mirror of
https://github.com/apple/device-management.git
synced 2026-07-10 21:13:42 +02:00
Release_iOS-16-2_macOS-13-1
This commit is contained in:
@@ -8,10 +8,10 @@ This release corresponds to the following OS versions
|
||||
|
||||
| OS | Version |
|
||||
|---------|---------|
|
||||
| iOS | 16.1 |
|
||||
| macOS | 13.0 |
|
||||
| tvOS | 16.1 |
|
||||
| watchOS | 9.1 |
|
||||
| iOS | 16.2 |
|
||||
| macOS | 13.1 |
|
||||
| tvOS | 16.2 |
|
||||
| watchOS | 9.2 |
|
||||
|
||||
## What's Available
|
||||
|
||||
|
||||
@@ -120,8 +120,8 @@ payloadkeys:
|
||||
presence: optional
|
||||
content: The URL that this account uses for signing in with OAuth. The system
|
||||
ignores this value unless 'Enabled' is 'true'. The system doesn't use autodiscovery
|
||||
when a declaraction contains this URL, so the declaration must also contain
|
||||
a 'HostName'.
|
||||
when a declaration contains this URL, so the declaration must also contain a
|
||||
'HostName'.
|
||||
- key: TokenRequestURL
|
||||
supportedOS:
|
||||
macOS:
|
||||
|
||||
@@ -77,7 +77,7 @@ payloadkeys:
|
||||
- Subtree
|
||||
default: Subtree
|
||||
content: |-
|
||||
The type of recursion to use in the saerch.
|
||||
The type of recursion to use in the search.
|
||||
* 'Base': Only the 'SearchBase' node.
|
||||
* 'OneLevel': The 'SearchBase' node and its immediate children.
|
||||
* 'Subtree': The 'SearchBase' node and all its chidren, regardless of depth.
|
||||
* 'Subtree': The 'SearchBase' node and all its children, regardless of depth.
|
||||
|
||||
@@ -24,6 +24,18 @@ payloadkeys:
|
||||
content: If 'true', requires the user to set a passcode without any requirements
|
||||
about the length or quality of the passcode. The presence of any other keys implicitly
|
||||
requires a passcode, and overrides this key's value.
|
||||
- key: RequireAlphanumericPasscode
|
||||
title: Require Alphanumeric Passcode
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '16.2'
|
||||
macOS:
|
||||
introduced: '13.1'
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If set to true, the passcode must consist of at least one alphabetic characters
|
||||
("abcd"), and at least one number.
|
||||
- key: RequireComplexPasscode
|
||||
title: Require Complex Passcode
|
||||
type: <boolean>
|
||||
@@ -31,7 +43,7 @@ payloadkeys:
|
||||
default: false
|
||||
content: If 'true', requires a complex passcode. A complex passcode is one that
|
||||
doesn't contain repeated characters or increasing/decreasing characters (such
|
||||
as 123 or CBA), and must contain at least one nonnumeric/nonalphabetic character.
|
||||
as 123 or CBA).
|
||||
- key: MinimumLength
|
||||
title: Minimum Passcode Length
|
||||
type: <integer>
|
||||
@@ -41,6 +53,21 @@ payloadkeys:
|
||||
max: 16
|
||||
default: 0
|
||||
content: The minimum number of characters a passcode can contain.
|
||||
- key: MinimumComplexCharacters
|
||||
title: Minimum Complex Characters
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '16.2'
|
||||
macOS:
|
||||
introduced: '13.1'
|
||||
type: <integer>
|
||||
presence: optional
|
||||
range:
|
||||
min: 0
|
||||
max: 4
|
||||
default: 1
|
||||
content: Specifies the minimum number of complex characters that must be present.
|
||||
Only used when RequireComplexPasscode is true.
|
||||
- key: MaximumFailedAttempts
|
||||
title: Maximum Number of Failed Attempts
|
||||
type: <integer>
|
||||
@@ -52,6 +79,18 @@ payloadkeys:
|
||||
content: |-
|
||||
The number of failed passcode attempts that the system allows the user before iOS erases the device or macOS locks the device. If you don't change this setting, after six failed attempts, the device imposes a time delay before the user can enter a passcode again. The time delay increases with each failed attempt.
|
||||
After the final failed attempt, the system securely erases all data and settings from the iOS device. A macOS device locks after the final attempt. The passcode time delay begins after the sixth attempt, so if this value is six or lower, the system has no time delay and triggers the erase or lock as soon as the user exceeds the limit.
|
||||
- key: FailedAttemptsResetInMinutes
|
||||
title: Failed Attempts Reset
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
macOS:
|
||||
introduced: '13.1'
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: The number of minutes before the login will be reset after the maximum
|
||||
number of failed attempts has been reached. The MaximumFailedAttempts key must
|
||||
be set for this to take effect.
|
||||
- key: MaximumGracePeriodInMinutes
|
||||
title: Maximum Grace Period
|
||||
type: <integer>
|
||||
@@ -69,6 +108,21 @@ payloadkeys:
|
||||
content: |-
|
||||
The maximum period that a user can select, during which the device can be idle before the system automatically locks it. When the device reaches this limit, the device locks and the user must enter the passcode to unlock it. In the absence of this key, the user can select any period.
|
||||
macOS translates this to screensaver settings.
|
||||
- key: MaximumPasscodeAgeInDays
|
||||
title: Maximum Passcode Age
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '16.2'
|
||||
macOS:
|
||||
introduced: '13.1'
|
||||
type: <integer>
|
||||
presence: optional
|
||||
range:
|
||||
min: 0
|
||||
max: 730
|
||||
content: Specifies the maximum number of days for which the passcode can remain
|
||||
unchanged. After this number of days, the user is forced to change the passcode
|
||||
before the device is unlocked.
|
||||
- key: PasscodeReuseLimit
|
||||
title: Passcode Reuse Limit
|
||||
type: <integer>
|
||||
@@ -76,7 +130,21 @@ payloadkeys:
|
||||
range:
|
||||
min: 1
|
||||
max: 50
|
||||
content: The number of historical passcode entries the system checks when vaildating
|
||||
content: The number of historical passcode entries the system checks when validating
|
||||
a new passcode. The device refuses a new passcode if it matches a previously used
|
||||
passcode within the specified passcode history range. In the absence of this key,
|
||||
the system performs no historical check.
|
||||
- key: ChangeAtNextAuth
|
||||
title: Change At Next Auth
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
macOS:
|
||||
introduced: '13.1'
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If set to true, forces a password reset to occur the next time the user
|
||||
tries to authenticate. If this key is set in a configuration in the system scope
|
||||
(device channel), the setting takes effect for all users, and admin authentications
|
||||
may fail until the admin user password is also reset.
|
||||
|
||||
@@ -31,6 +31,14 @@ payloadkeys:
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The unique identifier for the account.
|
||||
- key: _removed
|
||||
title: Indicates removal of the account.
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: To indicate removal of an account, this key's value is set to true,
|
||||
and only this key and the "identifier" key will be present in the status item
|
||||
object.
|
||||
- key: declaration-identifier
|
||||
title: Identifier of the declaration that installed the account.
|
||||
type: <string>
|
||||
|
||||
@@ -32,6 +32,14 @@ payloadkeys:
|
||||
presence: required
|
||||
content: The unique identifier of the account. This can be used as a "primary
|
||||
key" to access a specific account.
|
||||
- key: _removed
|
||||
title: Indicates removal of the account.
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: To indicate removal of an account, this key's value is set to true,
|
||||
and only this key and the "identifier" key will be present in the status item
|
||||
object.
|
||||
- key: declaration-identifier
|
||||
title: Identifier of the declaration that installed the account.
|
||||
type: <string>
|
||||
|
||||
@@ -32,6 +32,14 @@ payloadkeys:
|
||||
presence: required
|
||||
content: The unique identifier of the account. This can be used as a "primary
|
||||
key" to access a specific account.
|
||||
- key: _removed
|
||||
title: Indicates removal of the account.
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: To indicate removal of an account, this key's value is set to true,
|
||||
and only this key and the "identifier" key will be present in the status item
|
||||
object.
|
||||
- key: declaration-identifier
|
||||
title: Identifier of the declaration that installed the account.
|
||||
type: <string>
|
||||
|
||||
@@ -32,6 +32,14 @@ payloadkeys:
|
||||
presence: required
|
||||
content: The unique identifier of the account. This can be used as a "primary
|
||||
key" to access a specific account.
|
||||
- key: _removed
|
||||
title: Indicates removal of the account.
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: To indicate removal of an account, this key's value is set to true,
|
||||
and only this key and the "identifier" key will be present in the status item
|
||||
object.
|
||||
- key: declaration-identifier
|
||||
title: Identifier of the declaration that installed the account.
|
||||
type: <string>
|
||||
|
||||
@@ -32,6 +32,14 @@ payloadkeys:
|
||||
presence: required
|
||||
content: The unique identifier of the account. This can be used as a "primary
|
||||
key" to access a specific account.
|
||||
- key: _removed
|
||||
title: Indicates removal of the account.
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: To indicate removal of an account, this key's value is set to true,
|
||||
and only this key and the "identifier" key will be present in the status item
|
||||
object.
|
||||
- key: declaration-identifier
|
||||
title: Identifier of the declaration that installed the account.
|
||||
type: <string>
|
||||
|
||||
@@ -32,6 +32,14 @@ payloadkeys:
|
||||
presence: required
|
||||
content: The unique identifier of the account. This can be used as a "primary
|
||||
key" to access a specific account.
|
||||
- key: _removed
|
||||
title: Indicates removal of the account.
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: To indicate removal of an account, this key's value is set to true,
|
||||
and only this key and the "identifier" key will be present in the status item
|
||||
object.
|
||||
- key: declaration-identifier
|
||||
title: Identifier of the declaration that installed the account.
|
||||
type: <string>
|
||||
|
||||
@@ -32,6 +32,14 @@ payloadkeys:
|
||||
presence: required
|
||||
content: The unique identifier of the account. This can be used as a "primary
|
||||
key" to access a specific account.
|
||||
- key: _removed
|
||||
title: Indicates removal of the account.
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: To indicate removal of an account, this key's value is set to true,
|
||||
and only this key and the "identifier" key will be present in the status item
|
||||
object.
|
||||
- key: declaration-identifier
|
||||
title: Identifier of the declaration that installed the account.
|
||||
type: <string>
|
||||
|
||||
@@ -30,6 +30,14 @@ payloadkeys:
|
||||
presence: required
|
||||
content: The unique identifier of the account. This can be used as a "primary
|
||||
key" to access a specific account.
|
||||
- key: _removed
|
||||
title: Indicates removal of the account.
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: To indicate removal of an account, this key's value is set to true,
|
||||
and only this key and the "identifier" key will be present in the status item
|
||||
object.
|
||||
- key: declaration-identifier
|
||||
title: Identifier of the declaration that installed the account.
|
||||
type: <string>
|
||||
|
||||
@@ -25,6 +25,14 @@ payloadkeys:
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The app's bundle id, which is unique.
|
||||
- key: _removed
|
||||
title: Indicates removal of the app.
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: To indicate removal of an app, this key's value is set to true, and
|
||||
only this key and the "identifier" key will be present in the status item
|
||||
object.
|
||||
- key: name
|
||||
title: App name
|
||||
type: <string>
|
||||
|
||||
+3
-3
@@ -165,9 +165,9 @@ properties:
|
||||
type: string
|
||||
description: Indicates the expected format of the string value of the key, supporting additional validation of the value.
|
||||
enum:
|
||||
- url
|
||||
- hostname
|
||||
- email
|
||||
- <url>
|
||||
- <hostname>
|
||||
- <email>
|
||||
presence:
|
||||
type: string
|
||||
description: Whether the key is required or optional.
|
||||
|
||||
@@ -269,7 +269,7 @@ payloadkeys:
|
||||
- key: SerialNumber
|
||||
supportedOS:
|
||||
iOS:
|
||||
accessrights: AllowQueryDeviceInformatio
|
||||
accessrights: AllowQueryDeviceInformation
|
||||
userenrollment:
|
||||
mode: forbidden
|
||||
macOS:
|
||||
@@ -731,6 +731,18 @@ payloadkeys:
|
||||
content: |-
|
||||
The grace period for Shared iPad online authentication (in days). 0 means the device requires online authentication for every login.
|
||||
Available in iOS 16 and later.
|
||||
- key: SkipLanguageAndLocaleSetupForNewUsers
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '16.2'
|
||||
accessrights: AllowQueryDeviceInformation
|
||||
macOS:
|
||||
introduced: n/a
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
type: <string>
|
||||
content: Whether the language & locale pane will be skipped for new users of
|
||||
Shared iPad
|
||||
- key: PushToken
|
||||
supportedOS:
|
||||
iOS:
|
||||
@@ -738,12 +750,10 @@ payloadkeys:
|
||||
accessrights: AllowQueryDeviceInformation
|
||||
sharedipad:
|
||||
devicechannel: false
|
||||
userchannel: true
|
||||
userenrollment:
|
||||
mode: forbidden
|
||||
macOS:
|
||||
introduced: '10.12'
|
||||
userchannel: true
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
type: <string>
|
||||
@@ -1123,11 +1133,28 @@ payloadkeys:
|
||||
content: The key that represents the device identifier you use to look up available
|
||||
OS updates through <https://gdmf.apple.com/v2/pmv>. Available in iOS 15 and
|
||||
later, and macOS 12 and later.
|
||||
- key: SoftwareUpdateSettings
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '14.5'
|
||||
userenrollment:
|
||||
mode: forbidden
|
||||
macOS:
|
||||
introduced: n/a
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
type: <string>
|
||||
content: Returns the device settings that control which updates appear in the
|
||||
Software Update pane in Settings. OS updates through <https://gdmf.apple.com/v2/pmv>.
|
||||
Available in iOS 14.5 and later.
|
||||
- key: AccessibilitySettings
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '16.0'
|
||||
supervised: true
|
||||
sharedipad:
|
||||
mode: allowed
|
||||
devicechannel: false
|
||||
userenrollment:
|
||||
mode: forbidden
|
||||
macOS:
|
||||
@@ -1229,7 +1256,7 @@ responsekeys:
|
||||
- key: OrganizationEmail
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The orgnization's support email address. This value is available in
|
||||
content: The organization's support email address. This value is available in
|
||||
iOS 7 and later, macOS 10.11 and later, and tvOS 9 and later.
|
||||
- key: OrganizationMagic
|
||||
type: <string>
|
||||
@@ -1766,7 +1793,7 @@ responsekeys:
|
||||
introduced: n/a
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
type: <real>
|
||||
type: <integer>
|
||||
content: The timeout interval for the user session. '0' means no timeout.
|
||||
- key: TemporarySessionTimeout
|
||||
supportedOS:
|
||||
@@ -1776,7 +1803,7 @@ responsekeys:
|
||||
introduced: n/a
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
type: <real>
|
||||
type: <integer>
|
||||
content: The timeout interval for the temporary session. '0' means no timeout.
|
||||
- key: TemporarySessionOnly
|
||||
supportedOS:
|
||||
@@ -1811,10 +1838,21 @@ responsekeys:
|
||||
introduced: n/a
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
type: <real>
|
||||
type: <integer>
|
||||
content: |-
|
||||
The grace period for Shared iPad online authentication (in days). 0 means the device requires online authentication for every login.
|
||||
Available in iOS 16 and later.
|
||||
- key: SkipLanguageAndLocaleSetupForNewUsers
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '16.2'
|
||||
macOS:
|
||||
introduced: n/a
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
type: <boolean>
|
||||
content: Whether the language & locale pane will be skipped for new users of Shared
|
||||
iPad
|
||||
- key: PushToken
|
||||
supportedOS:
|
||||
iOS:
|
||||
@@ -2214,11 +2252,33 @@ responsekeys:
|
||||
content: The key representing the device identifier to be used when looking up
|
||||
available OS updates via <https://gdmf.apple.com/v2/pmv>. Available in iOS 14.5
|
||||
and later.
|
||||
- key: SoftwareUpdateSettings
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '14.5'
|
||||
userenrollment:
|
||||
mode: forbidden
|
||||
macOS:
|
||||
introduced: n/a
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
type: <dictionary>
|
||||
content: Properties that control which updates appear in the Software Update pane
|
||||
in Settings.
|
||||
subkeys:
|
||||
- key: RecommendationsCadence
|
||||
type: <integer>
|
||||
content: Which software updates are presented to the user. 0 (the default) allows
|
||||
all updates, 1 allows only older updates. 2 allows only newer updates. No
|
||||
effect if only a single update would be offered to the user for this device.
|
||||
- key: AccessibilitySettings
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '16.0'
|
||||
supervised: true
|
||||
sharedipad:
|
||||
mode: allowed
|
||||
devicechannel: false
|
||||
userenrollment:
|
||||
mode: forbidden
|
||||
macOS:
|
||||
|
||||
@@ -457,7 +457,7 @@ payloadkeys:
|
||||
- key: OrganizationEmail
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The orgnization's support email address.
|
||||
content: The organization's support email address.
|
||||
- key: OrganizationMagic
|
||||
type: <string>
|
||||
presence: optional
|
||||
@@ -567,7 +567,7 @@ payloadkeys:
|
||||
type: <integer>
|
||||
presence: required
|
||||
content: |-
|
||||
The maximum number of users that can use the device. If this value is greater than the value for the maximum possible number of users that the device suports, the MDM server uses that value instead.
|
||||
The maximum number of users that can use the device. If this value is greater than the value for the maximum possible number of users that the device supports, the MDM server uses that value instead.
|
||||
This setting requires that the device is in the 'AwaitingConfiguration' phase before it receives the DeviceConfigured <https://developer.apple.com/library/archive/documentation/Miscellaneous/Reference/MobileDeviceManagementProtocolRef/3-MDM_Protocol/MDM_Protocol.html#//apple_ref/doc/uid/TP40017387-CH3-SW301> message.
|
||||
When a device reaches the maximum number of resident users and a new user tries to sign in, the MDM server removes a synchronized user to make space for the new user. If there are no synchronized users, the new user sign-in fails. A synchronized user is a user that has completed syncing their data.
|
||||
- key: SharedDeviceConfiguration
|
||||
@@ -658,6 +658,16 @@ payloadkeys:
|
||||
A grace period (in days) for Shared iPad online authentication. The Shared iPad only verifies the user's passcode locally during login for users that already exist on the device. However, the system requires an online authentication (against Apple's identity server) after the number of days specified by this setting.
|
||||
Setting this value to 0 enforces online authentication every time.
|
||||
Available in iOS 16 and later.
|
||||
- key: SkipLanguageAndLocaleSetupForNewUsers
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '16.2'
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: Whether the language & locale pane will be skipped for new users of
|
||||
Shared iPad. If 'true', system language & locale will be picked automatically
|
||||
for the new user.
|
||||
- key: DiagnosticSubmission
|
||||
supportedOS:
|
||||
iOS:
|
||||
@@ -835,7 +845,6 @@ payloadkeys:
|
||||
sharedipad:
|
||||
mode: allowed
|
||||
devicechannel: false
|
||||
userchannel: true
|
||||
userenrollment:
|
||||
mode: forbidden
|
||||
macOS:
|
||||
|
||||
@@ -196,3 +196,38 @@ responsekeys:
|
||||
instead of prompting for user authentication prior to installation. This only
|
||||
applies when 'BootstrapTokenAllowedForAuthentication' is 'true' in the SecurityInfoResponse.SecurityInfo
|
||||
response. This value is available for Apple silicon in macOS 11 and later.
|
||||
- key: IsSecurityResponse
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '16.2'
|
||||
macOS:
|
||||
introduced: '13.1'
|
||||
tvOS:
|
||||
introduced: '16.2'
|
||||
type: <boolean>
|
||||
presence: required
|
||||
content: If true, this update is a Rapid Security Response.
|
||||
- key: SupplementalBuildVersion
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '16.2'
|
||||
macOS:
|
||||
introduced: '13.1'
|
||||
tvOS:
|
||||
introduced: '16.2'
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The build version associated with the Rapid Security Response update,
|
||||
e.g. 13A999. This is always the same as 'build'.
|
||||
- key: SupplementalOSVersionExtra
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '16.2'
|
||||
macOS:
|
||||
introduced: '13.1'
|
||||
tvOS:
|
||||
introduced: '16.2'
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The Rapid Security Response OS version suffix, e.g. '(a)'. Only present
|
||||
if this is a Rapid Security Response update.
|
||||
|
||||
@@ -54,7 +54,7 @@ payloadkeys:
|
||||
default: 5190
|
||||
content: The connection port for the server.
|
||||
- key: AIMAuthentication
|
||||
title: AIM Authentification
|
||||
title: AIM Authentication
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
|
||||
@@ -112,7 +112,7 @@ payloadkeys:
|
||||
presence: optional
|
||||
default: false
|
||||
content: |-
|
||||
If 'true', prevents the computer from sleeping as long as Content Caching is on (System Preferences > Sharing > Content Caching is on). Customers who want Content Caching to be as available as musch as possible should turn this setting on.
|
||||
If 'true', prevents the computer from sleeping as long as Content Caching is on (System Preferences > Sharing > Content Caching is on). Customers who want Content Caching to be as available as much as possible should turn this setting on.
|
||||
Available in macOS 10.15 and later.
|
||||
- key: ListenRanges
|
||||
supportedOS:
|
||||
|
||||
@@ -39,5 +39,5 @@ payloadkeys:
|
||||
- key: Set-Once
|
||||
type: <array>
|
||||
presence: required
|
||||
content: The dictonary of one-time settings.
|
||||
content: The dictionary of one-time settings.
|
||||
subkeys: *id001
|
||||
|
||||
@@ -71,7 +71,7 @@ payloadkeys:
|
||||
content: |-
|
||||
The 'Authorization' key is an optional replacement for the 'Allowed' key. Every payload must specify either 'Authorization' or 'Allowed', but not both.
|
||||
'Allow': Equivalent to a 'true' value for the 'Allowed' key.
|
||||
'Deny': Equivalent to a f'alse' value for the 'Allowed' key.
|
||||
'Deny': Equivalent to a 'false' value for the 'Allowed' key.
|
||||
'AllowStandardUserToSetSystemService:' allows a standard (non-admin) user to configure the permissions for the specified app in the Privacy preferences for services that otherwise require admin authorization. 'AllowStandardUserToSetSystemService' is only valid for the 'ListenEvent' and 'ScreenCapture' services.
|
||||
Available in macOS 11 and later.
|
||||
- key: Comment
|
||||
|
||||
@@ -68,3 +68,22 @@ payloadkeys:
|
||||
subkeys:
|
||||
- key: SafariPasswordAutoFillDomainsItem
|
||||
type: <string>
|
||||
- key: CrossSiteTrackingPreventionRelaxedDomains
|
||||
title: Cross-Site Tracking Prevention RelaxedDomains
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '16.2'
|
||||
supervised: true
|
||||
allowmanualinstall: false
|
||||
userenrollment:
|
||||
mode: forbidden
|
||||
macOS:
|
||||
introduced: '13.1'
|
||||
allowmanualinstall: false
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: An array of up to 10 strings. URLs matching the patterns listed here will
|
||||
have relaxed enforcement of cross-site tracking prevention.
|
||||
subkeys:
|
||||
- key: CrossSiteTrackingPreventionRelaxedDomainItem
|
||||
type: <string>
|
||||
|
||||
@@ -333,7 +333,7 @@ payloadkeys:
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: |-
|
||||
The ordered list of perferred Key Distribution Centers (KDCs) to use for Kerberos traffic. Use this if the servers are not discoverable via DNS. If the servers are specified, then they are used for both connectivity checks and attempted first for Kerberos traffic. If the servers do not respond, then the device falls back to DNS discovery. Each entry is formatted the same as it would be in a 'krb5.conf' file. Examples of entries are:
|
||||
The ordered list of preferred Key Distribution Centers (KDCs) to use for Kerberos traffic. Use this if the servers are not discoverable via DNS. If the servers are specified, then they are used for both connectivity checks and attempted first for Kerberos traffic. If the servers do not respond, then the device falls back to DNS discovery. Each entry is formatted the same as it would be in a 'krb5.conf' file. Examples of entries are:
|
||||
* 'adserver1.example.com'
|
||||
* 'tcp/adserver1.example.com:88'
|
||||
* 'kkdcp://kerberosproxy.example.com:443/kkdcp'
|
||||
|
||||
@@ -47,7 +47,7 @@ payloadkeys:
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
content: If set to false, extneral hard drives will not appear on the desktop.
|
||||
content: If set to false, external hard drives will not appear on the desktop.
|
||||
- key: ShowHardDrivesOnDesktop
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
|
||||
@@ -22,7 +22,7 @@ payload:
|
||||
mode: allowed
|
||||
content: |-
|
||||
Each payload may contain one font file. Font files may be in TrueType (.ttf) or OpenType (.otf) file format. Collection types (.ttc or .otc) formats are not supported.
|
||||
Fonts are uniqued internally by their embedded PostScript name. Two fonts with the same PostScript name will be considered the same font, even if their contents differ. Installing two different fonts with the same PostScript name is not supported, and it is undefined which font will remain installed.
|
||||
Fonts are uniquely identified internally by their embedded PostScript name. Two fonts with the same PostScript name will be considered the same font, even if their contents differ. Installing two different fonts with the same PostScript name is not supported, and it is undefined which font will remain installed.
|
||||
payloadkeys:
|
||||
- key: Name
|
||||
title: Font Name
|
||||
|
||||
@@ -53,7 +53,7 @@ payloadkeys:
|
||||
default: 5222
|
||||
content: The server's port.
|
||||
- key: JabberAuthentication
|
||||
title: Jabber Authentification
|
||||
title: Jabber Authentication
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
|
||||
@@ -51,7 +51,7 @@ payloadkeys:
|
||||
the payload, the device prompts for this string during interactive profile installation
|
||||
in Settings or System Preferences.
|
||||
- key: IncomingMailServerAuthentication
|
||||
title: Incoming Mail Server Authentification
|
||||
title: Incoming Mail Server Authentication
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
|
||||
@@ -43,7 +43,7 @@ payloadkeys:
|
||||
- key: ProxyServer
|
||||
title: Proxy Server
|
||||
type: <string>
|
||||
subtype: hostname
|
||||
subtype: <hostname>
|
||||
presence: required
|
||||
content: The proxy server's network address.
|
||||
- key: ProxyServerPort
|
||||
|
||||
@@ -14,6 +14,15 @@ payload:
|
||||
userchannel: false
|
||||
userenrollment:
|
||||
mode: allowed
|
||||
macOS:
|
||||
introduced: '13.1'
|
||||
devicechannel: true
|
||||
userchannel: true
|
||||
requiresdep: false
|
||||
userapprovedmdm: false
|
||||
allowmanualinstall: true
|
||||
userenrollment:
|
||||
mode: allowed
|
||||
tvOS:
|
||||
introduced: '16.0'
|
||||
supervised: false
|
||||
@@ -68,6 +77,7 @@ payloadkeys:
|
||||
If 'false', the private key isn't bound to the device.
|
||||
If 'true', the private key is bound to the device. The Secure Enclave generates the key pair, and the private key is cryptographically entangled with a system key. This prevents the system from exporting the private key.
|
||||
If 'true', 'KeyType' must be 'ECSECPrimeRandom' and 'KeySize' must be 256 or 384.
|
||||
On macOS, this key is required but must have a value of 'false'.
|
||||
- key: Subject
|
||||
title: Subject
|
||||
type: <array>
|
||||
@@ -148,3 +158,26 @@ payloadkeys:
|
||||
content: |-
|
||||
If 'true', the device provides attestations describing the device and the generated key to the ACME server. The server can use the attestations as strong evidence that the key is bound to the device, and that the device has properties listed in the attestation. The server can use that as part of a trust score to decide whether to issue the requested certificate.
|
||||
When 'Attest' is 'true', 'HardwareBound' must also be 'true'.
|
||||
On macOS, this key, if present, must have a value of 'false'.
|
||||
- key: KeyIsExtractable
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
content: Whether the private key of the identity obtained via SCEP should be tagged
|
||||
as "non-extractable" in the keychain.
|
||||
- key: AllowAllAppsAccess
|
||||
title: Allow All Apps Access
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If true, all apps have access to the private key.
|
||||
|
||||
@@ -38,7 +38,7 @@ payloadkeys:
|
||||
- Label
|
||||
- LabelPrefix
|
||||
- TeamIdentifier
|
||||
content: The type of comparision to make.
|
||||
content: The type of comparison to make.
|
||||
- key: RuleValue
|
||||
title: Rule Value
|
||||
type: <string>
|
||||
@@ -50,3 +50,9 @@ payloadkeys:
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: An optional description of the rule.
|
||||
- key: TeamIdentifier
|
||||
title: Team Identifier
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: An additional constraint to limit the scope of the rule that is tested
|
||||
after matching the RuleType/RuleValue.
|
||||
|
||||
@@ -51,7 +51,7 @@ payloadkeys:
|
||||
- key: ANY
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: The kernal extension data.
|
||||
content: The kernel extension data.
|
||||
subkeys:
|
||||
- key: AllowedKernelExtensionsItems
|
||||
type: <string>
|
||||
|
||||
@@ -149,19 +149,3 @@ payloadkeys:
|
||||
type: <string>
|
||||
presence: required
|
||||
content: An SMB domain.
|
||||
- key: VPN
|
||||
title: VPN
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: A dictionary with additional VPN settings.
|
||||
subkeys:
|
||||
- key: ProviderType
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- packet-tunnel
|
||||
- app-proxy
|
||||
default: app-proxy
|
||||
content: The type of VPN service. If it is 'app-proxy', the service will tunnel
|
||||
traffic at the application level. If it is 'packet-tunnel', the service will
|
||||
tunnel traffic at the IP layer.
|
||||
|
||||
@@ -739,6 +739,36 @@ payloadkeys:
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The password used for authentication.
|
||||
- key: OnDemandEnabled
|
||||
title: Enable VPN On Demand
|
||||
type: <integer>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- 0
|
||||
- 1
|
||||
default: 0
|
||||
content: If 1, VPN is brought up on demand.
|
||||
- key: OnDemandUserOverrideDisabled
|
||||
title: Prevent users from toggling VPN On Demand
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '14.0'
|
||||
macOS:
|
||||
introduced: n/a
|
||||
type: <integer>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- 0
|
||||
- 1
|
||||
default: 0
|
||||
content: If 1, the Connect On Demand toggle in Settings is disabled for this configuration.
|
||||
- key: OnDemandRules
|
||||
title: On Demand Rules
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: Determines when and how an OnDemand VPN should be used.
|
||||
subkeytype: OnDemandRulesElement
|
||||
subkeys: *id004
|
||||
- key: DeadPeerDetectionRate
|
||||
title: Dead Peer Detection Rate
|
||||
type: <string>
|
||||
|
||||
@@ -44,7 +44,7 @@ payloadkeys:
|
||||
- key: URL
|
||||
title: URL
|
||||
type: <string>
|
||||
subtype: url
|
||||
subtype: <url>
|
||||
presence: required
|
||||
content: The URL that the web clip should open when clicked. If the URL doesn't
|
||||
begin with 'HTTP' or 'HTTPS', it doesn't work.
|
||||
|
||||
@@ -197,14 +197,16 @@ payloadkeys:
|
||||
introduced: n/a
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
content: If 'true', enables the filtering of WebKit traffic.
|
||||
default: false
|
||||
content: If 'true', enables the filtering of WebKit traffic. Either 'FilterBrowsers'
|
||||
or 'FilterSockets' must be 'true'.
|
||||
- key: FilterSockets
|
||||
title: FilterSockets
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
content: If 'true', enables the filtering of socket traffic.
|
||||
default: false
|
||||
content: If 'true', enables the filtering of socket traffic. Either 'FilterBrowsers'
|
||||
or 'FilterSockets' must be 'true'.
|
||||
- key: FilterDataProviderDesignatedRequirement
|
||||
title: Filter Data Provider Designated Requirement
|
||||
supportedOS:
|
||||
@@ -238,11 +240,11 @@ payloadkeys:
|
||||
introduced: '10.15'
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
default: false
|
||||
content: |-
|
||||
If this value is 'true', the property enables the filtering of network packets.
|
||||
Either 'FilterPackets' or 'FilterSockets' must be 'true' for the filter to have an effect.
|
||||
You can use this when 'FilterType' is 'Plugin'.
|
||||
Either 'FilterPackets' or 'FilterSockets' must be 'true'.
|
||||
You can only use this when 'FilterType' is 'Plugin'.
|
||||
Available in macOS 10.15 and later.
|
||||
- key: FilterPacketProviderDesignatedRequirement
|
||||
title: Filter Packet Provider Designated Requirement
|
||||
|
||||
@@ -107,7 +107,7 @@ payloadkeys:
|
||||
presence: required
|
||||
content: Must be a string with a length greater than one character. (internal
|
||||
only can not be the bundle identifier of a system application. Must be a
|
||||
profile validated application if the bundle identifer matches that of an
|
||||
profile validated application if the bundle identifier matches that of an
|
||||
existing application)
|
||||
- key: bundle-version
|
||||
title: The bundle version
|
||||
|
||||
@@ -401,19 +401,6 @@ payloadkeys:
|
||||
presence: optional
|
||||
content: 'Skips the “Where is this Apple TV?” screen in tvOS. Availability: tvOS
|
||||
11.4+.'
|
||||
- key: UnlockWithWatch
|
||||
title: Skips Unlock with Apple Watch pane
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
macOS:
|
||||
introduced: '12.0'
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: 'Skips Unlock Your Mac with your Apple Watch pane. Availability: macOS
|
||||
12+.'
|
||||
- key: UpdateCompleted
|
||||
title: Skips Software Update Complete pane
|
||||
supportedOS:
|
||||
|
||||
Reference in New Issue
Block a user