diff --git a/README.md b/README.md index 97ff1e2..dfc9ea4 100644 --- a/README.md +++ b/README.md @@ -8,10 +8,10 @@ This release corresponds to the following OS versions | OS | Version | |---------|---------| -| iOS | 16.1 | -| macOS | 13.0 | -| tvOS | 16.1 | -| watchOS | 9.1 | +| iOS | 16.2 | +| macOS | 13.1 | +| tvOS | 16.2 | +| watchOS | 9.2 | ## What's Available diff --git a/declarative/declarations/configurations/account.exchange.yaml b/declarative/declarations/configurations/account.exchange.yaml index 7e1329d..a86735e 100644 --- a/declarative/declarations/configurations/account.exchange.yaml +++ b/declarative/declarations/configurations/account.exchange.yaml @@ -120,8 +120,8 @@ payloadkeys: presence: optional content: The URL that this account uses for signing in with OAuth. The system ignores this value unless 'Enabled' is 'true'. The system doesn't use autodiscovery - when a declaraction contains this URL, so the declaration must also contain - a 'HostName'. + when a declaration contains this URL, so the declaration must also contain a + 'HostName'. - key: TokenRequestURL supportedOS: macOS: diff --git a/declarative/declarations/configurations/account.ldap.yaml b/declarative/declarations/configurations/account.ldap.yaml index 8c51bc8..4f84d1a 100644 --- a/declarative/declarations/configurations/account.ldap.yaml +++ b/declarative/declarations/configurations/account.ldap.yaml @@ -77,7 +77,7 @@ payloadkeys: - Subtree default: Subtree content: |- - The type of recursion to use in the saerch. + The type of recursion to use in the search. * 'Base': Only the 'SearchBase' node. * 'OneLevel': The 'SearchBase' node and its immediate children. - * 'Subtree': The 'SearchBase' node and all its chidren, regardless of depth. + * 'Subtree': The 'SearchBase' node and all its children, regardless of depth. diff --git a/declarative/declarations/configurations/passcode.settings.yaml b/declarative/declarations/configurations/passcode.settings.yaml index 08565df..820a3fa 100644 --- a/declarative/declarations/configurations/passcode.settings.yaml +++ b/declarative/declarations/configurations/passcode.settings.yaml @@ -24,6 +24,18 @@ payloadkeys: content: If 'true', requires the user to set a passcode without any requirements about the length or quality of the passcode. The presence of any other keys implicitly requires a passcode, and overrides this key's value. +- key: RequireAlphanumericPasscode + title: Require Alphanumeric Passcode + supportedOS: + iOS: + introduced: '16.2' + macOS: + introduced: '13.1' + type: + presence: optional + default: false + content: If set to true, the passcode must consist of at least one alphabetic characters + ("abcd"), and at least one number. - key: RequireComplexPasscode title: Require Complex Passcode type: @@ -31,7 +43,7 @@ payloadkeys: default: false content: If 'true', requires a complex passcode. A complex passcode is one that doesn't contain repeated characters or increasing/decreasing characters (such - as 123 or CBA), and must contain at least one nonnumeric/nonalphabetic character. + as 123 or CBA). - key: MinimumLength title: Minimum Passcode Length type: @@ -41,6 +53,21 @@ payloadkeys: max: 16 default: 0 content: The minimum number of characters a passcode can contain. +- key: MinimumComplexCharacters + title: Minimum Complex Characters + supportedOS: + iOS: + introduced: '16.2' + macOS: + introduced: '13.1' + type: + presence: optional + range: + min: 0 + max: 4 + default: 1 + content: Specifies the minimum number of complex characters that must be present. + Only used when RequireComplexPasscode is true. - key: MaximumFailedAttempts title: Maximum Number of Failed Attempts type: @@ -52,6 +79,18 @@ payloadkeys: content: |- The number of failed passcode attempts that the system allows the user before iOS erases the device or macOS locks the device. If you don't change this setting, after six failed attempts, the device imposes a time delay before the user can enter a passcode again. The time delay increases with each failed attempt. After the final failed attempt, the system securely erases all data and settings from the iOS device. A macOS device locks after the final attempt. The passcode time delay begins after the sixth attempt, so if this value is six or lower, the system has no time delay and triggers the erase or lock as soon as the user exceeds the limit. +- key: FailedAttemptsResetInMinutes + title: Failed Attempts Reset + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '13.1' + type: + presence: optional + content: The number of minutes before the login will be reset after the maximum + number of failed attempts has been reached. The MaximumFailedAttempts key must + be set for this to take effect. - key: MaximumGracePeriodInMinutes title: Maximum Grace Period type: @@ -69,6 +108,21 @@ payloadkeys: content: |- The maximum period that a user can select, during which the device can be idle before the system automatically locks it. When the device reaches this limit, the device locks and the user must enter the passcode to unlock it. In the absence of this key, the user can select any period. macOS translates this to screensaver settings. +- key: MaximumPasscodeAgeInDays + title: Maximum Passcode Age + supportedOS: + iOS: + introduced: '16.2' + macOS: + introduced: '13.1' + type: + presence: optional + range: + min: 0 + max: 730 + content: Specifies the maximum number of days for which the passcode can remain + unchanged. After this number of days, the user is forced to change the passcode + before the device is unlocked. - key: PasscodeReuseLimit title: Passcode Reuse Limit type: @@ -76,7 +130,21 @@ payloadkeys: range: min: 1 max: 50 - content: The number of historical passcode entries the system checks when vaildating + content: The number of historical passcode entries the system checks when validating a new passcode. The device refuses a new passcode if it matches a previously used passcode within the specified passcode history range. In the absence of this key, the system performs no historical check. +- key: ChangeAtNextAuth + title: Change At Next Auth + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '13.1' + type: + presence: optional + default: false + content: If set to true, forces a password reset to occur the next time the user + tries to authenticate. If this key is set in a configuration in the system scope + (device channel), the setting takes effect for all users, and admin authentications + may fail until the admin user password is also reset. diff --git a/declarative/status/account.list.caldav.yaml b/declarative/status/account.list.caldav.yaml index 798821f..84df03c 100644 --- a/declarative/status/account.list.caldav.yaml +++ b/declarative/status/account.list.caldav.yaml @@ -31,6 +31,14 @@ payloadkeys: type: presence: required content: The unique identifier for the account. + - key: _removed + title: Indicates removal of the account. + type: + presence: optional + default: false + content: To indicate removal of an account, this key's value is set to true, + and only this key and the "identifier" key will be present in the status item + object. - key: declaration-identifier title: Identifier of the declaration that installed the account. type: diff --git a/declarative/status/account.list.carddav.yaml b/declarative/status/account.list.carddav.yaml index fd53e13..4ad05b2 100644 --- a/declarative/status/account.list.carddav.yaml +++ b/declarative/status/account.list.carddav.yaml @@ -32,6 +32,14 @@ payloadkeys: presence: required content: The unique identifier of the account. This can be used as a "primary key" to access a specific account. + - key: _removed + title: Indicates removal of the account. + type: + presence: optional + default: false + content: To indicate removal of an account, this key's value is set to true, + and only this key and the "identifier" key will be present in the status item + object. - key: declaration-identifier title: Identifier of the declaration that installed the account. type: diff --git a/declarative/status/account.list.exchange.yaml b/declarative/status/account.list.exchange.yaml index c75397f..1c6aa9d 100644 --- a/declarative/status/account.list.exchange.yaml +++ b/declarative/status/account.list.exchange.yaml @@ -32,6 +32,14 @@ payloadkeys: presence: required content: The unique identifier of the account. This can be used as a "primary key" to access a specific account. + - key: _removed + title: Indicates removal of the account. + type: + presence: optional + default: false + content: To indicate removal of an account, this key's value is set to true, + and only this key and the "identifier" key will be present in the status item + object. - key: declaration-identifier title: Identifier of the declaration that installed the account. type: diff --git a/declarative/status/account.list.google.yaml b/declarative/status/account.list.google.yaml index 81d8da5..ab29ffe 100644 --- a/declarative/status/account.list.google.yaml +++ b/declarative/status/account.list.google.yaml @@ -32,6 +32,14 @@ payloadkeys: presence: required content: The unique identifier of the account. This can be used as a "primary key" to access a specific account. + - key: _removed + title: Indicates removal of the account. + type: + presence: optional + default: false + content: To indicate removal of an account, this key's value is set to true, + and only this key and the "identifier" key will be present in the status item + object. - key: declaration-identifier title: Identifier of the declaration that installed the account. type: diff --git a/declarative/status/account.list.ldap.yaml b/declarative/status/account.list.ldap.yaml index 93ff64f..3fa3fe3 100644 --- a/declarative/status/account.list.ldap.yaml +++ b/declarative/status/account.list.ldap.yaml @@ -32,6 +32,14 @@ payloadkeys: presence: required content: The unique identifier of the account. This can be used as a "primary key" to access a specific account. + - key: _removed + title: Indicates removal of the account. + type: + presence: optional + default: false + content: To indicate removal of an account, this key's value is set to true, + and only this key and the "identifier" key will be present in the status item + object. - key: declaration-identifier title: Identifier of the declaration that installed the account. type: diff --git a/declarative/status/account.list.mail.incoming.yaml b/declarative/status/account.list.mail.incoming.yaml index d4d7bdb..f860c62 100644 --- a/declarative/status/account.list.mail.incoming.yaml +++ b/declarative/status/account.list.mail.incoming.yaml @@ -32,6 +32,14 @@ payloadkeys: presence: required content: The unique identifier of the account. This can be used as a "primary key" to access a specific account. + - key: _removed + title: Indicates removal of the account. + type: + presence: optional + default: false + content: To indicate removal of an account, this key's value is set to true, + and only this key and the "identifier" key will be present in the status item + object. - key: declaration-identifier title: Identifier of the declaration that installed the account. type: diff --git a/declarative/status/account.list.mail.outgoing.yaml b/declarative/status/account.list.mail.outgoing.yaml index 61af9d6..76c5606 100644 --- a/declarative/status/account.list.mail.outgoing.yaml +++ b/declarative/status/account.list.mail.outgoing.yaml @@ -32,6 +32,14 @@ payloadkeys: presence: required content: The unique identifier of the account. This can be used as a "primary key" to access a specific account. + - key: _removed + title: Indicates removal of the account. + type: + presence: optional + default: false + content: To indicate removal of an account, this key's value is set to true, + and only this key and the "identifier" key will be present in the status item + object. - key: declaration-identifier title: Identifier of the declaration that installed the account. type: diff --git a/declarative/status/account.list.subscribed-calendar.yaml b/declarative/status/account.list.subscribed-calendar.yaml index f7bf21a..4f04df2 100644 --- a/declarative/status/account.list.subscribed-calendar.yaml +++ b/declarative/status/account.list.subscribed-calendar.yaml @@ -30,6 +30,14 @@ payloadkeys: presence: required content: The unique identifier of the account. This can be used as a "primary key" to access a specific account. + - key: _removed + title: Indicates removal of the account. + type: + presence: optional + default: false + content: To indicate removal of an account, this key's value is set to true, + and only this key and the "identifier" key will be present in the status item + object. - key: declaration-identifier title: Identifier of the declaration that installed the account. type: diff --git a/declarative/status/mdm.app.yaml b/declarative/status/mdm.app.yaml index 97f4c77..010e909 100644 --- a/declarative/status/mdm.app.yaml +++ b/declarative/status/mdm.app.yaml @@ -25,6 +25,14 @@ payloadkeys: type: presence: required content: The app's bundle id, which is unique. + - key: _removed + title: Indicates removal of the app. + type: + presence: optional + default: false + content: To indicate removal of an app, this key's value is set to true, and + only this key and the "identifier" key will be present in the status item + object. - key: name title: App name type: diff --git a/docs/schema.yaml b/docs/schema.yaml index 6182428..f9b4ff0 100644 --- a/docs/schema.yaml +++ b/docs/schema.yaml @@ -165,9 +165,9 @@ properties: type: string description: Indicates the expected format of the string value of the key, supporting additional validation of the value. enum: - - url - - hostname - - email + - + - + - presence: type: string description: Whether the key is required or optional. diff --git a/mdm/commands/information.device.yaml b/mdm/commands/information.device.yaml index 1abf7d1..2cb28f1 100644 --- a/mdm/commands/information.device.yaml +++ b/mdm/commands/information.device.yaml @@ -269,7 +269,7 @@ payloadkeys: - key: SerialNumber supportedOS: iOS: - accessrights: AllowQueryDeviceInformatio + accessrights: AllowQueryDeviceInformation userenrollment: mode: forbidden macOS: @@ -731,6 +731,18 @@ payloadkeys: content: |- The grace period for Shared iPad online authentication (in days). 0 means the device requires online authentication for every login. Available in iOS 16 and later. + - key: SkipLanguageAndLocaleSetupForNewUsers + supportedOS: + iOS: + introduced: '16.2' + accessrights: AllowQueryDeviceInformation + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: Whether the language & locale pane will be skipped for new users of + Shared iPad - key: PushToken supportedOS: iOS: @@ -738,12 +750,10 @@ payloadkeys: accessrights: AllowQueryDeviceInformation sharedipad: devicechannel: false - userchannel: true userenrollment: mode: forbidden macOS: introduced: '10.12' - userchannel: true tvOS: introduced: n/a type: @@ -1123,11 +1133,28 @@ payloadkeys: content: The key that represents the device identifier you use to look up available OS updates through . Available in iOS 15 and later, and macOS 12 and later. + - key: SoftwareUpdateSettings + supportedOS: + iOS: + introduced: '14.5' + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: Returns the device settings that control which updates appear in the + Software Update pane in Settings. OS updates through . + Available in iOS 14.5 and later. - key: AccessibilitySettings supportedOS: iOS: introduced: '16.0' supervised: true + sharedipad: + mode: allowed + devicechannel: false userenrollment: mode: forbidden macOS: @@ -1229,7 +1256,7 @@ responsekeys: - key: OrganizationEmail type: presence: optional - content: The orgnization's support email address. This value is available in + content: The organization's support email address. This value is available in iOS 7 and later, macOS 10.11 and later, and tvOS 9 and later. - key: OrganizationMagic type: @@ -1766,7 +1793,7 @@ responsekeys: introduced: n/a tvOS: introduced: n/a - type: + type: content: The timeout interval for the user session. '0' means no timeout. - key: TemporarySessionTimeout supportedOS: @@ -1776,7 +1803,7 @@ responsekeys: introduced: n/a tvOS: introduced: n/a - type: + type: content: The timeout interval for the temporary session. '0' means no timeout. - key: TemporarySessionOnly supportedOS: @@ -1811,10 +1838,21 @@ responsekeys: introduced: n/a tvOS: introduced: n/a - type: + type: content: |- The grace period for Shared iPad online authentication (in days). 0 means the device requires online authentication for every login. Available in iOS 16 and later. + - key: SkipLanguageAndLocaleSetupForNewUsers + supportedOS: + iOS: + introduced: '16.2' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: Whether the language & locale pane will be skipped for new users of Shared + iPad - key: PushToken supportedOS: iOS: @@ -2214,11 +2252,33 @@ responsekeys: content: The key representing the device identifier to be used when looking up available OS updates via . Available in iOS 14.5 and later. + - key: SoftwareUpdateSettings + supportedOS: + iOS: + introduced: '14.5' + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: Properties that control which updates appear in the Software Update pane + in Settings. + subkeys: + - key: RecommendationsCadence + type: + content: Which software updates are presented to the user. 0 (the default) allows + all updates, 1 allows only older updates. 2 allows only newer updates. No + effect if only a single update would be offered to the user for this device. - key: AccessibilitySettings supportedOS: iOS: introduced: '16.0' supervised: true + sharedipad: + mode: allowed + devicechannel: false userenrollment: mode: forbidden macOS: diff --git a/mdm/commands/settings.yaml b/mdm/commands/settings.yaml index 1a4dcb1..3d16795 100644 --- a/mdm/commands/settings.yaml +++ b/mdm/commands/settings.yaml @@ -457,7 +457,7 @@ payloadkeys: - key: OrganizationEmail type: presence: optional - content: The orgnization's support email address. + content: The organization's support email address. - key: OrganizationMagic type: presence: optional @@ -567,7 +567,7 @@ payloadkeys: type: presence: required content: |- - The maximum number of users that can use the device. If this value is greater than the value for the maximum possible number of users that the device suports, the MDM server uses that value instead. + The maximum number of users that can use the device. If this value is greater than the value for the maximum possible number of users that the device supports, the MDM server uses that value instead. This setting requires that the device is in the 'AwaitingConfiguration' phase before it receives the DeviceConfigured message. When a device reaches the maximum number of resident users and a new user tries to sign in, the MDM server removes a synchronized user to make space for the new user. If there are no synchronized users, the new user sign-in fails. A synchronized user is a user that has completed syncing their data. - key: SharedDeviceConfiguration @@ -658,6 +658,16 @@ payloadkeys: A grace period (in days) for Shared iPad online authentication. The Shared iPad only verifies the user's passcode locally during login for users that already exist on the device. However, the system requires an online authentication (against Apple's identity server) after the number of days specified by this setting. Setting this value to 0 enforces online authentication every time. Available in iOS 16 and later. + - key: SkipLanguageAndLocaleSetupForNewUsers + supportedOS: + iOS: + introduced: '16.2' + type: + presence: optional + default: false + content: Whether the language & locale pane will be skipped for new users of + Shared iPad. If 'true', system language & locale will be picked automatically + for the new user. - key: DiagnosticSubmission supportedOS: iOS: @@ -835,7 +845,6 @@ payloadkeys: sharedipad: mode: allowed devicechannel: false - userchannel: true userenrollment: mode: forbidden macOS: diff --git a/mdm/commands/system.update.available.yaml b/mdm/commands/system.update.available.yaml index 071bd52..06527ab 100644 --- a/mdm/commands/system.update.available.yaml +++ b/mdm/commands/system.update.available.yaml @@ -196,3 +196,38 @@ responsekeys: instead of prompting for user authentication prior to installation. This only applies when 'BootstrapTokenAllowedForAuthentication' is 'true' in the SecurityInfoResponse.SecurityInfo response. This value is available for Apple silicon in macOS 11 and later. + - key: IsSecurityResponse + supportedOS: + iOS: + introduced: '16.2' + macOS: + introduced: '13.1' + tvOS: + introduced: '16.2' + type: + presence: required + content: If true, this update is a Rapid Security Response. + - key: SupplementalBuildVersion + supportedOS: + iOS: + introduced: '16.2' + macOS: + introduced: '13.1' + tvOS: + introduced: '16.2' + type: + presence: optional + content: The build version associated with the Rapid Security Response update, + e.g. 13A999. This is always the same as 'build'. + - key: SupplementalOSVersionExtra + supportedOS: + iOS: + introduced: '16.2' + macOS: + introduced: '13.1' + tvOS: + introduced: '16.2' + type: + presence: optional + content: The Rapid Security Response OS version suffix, e.g. '(a)'. Only present + if this is a Rapid Security Response update. diff --git a/mdm/profiles/com.apple.AIM.account.yaml b/mdm/profiles/com.apple.AIM.account.yaml index b594921..3cfa551 100644 --- a/mdm/profiles/com.apple.AIM.account.yaml +++ b/mdm/profiles/com.apple.AIM.account.yaml @@ -54,7 +54,7 @@ payloadkeys: default: 5190 content: The connection port for the server. - key: AIMAuthentication - title: AIM Authentification + title: AIM Authentication type: presence: required rangelist: diff --git a/mdm/profiles/com.apple.AssetCache.managed.yaml b/mdm/profiles/com.apple.AssetCache.managed.yaml index e6d69f2..b7cd5dd 100644 --- a/mdm/profiles/com.apple.AssetCache.managed.yaml +++ b/mdm/profiles/com.apple.AssetCache.managed.yaml @@ -112,7 +112,7 @@ payloadkeys: presence: optional default: false content: |- - If 'true', prevents the computer from sleeping as long as Content Caching is on (System Preferences > Sharing > Content Caching is on). Customers who want Content Caching to be as available as musch as possible should turn this setting on. + If 'true', prevents the computer from sleeping as long as Content Caching is on (System Preferences > Sharing > Content Caching is on). Customers who want Content Caching to be as available as much as possible should turn this setting on. Available in macOS 10.15 and later. - key: ListenRanges supportedOS: diff --git a/mdm/profiles/com.apple.ManagedClient.preferences.yaml b/mdm/profiles/com.apple.ManagedClient.preferences.yaml index 8155b0b..3294c08 100644 --- a/mdm/profiles/com.apple.ManagedClient.preferences.yaml +++ b/mdm/profiles/com.apple.ManagedClient.preferences.yaml @@ -39,5 +39,5 @@ payloadkeys: - key: Set-Once type: presence: required - content: The dictonary of one-time settings. + content: The dictionary of one-time settings. subkeys: *id001 diff --git a/mdm/profiles/com.apple.TCC.configuration-profile-policy.yaml b/mdm/profiles/com.apple.TCC.configuration-profile-policy.yaml index 10444d9..f95e40b 100644 --- a/mdm/profiles/com.apple.TCC.configuration-profile-policy.yaml +++ b/mdm/profiles/com.apple.TCC.configuration-profile-policy.yaml @@ -71,7 +71,7 @@ payloadkeys: content: |- The 'Authorization' key is an optional replacement for the 'Allowed' key. Every payload must specify either 'Authorization' or 'Allowed', but not both. 'Allow': Equivalent to a 'true' value for the 'Allowed' key. - 'Deny': Equivalent to a f'alse' value for the 'Allowed' key. + 'Deny': Equivalent to a 'false' value for the 'Allowed' key. 'AllowStandardUserToSetSystemService:' allows a standard (non-admin) user to configure the permissions for the specified app in the Privacy preferences for services that otherwise require admin authorization. 'AllowStandardUserToSetSystemService' is only valid for the 'ListenEvent' and 'ScreenCapture' services. Available in macOS 11 and later. - key: Comment diff --git a/mdm/profiles/com.apple.domains.yaml b/mdm/profiles/com.apple.domains.yaml index 7c16477..7f14511 100644 --- a/mdm/profiles/com.apple.domains.yaml +++ b/mdm/profiles/com.apple.domains.yaml @@ -68,3 +68,22 @@ payloadkeys: subkeys: - key: SafariPasswordAutoFillDomainsItem type: +- key: CrossSiteTrackingPreventionRelaxedDomains + title: Cross-Site Tracking Prevention RelaxedDomains + supportedOS: + iOS: + introduced: '16.2' + supervised: true + allowmanualinstall: false + userenrollment: + mode: forbidden + macOS: + introduced: '13.1' + allowmanualinstall: false + type: + presence: optional + content: An array of up to 10 strings. URLs matching the patterns listed here will + have relaxed enforcement of cross-site tracking prevention. + subkeys: + - key: CrossSiteTrackingPreventionRelaxedDomainItem + type: diff --git a/mdm/profiles/com.apple.extensiblesso(kerberos).yaml b/mdm/profiles/com.apple.extensiblesso(kerberos).yaml index cd081eb..7d338c1 100644 --- a/mdm/profiles/com.apple.extensiblesso(kerberos).yaml +++ b/mdm/profiles/com.apple.extensiblesso(kerberos).yaml @@ -333,7 +333,7 @@ payloadkeys: type: presence: optional content: |- - The ordered list of perferred Key Distribution Centers (KDCs) to use for Kerberos traffic. Use this if the servers are not discoverable via DNS. If the servers are specified, then they are used for both connectivity checks and attempted first for Kerberos traffic. If the servers do not respond, then the device falls back to DNS discovery. Each entry is formatted the same as it would be in a 'krb5.conf' file. Examples of entries are: + The ordered list of preferred Key Distribution Centers (KDCs) to use for Kerberos traffic. Use this if the servers are not discoverable via DNS. If the servers are specified, then they are used for both connectivity checks and attempted first for Kerberos traffic. If the servers do not respond, then the device falls back to DNS discovery. Each entry is formatted the same as it would be in a 'krb5.conf' file. Examples of entries are: * 'adserver1.example.com' * 'tcp/adserver1.example.com:88' * 'kkdcp://kerberosproxy.example.com:443/kkdcp' diff --git a/mdm/profiles/com.apple.finder.yaml b/mdm/profiles/com.apple.finder.yaml index b9f9552..d918216 100644 --- a/mdm/profiles/com.apple.finder.yaml +++ b/mdm/profiles/com.apple.finder.yaml @@ -47,7 +47,7 @@ payloadkeys: type: presence: optional default: true - content: If set to false, extneral hard drives will not appear on the desktop. + content: If set to false, external hard drives will not appear on the desktop. - key: ShowHardDrivesOnDesktop type: presence: optional diff --git a/mdm/profiles/com.apple.font.yaml b/mdm/profiles/com.apple.font.yaml index 2d1b40f..b9162e2 100644 --- a/mdm/profiles/com.apple.font.yaml +++ b/mdm/profiles/com.apple.font.yaml @@ -22,7 +22,7 @@ payload: mode: allowed content: |- Each payload may contain one font file. Font files may be in TrueType (.ttf) or OpenType (.otf) file format. Collection types (.ttc or .otc) formats are not supported. - Fonts are uniqued internally by their embedded PostScript name. Two fonts with the same PostScript name will be considered the same font, even if their contents differ. Installing two different fonts with the same PostScript name is not supported, and it is undefined which font will remain installed. + Fonts are uniquely identified internally by their embedded PostScript name. Two fonts with the same PostScript name will be considered the same font, even if their contents differ. Installing two different fonts with the same PostScript name is not supported, and it is undefined which font will remain installed. payloadkeys: - key: Name title: Font Name diff --git a/mdm/profiles/com.apple.jabber.account.yaml b/mdm/profiles/com.apple.jabber.account.yaml index 3ca1788..ad6a0f8 100644 --- a/mdm/profiles/com.apple.jabber.account.yaml +++ b/mdm/profiles/com.apple.jabber.account.yaml @@ -53,7 +53,7 @@ payloadkeys: default: 5222 content: The server's port. - key: JabberAuthentication - title: Jabber Authentification + title: Jabber Authentication type: presence: required rangelist: diff --git a/mdm/profiles/com.apple.mail.managed.yaml b/mdm/profiles/com.apple.mail.managed.yaml index d6fe55f..ca6a94a 100644 --- a/mdm/profiles/com.apple.mail.managed.yaml +++ b/mdm/profiles/com.apple.mail.managed.yaml @@ -51,7 +51,7 @@ payloadkeys: the payload, the device prompts for this string during interactive profile installation in Settings or System Preferences. - key: IncomingMailServerAuthentication - title: Incoming Mail Server Authentification + title: Incoming Mail Server Authentication type: presence: required rangelist: diff --git a/mdm/profiles/com.apple.proxy.http.global.yaml b/mdm/profiles/com.apple.proxy.http.global.yaml index 0abe10b..aad59c3 100644 --- a/mdm/profiles/com.apple.proxy.http.global.yaml +++ b/mdm/profiles/com.apple.proxy.http.global.yaml @@ -43,7 +43,7 @@ payloadkeys: - key: ProxyServer title: Proxy Server type: - subtype: hostname + subtype: presence: required content: The proxy server's network address. - key: ProxyServerPort diff --git a/mdm/profiles/com.apple.security.acme.yaml b/mdm/profiles/com.apple.security.acme.yaml index b7c0d7f..b101f3b 100644 --- a/mdm/profiles/com.apple.security.acme.yaml +++ b/mdm/profiles/com.apple.security.acme.yaml @@ -14,6 +14,15 @@ payload: userchannel: false userenrollment: mode: allowed + macOS: + introduced: '13.1' + devicechannel: true + userchannel: true + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: allowed tvOS: introduced: '16.0' supervised: false @@ -68,6 +77,7 @@ payloadkeys: If 'false', the private key isn't bound to the device. If 'true', the private key is bound to the device. The Secure Enclave generates the key pair, and the private key is cryptographically entangled with a system key. This prevents the system from exporting the private key. If 'true', 'KeyType' must be 'ECSECPrimeRandom' and 'KeySize' must be 256 or 384. + On macOS, this key is required but must have a value of 'false'. - key: Subject title: Subject type: @@ -148,3 +158,26 @@ payloadkeys: content: |- If 'true', the device provides attestations describing the device and the generated key to the ACME server. The server can use the attestations as strong evidence that the key is bound to the device, and that the device has properties listed in the attestation. The server can use that as part of a trust score to decide whether to issue the requested certificate. When 'Attest' is 'true', 'HardwareBound' must also be 'true'. + On macOS, this key, if present, must have a value of 'false'. +- key: KeyIsExtractable + supportedOS: + iOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: Whether the private key of the identity obtained via SCEP should be tagged + as "non-extractable" in the keychain. +- key: AllowAllAppsAccess + title: Allow All Apps Access + supportedOS: + iOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: If true, all apps have access to the private key. diff --git a/mdm/profiles/com.apple.servicemanagement.yaml b/mdm/profiles/com.apple.servicemanagement.yaml index 4970d66..f714070 100644 --- a/mdm/profiles/com.apple.servicemanagement.yaml +++ b/mdm/profiles/com.apple.servicemanagement.yaml @@ -38,7 +38,7 @@ payloadkeys: - Label - LabelPrefix - TeamIdentifier - content: The type of comparision to make. + content: The type of comparison to make. - key: RuleValue title: Rule Value type: @@ -50,3 +50,9 @@ payloadkeys: type: presence: optional content: An optional description of the rule. + - key: TeamIdentifier + title: Team Identifier + type: + presence: optional + content: An additional constraint to limit the scope of the rule that is tested + after matching the RuleType/RuleValue. diff --git a/mdm/profiles/com.apple.syspolicy.kernel-extension-policy.yaml b/mdm/profiles/com.apple.syspolicy.kernel-extension-policy.yaml index cca6117..ee5ea66 100644 --- a/mdm/profiles/com.apple.syspolicy.kernel-extension-policy.yaml +++ b/mdm/profiles/com.apple.syspolicy.kernel-extension-policy.yaml @@ -51,7 +51,7 @@ payloadkeys: - key: ANY type: presence: optional - content: The kernal extension data. + content: The kernel extension data. subkeys: - key: AllowedKernelExtensionsItems type: diff --git a/mdm/profiles/com.apple.vpn.managed.applayer.yaml b/mdm/profiles/com.apple.vpn.managed.applayer.yaml index f106b81..a63a783 100644 --- a/mdm/profiles/com.apple.vpn.managed.applayer.yaml +++ b/mdm/profiles/com.apple.vpn.managed.applayer.yaml @@ -149,19 +149,3 @@ payloadkeys: type: presence: required content: An SMB domain. -- key: VPN - title: VPN - type: - presence: optional - content: A dictionary with additional VPN settings. - subkeys: - - key: ProviderType - type: - presence: optional - rangelist: - - packet-tunnel - - app-proxy - default: app-proxy - content: The type of VPN service. If it is 'app-proxy', the service will tunnel - traffic at the application level. If it is 'packet-tunnel', the service will - tunnel traffic at the IP layer. diff --git a/mdm/profiles/com.apple.vpn.managed.yaml b/mdm/profiles/com.apple.vpn.managed.yaml index e414b02..ea404d0 100644 --- a/mdm/profiles/com.apple.vpn.managed.yaml +++ b/mdm/profiles/com.apple.vpn.managed.yaml @@ -739,6 +739,36 @@ payloadkeys: type: presence: optional content: The password used for authentication. + - key: OnDemandEnabled + title: Enable VPN On Demand + type: + presence: optional + rangelist: + - 0 + - 1 + default: 0 + content: If 1, VPN is brought up on demand. + - key: OnDemandUserOverrideDisabled + title: Prevent users from toggling VPN On Demand + supportedOS: + iOS: + introduced: '14.0' + macOS: + introduced: n/a + type: + presence: optional + rangelist: + - 0 + - 1 + default: 0 + content: If 1, the Connect On Demand toggle in Settings is disabled for this configuration. + - key: OnDemandRules + title: On Demand Rules + type: + presence: optional + content: Determines when and how an OnDemand VPN should be used. + subkeytype: OnDemandRulesElement + subkeys: *id004 - key: DeadPeerDetectionRate title: Dead Peer Detection Rate type: diff --git a/mdm/profiles/com.apple.webClip.managed.yaml b/mdm/profiles/com.apple.webClip.managed.yaml index ad25aa2..40496c4 100644 --- a/mdm/profiles/com.apple.webClip.managed.yaml +++ b/mdm/profiles/com.apple.webClip.managed.yaml @@ -44,7 +44,7 @@ payloadkeys: - key: URL title: URL type: - subtype: url + subtype: presence: required content: The URL that the web clip should open when clicked. If the URL doesn't begin with 'HTTP' or 'HTTPS', it doesn't work. diff --git a/mdm/profiles/com.apple.webcontent-filter.yaml b/mdm/profiles/com.apple.webcontent-filter.yaml index 65df872..6ee325e 100644 --- a/mdm/profiles/com.apple.webcontent-filter.yaml +++ b/mdm/profiles/com.apple.webcontent-filter.yaml @@ -197,14 +197,16 @@ payloadkeys: introduced: n/a type: presence: optional - default: true - content: If 'true', enables the filtering of WebKit traffic. + default: false + content: If 'true', enables the filtering of WebKit traffic. Either 'FilterBrowsers' + or 'FilterSockets' must be 'true'. - key: FilterSockets title: FilterSockets type: presence: optional - default: true - content: If 'true', enables the filtering of socket traffic. + default: false + content: If 'true', enables the filtering of socket traffic. Either 'FilterBrowsers' + or 'FilterSockets' must be 'true'. - key: FilterDataProviderDesignatedRequirement title: Filter Data Provider Designated Requirement supportedOS: @@ -238,11 +240,11 @@ payloadkeys: introduced: '10.15' type: presence: optional - default: true + default: false content: |- If this value is 'true', the property enables the filtering of network packets. - Either 'FilterPackets' or 'FilterSockets' must be 'true' for the filter to have an effect. - You can use this when 'FilterType' is 'Plugin'. + Either 'FilterPackets' or 'FilterSockets' must be 'true'. + You can only use this when 'FilterType' is 'Plugin'. Available in macOS 10.15 and later. - key: FilterPacketProviderDesignatedRequirement title: Filter Packet Provider Designated Requirement diff --git a/other/manifesturl.yaml b/other/manifesturl.yaml index 78ec1ea..756bb86 100644 --- a/other/manifesturl.yaml +++ b/other/manifesturl.yaml @@ -107,7 +107,7 @@ payloadkeys: presence: required content: Must be a string with a length greater than one character. (internal only can not be the bundle identifier of a system application. Must be a - profile validated application if the bundle identifer matches that of an + profile validated application if the bundle identifier matches that of an existing application) - key: bundle-version title: The bundle version diff --git a/other/skipkeys.yaml b/other/skipkeys.yaml index cba4ec9..a77b107 100644 --- a/other/skipkeys.yaml +++ b/other/skipkeys.yaml @@ -401,19 +401,6 @@ payloadkeys: presence: optional content: 'Skips the “Where is this Apple TV?” screen in tvOS. Availability: tvOS 11.4+.' -- key: UnlockWithWatch - title: Skips Unlock with Apple Watch pane - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '12.0' - tvOS: - introduced: n/a - type: - presence: optional - content: 'Skips Unlock Your Mac with your Apple Watch pane. Availability: macOS - 12+.' - key: UpdateCompleted title: Skips Software Update Complete pane supportedOS: