or app category. For DNN, the value is `DNN:name`, where `name` is the carrier-provided DNN name. For app category, the value is `AppCategory:category`, where `category` is a carrier-provided string like "Enterprise1". - - Available in iOS 17 and later. + content: The data network name (DNN) or app category. For DNN, the value is `DNN:name`, + where `name` is the carrier-provided DNN name. For app category, the value is + `AppCategory:category`, where `category` is a carrier-provided string like "Enterprise1". - key: Hideable supportedOS: iOS: @@ -290,9 +282,9 @@ payloadkeys: rangelist: - Managed content: |- - The change management state. This value doesn't work with the user enrollment feature introduced in iOS 13, or any type of account driven enrollment. Available in iOS 9 and later, macOS 11 and later, and tvOS 10.2 and later. The only possible value is: + The change management state. This value doesn't work with the user enrollment feature introduced in iOS 13, or any type of account driven enrollment. The only possible value is: - - `Managed`: Take management of the app if the user installed it already and `InstallAsManaged` is `true`. + * `Managed`: Take management of the app if the user installed it already and `InstallAsManaged` is `true`. - key: InstallAsManaged supportedOS: iOS: @@ -314,8 +306,6 @@ payloadkeys: If `true`, install the app as a managed app. Otherwise, the system installs the app as unmanaged. If you reinstall a manged app and omit this value or set it to `false`, the app becomes unmanaged. For manifest-based installs, if `true`, the system only considers apps installed in `/Applications` as managed. In macOS 11 through 13, the system requires that the `pkg` only contains a single signed app. - - Available in macOS 11 and later. - key: iOSApp supportedOS: iOS: @@ -341,7 +331,7 @@ responsekeys: The app's bundle identifier, if the user accepted the request. > Note: - > For a watchOS app, the identifier is the watch's bundle identifier, which differs from the main bundle identifier for the iPhone that the watch is paired to. + > For a watchOS app, the identifier is the watch's bundle identifier, which differs from the main bundle identifier for the iPhone the watch pairs with. - key: State type: presence: optional @@ -402,3 +392,14 @@ notes: Prior to iOS 16.0 and tvOS 16.0, this command would return `NotNow` when Setup Assistant was running. Starting in iOS 16.0 and tvOS 16.0, the command may be sent to supervised devices during Setup Assistant. However, you should only attempt to install device-based VPP apps or enterprise apps while in the awaiting configuration state, as it is unlikely the device would have an App Store account configured, and thus commands that depend on one will fail. Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - tab: Enterprise + description: This command installs an enterprise app. + request-file: examples/mdm/commands/application.install/example1.plist + response-file: examples/mdm/commands/application.install/example2.plist + - tab: App Store + description: This command installs an App Store app. + request-file: examples/mdm/commands/application.install/example3.plist + response-file: examples/mdm/commands/application.install/example4.plist diff --git a/mdm/commands/application.installed.list.yaml b/mdm/commands/application.installed.list.yaml index ef5e907..4f560fe 100644 --- a/mdm/commands/application.installed.list.yaml +++ b/mdm/commands/application.installed.list.yaml @@ -48,10 +48,10 @@ payloadkeys: type: presence: optional content: |- - An array of app identifiers. Provide this value to limit the response to only include these apps. This value is available in iOS 7 and later, macOS 10.15 and later, tvOS 10.2 and later, visionOS 1.1 and later, and watchOS 10 and later. + An array of app identifiers. Provide this value to limit the response to only include these apps. > Important: - > For a watchOS app, the identifier needs to be the watch's bundle identifier, which differs from the main bundle identifier for the iPhone to which the watch is paired. Obtain the watch's bundle identifier for an app with a watch bundle, in the `watchBundleId` key that's part of the Content Metadata query. For more information on this query, see `Getting App and Book Information`. + > For a watchOS app, the identifier needs to be the watch's bundle identifier, which differs from the main bundle identifier for the iPhone the watch pairs with. Obtain the watch's bundle identifier for an app with a watch bundle, in the `watchBundleId` key that's part of the Content Metadata query. For more information on this query, see `Getting app and book information (Legacy)`. subkeys: - key: IdentifiersItem type: @@ -65,7 +65,7 @@ payloadkeys: presence: optional default: false content: |- - If `true`, only get a list of managed apps, excluding ones that Declarative Device Management is managing. This value is available in iOS 7 and later, macOS 10.15 and later, and tvOS 10.2 and later. + If `true`, only get a list of managed apps, excluding ones that Declarative Device Management is managing. > Note: > If the enrollment type is a user enrollment, the system always considers this key as set to `true` and only returns managed apps, excluding ones that Declarative Device Management is managing. @@ -121,7 +121,7 @@ responsekeys: The app's identifier. This key is always be present on iOS and tvOS, but may be missing on macOS. > Note: - > For a watchOS app, the identifier is the watch's bundle identifier, which differs from the main bundle identifier for the iPhone to which the watch is paired. + > For a watchOS app, the identifier is the watch's bundle identifier, which differs from the main bundle identifier for the iPhone the watch pairs with. - key: ExternalVersionIdentifier supportedOS: iOS: @@ -133,7 +133,7 @@ responsekeys: type: presence: optional content: |- - The app's external version identifier. You can also retrieve this value from the App Store. For more information, see `Apps and Books for Organizations`. + The app's external version identifier. You can also retrieve this value from the App Store. For more information, see `Apps and books metadata for organizations`. If the current external version identifier of an app on the App Store doesn't match the external version identifier reported by the device, there may be an app update available for the device. @@ -153,8 +153,7 @@ responsekeys: introduced: n/a type: presence: optional - content: The marketplace hosted application's distributor ID. This value is - available in iOS 17.4 and later. + content: The marketplace hosted application's distributor ID. - key: Version type: presence: optional @@ -170,6 +169,19 @@ responsekeys: type: presence: optional content: The app's name. + - key: Path + supportedOS: + iOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + content: The app's path. - key: BundleSize supportedOS: macOS: @@ -178,9 +190,8 @@ responsekeys: presence: optional content: The app's static bundle size, in bytes. This value is expensive to calculate. Starting in iOS 26, macOS 26, tvOS 26, watchOS 26, and visionOS - 26 it isn't present in the response unless it is included in the `Items` request - key. This value is available in iOS 5 and later, and macOS 10.7 and later, - tvOS 10.2 and later, watchOS 10 and later, and visionOS 1.1 and later. + 26 it isn't present in the response unless it's included in the `Items` request + key. - key: DynamicSize supportedOS: iOS: @@ -192,9 +203,7 @@ responsekeys: content: The size of the app's file system in bytes, including the Documents, Library, and other directories. This value is expensive to calculate. Starting in iOS 26, tvOS 26, watchOS 26, and visionOS 26 it isn't present in the response - unless it is included in the `Items` request key. This value is available - in iOS 5 and later, tvOS 10.2 and later, watchOS 10 and later, and visionOS - 1.1 and later. + unless it's included in the `Items` request key. - key: IsValidated supportedOS: iOS: @@ -205,8 +214,7 @@ responsekeys: presence: optional content: If `true`, the app is valid and can run on the device. If the app is enterprise-distributed and unvalidated, it won't be able to run until validation - has occurred. This value is available in iOS 9.2 and later, and tvOS 10.2 - and later. + has occurred. - key: Installing type: presence: optional @@ -223,8 +231,7 @@ responsekeys: presence: optional content: If `true`, the app came from the App Store and can participate in store features. For device-based Volume Purchase Program (VPP) apps, this value - is `false`. This value is available in iOS 11.3 and later, and tvOS 11.3 and - later. + is `false`. - key: DeviceBasedVPP supportedOS: iOS: @@ -235,8 +242,7 @@ responsekeys: introduced: '11.3' type: presence: optional - content: If `true`, installing the app didn't require an Apple Account. This - value is available in iOS 11.3 and later, and tvOS 11.3 and later. + content: If `true`, installing the app didn't require an Apple Account. - key: BetaApp supportedOS: iOS: @@ -247,8 +253,7 @@ responsekeys: introduced: '11.3' type: presence: optional - content: If `true`, the app is part of the Apple Beta Software Program. This - value is available in iOS 11.3 and later, and tvOS 11.3 and later. + content: If `true`, the app is part of the Apple Beta Software Program. - key: AdHocCodeSigned supportedOS: iOS: @@ -259,8 +264,7 @@ responsekeys: introduced: '11.3' type: presence: optional - content: If `true`, the app is ad-hoc code signed. This query is available in - iOS 11.3 and later, and tvOS 11.3 and later. + content: If `true`, the app is ad-hoc code signed. - key: HasUpdateAvailable supportedOS: iOS: @@ -306,7 +310,7 @@ responsekeys: type: presence: optional default: false - content: If `true`, the app is an App Clip. Available in iOS 16 and later. + content: If `true`, the app is an App Clip. - key: Source supportedOS: iOS: @@ -321,8 +325,8 @@ responsekeys: introduced: n/a type: presence: optional - content: The source of the application. When the app is managed by Declarative - Device Management this value is `Declarative Device Management`. + content: The source of the application. When Declarative Device Management manages + the app, this value is `Declarative Device Management`. notes: - title: '' content: |- @@ -331,3 +335,15 @@ notes: This command doesn't return apps that Declarative Device Management is managing if the `ManagedAppsOnly` key is set to `true`, or if the enrollment type is a user enrollment. Refer to the following sections to determine supported channels and requirements, and to see request and response examples for iOS and macOS. +examples: + title: Example request and response + files: + - tab: Managed + description: This command lists only managed apps. + request-file: examples/mdm/commands/application.installed.list/example1.plist + response-file: examples/mdm/commands/application.installed.list/example2.plist + - tab: All + description: This command lists all apps. The example response shows a subset + of the full response. + request-file: examples/mdm/commands/application.installed.list/example3.plist + response-file: examples/mdm/commands/application.installed.list/example4.plist diff --git a/mdm/commands/application.invitetoprogram.yaml b/mdm/commands/application.invitetoprogram.yaml index 755f57f..6f12a0a 100644 --- a/mdm/commands/application.invitetoprogram.yaml +++ b/mdm/commands/application.invitetoprogram.yaml @@ -57,3 +57,8 @@ notes: The command doesn't work with Account Driven enrollments. Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/application.invitetoprogram/example1.plist + response-file: examples/mdm/commands/application.invitetoprogram/example2.plist diff --git a/mdm/commands/application.managed.list.yaml b/mdm/commands/application.managed.list.yaml index 8f8bf48..138e308 100644 --- a/mdm/commands/application.managed.list.yaml +++ b/mdm/commands/application.managed.list.yaml @@ -49,7 +49,7 @@ payloadkeys: The bundle identifiers of the managed apps to include in the response. > Important: - > For a watchOS app, the identifier needs to be the watch's bundle identifier, which differs from the main bundle identifier for the iPhone to which the watch is paired. Obtain the watch's bundle identifier for an app with a watch bundle, in the `watchBundleId` key that's part of the Content Metadata query. For more information on this query, see `Getting App and Book Information`. + > For a watchOS app, the identifier needs to be the watch's bundle identifier, which differs from the main bundle identifier for the iPhone the watch pairs with. Obtain the watch's bundle identifier for an app with a watch bundle, in the `watchBundleId` key that's part of the Content Metadata query. For more information on this query, see `Getting app and book information (Legacy)`. subkeys: - key: IdentifiersItem type: @@ -133,8 +133,7 @@ responsekeys: type: presence: required content: If the user already purchased a paid app, this code is available for - use by another user. This code reports only once. This value is available - in iOS 5 and later. + use by another user. This code reports only once. - key: HasConfiguration supportedOS: iOS: @@ -143,10 +142,7 @@ responsekeys: introduced: '11.0' type: presence: required - content: If 'true', the app has an update available. This key is present only - for App Store apps. In macOS, this key is present only for Volume Purchase - Program (VPP) apps. This status updates daily and isn't always up-to-date - when installing an app. + content: If 'true', the app has a server-provided managed configuration. - key: HasFeedback supportedOS: iOS: @@ -156,9 +152,9 @@ responsekeys: devicechannel: false type: presence: required - content: If 'true', the app has feedback for the server. This value is available - in iOS 7 and later, and tvOS 10.2 and later. On macOS 11.3 and later, this - value is available if the request was sent on the user channel. + content: If 'true', the app has feedback for the server. On macOS 11.3 and later, + this value is available if the device management server sent the request on + the user channel. - key: IsValidated supportedOS: iOS: @@ -169,8 +165,7 @@ responsekeys: presence: required content: If 'true', the app is valid and can run on the device. If the app is enterprise-distributed and unvalidated, it won't be able to run until validation - has occurred. This value is available in iOS 9.2 and later, and tvOS 10.2 - and later. + has occurred. - key: ExternalVersionIdentifier supportedOS: iOS: @@ -182,12 +177,10 @@ responsekeys: type: presence: required content: |- - The app's external version identifier. You can also retrieve this value from the App Store. For more information, see `Apps and Books for Organizations`. + The app's external version identifier. You can also retrieve this value from the App Store. For more information, see `Apps and books metadata for organizations`. If the current external version identifier of an app on the App Store doesn't match the external version identifier reported by the device, there may be an app update available for the device. - Available in iOS 10.3 and later, macOS 11.3 and later, and tvOS 10.2 and later. - > Note: > A newer version of an app might not be available for installation on the device for a variety of reasons. A common reason is that the device's operating system version or hardware is incompatible with the available version of the app. notes: @@ -200,3 +193,8 @@ notes: This command doesn't return apps that Declarative Device Management is managing. Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/application.managed.list/example1.plist + response-file: examples/mdm/commands/application.managed.list/example2.plist diff --git a/mdm/commands/application.redemptioncode.yaml b/mdm/commands/application.redemptioncode.yaml index 7fda06a..e442f2d 100644 --- a/mdm/commands/application.redemptioncode.yaml +++ b/mdm/commands/application.redemptioncode.yaml @@ -37,3 +37,8 @@ notes: Sending a redemption code to an app that doesn't need it produces an error. Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/application.redemptioncode/example1.plist + response-file: examples/mdm/commands/application.redemptioncode/example2.plist diff --git a/mdm/commands/application.remove.yaml b/mdm/commands/application.remove.yaml index 4b012ae..26e4f0a 100644 --- a/mdm/commands/application.remove.yaml +++ b/mdm/commands/application.remove.yaml @@ -46,7 +46,7 @@ payloadkeys: The bundle identifier of the managed app. > Important: - > For a watchOS app, the identifier needs to be the watch's bundle identifier, which differs from the main bundle identifier for the iPhone to which the watch is paired. Obtain the watch's bundle identifier for an app with a watch bundle, in the `watchBundleId` key that's part of the Content Metadata query. For more information on this query, see `Getting App and Book Information`. + > For a watchOS app, the identifier needs to be the watch's bundle identifier, which differs from the main bundle identifier for the iPhone the watch pairs with. Obtain the watch's bundle identifier for an app with a watch bundle, in the `watchBundleId` key that's part of the Content Metadata query. For more information on this query, see `Getting app and book information (Legacy)`. notes: - title: '' content: |- @@ -55,3 +55,8 @@ notes: This command fails for apps that Declarative Device Management is managing. Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/application.remove/example1.plist + response-file: examples/mdm/commands/application.remove/example2.plist diff --git a/mdm/commands/application.validate.yaml b/mdm/commands/application.validate.yaml index d031b20..21a0339 100644 --- a/mdm/commands/application.validate.yaml +++ b/mdm/commands/application.validate.yaml @@ -45,3 +45,8 @@ notes: - title: '' content: Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/application.validate/example1.plist + response-file: examples/mdm/commands/application.validate/example2.plist diff --git a/mdm/commands/cancel.enhanced.log.collection.yaml b/mdm/commands/cancel.enhanced.log.collection.yaml new file mode 100644 index 0000000..a81c39f --- /dev/null +++ b/mdm/commands/cancel.enhanced.log.collection.yaml @@ -0,0 +1,33 @@ +title: Cancel Enhanced Log Collection Command +description: Cancel enhanced log collection on the device. +payload: + requesttype: CancelEnhancedLogCollection + supportedOS: + iOS: + introduced: '27.0' + supervised: true + requiresdep: false + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: forbidden + macOS: + introduced: '27.0' + devicechannel: false + userchannel: true + supervised: true + requiresdep: false + userenrollment: + mode: forbidden + tvOS: + introduced: '27.0' + supervised: true + requiresdep: false + visionOS: + introduced: n/a + watchOS: + introduced: n/a + content: This command cancels any active enhanced log collection session on a supervised + device. If no session is in progress, the command does nothing and returns `Acknowledged`. diff --git a/mdm/commands/certificate.list.yaml b/mdm/commands/certificate.list.yaml index f97d6c5..f999a00 100644 --- a/mdm/commands/certificate.list.yaml +++ b/mdm/commands/certificate.list.yaml @@ -52,8 +52,7 @@ payloadkeys: default: false content: If `true`, only include certificates that MDM installed or that are in the same profile as the MDM payload. User-enrolled devices ignore this value and - always only include managed certificates. This value is available in iOS 13 and - later, macOS 10.15 and later, and tvOS 13 and later. + always only include managed certificates. responsekeys: - key: CertificateList type: @@ -86,3 +85,8 @@ notes: Starting with iOS 15.4, this command returns a Not Now response before the passcode-protected device's first unlock after a device boots. Between iOS 15.0 and iOS 15.4, devices in that state didn't respond with Not Now, but the response might not contain all identity certificates. Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/certificate.list/example1.plist + response-file: examples/mdm/commands/certificate.list/example2.plist diff --git a/mdm/commands/declarativemanagement.yaml b/mdm/commands/declarativemanagement.yaml index 1c3e0e8..1042af3 100644 --- a/mdm/commands/declarativemanagement.yaml +++ b/mdm/commands/declarativemanagement.yaml @@ -48,3 +48,8 @@ notes: content: The server uses this command to turn on the declarative management engine on the device the first time the server sends it. Subsequent commands trigger a declarative management synchronization operation. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/declarativemanagement/example1.plist + response-file: examples/mdm/commands/declarativemanagement/example2.plist diff --git a/mdm/commands/device.activationlock.bypasscode.yaml b/mdm/commands/device.activationlock.bypasscode.yaml index cb127a9..ef97f2d 100644 --- a/mdm/commands/device.activationlock.bypasscode.yaml +++ b/mdm/commands/device.activationlock.bypasscode.yaml @@ -44,10 +44,15 @@ notes: content: |- This command allows organizations to retrieve the device's bypass code. Organizations can use the bypass code to remove the Activation Lock from supervised devices prior to device activation without knowing the user's personal Apple Account and password. - Supervised devices generate a device-specific Activation Lock bypass code. The activation server verifies this code to bypass Activation Lock on the device. For more information, see `Creating and Using Bypass Codes`. + Supervised devices generate a device-specific Activation Lock bypass code. The activation server verifies this code to bypass Activation Lock on the device. For more information, see `Creating and using bypass codes`. A device creates a new bypass code when: - Setting up the device the first time. - Erasing and not restoring the device from a backup. - Erasing and restoring the device from a backup from a different device. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/device.activationlock.bypasscode/example1.plist + response-file: examples/mdm/commands/device.activationlock.bypasscode/example2.plist diff --git a/mdm/commands/device.activationlock.clearbypasscode.yaml b/mdm/commands/device.activationlock.clearbypasscode.yaml index 8ad3a1c..6867dd1 100644 --- a/mdm/commands/device.activationlock.clearbypasscode.yaml +++ b/mdm/commands/device.activationlock.clearbypasscode.yaml @@ -37,3 +37,8 @@ notes: - title: '' content: Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/device.activationlock.clearbypasscode/example1.plist + response-file: examples/mdm/commands/device.activationlock.clearbypasscode/example2.plist diff --git a/mdm/commands/device.configured.yaml b/mdm/commands/device.configured.yaml index 5c540ab..70d1991 100644 --- a/mdm/commands/device.configured.yaml +++ b/mdm/commands/device.configured.yaml @@ -36,11 +36,16 @@ payload: mode: forbidden watchOS: introduced: n/a - content: Informs the device that it can continue past DEP enrollment. Only works - on devices in DEP that have their cloud configuration set to await configuration. + content: Informs the device that it can continue past ADE enrollment. Only works + on devices in ADE that have their cloud configuration set to await configuration. notes: - title: '' content: |- - This command only works on Device Enrollment Program (DEP) devices that have their cloud configuration set to await configuration. + This command only works on Automated Device Enrollment (ADE) devices that have their cloud configuration set to await configuration. Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/device.configured/example1.plist + response-file: examples/mdm/commands/device.configured/example2.plist diff --git a/mdm/commands/device.erase.yaml b/mdm/commands/device.erase.yaml index 26c6373..e430dbe 100644 --- a/mdm/commands/device.erase.yaml +++ b/mdm/commands/device.erase.yaml @@ -55,7 +55,7 @@ payloadkeys: presence: optional default: false content: If `true`, preserve the data plan on an iPhone or iPad with eSIM functionality, - if one exists. This value is available in iOS 11 and later. + if one exists. - key: DisallowProximitySetup supportedOS: iOS: @@ -74,8 +74,7 @@ payloadkeys: presence: optional default: false content: If `true`, disable Proximity Setup on the next reboot and skip the pane - in Setup Assistant. This value is available in iOS 11 and later. Prior to iOS - 14, don't use this option with any other option. + in Setup Assistant. Prior to iOS 14, don't use this option with any other option. - key: PIN supportedOS: iOS: @@ -90,8 +89,7 @@ payloadkeys: introduced: n/a type: presence: optional - content: The six-character PIN for Find My. This value is available in macOS 10.8 - and later. + content: The six-character PIN for Find My. - key: ObliterationBehavior supportedOS: iOS: @@ -141,9 +139,7 @@ payloadkeys: introduced: n/a type: presence: optional - content: The configuration settings for return to service. This value is available - in iOS 17 and later, with Shared iPad, in tvOS 18 and later, and in visionOS 26 - and later. + content: The configuration settings for return to service. subkeys: - key: Enabled title: Use return to service @@ -180,9 +176,31 @@ payloadkeys: content: The bootstrap token the system uses to implement return to service with app preservation. Required when enabling return to service through the cloud configuration. + - key: ShouldRetryEnrollment + supportedOS: + iOS: + introduced: '27.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + default: false + content: If `true`, the device retries service enrollment when the initial enrollment + fails after erasure. notes: - title: '' content: |- This command allows the server to immediately erase a device, even a locked device, without warning the user. The device sends a response to the server, but it doesn't retry if it isn't successful the first time. Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/device.erase/example1.plist + response-file: examples/mdm/commands/device.erase/example2.plist diff --git a/mdm/commands/device.esim.yaml b/mdm/commands/device.esim.yaml index 5139d78..d442b4e 100644 --- a/mdm/commands/device.esim.yaml +++ b/mdm/commands/device.esim.yaml @@ -40,3 +40,8 @@ notes: - `36001`: Unable to communicate with the cellular software stack. - `36002`: The hardware doesn't support this command. - `36003`: The cellular stack was unable to perform the request. This error can also occur if the cellular stack is busy, in which case, retrying the command later may resolve the issue. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/device.esim/example1.plist + response-file: examples/mdm/commands/device.esim/example2.plist diff --git a/mdm/commands/device.lock.yaml b/mdm/commands/device.lock.yaml index 7e0d477..9dc0efd 100644 --- a/mdm/commands/device.lock.yaml +++ b/mdm/commands/device.lock.yaml @@ -52,8 +52,7 @@ payloadkeys: type: presence: optional content: The message to display on the Lock Screen of the device. This value doesn't - apply to a Shared iPad device. This value is available in iOS 4 and later, and - macOS 10.14 and later. + apply to a Shared iPad device. - key: PhoneNumber supportedOS: iOS: @@ -67,8 +66,8 @@ payloadkeys: type: presence: optional content: The phone number to display on the Lock Screen. This value doesn't apply - to a Shared iPad device. This value is available in iOS 7 and later and macOS - 11.5 and later (for a Mac with Apple silicon only). + to a Shared iPad device. This value is available for a Mac with Apple silicon + only. - key: PIN supportedOS: iOS: @@ -81,8 +80,7 @@ payloadkeys: introduced: n/a type: presence: optional - content: The six-character PIN for Find My. This value is available in macOS 10.8 - and later. + content: The six-character PIN for Find My. responsekeys: - key: MessageResult type: @@ -103,3 +101,8 @@ notes: > Sending this command to a Mac with Apple silicon running a version of macOS before 11.5 deactivates the Mac. To reactivate that Mac, it needs a network connection and authentication by a local administrator with Secure Token enabled. Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/device.lock/example1.plist + response-file: examples/mdm/commands/device.lock/example2.plist diff --git a/mdm/commands/device.lostmode.disable.yaml b/mdm/commands/device.lostmode.disable.yaml index 6457fe8..8948c45 100644 --- a/mdm/commands/device.lostmode.disable.yaml +++ b/mdm/commands/device.lostmode.disable.yaml @@ -35,3 +35,8 @@ notes: Erasing a device also disables Lost Mode. To reenable Lost Mode, the MDM server needs to store the device's Lost Mode state before erasing it, and restore that state if the device enrolls again. Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/device.lostmode.disable/example1.plist + response-file: examples/mdm/commands/device.lostmode.disable/example2.plist diff --git a/mdm/commands/device.lostmode.enable.yaml b/mdm/commands/device.lostmode.enable.yaml index 3cbf57a..6dd8077 100644 --- a/mdm/commands/device.lostmode.enable.yaml +++ b/mdm/commands/device.lostmode.enable.yaml @@ -47,3 +47,8 @@ notes: While in Lost Mode, a device responds to invalid commands with error code `12078`. Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/device.lostmode.enable/example1.plist + response-file: examples/mdm/commands/device.lostmode.enable/example2.plist diff --git a/mdm/commands/device.lostmode.location.yaml b/mdm/commands/device.lostmode.location.yaml index 41ff78f..0e08f7b 100644 --- a/mdm/commands/device.lostmode.location.yaml +++ b/mdm/commands/device.lostmode.location.yaml @@ -89,3 +89,8 @@ notes: - `12078`: If the command is invalid while in Lost Mode. Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/device.lostmode.location/example1.plist + response-file: examples/mdm/commands/device.lostmode.location/example2.plist diff --git a/mdm/commands/device.lostmode.playsound.yaml b/mdm/commands/device.lostmode.playsound.yaml index 5ce8318..a15dfef 100644 --- a/mdm/commands/device.lostmode.playsound.yaml +++ b/mdm/commands/device.lostmode.playsound.yaml @@ -36,3 +36,8 @@ notes: The sound plays until the server disables Lost Mode or the user disables the sound on the device. Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/device.lostmode.playsound/example1.plist + response-file: examples/mdm/commands/device.lostmode.playsound/example2.plist diff --git a/mdm/commands/device.restart.yaml b/mdm/commands/device.restart.yaml index 6cea5fd..242e157 100644 --- a/mdm/commands/device.restart.yaml +++ b/mdm/commands/device.restart.yaml @@ -48,7 +48,7 @@ payloadkeys: content: If `true`, the system rebuilds the kernel cache during a device restart. If `BootstrapTokenAllowedForAuthentication` is `true` in the `SecurityInfo` response, the device requests the bootstrap token from the MDM server prior to executing - this command. This value is available in macOS 11 and later. + this command. - key: KextPaths supportedOS: iOS: @@ -62,7 +62,6 @@ payloadkeys: content: If `RebuildKernelCache` is `true`, this value specifies the paths to kexts to add to the auxiliary kernel cache since the last kernel cache rebuild. If not present, the system only adds previously discovered kexts to the kernel cache. - This value is available in macOS 11 and later. subkeys: - key: KextPathsItem type: @@ -77,13 +76,18 @@ payloadkeys: type: presence: optional default: false - content: |- - If `true`, notifies the user to restart the device at their convenience. No forced restart occurs unless the device is at `loginwindow` with no logged-in users. The user can dismiss the notification and ignore the request. No further notifications display unless you resend the command. - - This value is available in macOS 11.3 and later. + content: If `true`, notifies the user to restart the device at their convenience. + No forced restart occurs unless the device is at `loginwindow` with no logged-in + users. The user can dismiss the notification and ignore the request. No further + notifications display unless you resend the command. notes: - title: '' content: |- A passcode-locked iOS device doesn't rejoin a Wi-Fi network after restarting, so it may not be able to communicate with the server. Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/device.restart/example1.plist + response-file: examples/mdm/commands/device.restart/example2.plist diff --git a/mdm/commands/device.restrictions.clearpassword.yaml b/mdm/commands/device.restrictions.clearpassword.yaml index 8c95e34..f07434b 100644 --- a/mdm/commands/device.restrictions.clearpassword.yaml +++ b/mdm/commands/device.restrictions.clearpassword.yaml @@ -28,3 +28,8 @@ notes: In iOS 12.2 and later, if Screen Time uses iCloud to share its settings (Share Across Devices), this command disables Screen Time entirely and clears its restrictions. If the user is a child in an iCloud family, the command fails. Otherwise, if Screen Time isn't using iCloud, this command clears the passcode, but not the restrictions, and it leaves Screen Time enabled. Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/device.restrictions.clearpassword/example1.plist + response-file: examples/mdm/commands/device.restrictions.clearpassword/example2.plist diff --git a/mdm/commands/device.restrictions.list.yaml b/mdm/commands/device.restrictions.list.yaml index a499a11..d500eb5 100644 --- a/mdm/commands/device.restrictions.list.yaml +++ b/mdm/commands/device.restrictions.list.yaml @@ -40,14 +40,12 @@ payloadkeys: type: presence: optional default: false - content: If `true`, the device reports restrictions from each profile. This value - is available in iOS 4 and later, and tvOS 6.1 and later. + content: If `true`, the device reports restrictions from each profile. responsekeys: - key: GlobalRestrictions type: presence: required - content: A dictionary that contains the global restrictions in effect. This value - is available in iOS 4 and later, and tvOS 6.1 and later. + content: A dictionary that contains the global restrictions in effect. subkeytype: RestrictionsDictionary subkeys: &id001 - key: restrictedBool @@ -124,8 +122,7 @@ responsekeys: presence: required content: A dictionary that contains dictionaries of restrictions from each profile. This value is only available when `ProfileRestrictions` is `true` in the command. - The keys are the identifiers of the profiles. This value is available in iOS 4 - and later, and tvOS 6.1 and later. + The keys are the identifiers of the profiles. subkeys: - key: ANY profile identifier type: @@ -138,3 +135,8 @@ notes: - title: '' content: Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/device.restrictions.list/example1.plist + response-file: examples/mdm/commands/device.restrictions.list/example2.plist diff --git a/mdm/commands/device.shutdown.yaml b/mdm/commands/device.shutdown.yaml index 16b2f01..01bb83b 100644 --- a/mdm/commands/device.shutdown.yaml +++ b/mdm/commands/device.shutdown.yaml @@ -37,3 +37,8 @@ notes: A passcode-locked iOS device doesn't rejoin a Wi-Fi network after a user restarts it and before they unlock it for the first time, so it can't communicate with the server if it needs Wi-Fi to do so. Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/device.shutdown/example1.plist + response-file: examples/mdm/commands/device.shutdown/example2.plist diff --git a/mdm/commands/information.device.yaml b/mdm/commands/information.device.yaml index bbdbba9..cb409b1 100644 --- a/mdm/commands/information.device.yaml +++ b/mdm/commands/information.device.yaml @@ -89,8 +89,7 @@ payloadkeys: type: presence: optional content: The key to get the device identifier for provisioning profiles. This - value differs from the UDID for a Mac with Apple silicon. Available in macOS - 11.3 and later. + value differs from the UDID for a Mac with Apple silicon. - key: OrganizationInfo supportedOS: iOS: @@ -142,8 +141,7 @@ payloadkeys: introduced: n/a type: presence: optional - content: The key to get the date of the most-recent iCloud backup. Available - in iOS 8 and later. + content: The key to get the date of the most-recent iCloud backup. - key: AwaitingConfiguration supportedOS: iOS: @@ -372,7 +370,7 @@ payloadkeys: type: presence: optional content: The key to determine whether the device is a Mac with Apple silicon - (for example, an Apple M1 chip). Available in macOS 12 and later. + (for example, an Apple M1 chip). - key: ProductName supportedOS: iOS: @@ -426,7 +424,7 @@ payloadkeys: type: presence: optional content: The key to get the device's total capacity. Requires the Device Information - access right. Available in iOS 4 and later, and macOS 10.7 and later. + access right. - key: AvailableDeviceCapacity supportedOS: iOS: @@ -442,7 +440,7 @@ payloadkeys: type: presence: optional content: The key to get the available capacity. Requires the Device Information - access right. Available in iOS 4 and later, and macOS 10.7 and later. + access right. - key: IMEI supportedOS: iOS: @@ -501,7 +499,7 @@ payloadkeys: type: presence: optional content: The key to get the modem firmware version. Requires the Device Information - access right. Available in iOS 4 and later. + access right. - key: CellularTechnology supportedOS: iOS: @@ -518,7 +516,7 @@ payloadkeys: type: presence: optional content: The key to get the cellular technology type. Requires the Device Information - access right. Available in iOS 4.2.6 and later. + access right. - key: BatteryLevel supportedOS: iOS: @@ -536,7 +534,7 @@ payloadkeys: type: presence: optional content: The key to get the battery level. Requires the Device Information access - right. Available in iOS 5 and later. + right. - key: HasBattery supportedOS: iOS: @@ -570,8 +568,7 @@ payloadkeys: type: presence: optional content: The key to determine whether the device is supervised. Requires the - Device Information access right. Available in iOS 6 and later, macOS 10.15 - and later, and tvOS 9 and later. + Device Information access right. - key: IsMultiUser supportedOS: iOS: @@ -588,7 +585,7 @@ payloadkeys: type: presence: optional content: The key to determine whether the device is a Shared iPad. Requires - the Device Information access right. Available in iOS 9.3 and later. + the Device Information access right. - key: IsDeviceLocatorServiceEnabled supportedOS: iOS: @@ -606,7 +603,6 @@ payloadkeys: presence: optional content: The key to determine whether the system enabled a device locator service such as Find My on the device. Requires the Device Information access right. - Available in iOS 7 and later. - key: IsActivationLockEnabled supportedOS: iOS: @@ -651,8 +647,7 @@ payloadkeys: type: presence: optional content: The key to determine whether the device supports Activation Lock. Also - see `IsActivationLockManageable` in `ManagementStatus`. Available in macOS - 10.9 and later. + see `IsActivationLockManageable` in `ManagementStatus`. - key: IsDoNotDisturbInEffect supportedOS: iOS: @@ -673,8 +668,7 @@ payloadkeys: type: presence: optional content: The key to determine whether the device is in Do Not Disturb (DND) - mode. Requires the Device Information access right. Available in iOS 7 and - later. + mode. Requires the Device Information access right. - key: DeviceID supportedOS: iOS: @@ -691,7 +685,7 @@ payloadkeys: type: presence: optional content: The key to get the device ID. Requires the Device Information access - right. Available in tvOS 6 and later. + right. - key: EASDeviceIdentifier supportedOS: iOS: @@ -708,7 +702,7 @@ payloadkeys: type: presence: optional content: The key to get the device identifier for Exchange ActiveSync (EAS). - Requires the Device Information access right. Available in iOS 7 and later. + Requires the Device Information access right. - key: IsCloudBackupEnabled supportedOS: iOS: @@ -729,8 +723,7 @@ payloadkeys: type: presence: optional content: The key to determine whether the system enabled iCloud Backup on the - device. Requires the Device Information access right. Available in iOS 7.1 - and later. + device. Requires the Device Information access right. - key: ActiveManagedUsers supportedOS: iOS: @@ -748,8 +741,7 @@ payloadkeys: type: presence: optional content: The key to get an array of directory GUIDs for logged-in managed users. - Requires the Device Information access right. Available in macOS 10.11 and - later. + Requires the Device Information access right. - key: OSUpdateSettings supportedOS: iOS: @@ -757,6 +749,7 @@ payloadkeys: macOS: introduced: '10.11' deprecated: '26.0' + removed: '27.0' accessrights: AllowQueryDeviceInformation userenrollment: mode: forbidden @@ -769,7 +762,7 @@ payloadkeys: type: presence: optional content: The key to get the contents of `OSUpdateSettings`. Requires the Device - Information access right. Available in macOS 10.11 and later. + Information access right. - key: LocalHostName supportedOS: iOS: @@ -785,8 +778,7 @@ payloadkeys: introduced: n/a type: presence: optional - content: The key to get the local hostname from Bonjour. Available in macOS - 10.11 and later. + content: The key to get the local hostname from Bonjour. - key: HostName supportedOS: iOS: @@ -802,7 +794,7 @@ payloadkeys: introduced: n/a type: presence: optional - content: The key to get the hostname. Available in macOS 10.11 and later. + content: The key to get the hostname. - key: AutoSetupAdminAccounts supportedOS: iOS: @@ -823,7 +815,7 @@ payloadkeys: presence: optional content: The key to get the contents of `AutoSetupAdminAccountsItem`, which Setup Assistant automatically creates during enrollment. Requires the Device - Information access right. Available in macOS 10.11 and later. + Information access right. - key: SystemIntegrityProtectionEnabled supportedOS: iOS: @@ -858,8 +850,7 @@ payloadkeys: type: presence: optional content: The key to determine whether the device can receive `PowerON`, `PowerOFF`, - and `Reset` commands from a lights-out management (LOM) controller. Available - in macOS 11 and later. + and `Reset` commands from a lights-out management (LOM) controller. - key: IsMDMLostModeEnabled supportedOS: iOS: @@ -878,8 +869,7 @@ payloadkeys: type: presence: optional content: The key to determine whether the system enabled Managed Lost Mode on - the device. Requires the Device Information access right. Available in iOS - 9.3 and later. + the device. Requires the Device Information access right. - key: MaximumResidentUsers supportedOS: iOS: @@ -905,7 +895,7 @@ payloadkeys: presence: optional content: The key to get the maximum number of users that can use this Shared iPad device. In iOS 13.4 and later, this value is always `32`. Requires the - Device Information access right. Available in iOS 9.3 and later. + Device Information access right. - key: EstimatedResidentUsers supportedOS: iOS: @@ -931,8 +921,7 @@ payloadkeys: presence: optional content: The key to get the estimated number of users that can use this Shared iPad device, according to the available space of the device and each user's - quota. Requires the Device Information access right. Available in iOS 14 and - later. + quota. Requires the Device Information access right. - key: QuotaSize supportedOS: iOS: @@ -957,7 +946,7 @@ payloadkeys: type: presence: optional content: The key to get the quota size for each user on this Shared iPad device. - Requires the Device Information access right. Available in iOS 13.4 and later. + Requires the Device Information access right. - key: ResidentUsers supportedOS: iOS: @@ -982,7 +971,7 @@ payloadkeys: type: presence: optional content: The key to get the number of users currently on this Shared iPad device. - Requires the Device Information access right. Available in iOS 13.4 and later. + Requires the Device Information access right. - key: UserSessionTimeout supportedOS: iOS: @@ -1079,7 +1068,7 @@ payloadkeys: type: presence: optional content: The key to get the list of domains that the device suggests on the - Shared iPad login screen. Available in iOS 16 and later. + Shared iPad login screen. - key: OnlineAuthenticationGracePeriod supportedOS: iOS: @@ -1104,7 +1093,7 @@ payloadkeys: type: presence: optional content: The key to get the grace period for Shared iPad online authentication - (in days). Available in iOS 16 and later. + (in days). - key: SkipLanguageAndLocaleSetupForNewUsers supportedOS: iOS: @@ -1151,8 +1140,7 @@ payloadkeys: presence: optional content: The key to get the push token for the current user-channel connection. The MDM server ignores this query for the device channel. Requires the Device - Information access right. Available in iOS 9.3 and later, and macOS 10.12 - and later. + Information access right. - key: DiagnosticSubmissionEnabled supportedOS: iOS: @@ -1169,8 +1157,7 @@ payloadkeys: type: presence: optional content: The key to determine whether the system enabled the diagnostic submission - setting on the device. Requires the Device Information access right. Available - in iOS 9.3 and later. + setting on the device. Requires the Device Information access right. - key: AppAnalyticsEnabled supportedOS: iOS: @@ -1187,8 +1174,7 @@ payloadkeys: type: presence: optional content: The key to determine whether the device is sharing app analytics. Requires - the Device Information access right. Available in iOS 4 and later, and macOS - 10.7 and later. + the Device Information access right. - key: TimeZone supportedOS: iOS: @@ -1208,9 +1194,7 @@ payloadkeys: type: presence: optional content: The key to get the current Internet Assigned Numbers Authority (IANA) - time zone database name. Requires the Device Information access right. Available - in macOS 26 and later, iOS 14 and later, tvOS 14 and later, and visionOS 2 - and later. + time zone database name. Requires the Device Information access right. - key: ICCID supportedOS: iOS: @@ -1293,7 +1277,7 @@ payloadkeys: type: presence: optional content: The key to get the primary Ethernet MAC address. Requires the Network - Information access right. Available in macOS 10.7 and later. + Information access right. - key: CurrentCarrierNetwork supportedOS: iOS: @@ -1414,8 +1398,7 @@ payloadkeys: type: presence: optional content: The key to determine whether the system enabled data roaming on the - device. Requires the Network Information access right. Available in iOS 5 - and later. + device. Requires the Network Information access right. - key: VoiceRoamingEnabled supportedOS: iOS: @@ -1457,7 +1440,7 @@ payloadkeys: presence: optional content: The key to determine whether the system enabled Personal Hotspot on the device, which isn't available for all carriers. Requires the Network Information - access right. Available in iOS 7 and later. + access right. - key: IsNetworkTethered supportedOS: iOS: @@ -1474,7 +1457,7 @@ payloadkeys: type: presence: optional content: The key to determine whether the device is network-tethered. Requires - the Network Information access right. Available in iOS 10.3 and later. + the Network Information access right. - key: IsRoaming supportedOS: iOS: @@ -1495,7 +1478,7 @@ payloadkeys: type: presence: optional content: The key to determine whether the device is roaming. Requires the Network - Information access right. Available in iOS 4.2 and later. + Information access right. - key: SubscriberMCC supportedOS: iOS: @@ -1617,7 +1600,6 @@ payloadkeys: type: presence: optional content: The key to determine whether the `EraseDeviceCommand` requires a PIN. - Available in macOS 11 and later. - key: PINRequiredForDeviceLock supportedOS: iOS: @@ -1636,7 +1618,6 @@ payloadkeys: type: presence: optional content: The key to determine whether the `DeviceLockCommand` requires a PIN. - Available in macOS 11 and later. - key: SupportsiOSAppInstalls supportedOS: iOS: @@ -1653,37 +1634,42 @@ payloadkeys: type: presence: optional content: The key to determine whether the macOS device supports iOS or iPadOS - app installs. Available in macOS 11 and later. + app installs. - key: SoftwareUpdateDeviceID supportedOS: iOS: introduced: '15.0' deprecated: '26.0' + removed: '27.0' userenrollment: mode: forbidden macOS: introduced: '12.0' deprecated: '26.0' + removed: '27.0' userenrollment: mode: forbidden tvOS: introduced: n/a visionOS: deprecated: '26.0' + removed: '27.0' userenrollment: mode: forbidden watchOS: introduced: n/a type: presence: optional - content: The key to get the device identifier to look up available OS updates - through [https://gdmf.apple.com/v2/pmv](https://gdmf.apple.com/v2/pmv). Available - in iOS 15 and later, and macOS 12 and later. + content: |- + The key to get the device identifier to look up available OS updates through [https://gdmf.apple.com/v2/pmv](https://gdmf.apple.com/v2/pmv). + + Removed: subscribe to the declarative management `softwareupdate.device-id` status item. - key: SoftwareUpdateSettings supportedOS: iOS: introduced: '14.5' deprecated: '26.0' + removed: '27.0' userenrollment: mode: forbidden macOS: @@ -1696,8 +1682,10 @@ payloadkeys: introduced: n/a type: presence: optional - content: The key to get the device settings that control which updates appear - in the Software Update pane in Settings. Available in iOS 14.5 and later. + content: |- + The key to get the device settings that control which updates appear in the Software Update pane in Settings. + + Removed: use the declarative management `com.apple.configuration.softwareupdate.settings` configuration to set values. - key: AccessibilitySettings supportedOS: iOS: @@ -1719,7 +1707,6 @@ payloadkeys: type: presence: optional content: The key to get the current state of settable accessibility settings. - Available in iOS 16 and later. - key: DevicePropertiesAttestation supportedOS: iOS: @@ -1735,9 +1722,8 @@ payloadkeys: mode: allowed type: presence: optional - content: The key to get an attestation of the device's properties. Available - in iOS 16 and later, macOS 14 and later, tvOS 16 and later, and watchOS 10 - and later. The hardware requirements for attestation are described below. + content: The key to get an attestation of the device's properties. See the hardware + requirements for attestation below. - key: EACSPreflight supportedOS: iOS: @@ -1776,9 +1762,9 @@ payloadkeys: content: |- A freshness code that appears in the resulting attestation. This value can contain up to 32 bytes of data. If specified, queries need to contain `DevicePropertiesAttestation`. - The MDM server uses this value to prove that an attestation was recently generated. The system caches the most recently generated attestation on the device. If omitted or if the value matches the cached attestation, the system returns the cached attestation. To request a new attestation, provide a new freshness code. Requests for new attestations are rate limited. If it is fewer than 7 days since the system generated an attestation, the device returns the cached attestation rather than generating a new one. + The MDM server uses this value to prove that an attestation was recently generated. The system caches the most recently generated attestation on the device. If omitted or if the value matches the cached attestation, the system returns the cached attestation. To request a new attestation, provide a new freshness code. Requests for new attestations are rate limited. If it's fewer than 7 days since the system generated an attestation, the device returns the cached attestation rather than generating a new one. - Available in iOS 16 and later, macOS 14 and later, tvOS 16 and later, and watchOS 10 and later. The hardware requirements for attestation are described below. + See the hardware requirements for attestation below. responsekeys: - key: QueryResponses type: @@ -1805,7 +1791,7 @@ responsekeys: introduced: n/a type: content: The device identifier to use in provisioning profiles. This value differs - from the UDID on a Mac with Apple silicon. Available in macOS 11.3 and later. + from the UDID on a Mac with Apple silicon. - key: OrganizationInfo supportedOS: iOS: @@ -1821,30 +1807,24 @@ responsekeys: type: presence: required content: A string that describes the organization operating the MDM server. - This value is available in iOS 7 and later, macOS 10.11 and later, and tvOS - 9 and later. - key: OrganizationAddress type: presence: optional content: The organization's address. Use the LF character (` `) to insert - line breaks. This value is available in iOS 7 and later, macOS 10.11 and later, - and tvOS 9 and later. + line breaks. - key: OrganizationPhone type: presence: optional - content: The organization's phone number. This value is available in iOS 7 and - later, macOS 10.11 and later, and tvOS 9 and later. + content: The organization's phone number. - key: OrganizationEmail type: presence: optional - content: The organization's support email address. This value is available in - iOS 7 and later, macOS 10.11 and later, and tvOS 9 and later. + content: The organization's support email address. - key: OrganizationMagic type: presence: optional content: A unique identifier for the various services a single organization - manages. This value is available in iOS 7 and later, macOS 10.11 and later, - and tvOS 9 and later. + manages. - key: MDMOptions supportedOS: iOS: @@ -1866,9 +1846,7 @@ responsekeys: presence: optional default: false content: If `true`, a supervised device registers itself with Activation Lock - when the user enables Find My. Unsupervised devices ignore this value. This - value is available in iOS 7 and later, macOS 11 and later, and tvOS 9 and - later. + when the user enables Find My. Unsupervised devices ignore this value. - key: BootstrapTokenAllowed supportedOS: iOS: @@ -1884,8 +1862,7 @@ responsekeys: type: presence: optional default: false - content: If `true`, the server supports Bootstrap Token commands. This value - is available in macOS 11 and later. + content: If `true`, the server supports Bootstrap Token commands. - key: PromptUserToAllowBootstrapTokenForAuthentication supportedOS: iOS: @@ -1917,7 +1894,7 @@ responsekeys: watchOS: introduced: n/a type: - content: The date of the last iCloud backup. Available in iOS 8 and later. + content: The date of the last iCloud backup. - key: AwaitingConfiguration supportedOS: iOS: @@ -2033,8 +2010,7 @@ responsekeys: type: content: The total capacity in floating-point base-10 gigabytes (GB) on iOS and macOS 12 or later. The capacity is in base-2 gibibytes (GiB) on macOS 11 and - earlier. Requires the Device Information access right. Available in iOS 4 and - later, and macOS 10.7 and later. + earlier. Requires the Device Information access right. - key: AvailableDeviceCapacity supportedOS: tvOS: @@ -2042,8 +2018,7 @@ responsekeys: type: content: The available capacity in floating-point base-10 gigabytes (GB) in iOS and macOS 12 or later. The capacity is in base-2 gibibytes (GiB) in macOS 11 - and earlier. Requires the Device Information access right. Available in iOS - 4 and later, and macOS 10.7 and later. + and earlier. Requires the Device Information access right. - key: IMEI supportedOS: iOS: @@ -2089,7 +2064,6 @@ responsekeys: introduced: n/a type: content: The modem firmware version. Requires the Device Information access right. - Available in iOS 4 and later. - key: CellularTechnology supportedOS: iOS: @@ -2115,7 +2089,7 @@ responsekeys: - `2`: CDMA - `3`: GSM and CDMA - Requires the Device Information access right. Available in iOS 4.2.6 and later. + Requires the Device Information access right. - key: BatteryLevel supportedOS: iOS: @@ -2126,8 +2100,7 @@ responsekeys: introduced: n/a type: content: The battery level, between `0.0` and `1.0`, or `-1.0` if MDM can't determine - the battery level. Requires the Device Information access right. Available in - iOS 5 and later, and macOS 13.3 and later. + the battery level. Requires the Device Information access right. - key: HasBattery supportedOS: iOS: @@ -2152,8 +2125,7 @@ responsekeys: introduced: '9.0' type: content: If `true`, it's a supervised device. Requires the Device Information - access right. Available in iOS 6 and later, macOS 10.15 and later, and tvOS - 9 and later. + access right. - key: IsMultiUser supportedOS: iOS: @@ -2168,7 +2140,7 @@ responsekeys: introduced: n/a type: content: If `true`, the device is a Shared iPad. Requires the Device Information - access right. Available in iOS 9.3 and later. + access right. - key: IsDeviceLocatorServiceEnabled supportedOS: iOS: @@ -2179,7 +2151,7 @@ responsekeys: introduced: n/a type: content: If `true`, the device has enabled a device locator service, such as Find - My. Requires the Device Information access right. Available in iOS 7 and later. + My. Requires the Device Information access right. - key: IsActivationLockEnabled supportedOS: iOS: @@ -2212,7 +2184,7 @@ responsekeys: introduced: n/a type: content: If `true`, the device supports Activation Lock. Also see `IsActivationLockManageable` - in `ManagementStatus`. Available in macOS 10.9 and later. + in `ManagementStatus`. - key: IsDoNotDisturbInEffect supportedOS: iOS: @@ -2224,7 +2196,7 @@ responsekeys: type: content: If `true`, the device is in Do Not Disturb (DND) mode. This value is `true` even if DND is only in effect for a locked device. Requires the Device - Information access right. Available in iOS 7 and later. + Information access right. - key: SupportsLOMDevice supportedOS: iOS: @@ -2239,8 +2211,7 @@ responsekeys: introduced: n/a type: content: If `true`, the device can receive `PowerON`, `PowerOFF`, and `Reset` - commands from a lights-out management (LOM) controller. Available in macOS 11 - and later. + commands from a lights-out management (LOM) controller. - key: DeviceID supportedOS: iOS: @@ -2255,7 +2226,6 @@ responsekeys: introduced: n/a type: content: The device identifier. Requires the Device Information access right. - Available in tvOS 6 and later. - key: EASDeviceIdentifier supportedOS: iOS: @@ -2268,7 +2238,7 @@ responsekeys: introduced: n/a type: content: The device identifier for Exchange Active Sync (EAS). Requires the Device - Information access right. Available in iOS 7 and later. + Information access right. - key: IsCloudBackupEnabled supportedOS: iOS: @@ -2281,7 +2251,7 @@ responsekeys: introduced: n/a type: content: If `true`, the device has enabled iCloud backup. Requires the Device - Information access right. Available in iOS 7.1 and later. + Information access right. - key: ActiveManagedUsers supportedOS: iOS: @@ -2298,7 +2268,6 @@ responsekeys: content: An array of the directory GUIDs of the logged-in managed users. If one of these users is currently logged in to the console, the `CurrentConsoleManagedUser` key returns the GUID of that user. Requires the Device Information access right. - Available in macOS 10.11 and later. subkeys: - key: ActiveManagedUsersItems type: @@ -2309,6 +2278,7 @@ responsekeys: macOS: introduced: '10.11' deprecated: '26.0' + removed: '27.0' tvOS: introduced: n/a visionOS: @@ -2316,22 +2286,21 @@ responsekeys: watchOS: introduced: n/a type: - content: The contents of ``OSUpdateSettings-dictionary``. Requires the Device - Information access right. Available in macOS 10.11 and later. + content: |- + The contents of ``OSUpdateSettings-dictionary``. Requires the Device Information access right. + + Removed: use the declarative management `com.apple.configuration.softwareupdate.settings` configuration to set values. subkeys: - key: CatalogURL type: presence: optional - content: The URL to the software update catalog the client is using. This value - is available in macOS 10.11 and later. + content: The URL to the software update catalog the client is using. - key: IsDefaultCatalog type: - content: If `true`, `CatalogURL` is the default catalog. This value is available - in macOS 10.11 and later. + content: If `true`, `CatalogURL` is the default catalog. - key: PreviousScanDate type: - content: The date of the last software update scan. This value is available - in macOS 10.11 and later. + content: The date of the last software update scan. - key: PreviousScanResult supportedOS: macOS: @@ -2339,32 +2308,26 @@ responsekeys: removed: '15.0' type: presence: optional - content: The result code of last software update scan; `0` = success. This value - is available in macOS 10.11 and no longer available in macOS 15 and later. + content: The result code of last software update scan; `0` = success. - key: PerformPeriodicCheck type: - content: If `true`, start a new scan. This value is available in macOS 10.11 - and later. + content: If `true`, start a new scan. - key: AutoCheckEnabled type: - content: The preference to automatically check for app updates. This value is - available in macOS 10.11 and later. + content: The preference to automatically check for app updates. - key: BackgroundDownloadEnabled type: - content: The preference to download app updates in the background. This value - is available in macOS 10.11 and later. + content: The preference to download app updates in the background. - key: AutomaticAppInstallationEnabled type: - content: The preference to automatically install app updates. This value is - available in macOS 10.11 and later. + content: The preference to automatically install app updates. - key: AutomaticOSInstallationEnabled type: - content: The preference to automatically install operating system updates. This - value is available in macOS 10.11 and later. + content: The preference to automatically install operating system updates. - key: AutomaticSecurityUpdatesEnabled type: content: The preference to automatically install system data files and security - updates. This value is available in macOS 10.11 and later. + updates. - key: LocalHostName supportedOS: iOS: @@ -2378,7 +2341,7 @@ responsekeys: watchOS: introduced: n/a type: - content: The local host name from Bonjour. Available in macOS 10.11 and later. + content: The local host name from Bonjour. - key: HostName supportedOS: iOS: @@ -2392,7 +2355,7 @@ responsekeys: watchOS: introduced: n/a type: - content: The host name. Available in macOS 10.11 and later. + content: The host name. - key: AutoSetupAdminAccounts supportedOS: iOS: @@ -2407,8 +2370,8 @@ responsekeys: introduced: n/a type: content: The contents of ``AutoSetupAdminAccountsItem``, which Setup Assistant - automatically creates during DEP enrollment. Requires the Device Information - access right. Available in macOS 10.11 and later. + automatically creates during ADE enrollment. Requires the Device Information + access right. subkeys: - key: AutoSetupAdminAccountsItem type: @@ -2416,12 +2379,10 @@ responsekeys: subkeys: - key: GUID type: - content: The `GeneratedUID` of the administrator account. This value is available - in macOS 10.11 and later. + content: The `GeneratedUID` of the administrator account. - key: shortName type: - content: The short name of the administrator account. This value is available - in macOS 10.11 and later. + content: The short name of the administrator account. - key: SystemIntegrityProtectionEnabled supportedOS: iOS: @@ -2436,7 +2397,7 @@ responsekeys: introduced: n/a type: content: If `true`, the device has enabled System Integrity Protection. Requires - the Device Information access right. Available in macOS 10.12 and later. + the Device Information access right. - key: IsMDMLostModeEnabled supportedOS: iOS: @@ -2449,7 +2410,7 @@ responsekeys: introduced: n/a type: content: If `true`, the device has enabled Managed Lost Mode. Requires the Device - Information access right. Available in iOS 9.3 and later. + Information access right. - key: MaximumResidentUsers supportedOS: iOS: @@ -2465,7 +2426,7 @@ responsekeys: type: content: The maximum number of users that can use this Shared iPad device. Starting with iOS 13.4, the value that returns is always `32`. Requires the Device Information - access right. Available in iOS 9.3 and later. + access right. - key: EstimatedResidentUsers supportedOS: iOS: @@ -2481,7 +2442,7 @@ responsekeys: type: content: The estimated number of users that can use this Shared iPad device, according to the space available on the device and each user's quota. Requires the Device - Information access right. Available in iOS 14 and later. + Information access right. - key: QuotaSize supportedOS: iOS: @@ -2496,7 +2457,7 @@ responsekeys: introduced: n/a type: content: The quota size in megabytes for each user on this Shared iPad device. - Requires the Device Information access right. Available in iOS 13.4 and later. + Requires the Device Information access right. - key: ResidentUsers supportedOS: iOS: @@ -2511,7 +2472,7 @@ responsekeys: introduced: n/a type: content: The number of users currently on this Shared iPad device. Requires the - Device Information access right. Available in iOS 13.4 and later. + Device Information access right. - key: UserSessionTimeout supportedOS: iOS: @@ -2570,7 +2531,7 @@ responsekeys: introduced: n/a type: content: The list of domains that the device suggests on the Shared iPad login - screen. Available in iOS 16 and later. + screen. subkeys: - key: AppleID domain type: @@ -2589,7 +2550,6 @@ responsekeys: type: content: The grace period for Shared iPad online authentication (in days). A value of `0` indicates that the device requires online authentication for every login. - Available in iOS 16 and later. - key: SkipLanguageAndLocaleSetupForNewUsers supportedOS: iOS: @@ -2620,8 +2580,7 @@ responsekeys: type: content: The push token for the user-channel connection, in the same format as in `TokenUpdateRequest`. MDM ignores this query for the device channel. Requires - the Device Information access right. Available in iOS 9.3 and later, and macOS - 10.12 and later. + the Device Information access right. - key: DiagnosticSubmissionEnabled supportedOS: iOS: @@ -2632,7 +2591,7 @@ responsekeys: introduced: n/a type: content: If `true`, the device has enabled diagnostic submission. Requires the - Device Information access right. Available in iOS 9.3 and later. + Device Information access right. - key: AppAnalyticsEnabled supportedOS: iOS: @@ -2643,7 +2602,7 @@ responsekeys: introduced: n/a type: content: If `true`, the device is sharing app analytics. Requires the Device Information - access right. Available in iOS 9.3 and later. + access right. - key: TimeZone supportedOS: iOS: @@ -2654,8 +2613,7 @@ responsekeys: introduced: '14.0' type: content: The current Internet Assigned Numbers Authority (IANA) time zone database - name. Requires the Device Information access right. Available in iOS 14 and - later, and tvOS 14 and later. + name. Requires the Device Information access right. - key: ICCID supportedOS: iOS: @@ -2695,7 +2653,7 @@ responsekeys: introduced: n/a type: content: The primary Ethernet MAC address. Requires the Network Information access - right. Available in macOS 10.7 and later. + right. - key: CurrentCarrierNetwork supportedOS: iOS: @@ -2790,7 +2748,7 @@ responsekeys: introduced: n/a type: content: If `true`, the device has enabled data roaming. Requires the Network - Information access right. Available in iOS 5 and later. + Information access right. - key: VoiceRoamingEnabled supportedOS: iOS: @@ -2824,8 +2782,7 @@ responsekeys: introduced: n/a type: content: If `true,` the device has enabled Personal Hotspot, which isn't available - for all carriers. Requires the Network Information access right. Available in - iOS 7 and later. + for all carriers. Requires the Network Information access right. - key: IsNetworkTethered supportedOS: iOS: @@ -2840,7 +2797,7 @@ responsekeys: introduced: n/a type: content: If `true`, the device is network-tethered. Requires the Network Information - access right. Available in iOS 10.3 and later. + access right. - key: IsRoaming supportedOS: iOS: @@ -2974,24 +2931,19 @@ responsekeys: subkeys: - key: CarrierSettingsVersion type: - content: The version of the carrier settings. This value is available in iOS - 12 and later. + content: The version of the carrier settings. - key: CurrentCarrierNetwork type: - content: The name of the current carrier network. This value is available - in iOS 12 and later. + content: The name of the current carrier network. - key: CurrentMCC type: - content: The current mobile country code (MCC). This value is available in - iOS 12 and later. + content: The current mobile country code (MCC). - key: CurrentMNC type: - content: The current mobile network code (MNC). This value is available in - iOS 12 and later. + content: The current mobile network code (MNC). - key: ICCID type: - content: The integrated circuit card identifier (ICCID) value. This value - is available in iOS 12 and later. + content: The integrated circuit card identifier (ICCID) value. - key: EID supportedOS: iOS: @@ -3001,43 +2953,35 @@ responsekeys: tvOS: introduced: n/a type: - content: The eSIM identifier. This value is available in iOS 14 and later. + content: The eSIM identifier. - key: IMEI type: content: The device International Mobile Equipment Identity (IMEI) number. - This value is available in iOS 12 and later. - key: IsDataPreferred type: - content: If `true`, this subscription is the preference for data. This value - is available in iOS 12 and later. + content: If `true`, this subscription is the preference for data. - key: IsRoaming type: - content: If `true`, the phone is roaming. This value is available in iOS 12 - and later. + content: If `true`, the phone is roaming. - key: IsVoicePreferred type: - content: If `true`, this subscription is the preference for voice. This value - is available in iOS 12 and later. + content: If `true`, this subscription is the preference for voice. - key: Label type: - content: The label of this subscription. This value is available in iOS 12 - and later. + content: The label of this subscription. - key: LabelID type: - content: The unique identifier for this subscription. This value is available - in iOS 12 and later. + content: The unique identifier for this subscription. - key: MEID type: - content: The device Mobile Equipment Identifier (MEID) number. This query - is available in iOS 12 and later. + content: The device Mobile Equipment Identifier (MEID) number. - key: PhoneNumber type: content: The raw phone number without punctuation and including country code. - This value is available in iOS 12 and later. - key: Slot type: content: The description of the slot that contains the SIM representing this - subscription. This value is available in iOS 12 and later. + subscription. - key: SubscriberCarrierNetwork supportedOS: iOS: @@ -3047,8 +2991,7 @@ responsekeys: tvOS: introduced: n/a type: - content: The name of the home carrier network. This value is available in - iOS 16 and later. + content: The name of the home carrier network. - key: PINRequiredForEraseDevice supportedOS: iOS: @@ -3062,8 +3005,7 @@ responsekeys: watchOS: introduced: n/a type: - content: If `true`, the `EraseDeviceCommand` requires a PIN. Available in macOS - 11 and later. + content: If `true`, the `EraseDeviceCommand` requires a PIN. - key: PINRequiredForDeviceLock supportedOS: iOS: @@ -3077,8 +3019,7 @@ responsekeys: watchOS: introduced: n/a type: - content: If `true`, the `DeviceLockCommand` requires a PIN. Available in macOS - 11 and later. + content: If `true`, the `DeviceLockCommand` requires a PIN. - key: SupportsiOSAppInstalls supportedOS: iOS: @@ -3093,35 +3034,40 @@ responsekeys: introduced: n/a type: content: If `true`, the device supports iOS or iPadOS app installs through MDM. - Available in macOS 11 and later. - key: SoftwareUpdateDeviceID supportedOS: iOS: introduced: '15.0' deprecated: '26.0' + removed: '27.0' userenrollment: mode: forbidden macOS: introduced: '12.0' deprecated: '26.0' + removed: '27.0' userenrollment: mode: forbidden tvOS: introduced: n/a visionOS: deprecated: '26.0' + removed: '27.0' userenrollment: mode: forbidden watchOS: introduced: n/a type: - content: The device identifier to look up available OS updates through [https://gdmf.apple.com/v2/pmv](https://gdmf.apple.com/v2/pmv). - Available in iOS 15 and later, and macOS 12 and later. + content: |- + The device identifier to look up available OS updates through [https://gdmf.apple.com/v2/pmv](https://gdmf.apple.com/v2/pmv). + + Removed: subscribe to the declarative management `softwareupdate.device-id` status item. - key: SoftwareUpdateSettings supportedOS: iOS: introduced: '14.5' deprecated: '26.0' + removed: '27.0' userenrollment: mode: forbidden macOS: @@ -3133,10 +3079,12 @@ responsekeys: watchOS: introduced: n/a type: - content: The device settings that control which updates appear in the Software - Update pane in Settings. Available in iOS 14.5 and later. + content: |- + The device settings that control which updates appear in the Software Update pane in Settings. + + Removed: use the declarative management `com.apple.configuration.softwareupdate.settings` configuration to set values. subkeys: - - key: RecommendationsCadence + - key: RecommendationCadence type: content: |- Which software updates to present to the user. @@ -3165,8 +3113,7 @@ responsekeys: watchOS: supervised: true type: - content: The current state of settable accessibility settings. Available in iOS - 16 and later. + content: The current state of settable accessibility settings. subkeys: - key: BoldTextEnabled type: @@ -3233,20 +3180,20 @@ responsekeys: mode: allowed type: content: |- - The key to get an attestation of the device's properties. Available in iOS 16 and later, macOS 14 and later, tvOS 16 and later, and watchOS 10 and later. The hardware requirements for attestation are described below. + The key to get an attestation of the device's properties. See the hardware requirements for attestation below. The value is an array of certificates in DER form that forms a certificate chain. The chain is rooted with the Apple CA `Apple Enterprise Attestation Root CA`. The first array item is the leaf certificate. The leaf certificate contains custom OIDs describing a device. The OS version of the device, and the type of enrollment, determine which OIDs are present in the certificate. If Apple's attestation servers are unable to verify a device property they generate a blank value, omit the OID entirely, or refuse to issue an attestation certificate. The following OIDs were introduced in iOS 16, iPadOS 16, tvOS 16, watchOS 10, visionOS 1 and macOS 14: - - `1.2.840.113635.100.8.9.1` serial number: This is the serial number of the device. It is omitted if the enrollment is a user enrollment. - - `1.2.840.113635.100.8.9.2` UDID: For a Mac this has the same value as the `ProvisioningUDID` key, and does not match the UDID used elsewhere in the MDM protocol. It is omitted if the enrollment is a user enrollment. + - `1.2.840.113635.100.8.9.1` serial number: This is the serial number of the device. It's omitted if the enrollment is a user enrollment. + - `1.2.840.113635.100.8.9.2` UDID: For a Mac this has the same value as the `ProvisioningUDID` key, and doesn't match the UDID used elsewhere in the MDM protocol. It's omitted if the enrollment is a user enrollment. - `1.2.840.113635.100.8.10.2` sepOS version: This is the version of the operating system running on the Secure Enclave when the attestation is generated. Typically this matches the version of the main operating system. - - `1.2.840.113635.100.8.11.1` Freshness code: This is the freshness code. See the `DeviceAttestationNonce`. This may not match the requested freshness code if a cached attestation was returned. + - `1.2.840.113635.100.8.11.1` Freshness code: This is the freshness code. See the `DeviceAttestationNonce`. This may not match the requested freshness code if the device returned a cached attestation. The following OIDs were introduced in iOS 17.2, iPadOS 17.2, tvOS 17.2, watchOS 10.2, visionOS 1.l0, and macOS 14.2: - - `1.2.840.113635.100.8.9.4` Software Update Device ID: This is an identifier of the device model. It is expected to match the `SoftwareUpdateDeviceID` in the `DeviceInformation`` response. This is the device identifier to use when looking up available OS updates through . + - `1.2.840.113635.100.8.9.4` Software Update Device ID: This is an identifier of the device model. It's expected to match the `SoftwareUpdateDeviceID` in the `DeviceInformation`` response. This is the device identifier to use when looking up available OS updates through . - `1.2.840.113635.100.8.10.1` OS Version: This is the version of iOS, iPadOS or tvOS running on the device when the attestation is generated. - `1.2.840.113635.100.8.10.3` LLB Version: This is the version of the Low Level Bootloader firmware running on the device when the attestation is generated. For more information about the boot process, see the documentation of the boot process in the Apple Platform Security guide. @@ -3254,7 +3201,7 @@ responsekeys: - `1.2.840.113635.100.8.13.1` System Integrity Protection (SIP) status: This indicates whether SIP is enabled or disabled when the attestation is generated. `0` indicates enabled, `1` indicates disabled. - `1.2.840.113635.100.8.13.2` Secure boot status: This describes part of the configuration of the LocalPolicy when the attestation is generated. The values are `Full Security`, `Reduced Security`, or `Permissive Security`. For a description of these values see the Apple Platform Security guide. - - `1.2.840.113635.100.8.13.3` Third party kernel extensions allowed: This indicates whether third party kernel extensions are allowed. A value of `0` indicates third party kernel extensions are not allowed. Any other value means that some kinds of third party kernel extensions are allowed. + - `1.2.840.113635.100.8.13.3` Third party kernel extensions allowed: This indicates whether third party kernel extensions are allowed. A value of `0` indicates third party kernel extensions aren't allowed. Any other value means that some kinds of third party kernel extensions are allowed. subkeys: - key: AttestationCertificate type: @@ -3275,10 +3222,10 @@ responsekeys: type: content: |- Specifies whether the device can perform an `EraseDeviceCommand` using Erase All Content and Settings (EACS), which is one of the following values: - - `success`: The device supports EACS. - - `not supported`: The device is too old to support EACS. - - `unknown failure`: A problem occurred for which there isn't a more specific error message. - - `(other string)`: A reason why the device can't perform EACS, such as "System is not sealed" + * `success`: The device supports EACS. + * `not supported`: The device is too old to support EACS. + * `unknown failure`: A problem occurred for which there isn't a more specific error message. + * `(other string)`: A reason why the device can't perform EACS, such as "System is not sealed" notes: - title: '' content: Refer to the following sections to determine supported channels and requirements, @@ -3291,4 +3238,9 @@ notes: | Support status | iPhone, iPad | Mac | Apple TV | Apple Watch | Vision Pro | |----------------|--------------------------------------|---------------|-------------------------|----------------|------------| | Unsupported | A10x Fusion and earlier | Intel | A10x Fusion and earlier | S3 and earlier | none | - | Supported | A11 Bionic and later
All M series | Apple Silicon | A12 Bionic and later | S4 and later | All | + | Supported | A11 Bionic and later
All M series | Apple silicon | A12 Bionic and later | S4 and later | All | +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/information.device/example1.plist + response-file: examples/mdm/commands/information.device/example2.plist diff --git a/mdm/commands/information.security.yaml b/mdm/commands/information.security.yaml index 74fe3df..f53d280 100644 --- a/mdm/commands/information.security.yaml +++ b/mdm/commands/information.security.yaml @@ -60,8 +60,6 @@ responsekeys: > Important: > For a device to have data protection, `HardwareEncryptionCaps` must be `3` and `PasscodePresent` must `true`. - - This value is available in iOS 4 and later, and tvOS 6 and later. - key: PasscodePresent supportedOS: iOS: @@ -74,15 +72,14 @@ responsekeys: mode: forbidden type: content: If `true`, the device has a passcode. This key doesn't apply to User-Enrolled - devices. This value is available in iOS 4 and later, and tvOS 6 and later. + devices. - key: PasscodeCompliant supportedOS: macOS: introduced: n/a type: content: If `true`, the user's passcode is compliant with all requirements on - the device, including Exchange and other accounts. This value is available in - iOS 4 and later, and tvOS 6 and later. + the device, including Exchange and other accounts. - key: PasscodeCompliantWithProfiles supportedOS: iOS: @@ -95,8 +92,7 @@ responsekeys: mode: forbidden type: content: If `true`, the user's passcode is compliant with requirements from profiles. - This key doesn't apply to User-Enrolled devices. This value is available in - iOS 4 and later, and tvOS 6 and later. + This key doesn't apply to User-Enrolled devices. - key: PasscodeLockGracePeriod supportedOS: iOS: @@ -162,7 +158,6 @@ responsekeys: introduced: n/a type: content: If `true`, the device has enabled FileVault full disk encryption (FDE). - This value is available in macOS 10.9 and later. - key: FDE_HasPersonalRecoveryKey supportedOS: iOS: @@ -179,8 +174,7 @@ responsekeys: watchOS: introduced: n/a type: - content: If `true`, FileVault FDE has a personal recovery key. This value is available - in macOS 10.9 and later. + content: If `true`, FileVault FDE has a personal recovery key. - key: FDE_HasInstitutionalRecoveryKey supportedOS: iOS: @@ -197,8 +191,7 @@ responsekeys: watchOS: introduced: n/a type: - content: If `true`, FileVault FDE has an institutional recovery key. This value - is available in macOS 10.9 and later. + content: If `true`, FileVault FDE has an institutional recovery key. - key: FDE_PersonalRecoveryKeyCMS supportedOS: iOS: @@ -217,8 +210,7 @@ responsekeys: type: content: If the FileVault personal recovery key has enabled escrow with a recovery key, this value contains the key. The certificate from the `FDERecoveryKeyEscrow` - profile encrypts the key and wraps it as CMS data. This value is available in - macOS 10.13 and later. + profile encrypts the key and wraps it as CMS data. - key: FDE_PersonalRecoveryKeyDeviceKey supportedOS: iOS: @@ -240,8 +232,7 @@ responsekeys: to the user at the EFI Login Window as part of the help message if they enter their password incorrectly three times. The server also uses this value as an index when saving the device personal recovery key. This replaces the `recordNumber` - that the server returned in the previous escrow mechanism. This value is available - in macOS 10.13 and later. + that the server returned in the previous escrow mechanism. - key: SystemIntegrityProtectionEnabled supportedOS: iOS: @@ -257,7 +248,6 @@ responsekeys: introduced: n/a type: content: If `true`, System Integrity Protection (SIP) is active on the device. - This value is available in macOS 10.12 and later. - key: FirewallSettings supportedOS: iOS: @@ -272,8 +262,7 @@ responsekeys: watchOS: introduced: n/a type: - content: A dictionary that contains the firewall settings. This value is available - in macOS 10.12 and later. + content: A dictionary that contains the firewall settings. subkeys: - key: FirewallEnabled type: @@ -336,8 +325,7 @@ responsekeys: watchOS: introduced: n/a type: - content: A dictionary that contains the status of the EFI firmware password. This - value is available in macOS 10.13 and later. + content: A dictionary that contains the status of the EFI firmware password. subkeys: - key: PasswordExists type: @@ -374,8 +362,8 @@ responsekeys: watchOS: introduced: n/a type: - content: If `true`, the device enrolled in MDM through the Device Enrollment - Program (DEP). This value is available in macOS 10.13.2 and later. + content: If `true`, the device enrolled in MDM through Automated Device Enrollment + (ADE). - key: UserApprovedEnrollment supportedOS: iOS: @@ -388,15 +376,13 @@ responsekeys: introduced: n/a type: content: If `true`, the enrollment was user-approved. If `false`, the device - may reject certain security-sensitive payloads or commands. This value is - available in macOS 10.13.2 and later. + may reject certain security-sensitive payloads or commands. - key: IsUserEnrollment supportedOS: macOS: introduced: '10.15' type: - content: If `true`, the device is user-enrolled. This value is available in - iOS 13 and later, and macOS 10.15 and later. + content: If `true`, the device is user-enrolled. - key: IsActivationLockManageable supportedOS: iOS: @@ -411,7 +397,7 @@ responsekeys: introduced: n/a type: content: If `true`, the type of enrollment allows the MDM to manage Activation - Lock for this device. This value is available in macOS 10.15 and later. + Lock for this device. - key: SecureBoot supportedOS: iOS: @@ -426,8 +412,7 @@ responsekeys: watchOS: introduced: n/a type: - content: A dictionary that contains the device's Secure Boot settings. This value - is available in macOS 10.15 and later. + content: A dictionary that contains the device's Secure Boot settings. subkeys: - key: SecureBootLevel type: @@ -450,10 +435,9 @@ responsekeys: macOS: introduced: '11.0' type: - content: |- - Reports which security features the user disables in `recoveryOS`. This property is only present for a Mac with Apple silicon when `SecureBootLevel` is `medium`. - - Available in iOS 11 and later. + content: Reports which security features the user disables in `recoveryOS`. + This property is only present for a Mac with Apple silicon when `SecureBootLevel` + is `medium`. subkeys: - key: ReducedSecurityItems type: @@ -485,8 +469,7 @@ responsekeys: watchOS: introduced: n/a type: - content: If `true`, Remote Desktop is active on the device. This value is available - in macOS 10.14.4 and later. + content: If `true`, Remote Desktop is active on the device. - key: AuthenticatedRootVolumeEnabled supportedOS: iOS: @@ -501,8 +484,7 @@ responsekeys: watchOS: introduced: n/a type: - content: If `true`, the system booted using an Authenticated Root Volume. This - value is available in macOS 11 and later. + content: If `true`, the system booted using an Authenticated Root Volume. - key: BootstrapTokenAllowedForAuthentication supportedOS: iOS: @@ -524,7 +506,7 @@ responsekeys: - disallowed - not supported content: |- - This value specifies whether the Secure Enclave Processor (SEP) supports and allows secure operations to use the Bootstrap Token. The value is automatically set for devices enrolled through the Device Enrollment Program (DEP). The user can also manually set this value in the RecoveryOS. + This value specifies whether the Secure Enclave Processor (SEP) supports and allows secure operations to use the Bootstrap Token. The device automatically sets this value if enrolled through Automated Device Enrollment (ADE). The user can also manually set this value in the RecoveryOS. This value is available for a Mac with Apple silicon in macOS 11 and later. Not available for user enrollment. - key: BootstrapTokenRequiredForSoftwareUpdate @@ -589,3 +571,8 @@ notes: - title: '' content: Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/information.security/example1.plist + response-file: examples/mdm/commands/information.security/example2.plist diff --git a/mdm/commands/lom.devicerequest.yaml b/mdm/commands/lom.devicerequest.yaml index a5dc474..6d1c28e 100644 --- a/mdm/commands/lom.devicerequest.yaml +++ b/mdm/commands/lom.devicerequest.yaml @@ -103,3 +103,8 @@ notes: This command requires the `DeviceLockAndRemovePasscode` access right, `LightsOutManagementLOM` configuration and is available in macOS 11 and later on [supported macOS devices](https://support.apple.com/guide/deployment/lights-out-management-payload-settings-dep580cf25bc/web). `DeviceDNSName` is the `CommonName` in the Identity issued on the client certificate from `LightsOutManagementLOM`. `LOMSetupRequestResponse` returns `PrimaryIPv6AddressList` and `SecondaryIPv6AddressList` after a successful deployment of Lights Out management configuration payload and subsequent `LOMSetupRequestCommand`. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/lom.devicerequest/example1.plist + response-file: examples/mdm/commands/lom.devicerequest/example2.plist diff --git a/mdm/commands/lom.setuprequest.yaml b/mdm/commands/lom.setuprequest.yaml index 0fce9ad..259c341 100644 --- a/mdm/commands/lom.setuprequest.yaml +++ b/mdm/commands/lom.setuprequest.yaml @@ -50,3 +50,8 @@ notes: - title: '' content: This command requires the `DeviceLockAndRemovePasscode` access right, `LightsOutManagementLOM` configuration and is available in macOS 11 and later on [supported macOS devices](https://support.apple.com/guide/deployment/lights-out-management-payload-settings-dep580cf25bc/web). +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/lom.setuprequest/example1.plist + response-file: examples/mdm/commands/lom.setuprequest/example2.plist diff --git a/mdm/commands/managed.application.attributes.yaml b/mdm/commands/managed.application.attributes.yaml index 5005da0..c1408d2 100644 --- a/mdm/commands/managed.application.attributes.yaml +++ b/mdm/commands/managed.application.attributes.yaml @@ -39,7 +39,7 @@ payloadkeys: The bundle identifiers of the managed apps. > Important: - > For a watchOS app, the identifier needs to be the watch's bundle identifier, which differs from the main bundle identifier for the iPhone to which the watch is paired. Obtain the watch's bundle identifier for an app with a watch bundle, in the `watchBundleId` key that's part of the Content Metadata query. For more information on this query, see `Getting App and Book Information`. + > For a watchOS app, the identifier needs to be the watch's bundle identifier, which differs from the main bundle identifier for the iPhone the watch pairs with. Obtain the watch's bundle identifier for an app with a watch bundle, in the `watchBundleId` key that's part of the Content Metadata query. For more information on this query, see `Getting app and book information (Legacy)`. subkeys: - key: IdentifiersItem type: @@ -60,7 +60,7 @@ responsekeys: The app's bundle identifier. > Note: - > For a watchOS app, the identifier is the watch's bundle identifier, which differs from the main bundle identifier for the iPhone to which the watch is paired. + > For a watchOS app, the identifier is the watch's bundle identifier, which differs from the main bundle identifier for the iPhone the watch pairs with. - key: Attributes type: presence: optional @@ -83,10 +83,7 @@ responsekeys: introduced: n/a type: presence: optional - content: |- - The content Filter UUID assigned to this app. - - Available in iOS 16 and later. + content: The content Filter UUID assigned to this app. - key: DNSProxyUUID supportedOS: iOS: @@ -97,10 +94,7 @@ responsekeys: introduced: n/a type: presence: optional - content: |- - The DNS Proxy UUID assigned to this app. - - Available in iOS 16 and later. + content: The DNS Proxy UUID assigned to this app. - key: RelayUUID supportedOS: iOS: @@ -120,8 +114,7 @@ responsekeys: introduced: n/a type: presence: optional - content: This app's associated domains. This value is available in iOS 13 - and later. + content: This app's associated domains. subkeys: - key: AssociatedDomain type: @@ -136,8 +129,7 @@ responsekeys: default: false content: If `true`, perform claimed site association verification directly at the domain instead of on Apple's servers. Only set this to `true` for - domains that can't access the internet. This value is available in iOS 14 - and later. + domains that can't access the internet. - key: Removable supportedOS: iOS: @@ -147,8 +139,7 @@ responsekeys: type: presence: optional default: true - content: If `false`, this app isn't removable while it's a managed app. This - value is available in iOS 14 and later. + content: If `false`, this app isn't removable while it's a managed app. - key: TapToPayScreenLock supportedOS: iOS: @@ -162,10 +153,10 @@ responsekeys: type: presence: optional default: false - content: |- - If `true`, Tap to Pay on iPhone requires users to use Face ID or a passcode to unlock their device after every transaction that requires a customer's card PIN. If `false`, the user can configure this setting on their device. - - Available in iOS 16.4 and later. + content: If `true`, Tap to Pay on iPhone requires users to use Face ID or + a passcode to unlock their device after every transaction that requires + a customer's card PIN. If `false`, the user can configure this setting on + their device. - key: CellularSliceUUID supportedOS: iOS: @@ -178,10 +169,10 @@ responsekeys: introduced: n/a type: presence: optional - content: |- - The data network name (DNN) or app category. For DNN, the value is `DNN:name`, where `name` is the carrier-provided DNN name. For app category, the value is `AppCategory:category`, where `category` is a carrier-provided string like "Enterprise1". - - Available in iOS 17 and later. + content: The data network name (DNN) or app category. For DNN, the value is + `DNN:name`, where `name` is the carrier-provided DNN name. For app category, + the value is `AppCategory:category`, where `category` is a carrier-provided + string like "Enterprise1". - key: Hideable supportedOS: iOS: @@ -221,3 +212,8 @@ notes: The response doesn't include apps that Declarative Device Management is managing. Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/managed.application.attributes/example1.plist + response-file: examples/mdm/commands/managed.application.attributes/example2.plist diff --git a/mdm/commands/managed.application.configuration.yaml b/mdm/commands/managed.application.configuration.yaml index 56fa9dd..0698e75 100644 --- a/mdm/commands/managed.application.configuration.yaml +++ b/mdm/commands/managed.application.configuration.yaml @@ -46,7 +46,7 @@ payloadkeys: The bundle identifiers of the managed apps. > Important: - > For a watchOS app, the identifier needs to be the watch's bundle identifier, which differs from the main bundle identifier for the iPhone to which the watch is paired. Obtain the watch's bundle identifier for an app with a watch bundle, in the `watchBundleId` key that's part of the Content Metadata query. For more information on this query, see `Getting App and Book Information`. + > For a watchOS app, the identifier needs to be the watch's bundle identifier, which differs from the main bundle identifier for the iPhone the watch pairs with. Obtain the watch's bundle identifier for an app with a watch bundle, in the `watchBundleId` key that's part of the Content Metadata query. For more information on this query, see `Getting app and book information (Legacy)`. subkeys: - key: IdentifiersItem type: @@ -67,7 +67,7 @@ responsekeys: The app's bundle identifier. > Note: - > For a watchOS app, the identifier is the watch's bundle identifier, which differs from the main bundle identifier for the iPhone to which the watch is paired. + > For a watchOS app, the identifier is the watch's bundle identifier, which differs from the main bundle identifier for the iPhone the watch pairs with. - key: Configuration type: presence: optional @@ -85,3 +85,8 @@ notes: The response doesn't include apps that Declarative Device Management is managing. Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/managed.application.configuration/example1.plist + response-file: examples/mdm/commands/managed.application.configuration/example2.plist diff --git a/mdm/commands/managed.application.feedback.yaml b/mdm/commands/managed.application.feedback.yaml index 43b578d..cf46cce 100644 --- a/mdm/commands/managed.application.feedback.yaml +++ b/mdm/commands/managed.application.feedback.yaml @@ -79,3 +79,8 @@ notes: The response doesn't include apps that Declarative Device Management is managing. Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/managed.application.feedback/example1.plist + response-file: examples/mdm/commands/managed.application.feedback/example2.plist diff --git a/mdm/commands/media.install.yaml b/mdm/commands/media.install.yaml index 332b882..d0ecb46 100644 --- a/mdm/commands/media.install.yaml +++ b/mdm/commands/media.install.yaml @@ -44,7 +44,7 @@ payloadkeys: introduced: n/a type: presence: optional - content: The URL to retrieve the book. This value is available in iOS 8 and later. + content: The URL to retrieve the book. - key: MediaType type: presence: required @@ -58,7 +58,6 @@ payloadkeys: type: presence: optional content: The book's persistent identifier in reverse-DNS form; for example, `com.acme.manuals.training`. - This value is available in iOS 8 and later. - key: Kind supportedOS: macOS: @@ -76,28 +75,28 @@ payloadkeys: - `epub`: An EPUB file in `gzip` format. - `ibooks`: An iBooks Author file in `gzip` format. - If you omit this value, its value is the file extension in the URL. This value is available in iOS 8 and later. + If you omit this value, its value is the file extension in the URL. - key: Version supportedOS: macOS: introduced: n/a type: presence: optional - content: The book's version number. This value is available in iOS 8 and later. + content: The book's version number. - key: Author supportedOS: macOS: introduced: n/a type: presence: optional - content: The name of the book's author. This value is available in iOS 8 and later. + content: The name of the book's author. - key: Title supportedOS: macOS: introduced: n/a type: presence: optional - content: The book's title. This value is available in iOS 8 and later. + content: The book's title. responsekeys: - key: iTunesStoreID type: @@ -109,16 +108,14 @@ responsekeys: introduced: n/a type: presence: optional - content: The URL to retrieve the book, if present in the command. This value is - available in iOS 8 and later. + content: The URL to retrieve the book, if present in the command. - key: PersistentID supportedOS: macOS: introduced: n/a type: presence: optional - content: The book's persistent identifier, if present in the command. This value - is available in iOS 8 and later. + content: The book's persistent identifier, if present in the command. - key: MediaType type: presence: optional @@ -175,3 +172,14 @@ notes: If you install a book that isn't from the Book Store with the same `PersistentID` as an existing book that also isn't from the Book Store, the new book replaces the existing one. Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - tab: Enterprise + description: This command installs an enterprise book. + request-file: examples/mdm/commands/media.install/example1.plist + response-file: examples/mdm/commands/media.install/example2.plist + - tab: Book Store + description: This command installs a book from the Book Store. + request-file: examples/mdm/commands/media.install/example3.plist + response-file: examples/mdm/commands/media.install/example4.plist diff --git a/mdm/commands/media.managed.list.yaml b/mdm/commands/media.managed.list.yaml index 7a22fd5..0d0624a 100644 --- a/mdm/commands/media.managed.list.yaml +++ b/mdm/commands/media.managed.list.yaml @@ -70,8 +70,6 @@ responsekeys: - `epub`: An EPUB file in `gzip` format - `ibooks`: An iBooks Author file in `gzip` format - The file extension in the URL - - This value is available in iOS 8 and later. - key: Version type: presence: optional @@ -88,3 +86,8 @@ notes: - title: '' content: Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/media.managed.list/example1.plist + response-file: examples/mdm/commands/media.managed.list/example2.plist diff --git a/mdm/commands/media.remove.yaml b/mdm/commands/media.remove.yaml index 3b99ab3..fd3894b 100644 --- a/mdm/commands/media.remove.yaml +++ b/mdm/commands/media.remove.yaml @@ -43,3 +43,8 @@ notes: - title: '' content: Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/media.remove/example1.plist + response-file: examples/mdm/commands/media.remove/example2.plist diff --git a/mdm/commands/mirroring.request.yaml b/mdm/commands/mirroring.request.yaml index fe6d003..f78a3ac 100644 --- a/mdm/commands/mirroring.request.yaml +++ b/mdm/commands/mirroring.request.yaml @@ -69,3 +69,8 @@ notes: Provide either the `DestinationName` or the `DestinationDeviceID`. If you provide both values, MDM uses `DestinationDeviceID`. Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/classroom.mirroring.request/example1.plist + response-file: examples/mdm/commands/classroom.mirroring.request/example2.plist diff --git a/mdm/commands/mirroring.stop.yaml b/mdm/commands/mirroring.stop.yaml index 23ce02b..0db3e3f 100644 --- a/mdm/commands/mirroring.stop.yaml +++ b/mdm/commands/mirroring.stop.yaml @@ -34,3 +34,8 @@ notes: - title: '' content: Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/classroom.mirroring.stop/example1.plist + response-file: examples/mdm/commands/classroom.mirroring.stop/example2.plist diff --git a/mdm/commands/passcode.clear.yaml b/mdm/commands/passcode.clear.yaml index ae660a3..9d6e665 100644 --- a/mdm/commands/passcode.clear.yaml +++ b/mdm/commands/passcode.clear.yaml @@ -41,3 +41,8 @@ notes: Clearing the passcode in iOS 16 no longer adds the passcode to the history of passcodes. Therefore, the user can reuse the cleared passcode even when the `Passcode` payload has the `pinHistory` key set. Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/passcode.clear/example1.plist + response-file: examples/mdm/commands/passcode.clear/example2.plist diff --git a/mdm/commands/passcode.firmware.set.yaml b/mdm/commands/passcode.firmware.set.yaml index cb3023c..227a3f7 100644 --- a/mdm/commands/passcode.firmware.set.yaml +++ b/mdm/commands/passcode.firmware.set.yaml @@ -62,3 +62,8 @@ notes: Refer to the following sections to determine supported channels and requirements, and to see an example request and response. This command isn't supported on a Mac with Apple silicon. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/passcode.firmware.set/example1.plist + response-file: examples/mdm/commands/passcode.firmware.set/example2.plist diff --git a/mdm/commands/passcode.firmware.verify.yaml b/mdm/commands/passcode.firmware.verify.yaml index a4cf91e..4d81bd7 100644 --- a/mdm/commands/passcode.firmware.verify.yaml +++ b/mdm/commands/passcode.firmware.verify.yaml @@ -46,3 +46,8 @@ notes: Refer to the following sections to determine supported channels and requirements, and to see an example request and response. This command isn't supported on a Mac with Apple silicon. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/passcode.firmware.verify/example1.plist + response-file: examples/mdm/commands/passcode.firmware.verify/example2.plist diff --git a/mdm/commands/passcode.recovery.set.yaml b/mdm/commands/passcode.recovery.set.yaml index c57fa06..9ffecda 100644 --- a/mdm/commands/passcode.recovery.set.yaml +++ b/mdm/commands/passcode.recovery.set.yaml @@ -20,7 +20,7 @@ payload: introduced: n/a watchOS: introduced: n/a - content: Sets or clears the recovery lock password (Apple Silicon devices only). + content: Sets or clears the recovery lock password (Apple silicon devices only). Requires the "Device lock and passcode removal right". payloadkeys: - key: CurrentPassword @@ -39,3 +39,8 @@ notes: This command sets, or clears, a password on booting to recoveryOS. When the device unenrolls MDM the system removes the recovery password. This command is only available on a Mac with Apple silicon. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/passcode.recovery.set/example1.plist + response-file: examples/mdm/commands/passcode.recovery.set/example2.plist diff --git a/mdm/commands/passcode.recovery.verify.yaml b/mdm/commands/passcode.recovery.verify.yaml index 1dd3e18..93cdd3e 100644 --- a/mdm/commands/passcode.recovery.verify.yaml +++ b/mdm/commands/passcode.recovery.verify.yaml @@ -34,3 +34,8 @@ responsekeys: notes: - title: '' content: This command is only available on a Mac with Apple silicon. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/passcode.recovery.verify/example1.plist + response-file: examples/mdm/commands/passcode.recovery.verify/example2.plist diff --git a/mdm/commands/profile.install.yaml b/mdm/commands/profile.install.yaml index 21c7d68..e503fea 100644 --- a/mdm/commands/profile.install.yaml +++ b/mdm/commands/profile.install.yaml @@ -52,3 +52,8 @@ notes: - title: '' content: Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/profile.install/example1.plist + response-file: examples/mdm/commands/profile.install/example2.plist diff --git a/mdm/commands/profile.list.yaml b/mdm/commands/profile.list.yaml index 2c5e6cd..8d8579c 100644 --- a/mdm/commands/profile.list.yaml +++ b/mdm/commands/profile.list.yaml @@ -55,8 +55,6 @@ payloadkeys: default: false content: If `true`, only include profiles that MDM has installed. For user enrollments, the device ignores this key and always limits the results to managed profiles. - This value is available in iOS 13 and later, macOS 10.5 and later, and tvOS 13 - and later. responsekeys: - key: ProfileList type: @@ -125,9 +123,8 @@ responsekeys: type: presence: optional default: false - content: If `true`, the current MDM service installed the profile. MDM doesn't - return this value for supervised devices, and can remove or replace all profiles - on supervised devices. + content: If `true`, the current MDM service installed the profile. MDM can remove + or replace all profiles on supervised devices. - key: Source supportedOS: iOS: @@ -195,3 +192,8 @@ notes: - title: '' content: Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/profile.list/example1.plist + response-file: examples/mdm/commands/profile.list/example2.plist diff --git a/mdm/commands/profile.provisioning.install.yaml b/mdm/commands/profile.provisioning.install.yaml index ea09672..ade85a6 100644 --- a/mdm/commands/profile.provisioning.install.yaml +++ b/mdm/commands/profile.provisioning.install.yaml @@ -53,3 +53,8 @@ notes: No error occurs if the provisioning profile is already present. Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/profile.provisioning.install/example1.plist + response-file: examples/mdm/commands/profile.provisioning.install/example2.plist diff --git a/mdm/commands/profile.provisioning.list.yaml b/mdm/commands/profile.provisioning.list.yaml index 20bb611..29ac9e6 100644 --- a/mdm/commands/profile.provisioning.list.yaml +++ b/mdm/commands/profile.provisioning.list.yaml @@ -54,7 +54,6 @@ payloadkeys: default: false content: If `true`, only include profiles that MDM has installed. For user enrollments, the device ignores this key and always limits the results to managed profiles. - This value is available in iOS 13 and later, and tvOS 13 and later. responsekeys: - key: ProvisioningProfileList type: @@ -81,3 +80,8 @@ notes: - title: '' content: Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/profile.provisioning.list/example1.plist + response-file: examples/mdm/commands/profile.provisioning.list/example2.plist diff --git a/mdm/commands/profile.provisioning.remove.yaml b/mdm/commands/profile.provisioning.remove.yaml index 75fff51..7c10fd4 100644 --- a/mdm/commands/profile.provisioning.remove.yaml +++ b/mdm/commands/profile.provisioning.remove.yaml @@ -53,3 +53,8 @@ notes: > Note: > Don't remove a provisioning profile to revoke access to an enterprise app. An app continues to be usable until the device restarts, even with no provisioning profile. Provisioning profiles also synchronize with iTunes and the system reinstalls them when users sync devices. For more information on removing apps, see `Remove-Application-Command`. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/profile.provisioning.remove/example1.plist + response-file: examples/mdm/commands/profile.provisioning.remove/example2.plist diff --git a/mdm/commands/profile.remove.yaml b/mdm/commands/profile.remove.yaml index 69b167b..ed68d73 100644 --- a/mdm/commands/profile.remove.yaml +++ b/mdm/commands/profile.remove.yaml @@ -49,3 +49,8 @@ notes: - title: '' content: Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/profile.remove/example1.plist + response-file: examples/mdm/commands/profile.remove/example2.plist diff --git a/mdm/commands/remotedesktop.disable.yaml b/mdm/commands/remotedesktop.disable.yaml index d36ae8c..49f6d3d 100644 --- a/mdm/commands/remotedesktop.disable.yaml +++ b/mdm/commands/remotedesktop.disable.yaml @@ -26,3 +26,8 @@ notes: This command disables Remote Desktop on the device, and prevents any further remote event processing. It removes any `PostEvent` Transparency Consent and Control (TCC) ability, unless the device already has an installed TCC configuration profile with that ability enabled. Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/remotedesktop.disable/example1.plist + response-file: examples/mdm/commands/remotedesktop.disable/example2.plist diff --git a/mdm/commands/remotedesktop.enable.yaml b/mdm/commands/remotedesktop.enable.yaml index 04760f1..5175060 100644 --- a/mdm/commands/remotedesktop.enable.yaml +++ b/mdm/commands/remotedesktop.enable.yaml @@ -32,3 +32,8 @@ notes: All other options remain unchanged. Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/remotedesktop.enable/example1.plist + response-file: examples/mdm/commands/remotedesktop.enable/example2.plist diff --git a/mdm/commands/rotate.file.vault.key.yaml b/mdm/commands/rotate.file.vault.key.yaml index 7f0e38e..d5b41a3 100644 --- a/mdm/commands/rotate.file.vault.key.yaml +++ b/mdm/commands/rotate.file.vault.key.yaml @@ -84,7 +84,7 @@ responsekeys: - key: EncryptedNewRecoveryKey type: presence: optional - content: A new personal recovery key that is encrypted using a `ReplyEncryptionCertificate` + content: A new personal recovery key that's encrypted using a `ReplyEncryptionCertificate` as a CMS-compliant envelope. notes: - title: '' @@ -92,3 +92,14 @@ notes: Change the FileVault password periodically to mitigate the security risk of deployed devices. Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - tab: Personal + description: This command changes the File Vault personal password. + request-file: examples/mdm/commands/rotate.file.vault.key/example1.plist + response-file: examples/mdm/commands/rotate.file.vault.key/example2.plist + - tab: Institutional + description: This command changes the File Vault institutional recovery key. + request-file: examples/mdm/commands/rotate.file.vault.key/example3.plist + response-file: examples/mdm/commands/rotate.file.vault.key/example4.plist diff --git a/mdm/commands/set.auto.admin.password.yaml b/mdm/commands/set.auto.admin.password.yaml index e77ba92..458ab3e 100644 --- a/mdm/commands/set.auto.admin.password.yaml +++ b/mdm/commands/set.auto.admin.password.yaml @@ -21,14 +21,14 @@ payload: watchOS: introduced: n/a content: Allows changing the password of a local admin account that was created - by Setup Assistant during DEP enrollment via the AccountConfiguration command. + by Setup Assistant during ADE enrollment via the AccountConfiguration command. payloadkeys: - key: GUID type: presence: required content: The unique identifier of the local administrator account. If this value - doesn't match the GUID of an administrator account that MDM created during Device - Enrollment Program (DEP) enrollment, the command returns an error. + doesn't match the GUID of an administrator account that MDM created during Automated + Device Enrollment (ADE) enrollment, the command returns an error. - key: passwordHash type: presence: required @@ -46,3 +46,8 @@ notes: - title: '' content: Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/set.auto.admin.password/example1.plist + response-file: examples/mdm/commands/set.auto.admin.password/example2.plist diff --git a/mdm/commands/settings.yaml b/mdm/commands/settings.yaml index 36eae47..7ceca16 100644 --- a/mdm/commands/settings.yaml +++ b/mdm/commands/settings.yaml @@ -69,9 +69,9 @@ payloadkeys: type: presence: optional content: A dictionary that contains wallpaper settings. This setting doesn't support - user enrollment. Available in iOS 8 and later. Starting in iOS 16 and iPadOS - 17, when setting the wallpaper for the first time, both locations update. After - that, you can set either location separately. + user enrollment. Starting in iOS 16 and iPadOS 17, when setting the wallpaper + for the first time, both locations update. After that, you can set either location + separately. subkeys: - key: Item type: @@ -118,8 +118,7 @@ payloadkeys: type: presence: optional content: A dictionary that contains data roaming settings. This setting requires - the Network Information access right, and doesn't support user enrollment. Available - in iOS 5 and later. + the Network Information access right, and doesn't support user enrollment. subkeys: - key: Item type: @@ -131,7 +130,8 @@ payloadkeys: type: presence: required content: If `true`, enable data roaming, which also enables voice roaming. If - `false`, disable data roaming. + `false`, disable data roaming. The device only applies this setting to the + primary SIM. - key: VoiceRoaming supportedOS: iOS: @@ -153,8 +153,7 @@ payloadkeys: type: presence: optional content: A dictionary that contains voice roaming settings. This setting requires - the Network Information access right, and doesn't support user enrollment. Available - in iOS 5 and later. + the Network Information access right, and doesn't support user enrollment. subkeys: - key: Item type: @@ -189,8 +188,7 @@ payloadkeys: type: presence: optional content: A dictionary that contains Personal Hotspot settings. This setting requires - the Network Information access right, and doesn't support user enrollment. Available - in iOS 5 and later. + the Network Information access right, and doesn't support user enrollment. subkeys: - key: Item type: @@ -228,8 +226,7 @@ payloadkeys: presence: optional content: A dictionary that contains Bluetooth settings. This setting requires the Network Information access right, doesn't support user enrollment, and is - available only on supervised devices. Available in iOS 11.3 and later, and macOS - 10.13.4 and later. + available only on supervised devices. subkeys: - key: Item type: @@ -266,9 +263,8 @@ payloadkeys: presence: optional content: A dictionary that contains the configurations to apply to the app. Omit this setting to remove existing configurations. This setting requires the App - Management access right, supports user enrollment, and is available in iOS 7 - and later, macOS 10.15 and later, and tvOS 10.2 and later. This setting fails - for apps that Declarative Device Management manages. + Management access right, supports user enrollment. This setting fails for apps + that Declarative Device Management manages. subkeys: - key: Item type: @@ -283,7 +279,7 @@ payloadkeys: The bundle identifier of the managed app. > Important: - > For a watchOS app, the identifier needs to be the watch's bundle identifier, which differs from the main bundle identifier for the iPhone to which the watch is paired. Obtain the watch's bundle identifier for an app with a watch bundle, in the `watchBundleId` key that's part of the Content Metadata query. For more information on this query, see `Getting App and Book Information`. + > For a watchOS app, the identifier needs to be the watch's bundle identifier, which differs from the main bundle identifier for the iPhone the watch pairs with. Obtain the watch's bundle identifier for an app with a watch bundle, in the `watchBundleId` key that's part of the Content Metadata query. For more information on this query, see `Getting app and book information (Legacy)`. - key: Configuration type: presence: optional @@ -315,9 +311,8 @@ payloadkeys: type: presence: optional content: A dictionary that contains the attributes to apply to the app. Omit this - setting to remove existing attributes. This setting supports user enrollment, - is available in iOS 7 and later, and tvOS 10.2 and later. This setting fails - for apps that Declarative Device Management manages. + setting to remove existing attributes. This setting supports user enrollment. + This setting fails for apps that Declarative Device Management manages. subkeys: - key: Item type: @@ -332,13 +327,12 @@ payloadkeys: The bundle identifier of the app. > Important: - > For a watchOS app, the identifier needs to be the watch's bundle identifier, which differs from the main bundle identifier for the iPhone to which the watch is paired. Obtain the watch's bundle identifier for an app with a watch bundle, in the `watchBundleId` key that's part of the Content Metadata query. For more information on this query, see `Getting App and Book Information`. + > For a watchOS app, the identifier needs to be the watch's bundle identifier, which differs from the main bundle identifier for the iPhone the watch pairs with. Obtain the watch's bundle identifier for an app with a watch bundle, in the `watchBundleId` key that's part of the Content Metadata query. For more information on this query, see `Getting app and book information (Legacy)`. - key: Attributes type: presence: optional content: A dictionary that contains the attributes to apply to the app. Omit - this setting to remove existing attributes. This setting is available in iOS - 7 and later, and tvOS 10.2 and later. + this setting to remove existing attributes. subkeys: - key: VPNUUID supportedOS: @@ -346,8 +340,7 @@ payloadkeys: introduced: n/a type: presence: optional - content: A per-app VPN unique identifier for this app. Available in iOS 7 - and later. + content: A per-app VPN unique identifier for this app. - key: ContentFilterUUID supportedOS: iOS: @@ -358,7 +351,7 @@ payloadkeys: introduced: n/a type: presence: optional - content: The content filter UUID for this app. Available in iOS 16 and later. + content: The content filter UUID for this app. - key: DNSProxyUUID supportedOS: iOS: @@ -369,7 +362,7 @@ payloadkeys: introduced: n/a type: presence: optional - content: The DNS proxy UUID for this app. Available in iOS 16 and later. + content: The DNS proxy UUID for this app. - key: RelayUUID supportedOS: iOS: @@ -380,7 +373,7 @@ payloadkeys: introduced: n/a type: presence: optional - content: The relay UUID for this app. Available in iOS 17 and later. + content: The relay UUID for this app. - key: AssociatedDomains supportedOS: iOS: @@ -390,7 +383,6 @@ payloadkeys: type: presence: optional content: An array that contains the associated domains to add to this app. - Available in iOS 13 and later. subkeys: - key: AssociatedDomain type: @@ -405,7 +397,7 @@ payloadkeys: default: false content: If `true`, perform claimed site association verification directly at the domain, instead of on Apple's servers. Only set this to `true` for - domains that can't access the internet. Available in iOS 14 and later. + domains that can't access the internet. - key: Removable supportedOS: iOS: @@ -415,8 +407,7 @@ payloadkeys: type: presence: optional default: true - content: If `false`, this app isn't removable while it's managed. Available - in iOS 14 and later, and tvOS 14 and later. + content: If `false`, this app isn't removable while it's managed. - key: TapToPayScreenLock supportedOS: iOS: @@ -430,10 +421,10 @@ payloadkeys: type: presence: optional default: false - content: |- - If true, the system require Tap to Pay on iPhone users to use Face ID or a passcode to unlock their device after every transaction that requires a customer's card PIN. If `false`, the user can configure this setting on their device. - - Available in iOS 16.4 and later. + content: If true, the system require Tap to Pay on iPhone users to use Face + ID or a passcode to unlock their device after every transaction that requires + a customer's card PIN. If `false`, the user can configure this setting on + their device. - key: CellularSliceUUID supportedOS: iOS: @@ -446,10 +437,10 @@ payloadkeys: introduced: n/a type: presence: optional - content: |- - The data network name (DNN) or app category. For DNN, the value is `DNN:name`, where `name` is the carrier-provided DNN name. For app category, the value is `AppCategory:category`, where `category` is a carrier-provided string like "Enterprise1"`.` - - Available in iOS 17 and later. + content: The data network name (DNN) or app category. For DNN, the value is + `DNN:name`, where `name` is the carrier-provided DNN name. For app category, + the value is `AppCategory:category`, where `category` is a carrier-provided + string like "Enterprise1"`.` - key: Hideable supportedOS: iOS: @@ -506,8 +497,7 @@ payloadkeys: type: presence: optional content: A dictionary that contains device name settings. This setting doesn't - support user enrollment, and is available only on supervised devices. Available - in iOS 5 and later, macOS 10.10 and later, and visionOS 2 and later. + support user enrollment, and is available only on supervised devices. subkeys: - key: Item type: @@ -537,7 +527,7 @@ payloadkeys: type: presence: optional content: A dictionary that contains hostname settings. This setting doesn't support - user enrollment, and is available in macOS 10.11 and later. + user enrollment. subkeys: - key: Item type: @@ -562,8 +552,7 @@ payloadkeys: type: presence: optional content: A dictionary that contains settings about the organization operating - the MDM server. This setting supports user enrollment. Available in iOS 5 and - later. + the MDM server. This setting supports user enrollment. subkeys: - key: Item type: @@ -619,7 +608,9 @@ payloadkeys: iOS: introduced: '18.2' sharedipad: - mode: forbidden + mode: allowed + devicechannel: false + userchannel: true userenrollment: mode: forbidden macOS: @@ -646,10 +637,6 @@ payloadkeys: supportedOS: iOS: introduced: '26.0' - sharedipad: - mode: forbidden - userenrollment: - mode: forbidden macOS: introduced: n/a tvOS: @@ -666,10 +653,6 @@ payloadkeys: supportedOS: iOS: introduced: '26.0' - sharedipad: - mode: forbidden - userenrollment: - mode: forbidden macOS: introduced: n/a tvOS: @@ -704,8 +687,7 @@ payloadkeys: type: presence: optional content: A dictionary that contains settings related to the MDM protocol. This - setting doesn't support user enrollment. Available in iOS 7 and later, macOS - 10.15 and later, and visionOS 2 and later. + setting doesn't support user enrollment. subkeys: - key: Item type: @@ -783,8 +765,10 @@ payloadkeys: presence: optional default: false content: If `true`, the device automatically reboots while locked after several - days of inactivity. This is set to `false` by default when a supervised - device enrolls. + days of inactivity. The device sets this to `false` by default for a supervised + enrollment. Starting in iOS 26.6 and iPadOS 26.6, changing the effective + value from reboot allowed to reboot disallowed requires a reboot or a device + unlock before the change takes effect. - key: MaximumResidentUsers supportedOS: iOS: @@ -876,10 +860,9 @@ payloadkeys: introduced: '14.5' type: presence: optional - content: |- - The timeout, in seconds, for the user session. The user session logs out automatically after the specified period of inactivity. The minimum value is 30 seconds. Setting this value to `0` removes the timeout. - - Available in iOS 14.5 and later. + content: The timeout, in seconds, for the user session. The user session logs + out automatically after the specified period of inactivity. The minimum value + is 30 seconds. Setting this value to `0` removes the timeout. - key: TemporarySessionTimeout supportedOS: iOS: @@ -889,10 +872,9 @@ payloadkeys: supervised: true type: presence: optional - content: |- - The timeout, in seconds, for the temporary session. The temporary session logs out automatically after the specified period of inactivity. The minimum value is 30 seconds. Setting this value to `0` removes the timeout. - - Available in iOS 14.5 and later. + content: The timeout, in seconds, for the temporary session. The temporary session + logs out automatically after the specified period of inactivity. The minimum + value is 30 seconds. Setting this value to `0` removes the timeout. - key: TemporarySessionOnly supportedOS: iOS: @@ -904,8 +886,6 @@ payloadkeys: If `true`, the user only sees the Guest Welcome pane and can only log in as a guest user. If `false`, the user can sign in with a Managed Apple Account (the existing behavior). - - Available in iOS 14.5 and later. - key: ManagedAppleIDDefaultDomains supportedOS: iOS: @@ -915,7 +895,7 @@ payloadkeys: content: |- A list of domains that the Shared iPad login screen displays. The user can pick a domain from the list to complete their Managed Apple Account. - If this list contains more than 3 domains, the system picks 3 at random for display. Available in iOS 16 and later. + If this list contains more than 3 domains, the system picks 3 at random for display. subkeys: - key: AppleID domain type: @@ -929,8 +909,6 @@ payloadkeys: A grace period (in days) for Shared iPad online authentication. The Shared iPad only verifies the user's passcode locally during login for users that already exist on the device. However, the system requires an online authentication (against Apple's identity server) after the number of days specified by this setting. Setting this value to 0 enforces online authentication every time. - - Available in iOS 16 and later. - key: SkipLanguageAndLocaleSetupForNewUsers supportedOS: iOS: @@ -938,20 +916,19 @@ payloadkeys: type: presence: optional default: false - content: |- - If `true`, the system picks the system language and locale automatically for the new Shared iPad user. - - Available in iOS 16.2 and later. + content: If `true`, the system picks the system language and locale automatically + for the new Shared iPad user. - key: AwaitUserConfiguration supportedOS: iOS: introduced: '17.0' type: presence: optional - content: |- - If enabled, the Shared iPad device enters Setup Assistant after the user triggers a login. The MDM server has a chance to configure the device and user. After configuration, the server needs to send a `User-Configured-Command` command to the user channel to unblock the login. This feature requires the device to have network access during the login process. - - Available in iOS 17 and later. + content: If enabled, the Shared iPad device enters Setup Assistant after the + user triggers a login. The MDM server has a chance to configure the device + and user. After configuration, the server needs to send a `User-Configured-Command` + command to the user channel to unblock the login. This feature requires the + device to have network access during the login process. subkeys: - key: Enabled type: @@ -1133,8 +1110,7 @@ payloadkeys: type: presence: optional content: A dictionary that contains time zone settings. This setting is available - only on supervised devices and doesn't support user enrollment. Available in - iOS 14 and later, tvOS 14 and later, and visionOS 2 and later. + only on supervised devices and doesn't support user enrollment. subkeys: - key: Item type: @@ -1154,6 +1130,7 @@ payloadkeys: iOS: introduced: '14.5' deprecated: '26.0' + removed: '27.0' supervised: true sharedipad: mode: allowed @@ -1171,8 +1148,10 @@ payloadkeys: introduced: n/a type: presence: optional - content: A dictionary that contains software update settings. This setting doesn't - support user enrollment. Available in iOS 14.5 and later. + content: |- + A dictionary that contains software update settings. This setting doesn't support user enrollment. + + Removed: use the declarative management `com.apple.configuration.softwareupdate.settings` configuration. subkeys: - key: Item type: @@ -1196,8 +1175,6 @@ payloadkeys: - `2`: Presents only the highest numbered (most recent) release available for the device. This value has no effect when there's only one available update; the system shows the single available update to the user regardless of the value of this setting. - - Available in iOS 14.5 and later. - key: AccessibilitySettings supportedOS: iOS: @@ -1218,8 +1195,7 @@ payloadkeys: supervised: true type: presence: optional - content: A dictionary that contains accessibility settings. Available in iOS 16 - and later. + content: A dictionary that contains accessibility settings. subkeys: - key: Item type: @@ -1336,10 +1312,15 @@ responsekeys: The app identifier to which this error applies. > Note: - > For a watchOS app, the identifier is the watch's bundle identifier, which differs from the main bundle identifier for the iPhone to which the watch is paired. + > For a watchOS app, the identifier is the watch's bundle identifier, which differs from the main bundle identifier for the iPhone the watch pairs with. notes: - title: '' content: |- Users may be able to change the settings later if a profile isn't set to restrict such changes. Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response (DeviceName) + files: + - request-file: examples/mdm/commands/settings/example1.plist + response-file: examples/mdm/commands/settings/example2.plist diff --git a/mdm/commands/system.update.available.yaml b/mdm/commands/system.update.available.yaml index be0387d..cbcf065 100644 --- a/mdm/commands/system.update.available.yaml +++ b/mdm/commands/system.update.available.yaml @@ -1,11 +1,14 @@ title: Available OS Updates Command -description: Get a list of available operating-system updates for a device. +description: 'Get a list of available operating-system updates for a device. Removed: + use the declarative management `com.apple.configuration.softwareupdate.enforcement.specific` + configuration.' payload: requesttype: AvailableOSUpdates supportedOS: iOS: introduced: '9.0' deprecated: '26.0' + removed: '27.0' accessrights: AllowAppInstallation supervised: true requiresdep: false @@ -18,6 +21,7 @@ payload: macOS: introduced: '10.11' deprecated: '26.0' + removed: '27.0' accessrights: None devicechannel: true userchannel: false @@ -28,6 +32,7 @@ payload: tvOS: introduced: '12.0' deprecated: '26.0' + removed: '27.0' accessrights: AllowAppInstallation devicechannel: true supervised: true @@ -36,7 +41,7 @@ payload: introduced: n/a watchOS: introduced: n/a - content: Queries the device for a list of available OS updates. On OS X, a ScheduleOSUpdateScan + content: Queries the device for a list of available OS updates. On macOS, a ScheduleOSUpdateScan must be performed to update the results returned by this query. responsekeys: - key: AvailableOSUpdates @@ -73,7 +78,7 @@ responsekeys: type: presence: required content: The locale, in IOS639-1 Alpha-2 code format, of the `HumanReadableName` - value. This value is available in macOS 10.11 and later. + value. - key: MetadataURL supportedOS: iOS: @@ -84,16 +89,14 @@ responsekeys: presence: required content: A URL where the MDM server can request additional localized names for this update. This key isn't present for certain updates, such as mobile software - updates (MSUs) or major OS updates. This value is available in macOS 10.11 - and later. + updates (MSUs) or major OS updates. - key: ProductName supportedOS: macOS: introduced: n/a type: presence: required - content: The product name; for example, _iOS_. This value is available in iOS - 9.0 and later, and tvOS 12.0 and later. + content: The product name; for example, _iOS_. - key: Version type: presence: required @@ -117,8 +120,7 @@ responsekeys: introduced: n/a type: presence: required - content: The storage size necessary to install the update. This value is available - in iOS 9.0 and later, and tvOS 12.0 and later. + content: The storage size necessary to install the update. - key: AppIdentifiersToClose supportedOS: iOS: @@ -128,7 +130,7 @@ responsekeys: type: presence: required content: An array that contains app identifiers of apps to close so you can - install the update. This value is available in macOS 10.11 and later. + install the update. subkeys: - key: AppIdentifiersToCloseItem type: @@ -146,8 +148,7 @@ responsekeys: type: presence: optional default: false - content: If `true`, this is an update to a configuration file. This value is - available in macOS 10.11 and later. + content: If `true`, this is an update to a configuration file. - key: IsFirmwareUpdate supportedOS: iOS: @@ -157,8 +158,7 @@ responsekeys: type: presence: optional default: false - content: If `true`, this is an update to firmware. This value is available in - macOS 10.11 and later. + content: If `true`, this is an update to firmware. - key: IsMajorOSUpdate supportedOS: iOS: @@ -170,8 +170,7 @@ responsekeys: type: presence: optional default: false - content: If `true`, this is a major update; for example, 10.15.x to 11. This - value is available in macOS 10.11 and later. + content: If `true`, this is a major update; for example, 10.15.x to 11. - key: RestartRequired type: presence: optional @@ -192,8 +191,7 @@ responsekeys: introduced: n/a type: presence: optional - content: If present, the date when you want the update to install. This value - is available in macOS 10.12.4 and later. + content: If present, the date when you want the update to install. - key: RequiresBootstrapToken supportedOS: iOS: @@ -251,3 +249,8 @@ notes: A device must have a total of `DownloadSize` + `InstallSize` bytes available to successfully install a software update. In macOS, execute the `ScheduleOSUpdateScan` command to update the results that this command returns. In iOS and tvOS, the list only contains the latest available updates. Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/system.update.available/example1.plist + response-file: examples/mdm/commands/system.update.available/example2.plist diff --git a/mdm/commands/system.update.scan.yaml b/mdm/commands/system.update.scan.yaml index 9d2a1ee..1020419 100644 --- a/mdm/commands/system.update.scan.yaml +++ b/mdm/commands/system.update.scan.yaml @@ -1,5 +1,7 @@ title: Schedule OS Update Scan Command -description: Schedule a background scan for operating-system updates on a device. +description: 'Schedule a background scan for operating-system updates on a device. + Removed: use the declarative management `com.apple.configuration.softwareupdate.enforcement.specific` + configuration.' payload: requesttype: ScheduleOSUpdateScan supportedOS: @@ -8,6 +10,7 @@ payload: macOS: introduced: '10.11' deprecated: '26.0' + removed: '27.0' accessrights: None devicechannel: true userchannel: false @@ -38,3 +41,8 @@ notes: - title: '' content: Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/system.update.scan/example1.plist + response-file: examples/mdm/commands/system.update.scan/example2.plist diff --git a/mdm/commands/system.update.schedule.yaml b/mdm/commands/system.update.schedule.yaml index 1701da4..09a4fe9 100644 --- a/mdm/commands/system.update.schedule.yaml +++ b/mdm/commands/system.update.schedule.yaml @@ -1,11 +1,14 @@ title: Schedule OS Update Command -description: Schedule an update of the operating system on a device. +description: 'Schedule an update of the operating system on a device. Removed: use + the declarative management `com.apple.configuration.softwareupdate.enforcement.specific` + configuration.' payload: requesttype: ScheduleOSUpdate supportedOS: iOS: introduced: '9.0' deprecated: '26.0' + removed: '27.0' accessrights: AllowAppInstallation supervised: true requiresdep: false @@ -18,6 +21,7 @@ payload: macOS: introduced: '10.11' deprecated: '26.0' + removed: '27.0' accessrights: None devicechannel: true userchannel: false @@ -28,6 +32,7 @@ payload: tvOS: introduced: '12.0' deprecated: '26.0' + removed: '27.0' accessrights: AllowAppInstallation devicechannel: true supervised: true @@ -43,7 +48,7 @@ payloadkeys: presence: required content: |- An array of dictionaries specifying the updates to download or install. If this value is missing, the device applies the default behavior for handling updates. - The device ignores this command and an informational error is returned, if a software update is managed by a Declarative Device Management `SoftwareUpdateEnforcementSpecific` configuration, as the configuration takes precedence. + The device ignores this command and returns an informational error if a Declarative Device Management `SoftwareUpdateEnforcementSpecific` configuration manages the software update, as the configuration takes precedence. subkeys: - key: UpdatesItem type: @@ -65,7 +70,7 @@ payloadkeys: type: presence: optional content: |- - The version of the update, which the system requires if `ProductKey` isn't present. This value is available in iOS 11.3 and later, macOS 12 and later, and tvOS 12.2 and later. + The version of the update, which the system requires if `ProductKey` isn't present. > Note: > This value isn't available for use with Background Security Improvement updates. @@ -82,12 +87,12 @@ payloadkeys: content: |- The install action, which is one of the following values: - - `Default`: Download or install the update, depending on the current state. You can check the `UpdateResults` dictionary to review scheduled updates. This value is available in iOS 9 and later, macOS 10.11 and later, and tvOS 12 and later. - - `DownloadOnly`: Download the software update without installing it. This value is available in iOS 9 and later, macOS 11 and later, and tvOS 12 and later. - - `InstallASAP`: In iOS and tvOS, install a previously downloaded software update. In macOS, download the software update and trigger the restart countdown notification. This value is available in iOS 9 and later, macOS 10.11 and later, and tvOS 12 and later. - - `NotifyOnly`: Download the software update and notify the user through the App Store. This value is available in macOS 10.11 and later. - - `InstallLater`: Download the software update and install it at a later time. This value is available in macOS 10.11 and later. - - `InstallForceRestart`: Perform the `Default` action, and then force a restart if the update requires it. This value is available in macOS 11 and later. + * `Default`: Download or install the update, depending on the current state. You can check the `UpdateResults` dictionary to review scheduled updates. This value is available in iOS 9 and later, macOS 10.11 and later, and tvOS 12 and later. + * `DownloadOnly`: Download the software update without installing it. This value is available in iOS 9 and later, macOS 11 and later, and tvOS 12 and later. + * `InstallASAP`: In iOS and tvOS, install a previously downloaded software update. In macOS, download the software update and trigger the restart countdown notification. This value is available in iOS 9 and later, macOS 10.11 and later, and tvOS 12 and later. + * `NotifyOnly`: Download the software update and notify the user through the App Store. This value is available in macOS 10.11 and later. + * `InstallLater`: Download the software update and install it at a later time. This value is available in macOS 10.11 and later. + * `InstallForceRestart`: Perform the `Default` action, and then force a restart if the update requires it. This value is available in macOS 11 and later. > Warning: @@ -123,7 +128,7 @@ payloadkeys: content: |- The scheduling priority for downloading and preparing the requested update. This is only supported for minor OS updates (macOS 12.x to 12.y). - Available in macOS 12.3 and later. Prior versions of macOS used a priority of `Low`. + Prior versions of macOS used a priority of `Low`. responsekeys: - key: UpdateResults type: @@ -218,3 +223,8 @@ notes: A device may return a different `InstallAction` than requested. Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/system.update.schedule/example1.plist + response-file: examples/mdm/commands/system.update.schedule/example2.plist diff --git a/mdm/commands/system.update.status.yaml b/mdm/commands/system.update.status.yaml index 5135bc8..7fa14a9 100644 --- a/mdm/commands/system.update.status.yaml +++ b/mdm/commands/system.update.status.yaml @@ -1,11 +1,13 @@ title: OS Update Status Command -description: Get the status of operating-system updates on a device. +description: 'Get the status of operating-system updates on a device. Removed: subscribe + to the declarative management `softwareupdate.install-state` status item.' payload: requesttype: OSUpdateStatus supportedOS: iOS: introduced: '9.0' deprecated: '26.0' + removed: '27.0' accessrights: AllowAppInstallation supervised: true requiresdep: false @@ -18,6 +20,7 @@ payload: macOS: introduced: 10.11.5 deprecated: '26.0' + removed: '27.0' accessrights: None devicechannel: true userchannel: false @@ -28,6 +31,7 @@ payload: tvOS: introduced: '12.0' deprecated: '26.0' + removed: '27.0' accessrights: AllowAppInstallation devicechannel: true supervised: true @@ -43,7 +47,7 @@ responsekeys: presence: required content: |- An array of dictionaries that describes the statuses of software updates. The array is empty if there are no software updates currently in progress. - This command only returns the status for System Applications and Configuration Data updates when a software update is managed by a Declarative Device Management `SoftwareUpdateEnforcementSpecific` configuration. + This command only returns the status for System Applications and Configuration Data updates when a Declarative Device Management `SoftwareUpdateEnforcementSpecific` configuration manages a software update. subkeys: - key: OSUpdateStatusItem type: @@ -82,10 +86,7 @@ responsekeys: introduced: n/a type: presence: optional - content: |- - The number of times a user can defer this OS update. - - Available in macOS 12.3 and later. + content: The number of times a user can defer this OS update. - key: DeferralsRemaining supportedOS: iOS: @@ -96,10 +97,7 @@ responsekeys: introduced: n/a type: presence: optional - content: |- - The number of remaining user deferrals for this OS update. - - Available in macOS 12.3 and later. + content: The number of remaining user deferrals for this OS update. - key: NextScheduledInstall supportedOS: iOS: @@ -110,10 +108,7 @@ responsekeys: introduced: n/a type: presence: optional - content: |- - The date of the next attempt at installing this OS update. - - Available in macOS 12.3 and later. + content: The date of the next attempt at installing this OS update. - key: PastNotifications supportedOS: iOS: @@ -124,15 +119,18 @@ responsekeys: introduced: n/a type: presence: optional - content: |- - The dates/times when the OS notified the user about installing this OS update. - - Available in macOS 12.3 and later. + content: The dates/times when the OS notified the user about installing this + OS update. subkeys: - key: PastNotificationDate - title: Past Notification Date + title: Past notification date type: notes: - title: '' content: Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/system.update.status/example1.plist + response-file: examples/mdm/commands/system.update.status/example2.plist diff --git a/mdm/commands/trigger.enhanced.log.collection.yaml b/mdm/commands/trigger.enhanced.log.collection.yaml new file mode 100644 index 0000000..47174e1 --- /dev/null +++ b/mdm/commands/trigger.enhanced.log.collection.yaml @@ -0,0 +1,68 @@ +title: Trigger Enhanced Log Collection Command +description: Trigger enhanced log collection on the device. +payload: + requesttype: TriggerEnhancedLogCollection + supportedOS: + iOS: + introduced: '27.0' + supervised: true + requiresdep: false + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: forbidden + macOS: + introduced: '27.0' + devicechannel: false + userchannel: true + supervised: true + requiresdep: false + userenrollment: + mode: forbidden + tvOS: + introduced: '27.0' + supervised: true + requiresdep: false + visionOS: + introduced: n/a + watchOS: + introduced: n/a + content: This command allows supervised devices to collect enhanced log and upload + it to a remote server. +payloadkeys: +- key: AppleCareToken + type: + presence: required + content: The AppleCare token the device uses for authorizing the enhanced log collection + session. +notes: +- title: '' + content: |- + When the organization's IT support reports a problem to AppleCare, AppleCare may request that the device runs enhanced log collection. AppleCare provides a token to IT support, and they send the `TriggerEnhancedLogCollection` command to the device, with the token, to initiate the enhanced log collection procedure. + + When the device processes the command it starts the enhanced log collection operation. There are two modes: + + * `interactive`: the device shows the user a notification that allows the user to initiate the enhanced log collection. The device prompts the user to consent to both log collection and log upload at the appropriate times. The user can decline to proceed with enhanced log collection or upload. This mode is required for macOS devices. This mode isn't available on tvOS devices or Shared iPad. + * `non-interactive`: the device shows a notification that enhanced log collection is in progress. The device collects and uploads the logs in the background without any user intervention. This mode is always available for tvOS devices and Shared iPad. This mode is only available for iOS devices when all these conditions are met: + * There's no passcode on the device. + * There are no accounts on the device. For example, iCloud, App Store, mail, calendar, or contacts accounts. + + AppleCare, in conjunction with IT support, determines the mode and the token encodes the mode. + + You can cancel an active enhanced log collection session by sending the `Cancel-Enhanced-Log-Collection-Command` to the device. +- title: Declarative status + content: |- + The enhanced log collection process reports declarative status to the device management service using the following status items: + + * `enhanced-logging.status`: Reports the device's enhanced log collection session state. See `StatusEnhancedLogging`. + * `enhanced-logging.applecare-token`: Reports the device's enhanced log collection session AppleCare token. See `StatusEnhancedLoggingAppleCareToken`. + * `enhanced-logging.timestamp`: Reports the device's enhanced log collection session timestamp. See `StatusEnhancedLoggingTimestamp`. +- title: Tokens for testing + content: |- + You can use a set of test tokens to verify correct operation of your device management service product. The set of tokens are: + + * `test-token-normal`: This token activates an interactive enhanced log collection session that results in the device reporting the `finished` declarative state if all parts of the flow succeed. Any failure, cancellation, or decline, result in the device reporting the corresponding state. + * `test-token-normal-headless`: This token activates a non-interactive enhanced log collection session that results in the device reporting the `finished` declarative state if all parts of the flow succeed. Any failure, cancellation, or decline, result in the device reporting the corresponding state. + * `test-token-failed`: This token activates an interactive enhanced log collection session that results in the device reporting the `failed` declarative state if all parts of the flow succeed. Any failure, cancellation, or decline, result in the device reporting the corresponding state. diff --git a/mdm/commands/user.configured.yaml b/mdm/commands/user.configured.yaml index af1b683..05a3d1f 100644 --- a/mdm/commands/user.configured.yaml +++ b/mdm/commands/user.configured.yaml @@ -24,8 +24,8 @@ payload: watchOS: introduced: n/a content: Inform the device that it can continue past Setup Assistant and finish - login. Only works on Shared iPads that have the AwaitUserConfiguration feature - enabled. + login. Only works on Shared iPad devices that have the AwaitUserConfiguration + feature enabled. notes: - title: '' content: Refer to the following sections to determine supported channels and requirements. diff --git a/mdm/commands/user.delete.yaml b/mdm/commands/user.delete.yaml index be58985..1a1626b 100644 --- a/mdm/commands/user.delete.yaml +++ b/mdm/commands/user.delete.yaml @@ -35,8 +35,8 @@ payloadkeys: - key: UserName type: presence: optional - content: The user name of the account to delete. This key is required when the value - for `DeleteAllUsers` is absent or `false`. + content: The user name of the account to delete. The device requires this key when + the value for `DeleteAllUsers` is absent or `false`. - key: ForceDeletion supportedOS: macOS: @@ -45,7 +45,7 @@ payloadkeys: presence: optional default: false content: If `true`, the system deletes the account even if the user has data that's - pending sync to the cloud. This value is available on iOS 9.3 and later. + pending sync to the cloud. - key: DeleteAllUsers supportedOS: iOS: @@ -57,8 +57,7 @@ payloadkeys: default: false content: If `true`, the system attempts to delete all users from the device. If `ForceDeletion` is `false`, the system generates an error instead and doesn't - delete users who have data that's pending sync. This value is available in iOS - 14 and later. + delete users who have data that's pending sync. notes: - title: '' content: Refer to the following sections to determine supported channels and requirements, @@ -71,3 +70,8 @@ notes: - `12072`: The user is currently logged in. - `12073`: The user has data to sync and ForceDeletion is false or unspecified. - `12074`: Unable to delete the user. In macOS, this error code also returns for an attempt to delete the last administrator account. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/classroom.user.delete/example1.plist + response-file: examples/mdm/commands/classroom.user.delete/example2.plist diff --git a/mdm/commands/user.list.yaml b/mdm/commands/user.list.yaml index dca9107..dddc963 100644 --- a/mdm/commands/user.list.yaml +++ b/mdm/commands/user.list.yaml @@ -47,44 +47,39 @@ responsekeys: type: presence: required content: The user name for the account. In macOS, this is the short name of - the user account. This value is available in iOS 9.3 and later, and macOS - 10.13 and later. + the user account. - key: FullName supportedOS: iOS: introduced: n/a type: presence: required - content: The user's full name. This value is available in macOS 10.13 and later. + content: The user's full name. - key: UID supportedOS: iOS: introduced: n/a type: presence: required - content: The user's unique identifier. This value is available in macOS 10.13 - and later. + content: The user's unique identifier. - key: UserGUID supportedOS: iOS: introduced: n/a type: presence: required - content: The user's `GeneratedUID`. This value is available in macOS 10.13 and - later. + content: The user's `GeneratedUID`. - key: IsLoggedIn type: presence: required - content: If `true`, the user is currently logged in on the device. This value - is available in iOS 9.3 and later, and macOS 10.13 and later. + content: If `true`, the user is currently logged in on the device. - key: HasDataToSync supportedOS: macOS: introduced: n/a type: presence: required - content: If `true`, the user has data to sync to the cloud. This value is available - in iOS 9.3 and later. + content: If `true`, the user has data to sync to the cloud. - key: DataQuota supportedOS: macOS: @@ -92,23 +87,21 @@ responsekeys: type: presence: required content: If present, the user's data quota in bytes. This isn't present if the - account doesn't enforce a quota. This value is available in iOS 9.3 and later. + account doesn't enforce a quota. - key: DataUsed supportedOS: macOS: introduced: n/a type: presence: required - content: The amount of data, in bytes, that the user has used. This value is - available in iOS 9.3 and later. + content: The amount of data, in bytes, that the user has used. - key: MobileAccount supportedOS: iOS: introduced: n/a type: presence: required - content: If `true`, the account is a mobile account. This value is available - in macOS 10.13 and later. + content: If `true`, the account is a mobile account. - key: HasSecureToken supportedOS: iOS: @@ -117,9 +110,13 @@ responsekeys: introduced: '11.0' type: presence: required - content: If `true`, the user currently has a secure token set. This value is - available in macOS 11 and later. + content: If `true`, the user currently has a secure token set. notes: - title: '' content: Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/classroom.user.list/example1.plist + response-file: examples/mdm/commands/classroom.user.list/example2.plist diff --git a/mdm/commands/user.logout.yaml b/mdm/commands/user.logout.yaml index 28adf75..e9b9ba3 100644 --- a/mdm/commands/user.logout.yaml +++ b/mdm/commands/user.logout.yaml @@ -29,3 +29,8 @@ notes: After logging out the user, MDM commands aren't available on the device for up to 2 minutes. Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/classroom.user.logout/example1.plist + response-file: examples/mdm/commands/classroom.user.logout/example2.plist diff --git a/mdm/commands/user.unlock.yaml b/mdm/commands/user.unlock.yaml index dcad0b2..e1539b4 100644 --- a/mdm/commands/user.unlock.yaml +++ b/mdm/commands/user.unlock.yaml @@ -34,3 +34,8 @@ notes: - title: '' content: Refer to the following sections to determine supported channels and requirements, and to see an example request and response. +examples: + title: Example request and response + files: + - request-file: examples/mdm/commands/classroom.user.unlock/example1.plist + response-file: examples/mdm/commands/classroom.user.unlock/example2.plist diff --git a/mdm/errors/unrecognized.device.yaml b/mdm/errors/unrecognized.device.yaml index dfa6657..ddefb21 100644 --- a/mdm/errors/unrecognized.device.yaml +++ b/mdm/errors/unrecognized.device.yaml @@ -18,8 +18,8 @@ payloadkeys: presence: required rangelist: - com.apple.unrecognized.device - content: Indicates that the device is not recognized by the server. This causes - the device to unenroll from MDM. + content: Indicates that the device isn't recognized by the server. This causes the + device to unenroll from MDM. - key: description type: presence: optional diff --git a/mdm/profiles/GlobalPreferences.yaml b/mdm/profiles/GlobalPreferences.yaml index 73643f8..54a5c9e 100644 --- a/mdm/profiles/GlobalPreferences.yaml +++ b/mdm/profiles/GlobalPreferences.yaml @@ -35,3 +35,7 @@ payloadkeys: content: The `autologout` delay, in seconds. A value of `0` means `autologout` is off. In some cases, this delay may be restricted to values between 5 minutes and 24 hours. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/GlobalPreferences/example1.plist diff --git a/mdm/profiles/TopLevel.yaml b/mdm/profiles/TopLevel.yaml index c21207c..088579f 100644 --- a/mdm/profiles/TopLevel.yaml +++ b/mdm/profiles/TopLevel.yaml @@ -70,8 +70,7 @@ payloadkeys: - key: PayloadContent type: presence: required - content: The array of payload dictionaries. If `IsEncrypted` is `true`, this array - isn't needed. + content: The array of payload dictionaries. Not present for encrypted payloads. subkeys: - key: PayloadContentItem type: @@ -84,7 +83,7 @@ payloadkeys: - key: EncryptedPayloadContent type: presence: optional - content: Enabled if `IsEncrypted` is `true`. + content: The encrypted payload content. Only present for encrypted payloads. - key: PayloadDescription type: presence: optional diff --git a/mdm/profiles/com.apple.ADCertificate.managed.yaml b/mdm/profiles/com.apple.ADCertificate.managed.yaml index daa608c..ee3ecfd 100644 --- a/mdm/profiles/com.apple.ADCertificate.managed.yaml +++ b/mdm/profiles/com.apple.ADCertificate.managed.yaml @@ -27,12 +27,12 @@ payload: detailed at support.apple.com/kb/HT5357. payloadkeys: - key: CertServer - title: Certificate Server + title: Certificate server type: presence: required content: The fully qualified host name of the CA. - key: CertTemplate - title: Certificate Template + title: Certificate template type: presence: required content: The certificate template for your environment. The default user certificate @@ -43,20 +43,20 @@ payloadkeys: presence: optional content: A user-friendly description of the certification identity. - key: CertificateRenewalTimeInterval - title: Certificate Renewal Time Interval + title: Certificate renewal time interval type: presence: optional content: The number of days in advance of certificate expiration that the notification center notifies the user. - key: CertificateAuthority - title: Certificate Authority + title: Certificate authority supportedOS: macOS: introduced: '10.8' type: presence: optional content: |- - The name of the certificate authority (CA), which is determined from the common name (CN) of the Active Directory entry. Available in macOS 10.8 and later. Valid values: + The name of the certificate authority (CA), which the device determines from the common name (CN) of the Active Directory entry. Valid values: - CN= - CN=`Certification Authorities` @@ -65,26 +65,24 @@ payloadkeys: - CN=`Configuration` - CN= - key: CertificateAcquisitionMechanism - title: Certificate Acquisition Mechanism + title: Certificate acquisition mechanism supportedOS: macOS: introduced: '10.8' type: presence: optional content: This value is most commonly `RPC`; if using web enrollment, use `HTTP`. - Available in macOS 10.8 and later. - key: AllowAllAppsAccess - title: Allow All Apps Access + title: Allow all apps access supportedOS: macOS: introduced: '10.10' type: presence: optional default: false - content: If `true`, gives apps access to the private key. Available in macOS 10.10 - and later. + content: If `true`, gives apps access to the private key. - key: PromptForCredentials - title: Prompt for Credentials + title: Prompt for credentials supportedOS: macOS: introduced: '10.8' @@ -93,30 +91,27 @@ payloadkeys: default: false content: If `true`, the system prompts the user for credentials when is installs the profile. This key applies only to user certificates with the Manual Download - profile delivery method. Omit this key for computer certificates. Available in - macOS 10.8 and later. + profile delivery method. Omit this key for computer certificates. - key: KeyIsExtractable - title: Key Is Extractable + title: Key is extractable supportedOS: macOS: introduced: '10.10' type: presence: optional default: false - content: If `true`, the system allows exporting the private key. Available in macOS - 10.10 and later. + content: If `true`, the system allows exporting the private key. - key: Keysize - title: Key Size + title: Key size supportedOS: macOS: introduced: '10.11' type: presence: optional default: 2048 - content: The RSA key size for the certificate signing request (CSR). Available in - macOS 10.11 and later. + content: The RSA key size for the certificate signing request (CSR). - key: EnableAutoRenewal - title: Enable Auto Renewal + title: Enable auto renewal supportedOS: macOS: introduced: 10.13.4 @@ -125,8 +120,11 @@ payloadkeys: default: false content: If `true`, the certificate obtained with this payload attempts auto-renewal. Auto-renewal can only be used with device Active Directory certificate payloads. - Available in macOS 10.13.4 and later. notes: - title: '' content: To get a certificate from a Microsoft CA, follow the instructions at [Request a certificate from a Microsoft Certificate Authority](https://support.apple.com/en-us/HT204602). +examples: + title: Example profile + files: + - file: examples/mdm/profiles/com.apple.ADCertificate.managed/example1.plist diff --git a/mdm/profiles/com.apple.AIM.account.yaml b/mdm/profiles/com.apple.AIM.account.yaml index b47373c..fdcf7d9 100644 --- a/mdm/profiles/com.apple.AIM.account.yaml +++ b/mdm/profiles/com.apple.AIM.account.yaml @@ -27,24 +27,24 @@ payload: content: An AIM payload creates an AIM account on the device. payloadkeys: - key: AIMAccountDescription - title: Account Description + title: Account description type: presence: optional content: The description of the account. - key: AIMHostName - title: Account Hostname + title: Account hostname type: presence: required rangelist: - slogin.oscar.aol.com content: The server address. - key: AIMUserName - title: Account Username + title: Account username type: presence: optional content: The user's login name. - key: AIMPassword - title: Account Password + title: Account password type: presence: optional content: The user's password. @@ -55,7 +55,7 @@ payloadkeys: default: true content: If `true`, enables SSL. - key: AIMPort - title: Port Number + title: Port number type: presence: optional range: @@ -64,7 +64,7 @@ payloadkeys: default: 5190 content: The connection port for the server. - key: AIMAuthentication - title: AIM Authentication + title: AIM authentication type: presence: required rangelist: diff --git a/mdm/profiles/com.apple.AssetCache.managed.yaml b/mdm/profiles/com.apple.AssetCache.managed.yaml index 49aa62b..4a1d6df 100644 --- a/mdm/profiles/com.apple.AssetCache.managed.yaml +++ b/mdm/profiles/com.apple.AssetCache.managed.yaml @@ -1,4 +1,4 @@ -title: Content Caching +title: Content Caching Service description: The payload that configures the Content Caching service. payload: payloadtype: com.apple.AssetCache.managed @@ -7,6 +7,7 @@ payload: introduced: n/a macOS: introduced: 10.13.4 + deprecated: '27.0' multiple: false devicechannel: true userchannel: false @@ -32,8 +33,7 @@ payloadkeys: default: true content: If true, the system purges content from the cache automatically when it needs disk space for other apps when free disk space runs low on the computer. - Set to `false` to maximize effectiveness of Content Caching. Available in macOS - 10.15 and later. + Set to `false` to maximize effectiveness of Content Caching. - key: AllowPersonalCaching supportedOS: macOS: @@ -76,10 +76,9 @@ payloadkeys: type: presence: optional default: false - content: |- - If `true`, the system automatically enables Internet connection sharing when possible and prevent disabling Internet connection sharing. `DenyTetheredCaching` overrides `AutoEnableTetheredCaching`. Tethered caching requires Content Caching. - - Available in macOS 10.15.4 and later. + content: If `true`, the system automatically enables Internet connection sharing + when possible and prevent disabling Internet connection sharing. `DenyTetheredCaching` + overrides `AutoEnableTetheredCaching`. Tethered caching requires Content Caching. - key: CacheLimit supportedOS: macOS: @@ -116,9 +115,9 @@ payloadkeys: presence: optional default: false content: If `true`, Content Caching displays exceptional conditions (alerts) as - system notifications in the upper corner of the screen. Alerts were automatically - displayed starting in macOS 10.13. In macOS 10.15 the alerts are off by default, - but still available through this setting. Available in macOS 10.15 and later. + system notifications in the upper corner of the screen. The device automatically + displayed alerts starting in macOS 10.13. In macOS 10.15 the alerts are off by + default, but still available through this setting. - key: KeepAwake supportedOS: macOS: @@ -129,7 +128,7 @@ payloadkeys: content: If `true`, the system prevents the computer from sleeping as long as Content Caching is on (System Preferences > Sharing > Content Caching is on). Customers who want Content Caching to be as available as much as possible should turn this - setting on. Available in macOS 10.15 and later. + setting on. - key: ListenRanges supportedOS: macOS: @@ -239,11 +238,11 @@ payloadkeys: content: |- The policy to implement when choosing among more than one configured parent content cache. With every policy, the system skips parent caches that are temporarily unavailable. Allowed values: - - `first-available`: Always use the first available parent in the Parents list. Use this policy to designate permanent primary, secondary, and subsequent parents. - - `url-path-hash`: Hash the path part of the requested URL so that the same parent is always used for the same URL. This is useful for maximizing the size of the combined caches of the parents. - - `random`: Choose a parent at random. Use this policy for load balancing. - - `round-robin`: Rotate through the parents in order. Use this policy for load balancing. - - `sticky-available`: Use the first available parent in the Parents list until it becomes unavailable, then advance to the next one. Use this policy for designating floating primary, secondary, and subsequent parents. + * `first-available`: Always use the first available parent in the Parents list. Use this policy to designate permanent primary, secondary, and subsequent parents. + * `url-path-hash`: Hash the path part of the requested URL so that the same parent is always used for the same URL. This is useful for maximizing the size of the combined caches of the parents. + * `random`: Choose a parent at random. Use this policy for load balancing. + * `round-robin`: Rotate through the parents in order. Use this policy for load balancing. + * `sticky-available`: Use the first available parent in the Parents list until it becomes unavailable, then advance to the next one. Use this policy for designating floating primary, secondary, and subsequent parents. - key: PeerFilterRanges supportedOS: macOS: @@ -300,3 +299,7 @@ payloadkeys: the cloud servers should use for matching clients to content caches. subkeytype: Ranges subkeys: *id001 +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.AssetCache.managed/example1.plist diff --git a/mdm/profiles/com.apple.Dictionary.yaml b/mdm/profiles/com.apple.Dictionary.yaml index a1e70ed..40bcfc5 100644 --- a/mdm/profiles/com.apple.Dictionary.yaml +++ b/mdm/profiles/com.apple.Dictionary.yaml @@ -28,3 +28,7 @@ payloadkeys: type: presence: required content: If `true`, enables parental controls dictionary restrictions. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.Dictionary/example1.plist diff --git a/mdm/profiles/com.apple.DirectoryService.managed.yaml b/mdm/profiles/com.apple.DirectoryService.managed.yaml index 9102048..627cdf4 100644 --- a/mdm/profiles/com.apple.DirectoryService.managed.yaml +++ b/mdm/profiles/com.apple.DirectoryService.managed.yaml @@ -272,3 +272,7 @@ payloadkeys: presence: optional content: The number of days before requiring a change of the computer trust account password. Set to `0` to disable the feature. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.DirectoryService.managed/example1.plist diff --git a/mdm/profiles/com.apple.DiscRecording.yaml b/mdm/profiles/com.apple.DiscRecording.yaml index fc9239d..926fd39 100644 --- a/mdm/profiles/com.apple.DiscRecording.yaml +++ b/mdm/profiles/com.apple.DiscRecording.yaml @@ -32,6 +32,10 @@ payloadkeys: - 'on' content: |- Configure disc-burn. Allowed values: - - `off`: The system disables disc burning. - - `on`: The system allows normal default operation. Setting this key to `on` doesn't enable disc burn support if other mechanisms or preferences disabled it. Needs to be enabled with the `Finder` profile. - - `authenticate`: The system requires authentication. + * `off`: The system disables disc burning. + * `on`: The system allows normal default operation. Setting this key to `on` doesn't enable disc burn support if other mechanisms or preferences disabled it. Needs to be enabled with the `Finder` profile. + * `authenticate`: The system requires authentication. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.DiscRecording/example1.plist diff --git a/mdm/profiles/com.apple.MCX(Accounts).yaml b/mdm/profiles/com.apple.MCX(Accounts).yaml index 1d30336..18e822b 100644 --- a/mdm/profiles/com.apple.MCX(Accounts).yaml +++ b/mdm/profiles/com.apple.MCX(Accounts).yaml @@ -39,3 +39,7 @@ payloadkeys: default: false content: If `true`, the system disables the guest account. This property has no effect if `EnableGuestAccount` is `true`. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.MCX(Accounts)/example1.plist diff --git a/mdm/profiles/com.apple.MCX(EnergySaver).yaml b/mdm/profiles/com.apple.MCX(EnergySaver).yaml index cd43751..8a4deab 100644 --- a/mdm/profiles/com.apple.MCX(EnergySaver).yaml +++ b/mdm/profiles/com.apple.MCX(EnergySaver).yaml @@ -147,3 +147,7 @@ payloadkeys: presence: optional default: false content: If `true`, disables sleep. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.MCX(EnergySaver)/example1.plist diff --git a/mdm/profiles/com.apple.MCX(FileVault2).yaml b/mdm/profiles/com.apple.MCX(FileVault2).yaml index 1e2fa26..506903e 100644 --- a/mdm/profiles/com.apple.MCX(FileVault2).yaml +++ b/mdm/profiles/com.apple.MCX(FileVault2).yaml @@ -41,3 +41,7 @@ payloadkeys: presence: optional default: false content: If `true`, the system won't store th FileVault key across restarts. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.MCX(FileVault2)/example1.plist diff --git a/mdm/profiles/com.apple.MCX(Mobililty).yaml b/mdm/profiles/com.apple.MCX(Mobility).yaml similarity index 94% rename from mdm/profiles/com.apple.MCX(Mobililty).yaml rename to mdm/profiles/com.apple.MCX(Mobility).yaml index 49eab48..61afbce 100644 --- a/mdm/profiles/com.apple.MCX(Mobililty).yaml +++ b/mdm/profiles/com.apple.MCX(Mobility).yaml @@ -56,3 +56,7 @@ payloadkeys: default: false content: If `true`, the system bypasses the secure token authorization dialog. This dialog only appears on APFS volumes. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.MCX(Mobility)/example1.plist diff --git a/mdm/profiles/com.apple.MCX(TimeServer).yaml b/mdm/profiles/com.apple.MCX(TimeServer).yaml index a61f946..583a844 100644 --- a/mdm/profiles/com.apple.MCX(TimeServer).yaml +++ b/mdm/profiles/com.apple.MCX(TimeServer).yaml @@ -41,3 +41,7 @@ notes: content: If multiple profiles with this payload are sent, the system sets the device's time server to the value in the last payload installed. Removing the payload won't change the settings back to the prior settings. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.MCX(TimeServer)/example1.plist diff --git a/mdm/profiles/com.apple.MCX(WiFi).yaml b/mdm/profiles/com.apple.MCX(WiFi).yaml index 132254d..20c3b80 100644 --- a/mdm/profiles/com.apple.MCX(WiFi).yaml +++ b/mdm/profiles/com.apple.MCX(WiFi).yaml @@ -46,3 +46,7 @@ payloadkeys: presence: optional default: false content: If `true`, requires administrator authorization to turn Wi-Fi on or off. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.MCX(WiFi)/example1.plist diff --git a/mdm/profiles/com.apple.MCX.FileVault2.yaml b/mdm/profiles/com.apple.MCX.FileVault2.yaml index 8e9ae61..eb3010f 100644 --- a/mdm/profiles/com.apple.MCX.FileVault2.yaml +++ b/mdm/profiles/com.apple.MCX.FileVault2.yaml @@ -122,12 +122,16 @@ payloadkeys: content: |- If `true`, and installation of this payload occurs after enrolling with MDM in Setup Assistant, the system requests Setup Assistant to enable FileVault at setup time. - To use this, enable the Await Device Configured DEP configuration option and send this profile with this key set, before sending the `DeviceConfiguredCommand`. + To use this, enable the Await Device Configured ADE configuration option and send this profile with this key set, before sending the `DeviceConfiguredCommand`. - An admin SecureToken user is required, otherwise the FileVault pane does not appear. + An admin SecureToken user is required, otherwise the FileVault pane doesn't appear. notes: - title: '' content: |- FileVault 2 performs full XTS-AES 128 encryption on the contents of a volume. Removing the FileVault payload doesn't disable FileVault. As of macOS 10.15, FileVault settings require supervision or user approval when installed manually. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.MCX.FileVault2/example1.plist diff --git a/mdm/profiles/com.apple.MCX.TimeMachine.yaml b/mdm/profiles/com.apple.MCX.TimeMachine.yaml index 2d7e238..3b276c7 100644 --- a/mdm/profiles/com.apple.MCX.TimeMachine.yaml +++ b/mdm/profiles/com.apple.MCX.TimeMachine.yaml @@ -67,3 +67,7 @@ payloadkeys: - key: SkipPathItem type: presence: required +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.MCX.TimeMachine/example1.plist diff --git a/mdm/profiles/com.apple.ManagedClient.preferences.yaml b/mdm/profiles/com.apple.ManagedClient.preferences.yaml index f0b654c..b648bc3 100644 --- a/mdm/profiles/com.apple.ManagedClient.preferences.yaml +++ b/mdm/profiles/com.apple.ManagedClient.preferences.yaml @@ -60,3 +60,7 @@ payloadkeys: presence: optional content: The dictionary of one-time settings. subkeys: *id001 +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.ManagedClient.preferences/example1.plist diff --git a/mdm/profiles/com.apple.NSExtension.yaml b/mdm/profiles/com.apple.NSExtension.yaml index 83f194c..ad81f35 100644 --- a/mdm/profiles/com.apple.NSExtension.yaml +++ b/mdm/profiles/com.apple.NSExtension.yaml @@ -62,3 +62,7 @@ notes: You can manage extensions by bundle identifiers in allow and deny lists, or by a deny list of extension points. You can also start with all public extensions disallowed. To do so, include `AllPublicExtensionPoints` in `DeniedExtensionPoints`. This causes the system to expand the list to include all extensions that belong to any public extension points. This expansion occurs at evaluation time. The list of extension points can change from release to release. The expanded list disallows Apple and third-party extensions, but still allows extensions that belong to system-critcial extension points to execute. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.NSExtension/example1.plist diff --git a/mdm/profiles/com.apple.SetupAssistant.managed.yaml b/mdm/profiles/com.apple.SetupAssistant.managed.yaml index 9f4483d..9a31c7a 100644 --- a/mdm/profiles/com.apple.SetupAssistant.managed.yaml +++ b/mdm/profiles/com.apple.SetupAssistant.managed.yaml @@ -140,8 +140,7 @@ payloadkeys: type: presence: optional content: An array of strings that describe the setup items to skip. `SkipKeys` provides - a list of valid strings and their meanings. Available in iOS 14 and later, and - macOS 15 and later. + a list of valid strings and their meanings. subkeys: - key: SkipSetupItems type: @@ -167,3 +166,7 @@ payloadkeys: presence: optional default: false content: If 'true', the system skips the Wallpaper selection window. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.SetupAssistant.managed/example1.plist diff --git a/mdm/profiles/com.apple.ShareKitHelper.yaml b/mdm/profiles/com.apple.ShareKitHelper.yaml index 8d1f590..d9b6957 100644 --- a/mdm/profiles/com.apple.ShareKitHelper.yaml +++ b/mdm/profiles/com.apple.ShareKitHelper.yaml @@ -40,7 +40,7 @@ payloadkeys: type: presence: optional content: The list of plugin IDs that won't show up in the user's Share menu. This - key is used only if there is no `SHKAllowedShareServices` key. + key is used only if there's no `SHKAllowedShareServices` key. subkeys: - key: SHKDeniedShareServicesItem type: diff --git a/mdm/profiles/com.apple.SoftwareUpdate.yaml b/mdm/profiles/com.apple.SoftwareUpdate.yaml index 944c647..3996a97 100644 --- a/mdm/profiles/com.apple.SoftwareUpdate.yaml +++ b/mdm/profiles/com.apple.SoftwareUpdate.yaml @@ -1,5 +1,6 @@ title: Software Update -description: The payload that configures the software update policy. +description: 'The payload that configures the software update policy. Removed: use + the declarative management `com.apple.configuration.softwareupdate.settings` configuration.' payload: payloadtype: com.apple.SoftwareUpdate supportedOS: @@ -8,6 +9,7 @@ payload: macOS: introduced: '10.7' deprecated: '26.0' + removed: '27.0' multiple: false devicechannel: true userchannel: false @@ -33,10 +35,10 @@ payloadkeys: mode: forbidden type: presence: optional - content: The URL of the software update catalog. This property is not supported - in macOS 11 and later. + content: The URL of the software update catalog. This property isn't supported in + macOS 11 and later. - key: AllowPreReleaseInstallation - title: Allow Pre-Release Update Installation + title: Allow pre-release update installation supportedOS: macOS: introduced: '10.9' @@ -108,3 +110,7 @@ payloadkeys: presence: optional default: true content: If `false`, restricts the automatic installation of configuration data. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.SoftwareUpdate/example1.plist diff --git a/mdm/profiles/com.apple.SystemConfiguration.yaml b/mdm/profiles/com.apple.SystemConfiguration.yaml index 3a465a8..cc031e7 100644 --- a/mdm/profiles/com.apple.SystemConfiguration.yaml +++ b/mdm/profiles/com.apple.SystemConfiguration.yaml @@ -134,3 +134,7 @@ payloadkeys: type: presence: required content: Bypass proxy settings for these Hosts & Domains +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.SystemConfiguration/example1.plist diff --git a/mdm/profiles/com.apple.TCC.configuration-profile-policy.yaml b/mdm/profiles/com.apple.TCC.configuration-profile-policy.yaml index 80a2a9c..68a8c6b 100644 --- a/mdm/profiles/com.apple.TCC.configuration-profile-policy.yaml +++ b/mdm/profiles/com.apple.TCC.configuration-profile-policy.yaml @@ -60,7 +60,7 @@ payloadkeys: - key: CodeRequirement type: presence: required - content: Obtained via the command `codesign -display -r -`. + content: Obtain this value by running `codesign -display -r -`. - key: StaticCode type: presence: optional @@ -94,8 +94,6 @@ payloadkeys: > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both. - - Available in macOS 11 and later. - key: Comment type: presence: optional @@ -139,25 +137,35 @@ payloadkeys: subkeytype: Identity subkeys: *id001 - key: Camera + supportedOS: + macOS: + deprecated: '27.0' type: presence: optional - content: A system camera. Access to the camera can't be given in a profile; it - can only be denied. + content: A system camera. A profile can't grant access to the camera; it can only + deny it. subkeytype: Identity subkeys: *id001 - key: Microphone + supportedOS: + macOS: + deprecated: '27.0' type: presence: optional - content: A system microphone. Access to the microphone can't be given in a profile; - it can only be denied. + content: A system microphone. A profile can't grant access to the microphone; + it can only deny it. subkeytype: Identity subkeys: *id001 - key: Accessibility + supportedOS: + macOS: + deprecated: '27.0' type: presence: optional - content: Specifies the policies for the app via the Accessibility subsystem. The - ability to grant access by this profile is deprecated as of macOS 26.2, and - will be removed in macOS 27.0. + content: |- + Specifies the policies for the app via the Accessibility subsystem. This profile deprecated its ability to grant access as of macOS 26.2, and removes that ability in macOS 27.0. + + Deprecated: use the `Privacy` key in the declarative management `com.apple.configuration.app-settings` configuration. subkeytype: Identity subkeys: *id001 - key: PostEvent @@ -214,8 +222,8 @@ payloadkeys: type: presence: optional content: Allows the application to use CoreGraphics and HID APIs to listen to - (receive) CGEvents and HID events from all processes. Access to these events - can't be given in a profile; it can only be denied. + (receive) CGEvents and HID events from all processes. A profile can't grant + access to these events; it can only deny it. subkeytype: Identity subkeys: *id001 - key: ScreenCapture @@ -225,17 +233,20 @@ payloadkeys: type: presence: optional content: Allows the application to capture (read) the contents of the system display. - Access to the contents can't be given in a profile; it can only be denied. + A profile can't grant access to the contents; it can only deny it. subkeytype: Identity subkeys: *id001 - key: SpeechRecognition supportedOS: macOS: introduced: '10.15' + deprecated: '27.0' type: presence: optional - content: Allows the application to use the system Speech Recognition facility - and to send speech data to Apple. + content: |- + Allows the application to use the system Speech Recognition facility and to send speech data to Apple. + + Deprecated: use the `Privacy` key in the declarative management `com.apple.configuration.app-settings` configuration. subkeytype: Identity subkeys: *id001 - key: SystemPolicyDesktopFolder @@ -289,8 +300,7 @@ payloadkeys: introduced: '13.0' type: presence: optional - content: Allows the application to update or delete other apps. Available in macOS - 13 and later. + content: Allows the application to update or delete other apps. subkeytype: Identity subkeys: *id001 - key: SystemPolicyAppData @@ -306,8 +316,16 @@ payloadkeys: supportedOS: macOS: introduced: '11.0' + deprecated: '27.0' type: presence: optional - content: Specifies the policies for the app to access Bluetooth devices. + content: |- + Specifies the policies for the app to access Bluetooth devices. + + Deprecated: use the `Privacy` key in the declarative management `com.apple.configuration.app-settings` configuration. subkeytype: Identity subkeys: *id001 +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.TCC.configuration-profile-policy/example1.plist diff --git a/mdm/profiles/com.apple.airplay.security.yaml b/mdm/profiles/com.apple.airplay.security.yaml index 693eb42..c26b551 100644 --- a/mdm/profiles/com.apple.airplay.security.yaml +++ b/mdm/profiles/com.apple.airplay.security.yaml @@ -23,7 +23,7 @@ payload: password phrase. payloadkeys: - key: SecurityType - title: Security Type + title: Security type type: presence: required rangelist: @@ -33,14 +33,14 @@ payloadkeys: content: |- The security policy for AirPlay. Allowed values: - - `PASSCODE_ONCE`: Requires an onscreen passcode on first connection from a device. Subsequent connections from the same device aren't prompted. - - `PASSCODE_ALWAYS`: Requires an onscreen passcode for every AirPlay connection. After an AirPlay connection ends, the system allows reconnecting within 30 seconds without a password. - - `PASSWORD`: Requires the passphrase set for `Password`. + * `PASSCODE_ONCE`: Requires an onscreen passcode on first connection from a device. Subsequent connections from the same device aren't prompted. + * `PASSCODE_ALWAYS`: Requires an onscreen passcode for every AirPlay connection. After an AirPlay connection ends, the system allows reconnecting within 30 seconds without a password. + * `PASSWORD`: Requires the passphrase set for `Password`. > Note: > `NONE` was deprecated in tvOS 11.3. Existing profiles that use `NONE` get the `PASSWORD_ONCE` behavior. - key: AccessType - title: Access Type + title: Access type type: presence: required rangelist: @@ -57,3 +57,7 @@ payloadkeys: type: presence: optional content: The AirPlay password; required if `SecurityType` is `PASSWORD`. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.airplay.security/example1.plist diff --git a/mdm/profiles/com.apple.airplay.yaml b/mdm/profiles/com.apple.airplay.yaml index 85bff41..44065bc 100644 --- a/mdm/profiles/com.apple.airplay.yaml +++ b/mdm/profiles/com.apple.airplay.yaml @@ -52,7 +52,7 @@ payloadkeys: device. This allow list applies to supervised devices. subkeys: &id001 - key: AllowListItem - title: AllowList Content Item + title: AllowList content item supportedOS: iOS: introduced: '7.0' @@ -85,7 +85,7 @@ payloadkeys: As of tvOS 18, `DeviceID` isn't supported. - key: DeviceName - title: Device Name + title: Device name supportedOS: iOS: introduced: '18.0' @@ -106,19 +106,18 @@ payloadkeys: installed payloads, is an error and results in undefined behavior. subkeys: - key: PasswordsItem - title: Password Content Item + title: Password content item type: presence: required subkeys: - key: DeviceName - title: Device Name + title: Device name supportedOS: macOS: introduced: '15.0' type: presence: optional - content: The name of the AirPlay destination; used in iOS, and available in - macOS 15 and later. + content: The name of the AirPlay destination. - key: Password title: Password type: @@ -152,3 +151,7 @@ payloadkeys: presence: optional content: Use `AllowList` instead. This key is deprecated in iOS 14.5 and macOS 11.3. subkeys: *id001 +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.airplay/example1.plist diff --git a/mdm/profiles/com.apple.airprint.yaml b/mdm/profiles/com.apple.airprint.yaml index f6995c8..edd5a1b 100644 --- a/mdm/profiles/com.apple.airprint.yaml +++ b/mdm/profiles/com.apple.airprint.yaml @@ -49,7 +49,7 @@ payloadkeys: type: subkeys: - key: IPAddress - title: IP Address + title: IP address supportedOS: iOS: introduced: '7.0' @@ -57,7 +57,7 @@ payloadkeys: presence: required content: The IP address or hostname of the AirPrint destination. - key: ResourcePath - title: Resource Path + title: Resource path supportedOS: iOS: introduced: '7.0' @@ -71,7 +71,7 @@ payloadkeys: - `ipp/print` - `Epson_IPP_Printer` - key: Port - title: Port Number + title: Port number supportedOS: iOS: introduced: '11.0' @@ -94,5 +94,9 @@ payloadkeys: type: presence: optional default: false - content: If `true`, AirPrint connections are secured by Transport Layer Security - (TLS). Available only in iOS 11 and later. + content: If `true`, Transport Layer Security (TLS) secures AirPrint connections. + Available only in iOS 11 and later. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.airprint/example1.plist diff --git a/mdm/profiles/com.apple.app.lock.yaml b/mdm/profiles/com.apple.app.lock.yaml index 33b4632..860cfa8 100644 --- a/mdm/profiles/com.apple.app.lock.yaml +++ b/mdm/profiles/com.apple.app.lock.yaml @@ -47,14 +47,14 @@ payloadkeys: content: A dictionary of options that the user can't change. subkeys: - key: DisableTouch - title: Disable Touch + title: Disable touch type: presence: optional default: false content: If `true`, the system disables the touch screen. In tvOS, it disables the touch surface on the Apple TV Remote. - key: DisableDeviceRotation - title: Disable Device Rotation + title: Disable device rotation supportedOS: tvOS: introduced: n/a @@ -63,7 +63,7 @@ payloadkeys: default: false content: If `true`, the system disables device rotation sensing. - key: DisableVolumeButtons - title: Disable Volume Buttons + title: Disable volume buttons supportedOS: tvOS: introduced: n/a @@ -72,7 +72,7 @@ payloadkeys: default: false content: If `true`, the system disables the volume buttons. - key: DisableRingerSwitch - title: Disable Ringer Switch + title: Disable ringer switch supportedOS: tvOS: introduced: n/a @@ -83,7 +83,7 @@ payloadkeys: ringer behavior depends on what position the switch was in when it was first disabled. - key: DisableSleepWakeButton - title: Disable Sleep Wake Button + title: Disable sleep wake button supportedOS: tvOS: introduced: n/a @@ -92,14 +92,14 @@ payloadkeys: default: false content: If `true`, the system disables the sleep/wake button. - key: DisableAutoLock - title: Disable Auto Lock + title: Disable auto lock type: presence: optional default: false content: If `true`, the device doesn't automatically go to sleep after an idle period. - key: EnableVoiceOver - title: Enable Voice Over + title: Enable VoiceOver type: presence: optional default: false @@ -117,7 +117,7 @@ payloadkeys: default: false content: If `true`, the system enables Invert Colors. - key: EnableAssistiveTouch - title: Enable Assistive Touch + title: Enable AssistiveTouch supportedOS: tvOS: introduced: n/a @@ -155,7 +155,7 @@ payloadkeys: default: false content: If `true`, the system enables Voice Control. - key: UserEnabledOptions - title: User Enabled Options + title: User enabled options supportedOS: iOS: introduced: '7.0' @@ -175,7 +175,7 @@ payloadkeys: default: false content: If `true`, the system allows the user to toggle Voice Control. - key: VoiceOver - title: Voice Over + title: VoiceOver type: presence: optional default: false @@ -193,7 +193,7 @@ payloadkeys: default: false content: If `true`, the system allows the user to toggle Invert Colors. - key: AssistiveTouch - title: Assistive Touch + title: AssistiveTouch supportedOS: tvOS: introduced: n/a @@ -207,3 +207,7 @@ notes: With an app lock profile, the device locks to the specified app until removal of the profile. The device returns to the app automatically upon wake or restart. Only use an app lock payload after installing the target app. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.app.lock/example1.plist diff --git a/mdm/profiles/com.apple.applicationaccess.new.yaml b/mdm/profiles/com.apple.applicationaccess.new.yaml index 1b1f17a..64c9d1f 100644 --- a/mdm/profiles/com.apple.applicationaccess.new.yaml +++ b/mdm/profiles/com.apple.applicationaccess.new.yaml @@ -7,6 +7,7 @@ payload: introduced: n/a macOS: introduced: '10.7' + deprecated: '27.0' multiple: true devicechannel: true userchannel: true @@ -26,24 +27,27 @@ payload: Parental controls application restrictions. Order of evaluation: (1) Certain system applications and utilities are always allowed to run - (2) The "whiteList" is searched to see if a matching entry is found by bundleID. If a match is found, the "appID" and "detachedSignature" + (2) The "allowList" is searched to see if a matching entry is found by bundleID. If a match is found, the "appID" and "detachedSignature" (if present) are used to verify the signature of the application being launched. If the signature is valid and matches the designated requirement (in the "appID" key), the application is allowed to launch. - (3) (deprecated) If the path to the binary being launched matches (or is in a subdirectory) of a path in "pathBlackList", the binary is denied. - (4) (deprecated) If the path to the binary being launched matches (or is a subdirectory) of a path in "pathWhiteList", the binary is allowed to launch. + (3) (deprecated) If the path to the binary being launched matches (or is in a subdirectory) of a path in "pathDenyList", the binary is denied. + (4) (deprecated) If the path to the binary being launched matches (or is a subdirectory) of a path in "pathAllowList", the binary is allowed to launch. (5) The binary is denied permission to launch. payloadkeys: - key: familyControlsEnabled type: presence: required content: If `true`, enables app access restrictions. -- key: whiteList +- key: allowList + supportedOS: + macOS: + introduced: '10.15' type: presence: optional content: The allow list of app item dictionaries. subkeytype: ApplicationItem subkeys: &id001 - - key: whiteListItem + - key: allowListItem type: content: A dictionary defining an app for parental control. subkeys: @@ -75,6 +79,28 @@ payloadkeys: type: presence: optional content: The name used for display purposes. +- key: whiteList + supportedOS: + macOS: + deprecated: '10.15' + type: + presence: optional + content: The allow list of app item dictionaries. This property is deprecated in + macOS 10.15 and later - use `allowList` instead. + subkeytype: ApplicationItem + subkeys: *id001 +- key: pathDenyList + supportedOS: + macOS: + introduced: '10.15' + type: + presence: optional + content: The paths to apps in the deny list. + subkeys: + - key: pathDenyListItem + type: + presence: required + content: A path. - key: pathBlackList supportedOS: macOS: @@ -82,12 +108,24 @@ payloadkeys: type: presence: optional content: The paths to apps in the deny list. This property is deprecated in macOS - 10.15 and later. + 10.15 and later - use `pathDenyList` instead. subkeys: - key: pathBlackListItem type: presence: required content: A path. +- key: pathAllowList + supportedOS: + macOS: + introduced: '10.15' + type: + presence: optional + content: The paths to apps in the allow list. + subkeys: + - key: pathAllowListItem + type: + presence: required + content: A path. - key: pathWhiteList supportedOS: macOS: @@ -95,7 +133,7 @@ payloadkeys: type: presence: optional content: The paths to apps in the allow list. This property is deprecated in macOS - 10.15 and later. + 10.15 and later - use `pathAllowList` instead. subkeys: - key: pathWhiteListItem type: @@ -111,3 +149,7 @@ notes: - If the path to the binary being launched matches or is in a subdirectory of a path in the deny list, the binary is denied. - If the path to the binary being launched matches or is a subdirectory of a path in the allow list, the binary is allowed to launch. - The binary is denied permission to launch. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.applicationaccess.new/example1.plist diff --git a/mdm/profiles/com.apple.applicationaccess.yaml b/mdm/profiles/com.apple.applicationaccess.yaml index ade62cc..6116d26 100644 --- a/mdm/profiles/com.apple.applicationaccess.yaml +++ b/mdm/profiles/com.apple.applicationaccess.yaml @@ -69,7 +69,7 @@ payloadkeys: content: If `false`, the system disables modification of accounts, such as Apple Accounts, and internet-based accounts, such as Mail, Contacts, and Calendar. - key: allowActivityContinuation - title: Allow Handoff + title: Allow handoff supportedOS: iOS: introduced: '8.0' @@ -95,7 +95,7 @@ payloadkeys: In a future release, this restriction will begin requiring supervision and will apply to personal Apple Accounts only. - key: allowAddingGameCenterFriends - title: Allow Adding Game Center Friends + title: Allow adding Game Center friends supportedOS: iOS: introduced: 4.2.1 @@ -182,7 +182,7 @@ payloadkeys: default: true content: If `false`, the system disables AirPrint. - key: allowAirPrintCredentialsStorage - title: Allow storage of AirPrint credentials in Keychain + title: Allow storage of AirPrint credentials in keychain supportedOS: iOS: introduced: '11.0' @@ -224,7 +224,7 @@ payloadkeys: content: If `false`, the system disables iBeacon discovery of AirPrint printers, which prevents spurious AirPrint Bluetooth beacons from phishing for network traffic. - key: allowAppCellularDataModification - title: Allow Modifying Cellular Data Usage for Apps Settings + title: Allow modifying cellular data usage for apps settings supportedOS: iOS: introduced: '7.0' @@ -266,7 +266,7 @@ payloadkeys: content: If `false`, the system prevents a user from adding any App Clips, and removes any existing App Clips on the device. - key: allowAppInstallation - title: Allow App Installation + title: Allow app installation supportedOS: iOS: supervised: true @@ -291,7 +291,7 @@ payloadkeys: In iOS 10 and later, MDM commands can override this restriction. Requires a supervised device in iOS 13 and later. - key: allowAppleIntelligenceReport - title: Allow Apple Intelligence Report + title: Allow Apple Intelligence report supportedOS: iOS: introduced: '18.4' @@ -315,7 +315,10 @@ payloadkeys: type: presence: optional default: true - content: If `false`, the system disables Apple Intelligence reports. + content: |- + If `false`, the system disables Apple Intelligence reports. + + Deprecated: use the declarative management `com.apple.configuration.intelligence.settings` configuration. - key: allowApplePersonalizedAdvertising supportedOS: iOS: @@ -341,7 +344,7 @@ payloadkeys: default: true content: If `false`, the system limits Apple personalized advertising. - key: allowAppRemoval - title: Allow App Removal + title: Allow app removal supportedOS: iOS: introduced: 4.2.1 @@ -363,7 +366,7 @@ payloadkeys: applies to App Store apps, marketplace apps, and locally installed apps (using Configurator, Xcode, and so forth). - key: allowAppsToBeHidden - title: Allow Hiding Apps + title: Allow hiding apps supportedOS: iOS: introduced: '18.0' @@ -387,7 +390,7 @@ payloadkeys: affect the user's ability to leave it in the App Library, while removing it from the Home Screen. - key: allowAppsToBeLocked - title: Allow Locking Apps + title: Allow locking apps supportedOS: iOS: introduced: '18.0' @@ -450,7 +453,10 @@ payloadkeys: type: presence: optional default: true - content: If `false`, the system disables Siri. + content: |- + If `false`, the system disables Siri. + + Deprecated: use the declarative management `com.apple.configuration.siri.settings` configuration. - key: allowAssistantUserGeneratedContent supportedOS: iOS: @@ -471,10 +477,12 @@ payloadkeys: type: presence: optional default: true - content: If `false`, the system prevents Siri from querying user-generated content - from the web. + content: |- + If `false`, the system prevents Siri from querying user-generated content from the web. + + Deprecated: use the declarative management `com.apple.configuration.siri.settings` configuration. - key: allowAssistantWhileLocked - title: Allow Siri While Locked + title: Allow Siri while locked supportedOS: iOS: introduced: '5.1' @@ -490,10 +498,12 @@ payloadkeys: type: presence: optional default: true - content: If `false`, the system disables Siri when the device is locked. The system - ignores this restriction if the device doesn't have a passcode set. + content: |- + If `false`, the system disables Siri when the device is locked. The system ignores this restriction if the device doesn't have a passcode set. + + Deprecated: use the declarative management `com.apple.configuration.siri.settings` configuration. - key: allowAutoCorrection - title: Allow Auto Correction + title: Allow auto correction supportedOS: iOS: introduced: 8.1.3 @@ -512,9 +522,12 @@ payloadkeys: type: presence: optional default: true - content: If `false`, the system disables keyboard autocorrection. + content: |- + If `false`, the system disables keyboard autocorrection. + + Deprecated: use the declarative management `com.apple.configuration.keyboard.settings` configuration. - key: allowAutoDim - title: Allow Auto Dim + title: Allow auto dim supportedOS: iOS: introduced: '17.4' @@ -536,7 +549,7 @@ payloadkeys: default: true content: If `false`, disables auto dim on iPads with OLED displays. - key: allowAutomaticAppDownloads - title: Allow Automatic App Downloads + title: Allow automatic app downloads supportedOS: iOS: introduced: '9.0' @@ -611,7 +624,10 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '27.0' + supervised: true + userenrollment: + mode: forbidden watchOS: introduced: n/a type: @@ -619,7 +635,7 @@ payloadkeys: default: true content: If `false`, the system prevents modification of Bluetooth settings. - key: allowBluetoothSharingModification - title: Allow modifying Bluetooth Sharing setting + title: Allow modifying Bluetooth sharing setting supportedOS: iOS: introduced: n/a @@ -639,7 +655,7 @@ payloadkeys: content: If `false`, the system prevents modifying Bluetooth settings in System Settings. - key: allowBookstore - title: Allow Bookstore + title: Allow Book Store supportedOS: iOS: introduced: '6.0' @@ -661,7 +677,7 @@ payloadkeys: default: true content: If `false`, the system removes the Book Store tab from the Books app. - key: allowBookstoreErotica - title: Allow Bookstore Erotica + title: Allow Book Store erotica supportedOS: iOS: introduced: '6.0' @@ -685,7 +701,7 @@ payloadkeys: that's tagged as erotica. Support for this restriction on unsupervised devices is deprecated. - key: allowCallRecording - title: Allow Call Recording + title: Allow call recording supportedOS: iOS: introduced: '18.1' @@ -709,7 +725,7 @@ payloadkeys: default: true content: If `false`, disables call recording. - key: allowCamera - title: Allow Camera Use + title: Allow camera use supportedOS: iOS: userenrollment: @@ -765,7 +781,10 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '27.0' + supervised: true + userenrollment: + mode: forbidden watchOS: introduced: n/a type: @@ -793,7 +812,7 @@ payloadkeys: default: true content: If `false`, the system disables iCloud Contacts services. - key: allowCloudBackup - title: Allow iCloud Backup + title: Allow iCloud backup supportedOS: iOS: introduced: '5.0' @@ -869,7 +888,7 @@ payloadkeys: default: true content: If `false`, the system disables iCloud Desktop and Document services. - key: allowCloudDocumentSync - title: Allow iCloud Document Sync + title: Allow iCloud document sync supportedOS: iOS: introduced: '5.0' @@ -977,7 +996,7 @@ payloadkeys: default: true content: If `false`, the system disables iCloud Notes services. - key: allowCloudPhotoLibrary - title: Allow iCloud Photo Library + title: Allow iCloud photo library supportedOS: iOS: introduced: '9.0' @@ -1066,7 +1085,7 @@ payloadkeys: content: If `false`, the system disables content caching. This restriction is not supported on the user channel. - key: allowContinuousPathKeyboard - title: Allow Continuous Path Keyboard + title: Allow continuous path keyboard supportedOS: iOS: introduced: '13.0' @@ -1085,7 +1104,10 @@ payloadkeys: type: presence: optional default: true - content: If `false`, the system disables QuickPath keyboard. + content: |- + If `false`, the system disables QuickPath keyboard. + + Deprecated: use the declarative management `com.apple.configuration.keyboard.settings` configuration. - key: allowDefaultBrowserModification title: Allow default browser modification supportedOS: @@ -1152,7 +1174,7 @@ payloadkeys: MDM Settings command to set the default messaging app preference still works when applying this. - key: allowDefinitionLookup - title: Allow Define + title: Allow definition lookup supportedOS: iOS: introduced: 8.1.3 @@ -1174,9 +1196,12 @@ payloadkeys: type: presence: optional default: true - content: If `false`, the system disables definition lookup. + content: |- + If `false`, the system disables definition lookup. + + Deprecated: use the declarative management `com.apple.configuration.keyboard.settings` configuration. - key: allowDeviceNameModification - title: Allow Modifying Device Name + title: Allow modifying device name supportedOS: iOS: introduced: '9.0' @@ -1202,7 +1227,7 @@ payloadkeys: default: true content: If `false`, the system prevents the user from changing the device name. - key: allowDeviceSleep - title: Allow Device Sleep + title: Allow device sleep supportedOS: iOS: introduced: n/a @@ -1282,9 +1307,12 @@ payloadkeys: type: presence: optional default: true - content: If `false`, the system disallows dictation input. + content: |- + If `false`, the system disallows dictation input. + + Deprecated: use the declarative management `com.apple.configuration.keyboard.settings` configuration. - key: allowedCameraRestrictionBundleIDs - title: Allowed Exceptions to Camera Restriction + title: Allowed exceptions to camera restriction supportedOS: iOS: introduced: '26.0' @@ -1314,7 +1342,7 @@ payloadkeys: title: Bundle ID to be excepted type: - key: allowedExternalIntelligenceWorkspaceIDs - title: Allowed External Intelligence Workspace IDs + title: Allowed external intelligence workspace IDs supportedOS: iOS: introduced: '18.3' @@ -1344,18 +1372,16 @@ payloadkeys: introduced: n/a type: presence: optional - content: An array of strings, but currently restricted to a single element. If present, - Apple Intelligence allows use of only the given external integration workspace - ID, and requires a sign-in to make requests. The user is required to sign in to - integrations that support signing in. Multiple payloads combine using an intersect - operation. This means the allowed set of workspace IDs can become the empty set - if multiple payloads specify conflicting values. + content: |- + An array of strings, but currently restricted to a single element. If present, Apple Intelligence allows use of only the given external integration workspace ID, and requires a sign-in to make requests. The user is required to sign in to integrations that support signing in. Multiple payloads combine using an intersect operation. This means the allowed set of workspace IDs can become the empty set if multiple payloads specify conflicting values. + + Deprecated: use the declarative management `com.apple.configuration.external-intelligence.settings` configuration. subkeys: - key: allowedWorkspaceID - title: Allowed Workspace ID + title: Allowed workspace ID type: - key: allowEnablingRestrictions - title: Allow Configuring Restrictions or ScreenTime + title: Allow configuring restrictions or ScreenTime supportedOS: iOS: introduced: '8.0' @@ -1383,7 +1409,7 @@ payloadkeys: ScreenTime option in the ScreenTime UI in Settings and disables ScreenTime if already enabled. - key: allowEnterpriseAppTrust - title: Allow Trusting Enterprise Apps + title: Allow trusting enterprise apps supportedOS: iOS: introduced: '9.0' @@ -1408,7 +1434,7 @@ payloadkeys: accounts and enterprise app developers that aren't implicitly trusted by apps that install through MDM. This restriction doesn't revoke previously granted trust. - key: allowEnterpriseBookBackup - title: Allow Enterprise Books Backup + title: Allow enterprise books backup supportedOS: iOS: introduced: '8.0' @@ -1425,7 +1451,7 @@ payloadkeys: default: true content: If `false`, the system disables backup of Enterprise books. - key: allowEnterpriseBookMetadataSync - title: Allow Enterprise Books Notes and Highlights Sync + title: Allow enterprise books notes and highlights sync supportedOS: iOS: introduced: '8.0' @@ -1442,7 +1468,7 @@ payloadkeys: default: true content: If `false`, the system disables sync of Enterprise books, notes, and highlights. - key: allowEraseContentAndSettings - title: Allow Erase All Content and Settings + title: Allow erase all content and settings supportedOS: iOS: introduced: '8.0' @@ -1468,7 +1494,7 @@ payloadkeys: content: If `false`, the system disables the Erase All Content and Settings option in the Reset UI. - key: allowESIMModification - title: Allow eSIM Modification + title: Allow eSIM modification supportedOS: iOS: introduced: '12.1' @@ -1486,9 +1512,10 @@ payloadkeys: type: presence: optional default: true - content: If `false`, the system disables modifications of eSIMs. + content: If `false`, the system disables modifications of eSIMs. This also disables + the phone number sharing setup on iPhones, in iOS 27 and later. - key: allowESIMOutgoingTransfers - title: Allow eSIM Outgoing Transfers + title: Allow eSIM outgoing transfers supportedOS: iOS: introduced: '18.0' @@ -1509,7 +1536,7 @@ payloadkeys: content: If `false`, prevents the transfer of an eSIM from the device on which the restriction is installed to a different device. - key: allowExplicitContent - title: Allow Explicit Content + title: Allow explicit content supportedOS: iOS: supervised: true @@ -1560,10 +1587,10 @@ payloadkeys: type: presence: optional default: true - content: If `false`, disables the use of external, cloud-based intelligence services - with Siri. In iOS, this restriction is temporarily allowed on unsupervised and - user enrollments. In a future release, this restriction will require supervision, - and will be ignored on unsupervised devices. + content: |- + If `false`, disables the use of external, cloud-based intelligence services with Siri. In iOS, this restriction is temporarily allowed on unsupervised and user enrollments. In a future release, this restriction will require supervision, and will be ignored on unsupervised devices. + + Deprecated: use the declarative management `com.apple.configuration.external-intelligence.settings` configuration. - key: allowExternalIntelligenceIntegrationsSignIn title: Allow external intelligence integrations sign-in supportedOS: @@ -1591,11 +1618,12 @@ payloadkeys: type: presence: optional default: true - content: If `false`, forces external intelligence providers into anonymous mode. - If a user is already signed in to an external intelligence provider, applying - this restriction signs them out when attempting the next request. + content: |- + If `false`, forces external intelligence providers into anonymous mode. If a user is already signed in to an external intelligence provider, applying this restriction signs them out when attempting the next request. + + Deprecated: use the declarative management `com.apple.configuration.external-intelligence.settings` configuration. - key: allowFileSharingModification - title: Allow modifying File Sharing setting + title: Allow modifying file sharing setting supportedOS: iOS: introduced: n/a @@ -1723,7 +1751,7 @@ payloadkeys: default: true content: If `false`, the system disables changes to Find My Friends. - key: allowFingerprintForUnlock - title: Allow Touch ID to Unlock Device + title: Allow Touch ID to unlock device supportedOS: iOS: introduced: '7.0' @@ -1747,7 +1775,7 @@ payloadkeys: content: If `false`, the system prevents Touch ID, Face ID, or Optic ID from unlocking a device. Support for this restriction on unsupervised devices is deprecated. - key: allowFingerprintModification - title: Allow Modifying Touch ID Fingerprints + title: Allow modifying Touch ID fingerprints supportedOS: iOS: introduced: '8.3' @@ -1826,9 +1854,12 @@ payloadkeys: type: presence: optional default: true - content: If `false`, prohibits creating new Genmoji. + content: |- + If `false`, prohibits creating new Genmoji. + + Deprecated: use the declarative management `com.apple.configuration.intelligence.settings` configuration. - key: allowGlobalBackgroundFetchWhenRoaming - title: Allow Automatic Sync While Roaming + title: Allow automatic sync while roaming supportedOS: iOS: userenrollment: @@ -1898,7 +1929,10 @@ payloadkeys: type: presence: optional default: true - content: If `false`, prohibits the use of image generation. + content: |- + If `false`, prohibits the use of image generation. + + Deprecated: use the declarative management `com.apple.configuration.intelligence.settings` configuration. - key: allowImageWand title: Allow Image Wand supportedOS: @@ -1925,9 +1959,12 @@ payloadkeys: type: presence: optional default: true - content: If `false`, prohibits the use of Image Wand. + content: |- + If `false`, prohibits the use of Image Wand. + + Deprecated: use the declarative management `com.apple.configuration.intelligence.settings` configuration. - key: allowInAppPurchases - title: Allow In App Purchases + title: Allow in app purchases supportedOS: iOS: userenrollment: @@ -1946,7 +1983,7 @@ payloadkeys: content: If `false`, the system prohibits in-app purchasing. Support for this restriction on unsupervised devices is deprecated. - key: allowInternetSharingModification - title: Allow modifying Internet Sharing setting + title: Allow modifying internet sharing setting supportedOS: iOS: introduced: n/a @@ -2054,7 +2091,7 @@ payloadkeys: default: true content: If `false`, the system disables iTunes file sharing services. - key: allowKeyboardShortcuts - title: Allow Keyboard Shortcuts + title: Allow keyboard shortcuts supportedOS: iOS: introduced: '9.0' @@ -2073,12 +2110,16 @@ payloadkeys: type: presence: optional default: true - content: If `false`, the system disables keyboard shortcuts. + content: |- + If `false`, the system disables keyboard shortcuts. + + Deprecated: use the declarative management `com.apple.configuration.keyboard.settings` configuration. - key: allowListedAppBundleIDs - title: Allow Listed Apps + title: Allow listed apps supportedOS: iOS: introduced: '15.0' + deprecated: '27.0' supervised: true userenrollment: mode: forbidden @@ -2086,23 +2127,28 @@ payloadkeys: introduced: n/a tvOS: introduced: '15.0' + deprecated: '27.0' supervised: true visionOS: - introduced: n/a + introduced: '27.0' + deprecated: '27.0' + supervised: true + userenrollment: + mode: forbidden watchOS: introduced: n/a type: presence: optional - content: If present, the system only shows or can launch apps with bundle IDs in - the array. Include the value `com.apple.webapp` to allow all webclips. This applies - to App Store apps, marketplace apps, and locally installed apps (using Configurator, - Xcode, and so forth). + content: |- + If present, the system only shows or can launch apps with bundle IDs in the array. Include the value `com.apple.webapp` to allow all webclips. This applies to App Store apps, marketplace apps, and locally installed apps (using Configurator, Xcode, and so forth). + + Deprecated: use the declarative management `com.apple.configuration.app.settings` configuration. subkeys: - key: appAllowlistedBundleID - title: Allow Listed App + title: Allow listed app type: - key: allowLiveVoicemail - title: Allow Live Voicemail + title: Allow live voicemail supportedOS: iOS: introduced: '17.2' @@ -2241,7 +2287,10 @@ payloadkeys: type: presence: optional default: true - content: If `false`, disables smart replies in Mail. + content: |- + If `false`, disables smart replies in Mail. + + Deprecated: use the declarative management `com.apple.configuration.intelligence.settings` configuration. - key: allowMailSummary supportedOS: iOS: @@ -2270,10 +2319,12 @@ payloadkeys: type: presence: optional default: true - content: If `false`, disables the ability to create summaries of email messages - manually. This doesn't affect automatic summary generation. + content: |- + If `false`, disables the ability to create summaries of email messages manually. This doesn't affect automatic summary generation. + + Deprecated: use the declarative management `com.apple.configuration.intelligence.settings` configuration. - key: allowManagedAppsCloudSync - title: Allow iCloud Sync for Managed Apps + title: Allow iCloud sync for managed apps supportedOS: iOS: introduced: '8.0' @@ -2317,7 +2368,7 @@ payloadkeys: > Important: > Use MDM to install profiles that contain this restriction. - key: allowMarketplaceAppInstallation - title: Allow App Installation from alternative marketplaces + title: Allow app installation from alternative marketplaces supportedOS: iOS: introduced: '17.4' @@ -2360,7 +2411,7 @@ payloadkeys: default: true content: If `false`, prevents modification of Media Sharing settings. - key: allowMultiplayerGaming - title: Allow Multiplayer Gaming + title: Allow multiplayer gaming supportedOS: iOS: introduced: '4.1' @@ -2467,7 +2518,10 @@ payloadkeys: type: presence: optional default: true - content: If `false`, disables transcription in Notes. + content: |- + If `false`, disables transcription in Notes. + + Deprecated: use the declarative management `com.apple.configuration.intelligence.settings` configuration. - key: allowNotesTranscriptionSummary supportedOS: iOS: @@ -2492,9 +2546,12 @@ payloadkeys: type: presence: optional default: true - content: If `false`, disables transcription summarization in Notes. + content: |- + If `false`, disables transcription summarization in Notes. + + Deprecated: use the declarative management `com.apple.configuration.intelligence.settings` configuration. - key: allowNotificationsModification - title: Allow Modifying Notifications Settings + title: Allow modifying notifications settings supportedOS: iOS: introduced: '9.3' @@ -2572,7 +2629,7 @@ payloadkeys: content: If `false`, the system disables over-the-air PKI updates. Setting this restriction to `false` doesn't disable CRL and OCSP checks. - key: allowPairedWatch - title: Allow Pairing With Apple Watch + title: Allow pairing with Apple Watch supportedOS: iOS: introduced: '9.0' @@ -2593,7 +2650,7 @@ payloadkeys: content: If `false`, the system disables pairing with an Apple Watch, and the system unpairs any currently paired Apple Watch and erases its content. - key: allowPassbookWhileLocked - title: Allow Wallet While Locked + title: Allow Wallet while locked supportedOS: iOS: introduced: '6.0' @@ -2612,7 +2669,7 @@ payloadkeys: default: true content: If `false`, the system hides Passbook notifications from the Lock Screen. - key: allowPasscodeModification - title: Allow Modifying Passcode + title: Allow modifying passcode supportedOS: iOS: introduced: '9.0' @@ -2721,7 +2778,7 @@ payloadkeys: content: If `false`, the system disables sharing passwords with the AirDrop passwords feature, or with the Passwords app. - key: allowPersonalHotspotModification - title: Allow modifying Personal Hotspot settings + title: Allow modifying personal hotspot settings supportedOS: iOS: introduced: '12.2' @@ -2762,7 +2819,10 @@ payloadkeys: type: presence: optional default: true - content: If false, prevents the system from generating text in the user's handwriting. + content: |- + If false, prevents the system from generating text in the user's handwriting. + + Deprecated: use the declarative management `com.apple.configuration.intelligence.settings` configuration. - key: allowPhotoStream title: Allow Photo Stream supportedOS: @@ -2803,7 +2863,7 @@ payloadkeys: default: true content: If `false`, the system disables podcasts. - key: allowPredictiveKeyboard - title: Allow Predictive Keyboard + title: Allow predictive keyboard supportedOS: iOS: introduced: 8.1.3 @@ -2822,7 +2882,10 @@ payloadkeys: type: presence: optional default: true - content: If `false`, the system disables predictive keyboards. + content: |- + If `false`, the system disables predictive keyboards. + + Deprecated: use the declarative management `com.apple.configuration.keyboard.settings` configuration. - key: allowPrinterSharingModification title: Allow modifying Printer Sharing setting supportedOS: @@ -2867,7 +2930,7 @@ payloadkeys: Starting with iOS 26.3, this also prevents exporting iOS data to set up new Android devices. - key: allowRadioService - title: Allow iTunes Radio + title: Allow iTunes radio supportedOS: iOS: introduced: '9.3' @@ -2887,17 +2950,19 @@ payloadkeys: default: true content: If `false`, the system disables Apple Music Radio. - key: allowRapidSecurityResponseInstallation - title: Allow Background Security Improvement Installation + title: Allow Background Security Improvements installation supportedOS: iOS: introduced: '16.0' deprecated: '26.0' + removed: '27.0' supervised: true userenrollment: mode: forbidden macOS: introduced: '13.0' deprecated: '26.0' + removed: '27.0' userenrollment: mode: forbidden tvOS: @@ -2909,19 +2974,24 @@ payloadkeys: type: presence: optional default: true - content: If `false`, the system prohibits installation of Background Security Improvements. + content: |- + If `false`, the system prohibits installation of Background Security Improvements. + + Removed: use the declarative management `com.apple.configuration.softwareupdate.settings` configuration. - key: allowRapidSecurityResponseRemoval - title: Allow Background Security Improvement Removal + title: Allow Background Security Improvements removal supportedOS: iOS: introduced: '16.0' deprecated: '26.0' + removed: '27.0' supervised: true userenrollment: mode: forbidden macOS: introduced: '13.0' deprecated: '26.0' + removed: '27.0' userenrollment: mode: forbidden tvOS: @@ -2933,7 +3003,10 @@ payloadkeys: type: presence: optional default: true - content: If `false`, the system prohibits removal of Background Security Improvements. + content: |- + If `false`, the system prohibits removal of Background Security Improvements. + + Removed: use the declarative management `com.apple.configuration.softwareupdate.settings` configuration. - key: allowRCSMessaging supportedOS: iOS: @@ -2954,7 +3027,7 @@ payloadkeys: default: true content: If `false`, prevents the use of RCS messaging. - key: allowRemoteAppleEventsModification - title: Allow modifying Remote Apple Events Sharing setting + title: Allow modifying remote Apple Events Sharing setting supportedOS: iOS: introduced: n/a @@ -2993,7 +3066,7 @@ payloadkeys: content: If `false`, the system disables pairing Apple TV for use with the Control Center widget. - key: allowRemoteScreenObservation - title: Allow Remote Screen Observation + title: Allow remote screen observation supportedOS: iOS: introduced: '9.3' @@ -3032,9 +3105,9 @@ payloadkeys: presence: optional default: true content: If `false`, disables Rosetta usage awareness. When Rosetta usage awareness - is active, a pop-up dialog is displayed to the user when an app that is using - Rosetta is launched. The pop-up dialog indicates that Rosetta will be removed - in a future version of the operating system so that the user can contact the app + is active, the device displays a pop-up dialog to the user when launching an app + that uses Rosetta. The pop-up dialog indicates that Rosetta will be removed in + a future version of the operating system so that the user can contact the app vendor regarding a replacement for the current app. - key: allowSafari title: Allow use of Safari @@ -3141,7 +3214,10 @@ payloadkeys: type: presence: optional default: true - content: If `false`, the system disables the ability to summarize content in Safari. + content: |- + If `false`, the system disables the ability to summarize content in Safari. + + Deprecated: use the declarative management `com.apple.configuration.intelligence.settings` configuration. - key: allowSatelliteConnection title: Allow use of satellite connectivity supportedOS: @@ -3166,7 +3242,7 @@ payloadkeys: content: If `false`, the system prohibits the connection to and use of satellite services. - key: allowScreenShot - title: Allow Screenshots and Screen Recording + title: Allow screenshots and screen recording supportedOS: iOS: introduced: '3.1' @@ -3204,7 +3280,7 @@ payloadkeys: default: true content: If `false`, the system makes temporary sessions unavailable on Shared iPad. - key: allowSharedStream - title: Allow Shared Stream + title: Allow shared stream supportedOS: iOS: introduced: '6.0' @@ -3224,7 +3300,7 @@ payloadkeys: content: If `false`, the system disables Shared Photo Stream. Support for this restriction on unsupervised devices is deprecated. - key: allowSpellCheck - title: Allow Spell Check + title: Allow spell check supportedOS: iOS: introduced: 8.1.3 @@ -3243,9 +3319,12 @@ payloadkeys: type: presence: optional default: true - content: If `false`, the system disables the keyboard spell checker. + content: |- + If `false`, the system disables the keyboard spell checker. + + Deprecated: use the declarative management `com.apple.configuration.keyboard.settings` configuration. - key: allowSpotlightInternetResults - title: Allow Siri Suggestions + title: Allow Siri suggestions supportedOS: iOS: introduced: '8.0' @@ -3267,7 +3346,7 @@ payloadkeys: content: If `false`, the system disables Spotlight Internet search results in Siri Suggestions. Support for this restriction on unsupervised devices is deprecated. - key: allowStartupDiskModification - title: Allow modifying Startup Disk settings + title: Allow modifying startup disk settings supportedOS: iOS: introduced: n/a @@ -3328,9 +3407,9 @@ payloadkeys: presence: optional default: true content: If `false`, the system prevents modification of Time Machine settings in - System Settings. This restriction is not supported on the user channel. + System Settings. This restriction isn't supported on the user channel. - key: allowUIAppInstallation - title: Allow App Installation from App Store + title: Allow app installation from app store supportedOS: iOS: introduced: '9.0' @@ -3356,7 +3435,7 @@ payloadkeys: In iOS 10 and later, MDM commands can override this restriction. - key: allowUIConfigurationProfileInstallation - title: Allow UI Configuration Profile Installation + title: Allow UI configuration profile installation supportedOS: iOS: introduced: '6.0' @@ -3488,9 +3567,9 @@ payloadkeys: content: If `false`, the system allows iOS devices to always connect to USB accessories while locked. In macOS, allows new USB and Thunderbolt accessories, and SD cards to connect without authorization. If the system has Lockdown mode enabled, it - ignores this value. This restriction is not supported on the user channel. + ignores this value. This restriction isn't supported on the user channel. - key: allowVideoConferencing - title: Allow Video Conferencing + title: Allow video conferencing supportedOS: iOS: supervised: true @@ -3513,7 +3592,7 @@ payloadkeys: content: If `false`, the system hides the FaceTime app. Requires a supervised device in iOS 13 and later. - key: allowVideoConferencingRemoteControl - title: Allow Video Conferencing Remote Control + title: Allow video conferencing remote control supportedOS: iOS: introduced: '18.4' @@ -3534,7 +3613,7 @@ payloadkeys: content: If `false`, disables the ability for a remote FaceTime session to request control of the device. - key: allowVisualIntelligenceSummary - title: Allow Visual Intelligence Summary + title: Allow visual intelligence summary supportedOS: iOS: introduced: '18.3' @@ -3555,9 +3634,12 @@ payloadkeys: type: presence: optional default: true - content: If `false`, the system disables visual intelligence summarization. + content: |- + If `false`, the system disables visual intelligence summarization. + + Deprecated: use the declarative management `com.apple.configuration.intelligence.settings` configuration. - key: allowVoiceDialing - title: Allow Voice Dialing While Device is Locked + title: Allow voice dialing while device is locked supportedOS: iOS: deprecated: '17.0' @@ -3577,7 +3659,7 @@ payloadkeys: content: If `false`, the system disables voice dialing if the device is locked with a passcode. - key: allowVPNCreation - title: Allow Adding VPN Configurations (Supervised devices only) + title: Allow adding VPN configurations (supervised devices only) supportedOS: iOS: introduced: '11.0' @@ -3601,7 +3683,7 @@ payloadkeys: content: If `false`, the system allows only managed apps to create VPN configurations. Prior to iOS 18, the system also allows unmanaged apps to create VPN configurations. - key: allowWallpaperModification - title: Allow Modifying Wallpaper + title: Allow modifying wallpaper supportedOS: iOS: introduced: '9.0' @@ -3623,7 +3705,7 @@ payloadkeys: default: true content: If `false`, the system prevents changing the wallpaper. - key: allowWebDistributionAppInstallation - title: Allow App Installation from web sites + title: Allow app installation from web sites supportedOS: iOS: introduced: '17.5' @@ -3674,7 +3756,10 @@ payloadkeys: type: presence: optional default: true - content: If `false`, disables Apple Intelligence writing tools. + content: |- + If `false`, disables Apple Intelligence writing tools. + + Deprecated: use the declarative management `com.apple.configuration.intelligence.settings` configuration. - key: autonomousSingleAppModePermittedAppIDs supportedOS: iOS: @@ -3696,10 +3781,10 @@ payloadkeys: in the array to autonomously enter Single App Mode. subkeys: - key: appAutonomousSingleAppModePermittedID - title: Apps allow list for Autonomous Single App Mode + title: Apps allow list for autonomous single app mode type: - key: blacklistedAppBundleIDs - title: Blacklisted Apps + title: Blacklisted apps supportedOS: iOS: introduced: '9.3' @@ -3719,16 +3804,18 @@ payloadkeys: introduced: n/a type: presence: optional - content: Use `blockedAppBundleIDs` instead. + content: 'Deprecated: use the declarative management `com.apple.configuration.app.settings` + configuration.' subkeys: - key: appBlacklistedBundleID - title: Blacklisted App + title: Blacklisted app type: - key: blockedAppBundleIDs - title: Blocked Apps + title: Blocked apps supportedOS: iOS: introduced: '15.0' + deprecated: '27.0' supervised: true userenrollment: mode: forbidden @@ -3736,9 +3823,14 @@ payloadkeys: introduced: n/a tvOS: introduced: '15.0' + deprecated: '27.0' supervised: true visionOS: - introduced: n/a + introduced: '27.0' + deprecated: '27.0' + supervised: true + userenrollment: + mode: forbidden watchOS: introduced: n/a type: @@ -3746,11 +3838,13 @@ payloadkeys: content: |- If present, the system prevents showing or launching apps with bundle IDs in the array. Include the value `com.apple.webapp` to restrict all webclips. This applies to App Store apps, marketplace apps, and locally installed apps (using Configurator, Xcode, and so forth). + Deprecated: use the declarative management `com.apple.configuration.app.settings` configuration. + > Note: > Denying system apps may disable other functionality. For example, denying the App Store app may prevent users from accepting the terms and conditions for the user-based Volume Purchase Program (VPP). subkeys: - key: appBlockedBundleID - title: Blocked App + title: Blocked app type: - key: deniedICCIDsForiMessageFaceTime supportedOS: @@ -3826,17 +3920,20 @@ payloadkeys: iOS: introduced: '11.3' deprecated: '26.0' + removed: '27.0' supervised: true userenrollment: mode: forbidden macOS: introduced: 10.13.4 deprecated: '26.0' + removed: '27.0' userenrollment: mode: forbidden tvOS: introduced: '12.2' deprecated: '26.0' + removed: '27.0' supervised: true visionOS: introduced: n/a @@ -3848,10 +3945,10 @@ payloadkeys: min: 1 max: 90 default: 30 - content: How many days to delay a software update on the device. With this restriction - in place, the user doesn't see a software update until the specified number of - days after the software update release date. The restrictions `forceDelayedAppSoftwareUpdates` - and `forceDelayedSoftwareUpdates` use this value. + content: |- + How many days to delay a software update on the device. With this restriction in place, the user doesn't see a software update until the specified number of days after the software update release date. The restrictions `forceDelayedAppSoftwareUpdates` and `forceDelayedSoftwareUpdates` use this value. + + Removed: use the declarative management `com.apple.configuration.softwareupdate.settings` configuration. - key: enforcedSoftwareUpdateMajorOSDeferredInstallDelay supportedOS: iOS: @@ -3859,6 +3956,7 @@ payloadkeys: macOS: introduced: '11.3' deprecated: '26.0' + removed: '27.0' userenrollment: mode: forbidden tvOS: @@ -3873,10 +3971,10 @@ payloadkeys: min: 1 max: 90 default: 30 - content: This restriction allows the administrator to set the number of days to - delay a major software upgrade on the device. When this restriction is in place, - the user sees a software upgrade only after the specified delay after the release - of the software upgrade. This value controls the delay for `forceDelayedMajorSoftwareUpdates`. + content: |- + This restriction allows the administrator to set the number of days to delay a major software upgrade on the device. When this restriction is in place, the user sees a software upgrade only after the specified delay after the release of the software upgrade. This value controls the delay for `forceDelayedMajorSoftwareUpdates`. + + Removed: use the declarative management `com.apple.configuration.softwareupdate.settings` configuration. - key: enforcedSoftwareUpdateMinorOSDeferredInstallDelay supportedOS: iOS: @@ -3884,6 +3982,7 @@ payloadkeys: macOS: introduced: '11.3' deprecated: '26.0' + removed: '27.0' userenrollment: mode: forbidden tvOS: @@ -3898,10 +3997,10 @@ payloadkeys: min: 1 max: 90 default: 30 - content: This restriction allows the administrator to set the number of days to - delay a minor OS software update on the device. When this restriction is in place, - the user sees a software update only after the specified delay after the release - of the software update. This value controls the delay for `forceDelayedSoftwareUpdates`. + content: |- + This restriction allows the administrator to set the number of days to delay a minor OS software update on the device. When this restriction is in place, the user sees a software update only after the specified delay after the release of the software update. This value controls the delay for `forceDelayedSoftwareUpdates`. + + Removed: use the declarative management `com.apple.configuration.softwareupdate.settings` configuration. - key: enforcedSoftwareUpdateNonOSDeferredInstallDelay supportedOS: iOS: @@ -3909,6 +4008,7 @@ payloadkeys: macOS: introduced: '11.3' deprecated: '26.0' + removed: '27.0' userenrollment: mode: forbidden tvOS: @@ -3923,12 +4023,12 @@ payloadkeys: min: 1 max: 90 default: 30 - content: This restriction allows the administrator to set the number of days to - delay an app software update on the device. When this restriction is in place, - the user sees a non-OS software update only after the specified delay after the - release of the software. This value controls the delay for `forceDelayedAppSoftwareUpdates`. + content: |- + This restriction allows the administrator to set the number of days to delay an app software update on the device. When this restriction is in place, the user sees a non-OS software update only after the specified delay after the release of the software. This value controls the delay for `forceDelayedAppSoftwareUpdates`. + + Removed: use the declarative management `com.apple.configuration.softwareupdate.settings` configuration. - key: forceAirDropUnmanaged - title: Treat AirDrop as Unmanaged Destination + title: Treat AirDrop as unmanaged destination supportedOS: iOS: introduced: '9.0' @@ -3998,7 +4098,7 @@ payloadkeys: default: false content: If `true`, the system requires trusted certificates for TLS printing communication. - key: forceAssistantProfanityFilter - title: Enable Siri Profanity Filter + title: Enable Siri profanity filter supportedOS: iOS: introduced: '5.0' @@ -4020,8 +4120,10 @@ payloadkeys: type: presence: optional default: false - content: If `true`, the system forces the use of the profanity filter for Siri and - dictation. Requires a supervised device in iOS. + content: |- + If `true`, the system forces the use of the profanity filter for Siri and dictation. Requires a supervised device in iOS. + + Deprecated: use the declarative management `com.apple.configuration.siri.settings` configuration. - key: forceAuthenticationBeforeAutoFill supportedOS: iOS: @@ -4093,6 +4195,28 @@ payloadkeys: default: false content: If `true`, then the system bypasses the presentation of a screen capture alert. +- key: ForceCaptivePortalConnectionFromLockScreen + title: Enable captive WiFi portal for login and unlock + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '27.0' + supervised: true + allowmanualinstall: false + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + default: false + content: If `true`, the system allows use of the captive WiFi portal at login or + unlock. - key: forceClassroomAutomaticallyJoinClasses supportedOS: iOS: @@ -4198,6 +4322,7 @@ payloadkeys: macOS: introduced: '11.0' deprecated: '26.0' + removed: '27.0' userenrollment: mode: forbidden tvOS: @@ -4219,6 +4344,7 @@ payloadkeys: macOS: introduced: '11.3' deprecated: '26.0' + removed: '27.0' userenrollment: mode: forbidden tvOS: @@ -4230,23 +4356,29 @@ payloadkeys: type: presence: optional default: false - content: If `true`, the system delays user visibility of major OS updates. + content: |- + If `true`, the system delays user visibility of major OS updates. + + Removed: use the declarative management `com.apple.configuration.softwareupdate.settings` configuration. - key: forceDelayedSoftwareUpdates supportedOS: iOS: introduced: '11.3' deprecated: '26.0' + removed: '27.0' supervised: true userenrollment: mode: forbidden macOS: introduced: '10.13' deprecated: '26.0' + removed: '27.0' userenrollment: mode: forbidden tvOS: introduced: '12.2' deprecated: '26.0' + removed: '27.0' supervised: true visionOS: introduced: n/a @@ -4255,11 +4387,12 @@ payloadkeys: type: presence: optional default: false - content: If `true`, the system delays user visibility of software updates. In macOS, - the system allows seed build updates without delay. The delay is 30 days unless - you set `enforcedSoftwareUpdateDelay` to another value. + content: |- + If `true`, the system delays user visibility of software updates. In macOS, the system allows seed build updates without delay. The delay is 30 days unless you set `enforcedSoftwareUpdateDelay` to another value. + + Removed: use the declarative management `com.apple.configuration.softwareupdate.settings` configuration. - key: forceEncryptedBackup - title: Force Encrypted Backups + title: Force encrypted backups supportedOS: macOS: introduced: n/a @@ -4331,8 +4464,10 @@ payloadkeys: type: presence: optional default: false - content: If `true`, the system disables connections to Siri servers for the purposes - of dictation. + content: |- + If `true`, the system disables connections to Siri servers for the purposes of dictation. + + Deprecated: use the declarative management `com.apple.configuration.intelligence.settings` configuration. - key: forceOnDeviceOnlyTranslation supportedOS: iOS: @@ -4349,10 +4484,12 @@ payloadkeys: type: presence: optional default: false - content: If `true`, the device can't connect to Siri servers for the purposes of - translation. + content: |- + If `true`, the device can't connect to Siri servers for the purposes of translation. + + Deprecated: use the declarative management `com.apple.configuration.intelligence.settings` configuration. - key: forcePreserveESIMOnErase - title: Force Preserve ESIM on Erase + title: Force preserve ESIM on erase supportedOS: iOS: introduced: '17.2' @@ -4378,7 +4515,7 @@ payloadkeys: > Note: > The system doesn't preserve eSIM if Find My initiates erasing the device. - key: forceWatchWristDetection - title: Force Apple Watch Wrist Detection + title: Force Apple Watch wrist detection supportedOS: iOS: introduced: '8.2' @@ -4392,6 +4529,28 @@ payloadkeys: presence: optional default: false content: If `true`, the system forces a paired Apple Watch to use Wrist Detection. +- key: ForceWifiConfigurationOnLockScreen + title: Enable WiFi network selection for login and unlock + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '27.0' + supervised: true + allowmanualinstall: false + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + default: false + content: If `true`, the system allows the user to select WiFi networks at login + or unlock. - key: forceWiFiPowerOn title: Disallow Wi-Fi from being turned off supportedOS: @@ -4459,7 +4618,7 @@ payloadkeys: default: false content: Use `forceWiFiToAllowedNetworksOnly` instead. - key: ratingApps - title: Apps Ranking Number + title: Apps ranking number supportedOS: iOS: userenrollment: @@ -4512,7 +4671,7 @@ payloadkeys: This restriction will require supervision in a future release. - key: ratingAppsExemptedBundleIDs - title: Apps Exempted from Rating Restrictions + title: Apps exempted from rating restrictions supportedOS: iOS: introduced: '26.1' @@ -4534,10 +4693,10 @@ payloadkeys: payloads and any exceptions that parental control apps provide, including ScreenTime. subkeys: - key: ratingAppsExemptedBundleID - title: Exempted App + title: Exempted app type: - key: ratingMovies - title: Movies Ranking Number + title: Movies ranking number supportedOS: iOS: userenrollment: @@ -4571,7 +4730,7 @@ payloadkeys: - `100`: G - `0`: None - key: ratingRegion - title: Region Code + title: Region code supportedOS: visionOS: introduced: n/a @@ -4592,7 +4751,7 @@ payloadkeys: content: The two-letter key that profile tools use to display the proper ratings for the given region. The client doesn't recognize or report this data. - key: ratingTVShows - title: TV Shows Ranking Number + title: TV shows ranking number supportedOS: iOS: userenrollment: @@ -4641,10 +4800,10 @@ payloadkeys: type: presence: optional default: false - content: If `true`, copy-and-paste functionality is limited by the `allowOpenFromManagedToUnmanaged` - and `allowOpenFromUnmanagedToManaged` restrictions. + content: If `true`, the `allowOpenFromManagedToUnmanaged` and `allowOpenFromUnmanagedToManaged` + restrictions also limit copy-and-paste functionality. - key: safariAcceptCookies - title: Accept Cookies in Safari + title: Accept cookies in Safari supportedOS: iOS: userenrollment: @@ -4719,7 +4878,7 @@ payloadkeys: content: If `false`, Safari doesn't execute JavaScript. This restriction will require supervision in a future release. - key: safariAllowPopups - title: Allow Pop-ups + title: Allow pop-ups supportedOS: iOS: userenrollment: @@ -4738,7 +4897,7 @@ payloadkeys: content: If `false`, Safari doesn't allow pop-up windows. Support for this restriction on unsupervised devices is deprecated. - key: safariForceFraudWarning - title: Enable Fraud Warning + title: Enable fraud warning supportedOS: macOS: introduced: n/a @@ -4753,7 +4912,7 @@ payloadkeys: default: false content: If `true`, the system enables Safari fraud warning. - key: whitelistedAppBundleIDs - title: Whitelisted Apps + title: Whitelisted apps supportedOS: iOS: introduced: '9.3' @@ -4773,13 +4932,18 @@ payloadkeys: introduced: n/a type: presence: optional - content: Use `allowListedAppBundleIDs` instead. + content: 'Deprecated: use the declarative management `com.apple.configuration.app.settings` + configuration.' subkeys: - key: appWhitelistedBundleID - title: Whitelisted App + title: Whitelisted app type: notes: - title: '' content: |- > Important: > The system allows multiple Restrictions payloads. However, don't attempt to manage the same restriction in different payloads. Doing so results in unexpected behavior. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.applicationaccess/example1.plist diff --git a/mdm/profiles/com.apple.appstore.yaml b/mdm/profiles/com.apple.appstore.yaml index 7d536ee..5e59985 100644 --- a/mdm/profiles/com.apple.appstore.yaml +++ b/mdm/profiles/com.apple.appstore.yaml @@ -42,9 +42,8 @@ payloadkeys: type: presence: optional default: false - content: If `true`, the system prevents App Store from launching. Available in macOS - 10.14 and later. Restricts installations to software updates only in macOS 10.10 - through 10.13. + content: If `true`, the system prevents App Store from launching. Restricts installations + to software updates only in macOS 10.10 through 10.13. - key: restrict-store-disable-app-adoption supportedOS: macOS: @@ -52,8 +51,7 @@ payloadkeys: type: presence: optional default: false - content: If `true`, the system disables app adoption by users. Available in macOS - 10.10 and later. + content: If `true`, the system disables app adoption by users. - key: DisableSoftwareUpdateNotifications supportedOS: macOS: @@ -61,5 +59,8 @@ payloadkeys: type: presence: optional default: false - content: If `true`, the system disables software update notifications. Available - in macOS 10.10 and later. + content: If `true`, the system disables software update notifications. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.appstore/example1.plist diff --git a/mdm/profiles/com.apple.asam.yaml b/mdm/profiles/com.apple.asam.yaml index 255c275..86b8e57 100644 --- a/mdm/profiles/com.apple.asam.yaml +++ b/mdm/profiles/com.apple.asam.yaml @@ -60,3 +60,7 @@ notes: > Important: > If two dictionaries contain the same `BundleIdentifier` value but a different `TeamIdentifier` value, an error occurs and the system doesn’t install the profile. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.asam/example1.plist diff --git a/mdm/profiles/com.apple.associated-domains.yaml b/mdm/profiles/com.apple.associated-domains.yaml index 7ee4ec6..354bbf6 100644 --- a/mdm/profiles/com.apple.associated-domains.yaml +++ b/mdm/profiles/com.apple.associated-domains.yaml @@ -61,8 +61,12 @@ payloadkeys: default: false content: If `true`, the system enables direct download of data for this domain instead of through a CDN. Set the entitlement value for this domain to `service:domain?mode=managed`; - otherwise, the system ignores this value. Available in macOS 11 and later. + otherwise, the system ignores this value. notes: - title: '' content: You can use associated domains with features such as Extensible AppSSO, universal links, and Password AutoFill. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.associated-domains/example1.plist diff --git a/mdm/profiles/com.apple.caldav.account.yaml b/mdm/profiles/com.apple.caldav.account.yaml index d32ea32..81fe36b 100644 --- a/mdm/profiles/com.apple.caldav.account.yaml +++ b/mdm/profiles/com.apple.caldav.account.yaml @@ -38,23 +38,23 @@ payload: introduced: n/a payloadkeys: - key: CalDAVAccountDescription - title: Account Description + title: Account description type: presence: optional content: The description of the account. - key: CalDAVHostName - title: Account Hostname + title: Account hostname type: presence: required content: The server's address. - key: CalDAVUsername - title: Account Username + title: Account username type: presence: optional content: The user name for logins. If this profile is part of a non-interactive install, the system requires this field. - key: CalDAVPassword - title: Account Password + title: Account password type: presence: optional content: The user's password. Only use this in encrypted profiles. @@ -70,7 +70,7 @@ payloadkeys: default: true content: If `true`, the system enables SSL. - key: CalDAVPort - title: Port Number + title: Port number type: presence: optional content: The server's port. @@ -84,4 +84,7 @@ payloadkeys: type: presence: optional content: The VPNUUID of the per-app VPN the account uses for network communication. - Available in iOS 14 and later. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.caldav.account/example1.plist diff --git a/mdm/profiles/com.apple.carddav.account.yaml b/mdm/profiles/com.apple.carddav.account.yaml index 971c251..c42f1b0 100644 --- a/mdm/profiles/com.apple.carddav.account.yaml +++ b/mdm/profiles/com.apple.carddav.account.yaml @@ -38,7 +38,7 @@ payload: introduced: n/a payloadkeys: - key: CardDAVAccountDescription - title: Account Description + title: Account description supportedOS: macOS: introduced: '10.7' @@ -46,7 +46,7 @@ payloadkeys: presence: optional content: The description of the account. - key: CardDAVHostName - title: Account Hostname + title: Account hostname supportedOS: macOS: introduced: '10.7' @@ -54,7 +54,7 @@ payloadkeys: presence: required content: The server's address. - key: CardDAVUsername - title: Account Username + title: Account username supportedOS: macOS: introduced: '10.7' @@ -62,7 +62,7 @@ payloadkeys: presence: optional content: The user name for logins. - key: CardDAVPassword - title: Account Password + title: Account password supportedOS: macOS: introduced: '10.7' @@ -87,7 +87,7 @@ payloadkeys: default: true content: If `true`, the system enables SSL. - key: CardDAVPort - title: Port Number + title: Port number supportedOS: macOS: introduced: '10.7' @@ -95,7 +95,7 @@ payloadkeys: presence: optional content: The server's port. - key: CommunicationServiceRules - title: Communication Service Rules + title: Communication service rules supportedOS: iOS: introduced: '10.0' @@ -106,7 +106,7 @@ payloadkeys: content: An array of communication service rules for this account. subkeys: - key: DefaultServiceHandlers - title: Default Service Handlers + title: Default service handlers supportedOS: iOS: introduced: '10.0' @@ -137,4 +137,7 @@ payloadkeys: type: presence: optional content: The VPNUUID of the per-app VPN the account uses for network communication. - Available in iOS 14 and later. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.carddav.account/example1.plist diff --git a/mdm/profiles/com.apple.cellular.yaml b/mdm/profiles/com.apple.cellular.yaml index 8cdcd3b..25b01f6 100644 --- a/mdm/profiles/com.apple.cellular.yaml +++ b/mdm/profiles/com.apple.cellular.yaml @@ -60,7 +60,7 @@ payloadkeys: presence: optional content: The password for the user. - key: AllowedProtocolMask - title: Supported IP Versions + title: Supported IP versions supportedOS: iOS: introduced: '10.3' @@ -135,13 +135,13 @@ payloadkeys: - 2 - 3 content: |- - The default Internet Protocol versions. Available in iOS 10.3 but no longer used in iOS 11 and later. Allowed values: + The default Internet Protocol versions. Allowed values: - `1`: IPv4 - `2`: IPv6 - `3`: Both - key: AllowedProtocolMask - title: Supported IP Versions + title: Supported IP versions supportedOS: iOS: introduced: '10.3' @@ -152,13 +152,13 @@ payloadkeys: - 2 - 3 content: |- - The Internet Protocol versions that the system supports. Available in iOS 10.3 and later. Allowed values: + The Internet Protocol versions that the system supports. Allowed values: - `1`: IPv4 - `2`: IPv6 - `3`: Both - key: AllowedProtocolMaskInRoaming - title: Supported Roaming IP Versions + title: Supported roaming IP versions supportedOS: iOS: introduced: '10.3' @@ -169,13 +169,13 @@ payloadkeys: - 2 - 3 content: |- - The Internet Protocol versions that the system supports while roaming. Available in iOS 10.3 and later. Allowed values: + The Internet Protocol versions that the system supports while roaming. Allowed values: - `1`: IPv4 - `2`: IPv6 - `3`: Both - key: AllowedProtocolMaskInDomesticRoaming - title: Supported Roaming IP Versions + title: Supported roaming IP versions supportedOS: iOS: introduced: '10.3' @@ -186,7 +186,7 @@ payloadkeys: - 2 - 3 content: |- - The Internet Protocol versions that the system supports while roaming. Available in iOS 10.3 and later. Allowed values: + The Internet Protocol versions that the system supports while roaming. Allowed values: - `1`: IPv4 - `2`: IPv6 @@ -201,5 +201,8 @@ payloadkeys: type: presence: optional default: false - content: If `true`, the system enables XLAT464. Available in iOS 16 and later - and watchOS 9 and later. + content: If `true`, the system enables XLAT464. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.cellular/example1.plist diff --git a/mdm/profiles/com.apple.cellularprivatenetwork.managed.yaml b/mdm/profiles/com.apple.cellularprivatenetwork.managed.yaml index 21d7742..3476158 100644 --- a/mdm/profiles/com.apple.cellularprivatenetwork.managed.yaml +++ b/mdm/profiles/com.apple.cellularprivatenetwork.managed.yaml @@ -101,3 +101,7 @@ payloadkeys: A string using the 3GPP "CSG_ID" format (defined in 3GPP 23.003, Section 4.7). The device uses this value to match a SIM present on the device. All combinations of `NetworkIdentifier` and `CsgNetworkIdentifier` must be unique across all profiles installed on the device. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.cellularprivatenetwork.managed/example1.plist diff --git a/mdm/profiles/com.apple.conferenceroomdisplay.yaml b/mdm/profiles/com.apple.conferenceroomdisplay.yaml index 72e3f59..9fcc01d 100644 --- a/mdm/profiles/com.apple.conferenceroomdisplay.yaml +++ b/mdm/profiles/com.apple.conferenceroomdisplay.yaml @@ -28,3 +28,7 @@ notes: - title: '' content: Conference Room Display mode locks Apple TV into that mode, to prevent other types of usage. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.conferenceroomdisplay/example1.plist diff --git a/mdm/profiles/com.apple.configurationprofile.identification.yaml b/mdm/profiles/com.apple.configurationprofile.identification.yaml index 42efff3..8850cd7 100644 --- a/mdm/profiles/com.apple.configurationprofile.identification.yaml +++ b/mdm/profiles/com.apple.configurationprofile.identification.yaml @@ -75,3 +75,7 @@ payloadkeys: type: presence: optional content: The additional descriptive text for the user prompt. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.configurationprofile.identification/example1.plist diff --git a/mdm/profiles/com.apple.declarations.yaml b/mdm/profiles/com.apple.declarations.yaml index fa4a17e..9e12ec9 100644 --- a/mdm/profiles/com.apple.declarations.yaml +++ b/mdm/profiles/com.apple.declarations.yaml @@ -50,7 +50,7 @@ payloadkeys: representations of the declaration JSON data. subkeys: - key: DeclarationsItem - title: Declarations Content Item + title: Declarations content item type: presence: required content: An item in the declarations list @@ -61,3 +61,7 @@ notes: > Important: > When a user installs the profile, the device only applies configuration declarations that allow a "local" enrollment. Consult the documentation for each configuration type to see if you can use it. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.declarations/example1.plist diff --git a/mdm/profiles/com.apple.desktop.yaml b/mdm/profiles/com.apple.desktop.yaml index e5b74fc..fe978e1 100644 --- a/mdm/profiles/com.apple.desktop.yaml +++ b/mdm/profiles/com.apple.desktop.yaml @@ -36,3 +36,7 @@ payloadkeys: type: presence: optional content: The path to the desktop picture. If set, this picture is always locked. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.desktop/example1.plist diff --git a/mdm/profiles/com.apple.dnsProxy.managed.yaml b/mdm/profiles/com.apple.dnsProxy.managed.yaml index f18506b..e8ff74c 100644 --- a/mdm/profiles/com.apple.dnsProxy.managed.yaml +++ b/mdm/profiles/com.apple.dnsProxy.managed.yaml @@ -40,19 +40,31 @@ payload: user enrollments via MDM if DNSProxyUUID is specified. payloadkeys: - key: AppBundleIdentifier - title: App Bundle Identifier + title: App bundle identifier type: presence: required content: The bundle identifier of the app containing the DNS proxy network extension. - key: ProviderBundleIdentifier - title: Provider Bundle Identifier + title: Provider bundle identifier type: presence: optional content: The bundle identifier of the DNS proxy network extension to use. Declaring the bundle identifier is useful for apps that contain more than one DNS proxy extension. +- key: ProviderDesignatedRequirement + title: Provider designated requirement + supportedOS: + iOS: + introduced: n/a + visionOS: + introduced: n/a + type: + presence: optional + content: The designated requirement string that the system embeds in the code signature + of the DNS proxy network extension. Use this to correctly identify the DNS proxy + extension when `ProviderBundleIdentifier` is present. - key: ProviderConfiguration - title: Provider Configuration + title: Provider configuration type: presence: optional content: The dictionary of vendor-specific configuration items. @@ -62,7 +74,7 @@ payloadkeys: presence: optional content: Key/value pairs. - key: DNSProxyUUID - title: DNS Proxy UUID + title: DNS proxy UUID supportedOS: iOS: introduced: '16.0' @@ -77,3 +89,7 @@ notes: - title: '' content: Beginning with iOS 15, this profile is unsupervised and needs to be installed through MDM. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.dnsProxy.managed/example1.plist diff --git a/mdm/profiles/com.apple.dnsSettings.managed.yaml b/mdm/profiles/com.apple.dnsSettings.managed.yaml index f6e6ba7..6794aae 100644 --- a/mdm/profiles/com.apple.dnsSettings.managed.yaml +++ b/mdm/profiles/com.apple.dnsSettings.managed.yaml @@ -37,13 +37,13 @@ payload: introduced: n/a payloadkeys: - key: DNSSettings - title: DNS Settings + title: DNS settings type: presence: required content: A dictionary that defines a configuration for an encrypted DNS server. subkeys: - key: DNSProtocol - title: DNS Protocol + title: DNS protocol type: presence: required rangelist: @@ -60,7 +60,7 @@ payloadkeys: are provided, the system uses the hostname or address in the URL to determine the server addresses. Required if `DNSProtocol` is `HTTPS`. - key: ServerName - title: Server Name + title: Server name type: presence: optional content: The hostname of a DNS-over-TLS server used to validate the server certificate, @@ -68,17 +68,17 @@ payloadkeys: the hostname to determine the server addresses. This key must be present only if the DNSProtocol is `TLS`. - key: ServerAddresses - title: DNS Server Addresses + title: DNS server addresses type: presence: optional content: An unordered list of DNS server IP address strings. These IP addresses can be a mixture of IPv4 and IPv6 addresses. subkeys: - key: ServerAddressesElement - title: Server Address Element + title: Server address element type: - key: AllowFailover - title: Allow Failover + title: Allow failover supportedOS: iOS: introduced: '26.0' @@ -103,7 +103,7 @@ payloadkeys: content: The UUID that points to an identity certificate payload. The system uses this identity to authenticate the user to the DNS resolver. - key: SupplementalMatchDomains - title: Supplemental Match Domains + title: Supplemental match domains type: presence: optional content: |- @@ -112,10 +112,10 @@ payloadkeys: The system supports a single wildcard (`*`) prefix, but it's not required. For example, both `*.example.com` and `example.com` match against `mydomain.example.com` and `your.domain.example.com`, but don't match against `mydomain-example.com`. subkeys: - key: SupplementalMatchDomainsElement - title: Supplemental Match Domains Element + title: Supplemental match domains element type: - key: OnDemandRules - title: On Demand Rules + title: On demand rules type: presence: optional content: An array of rules that define the DNS settings. If not set, the system @@ -124,11 +124,11 @@ payloadkeys: subkeytype: OnDemandRulesElement subkeys: - key: OnDemandRulesElement - title: On Demand Rules Element + title: On demand rules element type: subkeys: - key: Action - title: On Demand Action + title: On demand action type: presence: required rangelist: @@ -142,14 +142,14 @@ payloadkeys: - `Disconnect`: Don't apply DNS Settings when the dictionary matches. - `EvaluateConnection`: Apply DNS Settings with per-domain exceptions when the dictionary matches. - key: ActionParameters - title: Action Parameters + title: Action parameters type: presence: optional content: An array of dictionaries that provide per-connection rules. The system uses this array only for settings where the `Action` value is `EvaluateConnection`. subkeys: - key: ActionParameter - title: Action Parameter + title: Action parameter type: presence: optional content: |- @@ -163,10 +163,10 @@ payloadkeys: content: The domains for which this evaluation applies. subkeys: - key: DomainsElement - title: Domains Element + title: Domains element type: - key: DomainAction - title: Domain Action + title: Domain action type: presence: required rangelist: @@ -178,7 +178,7 @@ payloadkeys: * 'NeverConnect': Don't use the DNS Settings for the specified domains. * 'ConnectIfNeeded': Allow using the DNS Settings for the specified domains. - key: DNSDomainMatch - title: DNS Domain Match + title: DNS domain match type: presence: optional content: |- @@ -187,10 +187,10 @@ payloadkeys: The system supports a single wildcard (`*`) prefix, but it's not required. For example, both `*.example.com` and `example.com` match against `mydomain.example.com` and `your.domain.example.com`, but don't match against `mydomain-example.com`. subkeys: - key: DNSDomainMatchElement - title: DNS Domain Match Element + title: DNS domain match element type: - key: DNSServerAddressMatch - title: DNS Server Address Match + title: DNS server address match type: presence: optional content: |- @@ -199,10 +199,10 @@ payloadkeys: The system supports matching with a single wildcard. For example, `17.*` matches any DNS server in the 17.0.0.0/8 subnet. subkeys: - key: DNSServerAddressMatchElement - title: DNS Server Address Match Element + title: DNS server address match element type: - key: InterfaceTypeMatch - title: Interface Type Match + title: Interface type match type: presence: optional rangelist: @@ -212,7 +212,7 @@ payloadkeys: content: An interface type. If specified, this rule matches only if the primary network interface hardware matches the specified type. - key: SSIDMatch - title: SSID Match + title: SSID match type: presence: optional content: An array of SSIDs to match against the current network. If the network @@ -220,16 +220,29 @@ payloadkeys: fails. Omit this key and the corresponding array to match against any SSID. subkeys: - key: SSIDMatchElement - title: SSID Match Element + title: SSID match element type: - key: URLStringProbe - title: URL String Probe + title: URL string probe type: presence: optional content: A URL to probe. This rule matches if this URL is successfully fetched and returns a 200 HTTP status code without redirection. - key: ProhibitDisablement - title: Prohibit Disablement + title: Prohibit disablement + supportedOS: + iOS: + supervised: true + userenrollment: + mode: forbidden + macOS: + supervised: true + userenrollment: + mode: forbidden + visionOS: + supervised: true + userenrollment: + mode: forbidden type: presence: optional default: false diff --git a/mdm/profiles/com.apple.dock.yaml b/mdm/profiles/com.apple.dock.yaml index be01e76..4dfb309 100644 --- a/mdm/profiles/com.apple.dock.yaml +++ b/mdm/profiles/com.apple.dock.yaml @@ -188,7 +188,7 @@ payloadkeys: type: presence: optional content: |- - One or more special folders that may be created at user login time and placed in the Dock. + One or more special folders that the device may create at user login time and place in the Dock. @@ -210,7 +210,7 @@ payloadkeys: default: false content: If `true`, use the file in `/Library/Preferences/com.apple.dockfixup.plist` when a new user or migrated user logs in. This option has no effect for existing - users. Available in macOS 10.12 and later. Only available on the device channel. + users. Only available on the device channel. - key: static-only type: presence: optional @@ -222,8 +222,8 @@ payloadkeys: - key: static-others type: presence: optional - content: An array of items located on the Documents side of the Dock and cannot - be removed from that location. + content: An array of items located on the Documents side of the Dock that users + can't remove from that location. subkeytype: StaticItem subkeys: &id001 - key: StaticItem @@ -277,21 +277,25 @@ payloadkeys: - key: static-apps type: presence: optional - content: An array of items located on the Applications side of the Dock and cannot - be removed from that location. + content: An array of items located on the Applications side of the Dock that users + can't remove from that location. subkeytype: StaticItem subkeys: *id001 - key: persistent-apps type: presence: optional - content: An array of items located on the Applications side of the Dock that can - be removed from the Dock. + content: An array of items located on the Applications side of the Dock that users + can remove from the Dock. subkeytype: StaticItem subkeys: *id001 - key: persistent-others type: presence: optional - content: An array of items located on the Documents side of the Dock that can be - removed from the Dock. + content: An array of items located on the Documents side of the Dock that users + can remove from the Dock. subkeytype: StaticItem subkeys: *id001 +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.dock/example1.plist diff --git a/mdm/profiles/com.apple.domains.yaml b/mdm/profiles/com.apple.domains.yaml index b13ffc2..e0feb43 100644 --- a/mdm/profiles/com.apple.domains.yaml +++ b/mdm/profiles/com.apple.domains.yaml @@ -39,37 +39,33 @@ payload: content: This payload defines web domains that are under an enterprise's management. payloadkeys: - key: EmailDomains - title: Email Domains + title: Email domains supportedOS: visionOS: introduced: n/a type: presence: optional - content: |- - An array of domains. Mail marks in red all email addresses that lack a suffix matching any of these strings. - - Available in iOS 8 and later and macOS 10.10 and later. + content: An array of domains. Mail marks in red all email addresses that lack a + suffix matching any of these strings. subkeys: - key: EmailDomainsItem type: presence: required content: An email address. - key: WebDomains - title: Web Domains + title: Web domains supportedOS: macOS: introduced: n/a type: presence: optional - content: |- - An array of domains. The system considers URLs matching the patterns listed in this property managed. - - Available in iOS 9.3 and later. + content: An array of domains. The system considers URLs matching the patterns listed + in this property managed. subkeys: - key: WebDomainsItem type: - key: SafariPasswordAutoFillDomains - title: Password Autofill Domains + title: Password autofill domains supportedOS: iOS: introduced: '9.3' @@ -83,14 +79,12 @@ payloadkeys: content: |- An array of domains. Users can only save passwords in Safari from URLs matching the patterns listed here. This property doesn't disable the autofill feature itself. - Supervised devices or Shared iPads need this property to enable saving passwords in Safari. - - Available in iOS 9.3 and later. + Supervised devices or Shared iPad need this property to enable saving passwords in Safari. subkeys: - key: SafariPasswordAutoFillDomainsItem type: - key: CrossSiteTrackingPreventionRelaxedDomains - title: Cross-Site Tracking Prevention Relaxed Domains + title: Cross-site tracking prevention relaxed domains supportedOS: iOS: introduced: '16.2' @@ -103,15 +97,13 @@ payloadkeys: allowmanualinstall: false type: presence: optional - content: |- - An array of up to 10 strings. URLs matching the patterns listed here have relaxed enforcement of cross-site tracking prevention. - - Available in iOS 16.2 and later and macOS 13.1 and later. + content: An array of up to 10 strings. URLs matching the patterns listed here have + relaxed enforcement of cross-site tracking prevention. subkeys: - key: CrossSiteTrackingPreventionRelaxedDomainItem type: - key: CrossSiteTrackingPreventionRelaxedApps - title: Cross-Site Tracking Prevention Relaxed Apps + title: Cross-site tracking prevention relaxed apps supportedOS: iOS: introduced: '18.0' @@ -124,10 +116,9 @@ payloadkeys: allowmanualinstall: false type: presence: optional - content: |- - An array of up to 10 strings representing app bundle-ids. Apps matching the bundle-ids listed here have relaxed enforcement of cross-site tracking prevention for the domains listed in `CrossSiteTrackingPreventionRelaxedDomains`. - - Available in iOS 18 and later and macOS 15 and later. + content: An array of up to 10 strings representing app bundle-ids. Apps matching + the bundle-ids listed here have relaxed enforcement of cross-site tracking prevention + for the domains listed in `CrossSiteTrackingPreventionRelaxedDomains`. subkeys: - key: CrossSiteTrackingPreventionRelaxedAppsItem type: @@ -149,3 +140,7 @@ notes: Trailing slashes are ignored. If a domain string contains a port number, the system considers only addresses that specify that port number managed. Otherwise, the system matches the domain without regard to the port number specified. For example, the pattern `*.example.com:8080` matches `http://site.example.com:8080/page.html` but not `http://site.example.com/page.html`, while the pattern `*.example.com` matches both URLs. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.domains/example1.plist diff --git a/mdm/profiles/com.apple.eas.account.yaml b/mdm/profiles/com.apple.eas.account.yaml index dcc217d..8d49ea4 100644 --- a/mdm/profiles/com.apple.eas.account.yaml +++ b/mdm/profiles/com.apple.eas.account.yaml @@ -32,13 +32,13 @@ payload: Updating this payload overrides any settings that the user customized, such as EnableMail/Contacts/Calendars/Reminders/Notes and MailNumberOfPastDaysToSync. payloadkeys: - key: EmailAddress - title: Email Address + title: Email address type: presence: optional content: The full email address for the account. If not present in the payload, the device prompts for this string during profile installation. - key: Host - title: Exchange ActiveSync Host + title: Exchange ActiveSync host type: presence: optional content: The Exchange server host name or IP address. @@ -72,7 +72,7 @@ payloadkeys: presence: optional content: The password of the account. Use only with encrypted profiles. - key: Certificate - title: Authentication Credential + title: Authentication credential supportedOS: iOS: introduced: '7.0' @@ -81,7 +81,7 @@ payloadkeys: content: The `.p12` identity certificate in NSData blob format, for accounts that allow authentication via certificate. - key: CertificateName - title: Authentication Credential Name + title: Authentication credential name supportedOS: iOS: introduced: '7.0' @@ -89,13 +89,13 @@ payloadkeys: presence: optional content: The name or description of the certificate. - key: CertificatePassword - title: Authentication Credential Password + title: Authentication credential password type: presence: optional content: The password necessary for the `.p12` identity certificate. Used with mandatory encryption of profiles. - key: PreventMove - title: Prevent Move + title: Prevent move supportedOS: iOS: introduced: '5.0' @@ -106,7 +106,7 @@ payloadkeys: into another account. This setting also prevents forwarding or replying from an account other than the recipient of the message. - key: PreventAppSheet - title: Prevent App Sheet + title: Prevent app sheet supportedOS: iOS: introduced: '5.0' @@ -116,7 +116,7 @@ payloadkeys: content: If `true`, prevents this account from sending mail in any app other than the Apple Mail app. - key: PayloadCertificateUUID - title: Payload Certificate UUID + title: Payload certificate UUID type: presence: optional format: ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$ @@ -124,7 +124,7 @@ payloadkeys: the identity credential. If this field is present, the Certificate field isn't used. - key: SMIMEEnabled - title: S/MIME Enabled + title: S/MIME enabled supportedOS: iOS: introduced: '5.0' @@ -137,17 +137,16 @@ payloadkeys: content: If `true`, the system enables S/MIME encryption. In iOS 10.0 and later, this key is ignored. Use `SMIMESigningEnabled` instead. - key: SMIMESigningEnabled - title: S/MIME Signing Enabled + title: S/MIME signing enabled supportedOS: iOS: introduced: '10.3' type: presence: optional default: false - content: If `true`, the system enables S/MIME signing for this account. Available - in iOS 10.0 and later. + content: If `true`, the system enables S/MIME signing for this account. - key: SMIMESigningCertificateUUID - title: S/MIME Signing Certificate + title: S/MIME signing certificate supportedOS: iOS: introduced: '5.0' @@ -157,7 +156,7 @@ payloadkeys: content: The UUID of the identity certificate used to sign messages sent from this account. - key: SMIMEEncryptionEnabled - title: S/MIME Encryption Enabled + title: S/MIME encryption enabled supportedOS: iOS: introduced: '10.3' @@ -167,11 +166,10 @@ payloadkeys: type: presence: optional default: false - content: If `true`, the system enables S/MIME encryption for this account. Available - in iOS 10.0 and later. As of iOS 12.0, this key is deprecated. Use `SMIMEEncryptByDefault` - instead. + content: If `true`, the system enables S/MIME encryption for this account. This + key is deprecated. Use `SMIMEEncryptByDefault` instead. - key: SMIMEEncryptionCertificateUUID - title: S/MIME Encryption Certificate + title: S/MIME encryption certificate supportedOS: iOS: introduced: '5.0' @@ -184,7 +182,7 @@ payloadkeys: the system uses the public certificate to encrypt the copy of the mail in the user's Sent mailbox. - key: SMIMEEnablePerMessageSwitch - title: S/MIME Enable Per-Message Switch + title: S/MIME enable per-message switch supportedOS: iOS: introduced: '8.0' @@ -197,15 +195,15 @@ payloadkeys: content: |- If `true`, the system displays the per-message encryption switch in the Mail Compose UI. - Available in iOS 8.0 and later. As of iOS 12.0, this key is deprecated. Use `SMIMEEnableEncryptionPerMessageSwitch` instead. + This key is deprecated. Use `SMIMEEnableEncryptionPerMessageSwitch` instead. - key: disableMailRecentsSyncing - title: Disable Mail Recents Syncing + title: Disable mail recents syncing type: presence: optional default: false content: If `true`, the system excludes this account from Recent Addresses syncing. - key: MailNumberOfPastDaysToSync - title: Past Days of Mail to Sync + title: Past days of mail to sync type: presence: optional rangelist: @@ -230,7 +228,7 @@ payloadkeys: presence: optional content: The value of the `X-Apple-Config-Magic` header in each EAS HTTP request. - key: CommunicationServiceRules - title: Communication Service Rules + title: Communication service rules supportedOS: iOS: introduced: '10.0' @@ -239,7 +237,7 @@ payloadkeys: content: The communication service handler rules for this account. subkeys: - key: DefaultServiceHandlers - title: Default Service Handlers + title: Default service handlers supportedOS: iOS: introduced: '10.0' @@ -257,7 +255,7 @@ payloadkeys: content: The bundle identifier of the default application to use for audio calls made to contacts from this account. - key: allowMailDrop - title: Allow Mail Drop + title: Allow mail drop supportedOS: iOS: introduced: '9.2' @@ -272,8 +270,7 @@ payloadkeys: type: presence: optional default: false - content: If `true`, the user can turn S/MIME signing on or off in Settings. Available - in iOS 12.0 and later. + content: If `true`, the user can turn S/MIME signing on or off in Settings. - key: SMIMESigningCertificateUUIDUserOverrideable supportedOS: iOS: @@ -281,8 +278,7 @@ payloadkeys: type: presence: optional default: false - content: If `true`, the user can select the signing identity. Available in iOS 12.0 - and later. + content: If `true`, the user can select the signing identity. - key: SMIMEEncryptByDefault supportedOS: iOS: @@ -291,7 +287,7 @@ payloadkeys: presence: optional default: false content: If `true`, the system enables S/MIME encryption by default. If `SMIMEEnableEncryptionPerMessageSwitch` - is `false`, the user can't change this default. Available in iOS 12.0 and later. + is `false`, the user can't change this default. - key: SMIMEEncryptByDefaultUserOverrideable supportedOS: iOS: @@ -300,7 +296,7 @@ payloadkeys: presence: optional default: false content: If `true`, the system enables encryption by default and the user can't - change it. Available in iOS 12.0 and later. + change it. - key: SMIMEEncryptionCertificateUUIDUserOverrideable supportedOS: iOS: @@ -309,7 +305,7 @@ payloadkeys: presence: optional default: false content: If `true`, the user can select the S/MIME encryption identity, and encryption - is on.Available in iOS 12.0 and later. + is on. - key: SMIMEEnableEncryptionPerMessageSwitch supportedOS: iOS: @@ -318,7 +314,7 @@ payloadkeys: presence: optional default: false content: If `true`, the system displays the per-message encryption switch in the - Mail Compose UI. Available in iOS 12.0 and later. + Mail Compose UI. - key: EnableMail supportedOS: iOS: @@ -449,7 +445,7 @@ payloadkeys: presence: optional default: false content: If `true`, the system overrides the previous user/EAS password with the - new EAS password in the payload. Available in iOS 14 and later. + new EAS password in the payload. - key: VPNUUID title: VPNUUID supportedOS: @@ -458,4 +454,7 @@ payloadkeys: type: presence: optional content: The VPNUUID of the per-app VPN the account uses for network communication. - Available in iOS 14 and later. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.eas.account/example1.plist diff --git a/mdm/profiles/com.apple.education.yaml b/mdm/profiles/com.apple.education.yaml index 03c1ac5..56d7170 100644 --- a/mdm/profiles/com.apple.education.yaml +++ b/mdm/profiles/com.apple.education.yaml @@ -308,15 +308,19 @@ payloadkeys: notes: - title: '' content: |- - In iOS, send this payload over the device channel. Additionally, the system requires supervision unless the payload only specifies as teacher configuration. + In iOS, send this payload over the device channel. Additionally, the system requires supervision unless the payload only specifies a teacher configuration. In macOS, send this payload over the user channel. The system supports student payloads in macOS 10.14.4 and later. - Additionally, configure: + Additionally, ensure: - - All identities as both SSL clients and servers - - All certificates with a key size of at least 2048 bits - - All certificates to use a hashing algorithm of SHA256 or stronger - - Leader certificates to have the common name prefix leader, which is case-insensitive - - Member certificates to have the common name prefix member, which is case-insensitive - - TLS server certificates issued on or after September 1, 2020 00:00 GMT/UTC to have a validity period greater than 398 days; see [About Upcoming Limits on Trusted Certificates](https://support.apple.com/en-us/HT211025) for more information. + - You configure all identities as both TLS clients and servers + - You configure all certificates with a key size of at least 2048 bits + - You configure all certificates to use a hashing algorithm of SHA256 or stronger + - You configure leader certificates to have the common name prefix "leader", which is case-insensitive + - You configure member certificates to have the common name prefix "member", which is case-insensitive + - You configure TLS server certificates issued on or after September 1, 2020 00:00 GMT/UTC to have a validity period greater than 398 days; see [About Upcoming Limits on Trusted Certificates](https://support.apple.com/en-us/HT211025) for more information. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.education/example1.plist diff --git a/mdm/profiles/com.apple.ews.account.yaml b/mdm/profiles/com.apple.ews.account.yaml index 18fddb9..6552b79 100644 --- a/mdm/profiles/com.apple.ews.account.yaml +++ b/mdm/profiles/com.apple.ews.account.yaml @@ -49,7 +49,7 @@ payloadkeys: presence: optional default: false content: If `true`, the system enables OAuth for authentication. Don't specify a - password if `OAuth` is `true`. Available in macOS 10.14 and later + password if `OAuth` is `true`. - key: OAuthSignInURL title: URL for OAuth sign-in supportedOS: @@ -70,7 +70,7 @@ payloadkeys: presence: optional content: The password of the account. Use only with encrypted profiles. - key: PayloadCertificateUUID - title: Payload Certificate UUID + title: Payload certificate UUID supportedOS: macOS: introduced: '10.12' @@ -89,7 +89,7 @@ payloadkeys: the identity credential. Supported on macOS 10.11 or later. On macOS 10.12 or later use the PayloadCertificateUUID. - key: allowMailDrop - title: Allow Mail Drop + title: Allow mail drop supportedOS: macOS: introduced: '10.12' @@ -122,3 +122,7 @@ payloadkeys: type: presence: optional content: The external server port number. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.ews.account/example1.plist diff --git a/mdm/profiles/com.apple.extensiblesso(kerberos).yaml b/mdm/profiles/com.apple.extensiblesso(kerberos).yaml index 51adf7e..9e8366b 100644 --- a/mdm/profiles/com.apple.extensiblesso(kerberos).yaml +++ b/mdm/profiles/com.apple.extensiblesso(kerberos).yaml @@ -117,7 +117,7 @@ payloadkeys: default: false content: If `true`, the Kerberos extension allows only managed apps to access and use the credential. This is in addition to the `credentialBundleIDACL`, - if you specify that value. Available in iOS 14 and later, and macOS 12 and later. + if you specify that value. - key: includeKerberosAppsInBundleIdACL supportedOS: iOS: @@ -132,7 +132,7 @@ payloadkeys: content: If `true`, the Kerberos extension allows the standard Kerberos utilities including `TicketViewer` and `klist` to access and use the credential. This is in addition to `includeManagedAppsInBundleIdACL` or the `credentialBundleIdACL`, - if you specify those values. Available in macOS 12 and later. + if you specify those values. - key: domainRealmMapping type: presence: optional @@ -165,7 +165,7 @@ payloadkeys: type: presence: optional content: The custom user name label used in the Kerberos extension instead of - "Username," such as "Company ID". Available in macOS 11 and later. + "Username," such as "Company ID". - key: helpText supportedOS: iOS: @@ -175,8 +175,7 @@ payloadkeys: type: presence: optional content: The text to display to the user at the bottom of the Kerberos Login Window. - You can also use this to display help information or disclaimer text. Available - in iOS 14 and later, and macOS 11 and later. + You can also use this to display help information or disclaimer text. - key: allowPasswordChange supportedOS: iOS: @@ -186,8 +185,7 @@ payloadkeys: type: presence: optional default: true - content: If `false`, the system disables password changes. Available in macOS - 10.15 and later. + content: If `false`, the system disables password changes. - key: allowAutomaticLogin type: presence: optional @@ -210,8 +208,7 @@ payloadkeys: type: presence: optional content: The number of days that the system allows using passwords on this domain. - For most domains, this calculation is automatic. Available in macOS 10.15 and - later. + For most domains, this calculation is automatic. - key: pwNotificationDays supportedOS: iOS: @@ -222,8 +219,7 @@ payloadkeys: presence: optional default: 15 content: The number of days prior to password expiration when the system sends - a notification of password expiration to the user. Available in macOS 10.15 - and later. + a notification of password expiration to the user. - key: pwReqLength supportedOS: iOS: @@ -232,8 +228,7 @@ payloadkeys: introduced: n/a type: presence: optional - content: The minimum length of passwords on the domain.Available in macOS 10.15 - and later. + content: The minimum length of passwords on the domain. - key: pwReqComplexity supportedOS: iOS: @@ -244,7 +239,7 @@ payloadkeys: presence: optional default: false content: If `true`, the system requires passwords to meet Active Directory's definition - of "complex". Available in macOS 10.15 and later. + of "complex". - key: pwReqMinAge supportedOS: iOS: @@ -254,7 +249,7 @@ payloadkeys: type: presence: optional content: The minimum age of passwords before the system allows changing them on - this domain. Available in macOS 10.15 and later. + this domain. - key: pwReqHistory supportedOS: iOS: @@ -264,7 +259,7 @@ payloadkeys: type: presence: optional content: The number of prior passwords that the system disallows reuse on this - domain. Available in macOS 10.15 and later. + domain. - key: pwReqText supportedOS: iOS: @@ -274,8 +269,7 @@ payloadkeys: type: presence: optional content: The text version of the domain's password requirements. Only for use - if `pwReqComplexity` or `pwReqLength` aren't specified. Available in macOS 10.15 - and later. + if `pwReqComplexity` or `pwReqLength` aren't specified. - key: pwReqRTFData supportedOS: iOS: @@ -287,8 +281,7 @@ payloadkeys: type: presence: optional content: The RTF file formatted version of the domain's password requirements. - Only for use if `pwReqComplexity` or `pwReqLength` aren't specified. Available - in macOS 15 and later. + Only for use if `pwReqComplexity` or `pwReqLength` aren't specified. - key: pwChangeURL supportedOS: iOS: @@ -298,7 +291,7 @@ payloadkeys: type: presence: optional content: This URL will launch in the user's default web browser when they initiate - a password change. Available in macOS 10.15 and later. + a password change. - key: syncLocalPassword supportedOS: iOS: @@ -309,8 +302,7 @@ payloadkeys: presence: optional default: false content: If `false`, the system disables password sync. Note that this will not - work if the user is logged in with a mobile account. Available in macOS 10.15 - and later. + work if the user is logged in with a mobile account. - key: replicationTime supportedOS: iOS: @@ -325,7 +317,7 @@ payloadkeys: default: 900 content: The time, in seconds, required to replicate changes in the Active Directory domain. The Kerberos extension uses this when checking password age after a - change. Available in macOS 11 and later. + change. - key: delayUserSetup supportedOS: iOS: @@ -339,7 +331,7 @@ payloadkeys: default: false content: If `true`, the system doesn't prompt the user to setup the Kerberos extension until either the administrator enables it with the `app-sso` tool or the system - receives a Kerberos challenge. Available in macOS 11 and later. + receives a Kerberos challenge. - key: monitorCredentialsCache supportedOS: iOS: @@ -353,7 +345,7 @@ payloadkeys: default: true content: If `false`, the system requests the credential on the next matching Kerberos challenge or network state change. If the credential is expired or missing, - the system creates a new one. Available in macOS 11 and later. + the system creates a new one. - key: requireTLSForLDAP supportedOS: iOS: @@ -363,7 +355,7 @@ payloadkeys: type: presence: optional default: false - content: Require that LDAP connections use TLS. Available in macOS 11 and later. + content: Require that LDAP connections use TLS. - key: credentialUseMode supportedOS: iOS: @@ -383,8 +375,6 @@ payloadkeys: - `always`: The system always uses the credential if the SPN matches the Kerberos Extension `Hosts` array and the caller hasn't specified another credential. However, the system won't use the credential if the calling app isn't in the `credentialBundleIDACL`. - `whenNotSpecified`: The system only uses the extension credential if the SPN matches the Kerberos Extension `Hosts` array. However, the system won't use the credential if the calling app isn't in the `credentialBundleIDACL`. - `kerberosDefault`: The system uses the default Kerberos processes to select credentials, and normally uses the default Kerberos credential. This is the same as turning off this capability. - - Available in macOS 11 and later. - key: preferredKDCs supportedOS: iOS: @@ -394,7 +384,7 @@ payloadkeys: type: presence: optional content: |- - The ordered list of preferred Key Distribution Centers (KDCs) to use for Kerberos traffic. Use this if the servers aren't discoverable through DNS. If the servers are specified, then the system uses them for both connectivity checks and attempts to use them first for Kerberos traffic. If the servers don't respond, the device falls back to DNS discovery. Format each entry the same as it would be in a `krb5.conf` file, for example: + The ordered list of preferred Key Distribution Centers (KDCs) to use for Kerberos traffic. Use this if the servers aren't discoverable through DNS. If you specify the servers, the system uses them for both connectivity checks and attempts to use them first for Kerberos traffic. If the servers don't respond, the device falls back to DNS discovery. Format each entry the same as it would be in a `krb5.conf` file, for example: - `adserver1.example.com` - `tcp/adserver1.example.com:88` @@ -416,7 +406,7 @@ payloadkeys: presence: optional default: false content: If `true`, the system requires this configuration uses a TGT from Platform - SSO instead of requesting a new one. Available in macOS 13 and later. + SSO instead of requesting a new one. - key: allowPlatformSSOAuthFallback supportedOS: iOS: @@ -429,7 +419,7 @@ payloadkeys: presence: optional default: true content: If `true` and `usePlatformSSOTGT` is `true`, the system allows the user - to manually sign in. Available in macOS 13 and later. + to manually sign in. - key: performKerberosOnly supportedOS: iOS: @@ -442,7 +432,7 @@ payloadkeys: content: If `true`, the Kerberos Extension handles Kerberos requests only. It doesn't check for password expiration, show the password expiration in the menu, check for external password changes, perform password sync, or retrieve the - home directory. Available in macOS 13 and later. + home directory. - key: identityIssuerAutoSelectFilter supportedOS: iOS: @@ -454,9 +444,8 @@ payloadkeys: type: presence: optional content: A string with wildcards that can use used to filter the list of available - SmartCards by issuer. e.g "\*My CA2\*". If there is one remaining, it will be - auto-selected. If there more than one remaining, then the list is shorter. Available - in macOS 15 and later. + SmartCards by issuer. e.g "\*My CA2\*". If there's one remaining, it will be + auto-selected. If there more than one remaining, then the list is shorter. - key: allowSmartCard supportedOS: iOS: @@ -469,7 +458,6 @@ payloadkeys: presence: optional default: true content: If `true`, allow the user to switch the user interface to SmartCard mode. - Available in macOS 15 and later. - key: allowPassword supportedOS: iOS: @@ -482,7 +470,6 @@ payloadkeys: presence: optional default: true content: If `true`, allow the user to switch the user interface to Password mode. - Available in macOS 15 and later. - key: startInSmartCardMode supportedOS: iOS: @@ -494,8 +481,7 @@ payloadkeys: type: presence: optional default: false - content: If `true`, the user interface will start in SmartCard mode. Available - in macOS 15 and later. + content: If `true`, the user interface will start in SmartCard mode. - key: Hosts type: presence: optional @@ -521,3 +507,7 @@ notes: This is a version of the profile that defines the specific keys and values needed for the Kerberos extension. The system supports user channel installation in macOS 11 and later. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.extensiblesso(kerberos)/example1.plist diff --git a/mdm/profiles/com.apple.extensiblesso.yaml b/mdm/profiles/com.apple.extensiblesso.yaml index aafe57b..356ec0a 100644 --- a/mdm/profiles/com.apple.extensiblesso.yaml +++ b/mdm/profiles/com.apple.extensiblesso.yaml @@ -53,8 +53,8 @@ payloadkeys: introduced: n/a type: presence: optional - content: The team identifier of the app extension. This key is required on macOS - and ignored elsewhere. + content: The team identifier of the app extension. The device requires this key + on macOS and ignores it elsewhere. - key: Type type: presence: required @@ -131,8 +131,7 @@ payloadkeys: content: If set to `Cancel`, the system cancels authentication requests when the screen is locked. If set to `DoNotHandle`, the request continues without SSO instead. This doesn't apply to requests where `userInterfaceEnabled` is `false`, or for - background `URLSession` requests. Available in iOS 15 and later, and macOS 12 - and later. + background `URLSession` requests. - key: DeniedBundleIdentifiers supportedOS: iOS: @@ -142,7 +141,7 @@ payloadkeys: type: presence: optional content: An array of bundle identifiers of apps that don't use SSO provided by this - extension. Available in iOS 15 and later, and macOS 12 and later. + extension. subkeys: - key: bundleIdentifier type: @@ -163,8 +162,7 @@ payloadkeys: - Password - UserSecureEnclaveKey content: The Platform SSO authentication method the extension uses. Requires that - the SSO Extension also supports the method. Available in macOS 13 and later, and - deprecated in macOS 14. + the SSO Extension also supports the method. - key: RegistrationToken supportedOS: iOS: @@ -177,7 +175,7 @@ payloadkeys: presence: optional content: The token this device uses for registration with Platform SSO. Use it for silent registration with the Identity Provider. Requires that `AuthenticationMethod` - in `PlatformSSO` isn't empty. Available in macOS 13 and later. + in `PlatformSSO` isn't empty. - key: PlatformSSO supportedOS: iOS: @@ -188,8 +186,7 @@ payloadkeys: introduced: n/a type: presence: optional - content: The dictionary to configure Platform SSO. Requires `Type` to be set to - `Redirect`. + content: The dictionary to configure Platform SSO. Requires setting `Type` to `Redirect`. subkeys: - key: AuthenticationMethod type: @@ -198,8 +195,10 @@ payloadkeys: - Password - UserSecureEnclaveKey - SmartCard + - OpenID content: The Platform SSO authentication method to use with the extension. Requires - that the SSO Extension also support the method. + that the SSO Extension also support the method. `OpenID` is available in macOS + 27 and later. - key: UseSharedDeviceKeys supportedOS: macOS: @@ -276,12 +275,14 @@ payloadkeys: - Password - SmartCard - AccessKey + - OpenID content: |- An authentication method to use for newly created accounts at login or during `Setup Assistant`. Allowed values: - - `Password`: The account uses a password for authentication. - - `SmartCard`: The account uses a smart card for authentication. - - `AccessKey`: The account uses an access key for authentication. + * `Password`: The account uses a password for authentication. + * `SmartCard`: The account uses a smart card for authentication. + * `AccessKey`: The account uses an access key for authentication. + * `OpenID`: The account uses OpenID for authentication. Available in macOS 27 and later. - key: NewUserAuthorizationMode type: presence: optional @@ -293,10 +294,10 @@ payloadkeys: content: |- The permission to apply to newly created accounts at login. Allowed values: - - `Standard`: The account is a standard user. - - `Admin`: The system adds the account to the local administrators group. - - `Groups`: The system assigns groups to the account using `AdministratorGroups`, `AdditionalGroups`, or `AuthorizationGroups`. - - `Temporary`: The system uses a temporary session configuration for newly created accounts at login. + * `Standard`: The account is a standard user. + * `Admin`: The system adds the account to the local administrators group. + * `Groups`: The system assigns groups to the account using `AdministratorGroups`, `AdditionalGroups`, or `AuthorizationGroups`. + * `Temporary`: The system uses a temporary session configuration for newly created accounts at login. - key: UserAuthorizationMode type: presence: optional @@ -307,9 +308,9 @@ payloadkeys: content: |- The permission to apply to an account each time the user authenticates. Allowed values: - - `Standard`: The account is a standard user. - - `Admin`: The system adds the account to the local administrators group. - - `Groups`: The system assigns group to the account using `AdministratorGroups`, `AdditionalGroups`, or `AuthorizationGroups`. + * `Standard`: The account is a standard user. + * `Admin`: The system adds the account to the local administrators group. + * `Groups`: The system assigns group to the account using `AdministratorGroups`, `AdditionalGroups`, or `AuthorizationGroups`. - key: AdministratorGroups type: presence: optional @@ -388,9 +389,16 @@ payloadkeys: introduced: '15.0' type: presence: optional - content: The policy to apply when using Platform SSO at FileVault unlock on a - Mac with Apple silicon. Applies when `AuthenticationMethod` is `Password`. Available - in macOS 15 and later. + content: |- + The policy to apply when using Platform SSO at FileVault unlock on a Mac with Apple silicon. Applies when `AuthenticationMethod` is `Password`. + + * `AttemptAuthentication`: The device attempts Platform SSO authentication before proceeding. If offline, unlock continues if the local account password matches. If online and the credential is incorrect, then the device requires a successful Platform SSO authentication, even if taken offline. + * `RequireAuthentication`: The device requires Platform SSO authentication before proceeding. If the device is offline and `AllowOfflineGracePeriod` is enabled, then the device uses the offline `OfflineGracePeriod` to determine if the user can proceed or not. If online and the credential is incorrect, then the device requires a valid Platform SSO authentication to proceed, regardless of the `OfflineGracePeriod`. If the account isn't registered for Platform SSO and `AllowAuthenticationGracePeriod` is enabled, then the device uses `AuthenticationGracePeriod` to determine if the user can proceed or not. + * `AllowOfflineGracePeriod`: The device allows the use of the `OfflineGracePeriod` when `RequireAuthentication` is enabled. If `AllowOfflineGracePeriod` isn't set, then the device denies offline access. + * `AllowAuthenticationGracePeriod`: The device allows the use of the `AuthenticationGracePeriod` for other local accounts when `RequireAuthentication` is enabled. The `AuthenticationGracePeriod` starts when any of the policies are updated. If `AllowAuthenticationGracePeriod` isn't set, then the device denies unregistered account access. + * `RequireTouchID`: The device requires the use of Touch ID (and not Apple Watch) for File Vault unlock. Available in macOS 27 and later. + * `RequireTouchIDOrWatch`: The device requires the use of Touch ID or Apple Watch for File Vault unlock. Available in macOS 27 and later. + * `AllowOpenIDForTouchIDFallback`: The device allows web login as a fallback if touchID fails or isn't available. Available in macOS 27 and later. subkeys: - key: policy type: @@ -400,33 +408,26 @@ payloadkeys: - RequireAuthentication - AllowOfflineGracePeriod - AllowAuthenticationGracePeriod - content: |- - * AttemptAuthentication - Platform SSO authentication is attempted before proceeding. If offline, unlock will continue - if the local account password matches. If online and the credential is incorrect, then a - successful Platform SSO authentication is required to proceed, even if taken offline. - * RequireAuthentication - Platform SSO authentication is required before proceeding. If the device is offline and - `AllowOfflineGracePeriod` is enabled, then the offline `OfflineGracePeriod` is used to determine - if the user can proceed or not. If online and the credential is incorrect, then a valid Platform - SSO authentication is required to proceed regardless of the `OfflineGracePeriod`. If the account - is not registered for Platform SSO and `AllowAuthenticationGracePeriod` is enabled, then the - `AuthenticationGracePeriod` is used to determine if the user can proceed or not. - * AllowOfflineGracePeriod - Allow the use of the `OfflineGracePeriod` when `RequireAuthentication` is enabled. If - `AllowOfflineGracePeriod` is not set, then offline access is denied. - * AllowAuthenticationGracePeriod - Allow the use of the `AuthenticationGracePeriod` for other local accounts when `RequireAuthentication` - is enabled. The `AuthenticationGracePeriod` starts when any of the policies have been updated. If - `AllowAuthenticationGracePeriod` is not set, then unregistered account access is denied. + - RequireTouchID + - RequireTouchIDOrWatch + - AllowOpenIDForTouchIDFallback + content: The policy to apply. - key: LoginPolicy supportedOS: macOS: introduced: '15.0' type: presence: optional - content: The policy to apply when using Platform SSO at the Login Window. Applies - when `AuthenticationMethod` is `Password`. Available in macOS 15 and later. + content: |- + The policy to apply when using Platform SSO at the Login Window. Applies when `AuthenticationMethod` is `Password`. + + * `AttemptAuthentication`: The device attempts Platform SSO authentication before proceeding. If offline, login continues if the local account password matches. If online and the credential is incorrect, then the device requires a successful Platform SSO authentication to proceed, even if taken offline. + * `RequireAuthentication`: The device requires Platform SSO authentication before proceeding. If the device is offline and `AllowOfflineGracePeriod` is enabled, then the device uses the offline `OfflineGracePeriod` to determine if the user can proceed or not. If online and the credential is incorrect, then the device requires a valid Platform SSO authentication to proceed, regardless of the `OfflineGracePeriod`. If the account isn't registered for Platform SSO and `AllowAuthenticationGracePeriod` is enabled, then the device uses the `AuthenticationGracePeriod` to determine if the user can proceed or not. + * `AllowOfflineGracePeriod`: The device allows the use of the `OfflineGracePeriod` when `RequireAuthentication` is enabled. If `AllowOfflineGracePeriod` isn't set, then the device denies offline access. Applies to web login and all offline passwords. + * `AllowAuthenticationGracePeriod`: The device allows the use of the `AuthenticationGracePeriod` for other local accounts when `RequireAuthentication` is enabled. The `AuthenticationGracePeriod` starts when any of the policies have been updated. If `AllowAuthenticationGracePeriod` isn't set, then the device denies unregistered account access. + * `RequireTouchID`: The device requires the use of Touch ID (and not Apple Watch) for login. Available in macOS 27 and later. + * `RequireTouchIDOrWatch`: The device requires the use of Touch ID or Apple Watch for login. Available in macOS 27 and later. + * `AllowOpenIDForTouchIDFallback`: The device allows web login as fallback if touchID fails or isn't available. Available in macOS 27 and later. subkeys: - key: policy type: @@ -436,33 +437,27 @@ payloadkeys: - RequireAuthentication - AllowOfflineGracePeriod - AllowAuthenticationGracePeriod - content: |- - * AttemptAuthentication - Platform SSO authentication is attempted before proceeding. If offline, unlock will continue - if the local account password matches. If online and the credential is incorrect, then a - successful Platform SSO authentication is required to proceed, even if taken offline. - * RequireAuthentication - Platform SSO authentication is required before proceeding. If the device is offline and - `AllowOfflineGracePeriod` is enabled, then the offline `OfflineGracePeriod` is used to determine - if the user can proceed or not. If online and the credential is incorrect, then a valid Platform - SSO authentication is required to proceed regardless of the `OfflineGracePeriod`. If the account - is not registered for Platform SSO and `AllowAuthenticationGracePeriod` is enabled, then the - `AuthenticationGracePeriod` is used to determine if the user can proceed or not. - * AllowOfflineGracePeriod - Allow the use of the `OfflineGracePeriod` when `RequireAuthentication` is enabled. If - `AllowOfflineGracePeriod` is not set, then offline access is denied. - * AllowAuthenticationGracePeriod - Allow the use of the `AuthenticationGracePeriod` for other local accounts when `RequireAuthentication` - is enabled. The `AuthenticationGracePeriod` starts when any of the policies have been updated. If - `AllowAuthenticationGracePeriod` is not set, then unregistered account access is denied. + - RequireTouchID + - RequireTouchIDOrWatch + - AllowOpenIDForTouchIDFallback + content: The policy to apply. - key: UnlockPolicy supportedOS: macOS: introduced: '15.0' type: presence: optional - content: The policy to apply when using Platform SSO at screensaver unlock. Applies - when `AuthenticationMethod` is `Password`. Available in macOS 15 and later. + content: |- + The policy to apply when using Platform SSO at screensaver unlock. Applies when `AuthenticationMethod` is `Password`. + + * `AttemptAuthentication`: The device attempts Platform SSO authentication before proceeding. If offline, unlock will continue if the local account password matches. If online and the credential is incorrect, then the device requires a successful Platform SSO authentication to proceed, even if taken offline. + * `RequireAuthentication`: The device requires Platform SSO authentication before proceeding. If the device is offline and `AllowOfflineGracePeriod` is enabled, then the device uses the offline `OfflineGracePeriod` to determine if the user can proceed or not. If online and the credential is incorrect, then the device requires a valid Platform SSO authentication to proceed regardless of the `OfflineGracePeriod`. If the account isn't registered for Platform SSO and `AllowAuthenticationGracePeriod` is enabled, then the device uses `AuthenticationGracePeriod` to determine if the user can proceed or not. + * `AllowOfflineGracePeriod`: The device allows the use of the `OfflineGracePeriod` when `RequireAuthentication` is enabled. If `AllowOfflineGracePeriod` isn't set, then the device denies offline access. + * `AllowAuthenticationGracePeriod`: The device allows the use of the `AuthenticationGracePeriod` for other local accounts when `RequireAuthentication` is enabled. The `AuthenticationGracePeriod` starts when any of the policies have been updated. If `AllowAuthenticationGracePeriod` isn't set, then the device denies the unregistered account access. + * `AllowTouchIDOrWatchForUnlock`: The device allows TouchID or Watch to unlock the screensaver instead of Platform SSO authentication when `RequireAuthentication` is enabled. + * `RequireTouchID`: The device requires the use of Touch ID (and not Apple Watch) for unlock. Available in macOS 27 and later. + * `RequireTouchIDOrWatch`: RThe device requires the use of Touch ID or Apple Watch for unlock. Available in macOS 27 and later. + * `AllowOpenIDForTouchIDFallback`: The device allows web login as fallback if touchID fails or isn't available. Available in macOS 27 and later. subkeys: - key: policy type: @@ -473,28 +468,10 @@ payloadkeys: - AllowOfflineGracePeriod - AllowAuthenticationGracePeriod - AllowTouchIDOrWatchForUnlock - content: |- - * AttemptAuthentication - Platform SSO authentication is attempted before proceeding. If offline, unlock will continue - if the local account password matches. If online and the credential is incorrect, then a - successful Platform SSO authentication is required to proceed, even if taken offline. - * RequireAuthentication - Platform SSO authentication is required before proceeding. If the device is offline and - `AllowOfflineGracePeriod` is enabled, then the offline `OfflineGracePeriod` is used to determine - if the user can proceed or not. If online and the credential is incorrect, then a valid Platform - SSO authentication is required to proceed regardless of the `OfflineGracePeriod`. If the account - is not registered for Platform SSO and `AllowAuthenticationGracePeriod` is enabled, then the - `AuthenticationGracePeriod` is used to determine if the user can proceed or not. - * AllowOfflineGracePeriod - Allow the use of the `OfflineGracePeriod` when `RequireAuthentication` is enabled. If - `AllowOfflineGracePeriod` is not set, then offline access is denied. - * AllowAuthenticationGracePeriod - Allow the use of the `AuthenticationGracePeriod` for other local accounts when `RequireAuthentication` - is enabled. The `AuthenticationGracePeriod` starts when any of the policies have been updated. If - `AllowAuthenticationGracePeriod` is not set, then unregistered account access is denied. - * AllowTouchIDOrWatchForUnlock - Allow TouchID or Watch to unlock the screensaver instead of Platform SSO authentication when - `RequireAuthentication` is enabled. + - RequireTouchID + - RequireTouchIDOrWatch + - AllowOpenIDForTouchIDFallback + content: The policy to apply. - key: OfflineGracePeriod supportedOS: macOS: @@ -503,7 +480,6 @@ payloadkeys: presence: optional content: The amount of time after the last successful Platform SSO login for using a local account password offline. Required when setting `AllowOfflineGracePeriod`. - Available in macOS 15 and later. - key: AuthenticationGracePeriod supportedOS: macOS: @@ -512,7 +488,7 @@ payloadkeys: presence: optional content: The amount of time after receiving or updating a `FileVaultPolicy`, `LoginPolicy`, or `UnlockPolicy` that the system can use unregistered local accounts. Required - when `AllowAuthenticationGracePeriod` is set. Available in macOS 15 and later. + when `AllowAuthenticationGracePeriod` is set. - key: NonPlatformSSOAccounts supportedOS: macOS: @@ -521,7 +497,7 @@ payloadkeys: presence: optional content: The list of local accounts that aren't subject to the `FileVaultPolicy`, `LoginPolicy`, or `UnlockPolicy`. The accounts don't receive a prompt to register - for Platform SSO. Available in macOS 15 and later. + for Platform SSO. subkeys: - key: username type: @@ -568,6 +544,33 @@ payloadkeys: Setup Assistant on devices running macOS 26 and later. Set this key to `true` when configuring PlatformSSO before enrollment using the `com.apple.psso.required` error response. + - key: WebLoginURLAllowList + supportedOS: + macOS: + introduced: '27.0' + type: + presence: optional + content: The set of allowed hosts that the system can load in the PSSO web view. + Required if `AuthenticationMethod` is `OpenID`, or `NewUserAuthenticationMethods` + contains `OpenID`. + subkeys: + - key: Hosts + type: + presence: optional + content: A host or host prefix. + - key: AllowWebLoginPasswordSync + supportedOS: + macOS: + introduced: '27.0' + type: + presence: optional + default: false + content: If `true`, the system detects the password during web login and synchronizes + it to the local account password for the user. notes: - title: '' content: The system supports user channel installation in macOS 11 and later. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.extensiblesso/example1.plist diff --git a/mdm/profiles/com.apple.familycontrols.contentfilter.yaml b/mdm/profiles/com.apple.familycontrols.contentfilter.yaml index 05174f6..3093a85 100644 --- a/mdm/profiles/com.apple.familycontrols.contentfilter.yaml +++ b/mdm/profiles/com.apple.familycontrols.contentfilter.yaml @@ -58,7 +58,7 @@ payloadkeys: content: |- An array of sites that defines an allow list. If specified, this defines additional allowed sites besides those in the automated allow list and deny list, including disallowed adult sites. - This key is required if `allowListEnabled` is `true`. + The device requires this key if `allowListEnabled` is `true`. subkeys: - key: siteAllowListItem type: @@ -142,3 +142,7 @@ payloadkeys: type: presence: required content: A disallowed site. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.familycontrols.contentfilter/example1.plist diff --git a/mdm/profiles/com.apple.familycontrols.timelimits.v2.yaml b/mdm/profiles/com.apple.familycontrols.timelimits.v2.yaml index 4c3b03a..3f59bcc 100644 --- a/mdm/profiles/com.apple.familycontrols.timelimits.v2.yaml +++ b/mdm/profiles/com.apple.familycontrols.timelimits.v2.yaml @@ -84,3 +84,7 @@ payloadkeys: content: The weekend curfew settings. subkeytype: Allowance subkeys: *id001 +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.familycontrols.timelimits.v2/example1.plist diff --git a/mdm/profiles/com.apple.fileproviderd.yaml b/mdm/profiles/com.apple.fileproviderd.yaml index a0fbbfd..33d10ba 100644 --- a/mdm/profiles/com.apple.fileproviderd.yaml +++ b/mdm/profiles/com.apple.fileproviderd.yaml @@ -71,7 +71,7 @@ payloadkeys: presence: optional default: true content: If `false`, the device prevents the File Provider extension from using - desktop and documents synchronization in any app. This does not impact the ability + desktop and documents synchronization in any app. This doesn't impact the ability for apps to utilize the File Provider extension for file and folder syncing with remote storage. - key: ManagementKnownFolderSyncingAllowList @@ -87,7 +87,7 @@ payloadkeys: documents synchronization. If present, and `ManagementAllowsKnownFolderSyncing` is set to `true`, the device allows only the apps in this list to use desktop and documents synchronization. This key is ignored if `ManagementAllowsKnownFolderSyncing` - is set to `false`. This setting does not impact the ability for apps to use File + is set to `false`. This setting doesn't impact the ability for apps to use File Provider extension volume access. The format of the app identifiers is "Bundle-ID (Team-ID)", for example `com.example.app (ABCD1234)`. subkeys: @@ -149,3 +149,7 @@ payloadkeys: type: presence: required content: A composed app identifier. The format is "Bundle.Identifier (TeamIdentifier)". +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.fileproviderd/example1.plist diff --git a/mdm/profiles/com.apple.finder.yaml b/mdm/profiles/com.apple.finder.yaml index 2c5f682..365a069 100644 --- a/mdm/profiles/com.apple.finder.yaml +++ b/mdm/profiles/com.apple.finder.yaml @@ -78,3 +78,7 @@ payloadkeys: presence: optional default: true content: If `false`, the system doesn't warn the user before emptying the trash. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.finder/example1.plist diff --git a/mdm/profiles/com.apple.firstactiveethernet.managed.yaml b/mdm/profiles/com.apple.firstactiveethernet.managed.yaml index fe6147e..c248c74 100644 --- a/mdm/profiles/com.apple.firstactiveethernet.managed.yaml +++ b/mdm/profiles/com.apple.firstactiveethernet.managed.yaml @@ -34,8 +34,12 @@ notes: content: |- This payload's contents contain these profile-specific keys: - - Interface (String): This payload uses the value `FirstActiveEthernet`. - - EAPClientConfiguration (`EAPClientConfiguration`): The dictionary that defines the enterprise profile for the network. - - SetupModes (String): The type of connection mode, which is either "System" or "Loginwindow." "System" is the default. + * Interface (String): This payload uses the value `FirstActiveEthernet`. + * EAPClientConfiguration (`EAPClientConfiguration`): The dictionary that defines the enterprise profile for the network. + * SetupModes (String): The type of connection mode, which is either "System" or "Loginwindow." "System" is the default. Payloads with `active` in their name apply to Ethernet interfaces that are working at the time of profile installation. If there's no active Ethernet interface working, this payload configures the interface with the highest service-order priority. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.firstactiveethernet.managed/example1.plist diff --git a/mdm/profiles/com.apple.firstethernet.managed.yaml b/mdm/profiles/com.apple.firstethernet.managed.yaml index 5342d8a..3eb46ae 100644 --- a/mdm/profiles/com.apple.firstethernet.managed.yaml +++ b/mdm/profiles/com.apple.firstethernet.managed.yaml @@ -34,8 +34,12 @@ notes: content: |- This payload's contents contain these profile-specific keys: - - Interface (String): This payload uses the value `FirstEthernet`. - - EAPClientConfiguration (`EAPClientConfiguration`): The dictionary that defines the enterprise profile for the network. - - SetupModes (String): The type of connection mode, which is either "System" or "Loginwindow." "System" is the default. + * Interface (String): This payload uses the value `FirstEthernet`. + * EAPClientConfiguration (`EAPClientConfiguration`): The dictionary that defines the enterprise profile for the network. + * SetupModes (String): The type of connection mode, which is either "System" or "Loginwindow." "System" is the default. This payload applies to Ethernet interfaces according to service order, regardless of whether the interface is working. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.firstethernet.managed/example1.plist diff --git a/mdm/profiles/com.apple.font.yaml b/mdm/profiles/com.apple.font.yaml index 70cf25d..2f37f34 100644 --- a/mdm/profiles/com.apple.font.yaml +++ b/mdm/profiles/com.apple.font.yaml @@ -42,14 +42,14 @@ payload: Supported on the Shared iPad user channel as of iPadOS 18.0. Earlier versions of iPadOS erroneously accepted the Font payload on the device channel but installed it for the currently logged in user. payloadkeys: - key: Name - title: Font Name + title: Font name type: presence: optional default: '' content: |- - The user-visible name for the font. This field is replaced by the actual name of the font after installation. Each payload must contain exactly one font file in trueType (.ttf) or OpenType (.otf) format. Collection formats (.ttc or .otc) are not supported. + The user-visible name for the font. The device replaces this field with the actual name of the font after installation. Each payload must contain exactly one font file in trueType (.ttf) or OpenType (.otf) format. The device doesn't support collection formats (.ttc or .otc). - Fonts are identified by their embedded PostScript names. Two fonts with the same PostScript name are considered to be the same font even if their contents differ. Installing two different fonts with the same PostScript name isn't supported, and the resulting behavior is undefined. + The device identifies fonts by their embedded PostScript names. The device considers two fonts with the same PostScript name to be the same font, even if their contents differ. The device doesn't support installing two different fonts with the same PostScript name, and the resulting behavior is undefined. - key: Font title: Font type: @@ -58,4 +58,8 @@ payloadkeys: notes: - title: '' content: In iPadOS 18 and later, the font profile is available on the user channel - for Shared iPads. + for Shared iPad. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.font/example1.plist diff --git a/mdm/profiles/com.apple.gamed.yaml b/mdm/profiles/com.apple.gamed.yaml index f4c0dcb..ded4117 100644 --- a/mdm/profiles/com.apple.gamed.yaml +++ b/mdm/profiles/com.apple.gamed.yaml @@ -53,3 +53,7 @@ payloadkeys: presence: optional default: true content: If `true`, allows multiplayer gaming. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.gamed/example1.plist diff --git a/mdm/profiles/com.apple.globalethernet.managed.yaml b/mdm/profiles/com.apple.globalethernet.managed.yaml index d1f4233..0fc23da 100644 --- a/mdm/profiles/com.apple.globalethernet.managed.yaml +++ b/mdm/profiles/com.apple.globalethernet.managed.yaml @@ -46,6 +46,10 @@ notes: content: |- This payload's contents contain these profile-specific keys: - - Interface (String): This payload uses the value `GlobalEthernet`. - - EAPClientConfiguration (`EAPClientConfiguration`): The dictionary that defines the enterprise profile for the network. - - SetupModes (String): The type of connection mode, which is either `System` or `Loginwindow`. `System` is the default. + * Interface (String): This payload uses the value `GlobalEthernet`. + * EAPClientConfiguration (`EAPClientConfiguration`): The dictionary that defines the enterprise profile for the network. + * SetupModes (String): The type of connection mode, which is either `System` or `Loginwindow`. `System` is the default. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.globalethernet.managed/example1.plist diff --git a/mdm/profiles/com.apple.google-oauth.yaml b/mdm/profiles/com.apple.google-oauth.yaml index 0f85500..d597334 100644 --- a/mdm/profiles/com.apple.google-oauth.yaml +++ b/mdm/profiles/com.apple.google-oauth.yaml @@ -31,28 +31,28 @@ payload: other Google services the user enables after authentication. Google accounts must be installed via MDM or by Apple Configurator 2 (if the device is supervised). The payload never contains credentials and the user will be prompted to enter - their credentials shortly after the payload successfully installs. On Shared iPads, + their credentials shortly after the payload successfully installs. On Shared iPad, this payload can only be installed on the MDM user channel. payloadkeys: - key: AccountDescription - title: Account Description + title: Account description type: presence: optional content: A user-visible description of the Google account, shown in the Mail and Settings apps. - key: AccountName - title: Account Name + title: Account name type: presence: optional content: The user's full name for the Google account. This name appears in sent messages. - key: EmailAddress - title: Email Address + title: Email address type: presence: required content: The full Google email address for the account. - key: CommunicationServiceRules - title: Communication Service Rules + title: Communication service rules supportedOS: iOS: introduced: '10.0' @@ -61,7 +61,7 @@ payloadkeys: content: The communication service handler rules for this account. subkeys: - key: DefaultServiceHandlers - title: Default Service Handlers + title: Default service handlers supportedOS: iOS: introduced: '10.0' @@ -91,7 +91,6 @@ payloadkeys: type: presence: optional content: The VPNUUID of the per-app VPN the account uses for network communication. - Available in iOS 14 and later. notes: - title: '' content: |- @@ -101,3 +100,7 @@ notes: > For supervised devices, the system requires installation of Google accounts through MDM or Apple Configurator 2. The payload never contains credentials; the system prompts the user to enter credentials shortly after installation of the payload. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.google-oauth/example1.plist diff --git a/mdm/profiles/com.apple.homescreenlayout.yaml b/mdm/profiles/com.apple.homescreenlayout.yaml index f3c2c9b..e45f218 100644 --- a/mdm/profiles/com.apple.homescreenlayout.yaml +++ b/mdm/profiles/com.apple.homescreenlayout.yaml @@ -55,8 +55,8 @@ payloadkeys: - key: BundleID type: presence: optional - content: The bundle identifier of the app. This setting is required if the type - is `Application`. + content: The bundle identifier of the app. The device requires this setting + if the type is `Application`. - key: Pages type: presence: optional @@ -75,7 +75,7 @@ payloadkeys: type: presence: optional content: |- - The URL of the existing web clip for this item. This setting is required if `type` is `WebClip`. If more than one web clip exists with the same URL, the behavior is undefined. + The URL of the existing web clip for this item. The device requires this setting if `type` is `WebClip`. If more than one web clip exists with the same URL, the behavior is undefined. Specifying a web clip in this payload doesn't create the web clip. Use the `WebClip` payload to create a web clip. - key: Pages @@ -93,3 +93,7 @@ notes: If a Home Screen layout puts more than four items in the iPhone Dock the location of the fifth and succeeding items may be undefined but they will not be omitted. To disable deletion of apps, set `allowAppRemoval` to `false` with `Restrictions`. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.homescreenlayout/example1.plist diff --git a/mdm/profiles/com.apple.jabber.account.yaml b/mdm/profiles/com.apple.jabber.account.yaml index b06b82c..37eb906 100644 --- a/mdm/profiles/com.apple.jabber.account.yaml +++ b/mdm/profiles/com.apple.jabber.account.yaml @@ -27,22 +27,22 @@ payload: content: A Jabber payload creates a Jabber account on the device. payloadkeys: - key: JabberAccountDescription - title: Account Description + title: Account description type: presence: optional content: The description of the account. - key: JabberHostName - title: Account Hostname + title: Account hostname type: presence: required content: The server's address. - key: JabberUserName - title: Account Username + title: Account username type: presence: optional content: The user's user name. - key: JabberPassword - title: Account Password + title: Account password type: presence: optional content: The user's password. @@ -53,7 +53,7 @@ payloadkeys: default: false content: If `true`, enables SSL. - key: JabberPort - title: Port Number + title: Port number type: presence: optional range: @@ -62,7 +62,7 @@ payloadkeys: default: 5222 content: The server's port. - key: JabberAuthentication - title: Jabber Authentication + title: Jabber authentication type: presence: required rangelist: diff --git a/mdm/profiles/com.apple.ldap.account.yaml b/mdm/profiles/com.apple.ldap.account.yaml index 5efbf36..161e0dd 100644 --- a/mdm/profiles/com.apple.ldap.account.yaml +++ b/mdm/profiles/com.apple.ldap.account.yaml @@ -39,22 +39,22 @@ payload: introduced: n/a payloadkeys: - key: LDAPAccountDescription - title: Account Description + title: Account description type: presence: optional content: The description of the account. - key: LDAPAccountHostName - title: Account Hostname + title: Account hostname type: presence: required content: The server's address. - key: LDAPAccountUserName - title: Account Username + title: Account username type: presence: optional content: The user's user name. - key: LDAPAccountPassword - title: Account Password + title: Account password type: presence: optional content: The user's password. Only use this in encrypted profiles. @@ -65,13 +65,13 @@ payloadkeys: default: true content: If `true`, the system enables SSL. - key: LDAPSearchSettings - title: Search Settings + title: Search settings type: presence: optional content: An array of search settings dictionaries. subkeys: - key: LDAPSearchSettingsItem - title: An LDAP Search Setting + title: An LDAP search setting type: subkeys: - key: LDAPSearchSettingDescription @@ -80,12 +80,12 @@ payloadkeys: presence: optional content: The description of this search setting. - key: LDAPSearchSettingSearchBase - title: Search Setting Search Base + title: Search setting search base type: presence: required content: The path to the node where a search should start. - key: LDAPSearchSettingScope - title: Search Setting Scope + title: Search setting scope type: presence: optional rangelist: @@ -109,4 +109,7 @@ payloadkeys: type: presence: optional content: The VPNUUID of the per-app VPN the account uses for network communication. - Available in iOS 14 and later. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.ldap.account/example1.plist diff --git a/mdm/profiles/com.apple.loginitems.managed.yaml b/mdm/profiles/com.apple.loginitems.managed.yaml index c3a58e4..a30a8d3 100644 --- a/mdm/profiles/com.apple.loginitems.managed.yaml +++ b/mdm/profiles/com.apple.loginitems.managed.yaml @@ -44,3 +44,7 @@ payloadkeys: default: false content: If `true`, the system hides this item in the Users & Groups login items list. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.loginitems.managed/example1.plist diff --git a/mdm/profiles/com.apple.loginwindow.yaml b/mdm/profiles/com.apple.loginwindow.yaml index 92fc2c1..9e37d67 100644 --- a/mdm/profiles/com.apple.loginwindow.yaml +++ b/mdm/profiles/com.apple.loginwindow.yaml @@ -63,6 +63,14 @@ payloadkeys: this string could only contain host name, system version, or IP address. After macOS 10.10, setting this key to any value allows the user to click the time area of the menu bar to toggle through various computer information values. +- key: AdminMayDisableMCX + type: + presence: optional + default: false + content: If `true`, a local administrator user can bypass or disable managed preferences + (MCX settings) for their login session. The device presents the user with this + option at login only when the user is a local administrator, and other users are + not logged in. - key: AllowList type: presence: optional @@ -101,6 +109,12 @@ payloadkeys: presence: optional default: false content: If `true`, the system disables the Restart item. +- key: RetriesUntilHint + type: + presence: optional + default: 0 + content: If specified, allows a certain number of retries until the device shows + a password hint. The device shows no hints if set to a value of 0. - key: SleepDisabled type: presence: optional @@ -142,7 +156,7 @@ payloadkeys: presence: optional default: false content: If `true`, the system disables the Log Out menu item when the user is logged - in. Available in macOS 10.13 and later. + in. - key: DisableScreenLockImmediate supportedOS: macOS: @@ -150,8 +164,7 @@ payloadkeys: type: presence: optional default: false - content: If `true`, the system disables the immediate Screen Lock functions. Available - in macOS 10.13 and later. + content: If `true`, the system disables the immediate Screen Lock functions. - key: showInputMenu supportedOS: macOS: @@ -185,3 +198,7 @@ payloadkeys: presence: optional content: An optional user password to set up auto login. This must match the `AutologinUsername` user's current password. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.loginwindow/example1.plist diff --git a/mdm/profiles/com.apple.lom.yaml b/mdm/profiles/com.apple.lom.yaml index 10d3f5d..7cbe0da 100644 --- a/mdm/profiles/com.apple.lom.yaml +++ b/mdm/profiles/com.apple.lom.yaml @@ -25,7 +25,7 @@ payload: requests. payloadkeys: - key: DeviceCertificateUUID - title: Device Certificate payload UUID + title: Device certificate payload UUID type: presence: optional content: The UUID certificate for the device. This key indicates the device can @@ -34,7 +34,7 @@ payloadkeys: and Data Encipherment. As well as the Extended Key Usage attributes of Server Authentication and Client Authentication. - key: ControllerCertificateUUID - title: Controller Certificate payload UUID + title: Controller certificate payload UUID type: presence: optional content: The UUID certificate for the LOM controller. This key configures the device @@ -65,3 +65,7 @@ notes: content: You can configure a compatible macOS device to be both a controller and a device. Include the UUID of the certificate in both `DeviceCertificateUUID` and `ControllerCertificateUUID` properties. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.lom/example1.plist diff --git a/mdm/profiles/com.apple.mail.managed.yaml b/mdm/profiles/com.apple.mail.managed.yaml index 1b051ba..6fbdd2f 100644 --- a/mdm/profiles/com.apple.mail.managed.yaml +++ b/mdm/profiles/com.apple.mail.managed.yaml @@ -39,19 +39,19 @@ payload: content: An email payload creates an email account on the device. payloadkeys: - key: EmailAccountDescription - title: Account Description + title: Account description type: presence: optional content: A user-visible description of the email account, shown in the Mail and Settings applications. - key: EmailAccountName - title: Account Name + title: Account name type: presence: optional content: The full user name for the account. The system displays this name in sent messages. - key: EmailAccountType - title: Account Type + title: Account type type: presence: required rangelist: @@ -59,14 +59,14 @@ payloadkeys: - EmailTypePOP content: Defines the protocol to use for the account. - key: EmailAddress - title: Email Address + title: Email address type: presence: optional content: The full email address for the account. If this string isn't present in the payload, the device prompts the user for this string during interactive profile installation in Settings or System Preferences. - key: IncomingMailServerAuthentication - title: Incoming Mail Server Authentication + title: Incoming mail server authentication type: presence: required rangelist: @@ -77,7 +77,7 @@ payloadkeys: - EmailAuthHTTPMD5 content: The authentication scheme for incoming mail. - key: IncomingMailServerHostName - title: Mail Server + title: Mail server type: presence: required content: The incoming mail server host name. @@ -113,16 +113,16 @@ payloadkeys: presence: optional content: The password for the outgoing mail server. Only use this in encrypted profiles. - key: OutgoingPasswordSameAsIncomingPassword - title: Outgoing Password Same As Incoming + title: Outgoing password same as incoming type: presence: optional default: false content: |- If `true`, the system prompts the user only once for the password, which it uses for both outgoing and incoming mail. - This setting is only supported by interactive profile installations. Not supported by non-interactive installations, such as MDM on iOS. + This setting supports only interactive profile installations. Non-interactive installations, such as MDM on iOS, don't support this setting. - key: OutgoingMailServerAuthentication - title: Authentication Type + title: Authentication type type: presence: required rangelist: @@ -133,7 +133,7 @@ payloadkeys: - EmailAuthHTTPMD5 content: The authentication scheme for outgoing mail. - key: OutgoingMailServerHostName - title: Mail Server + title: Mail server type: presence: required content: The outgoing mail server host name. @@ -158,7 +158,7 @@ payloadkeys: outgoing email, the device prompts the user for this string during interactive profile installation in Settings or System Preferences. - key: PreventMove - title: Prevent Move + title: Prevent move supportedOS: iOS: introduced: '5.0' @@ -171,7 +171,7 @@ payloadkeys: and into another account. It also prevents forwarding or replying from an account other than the recipient of the message. - key: PreventAppSheet - title: Prevent App Sheet + title: Prevent app sheet supportedOS: iOS: introduced: '5.0' @@ -183,7 +183,7 @@ payloadkeys: content: If `true`, the system prevents this account from sending mail in any app other than the Apple Mail app. - key: SMIMEEnabled - title: S/MIME Enabled + title: S/MIME enabled supportedOS: iOS: introduced: '5.0' @@ -195,7 +195,7 @@ payloadkeys: content: If `true`, the system enables S/MIME encryption. The system ignores this key in iOS 10.0 and later. - key: SMIMESigningEnabled - title: S/MIME Signing Enabled + title: S/MIME signing enabled supportedOS: iOS: introduced: '10.0' @@ -206,7 +206,7 @@ payloadkeys: default: false content: If `true`, the system enables S/MIME signing for this account. - key: SMIMESigningCertificateUUID - title: S/MIME Signing Certificate + title: S/MIME signing certificate supportedOS: iOS: introduced: '5.0' @@ -218,7 +218,7 @@ payloadkeys: content: The payload UUID of the identity certificate used to sign messages sent from this account. - key: SMIMEEncryptionEnabled - title: S/MIME Encryption Enabled + title: S/MIME encryption enabled supportedOS: iOS: introduced: '10.0' @@ -229,7 +229,7 @@ payloadkeys: default: false content: If `true`, the system enables S/MIME encryption for this account. - key: SMIMEEncryptionCertificateUUID - title: S/MIME Encryption Certificate + title: S/MIME encryption certificate supportedOS: iOS: introduced: '5.0' @@ -243,7 +243,7 @@ payloadkeys: the user to receive encrypted mail. When the user sends encrypted mail, the system uses the public certificate to encrypt the copy of the mail in their Sent mailbox. - key: SMIMEEnablePerMessageSwitch - title: S/MIME Enable Per-Message Switch + title: S/MIME enable per-message switch supportedOS: iOS: introduced: '8.0' @@ -259,7 +259,7 @@ payloadkeys: Mail Compose UI. Deprecated in iOS 12.0. Use `SMIMEEnableEncryptionPerMessageSwitch` instead. - key: disableMailRecentsSyncing - title: Disable Mail Recents Syncing + title: Disable mail recents syncing supportedOS: iOS: introduced: '6.0' @@ -268,7 +268,7 @@ payloadkeys: default: false content: If `true`, the system excludes this account from Recent Addresses syncing. - key: allowMailDrop - title: Allow Mail Drop + title: Allow mail drop supportedOS: iOS: introduced: '9.2' @@ -279,7 +279,7 @@ payloadkeys: default: false content: If `true`, the system enables this account to use Mail Drop. - key: IncomingMailServerIMAPPathPrefix - title: Path Prefix + title: Path prefix type: presence: optional content: The path prefix for the IMAP mail server. @@ -356,4 +356,7 @@ payloadkeys: type: presence: optional content: The VPNUUID of the per-app VPN the account uses for network communication. - Available in iOS 14 and later. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.mail.managed/example1.plist diff --git a/mdm/profiles/com.apple.mcxMenuExtras.yaml b/mdm/profiles/com.apple.mcxMenuExtras.yaml index 1b8b2f0..7f89102 100644 --- a/mdm/profiles/com.apple.mcxMenuExtras.yaml +++ b/mdm/profiles/com.apple.mcxMenuExtras.yaml @@ -143,3 +143,7 @@ payloadkeys: type: presence: optional content: If `true`, enables the WWAN menu extra. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.mcxMenuExtras/example1.plist diff --git a/mdm/profiles/com.apple.mcxloginscripts.yaml b/mdm/profiles/com.apple.mcxloginscripts.yaml index aed98e8..93a5472 100644 --- a/mdm/profiles/com.apple.mcxloginscripts.yaml +++ b/mdm/profiles/com.apple.mcxloginscripts.yaml @@ -63,3 +63,7 @@ notes: The MCX login and logout managed-scripts payload contains information about executable scripts that can run at user login and logout. To use this payload, set `EnableMCXLoginScripts` to `true` in `/var/root/Library/Preferences/com.apple.loginwindow.plist`; otherwise, the system ignores this payload. `Loginwindow` uses the `LoginHook` and `LogoutHook` string keys in `/var/root/Library/Preferences/com.apple.loginwindow.plist` to indicate a path to the executable script files, which run during user login and logout. The system passes the current user name as an argument to the file. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.mcxloginscripts/example1.plist diff --git a/mdm/profiles/com.apple.mcxprinting.yaml b/mdm/profiles/com.apple.mcxprinting.yaml index c0c0fbd..b286aad 100644 --- a/mdm/profiles/com.apple.mcxprinting.yaml +++ b/mdm/profiles/com.apple.mcxprinting.yaml @@ -113,3 +113,7 @@ notes: - title: '' content: Removing this profile from a device doesn't automatically remove printers from the device. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.mcxprinting/example1.plist diff --git a/mdm/profiles/com.apple.mdm.yaml b/mdm/profiles/com.apple.mdm.yaml index c3163ea..6f36e65 100644 --- a/mdm/profiles/com.apple.mdm.yaml +++ b/mdm/profiles/com.apple.mdm.yaml @@ -43,7 +43,7 @@ payload: allowmanualinstall: false payloadkeys: - key: IdentityCertificateUUID - title: Identity Certificate UUID + title: Identity certificate UUID type: presence: required format: ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$ @@ -57,7 +57,7 @@ payloadkeys: The topic that MDM listens to for push notifications. The certificate that the server uses to send push notifications must have the same topic in its subject. The topic must begin with the 'com.apple.mgmt.' prefix. > Note: - > When updating the payload, the value of this key must not change. Any change is an error, and the update is rejected. + > When updating the payload, the value of this key must not change. Any change is an error, and the system rejects the update. - key: ServerURL title: Server URL type: @@ -68,9 +68,9 @@ payloadkeys: (`:1234`, for example). > Note: - > When updating the payload, the value of this key must not change. Any change is an error, and the update is rejected. + > When updating the payload, the value of this key must not change. Any change is an error, and the system rejects the update. - key: CheckInURL - title: Check In URL + title: Check in URL type: presence: optional format: ^https://.*$ @@ -78,16 +78,16 @@ payloadkeys: The URL that the device should use to check in during installation. The URL must begin with the `https://` URL scheme and may contain a port number (`:1234`, for example). If not set, the system uses `ServerURL`. > Note: - > When updating the payload, the value of this key must not change. Any change is an error, and the update is rejected. + > When updating the payload, the value of this key must not change. Any change is an error, and the system rejects the update. - key: SignMessage - title: Sign Message + title: Sign message type: presence: optional default: false content: If 'true', each message coming from the device carries the additional 'Mdm-Signature' HTTP header. - key: AccessRights - title: Access Rights + title: Access rights supportedOS: iOS: userenrollment: @@ -122,7 +122,7 @@ payloadkeys: > Note: > When updating the payload, the addition of any access right is an error, and the update is rejected. - key: UseDevelopmentAPNS - title: Use Development APNS + title: Use development APNS type: presence: optional default: false @@ -169,12 +169,12 @@ payloadkeys: type: presence: optional content: |- - The Managed Apple Account pre-assigned to the authenticated user. Required for account-driven enrollments. Available in iOS 15 and later, and macOS 14 and later. + The Managed Apple Account pre-assigned to the authenticated user. Required for account-driven enrollments. > Note: - > When updating the payload, the value of this key must not change. Any change is an error, and the update is rejected. + > When updating the payload, the value of this key must not change. Any change is an error, and the system rejects the update. - key: EnrollmentMode - title: Enrollment Mode + title: Enrollment mode supportedOS: iOS: introduced: '15.0' @@ -190,10 +190,10 @@ payloadkeys: - BYOD - ADDE content: |- - The enrollment mode the server indicates to use when enrolling. Required for account-driven enrollment. Available in iOS 15 and macOS 14, and later. + The enrollment mode the server indicates to use when enrolling. Required for account-driven enrollment. > Note: - > When updating the payload, the value of this key must not change. Any change is an error, and the update is rejected. + > When updating the payload, the value of this key must not change. Any change is an error, and the system rejects the update. - key: ServerURLPinningCertificateUUIDs supportedOS: iOS: @@ -282,10 +282,9 @@ payloadkeys: content: |- This property specifies an iTunes Store ID for an app the system can install with the InstallApplicationCommand, without any approval from the user. The MDM vendor or managing organization generally provides this app, which enhances the management experience for the user. The device shows the user details about this app in the account-driven enrollment process prior to installing the MDM profile. Use this property with account-driven MDM enrollments that normally require user approval for app installs through MDM. Only account-driven enrollments support this property and other enrollment types ignore it. - Available in iOS 15.1 and later. > Note: - > When updating the payload, the value of this key must not change. Any change is an error, and the update is rejected. + > When updating the payload, the value of this key must not change. Any change is an error, and the system rejects the update. - key: PromptUserToAllowBootstrapTokenForAuthentication supportedOS: iOS: @@ -305,19 +304,22 @@ payloadkeys: If 'true', the system warns the user that they need to reboot into RecoveryOS and allow the MDM to use the bootstrap token for authentication for certain sensitive operations such as enabling kernel extensions or installing some types of software updates. If the MDM doesn't need to perform these operations, it can leave this key set to 'false', and the user isn't notified. The SettingsCommand.Command.Settings.MDMOptions.MDMOptions command overrides this default value. This setting only applies to devices that have 'BootstrapTokenRequiredForSoftwareUpdate' or 'BootstrapTokenRequiredForKernelExtensionApproval' set to 'true' in their SecurityInfoResponse.SecurityInfo. - DEP-enrolled devices are automatically allowed to use the bootstrap token for authentication. - Available in macOS 11 and later. + ADE-enrolled devices are automatically allowed to use the bootstrap token for authentication. notes: - title: '' content: |- Also define the following four standard payload values in your MDM payload: - - `PayloadIdentifier`: The reverse-DNS style identifier that identifies the profile; for example, `com.example.myprofile`. The system uses this value to determine whether to replace an existing profile or add a new one. - - `PayloadUUID`: A globally unique identifier for the profile. In macOS, you can use `uuidgen` to generate this value. - - `PayloadType`: The payload type. Set to `com.apple.mdm` to designate that this payload is an MDM payload. - - `PayloadVersion`: The version number of the profile format, which describes the version of the configuration profile as a whole, not of the individual profiles within it. Set this value to `1`. + * `PayloadIdentifier`: The reverse-DNS style identifier that identifies the profile; for example, `com.example.myprofile`. The system uses this value to determine whether to replace an existing profile or add a new one. + * `PayloadUUID`: A globally unique identifier for the profile. In macOS, you can use `uuidgen` to generate this value. + * `PayloadType`: The payload type. Set to `com.apple.mdm` to designate that this payload is an MDM payload. + * `PayloadVersion`: The version number of the profile format, which describes the version of the configuration profile as a whole, not of the individual profiles within it. Set this value to `1`. > Note: > MDM reserves profile payload dictionary keys with the _Payload_ prefix. Don't treat them as managed preferences. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.mdm/example1.plist diff --git a/mdm/profiles/com.apple.mobiledevice.passwordpolicy.yaml b/mdm/profiles/com.apple.mobiledevice.passwordpolicy.yaml index 1e67996..d70396b 100644 --- a/mdm/profiles/com.apple.mobiledevice.passwordpolicy.yaml +++ b/mdm/profiles/com.apple.mobiledevice.passwordpolicy.yaml @@ -39,7 +39,7 @@ payload: allowmanualinstall: true payloadkeys: - key: allowSimple - title: Allow Simple Value + title: Allow simple value supportedOS: iOS: userenrollment: @@ -54,7 +54,7 @@ payloadkeys: contains repeated characters, or increasing or decreasing characters, such as `123` or `CBA`. - key: forcePIN - title: Require Passcode on Device + title: Require passcode on device supportedOS: iOS: userenrollment: @@ -67,7 +67,7 @@ payloadkeys: default: false content: If `true`, the system forces the user to enter a PIN. - key: maxFailedAttempts - title: Maximum Number of Failed Attempts + title: Maximum number of failed attempts supportedOS: iOS: userenrollment: @@ -86,7 +86,7 @@ payloadkeys: After the final failed attempt, the system locks a macOS device, or securely erases all data and settings from an iOS, visionOS, or watchOS device. - key: maxInactivity - title: Auto-Lock + title: Auto-lock supportedOS: iOS: userenrollment: @@ -106,7 +106,7 @@ payloadkeys: Setting this key removes the `never` option in the Settings UI on user enrolled devices. - key: maxPINAgeInDays - title: Maximum Passcode Age + title: Maximum passcode age supportedOS: iOS: userenrollment: @@ -123,7 +123,7 @@ payloadkeys: number of days, the system forces the user to change the passcode before it unlocks the device. - key: minComplexChars - title: Minimum Number of Complex Characters + title: Minimum number of complex characters supportedOS: iOS: userenrollment: @@ -144,7 +144,7 @@ payloadkeys: The system ignores this property for user enrollments. - key: minLength - title: Minimum Passcode Length + title: Minimum passcode length supportedOS: iOS: userenrollment: @@ -161,7 +161,7 @@ payloadkeys: content: The minimum overall length of the passcode. This value is independent of the value for `minComplexChars`. - key: requireAlphanumeric - title: Require Alphabetic Value + title: Require alphabetic value supportedOS: iOS: userenrollment: @@ -177,7 +177,7 @@ payloadkeys: content: If `true`, the system requires alphabetic characters instead of only numeric characters. - key: pinHistory - title: Passcode History + title: Passcode history supportedOS: iOS: userenrollment: @@ -193,7 +193,7 @@ payloadkeys: content: This value defines _N_, where the new passcode must be unique within the last _N_ entries in the passcode history. - key: maxGracePeriod - title: Grace Period for Device Lock + title: Grace period for device lock supportedOS: iOS: userenrollment: @@ -224,7 +224,6 @@ payloadkeys: presence: optional content: The number of minutes before the system resets the login after the maximum number of unsuccessful login attempts is reached. This key requires setting `maxFailedAttempts`. - Available in macOS 10.10 and later. - key: changeAtNextAuth supportedOS: iOS: @@ -243,7 +242,7 @@ payloadkeys: content: If `true`, the system causes a password reset to occur the next time the user tries to authenticate. If this key is set in a device profile, the setting takes effect for all users, and admin authentications may fail until the admin - user password is also reset. Available in macOS 10.13 and later. + user password is also reset. - key: customRegex supportedOS: iOS: @@ -256,10 +255,11 @@ payloadkeys: introduced: n/a type: presence: optional - content: |- - Specifies a regular expression, and its description, used to enforce password compliance. Use the simpler passcode restrictions whenever possible, and rely on regular expression matching only when necessary. Mistakes in regular expressions can lead to frustrating user experiences, such as unsatisfiable passcode policies, or policy descriptions that don't match the enforced policy. - - Available in macOS 14 and later. + content: Specifies a regular expression, and its description, used to enforce password + compliance. Use the simpler passcode restrictions whenever possible, and rely + on regular expression matching only when necessary. Mistakes in regular expressions + can lead to frustrating user experiences, such as unsatisfiable passcode policies, + or policy descriptions that don't match the enforced policy. subkeys: - key: passwordContentRegex type: @@ -291,3 +291,7 @@ notes: - `forcePIN`: always set to `true` - `minLength`: always set to `6` - `maxInactivity`: if this key is present its value is ignored, but the `never` option is removed in the Settings UI. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.mobiledevice.passwordpolicy/example1.plist diff --git a/mdm/profiles/com.apple.networkusagerules.yaml b/mdm/profiles/com.apple.networkusagerules.yaml index 634ff6e..210e7fc 100644 --- a/mdm/profiles/com.apple.networkusagerules.yaml +++ b/mdm/profiles/com.apple.networkusagerules.yaml @@ -101,3 +101,7 @@ notes: content: Network usage rules allow enterprises to specify how devices use networks, such as cellular data networks. iOS 9-12 require the application rules. In iOS 13, application rules, SIM rules, or both must be present. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.networkusagerules/example1.plist diff --git a/mdm/profiles/com.apple.notificationsettings.yaml b/mdm/profiles/com.apple.notificationsettings.yaml index 62da340..740b8f6 100644 --- a/mdm/profiles/com.apple.notificationsettings.yaml +++ b/mdm/profiles/com.apple.notificationsettings.yaml @@ -36,52 +36,42 @@ payload: yet), and those settings will always be enforced. payloadkeys: - key: NotificationSettings - title: Notification Settings + title: Notification settings type: presence: required content: An array of notification settings dictionaries. subkeys: - key: NotificationSettingsItem - title: Notification Setting + title: Notification setting type: subkeys: - key: BundleIdentifier - title: App Bundle Identifier + title: App bundle identifier type: presence: required - content: |- - The bundle identifier of the app to which to apply these notification settings. - - Available in iOS 9.3 and later and macOS 10.15 and later. + content: The bundle identifier of the app to which to apply these notification + settings. - key: NotificationsEnabled - title: Enable Notifications + title: Enable notifications type: presence: optional default: true - content: |- - If `true`, enables notifications for this app. - - Available in iOS 9.3 and later and macOS 10.15 and later. + content: If `true`, enables notifications for this app. - key: ShowInNotificationCenter title: Show in Notification Center type: presence: optional default: true - content: |- - If `true`, enables notifications in the notification center for this app. - - Available in iOS 9.3 and later and macOS 10.15 and later. + content: If `true`, enables notifications in the Notification Center for this + app. - key: ShowInLockScreen title: Show in Lock Screen type: presence: optional default: true - content: |- - If `true`, enables notifications on the Lock Screen for this app. - - Available in iOS 9.3 and later and macOS 10.15 and later. + content: If `true`, enables notifications on the Lock Screen for this app. - key: AlertType - title: Alert Type + title: Alert type type: presence: optional rangelist: @@ -95,19 +85,14 @@ payloadkeys: - `0`: None - `1`: Temporary Banner - `2`: Persistent Banner - - Available in iOS 9.3 and later and macOS 10.15 and later. - key: BadgesEnabled - title: Badges Enabled + title: Badges enabled type: presence: optional default: true - content: |- - If `true`, enables badges for this app. - - Available in iOS 9.3 and later and macOS 10.15 and later. + content: If `true`, enables badges for this app. - key: SoundsEnabled - title: Sounds Enabled + title: Sounds enabled type: presence: optional default: true @@ -122,24 +107,19 @@ payloadkeys: type: presence: optional default: true - content: |- - If `true`, enables notifications in CarPlay for this app. - - Available in iOS 12 and later. + content: If `true`, enables notifications in CarPlay for this app. - key: CriticalAlertEnabled - title: Critical Alert Enabled + title: Critical alert enabled supportedOS: iOS: introduced: '12.0' type: presence: optional default: false - content: |- - If `true`, enables critical alerts that can ignore Do Not Disturb and ringer settings for this app. - - Available in iOS 12 and later and macOS 10.15 and later. + content: If `true`, enables critical alerts that can ignore Do Not Disturb and + ringer settings for this app. - key: GroupingType - title: Grouping Type + title: Grouping type supportedOS: iOS: introduced: '12.0' @@ -158,10 +138,8 @@ payloadkeys: - `0`: Automatic: Group notifications into app-specified groups. - `1`: By app: Group notifications into one group. - `2`: Off: Don't group notifications. - - Available in iOS 12 and later. - key: PreviewType - title: Preview Type + title: Preview type supportedOS: iOS: introduced: '14.0' @@ -176,8 +154,10 @@ payloadkeys: content: |- The type previews for notifications. This key overrides the value at Settings>Notifications>Show Previews. - - `0` - Always: Previews will be shown when the device is locked and unlocked - - `1` - When Unlocked: Previews will only be shown when the device is unlocked - - `2` - Never: Previews will never be shown - - Available in iOS 14 and later. + - `0` - Always: The device shows previews when locked and unlocked + - `1` - When Unlocked: The device shows previews only when unlocked + - `2` - Never: The device never shows previews +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.notificationsettings/example1.plist diff --git a/mdm/profiles/com.apple.osxserver.account.yaml b/mdm/profiles/com.apple.osxserver.account.yaml index 875fd28..1d32975 100644 --- a/mdm/profiles/com.apple.osxserver.account.yaml +++ b/mdm/profiles/com.apple.osxserver.account.yaml @@ -24,45 +24,45 @@ payload: introduced: n/a payloadkeys: - key: HostName - title: Account Hostname + title: Account hostname type: presence: required content: The server's address. - key: UserName - title: Account Username + title: Account username type: presence: required content: The user's user name. - key: Password - title: Account Password + title: Account password type: presence: optional content: The user's password. - key: AccountDescription - title: Account Description + title: Account description type: presence: optional content: The description of the account. - key: ConfiguredAccounts - title: Configured Accounts + title: Configured accounts type: presence: required content: An array of dictionaries containing configured account types and relevant settings subkeys: - key: ConfiguredAccountsItem - title: Configured Account + title: Configured account type: subkeys: - key: Type - title: Account Type + title: Account type type: presence: required rangelist: - com.apple.osxserver.documents content: com.apple.osxserver.documents (the Documents account type). - key: Port - title: Port Number + title: Port number type: presence: optional content: Designates the port number to use when contacting the server. If no diff --git a/mdm/profiles/com.apple.preference.security.yaml b/mdm/profiles/com.apple.preference.security.yaml index 664592c..142e79d 100644 --- a/mdm/profiles/com.apple.preference.security.yaml +++ b/mdm/profiles/com.apple.preference.security.yaml @@ -38,3 +38,7 @@ payloadkeys: presence: optional default: false content: If `true`, disables user changes to the firewall settings. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.preference.security/example1.plist diff --git a/mdm/profiles/com.apple.preferences.users.yaml b/mdm/profiles/com.apple.preferences.users.yaml index 79bec6c..7842432 100644 --- a/mdm/profiles/com.apple.preferences.users.yaml +++ b/mdm/profiles/com.apple.preferences.users.yaml @@ -28,3 +28,7 @@ payloadkeys: presence: optional default: false content: If `true`, disables the iCloud password for local accounts. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.preferences.users/example1.plist diff --git a/mdm/profiles/com.apple.profileRemovalPassword.yaml b/mdm/profiles/com.apple.profileRemovalPassword.yaml index 6ec99f0..2caff8b 100644 --- a/mdm/profiles/com.apple.profileRemovalPassword.yaml +++ b/mdm/profiles/com.apple.profileRemovalPassword.yaml @@ -34,7 +34,7 @@ payload: introduced: n/a payloadkeys: - key: RemovalPassword - title: Removal Password + title: Removal password type: presence: optional content: The password to allow removing the profile. @@ -44,3 +44,7 @@ notes: profile from the device. If this payload is present and has a password value set, the device asks for the password when the user taps a profile's Remove button. This system encrypts the payload with the rest of the profile. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.profileRemovalPassword/example1.plist diff --git a/mdm/profiles/com.apple.proxy.http.global.yaml b/mdm/profiles/com.apple.proxy.http.global.yaml index db9febe..700a2c1 100644 --- a/mdm/profiles/com.apple.proxy.http.global.yaml +++ b/mdm/profiles/com.apple.proxy.http.global.yaml @@ -41,7 +41,7 @@ payload: content: PEM-encoded cer payloadkeys: - key: ProxyType - title: Proxy Type + title: Proxy type type: presence: optional rangelist: @@ -52,27 +52,27 @@ payloadkeys: server address, including its port, and optionally a user name and password. For an auto proxy type, you can enter a PAC URL. - key: ProxyServer - title: Proxy Server + title: Proxy server type: subtype: presence: optional content: The proxy server's network address. The device requires this if `ProxyType` is set to `Manual`, and ignores it if `ProxyType` is set to `Automatic`. - key: ProxyServerPort - title: Proxy Server Port + title: Proxy server port type: presence: optional content: The proxy server's port number. The device requires this if `ProxyType` is set to `Manual`, and ignores this if `ProxyType` is set to `Automatic`. - key: ProxyUsername - title: Proxy Username + title: Proxy username type: presence: optional content: The user name used to authenticate to the proxy server. The device only uses this if `ProxyType` is set to `Manual`, and ignores it if `ProxyType` is set to `Automatic`. - key: ProxyPassword - title: Proxy Password + title: Proxy password type: presence: optional content: The password used to authenticate to the proxy server. The device only @@ -87,7 +87,7 @@ payloadkeys: allowed. This is only used if `ProxyType` is set to `Automatic`, and is ignored if `ProxyType` is set to `Manual`. - key: ProxyPACFallbackAllowed - title: Proxy PAC Fallback Allowed + title: Proxy PAC fallback allowed supportedOS: iOS: introduced: '7.0' @@ -97,7 +97,7 @@ payloadkeys: content: If `true`, allows connecting directly to the destination if the proxy autoconfiguration (PAC) file is unreachable. - key: ProxyCaptiveLoginAllowed - title: Proxy Bypass Allowed + title: Proxy bypass allowed supportedOS: iOS: introduced: '7.0' @@ -109,3 +109,7 @@ payloadkeys: notes: - title: '' content: There can only be one payload of this type on the device at any time. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.proxy.http.global/example1.plist diff --git a/mdm/profiles/com.apple.relay.managed.yaml b/mdm/profiles/com.apple.relay.managed.yaml index fcd882d..e72ccf5 100644 --- a/mdm/profiles/com.apple.relay.managed.yaml +++ b/mdm/profiles/com.apple.relay.managed.yaml @@ -48,11 +48,11 @@ payloadkeys: system can chain together. subkeys: - key: Relay - title: Network Relay + title: Network relay type: subkeys: - key: HTTP3RelayURL - title: HTTP/3 Relay URL + title: HTTP/3 relay URL type: presence: optional content: |- @@ -60,7 +60,7 @@ payloadkeys: Each relay needs to include either `HTTP2RelayURL` or `HTTP3RelayURL`, or it can include both. - key: HTTP2RelayURL - title: HTTP/2 Relay URL + title: HTTP/2 relay URL type: presence: optional content: |- @@ -68,7 +68,7 @@ payloadkeys: Each relay needs to include either `HTTP2RelayURL` or `HTTP3RelayURL`, or it can include both. - key: AdditionalHTTPHeaderFields - title: Additional HTTP Header Fields + title: Additional HTTP header fields type: presence: optional content: A dictionary that contains custom HTTP header keys and values to add @@ -88,7 +88,7 @@ payloadkeys: content: The UUID that points to an identity certificate payload, which the system uses to authenticate the user to the relay server. - key: RawPublicKeys - title: Raw Public Keys + title: Raw public keys type: presence: optional content: |- @@ -97,10 +97,10 @@ payloadkeys: If this array is empty, the system uses the default TLS trust evaluation. subkeys: - key: RawPublicKeysElement - title: Raw Public Key Element + title: Raw public key element type: - key: MatchDomains - title: Match Domains + title: Match domains type: presence: optional content: |- @@ -111,10 +111,10 @@ payloadkeys: If this list and `MatchFQDNs` are empty, the system routes traffic to all domains to the relay servers, except those that match an excluded domain or excluded FQDN. subkeys: - key: MatchDomainsElement - title: Match Domains Element + title: Match domains element type: - key: ExcludedDomains - title: Excluded Domains + title: Excluded domains type: presence: optional content: A list of domain strings to exclude from routing through the servers in @@ -122,7 +122,7 @@ payloadkeys: of the listed domain won't use the relay server. subkeys: - key: ExcludedDomainsElement - title: Excluded Domains Element + title: Excluded domains element type: - key: MatchFQDNs title: Match FQDNs @@ -137,14 +137,14 @@ payloadkeys: introduced: '2.4' type: presence: optional - content: A list of Fully Qualified Domain Names (FQDNs) to be routed through the - servers contained in `Relays`. Any connection that matches an FQDN in the list - exactly uses the relay servers. If this list and `MatchDomains` are empty, the - system routes traffic to all domains to the relay servers, except those that match - an excluded domain or excluded FQDN. + content: A list of Fully Qualified Domain Names (FQDNs) to route through the servers + contained in `Relays`. Any connection that matches an FQDN in the list exactly + uses the relay servers. If this list and `MatchDomains` are empty, the system + routes traffic to all domains to the relay servers, except those that match an + excluded domain or excluded FQDN. subkeys: - key: MatchFQDNsElement - title: Match FQDNs Element + title: Match FQDNs element type: - key: ExcludedFQDNs title: Excluded FQDNs @@ -163,19 +163,23 @@ payloadkeys: through the servers contained in `Relays`. Any connection that matches an FQDN in the list exactly won't use the relay server. When `MatchDomains` is also present, any FQDN listed in the list should be a subdomain of at least one `MatchDomain` - value, otherwise it will not have any effect. + value, otherwise it won't have any effect. subkeys: - key: ExcludedFQDNsElement - title: Excluded FQDNs Element + title: Excluded FQDNs element type: - key: RelayUUID + title: Relay UUID + supportedOS: + macOS: + introduced: n/a type: presence: optional content: A globally unique identifier for this relay configuration. The system uses this UUID to route managed apps through the servers in `Relays`. This key is required for user enrollment. - key: UIToggleEnabled - title: UI Toggle Enabled + title: UI toggle enabled supportedOS: iOS: introduced: '26.0' @@ -190,7 +194,7 @@ payloadkeys: default: true content: If `true`, the device allows the user to disable this network relay configuration. - key: AllowDNSFailover - title: Allow DNS Failover + title: Allow DNS failover supportedOS: iOS: introduced: '26.0' diff --git a/mdm/profiles/com.apple.screensaver.user.yaml b/mdm/profiles/com.apple.screensaver.user.yaml index 506bcd6..6f5b3b6 100644 --- a/mdm/profiles/com.apple.screensaver.user.yaml +++ b/mdm/profiles/com.apple.screensaver.user.yaml @@ -38,3 +38,7 @@ payloadkeys: presence: optional content: The number of seconds of inactivity before the screen saver activates (`0` = Never activate). +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.screensaver.user/example1.plist diff --git a/mdm/profiles/com.apple.screensaver.yaml b/mdm/profiles/com.apple.screensaver.yaml index 8ec71d1..42c6332 100644 --- a/mdm/profiles/com.apple.screensaver.yaml +++ b/mdm/profiles/com.apple.screensaver.yaml @@ -30,19 +30,18 @@ payloadkeys: type: presence: optional default: false - content: If `true`, the user is prompted for a password when the screen saver is - unlocked or stopped. When you use this prompt, you must also provide `askForPasswordDelay`. - Available in macOS 10.13 and later. + content: If `true`, the device prompts the user for a password when the screen saver + is unlocked or stopped. When you use this prompt, you must also provide `askForPasswordDelay`. - key: askForPasswordDelay supportedOS: macOS: introduced: '10.13' type: presence: optional - content: The number of seconds to delay before the password will be required to - unlock or stop the screen saver (the grace period). A value of `2147483647` (for - example, `0x7FFFFFFF`) disables this requirement. To use this option, you must - set `askForPassword` to `true`. Available in macOS 10.13 and later. + content: The number of seconds to delay before the device requires a password to + unlock or stop the screen saver (the grace period). A value of `2147483647` (hexadecimal + equivalent of `0x7FFFFFFF`) disables this requirement, and a value of `0` immediately + requires the password. To use this option, you must set `askForPassword` to `true`. - key: idleTime type: presence: optional @@ -56,3 +55,7 @@ payloadkeys: type: presence: required content: The name of the screen saver module. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.screensaver/example1.plist diff --git a/mdm/profiles/com.apple.secondactiveethernet.managed.yaml b/mdm/profiles/com.apple.secondactiveethernet.managed.yaml index b3a304a..e3f47e3 100644 --- a/mdm/profiles/com.apple.secondactiveethernet.managed.yaml +++ b/mdm/profiles/com.apple.secondactiveethernet.managed.yaml @@ -34,8 +34,12 @@ notes: content: |- This payload's contents contain these profile-specific keys: - - Interface (String): This payload uses the value `SecondActiveEthernet`. - - EAPClientConfiguration (`EAPClientConfiguration`): The dictionary that defines the enterprise profile for the network. - - SetupModes (String): The type of connection mode, which is either "System" or "Loginwindow." "System" is the default. + * Interface (String): This payload uses the value `SecondActiveEthernet`. + * EAPClientConfiguration (`EAPClientConfiguration`): The dictionary that defines the enterprise profile for the network. + * SetupModes (String): The type of connection mode, which is either "System" or "Loginwindow." "System" is the default. Payloads with `active` in their name apply to Ethernet interfaces that are working at the time of profile installation. If there's no active Ethernet interface working, this payload configures the interface with the highest service-order priority. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.secondactiveethernet.managed/example1.plist diff --git a/mdm/profiles/com.apple.secondethernet.managed.yaml b/mdm/profiles/com.apple.secondethernet.managed.yaml index dee1ddf..987530d 100644 --- a/mdm/profiles/com.apple.secondethernet.managed.yaml +++ b/mdm/profiles/com.apple.secondethernet.managed.yaml @@ -34,8 +34,12 @@ notes: content: |- This payload's contents contain these profile-specific keys: - - Interface (String): This payload uses the value `SecondEthernet`. - - EAPClientConfiguration (`EAPClientConfiguration`): The dictionary that defines the enterprise profile for the network. - - SetupModes (String): The type of connection mode, which is either "System" or "Loginwindow." "System" is the default. + * Interface (String): This payload uses the value `SecondEthernet`. + * EAPClientConfiguration (`EAPClientConfiguration`): The dictionary that defines the enterprise profile for the network. + * SetupModes (String): The type of connection mode, which is either "System" or "Loginwindow." "System" is the default. This payload applies to Ethernet interfaces according to service order, regardless of whether the interface is working. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.secondethernet.managed/example1.plist diff --git a/mdm/profiles/com.apple.security.FDERecoveryKeyEscrow.yaml b/mdm/profiles/com.apple.security.FDERecoveryKeyEscrow.yaml index 96704de..779b531 100644 --- a/mdm/profiles/com.apple.security.FDERecoveryKeyEscrow.yaml +++ b/mdm/profiles/com.apple.security.FDERecoveryKeyEscrow.yaml @@ -68,3 +68,7 @@ notes: - The system doesn't provide a warning or error if FileVault is already enabled and an old-style payload is installed. In this case, it's assumed that the recovery key has already been escrowed with the server. Although the system no longer supports the previous FDE Recovery payload in macOS 10.13 and later, it's still supported in macOS 10.9 through 10.12. Designate that payload by specifying `com.apple.security.FDERecoveryRedirect` as the payload type. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.security.FDERecoveryKeyEscrow/example1.plist diff --git a/mdm/profiles/com.apple.security.FDERecoveryRedirect.yaml b/mdm/profiles/com.apple.security.FDERecoveryRedirect.yaml index 70bff75..9eacac1 100644 --- a/mdm/profiles/com.apple.security.FDERecoveryRedirect.yaml +++ b/mdm/profiles/com.apple.security.FDERecoveryRedirect.yaml @@ -33,14 +33,14 @@ payloadkeys: - key: RedirectURL type: presence: required - content: The URL to which FDE recovery keys should be sent instead of to Apple. + content: The URL to which the device sends FDE recovery keys instead of to Apple. The URL must begin with https://. - key: EncryptCertPayloadUUID type: presence: required content: The UUID of a payload within the same profile that contains a certificate - used to encrypt the recovery key when it's sent to the redirected URL. The referenced - payload must be of type \`com.apple.security.pkcs1\`. + used to encrypt the recovery key when the device sends it to the redirected URL. + The referenced payload must be of type \`com.apple.security.pkcs1\`. notes: - title: '' content: |- diff --git a/mdm/profiles/com.apple.security.acme.yaml b/mdm/profiles/com.apple.security.acme.yaml index 672beb8..d7aa2fe 100644 --- a/mdm/profiles/com.apple.security.acme.yaml +++ b/mdm/profiles/com.apple.security.acme.yaml @@ -60,13 +60,13 @@ payloadkeys: determine whether to trust the device. Though this is a relatively weak indication because of the risk that an attacker can intercept the client identifier. - key: KeySize - title: Key Size + title: Key size type: presence: required content: The valid values for `KeySize` depend on the values of `KeyType` and `HardwareBound`. See those keys for specific requirements. - key: KeyType - title: Key Type + title: Key type type: presence: required rangelist: @@ -81,7 +81,7 @@ payloadkeys: > Note: > The key size is `521`, not `512`, even though the other key sizes are multiples of 64. - key: HardwareBound - title: Hardware Bound + title: Hardware bound type: presence: required content: |- @@ -91,7 +91,7 @@ payloadkeys: If `true`, `KeyType` must be `ECSECPrimeRandom` and `KeySize` must be 256 or 384. - Setting this key to `true` is supported as of macOS 14 on Apple Silicon and Intel devices that have a T2 chip. Older macOS versions or other Mac devices require this key but it must have a value of `false`. + macOS 14 on Apple silicon and Intel devices that have a T2 chip support setting this key to `true`. Older macOS versions or other Mac devices require this key but it must have a value of `false`. - key: Subject title: Subject type: @@ -106,21 +106,21 @@ payloadkeys: Dotted numbers can represent OIDs , with shortcuts for country (C), locality (L), state (ST), organization (O), organizational unit (OU), and common name (CN). subkeys: - key: ACMESubjectArrayInnerArray - title: Array Inside ACME Subject Array + title: Array inside ACME subject array type: subkeys: - key: ACMESubjectArrayPair - title: Subject Array Pair + title: Subject array pair type: subkeys: - key: ACMESubjectArrayPairItem - title: ACME Subject Array Pair Item + title: ACME subject array pair item type: repetition: min: 2 max: 2 - key: SubjectAltName - title: Subject Alt Name + title: Subject alt name type: presence: optional content: The Subject Alt Name that the device requests for the certificate that @@ -128,12 +128,12 @@ payloadkeys: certificate it issues. subkeys: - key: rfc822Name - title: RFC 822 Name + title: RFC 822 name type: presence: optional content: The RFC 822 (email address) string. - key: dNSName - title: DNS Name + title: DNS name type: presence: optional content: The DNS name. @@ -143,12 +143,12 @@ payloadkeys: presence: optional content: The Uniform Resource Identifier. - key: ntPrincipalName - title: NT Principal Name + title: NT principal name type: presence: optional content: The NT principal name. Use an other name OID set to `1.3.6.1.4.1.311.20.2.3`. - key: UsageFlags - title: Key Usage + title: Key usage type: presence: optional content: |- @@ -159,7 +159,7 @@ payloadkeys: The device requests this key for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues. - key: ExtendedKeyUsage - title: Extended Key Usage + title: Extended key usage type: presence: optional content: |- @@ -183,7 +183,7 @@ payloadkeys: When `Attest` is `true`, `HardwareBound` also needs to be `true`. - Setting this key to `true` is supported as of macOS 14. Older macOS versions require this key but it must have a value of `false`. See below for hardware requirements. + macOS 14 supports setting this key to `true`. Older macOS versions require this key but it must have a value of `false`. See below for hardware requirements. - key: KeyIsExtractable supportedOS: iOS: @@ -197,10 +197,11 @@ payloadkeys: type: presence: optional default: true - content: If `true`, the private key of the identity obtained through Automated Certificate - Management Environment (ACME) needs to be tagged as "non-extractable" in the keychain. + content: If `false`, the device tags the private key of the identity obtained through + Automated Certificate Management Environment (ACME) as "non-extractable" in the + keychain. - key: AllowAllAppsAccess - title: Allow All Apps Access + title: Allow all apps access supportedOS: iOS: introduced: n/a @@ -231,4 +232,8 @@ notes: |--------------------|--------------------------------------|----------------|-------------------------|----------------|------------| | Must be false | none | T1 and earlier | none | none | none | | Ignored | A10x Fusion and earlier | T2 | A10x Fusion and earlier | S3 and earlier | none | - | Supported | A11 Bionic and later
All M series | Apple Silicon | A12 Bionic and later | S4 and later | All | + | Supported | A11 Bionic and later
All M series | Apple silicon | A12 Bionic and later | S4 and later | All | +examples: + title: Example profile + files: + - file: examples/mdm/profiles/com.apple.security.acme/example1.plist diff --git a/mdm/profiles/com.apple.security.certificatepreference.yaml b/mdm/profiles/com.apple.security.certificatepreference.yaml index 671c5cc..88261d7 100644 --- a/mdm/profiles/com.apple.security.certificatepreference.yaml +++ b/mdm/profiles/com.apple.security.certificatepreference.yaml @@ -43,3 +43,7 @@ notes: A `CertificatePreference` payload lets you identify a certificate preference item in the user's keychain that references a certificate payload included in the same profile. It can only appear in a user profile, not a device profile. You can include multiple `CertificatePreference` payloads as needed. See also `IdentityPreference` for information about setting up identity preferences. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.security.certificatepreference/example1.plist diff --git a/mdm/profiles/com.apple.security.certificaterevocation.yaml b/mdm/profiles/com.apple.security.certificaterevocation.yaml index 69a86a6..1161b6e 100644 --- a/mdm/profiles/com.apple.security.certificaterevocation.yaml +++ b/mdm/profiles/com.apple.security.certificaterevocation.yaml @@ -30,7 +30,7 @@ payload: content: Policies that affect system-wide certificate revocation checking. payloadkeys: - key: EnabledForCerts - title: Enabled Certs + title: Enabled certs type: presence: optional content: |- @@ -57,3 +57,7 @@ payloadkeys: The hash of the DER-encoding of the certificate's `subjectPublicKeyInfo`. The hash field requires the data (`subjectPublicKeyInfo` hash) in a specific format: a Base64 encoded (binary) SHA-256 hash of the certificate's public key. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.security.certificaterevocation/example1.plist diff --git a/mdm/profiles/com.apple.security.certificatetransparency.yaml b/mdm/profiles/com.apple.security.certificatetransparency.yaml index 17b5d61..03c3055 100644 --- a/mdm/profiles/com.apple.security.certificatetransparency.yaml +++ b/mdm/profiles/com.apple.security.certificatetransparency.yaml @@ -44,14 +44,14 @@ payload: content: Policies that affect system-wide certificate transparency enforcement. payloadkeys: - key: DisabledForCerts - title: Disabled Certs + title: Disabled certs type: presence: optional content: |- An array of certificates for which certificate transparency is disabled. One of the following conditions needs to be met to disable certificate transparency enforcement when this policy is set: - The hash is of the server certificate's `subjectPublicKeyInfo`. - - The hash is of a `subjectPublicKeyInfo` that appears in a CA certificate in the certificate chain; the CA certificate is constrained through the X.509v3 `nameConstraints` extension. One or more `directoryName` `nameConstraints` are present in the `permittedSubtrees`, and the `directoryName` contains an `organizationName` attribute. + - The hash is of a `subjectPublicKeyInfo` that appears in a CA certificate in the certificate chain; the X.509v3 `nameConstraints` extension constrains the CA certificate. One or more `directoryName` `nameConstraints` are present in the `permittedSubtrees`, and the `directoryName` contains an `organizationName` attribute. - The hash is of a `subjectPublicKeyInfo` that appears in a CA certificate in the certificate chain. The CA certificate has one or more `organizationName` attributes in the certificate `Subject`, and the server's certificate contains the same number of `organizationName` attributes, in the same order, and with byte-for-byte identical values. subkeys: - key: SubjectPublicKeyInfoHashDict @@ -82,3 +82,7 @@ payloadkeys: subkeys: - key: domain type: +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.security.certificatetransparency/example1.plist diff --git a/mdm/profiles/com.apple.security.firewall.yaml b/mdm/profiles/com.apple.security.firewall.yaml index fe1d045..ee7ed85 100644 --- a/mdm/profiles/com.apple.security.firewall.yaml +++ b/mdm/profiles/com.apple.security.firewall.yaml @@ -49,7 +49,7 @@ payloadkeys: type: subkeys: - key: BundleID - title: Application Identifier + title: Application identifier type: presence: required content: The bundle identifier for the app. @@ -66,8 +66,7 @@ payloadkeys: removed: '15.0' type: presence: optional - content: If `true`, the system enables logging. Available in macOS 12 through macOS - 14.6. + content: If `true`, the system enables logging. - key: LoggingOption supportedOS: macOS: @@ -80,7 +79,7 @@ payloadkeys: - throttled - brief - detail - content: The type of logging. Available in macOS 12 and through macOS 14.6. + content: The type of logging. - key: AllowSigned supportedOS: macOS: @@ -89,7 +88,7 @@ payloadkeys: presence: optional default: true content: |- - If `true`, the system allows built-in software to receive incoming connections. Available in macOS 12.3 and later. + If `true`, the system allows built-in software to receive incoming connections. > Note: > The system ensures that `AllowSigned` always has a value. If missing from the payload, the system sets it to `true`. @@ -101,7 +100,7 @@ payloadkeys: presence: optional default: true content: |- - If `true`, the system allows downloaded signed software to receive incoming connections. Available in macOS 12.3 and later. + If `true`, the system allows downloaded signed software to receive incoming connections. > Note: > The system ensures that `AllowSignedApp` always has a value. If missing from the payload, the system sets it to `true`. @@ -111,3 +110,7 @@ notes: The payload needs to exist in a system-scoped profile. If more than one profile contains this payload, the system uses the most restrictive union of settings. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.security.firewall/example1.plist diff --git a/mdm/profiles/com.apple.security.identitypreference.yaml b/mdm/profiles/com.apple.security.identitypreference.yaml index c173a19..66e85af 100644 --- a/mdm/profiles/com.apple.security.identitypreference.yaml +++ b/mdm/profiles/com.apple.security.identitypreference.yaml @@ -45,3 +45,7 @@ notes: You can include multiple `IdentityPreference` payloads as needed. See also `CertificatePreference` for setting up certificate preferences. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.security.identitypreference/example1.plist diff --git a/mdm/profiles/com.apple.security.pem.yaml b/mdm/profiles/com.apple.security.pem.yaml index 6524b35..abc2b21 100644 --- a/mdm/profiles/com.apple.security.pem.yaml +++ b/mdm/profiles/com.apple.security.pem.yaml @@ -44,12 +44,16 @@ payload: content: PEM-encoded certificate without private key. May contain root certificates. payloadkeys: - key: PayloadCertificateFileName - title: Payload Certificate Filename + title: Payload certificate filename type: presence: optional content: The file name of the enclosed certificate. - key: PayloadContent - title: Payload Certificate Data + title: Payload certificate data type: presence: required content: The binary representation of the payload, encoded in Base64. +examples: + title: Example profile + files: + - file: examples/mdm/profiles/com.apple.security.pem/example1.plist diff --git a/mdm/profiles/com.apple.security.pkcs1.yaml b/mdm/profiles/com.apple.security.pkcs1.yaml index 744aa66..dcc8c1e 100644 --- a/mdm/profiles/com.apple.security.pkcs1.yaml +++ b/mdm/profiles/com.apple.security.pkcs1.yaml @@ -44,12 +44,16 @@ payload: content: DER-encoded certificate without private key. May contain root certificates. payloadkeys: - key: PayloadCertificateFileName - title: Payload Certificate Filename + title: Payload certificate filename type: presence: optional content: The file name of the enclosed certificate. - key: PayloadContent - title: Payload Certificate Data + title: Payload certificate data type: presence: required content: The binary representation of the payload, encoded in Base64. +examples: + title: Example profile + files: + - file: examples/mdm/profiles/com.apple.security.pkcs1/example1.plist diff --git a/mdm/profiles/com.apple.security.pkcs12.yaml b/mdm/profiles/com.apple.security.pkcs12.yaml index 320b7b4..82ec3da 100644 --- a/mdm/profiles/com.apple.security.pkcs12.yaml +++ b/mdm/profiles/com.apple.security.pkcs12.yaml @@ -44,12 +44,12 @@ payload: content: Password-protected identity certificate. Only one certificate may be included. payloadkeys: - key: PayloadCertificateFileName - title: Payload Certificate Filename + title: Payload certificate filename type: presence: optional content: The file name of the enclosed certificate. - key: PayloadContent - title: Payload Certificate Data + title: Payload certificate data type: presence: required content: The binary representation of the payload, encoded in Base64. @@ -59,7 +59,7 @@ payloadkeys: presence: optional content: The password to the identity. - key: AllowAllAppsAccess - title: Allow All Apps Access + title: Allow all apps access supportedOS: iOS: introduced: n/a @@ -74,8 +74,7 @@ payloadkeys: type: presence: optional default: false - content: If `true`, the system allows apps access to the private key. Available - in macOS 10.10 and later. + content: If `true`, the system allows apps access to the private key. - key: KeyIsExtractable supportedOS: iOS: @@ -104,3 +103,7 @@ notes: - Securely deliver the profile to authorized users only, such as through MDM. - Encrypt the profile so that only authorized devices can decrypt it. - Use `SCEP` or `ACMECertificate` to provision the identity. +examples: + title: Example profile + files: + - file: examples/mdm/profiles/com.apple.security.pkcs12/example1.plist diff --git a/mdm/profiles/com.apple.security.root.yaml b/mdm/profiles/com.apple.security.root.yaml index e095bff..2fb968a 100644 --- a/mdm/profiles/com.apple.security.root.yaml +++ b/mdm/profiles/com.apple.security.root.yaml @@ -44,12 +44,16 @@ payload: content: Alias for com.apple.security.pkcs1. payloadkeys: - key: PayloadCertificateFileName - title: Payload Certificate Filename + title: Payload certificate filename type: presence: optional content: The file name of the enclosed certificate. - key: PayloadContent - title: Payload Certificate Data + title: Payload certificate data type: presence: required content: The binary representation of the payload encoded in base64. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.security.root/example1.plist diff --git a/mdm/profiles/com.apple.security.scep.yaml b/mdm/profiles/com.apple.security.scep.yaml index fcf973a..d1ef807 100644 --- a/mdm/profiles/com.apple.security.scep.yaml +++ b/mdm/profiles/com.apple.security.scep.yaml @@ -45,7 +45,7 @@ payload: allowmanualinstall: true payloadkeys: - key: PayloadContent - title: Payload Content + title: Payload content type: presence: required content: A dictionary containing the SCEP information. @@ -65,7 +65,7 @@ payloadkeys: presence: optional content: A string that's understood by the SCEP server; for example, a domain name like example.org. If a certificate authority has multiple CA certificates, - this field can be used to distinguish which is required. + use this field to distinguish which is required. - key: Subject title: Subject type: @@ -75,18 +75,18 @@ payloadkeys: For example, `/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar` translates to `[ [ ["C", "US"] ], [ ["O", "Apple Inc."] ], …, [ [ "1.2.5.3", "bar" ] ] ]`. - OIDs can be represented as dotted numbers, with shortcuts for country (C), locality (L), state (ST), organization (O), organizational unit (OU), and common name (CN). + You can represent OIDs as dotted numbers, with shortcuts for country (C), locality (L), state (ST), organization (O), organizational unit (OU), and common name (CN). subkeys: - key: SCEPSubjectArrayInnerArray - title: Array Inside SCEP Subject Array + title: Array inside SCEP subject array type: subkeys: - key: SCEPSubjectArrayPair - title: Subject Array Pair + title: Subject array pair type: subkeys: - key: SCEPSubjectArrayPairItem - title: SCEP Subject Array Pair Item + title: SCEP subject array pair item type: repetition: min: 2 @@ -97,7 +97,7 @@ payloadkeys: presence: optional content: A preshared secret. - key: Keysize - title: Key Size + title: Key size type: presence: optional rangelist: @@ -107,13 +107,13 @@ payloadkeys: default: 1024 content: The key size, in bits. - key: Key Type - title: Key Type + title: Key type type: presence: optional default: RSA content: Always `RSA`. - key: Key Usage - title: Key Usage + title: Key usage supportedOS: macOS: introduced: '10.11' @@ -143,17 +143,17 @@ payloadkeys: content: The number of times the device should retry if the server sends a PENDING response. - key: RetryDelay - title: Retry Delay + title: Retry delay supportedOS: macOS: introduced: '10.10' type: presence: optional default: 10 - content: The number of seconds to wait between subsequent retries. The first retry - is attempted without this delay. + content: The number of seconds to wait between subsequent retries. The device + attempts the first retry without this delay. - key: SubjectAltName - title: Subject Alt Name + title: Subject alt name type: presence: optional content: The SCEP payload can specify an optional `SubjectAltName` dictionary @@ -164,12 +164,12 @@ payloadkeys: and Configuration. subkeys: - key: rfc822Name - title: RFC 822 Name + title: RFC 822 name type: presence: optional content: The RFC 822 (email address) string. - key: dNSName - title: DNS Name + title: DNS name type: presence: optional content: The DNS name. @@ -179,7 +179,7 @@ payloadkeys: presence: optional content: The Uniform Resource Identifier. - key: ntPrincipalName - title: NT Principal Name + title: NT principal name type: presence: optional content: The NT principal name. Use an other name OID set to `1.3.6.1.4.1.311.20.2.3`. @@ -192,7 +192,7 @@ payloadkeys: default: true content: If `false`, the system disables exporting the private key from the keychain. - key: AllowAllAppsAccess - title: Allow All Apps Access + title: Allow all apps access supportedOS: macOS: introduced: '10.10' @@ -204,3 +204,7 @@ notes: - title: '' content: A SCEP payload automates the request of a client certificate from a SCEP server, as described in [Over-the-Air Profile Delivery and Configuration](https://developer.apple.com/library/archive/documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/Introduction/Introduction.html). +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.security.scep/example1.plist diff --git a/mdm/profiles/com.apple.security.smartcard.yaml b/mdm/profiles/com.apple.security.smartcard.yaml index 817c55a..8aa95d9 100644 --- a/mdm/profiles/com.apple.security.smartcard.yaml +++ b/mdm/profiles/com.apple.security.smartcard.yaml @@ -34,9 +34,9 @@ payloadkeys: presence: optional default: true content: If `false`, the system disables smart cards for logins, authorizations, - and screen saver unlocking. It is still allowed for other functions, such as signing - emails and accessing the web. A restart is required for a setting change to take - effect. + and screen saver unlocking. It's still allowed for other functions, such as signing + emails and accessing the web. The device requires a restart for a setting change + to take effect. - key: checkCertificateTrust type: presence: optional @@ -50,9 +50,9 @@ payloadkeys: Configures the certificate trust check and has one of the following possible values: - `0`: Turns off certificate trust check. - - `1`: Turns on certificate trust check. A standard validity check is performed but doesn't include additional revocation checks. - - `2`: Turns on certificate trust check. A soft revocation check is also performed. Until the certificate is explicitly rejected by CRL/OCSP, it's considered valid. This setting means that unavailable or unreachable CRL/OCSP allow this check to succeed. - - `3`: Turns on certificate trust check. A hard revocation check is also performed. Unless CRL/OCSP explicitly says "This certificate is OK," it's considered invalid. This option is the most secure. + - `1`: Turns on certificate trust check. The device performs a standard validity check but doesn't include additional revocation checks. + - `2`: Turns on certificate trust check. The device also performs a soft revocation check. Until CRL/OCSP explicitly rejects the certificate, the device considers it valid. This setting means that unavailable or unreachable CRL/OCSP allow this check to succeed. + - `3`: Turns on certificate trust check. The device also performs a hard revocation check. Unless CRL/OCSP explicitly says "This certificate is OK," the device considers it invalid. This option is the most secure. - key: oneCardPerUser type: presence: optional @@ -69,8 +69,8 @@ payloadkeys: - 0 - 1 default: 0 - content: If `1`, the system enables the screen saver when the smart card is removed. - Available in macOS 10.13.4 and later. + content: If `1`, the device enables the screen saver when the user removes the smart + card. - key: enforceSmartCard supportedOS: macOS: @@ -78,5 +78,8 @@ payloadkeys: type: presence: optional default: false - content: If `true`, a user can only log in or authenticate with a smart card. Available - in macOS 10.13.2 and later. + content: If `true`, a user can only log in or authenticate with a smart card. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.security.smartcard/example1.plist diff --git a/mdm/profiles/com.apple.servicemanagement.yaml b/mdm/profiles/com.apple.servicemanagement.yaml index 037c905..1d7dc22 100644 --- a/mdm/profiles/com.apple.servicemanagement.yaml +++ b/mdm/profiles/com.apple.servicemanagement.yaml @@ -38,7 +38,7 @@ payloadkeys: content: A specification for matching one or more login items. subkeys: - key: RuleType - title: Rule Type + title: Rule type type: presence: required rangelist: @@ -49,7 +49,7 @@ payloadkeys: - TeamIdentifier content: The type of comparison to make. - key: RuleValue - title: Rule Value + title: Rule value type: presence: required content: The value to compare with each login item's value, to determine if @@ -60,8 +60,12 @@ payloadkeys: presence: optional content: An optional description of the rule. - key: TeamIdentifier - title: Team Identifier + title: Team identifier type: presence: optional content: An additional constraint to limit the scope of the rule that the system tests after matching the `RuleType` and `RuleValue`. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.servicemanagement/example1.plist diff --git a/mdm/profiles/com.apple.shareddeviceconfiguration.yaml b/mdm/profiles/com.apple.shareddeviceconfiguration.yaml index 88409d0..d020eaf 100644 --- a/mdm/profiles/com.apple.shareddeviceconfiguration.yaml +++ b/mdm/profiles/com.apple.shareddeviceconfiguration.yaml @@ -26,13 +26,13 @@ payload: Lock Screen (i.e. a footnote and Asset Tag Information). payloadkeys: - key: AssetTagInformation - title: Asset Tag + title: Asset tag type: presence: optional content: The asset tag information for the device, displayed in the Login Window and Lock Screen. - key: IfLostReturnToMessage - title: If Lost message + title: If lost message supportedOS: iOS: introduced: '9.3' @@ -52,3 +52,7 @@ notes: content: This payload allows administrators to specify optional text displayed in the Login Window and Lock Screen (for example, an "If Lost, Return To" message and asset tag information). There can only be one Lock Screen payload. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.shareddeviceconfiguration/example1.plist diff --git a/mdm/profiles/com.apple.sso.yaml b/mdm/profiles/com.apple.sso.yaml index dbcddfc..91a017f 100644 --- a/mdm/profiles/com.apple.sso.yaml +++ b/mdm/profiles/com.apple.sso.yaml @@ -78,3 +78,7 @@ payloadkeys: notes: - title: '' content: Deprecated in iOS 26. Use the `ExtensibleSingleSignOn` payload instead. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.sso/example1.plist diff --git a/mdm/profiles/com.apple.subscribedcalendar.account.yaml b/mdm/profiles/com.apple.subscribedcalendar.account.yaml index bfaca24..9aa83c0 100644 --- a/mdm/profiles/com.apple.subscribedcalendar.account.yaml +++ b/mdm/profiles/com.apple.subscribedcalendar.account.yaml @@ -62,4 +62,7 @@ payloadkeys: type: presence: optional content: The VPNUUID of the per-app VPN the account uses for network communication. - Available in iOS 14 and later. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.subscribedcalendar.account/example1.plist diff --git a/mdm/profiles/com.apple.syspolicy.kernel-extension-policy.yaml b/mdm/profiles/com.apple.syspolicy.kernel-extension-policy.yaml index 029b3da..5737054 100644 --- a/mdm/profiles/com.apple.syspolicy.kernel-extension-policy.yaml +++ b/mdm/profiles/com.apple.syspolicy.kernel-extension-policy.yaml @@ -32,10 +32,8 @@ payloadkeys: type: presence: optional default: false - content: |- - If `true`, nonadministrative users can approve additional kernel extensions in the Security & Privacy preferences. - - Available in macOS 11 and later. + content: If `true`, nonadministrative users can approve additional kernel extensions + in the Security & Privacy preferences. - key: AllowUserOverrides type: presence: optional @@ -67,3 +65,7 @@ payloadkeys: type: presence: required content: Kernel extension data. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.syspolicy.kernel-extension-policy/example1.plist diff --git a/mdm/profiles/com.apple.system-extension-policy.yaml b/mdm/profiles/com.apple.system-extension-policy.yaml index 323f12f..04a5808 100644 --- a/mdm/profiles/com.apple.system-extension-policy.yaml +++ b/mdm/profiles/com.apple.system-extension-policy.yaml @@ -62,7 +62,7 @@ payloadkeys: type: presence: optional content: The mapping of team identifier to an array of strings, where each string - is a type of system extension that may be installed for that team identifier. + is a type of system extension that you can install for that team identifier. subkeys: - key: AllowedSystemExtensionTypesItems type: @@ -82,7 +82,7 @@ payloadkeys: type: presence: optional content: The mapping of team identifiers to arrays of bundle identifiers, where - the bundle identifier is that of the system extension to be installed. + the bundle identifier defines the system extension to install. subkeys: - key: AllowedSystemExtensionsItems type: @@ -94,10 +94,11 @@ payloadkeys: introduced: '12.0' type: presence: optional - content: |- - A dictionary of system extensions that are allowed to remove themselves from the machine. The dictionary maps team identifiers (keys) to arrays of bundle identifiers, where the bundle identifier defines the system extension. An application using the `OSSystemExtensionDeactivationRequest` API can deactivate the specified system extensions without requiring an administrator to authorize the operation. - - Available in macOS 12 and later. + content: A dictionary of system extensions that are allowed to remove themselves + from the machine. The dictionary maps team identifiers (keys) to arrays of bundle + identifiers, where the bundle identifier defines the system extension. An application + using the `OSSystemExtensionDeactivationRequest` API can deactivate the specified + system extensions without requiring an administrator to authorize the operation. subkeys: - key: ANY type: @@ -141,7 +142,7 @@ payloadkeys: the team identifiers (keys) to arrays of bundle identifiers, where the bundle identifier defines the system extension which can't be disabled or uninstalled from System Settings or Finder. The set of system extensions between `RemovableSystemExtensions` - and `NonRemovableFromUISystemExtensions` can to overlap. + and `NonRemovableFromUISystemExtensions` can't overlap. subkeys: - key: ANY type: @@ -161,3 +162,7 @@ notes: - All the other values combine together. Beginning in macOS 11.3, installing or removing this payload can change the state of system extensions on the computer. If a containing application activates a system extension, and the system extension is in a pending state, installing a payload that allows the extension completes the activation process. If a system extension is active, removing a payload that allows the extension deactivates that extension. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.system-extension-policy/example1.plist diff --git a/mdm/profiles/com.apple.system.logging.yaml b/mdm/profiles/com.apple.system.logging.yaml deleted file mode 100644 index a1346ae..0000000 --- a/mdm/profiles/com.apple.system.logging.yaml +++ /dev/null @@ -1,58 +0,0 @@ -title: System Logging -description: The payload that configures system logging. -payload: - payloadtype: com.apple.system.logging - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.12' - multiple: true - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a -payloadkeys: -- key: Processes - supportedOS: - macOS: - introduced: n/a - type: - presence: optional - content: Not to be used. - subkeytype: Item - subkeys: &id001 - - key: ANY - type: - presence: optional - content: TBD -- key: Subsystems - supportedOS: - macOS: - introduced: n/a - type: - presence: optional - content: A dictionary enabling the logging level for subsystems. See `Customizing - Logging Behavior While Debugging` for more details about the format of the dictionary. - subkeytype: Item - subkeys: *id001 -- key: System - supportedOS: - macOS: - introduced: n/a - type: - presence: optional - content: This dictionary has one key, `Enable-Private-Data`. Setting that value - to `true` enables private data logging for the entire system. - subkeytype: Item - subkeys: *id001 diff --git a/mdm/profiles/com.apple.systemmigration.yaml b/mdm/profiles/com.apple.systemmigration.yaml index 518b994..0679154 100644 --- a/mdm/profiles/com.apple.systemmigration.yaml +++ b/mdm/profiles/com.apple.systemmigration.yaml @@ -61,3 +61,7 @@ payloadkeys: type: presence: required content: If `true`, the target path is located within a user home directory. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.systemmigration/example1.plist diff --git a/mdm/profiles/com.apple.systempolicy.control.yaml b/mdm/profiles/com.apple.systempolicy.control.yaml index ed6d973..5bf90dc 100644 --- a/mdm/profiles/com.apple.systempolicy.control.yaml +++ b/mdm/profiles/com.apple.systempolicy.control.yaml @@ -45,3 +45,7 @@ payloadkeys: presence: optional content: If `false`, prevents Gatekeeper from prompting the user to upload blocked malware to Apple for purposes of improving malware detection. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.systempolicy.control/example1.plist diff --git a/mdm/profiles/com.apple.systempolicy.managed.yaml b/mdm/profiles/com.apple.systempolicy.managed.yaml index 298eb31..044316e 100644 --- a/mdm/profiles/com.apple.systempolicy.managed.yaml +++ b/mdm/profiles/com.apple.systempolicy.managed.yaml @@ -31,3 +31,7 @@ payloadkeys: presence: optional default: false content: If `true`, disables the Finder's contextual menu item. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.systempolicy.managed/example1.plist diff --git a/mdm/profiles/com.apple.systempolicy.rule.yaml b/mdm/profiles/com.apple.systempolicy.rule.yaml index b9e2984..61a1ba0 100644 --- a/mdm/profiles/com.apple.systempolicy.rule.yaml +++ b/mdm/profiles/com.apple.systempolicy.rule.yaml @@ -33,9 +33,9 @@ payloadkeys: - key: Comment type: presence: optional - content: This string appears in the System Policy UI. If it's missing, `PayloadDisplayName` - or `PayloadDescription` is entered into this field before the rule is added to - the System Policy database. + content: This string appears in the System Policy UI. If it's missing, the device + enters `PayloadDisplayName` or `PayloadDescription` into this field before adding + the rule to the System Policy database. - key: Priority type: presence: optional @@ -56,10 +56,14 @@ payloadkeys: - key: LeafCertificate type: presence: optional - content: The single leaf certificate for the app that is in the allow list. + content: The single leaf certificate for the app that's in the allow list. notes: - title: '' content: |- This payload allows control over Gatekeeper's system policy rules. The keys and functionality are tightly related to the `spctl` command line tool. For more information, see the manual page for `spctl`. This payload can only exist in a device profile. If the payload is present in a user profile, an error occurs during installation and the profile installation fails. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.systempolicy.rule/example1.plist diff --git a/mdm/profiles/com.apple.systempreferences.yaml b/mdm/profiles/com.apple.systempreferences.yaml index 601a6ba..4619d15 100644 --- a/mdm/profiles/com.apple.systempreferences.yaml +++ b/mdm/profiles/com.apple.systempreferences.yaml @@ -97,7 +97,7 @@ payloadkeys: type: presence: optional content: |- - The list of disabled System Settings extensions. All other items will be enabled. When `DisabledSystemSettings` is specified, the device ignores `DisabledPreferencePanes` and `EnabledPreferencePanes`. + The list of disabled System Settings extensions. The device enables all other items. When you specify `DisabledSystemSettings`, the device ignores `DisabledPreferencePanes` and `EnabledPreferencePanes`. > Note: > A given System Settings extension can supply more than one section in System Settings; disabling such an extension disables all sections it supplies. @@ -151,3 +151,7 @@ payloadkeys: - com.apple.settings.Storage - com.apple.systempreferences.AppleIDSettings - com.apple.wifi-settings-extension +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.systempreferences/example1.plist diff --git a/mdm/profiles/com.apple.systemuiserver.yaml b/mdm/profiles/com.apple.systemuiserver.yaml index 3974d8d..bd438c0 100644 --- a/mdm/profiles/com.apple.systemuiserver.yaml +++ b/mdm/profiles/com.apple.systemuiserver.yaml @@ -107,7 +107,7 @@ payloadkeys: type: presence: optional content: |- - A string or an array of media action strings. Internally installed SD cards and USB flash drives are included in the hard disk-external category. + A string or an array of media action strings. The hard disk-external category includes internally installed SD cards and USB flash drives. This key is the default for media types that don't fall into other categories. subkeytype: ActionStringItem diff --git a/mdm/profiles/com.apple.thirdactiveethernet.managed.yaml b/mdm/profiles/com.apple.thirdactiveethernet.managed.yaml index 49eee58..bcf6361 100644 --- a/mdm/profiles/com.apple.thirdactiveethernet.managed.yaml +++ b/mdm/profiles/com.apple.thirdactiveethernet.managed.yaml @@ -34,8 +34,12 @@ notes: content: |- This payload's contents contain these profile-specific keys: - - Interface (String): This payload uses the value `ThirdActiveEthernet`. - - EAPClientConfiguration (`EAPClientConfiguration`): The dictionary that defines the enterprise profile for the network. - - SetupModes (String): The type of connection mode, which is either "System" or "Loginwindow." "System" is the default. + * Interface (String): This payload uses the value `ThirdActiveEthernet`. + * EAPClientConfiguration (`EAPClientConfiguration`): The dictionary that defines the enterprise profile for the network. + * SetupModes (String): The type of connection mode, which is either "System" or "Loginwindow." "System" is the default. Payloads with `active` in their name apply to Ethernet interfaces that are working at the time of profile installation. If there's no active Ethernet interface working, this payload configures the interface with the highest service-order priority. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.thirdactiveethernet.managed/example1.plist diff --git a/mdm/profiles/com.apple.thirdethernet.managed.yaml b/mdm/profiles/com.apple.thirdethernet.managed.yaml index ea4c4c4..e6710b7 100644 --- a/mdm/profiles/com.apple.thirdethernet.managed.yaml +++ b/mdm/profiles/com.apple.thirdethernet.managed.yaml @@ -34,8 +34,12 @@ notes: content: |- This payload's contents contain these profile-specific keys: - - Interface (String): This payload uses the value `ThirdEthernet`. - - EAPClientConfiguration (`EAPClientConfiguration`): The dictionary that defines the enterprise profile for the network. - - SetupModes (String): The type of connection mode, which is either "System" or "Loginwindow." "System" is the default. + * Interface (String): This payload uses the value `ThirdEthernet`. + * EAPClientConfiguration (`EAPClientConfiguration`): The dictionary that defines the enterprise profile for the network. + * SetupModes (String): The type of connection mode, which is either "System" or "Loginwindow." "System" is the default. This payload applies to Ethernet interfaces according to service order, regardless of whether the interface is working. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.thirdethernet.managed/example1.plist diff --git a/mdm/profiles/com.apple.tvremote.yaml b/mdm/profiles/com.apple.tvremote.yaml index 0ed2cd3..10c9708 100644 --- a/mdm/profiles/com.apple.tvremote.yaml +++ b/mdm/profiles/com.apple.tvremote.yaml @@ -68,3 +68,7 @@ payloadkeys: presence: optional content: The name of an Apple TV device that the system permits this iOS device to control. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.tvremote/example1.plist diff --git a/mdm/profiles/com.apple.universalaccess.yaml b/mdm/profiles/com.apple.universalaccess.yaml index fcf40e5..9facfeb 100644 --- a/mdm/profiles/com.apple.universalaccess.yaml +++ b/mdm/profiles/com.apple.universalaccess.yaml @@ -145,3 +145,7 @@ payloadkeys: presence: optional default: false content: If `true`, enables Invert Colors in Display Accommodations. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.universalaccess/example1.plist diff --git a/mdm/profiles/com.apple.vpn.managed.applayer.yaml b/mdm/profiles/com.apple.vpn.managed.applayer.yaml index 4ad0f76..304cf89 100644 --- a/mdm/profiles/com.apple.vpn.managed.applayer.yaml +++ b/mdm/profiles/com.apple.vpn.managed.applayer.yaml @@ -149,10 +149,9 @@ payloadkeys: introduced: '11.0' type: presence: optional - content: |- - An array with entries that must each specify a domain that triggers this VPN. The domains must also be part of the `apple-app-site-association` file, as described in `Supporting associated domains`. - - Available in iOS 14 and later, and macOS 11 and later. + content: An array with entries that must each specify a domain that triggers this + VPN. The domains must also be part of the `apple-app-site-association` file, as + described in `Supporting associated domains`. subkeys: - key: AssociatedDomainsItem type: @@ -166,10 +165,8 @@ payloadkeys: introduced: '11.0' type: presence: optional - content: |- - An array with entries that each specify a domain that doesn't trigger this VPN for connections to the domain. - - Available in iOS 14 and later, and macOS 11 and later. + content: An array with entries that each specify a domain that doesn't trigger this + VPN for connections to the domain. subkeys: - key: ExcludedDomainsItem type: @@ -193,10 +190,7 @@ payloadkeys: introduced: n/a type: presence: optional - content: |- - An array of SMB domains that's accessible through this VPN connection. - - Available in iOS 13 and later. + content: An array of SMB domains that's accessible through this VPN connection. subkeys: - key: SMBDomainsItem type: @@ -207,3 +201,7 @@ notes: content: This profile defines per-app VPN behavior and applies only to VPN services of type `VPN`, `IPsec`, and `IKEv2`. All the properties of VPN apply to the top level of this profile as well. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.vpn.managed.applayer/example1.plist diff --git a/mdm/profiles/com.apple.vpn.managed.appmapping.yaml b/mdm/profiles/com.apple.vpn.managed.appmapping.yaml index 1bbf67b..c2c859b 100644 --- a/mdm/profiles/com.apple.vpn.managed.appmapping.yaml +++ b/mdm/profiles/com.apple.vpn.managed.appmapping.yaml @@ -106,3 +106,7 @@ payloadkeys: presence: optional content: The file-system path of the command-line tool using the per-app VPN. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.vpn.managed.appmapping/example1.plist diff --git a/mdm/profiles/com.apple.vpn.managed.yaml b/mdm/profiles/com.apple.vpn.managed.yaml index cb6b294..27ff794 100644 --- a/mdm/profiles/com.apple.vpn.managed.yaml +++ b/mdm/profiles/com.apple.vpn.managed.yaml @@ -56,9 +56,9 @@ payloadkeys: If the type is `VPN` or `TransparentProxy`, then the system requires a value for `VPNSubType`. - `TransparentProxy` is only available in macOS. `L2TP` and `IPSec` aren't available in tvOS. `AlwaysOn` is only available on iOS and Apple Watch pairing isn't supported with `AlwaysOn`. For a previously paired Apple Watch, all phone-watch communications cease when `AlwaysOn` is enabled. Not available in watchOS. + `TransparentProxy` is only available in macOS. `L2TP` and `IPSec` aren't available in tvOS. `AlwaysOn` is only available on iOS and `AlwaysOn` doesn't support Apple Watch pairing. For a previously paired Apple Watch, all phone-watch communications cease when `AlwaysOn` is enabled. Not available in watchOS. - key: VPNSubType - title: VPN Subtype + title: VPN subtype type: presence: optional content: |- @@ -78,13 +78,13 @@ payloadkeys: Not available in watchOS. - key: UserDefinedName - title: User Defined Name + title: User defined name type: presence: required content: The description of the VPN connection that the system displays on the device. Not available in watchOS. - key: VendorConfig - title: Vendor Configuration Dictionary + title: Vendor configuration dictionary type: presence: optional content: The vendor-specific configuration dictionary, which the system reads only @@ -109,7 +109,7 @@ payloadkeys: content: The group to connect to on the head end. Valid for Cisco AnyConnect and Cisco Legacy AnyConnect. Not available in watchOS. - key: LoginGroupOrDomain - title: Login Group or Domain + title: Login group or domain type: presence: optional content: The login group or domain. Valid only for SonicWALL Mobile Connect. Not @@ -121,12 +121,12 @@ payloadkeys: content: The dictionary to use when `VPNType` is `VPN`. subkeys: - key: AuthName - title: Account Username + title: Account username type: presence: optional content: The VPN account username. - key: AuthPassword - title: Account Password + title: Account password type: presence: optional content: The VPN account password. Only use this if `AuthenticationMethod` is @@ -137,7 +137,7 @@ payloadkeys: presence: required content: The IP address or hostname of the VPN server. - key: AuthenticationMethod - title: Authentication Method + title: Authentication method type: presence: optional rangelist: @@ -153,12 +153,12 @@ payloadkeys: content: The UUID of the certificate payload within the same profile to use for account credentials. - key: ProviderBundleIdentifier - title: Provider Bundle Identifier + title: Provider bundle identifier type: presence: optional content: The bundle identifier for the VPN provider. Not available in watchOS. - key: ProviderDesignatedRequirement - title: Provider Designated Requirement + title: Provider designated requirement supportedOS: iOS: introduced: n/a @@ -168,10 +168,10 @@ payloadkeys: introduced: n/a type: presence: optional - content: If the VPN provider is implemented as a system extension, this field - is required. Not available in watchOS. + content: If the VPN provider uses a system extension, this field is required. + Not available in watchOS. - key: DisconnectOnIdle - title: Enable Disconnect on Idle + title: Enable disconnect on idle type: presence: optional rangelist: @@ -180,7 +180,7 @@ payloadkeys: default: 0 content: If `1`, disconnects after an on-demand connection idles. - key: DisconnectOnIdleTimer - title: Disconnect on Idle time + title: Disconnect on idle time type: presence: optional content: The length of time to wait, in seconds, before disconnecting an on-demand @@ -196,7 +196,7 @@ payloadkeys: traffic at the app level. If the value is `packet-tunnel`, the service tunnels traffic at the IP layer. Not available in watchOS. - key: IncludeAllNetworks - title: Include All Networks + title: Include all networks supportedOS: iOS: introduced: '14.0' @@ -211,16 +211,16 @@ payloadkeys: - 1 default: 0 content: |- - If `1``, routes all traffic through the VPN, with some exclusions. Several of the exclusions can be controlled with the `ExcludeLocalNetworks`, `ExcludeCellularServices`, `ExcludeAPNs` and `ExcludeDeviceCommunication` properties. The following traffic is always excluded from the tunnel: + If `1``, routes all traffic through the VPN, with some exclusions. Several of the exclusions can be controlled with the `ExcludeLocalNetworks`, `ExcludeCellularServices`, `ExcludeAPNs` and `ExcludeDeviceCommunication` properties. The system always excludes the following traffic from the tunnel: - Traffic necessary for connecting and maintaining the device's network connection, such as DHCP. - Traffic necessary for connecting to captive networks. - - Certain cellular services traffic that is not routable over the internet and is instead directly routed to the cellular network. See the ExcludeCellularServices property for more details. + - Certain cellular services traffic that's not routable over the internet and is instead directly routed to the cellular network. See the ExcludeCellularServices property for more details. - Network communication with a companion device such as a watchOS device. Not available in watchOS. - key: EnforceRoutes - title: Enforce Routes + title: Enforce routes supportedOS: iOS: introduced: '14.2' @@ -237,9 +237,9 @@ payloadkeys: If `IncludeAllNetworks` is `1`, the system ignores the value of `EnforceRoutes`. - Available in iOS 14.2 and later, and macOS 11 and later. Not available in watchOS. + Not available in watchOS. - key: ExcludeLocalNetworks - title: Exclude Local Networks + title: Exclude local networks supportedOS: iOS: introduced: '14.2' @@ -255,7 +255,7 @@ payloadkeys: content: If `1` and `IncludeAllNetworks` is `1`, routes all local network traffic outside the VPN. Not available in watchOS. - key: ExcludeCellularServices - title: Exclude Cellular Services + title: Exclude cellular services supportedOS: iOS: introduced: '16.4' @@ -294,7 +294,7 @@ payloadkeys: network traffic for the Apple Push Notification service (APNs) from the tunnel. Not available in watchOS. - key: ExcludeDeviceCommunication - title: Exclude Device Communication + title: Exclude device communication supportedOS: iOS: introduced: '17.4' @@ -314,7 +314,7 @@ payloadkeys: network traffic used for communicating with devices connected via USB or Wi-Fi from the tunnel. - key: OnDemandEnabled - title: Enable VPN On Demand + title: Enable VPN on demand type: presence: optional rangelist: @@ -323,7 +323,7 @@ payloadkeys: default: 0 content: If `1`, enables VPN On Demand. - key: OnDemandUserOverrideDisabled - title: Prevent users from toggling VPN On Demand + title: Prevent users from toggling VPN on demand supportedOS: iOS: introduced: '14.0' @@ -335,10 +335,10 @@ payloadkeys: - 0 - 1 default: 0 - content: If `1`, the Connect On Demand toggle in Settings is disabled for this - configuration. Available in iOS 14 and later. Not available in watchOS. + content: If `1`, the device disables the Connect On Demand toggle in Settings + for this configuration. Not available in watchOS. - key: OnDemandMatchDomainsAlways - title: On Demand Match Domains Always + title: On demand match domains always supportedOS: iOS: deprecated: '7.0' @@ -353,10 +353,10 @@ payloadkeys: subkeytype: MatchDomainAlwaysElement subkeys: &id001 - key: MatchDomainAlwaysElement - title: Match Domain Always Element + title: Match domain always element type: - key: OnDemandMatchDomainsNever - title: On Demand Match Domains Never + title: On demand match domains never supportedOS: iOS: deprecated: '7.0' @@ -371,10 +371,10 @@ payloadkeys: subkeytype: MatchDomainNeverElement subkeys: &id002 - key: MatchDomainNeverElement - title: Match Domain Never Element + title: Match domain never element type: - key: OnDemandMatchDomainsOnRetry - title: On Demand Match Domains On Retry + title: On demand match domains on retry supportedOS: iOS: deprecated: '7.0' @@ -389,21 +389,21 @@ payloadkeys: subkeytype: MatchDomainOnRetryElement subkeys: &id003 - key: MatchDomainOnRetryElement - title: Match Domain On Retry Element + title: Match domain on retry element type: - key: OnDemandRules - title: On Demand Rules + title: On demand rules type: presence: optional content: An array of dictionaries defining On Demand Rules. subkeytype: OnDemandRulesElement subkeys: &id004 - key: OnDemandRulesElement - title: On Demand Rules Element + title: On demand rules element type: subkeys: - key: Action - title: On Demand Action + title: On demand action type: presence: required rangelist: @@ -421,7 +421,7 @@ payloadkeys: - `Ignore`: Leave any existing VPN connection up, but don't reconnect on demand as long as this dictionary matches. Only the `Disconnect` action is available on watchOS 10 and later. - key: ActionParameters - title: Action Parameters + title: Action parameters type: presence: optional content: An array of dictionaries that provides rules similar to the `OnDemandRules` @@ -432,7 +432,7 @@ payloadkeys: available in watchOS. subkeys: - key: ActionParameter - title: Action Parameter + title: Action parameter type: presence: optional content: |- @@ -446,10 +446,10 @@ payloadkeys: content: The domains to apply this evaluation. subkeys: - key: DomainsElement - title: Domains Element + title: Domains element type: - key: DomainAction - title: Domain Action + title: Domain action type: presence: required rangelist: @@ -460,7 +460,7 @@ payloadkeys: * 'ConnectIfNeeded': The specified domains should trigger a VPN connection attempt if domain name resolution fails, such as when the DNS server indicates that it can't resolve the domain, responds with a redirection to a different server, or fails to respond (timeout). * 'NeverConnect': The specified domains should never trigger a VPN connection attempt. - key: RequiredDNSServers - title: Required DNS Servers + title: Required DNS servers type: presence: optional content: |- @@ -468,17 +468,17 @@ payloadkeys: This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'. subkeys: - key: RequiredDNSServersElement - title: Required DNS Servers Element + title: Required DNS servers element type: - key: RequiredURLStringProbe - title: Required URL String Probe + title: Required URL string probe type: presence: optional content: |- - An HTTP or HTTPS (preferred) URL to probe, using a GET request. If the URL's hostname can't be resolved, if the server is unreachable, or if the server doesn't respond with a 200 HTTP status code, a VPN connection is established in response. + An HTTP or HTTPS (preferred) URL to probe, using a GET request. If the URL's hostname can't be resolved, if the server is unreachable, or if the server doesn't respond with a 200 HTTP status code, the device establishes a VPN connection in response. This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'. - key: DNSDomainMatch - title: DNS Domain Match + title: DNS domain match type: presence: optional content: |- @@ -486,10 +486,10 @@ payloadkeys: The system supports a wildcard (`*`) prefix. For example, `*.example.com` matches against either `mydomain.example.com` or `yourdomain.example.com`. subkeys: - key: DNSDomainMatchElement - title: DNS Domain Match Element + title: DNS domain match element type: - key: DNSServerAddressMatch - title: DNS Server Address Match + title: DNS server address match type: presence: optional content: |- @@ -497,10 +497,10 @@ payloadkeys: The system supports matching with a single wildcard. For example, `17.*` matches any DNS server in the `17.0.0.0/8` subnet. subkeys: - key: DNSServerAddressMatchElement - title: DNS Server Address Match Element + title: DNS server address match element type: - key: InterfaceTypeMatch - title: Interface Type Match + title: Interface type match type: presence: optional rangelist: @@ -510,7 +510,7 @@ payloadkeys: content: An interface type. If specified, this rule matches only if the primary network interface hardware matches the specified type. - key: SSIDMatch - title: SSID Match + title: SSID match type: presence: optional content: |- @@ -518,17 +518,17 @@ payloadkeys: Omit this key and the corresponding array to match against any SSID. subkeys: - key: SSIDMatchElement - title: SSID Match Element + title: SSID match element type: - key: URLStringProbe - title: URL String Probe + title: URL string probe type: presence: optional content: A URL to probe. This rule matches when this URL is successfully fetched (returns a `200` HTTP status code) without redirection. Not available in watchOS. - key: IPv4 - title: IPv4 Settings + title: IPv4 settings supportedOS: tvOS: introduced: n/a @@ -537,7 +537,7 @@ payloadkeys: content: The dictionary that contains IPv4 settings. Not available in watchOS. subkeys: - key: OverridePrimary - title: Override Primary Connection + title: Override primary connection type: presence: optional rangelist: @@ -557,18 +557,18 @@ payloadkeys: in watchOS. subkeys: - key: AuthName - title: Account Username + title: Account username type: presence: optional content: The VPN account user name. This key is for use with L2TP and PPTP networks. - key: AuthPassword - title: Account Password + title: Account password type: presence: optional content: If `TokenCard` is `1`, use this password for authentication. This key is for use with L2TP and PPTP networks. - key: TokenCard - title: Use Token Card + title: Use token card type: presence: optional rangelist: @@ -578,13 +578,13 @@ payloadkeys: content: If `1`, uses a token card such as an RSA SecurID card for connecting. This key is for use with L2TP networks. - key: CommRemoteAddress - title: Remote Address + title: Remote address type: presence: optional content: The IP address or host name of VPN server. This key is for use with L2TP and PPTP networks. - key: AuthEAPPlugins - title: EAP Plugins + title: EAP plugins type: presence: optional content: 'An array of authentication plugins. For use of RSA SecurID, this array @@ -592,7 +592,7 @@ payloadkeys: networks.' subkeys: - key: EAPPluginElement - title: EAP Plugin + title: EAP plugin type: rangelist: - EAP-RSA @@ -609,7 +609,7 @@ payloadkeys: should have one value, `EAP`. This key is for use with L2TP and PPTP networks. subkeys: - key: AuthProtocolElement - title: Auth Protocol + title: Auth protocol type: rangelist: - EAP @@ -642,7 +642,7 @@ payloadkeys: content: If `1`, enables encryption on the connection. This key is for use with PPTP networks. - key: DisconnectOnIdle - title: Enable Disconnect on Idle + title: Enable disconnect on idle type: presence: optional rangelist: @@ -651,12 +651,12 @@ payloadkeys: default: 0 content: If `1`, disconnects after an on demand connection idles. - key: DisconnectOnIdleTimer - title: Disconnect on Idle time + title: Disconnect on idle time type: presence: optional content: The length of time to wait before disconnecting an on demand connection - key: IPSec - title: IPSec Settings + title: IPSec settings supportedOS: tvOS: introduced: n/a @@ -665,12 +665,12 @@ payloadkeys: content: The dictionary that contains IPSec settings. Not available in watchOS. subkeys: - key: RemoteAddress - title: Remote Address + title: Remote address type: presence: optional content: The IP address or host name of the VPN server. - key: AuthenticationMethod - title: Authentication Method + title: Authentication method type: presence: optional rangelist: @@ -689,7 +689,7 @@ payloadkeys: presence: optional content: The VPN account password for Cisco IPSec. - key: XAuthEnabled - title: XAUTH Enabled + title: XAUTH enabled type: presence: optional rangelist: @@ -697,14 +697,14 @@ payloadkeys: - 1 content: If `1`, enables Xauth for Cisco IPSec VPNs. - key: XAuthPasswordEncryption - title: XAUTH Password Encryption + title: XAUTH password encryption type: presence: optional rangelist: - Prompt content: A string that either has the value "Prompt" or isn't present. - key: LocalIdentifier - title: Local Identifier + title: Local identifier type: presence: optional content: |- @@ -712,7 +712,7 @@ payloadkeys: Present only for Cisco IPSec if `AuthenticationMethod` is `SharedSecret`. - key: LocalIdentifierType - title: Local Identifier Type + title: Local identifier type type: presence: optional rangelist: @@ -721,7 +721,7 @@ payloadkeys: content: Present only if `AuthenticationMethod` is `SharedSecret`. The value is `KeyID`. The system uses this value for L2TP and Cisco IPSec VPNs. - key: SharedSecret - title: Shared Secret + title: Shared secret type: presence: optional content: |- @@ -743,7 +743,7 @@ payloadkeys: default: false content: If `true`, prompts for a PIN when connecting to Cisco IPSec VPNs. - key: DisconnectOnIdle - title: Enable Disconnect on Idle + title: Enable disconnect on idle type: presence: optional rangelist: @@ -752,12 +752,12 @@ payloadkeys: default: 0 content: If `1`, disconnect after an on-demand connection idles. - key: DisconnectOnIdleTimer - title: Disconnect on Idle time + title: Disconnect on idle time type: presence: optional content: The length of time to wait before disconnecting an on-demand connection. - key: OnDemandEnabled - title: Enable VPN On Demand + title: Enable VPN on demand type: presence: optional rangelist: @@ -766,7 +766,7 @@ payloadkeys: default: 0 content: If `1`, enables bringing the VPN connection up on demand. - key: OnDemandMatchDomainsAlways - title: On Demand Match Domains Always + title: On demand match domains always supportedOS: iOS: deprecated: '7.0' @@ -779,7 +779,7 @@ payloadkeys: subkeytype: MatchDomainAlwaysElement subkeys: *id001 - key: OnDemandMatchDomainsNever - title: On Demand Match Domains Never + title: On demand match domains never supportedOS: iOS: deprecated: '7.0' @@ -791,7 +791,7 @@ payloadkeys: subkeytype: MatchDomainNeverElement subkeys: *id002 - key: OnDemandMatchDomainsOnRetry - title: On Demand Match Domains On Retry + title: On demand match domains on retry supportedOS: iOS: deprecated: '7.0' @@ -803,7 +803,7 @@ payloadkeys: subkeytype: MatchDomainOnRetryElement subkeys: *id003 - key: OnDemandRules - title: On Demand Rules + title: On demand rules type: presence: optional content: The on-demand rules dictionary. @@ -846,7 +846,7 @@ payloadkeys: To enable EAP-only authentication, set this to `None` and `ExtendedAuthEnabled` to `1`. If this is `None` and the `ExtendedAuthEnabled` key isn't set, the authentication configuration defaults to `SharedSecret`. - key: CertificateType - title: Certificate Type + title: Certificate type type: presence: optional rangelist: @@ -868,22 +868,21 @@ payloadkeys: authentication (EAP) is used, the system sends this certificate out for EAP-TLS authentication. - key: Password - title: Account Password + title: Account password type: presence: optional content: The password to use for the account credentials. Only used if `AuthenticationMethod` is `Password`. - key: ProviderBundleIdentifier - title: Provider Bundle Identifier + title: Provider bundle identifier type: presence: optional content: If the VPNSubType field contains the bundle identifier of an app that contains multiple VPN providers of the same type (app-proxy or packet-tunnel), then the system uses this field to choose which provider to use for this configuration. - If the VPN provider is implemented as a System Extension, then this field is - required. + If the VPN provider uses a system extension, then this field is required. - key: ProviderDesignatedRequirement - title: Provider Designated Requirement + title: Provider designated requirement supportedOS: iOS: introduced: n/a @@ -893,15 +892,13 @@ payloadkeys: introduced: n/a type: presence: optional - content: If the VPN provider is implemented as a System Extension, then this field - is required. Available in macOS 10.15 and later, tvOS 17 and later, and watchOS - 10 and later. + content: If the VPN provider uses a system extension, then this field is required. - key: SharedSecret title: SharedSecret type: presence: optional - content: If `AuthenticationMethod` is `SharedSecret`, this value is used for IKE - authentication. + content: If `AuthenticationMethod` is `SharedSecret`, the device uses this value + for IKE authentication. - key: ExtendedAuthEnabled title: ExtendedAuthEnabled type: @@ -922,7 +919,7 @@ payloadkeys: presence: optional content: The password to use for authentication. - key: OnDemandEnabled - title: Enable VPN On Demand + title: Enable VPN on demand type: presence: optional rangelist: @@ -931,7 +928,7 @@ payloadkeys: default: 0 content: If `1`, enables VPN up on demand. - key: OnDemandUserOverrideDisabled - title: Prevent users from toggling VPN On Demand + title: Prevent users from toggling VPN on demand supportedOS: iOS: introduced: '14.0' @@ -946,14 +943,14 @@ payloadkeys: content: If `1`, the system disables the Connect On Demand toggle in Settings for this configuration. - key: OnDemandRules - title: On Demand Rules + title: On demand rules type: presence: optional content: A list of rules that determine when and how to use an OnDemand VPN. subkeytype: OnDemandRulesElement subkeys: *id004 - key: DeadPeerDetectionRate - title: Dead Peer Detection Rate + title: Dead peer detection rate supportedOS: watchOS: introduced: n/a @@ -990,7 +987,7 @@ payloadkeys: to validate the certificate sent by the IKE server. If not set, the system uses the remote identifier to validate the certificate. - key: TLSMinimumVersion - title: TLS Minimum Version + title: TLS minimum version supportedOS: iOS: introduced: '11.0' @@ -1002,10 +999,11 @@ payloadkeys: - '1.0' - '1.1' - '1.2' + - '1.3' default: '1.0' content: The minimum TLS version to use with EAP-TLS authentication. - key: TLSMaximumVersion - title: TLS Maximum Version + title: TLS maximum version supportedOS: iOS: introduced: '11.0' @@ -1017,10 +1015,11 @@ payloadkeys: - '1.0' - '1.1' - '1.2' + - '1.3' default: '1.2' content: The maximum TLS version to use with EAP-TLS authentication. - key: UseConfigurationAttributeInternalIPSubnet - title: Use IPv4 / IPv6 Internal Subnet Attributes + title: Use IPv4 / IPv6 internal subnet attributes supportedOS: iOS: introduced: '9.0' @@ -1033,7 +1032,7 @@ payloadkeys: content: If `1`, negotiations should use IKEv2 Configuration Attribute `INTERNAL_IP4_SUBNET` and `INTERNAL_IP6_SUBNET`. - key: DisableMOBIKE - title: Disable Mobility and Multihoming + title: Disable mobility and multihoming supportedOS: iOS: introduced: '9.0' @@ -1045,7 +1044,7 @@ payloadkeys: default: 0 content: If `1`, the system disables MOBIKE. - key: DisableRedirect - title: Disable Redirect + title: Disable redirect supportedOS: iOS: introduced: '9.0' @@ -1058,7 +1057,7 @@ payloadkeys: content: If `1`, the system disables IKEv2 redirect. If not set, the system redirects an IKEv2 connection when it receives a redirect request from the server. - key: DisconnectOnIdle - title: Enable Disconnect on Idle + title: Enable disconnect on idle type: presence: optional rangelist: @@ -1067,13 +1066,13 @@ payloadkeys: default: 0 content: If `1`, the VPN disconnects automatically after a period defined by `DisconnectOnIdleTimer`. - key: DisconnectOnIdleTimer - title: Disconnect on Idle time + title: Disconnect on idle time type: presence: optional content: Only used if `DisconnectOnIdle` is `1`. The number of seconds before the VPN disconnects. On watchOS, maximum allowed value is 15 seconds - key: NATKeepAliveOffloadEnable - title: NAT Keep Alive Offload Enable + title: NAT keep alive offload enable supportedOS: iOS: introduced: '9.0' @@ -1088,7 +1087,7 @@ payloadkeys: NAT keepalive offload has an impact on the battery life due to the extra workload during sleep. The default interval for the keepalive offload packets is 20 seconds over Wi-Fi and 110 seconds over Cellular interface. The default NAT keepalive works well on networks with small NAT mapping timeouts but imposes a potential battery impact. If a network has larger NAT mapping timeouts, larger keepalive intervals may be safely used to minimize battery impact. Modify the keepalive interval through the `NATKeepAliveInterval` key. - key: NATKeepAliveInterval - title: NAT Keepalive Interval + title: NAT keepalive interval supportedOS: iOS: introduced: '9.0' @@ -1145,9 +1144,9 @@ payloadkeys: Enabling fallback requires that the server support multiple tunnels for a single user. - This field is available in iOS 13 and later, and tvOS 17 and later. Not available in watchOS. + Not available in watchOS. - key: MTU - title: Maximum Transmission Unit + title: Maximum transmission unit supportedOS: iOS: introduced: '14.0' @@ -1160,8 +1159,7 @@ payloadkeys: max: 1400 default: 1280 content: The Maximum Transmission Unit (MTU) specifies the maximum size in bytes - of each packet that the system sends over the IKEv2 VPN interface. Available - in iOS 14 and later, and macOS 11 and later. + of each packet that the system sends over the IKEv2 VPN interface. - key: ProviderType type: presence: optional @@ -1173,7 +1171,7 @@ payloadkeys: at the application layer. If the value of this key is `packet-tunnel`, the VPN service tunnels traffic at the IP layer. - key: IncludeAllNetworks - title: Include All Networks + title: Include all networks supportedOS: iOS: introduced: '14.0' @@ -1197,7 +1195,7 @@ payloadkeys: - Certain cellular services traffic that's not routable over the internet and is instead directly routed to the cellular network. See the `ExcludeCellularServices` field for more information. - Network communication with a companion device such as a watchOS device. - key: EnforceRoutes - title: Enforce Routes + title: Enforce routes supportedOS: iOS: introduced: '14.2' @@ -1214,7 +1212,7 @@ payloadkeys: content: If `1`, all the VPN's non-default routes take precedence over any locally-defined routes. If `IncludeAllNetworks` is `1`, the system ignores `EnforceRoutes`. - key: ExcludeLocalNetworks - title: Exclude Local Networks + title: Exclude local networks supportedOS: iOS: introduced: '14.2' @@ -1233,7 +1231,7 @@ payloadkeys: the system routes local network traffic outside of the VPN. The default for this value is `0` on macOS and `1` on iOS. - key: ExcludeCellularServices - title: Exclude Cellular Services + title: Exclude cellular services supportedOS: iOS: introduced: '16.4' @@ -1274,7 +1272,7 @@ payloadkeys: content: If `1` and `IncludeAllNetworks` is `1`, the system excludes network traffic for the Apple Push Notification service (APNs) from the tunnel. - key: ExcludeDeviceCommunication - title: Exclude Device Communication + title: Exclude device communication supportedOS: iOS: introduced: '17.4' @@ -1296,7 +1294,7 @@ payloadkeys: network traffic used for communicating with devices connected via USB or Wi-Fi from the tunnel. - key: PPK - title: Post-quantum Pre-shared Key + title: Post-quantum pre-shared key supportedOS: iOS: introduced: '18.0' @@ -1314,7 +1312,7 @@ payloadkeys: key is is used with VPN servers that support RFC 8784. If this key is present `PPKIdentifier` must also be present. - key: PPKIdentifier - title: Post-quantum Pre-shared Key Identifier + title: Post-quantum pre-shared key identifier supportedOS: iOS: introduced: '18.0' @@ -1332,7 +1330,7 @@ payloadkeys: for this VPN. This key is is used with VPN servers that support RFC 8784. If this key is present `PPK` must also be present. - key: PPKMandatory - title: Post-quantum Pre-shared Key Mandatory + title: Post-quantum pre-shared key mandatory supportedOS: iOS: introduced: '18.0' @@ -1352,9 +1350,9 @@ payloadkeys: default: 1 content: If set to `1`, the VPN doesn't establish a connection if the server doesn't support RFC 8784 or doesn't accept the PPK identifier specified in `PPKIdentifier`. - The device ignores this key if `PPK` and `PPKIdentifier` are not present. + The device ignores this key if `PPK` and `PPKIdentifier` aren't present. - key: AllowPostQuantumKeyExchangeFallback - title: Allow Post-quantum Key Exchange Fallback + title: Allow post-quantum key exchange fallback supportedOS: iOS: introduced: '26.0' @@ -1374,10 +1372,10 @@ payloadkeys: default: 0 content: If set to `0`, the VPN doesn't establish a connection if the server does not support or doesn't allow post-quantum key exchanges. Thd device ignores - this key if `PostQuantumKeyExchangeMethods` is not present in `IKESecurityAssociationParameters` + this key if `PostQuantumKeyExchangeMethods` isn't present in `IKESecurityAssociationParameters` or `ChildSecurityAssociationParameters`. - key: EnforceStrictAlgorithmSelection - title: Enforce Strict Algorithm Selection + title: Enforce strict algorithm selection supportedOS: iOS: introduced: '18.5' @@ -1399,7 +1397,7 @@ payloadkeys: groups less than 14. Also the device requires the encryption algorithm specified for the IKE SA to be at least as cryptographically strong as the algorithm specified for the child SA. The device rejects this profile payload if these requirements - are not met. + aren't met. - key: IKESecurityAssociationParameters title: IKESecurityAssociationParameters type: @@ -1467,7 +1465,7 @@ payloadkeys: `1`, `2`, and `5` are available only in iOS, macOS, and visionOS prior to iOS 26, macOS 26, and visionOS 26. - key: PostQuantumKeyExchangeMethods - title: Post-quantum Key Exchange Methods + title: Post-quantum key exchange methods supportedOS: iOS: introduced: '26.0' @@ -1481,12 +1479,12 @@ payloadkeys: introduced: '26.0' type: presence: optional - content: An array of strings representing postquantum key exchange methods the - device uses during SA establishment and rekey. You can specify up to seven + content: An array of integers representing postquantum key exchange methods + the device uses during SA establishment and rekey. You can specify up to seven items, which correspond to ADDKE1 - ADDKE7 from RFC 9370. subkeys: - key: PostQuantumKeyExchangeMethod - title: Post-quantum Key Exchange Method + title: Post-quantum key exchange method type: rangelist: - 0 @@ -1518,7 +1516,7 @@ payloadkeys: content: A dictionary to use for all VPN types. subkeys: - key: DNSProtocol - title: DNS Protocol + title: DNS protocol supportedOS: iOS: introduced: '14.0' @@ -1546,7 +1544,7 @@ payloadkeys: the system uses the hostname or address in the URL to determine the server addresses. This key is required if the `DNSProtocol` is `HTTPS`. - key: ServerName - title: Server Name + title: Server name supportedOS: iOS: introduced: '14.0' @@ -1559,7 +1557,7 @@ payloadkeys: the hostname to determine the server addresses. This key is required if the `DNSProtocol` is `TLS`. - key: ServerAddresses - title: DNS Server Addresses + title: DNS server addresses supportedOS: iOS: introduced: '10.0' @@ -1571,10 +1569,10 @@ payloadkeys: a mixture of IPv4 and IPv6 addresses. subkeys: - key: ServerAddressesElement - title: Server Address Element + title: Server address element type: - key: SearchDomains - title: DNS Search Domains + title: DNS search domains supportedOS: iOS: introduced: '10.0' @@ -1585,10 +1583,10 @@ payloadkeys: content: The list of domain strings used to fully qualify single-label host names. subkeys: - key: SearchDomainsElement - title: Search Domains Element + title: Search domains element type: - key: DomainName - title: Domain Name + title: Domain name supportedOS: iOS: introduced: '10.0' @@ -1598,7 +1596,7 @@ payloadkeys: presence: optional content: The primary domain of the tunnel. - key: SupplementalMatchDomains - title: Supplemental Match Domains + title: Supplemental match domains supportedOS: iOS: introduced: '10.0' @@ -1614,10 +1612,10 @@ payloadkeys: Split-tunnel configurations can direct all DNS queries to the VPN DNS servers before the primary DNS servers. If the VPN tunnel becomes the network's default route, the servers listed in `ServerAddresses` become the default resolver and the system ignores the `SupplementalMatchDomains` list. subkeys: &id006 - key: SupplementalMatchDomainsElement - title: Supplemental Match Domains Element + title: Supplemental match domains element type: - key: SupplementalMatchDomainsNoSearch - title: Supplemental Match Domains No Search + title: Supplemental match domains no search supportedOS: iOS: introduced: '10.0' @@ -1632,7 +1630,7 @@ payloadkeys: content: If `0`, append the domains in the `SupplementalMatchDomains` list to the resolver's list of search domains. - key: PayloadCertificateUUID - title: DNS Certificate UUID + title: DNS certificate UUID supportedOS: iOS: introduced: '16.0' @@ -1653,7 +1651,7 @@ payloadkeys: content: The dictionary to use to configure `Proxies` for use with `VPN`. subkeys: - key: ProxyAutoConfigEnable - title: Proxy AutoConfig Enable + title: Proxy AutoConfig enable type: presence: optional rangelist: @@ -1661,7 +1659,7 @@ payloadkeys: - 1 content: If `true`, enables automatic proxy configuration. - key: ProxyAutoDiscoveryEnable - title: Proxy Auto Discovery Enable + title: Proxy auto discovery enable type: presence: optional rangelist: @@ -1670,13 +1668,13 @@ payloadkeys: default: 1 content: If `true`, enables proxy auto discovery. - key: ProxyAutoConfigURLString - title: Proxy Server URL + title: Proxy server URL type: presence: optional content: The URL to the location of the proxy auto-configuration file. Used only when `ProxyAutoConfigEnable` is `true`. - key: SupplementalMatchDomains - title: Supplemental Match Domains + title: Supplemental match domains type: presence: optional content: An array of domains that defines which hosts use proxy settings for hosts. @@ -1691,12 +1689,12 @@ payloadkeys: default: 0 content: If `1`, enables proxy for HTTP traffic. - key: HTTPProxy - title: HTTP Proxy + title: HTTP proxy type: presence: optional content: The host name of the HTTP proxy. - key: HTTPPort - title: HTTP Port + title: HTTP port type: presence: optional range: @@ -1724,12 +1722,12 @@ payloadkeys: default: 0 content: If `true`, enables proxy for HTTPS traffic. - key: HTTPSProxy - title: HTTPS Proxy + title: HTTPS proxy type: presence: optional content: The host name of the HTTPS proxy. - key: HTTPSPort - title: HTTPS Port + title: HTTPS port type: presence: optional range: @@ -1752,7 +1750,7 @@ payloadkeys: or watchOS. subkeys: - key: UIToggleEnabled - title: UI Toggle Enabled + title: UI toggle enabled type: presence: optional rangelist: @@ -1767,11 +1765,11 @@ payloadkeys: content: An array that contains an arbitrary number of tunnel configurations. subkeys: - key: TunnelConfigurationElement - title: A TunnelConfiguration Element + title: A TunnelConfiguration element type: subkeys: - key: ProtocolType - title: Protocol Type + title: Protocol type type: presence: required rangelist: @@ -1784,7 +1782,7 @@ payloadkeys: content: The interfaces to apply this configuration to. subkeys: - key: InterfacesElement - title: Interfaces Element + title: Interfaces element type: rangelist: - Cellular @@ -1796,11 +1794,11 @@ payloadkeys: content: An array that contains an arbitrary number of service exceptions. subkeys: - key: ServiceExceptionElement - title: A ServiceException Element + title: A ServiceException element type: subkeys: - key: ServiceName - title: Service Name + title: Service name type: presence: required rangelist: @@ -1811,7 +1809,7 @@ payloadkeys: content: |- The name of a service that's exempt from Always On VPN. - `CellularServices` is available in iOS 11.3 and later; it exempts `VoLTE`, `IMS` and `MMS`. WiFiCalling is exempted in iOS 13.4 and later. + `CellularServices` is available in iOS 11.3 and later; it exempts `VoLTE`, `IMS` and `MMS`. Always On VPN exempts WiFiCalling in iOS 13.4 and later. `DeviceCommunication` is available in iOS 17.4 and later; it exempts network traffic used for communicating with devices connected via USB or Wi-Fi. - key: Action @@ -1833,11 +1831,11 @@ payloadkeys: occur outside the VPN. subkeys: - key: ApplicationExceptionElement - title: A ApplicationException Element + title: A ApplicationException element type: subkeys: - key: BundleIdentifier - title: Bundle Identifier + title: Bundle identifier type: presence: required content: The app's bundle identifier. @@ -1849,12 +1847,12 @@ payloadkeys: support for `UDP` only. subkeys: - key: LimitToProtocolElement - title: LimitToProtocol Element + title: LimitToProtocol element type: rangelist: - UDP - key: AllowCaptiveWebSheet - title: Allow Captive Web Sheet + title: Allow captive web sheet type: presence: optional rangelist: @@ -1863,7 +1861,7 @@ payloadkeys: default: 0 content: If `1`, allows traffic from Captive Web Sheet outside the VPN tunnel. - key: AllowAllCaptiveNetworkPlugins - title: Allow All Captive Network Plugins + title: Allow all captive network plugins type: presence: optional rangelist: @@ -1881,11 +1879,11 @@ payloadkeys: is `false`. subkeys: - key: AllowedCaptiveNetworkPluginElement - title: An AllowedCaptiveNetworkPlugin Element + title: An AllowedCaptiveNetworkPlugin element type: subkeys: - key: BundleIdentifier - title: Bundle Identifier + title: Bundle identifier type: presence: required content: The bundle identifier for the app that's allowed on the captive network. @@ -1902,11 +1900,10 @@ payloadkeys: introduced: n/a type: presence: optional - content: The dictionary to use when `VPNType` is `TransparentProxy`. Available in - macOS 14 and later. + content: The dictionary to use when `VPNType` is `TransparentProxy`. subkeys: - key: AuthenticationMethod - title: Authentication Method + title: Authentication method type: presence: optional rangelist: @@ -1914,96 +1911,78 @@ payloadkeys: - Certificate - Password+Certificate default: Password - content: |- - The type of authentication method to use: `Password`, `Certificate`, or `Password+Certificate`. - - Available in macOS 14 and later. + content: 'The type of authentication method to use: `Password`, `Certificate`, + or `Password+Certificate`.' - key: DisconnectOnIdle - title: Enable Disconnect on Idle + title: Enable disconnect on idle type: presence: optional rangelist: - 0 - 1 default: 0 - content: |- - If `1`, the VPN disconnects automatically disconnect after a period defined by `DisconnectOnIdleTimer`. - - Available in macOS 14 and later. + content: If `1`, the VPN disconnects automatically disconnect after a period defined + by `DisconnectOnIdleTimer`. - key: DisconnectOnIdleTimer - title: Disconnect on Idle time + title: Disconnect on idle time type: presence: optional - content: |- - The number of seconds before the VPN disconnects. This value is only used if `DisconnectOnIdle` is `1`. - - Available in macOS 14 and later. + content: The number of seconds before the VPN disconnects. This value is only + used if `DisconnectOnIdle` is `1`. - key: EnforceRoutes - title: Enforce Routes + title: Enforce routes type: presence: optional rangelist: - 0 - 1 default: 0 - content: |- - If `1`, then all the VPN's non-default routes take precedence over any locally-defined routes. If `IncludeAllNetworks` is `1`, the system ignores the value of `EnforceRoutes`. - - Available in macOS 14 and later. + content: If `1`, then all the VPN's non-default routes take precedence over any + locally-defined routes. If `IncludeAllNetworks` is `1`, the system ignores the + value of `EnforceRoutes`. - key: OnDemandEnabled - title: Enable VPN On Demand + title: Enable VPN on demand type: presence: optional rangelist: - 0 - 1 default: 0 - content: |- - If `1`, the system brings up the VPN on demand. - - Available in macOS 14 and later. + content: If `1`, the system brings up the VPN on demand. - key: OnDemandRules - title: On Demand Rules + title: On demand rules type: presence: optional - content: |- - Determines when and how the system uses an OnDemand VPN. - - Available in macOS 14 and later. + content: Determines when and how the system uses an OnDemand VPN. subkeytype: OnDemandRulesElement subkeys: *id004 - key: PayloadCertificateUUID title: PayloadCertificateUUID type: presence: optional - content: |- - The UUID of the identity certificate as the account credential. If `AuthenticationMethod` is `Certificate`, and extended authentication (EAP) isn't used, this certificate is sent out for IKE client authentication. If extended authentication is used, this certificate can be used for EAP-TLS. - - Available in macOS 14 and later. + content: The UUID of the identity certificate as the account credential. If `AuthenticationMethod` + is `Certificate`, and extended authentication (EAP) isn't used, the device sends + this certificate for IKE client authentication. If extended authentication is + used, this certificate can be used for EAP-TLS. - key: Password - title: Account Password + title: Account password type: presence: optional - content: |- - The password to use for the account credentials. Only used if `AuthenticationMethod` is `Password`. - - Available in macOS 14 and later. + content: The password to use for the account credentials. Only used if `AuthenticationMethod` + is `Password`. - key: ProviderBundleIdentifier - title: Provider Bundle Identifier + title: Provider bundle identifier type: presence: optional - content: |- - If the VPNSubType field contains the bundle identifier of an app that contains multiple VPN providers of the same type (app-proxy or packet-tunnel), then the system uses this field to choose which provider to use for this configuration. If the VPN provider is implemented as a System Extension, then this field is required. - - Available in macOS 14 and later. + content: If the VPNSubType field contains the bundle identifier of an app that + contains multiple VPN providers of the same type (app-proxy or packet-tunnel), + then the system uses this field to choose which provider to use for this configuration. + If the VPN provider uses a system extension, then this field is required. - key: ProviderDesignatedRequirement - title: Provider Designated Requirement + title: Provider designated requirement type: presence: optional - content: |- - If the VPN provider is implemented as a System Extension, then this field is required. - - Available in macOS 14 and later. + content: If the VPN provider uses a system extension, then this field is required. - key: ProviderType type: presence: optional @@ -2011,15 +1990,15 @@ payloadkeys: - packet-tunnel - app-proxy default: packet-tunnel - content: |- - If the value of this key is `app-proxy`, the VPN service tunnels traffic at the application layer. If the value of this key is `packet-tunnel`, the VPN service tunnels traffic at the IP layer. - - Available in macOS 14 and later. + content: If the value of this key is `app-proxy`, the VPN service tunnels traffic + at the application layer. If the value of this key is `packet-tunnel`, the VPN + service tunnels traffic at the IP layer. - key: Order title: Order type: presence: optional - content: |- - A positive integer. - - Available in macOS 14 and later. + content: A positive integer. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.vpn.managed/example1.plist diff --git a/mdm/profiles/com.apple.webClip.managed.yaml b/mdm/profiles/com.apple.webClip.managed.yaml index 813a3c8..5ca98c1 100644 --- a/mdm/profiles/com.apple.webClip.managed.yaml +++ b/mdm/profiles/com.apple.webClip.managed.yaml @@ -33,7 +33,7 @@ payload: introduced: n/a payloadkeys: - key: Precomposed - title: Precomposed Icon + title: Precomposed icon supportedOS: macOS: introduced: n/a @@ -42,7 +42,7 @@ payloadkeys: default: false content: If `true`, the system prevents SpringBoard from adding shine to the icon. - key: FullScreen - title: Full Screen + title: Full screen supportedOS: macOS: introduced: n/a @@ -82,7 +82,7 @@ payloadkeys: presence: required content: The name of the web clip that the system displays on the Home Screen. - key: IgnoreManifestScope - title: Ignore Web Clip manifest scope + title: Ignore web clip manifest scope supportedOS: iOS: introduced: '14.0' @@ -93,10 +93,9 @@ payloadkeys: default: false content: If `true`, a full screen web clip can navigate to an external web site without showing Safari UI. Otherwise, Safari UI appears when navigating away from - the web clip's URL. This key has no effect when `FullScreen` is `false`. Available - in iOS 14 and later. + the web clip's URL. This key has no effect when `FullScreen` is `false`. - key: TargetApplicationBundleIdentifier - title: Target Application Bundle Identifier + title: Target application bundle identifier supportedOS: iOS: introduced: '14.0' @@ -106,8 +105,7 @@ payloadkeys: type: presence: optional content: The application bundle identifier of the application that opens the URL. - To use this property, install the profile through MDM. Available in iOS 14 and - later. + To use this property, install the profile through MDM. notes: - title: '' content: |- @@ -118,3 +116,7 @@ notes: A full-screen web clip on iOS devices opens the URL as a web app without a browser; there's no URL, search bar, or bookmarks. For Shared iPad devices, the system supports this payload on the user channel only. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.webClip.managed/example1.plist diff --git a/mdm/profiles/com.apple.webcontent-filter.yaml b/mdm/profiles/com.apple.webcontent-filter.yaml index 1337b00..82d1e80 100644 --- a/mdm/profiles/com.apple.webcontent-filter.yaml +++ b/mdm/profiles/com.apple.webcontent-filter.yaml @@ -272,12 +272,10 @@ payloadkeys: > Note: > At least one of `FilterBrowsers` or `FilterSockets` needs to be `true`. - key: FilterDataProviderDesignatedRequirement - title: Filter Data Provider Designated Requirement + title: Filter data provider designated requirement supportedOS: iOS: introduced: n/a - macOS: - introduced: '10.15' visionOS: introduced: n/a type: @@ -286,21 +284,14 @@ payloadkeys: of the filter data provider system extension. This string identifies the filter data provider when the filter starts running. Required if `FilterSockets` is `true`. - key: FilterDataProviderBundleIdentifier - title: Filter Data Provider Bundle Identifier - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.15' - visionOS: - introduced: n/a + title: Filter data provider bundle identifier type: presence: optional content: The bundle identifier string of the filter data provider system extension. This string identifies the filter data provider when the filter starts running. Required if `FilterSockets` is `true`. - key: FilterPackets - title: Filter Network Packets + title: Filter network packets supportedOS: iOS: introduced: n/a @@ -317,7 +308,7 @@ payloadkeys: > Note: > At least one of `FilterPackets` or `FilterSockets` needs to be `true`. - key: FilterPacketProviderDesignatedRequirement - title: Filter Packet Provider Designated Requirement + title: Filter packet provider designated requirement supportedOS: iOS: introduced: n/a @@ -332,7 +323,7 @@ payloadkeys: packet provider when the filter starts running. Required if `FilterPackets` is `true`. - key: FilterPacketProviderBundleIdentifier - title: Filter Packet Provider Bundle Identifier + title: Filter packet provider bundle identifier supportedOS: iOS: introduced: n/a @@ -346,7 +337,7 @@ payloadkeys: This string identifies the filter packet provider when the filter starts running. Required if `FilterPackets` is `true`. - key: FilterGrade - title: Filter Grade + title: Filter grade supportedOS: iOS: introduced: n/a @@ -365,7 +356,7 @@ payloadkeys: of `inspector`. However, the system doesn't define the order of filters within a grade. - key: ContentFilterUUID - title: Content Filter UUID + title: Content filter UUID supportedOS: iOS: introduced: '16.0' @@ -390,7 +381,6 @@ payloadkeys: presence: optional default: false content: If `true`, the system filters URL requests. Use when `FilterType` is `Plugin`. - Available in iOS 26 and macOS 26, and later. - key: URLFilterParameters supportedOS: iOS: @@ -402,35 +392,35 @@ payloadkeys: type: presence: optional content: A dictionary containing URL filter parameters. Required when `FilterURLs` - is `true`. Available in iOS 26 and macOS 26 and later. + is `true`. subkeys: - key: URLFilterControlProviderDesignatedRequirement - title: URL Filter Control Provider Designated Requirement + title: URL filter control provider designated requirement type: presence: optional content: The designated requirement string in the code signature of the URL filter control provider app extension. The system uses this string to identify the URL filter control provider when the filter starts running. Required in macOS. - key: URLFilterControlProviderBundleIdentifier - title: URL Filter Control Provider Bundle Identifier + title: URL filter control provider bundle identifier type: presence: required content: The bundle identifier string of the URL filter control provider app extension. The system uses this string to identify the URL filter control provider when the filter starts running. - key: PIRServerURL - title: Private Information Retrieval server URL + title: Private information retrieval server URL type: presence: required content: The URL containing the domain name of the private information retrieval server. - key: PIRPrivacyPassIssuerURL - title: Privacy Pass Issuer URL + title: Privacy pass issuer URL type: presence: required content: The URL containing the domain name of Privacy Pass Issuer. - key: PIRAuthenticationToken - title: Authentication Token + title: Authentication token type: presence: required content: The per-user authentication token string, which is an HTTP bearer token @@ -469,3 +459,7 @@ notes: Matching discards a `www` subdomain prefix if present, so if the system doesn't allow `www.test.com`, it also blocks `m.test.com`. All filtering options are active simultaneously. The system only permits URLs and sites that pass all rules. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.webcontent-filter/example1.plist diff --git a/mdm/profiles/com.apple.wifi.managed.yaml b/mdm/profiles/com.apple.wifi.managed.yaml index 432e002..bcbef68 100644 --- a/mdm/profiles/com.apple.wifi.managed.yaml +++ b/mdm/profiles/com.apple.wifi.managed.yaml @@ -43,7 +43,7 @@ payload: allowmanualinstall: true payloadkeys: - key: AutoJoin - title: Auto Join + title: Auto join supportedOS: iOS: introduced: '5.0' @@ -70,7 +70,7 @@ payloadkeys: default: false content: If `true`, defines this network as hidden. - key: ProxyType - title: Proxy Type + title: Proxy type supportedOS: iOS: userenrollment: @@ -90,7 +90,7 @@ payloadkeys: password into the proxy server. If you choose the auto proxy type, you can enter a proxy autoconfiguration (PAC) URL. - key: EncryptionType - title: Encryption Type + title: Encryption type type: presence: optional rangelist: @@ -129,13 +129,13 @@ payloadkeys: content: The UUID of the certificate payload within the same profile to use for the client credential. - key: EAPClientConfiguration - title: EAP Client Configuration + title: EAP client configuration type: presence: optional content: The enterprise network configuration. subkeys: - key: AcceptEAPTypes - title: Accept EAP Types + title: Accept EAP types type: presence: required content: |- @@ -152,7 +152,7 @@ payloadkeys: For EAP-TLS authentication without a network payload, install the necessary identity certificates and have your users select EAP-TLS mode in the 802.1X credentials dialog that appears when they connect to the network. For other EAP types, a network payload is necessary and must specify the correct settings for the network. subkeys: - key: EAPType - title: EAP Type + title: EAP type type: rangelist: - 13 @@ -175,21 +175,21 @@ payloadkeys: content: The user's password. If you don't specify a value, the system prompts the user during login. - key: PayloadCertificateAnchorUUID - title: Certificate Anchor UUID + title: Certificate anchor UUID type: presence: optional content: An array of the UUID of each certificate payload in the same profile to trust for authentication. Use this key to prevent the device from asking - the user whether to trust the listed certificates. Dynamic trust (the certificate - dialogue) is in a disabled state if you specify this property without also enabling + the user whether to trust the listed certificates. The device disables dynamic + trust (the certificate dialogue) if you specify this property without also enabling 'TLSAllowTrustExceptions'. subkeys: - key: CertificateAnchorUUID - title: Individual Certificate Anchor UUID + title: Individual certificate anchor UUID type: format: ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$ - key: TLSTrustedCertificates - title: TLS Trusted Certificates + title: TLS trusted certificates type: presence: optional content: An array of trusted certificates. Each entry in the array must contain @@ -201,19 +201,19 @@ payloadkeys: presence: required content: A certificate identifier. - key: TLSTrustedServerNames - title: TLS Trusted Server Names + title: TLS trusted server names type: presence: optional content: |- The list of accepted server certificate common names. If a server presents a certificate that isn't in this list, the system doesn't trust it. If you specify this property, the system disables dynamic trust (the certificate dialog) unless you also specify 'TLSAllowTrustExceptions' with the value 'true'. - If necessary, use wildcards to specify the name, such as 'wpa.*.example.com'. + If necessary, use a single "*" character to specify a wildcard for an individual component of the name, such as 'wpa.*.example.com'. subkeys: - key: TLSTrustedServerName - title: Individual Trusted TLS Server Name + title: Individual trusted TLS server name type: - key: TLSAllowTrustExceptions - title: Allow Trust Exceptions + title: Allow trust exceptions supportedOS: iOS: removed: '8.0' @@ -237,7 +237,7 @@ payloadkeys: If 'true', allows for two-factor authentication for EAP-TTLS, PEAP, or EAP-FAST. If 'false', allows for zero-factor authentication for EAP-TLS. If you don't specify a value, the default is 'true' for EAP-TLS, and 'false' for other EAP types. - key: TTLSInnerAuthentication - title: TTLS Inner Authentication + title: TTLS inner authentication type: presence: optional rangelist: @@ -283,7 +283,7 @@ payloadkeys: default: '1.2' content: The maximum TLS version for EAP authentication. - key: OuterIdentity - title: Outer Identity + title: Outer identity type: presence: optional content: |- @@ -307,14 +307,14 @@ payloadkeys: This value is only applicable if 'EAPFASTUsePAC' is 'true'. This value must be 'true' for EAP-FAST PAC usage to succeed because there's no other way to provision a PAC. - key: EAPFASTProvisionPACAnonymously - title: Provision PAC Anonymously + title: Provision PAC anonymously type: presence: optional default: false content: If 'true', provisions the device anonymously. Note that there are known machine-in-the-middle attacks for anonymous provisioning. - key: EAPSIMNumberOfRANDs - title: Allow Two RANDs + title: Allow two RANDs supportedOS: iOS: introduced: '8.0' @@ -341,7 +341,7 @@ payloadkeys: If 'true', the system mode connection tries to use the Open Directory credentials. If using this property, you can't use 'SystemModeCredentialsSource'. - key: OneTimeUserPassword - title: Per-Connection Password + title: Per-connection password supportedOS: iOS: introduced: '8.0' @@ -355,7 +355,7 @@ payloadkeys: content: If 'true', the user receives a prompt for a password each time they connect to the network. - key: DisplayedOperatorName - title: Displayed Operator Name + title: Displayed operator name supportedOS: iOS: introduced: '7.0' @@ -366,7 +366,7 @@ payloadkeys: content: The operator name to display when connected to this network. Used only with Wi-Fi Hotspot 2.0 access points. - key: DomainName - title: Domain Name + title: Domain name supportedOS: iOS: introduced: '7.0' @@ -391,7 +391,7 @@ payloadkeys: type: format: ^([0-9A-Za-z]{6})|([0-9A-Za-z]{9})$ - key: ServiceProviderRoamingEnabled - title: Roaming Enable + title: Roaming enable supportedOS: iOS: introduced: '7.0' @@ -402,7 +402,7 @@ payloadkeys: default: false content: If `true`, allows connection to roaming service providers. - key: IsHotspot - title: Is Hotspot + title: Is hotspot supportedOS: iOS: introduced: '7.0' @@ -420,7 +420,7 @@ payloadkeys: presence: optional content: The HESSID used for Wi-Fi Hotspot 2.0 negotiation. - key: NAIRealmNames - title: Realm Names + title: Realm names supportedOS: iOS: introduced: '7.0' @@ -449,7 +449,7 @@ payloadkeys: type: format: ^[0-9]{6}$ - key: CaptiveBypass - title: Disable Captive Network Detection + title: Disable captive network detection supportedOS: iOS: introduced: '10.0' @@ -461,7 +461,7 @@ payloadkeys: content: If `true`, the system bypasses Captive Network detection when the device connects to the network. - key: QoSMarkingPolicy - title: QoS Marking Policy + title: QoS marking policy supportedOS: iOS: introduced: '10.0' @@ -475,7 +475,7 @@ payloadkeys: lane. subkeys: - key: QoSMarkingAllowListAppIdentifiers - title: Allowlisted App Identifiers + title: Allowlisted app identifiers supportedOS: iOS: introduced: '14.5' @@ -489,10 +489,10 @@ payloadkeys: use L2 and L3 marking. subkeys: &id001 - key: appBundleID - title: Allowlisted App + title: Allowlisted app type: - key: QoSMarkingWhitelistedAppIdentifiers - title: Whitelisted App Identifiers + title: Whitelisted app identifiers supportedOS: iOS: deprecated: '14.5' @@ -552,14 +552,14 @@ payloadkeys: default: true content: If `true`, enables IPv6 on this interface. - key: TLSCertificateRequired - title: Certificate Required + title: Certificate required type: presence: optional default: false content: If `true`, allows for two-factor authentication for EAP-TTLS, PEAP, or EAP-FAST. If `false`, allows for zero-factor authentication for EAP-TLS. - key: ProxyServer - title: Proxy Server + title: Proxy server supportedOS: iOS: userenrollment: @@ -574,7 +574,7 @@ payloadkeys: presence: optional content: The proxy server's network address. - key: ProxyServerPort - title: Proxy Server Port + title: Proxy server port supportedOS: iOS: userenrollment: @@ -592,7 +592,7 @@ payloadkeys: max: 65535 content: The proxy server's port number. - key: ProxyUsername - title: Proxy Username + title: Proxy username supportedOS: iOS: userenrollment: @@ -607,7 +607,7 @@ payloadkeys: presence: optional content: The user name used to authenticate to the proxy server. - key: ProxyPassword - title: Proxy Password + title: Proxy password supportedOS: iOS: userenrollment: @@ -634,7 +634,7 @@ payloadkeys: presence: optional content: The URL of the PAC file that defines the proxy configuration. - key: ProxyPACFallbackAllowed - title: Proxy PAC Fallback Allowed + title: Proxy PAC fallback allowed supportedOS: iOS: userenrollment: @@ -678,7 +678,7 @@ payloadkeys: This value is only locked when MDM installs the profile. If the profile is manually installed, the system sets the value but the user can change it. - key: AllowJoinBeforeFirstUnlock - title: Allow Join Before First Unlock + title: Allow join before first unlock supportedOS: iOS: introduced: n/a @@ -697,15 +697,19 @@ payloadkeys: presence: optional default: false content: |- - If `true`, the device makes this network available for joining before the device is unlocked for the first time following a reboot, on a device configured for return to service. Any network credentials are placed into Class D storage within the keychain, and information about the network is stored on disk in Class D. + If `true`, the device makes this network available for joining before the device is unlocked for the first time following a reboot, on a device configured for return to service. The device places any network credentials into Class D storage within the keychain and stores information about the network on disk in Class D. There are several restrictions on the use of this flag: - This property is only available in the return to service mode. - - Only one network can be designated as available before first unlock. + - You can designate only one network as available before first unlock. - `EAPClientConfiguration` must not be present. - If `IsHotspot` is present, it must be set to `false`. - `QoSMarkingPolicy` must not be present. - If `ProxyType` is present, it must be set to `None`. - The device fails to install the profile payload if any of these conditions are not met. + The device fails to install the profile payload if any of these conditions aren't met. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.wifi.managed/example1.plist diff --git a/mdm/profiles/com.apple.xsan.preferences.yaml b/mdm/profiles/com.apple.xsan.preferences.yaml index 6ef0c5e..9c0c0a2 100644 --- a/mdm/profiles/com.apple.xsan.preferences.yaml +++ b/mdm/profiles/com.apple.xsan.preferences.yaml @@ -82,3 +82,7 @@ payloadkeys: notes: - title: '' content: For more information, see [https://support.apple.com/en-us/HT205333](https://support.apple.com/en-us/HT205333). +examples: + title: Example profile + files: + - file: examples/mdm/profiles/com.apple.xsan.preferences/example1.plist diff --git a/mdm/profiles/com.apple.xsan.yaml b/mdm/profiles/com.apple.xsan.yaml index 8954f4c..d42ad8f 100644 --- a/mdm/profiles/com.apple.xsan.yaml +++ b/mdm/profiles/com.apple.xsan.yaml @@ -65,7 +65,7 @@ payloadkeys: - Only one value is accepted: `auth_secret` + The SAN accepts only one value: `auth_secret` - key: sharedSecret type: presence: required @@ -75,3 +75,7 @@ payloadkeys: notes: - title: '' content: For more information, see [https://support.apple.com/en-us/HT205333](https://support.apple.com/en-us/HT205333). +examples: + title: Profile example + files: + - file: examples/mdm/profiles/com.apple.xsan/example1.plist diff --git a/mdm/profiles/loginwindow.yaml b/mdm/profiles/loginwindow.yaml index 65838db..ce1286e 100644 --- a/mdm/profiles/loginwindow.yaml +++ b/mdm/profiles/loginwindow.yaml @@ -32,3 +32,7 @@ payloadkeys: default: false content: If `true`, the system prevents the user from disabling login item launches by using the Shift key. +examples: + title: Profile example + files: + - file: examples/mdm/profiles/loginwindow/example1.plist diff --git a/other/esso.yaml b/other/esso.yaml index e10e78d..d62ec95 100644 --- a/other/esso.yaml +++ b/other/esso.yaml @@ -22,7 +22,7 @@ payloadkeys: content: The iTunes Store ID of the app to download prior to enrollment, to support Enrollment SSO during enrollment. Using developer mode ignores this key. - key: AppIDs - title: Developer App IDs + title: Developer app IDs type: presence: optional content: An array of App IDs that specify apps that Enrollment SSO developer mode @@ -34,17 +34,17 @@ payloadkeys: title: App ID type: - key: AssociatedDomains - title: Associated Domains + title: Associated domains type: presence: optional content: An array of associated domains that the device uses with the Enrollment SSO extension. subkeys: - key: AssociatedDomain - title: Associated Domain + title: Associated domain type: - key: AssociatedDomainsEnableDirectDownloads - title: Associated Domains Enable Direct Downloads + title: Associated domains enable direct downloads type: presence: optional default: false @@ -52,7 +52,7 @@ payloadkeys: of at Apple's servers. Use this verification only with domains that are inaccessible on the public Internet. - key: ConfigurationProfile - title: Configuration Profile + title: Configuration profile type: presence: optional content: |- @@ -71,12 +71,12 @@ payloadkeys: content: |- An array of base64-encoded JSON formatted Declarative Device Management declarations that specify the managed app and its configuration, including any certificates or identities. - The set of declarations must include one `com.apple.configuration.app.managed` configuration, and one activation declaration that references the configuration. Asset declarations may be present if required by the app config. + The set of declarations must include one `com.apple.configuration.app.managed` configuration, and one activation declaration that references the configuration. Include asset declarations if the app config requires them. - The app configuration must include `AppStoreID` when developer mode is not being used, or it must include `BundleID` when developer mode is used. + The app configuration must include `AppStoreID` when developer mode isn't being used, or it must include `BundleID` when developer mode is used. One of `ConfigurationProfile` and `Declarations` must be present. subkeys: - key: Declaration - title: Declaration Domain + title: Declaration domain type: diff --git a/other/machineinfo.yaml b/other/machineinfo.yaml index 897f5c9..a1165b4 100644 --- a/other/machineinfo.yaml +++ b/other/machineinfo.yaml @@ -33,7 +33,7 @@ payloadkeys: presence: required content: The device's UDID. - key: SERIAL - title: Serial Number + title: Serial number supportedOS: iOS: userenrollment: @@ -56,12 +56,12 @@ payloadkeys: presence: required content: The device's product type, for example, `iPhone5,1`. - key: VERSION - title: Build Version + title: Build version type: presence: required content: The build version installed on the device, for example, `7A182`. - key: OS_VERSION - title: OS Version + title: OS version supportedOS: iOS: introduced: '17.0' @@ -71,12 +71,9 @@ payloadkeys: introduced: '17.0' type: presence: required - content: |- - The OS version installed on the device, for example, 17.0. - - Available on iOS 17 and later, macOS 14 and later, tvOS 17 and later, and watchOS 10 and later. + content: The OS version installed on the device, for example, 17.0. - key: SUPPLEMENTAL_BUILD_VERSION - title: Supplemental Build Version + title: Supplemental build version supportedOS: iOS: introduced: '17.0' @@ -86,12 +83,9 @@ payloadkeys: introduced: '17.0' type: presence: optional - content: |- - The device's operating system supplemental build version (if available). - - Available on iOS 17 and later, macOS 14 and later, tvOS 17 and later, and watchOS 10 and later. + content: The device's operating system supplemental build version (if available). - key: SUPPLEMENTAL_OS_VERSION_EXTRA - title: Supplemental OS Version Extra + title: Supplemental OS version extra supportedOS: iOS: introduced: '17.0' @@ -101,10 +95,7 @@ payloadkeys: introduced: '17.0' type: presence: optional - content: |- - The device's operating system supplemental OS version extra (if available). - - Available on iOS 17 and later, macOS 14 and later, tvOS 17 and later, and watchOS 10 and later. + content: The device's operating system supplemental OS version extra (if available). - key: IMEI title: IMEI supportedOS: @@ -141,7 +132,7 @@ payloadkeys: presence: optional content: The user's currently-selected language, for example, `en`. - key: MDM_CAN_REQUEST_SOFTWARE_UPDATE - title: MDM Can Request Software Update + title: MDM can request software update supportedOS: iOS: introduced: '17.0' @@ -156,12 +147,10 @@ payloadkeys: type: presence: optional default: false - content: |- - If `true`, indicates that the server can trigger the device to do a required software update. - - Available on iOS 17 and later, and macOS 14 and later. + content: If `true`, indicates that the server can trigger the device to do a required + software update. - key: PAIRING_TOKEN - title: Watch Enrollment Pairing Token + title: Watch enrollment pairing token supportedOS: iOS: introduced: n/a @@ -173,12 +162,9 @@ payloadkeys: introduced: n/a type: presence: optional - content: |- - The pairing token to validate when a watch is enrolling. - - Available on watchOS 10 and later. + content: The pairing token to validate when a watch is enrolling. - key: SOFTWARE_UPDATE_DEVICE_ID - title: Software Update Device ID + title: Software update device ID supportedOS: iOS: introduced: '17.4' @@ -189,10 +175,9 @@ payloadkeys: type: presence: optional content: The device model identifier used to lookup available OS updates through - https://gdmf.apple.com/v2/pmv. Available on iOS 17.4 and later, macOS 14.4 and - later, and visionOS 1.1 and later. + https://gdmf.apple.com/v2/pmv. - key: MDM_CAN_REQUEST_PSSO_CONFIG - title: Platform SSO is Supported + title: Platform SSO is supported supportedOS: iOS: introduced: n/a @@ -207,10 +192,8 @@ payloadkeys: type: presence: optional default: false - content: |- - If `true`, indicates that the server can trigger the device to do a required Platform SSO authentication before enrolling. - - Available on macOS 26 and later. + content: If `true`, indicates that the server can trigger the device to do a required + Platform SSO authentication before enrolling. - key: MANDATORY_SOFTWARE_UPDATE_REQUIRED title: Mandatory software update is required supportedOS: @@ -227,10 +210,10 @@ payloadkeys: type: presence: optional default: false - content: |- - If `true`, indicates that the device requires a mandatory software update during Setup Assistant. The MDM server can return a 403 with a `ErrorCodeSoftwareUpdateRequired` error to force the device to update to a specific version instead of the device choosing a version. - - Available on macOS 26.1 and later. + content: If `true`, indicates that the device requires a mandatory software update + during Setup Assistant. The MDM server can return a 403 with a `ErrorCodeSoftwareUpdateRequired` + error to force the device to update to a specific version instead of the device + choosing a version. notes: - title: '' content: This dictionary is CMS-signed with the device identity certificate. The diff --git a/other/manifesturl.yaml b/other/manifesturl.yaml index 496d8e8..3946578 100644 --- a/other/manifesturl.yaml +++ b/other/manifesturl.yaml @@ -52,54 +52,57 @@ payloadkeys: content: The kind of manifest item to install. Use `software-package` for apps and macOS packages. - key: md5 - title: md5 hash + title: MD5 hash type: presence: optional content: The MD5 hash value the device uses when verifying the hash of the manifest item data. When this key is present, the device ignores the `md5-size` and `md5s` keys. - key: md5-size - title: md5 chunk size + title: MD5 chunk size type: presence: optional content: The data *chunk* size the device uses when verifying the hash of - the manifest item data. Required when the `md5s` key is present. + the manifest item data. The device requires this key when the `md5s` key + is present. - key: md5s - title: md5 hashes + title: MD5 hashes type: presence: optional content: An array of strings representing a set of MD5 hash values. The device uses these values to verify the integrity of the downloaded manifest - item data. Required when the `md5-size` key is present. + item data. The device requires this key when the `md5-size` key is present. subkeys: - key: md5s-item - title: md5 hash + title: MD5 hash type: presence: required content: An MD5 hash value. - key: sha256 - title: sha256 hash + title: SHA256 hash type: presence: optional content: The SHA-256 hash value the device uses when verifying the hash of the manifest item data. When this key is present, the device ignores the `sha256-size` and `sha256` keys. - key: sha256-size - title: sha256 chunk size + title: SHA256 chunk size type: presence: optional content: The data *chunk* size the device uses when verifying the hash of - the manifest item data. Required when the `sha256s` key is present. + the manifest item data. The device requires this key when the `sha256s` + key is present. - key: sha256s - title: If there are multiple sha256 hashes provide a chunk size + title: If there are multiple SHA256 hashes provide a chunk size type: presence: optional content: An array of strings representing a set of SHA-256 hash values. The device uses these values to verify the integrity of the downloaded - manifest item data. Required when the `sha256-size` key is present. + manifest item data. The device requires this key when the `sha256-size` + key is present. subkeys: - key: sha256s-item - title: sha256 hash + title: SHA256 hash type: presence: required content: A SHA-256 hash value. @@ -125,7 +128,7 @@ payloadkeys: type: presence: optional default: false - content: removed + content: Removed - key: metadata title: Application metadata type: @@ -165,7 +168,7 @@ payloadkeys: introduced: n/a type: presence: optional - content: removed + content: Removed - key: subtitle title: The application subtitle type: @@ -198,17 +201,21 @@ payloadkeys: presence: optional subkeys: - key: bundle-identifier - title: removed + title: Removed type: presence: optional - content: removed + content: Removed - key: bundle-version - title: removed + title: Removed type: presence: optional - content: removed + content: Removed notes: - title: '' content: Use SHA-256 hashes instead of MD5 because SHA-256 has stronger security. If both SHA-256 and MD5 hash properties are present, the device uses only the SHA-256 hashes to verify the manifest data. +examples: + title: Example manifest + files: + - file: examples/other/manifesturl/example1.plist diff --git a/other/skipkeys.yaml b/other/skipkeys.yaml index 963a24e..68825ae 100644 --- a/other/skipkeys.yaml +++ b/other/skipkeys.yaml @@ -37,6 +37,20 @@ payloadkeys: > Note: > This key doesn't skip the Accessibility pane in Setup Assistant during initial device set up. It does skip the Accessibility pane when Setup Assistant runs due to a new user log in. +- key: AccessibilityAppearance + title: Skip Accessibility Appearance setup pane + supportedOS: + iOS: + introduced: '17.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: n/a + type: + presence: optional + content: The key to skip the Accessibility Appearance configuration pane. - key: ActionButton title: Skip Action Button setup pane supportedOS: @@ -67,7 +81,7 @@ payloadkeys: content: If the Restore pane isn't skipped, this is the key to remove the Move from Android option in the Restore pane. - key: Appearance - title: Skip Choose your Look setup pane + title: Skip Choose Your Look setup pane supportedOS: iOS: introduced: '13.0' @@ -145,7 +159,7 @@ payloadkeys: presence: optional content: The key to skip the App Analytics pane. - key: DisplayTone - title: Disables True Tone + title: Disables True Tone pane supportedOS: iOS: introduced: 9.3.2 @@ -161,7 +175,7 @@ payloadkeys: presence: optional content: The key to skip DisplayTone setup. - key: EnableLockdownMode - title: Skips Enable Lockdown Mode + title: Skips enable Lockdown Mode supportedOS: iOS: introduced: '17.1' @@ -274,6 +288,20 @@ payloadkeys: presence: optional content: The key to skip the Keyboard pane. This pane isn't always skippable because it appears before the device retrieves the Cloud Configuration from the server. +- key: LiquidGlass + title: Skip Liquid Glass pane + supportedOS: + iOS: + introduced: '27.0' + macOS: + introduced: '27.0' + tvOS: + introduced: n/a + visionOS: + introduced: n/a + type: + presence: optional + content: The key to skip the Liquid Glass pane. - key: Location title: Disables Location Services supportedOS: @@ -453,7 +481,7 @@ payloadkeys: presence: optional content: The key to skip the Screen Time pane. - key: SIMSetup - title: Skip SIM-related setup + title: Skip sim-related setup supportedOS: iOS: introduced: '12.0' @@ -554,7 +582,7 @@ payloadkeys: presence: optional content: The key to skip Terms and Conditions. - key: TVHomeScreenSync - title: Skip TV Home Screen + title: Skip TV Home Screen Layout supportedOS: iOS: introduced: n/a @@ -568,7 +596,7 @@ payloadkeys: presence: optional content: The key to skip TV Home Screen layout sync screen. - key: TVProviderSignIn - title: Skip TV provider sign in + title: Skip TV Provider sign in supportedOS: iOS: introduced: n/a @@ -582,7 +610,7 @@ payloadkeys: presence: optional content: The key to skip the TV provider sign in screen. - key: TVRoom - title: Skip Where is this Apple TV pane + title: Skip where is this Apple TV pane supportedOS: iOS: introduced: n/a @@ -596,7 +624,7 @@ payloadkeys: presence: optional content: The key to skip the "Where is this Apple TV?" screen. - key: UnlockWithWatch - title: Skips Unlock With Watch pane + title: Skips Unlock with Apple Watch pane supportedOS: iOS: introduced: n/a @@ -653,10 +681,11 @@ payloadkeys: presence: optional content: The key to skip the screen for watch migration. - key: WebContentFiltering - title: Skip web content filtering pane + title: Skip Web Content Filtering pane supportedOS: iOS: introduced: '18.2' + removed: '26.1' macOS: introduced: n/a tvOS: