CalvinBackup/apple_device-management
1
0
Fork 0
mirror of https://github.com/apple/device-management.git synced 2026-02-12 12:52:53 +00:00
Code Issues Packages Projects Releases Wiki Activity

Release_iOS-17-1_macOS-14-1

Browse Source
This commit is contained in:
Cyrus Daboo
2023-11-03 16:30:20 -04:00
parent 72c2a0a69f
commit f44981aed0
19 changed files with 232 additions and 124 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
LICENSE.txt
View File

@@ -1,4 +1,4 @@
Copyright © 2022 Apple Inc.
Copyright © 2022-2023 Apple Inc.
Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the

8
README.md
View File

@@ -8,10 +8,10 @@ This release corresponds to the following OS versions
| OS | Version |
|---------|---------|
| iOS | 17.0 |
| macOS | 14.0 |
| tvOS | 17.0 |
| watchOS | 10.0 |
| iOS | 17.1 |
| macOS | 14.1 |
| tvOS | 17.1 |
| watchOS | 10.1 |
## What's Available

14
declarative/status/device.power.battery-health.yaml
View File

@@ -31,10 +31,10 @@ payloadkeys:
- unknown
- unsupported
content: |-
The battery health status:
* non-genuine - the battery is not a genuine Apple battery
* normal - the battery is operating normally
* service-recommended - battery service is recommended
* unknown - battery health information could not be determined
* unsupported - battery health reporting is not supported on the device
Only supported on iPhones. iPads will return "unsupported".
The battery health status, which has the following values:
* 'non-genuine' - the battery isn't a genuine Apple battery.
* 'normal' - the battery is operating normally.
* 'service-recommended' - the system recommends battery service.
* 'unknown' - the system couldn't determine battery health information.
* 'unsupported' - the device doesn't support battery health reporting.
This field is available in iOS 17 and later on iPhone only. iPad returns 'unsupported'.

58
declarative/status/screensharing.connection.group.unresolved-connection.yaml Normal file
View File

@@ -0,0 +1,58 @@
title: Status Screen Sharing Connection Group Unresolved Connections
description: Information about connection groups which have member connection references
which could not be resolved.
payload:
statusitemtype: screensharing.connection.group.unresolved-connection
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '14.1'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: screensharing.connection.group.unresolved-connection
title: Connection Groups status
type: <array>
presence: required
content: Status value.
subkeytype: UnresolvedGroup
subkeys:
- key: unresolved_group
type: <dictionary>
subkeys:
- key: identifier
title: Unique identifier of the connection group.
type: <string>
presence: required
content: The unique identifier (i.e., ConnectionGroupUUID) of the connection
group.
- key: _removed
title: Indicates removal of the unresolved connection group.
type: <boolean>
presence: optional
default: false
content: To indicate removal of an unresolved connection group, this key's value
is set to true, and only this key and the "identifier" key will be present
in the status item object.
- key: unresolved_connections
title: Unique identifiers of unresolved connections.
type: <array>
presence: optional
content: An array of ConnectionUUID values (as specifed by the 'Members' key
in the group's declaration) which were not resolved.
subkeys:
- key: ConnectionUUID
title: Connection Unique Identifier
type: <string>
content: The unique identifier (i.e., ConnectionUUID) of a connection which
could not be resolved.

8
mdm/commands/application.install.yaml
View File

@@ -51,7 +51,9 @@ payloadkeys:
introduced: '7.0'
type: <string>
presence: optional
content: The app's bundle identifier.
content: |-
The app's bundle identifier.
For a watchOS app, the identifier needs to be the watch's bundle identifier, which differs from the main bundle identifier for the iPhone to which the watch is paired. Obtain the watch's bundle identifier for an app with a watch bundle, in the 'watchBundleId' key that's part of the Content Metadata query. For more information on this query, see Getting App and Book Information (Legacy).
- key: Options
supportedOS:
iOS:
@@ -285,7 +287,9 @@ responsekeys:
- key: Identifier
type: <string>
presence: optional
content: The app's bundle identifier, if the user accepted the request.
content: |-
The app's bundle identifier, if the user accepted the request.
For a watchOS app, the identifier is the watch's bundle identifier, which differs from the main bundle identifier for the iPhone to which the watch is paired.
- key: State
type: <string>
presence: optional

13
mdm/commands/application.installed.list.yaml
View File

@@ -40,9 +40,9 @@ payloadkeys:
introduced: '10.15'
type: <array>
presence: optional
content: An array of app identifiers. Provide this value to limit the response to
only include these apps. This value is available in iOS 7 and later, macOS 10.15
and later, and tvOS 10.2 and later.
content: |-
An array of app identifiers. Provide this value to limit the response to only include these apps. This value is available in iOS 7 and later, macOS 10.15 and later, and tvOS 10.2 and later.
For a watchOS app, the identifier needs to be the watch's bundle identifier, which differs from the main bundle identifier for the iPhone to which the watch is paired. Obtain the watch's bundle identifier for an app with a watch bundle, in the 'watchBundleId' key that's part of the Content Metadata query. For more information on this query, see Getting App and Book Information (Legacy).
subkeys:
- key: IdentifiersItem
type: <string>
@@ -103,8 +103,9 @@ responsekeys:
- key: Identifier
type: <string>
presence: optional
content: The app's identifier. This key will always be present on iOS/tvOS but
may be missing on macOS.
content: |-
The app's identifier. This key is always be present on iOS and tvOS, but may be missing on macOS.
For a watchOS app, the identifier is the watch's bundle identifier, which differs from the main bundle identifier for the iPhone to which the watch is paired.
- key: ExternalVersionIdentifier
supportedOS:
iOS:
@@ -117,7 +118,7 @@ responsekeys:
presence: optional
content: |-
The app's external version identifier, which you can use in the iTunes Search API to determine if an updated version of the app is available. Compare this value to the 'externalId' value in the 'contentMetadataLookupUrl' response from the 'VPPServiceConfigSrv' endpoint. If these values don't match, an updated version of the app may be available.
A newer version of an app may not be available for installation on the device for a variety of reasons, including that the device's operating system version or hardware is incompatible with the available version of the app.
A newer version of an app might not be available for installation on the device for a variety of reasons. A common reason is that the device's operating system version or hardware is incompatible with the available version of the app.
- key: Version
type: <string>
presence: optional

4
mdm/commands/application.managed.list.yaml
View File

@@ -43,7 +43,9 @@ payloadkeys:
introduced: '7.0'
type: <array>
presence: optional
content: The bundle identifiers of the managed apps to include in the response.
content: |-
The bundle identifiers of the managed apps to include in the response.
For a watchOS app, the identifier needs to be the watch's bundle identifier, which differs from the main bundle identifier for the iPhone to which the watch is paired. Obtain the watch's bundle identifier for an app with a watch bundle, in the 'watchBundleId' key that's part of the Content Metadata query. For more information on this query, see Getting App and Book Information (Legacy).
subkeys:
- key: IdentifiersItem
type: <string>

4
mdm/commands/application.remove.yaml
View File

@@ -34,4 +34,6 @@ payloadkeys:
- key: Identifier
type: <string>
presence: required
content: The bundle identifier of the managed app.
content: |-
The bundle identifier of the managed app.
For a watchOS app, the identifier needs to be the watch's bundle identifier, which differs from the main bundle identifier for the iPhone to which the watch is paired. Obtain the watch's bundle identifier for an app with a watch bundle, in the 'watchBundleId' key that's part of the Content Metadata query. For more information on this query, see Getting App and Book Information (Legacy).

8
mdm/commands/managed.application.attributes.yaml
View File

@@ -29,7 +29,9 @@ payloadkeys:
- key: Identifiers
type: <array>
presence: required
content: The bundle identifiers of the managed apps.
content: |-
The bundle identifiers of the managed apps.
For a watchOS app, the identifier needs to be the watch's bundle identifier, which differs from the main bundle identifier for the iPhone to which the watch is paired. Obtain the watch's bundle identifier for an app with a watch bundle, in the 'watchBundleId' key that's part of the Content Metadata query. For more information on this query, see Getting App and Book Information (Legacy).
subkeys:
- key: IdentifiersItem
type: <string>
@@ -45,7 +47,9 @@ responsekeys:
- key: Identifier
type: <string>
presence: required
content: The app's bundle identifier.
content: |-
The app's bundle identifier.
For a watchOS app, the identifier is the watch's bundle identifier, which differs from the main bundle identifier for the iPhone to which the watch is paired.
- key: Attributes
type: <dictionary>
presence: optional

8
mdm/commands/managed.application.configuration.yaml
View File

@@ -40,7 +40,9 @@ payloadkeys:
- key: Identifiers
type: <array>
presence: required
content: The bundle identifiers of the managed apps.
content: |-
The bundle identifiers of the managed apps.
For a watchOS app, the identifier needs to be the watch's bundle identifier, which differs from the main bundle identifier for the iPhone to which the watch is paired. Obtain the watch's bundle identifier for an app with a watch bundle, in the 'watchBundleId' key that's part of the Content Metadata query. For more information on this query, see Getting App and Book Information (Legacy).
subkeys:
- key: IdentifiersItem
type: <string>
@@ -56,7 +58,9 @@ responsekeys:
- key: Identifier
type: <string>
presence: required
content: The app's bundle identifier.
content: |-
The app's bundle identifier.
For a watchOS app, the identifier is the watch's bundle identifier, which differs from the main bundle identifier for the iPhone to which the watch is paired.
- key: Configuration
type: <dictionary>
presence: optional

20
mdm/commands/settings.yaml
View File

@@ -59,7 +59,9 @@ payloadkeys:
type: <dictionary>
presence: optional
content: A dictionary that contains wallpaper settings. This setting doesn't support
User Enrollment, and is available in iOS 8 and later.
User Enrollment, and is available in iOS 8 and later. Starting from iOS 16.0
& iPadOS 17.0, when the wallpaper is set for the first time, both location will
be updated. After that either location can be set separately.
subkeys:
- key: Item
type: <string>
@@ -252,7 +254,9 @@ payloadkeys:
- key: Identifier
type: <string>
presence: required
content: The bundle identifier of the managed app.
content: |-
The bundle identifier of the managed app.
For a watchOS app, the identifier needs to be the watch's bundle identifier, which differs from the main bundle identifier for the iPhone to which the watch is paired. Obtain the watch's bundle identifier for an app with a watch bundle, in the 'watchBundleId' key that's part of the Content Metadata query. For more information on this query, see Getting App and Book Information (Legacy).
- key: Configuration
type: <dictionary>
presence: optional
@@ -294,7 +298,9 @@ payloadkeys:
- key: Identifier
type: <string>
presence: required
content: The bundle identifier of the app.
content: |-
The bundle identifier of the app.
For a watchOS app, the identifier needs to be the watch's bundle identifier, which differs from the main bundle identifier for the iPhone to which the watch is paired. Obtain the watch's bundle identifier for an app with a watch bundle, in the 'watchBundleId' key that's part of the Content Metadata query. For more information on this query, see Getting App and Book Information (Legacy).
- key: Attributes
type: <dictionary>
presence: optional
@@ -716,7 +722,7 @@ payloadkeys:
presence: optional
content: |-
A list of domains that the Shared iPad login screen displays. The user can pick a domain from the list to complete their Managed Apple ID.
If this list contains more than 3 domains, the system picks 3 at random for display.Available in iOS 16 and later.
If this list contains more than 3 domains, the system picks 3 at random for display. Available in iOS 16 and later.
subkeys:
- key: AppleID domain
type: <string>
@@ -794,7 +800,7 @@ payloadkeys:
type: <integer>
presence: optional
content: Sets the user preference for the amount of time (in seconds) before
a device goes to sleep after being idle. The mininum value for this setting
a device goes to sleep after being idle. The minimum value for this setting
is 120 seconds. This setting can only be applied on Shared iPad.
- key: DiagnosticSubmission
supportedOS:
@@ -1116,4 +1122,6 @@ responsekeys:
introduced: '10.2'
type: <string>
presence: optional
content: The app identifier to which this error applies.
content: |-
The app identifier to which this error applies.
For a watchOS app, the identifier is the watch's bundle identifier, which differs from the main bundle identifier for the iPhone to which the watch is paired.

6
mdm/commands/system.update.available.yaml
View File

@@ -72,14 +72,16 @@ responsekeys:
type: <string>
presence: required
content: A URL where the MDM server can request additional localized names for
this update. This value is available in macOS 10.11 and later.
this update. This key isn't present for certain updates, such as mobile software
updates (MSUs) or major OS updates. This value is available in macOS 10.11
and later.
- key: ProductName
supportedOS:
macOS:
introduced: n/a
type: <string>
presence: required
content: The product name; for example, iOS. This value is available in iOS
content: The product name; for example, iOS. This value is available in iOS
9.0 and later, and tvOS 12.0 and later.
- key: Version
type: <string>

5
mdm/commands/system.update.schedule.yaml
View File

@@ -57,8 +57,9 @@ payloadkeys:
type: <string>
presence: optional
content: The version of the update, which the system requires if 'ProductKey'
isn't present. This value is available in iOS 11.3 and later, macOS 12 and
later, and tvOS 12.2 and later.
isn't present. Rapid Security Response updates are not able to be installed
using this command. This value is available in iOS 11.3 and later, macOS 12
and later, and tvOS 12.2 and later.
- key: InstallAction
type: <string>
presence: required

5
mdm/commands/system.update.status.yaml
View File

@@ -35,7 +35,8 @@ responsekeys:
type: <array>
presence: required
content: An array of dictionaries that describes the statuses of software updates.
If an activated declaration of configuration.softwareupdate.enforcement.specific
The array is empty if there are no software updates currently in progress. If
an activated declaration of configuration.softwareupdate.enforcement.specific
is present on a Mac, OSUpdateStatus will only return non OS update statuses.
subkeys:
- key: OSUpdateStatusItem
@@ -61,7 +62,7 @@ responsekeys:
content: |-
The status of the update, which is one of the following values:
* 'Idle': The update is idle.
* 'Downloading': The software update is downloading.
* 'Downloading': The software update is downloading and subsequently preparing.
* 'Installing': The software update is installing.
- key: MaxDeferrals
supportedOS:

42
mdm/profiles/com.apple.MCX.FileVault2.yaml
View File

@@ -22,14 +22,18 @@ payloadkeys:
rangelist:
- 'On'
- 'Off'
content: If 'true', enables FileVault.
content: Set to 'On' to enable FileVault and set to 'Off' to disable FileVault.
Payloads set to 'On' sent through MDM need to either include full authentication
information in the payload or have the 'Defer' option set to 'true'. When 'Defer'
is 'true', the system prompts for the authentication information when the user
enables FileVault.
- key: Defer
type: <boolean>
presence: optional
default: false
content: If 'true', defers enabling FileVault until the designated user logs out.
For details, see 'fdesetup(8)'. The person enabling FileVault must be either a
local user or a mobile account user.
For details, see 'fdesetup(8)'. Only a local user or a mobile account user can
enable FileVault.
- key: UserEntersMissingInfo
type: <boolean>
presence: optional
@@ -45,16 +49,16 @@ payloadkeys:
presence: optional
default: true
content: If 'false', prevents display of the personal recovery key to the user after
FileVault is enabled.
the system enables FileVault.
- key: OutputPath
type: <string>
presence: optional
content: The path to the location where the recovery key and computer information
property list are stored.
content: The path to the location of the recovery key and computer information property
list.
- key: Certificate
type: <data>
presence: optional
content: The DER-encoded certificate data if 'UseRecoveryKey' is enabled.
content: The DER-encoded certificate data if 'UseRecoveryKey' is 'true'.
- key: PayloadCertificateUUID
type: <string>
presence: optional
@@ -63,19 +67,19 @@ payloadkeys:
- key: Username
type: <string>
presence: optional
content: The user name of the Open Directory user to be added to FileVault.
content: The user name of the Open Directory user to add to FileVault.
- key: Password
type: <string>
presence: optional
content: The password of the Open Directory user to be added to FileVault. Use the
'UserEntersMissingInfo' key if you want to prompt for this information.
content: The password of the Open Directory user to add to FileVault. Use the 'UserEntersMissingInfo'
key to prompt for this information.
- key: UseKeychain
type: <boolean>
presence: optional
default: false
content: If 'true' and no certificate information is provided in this payload, the
keychain created at '/Library/Keychains/FileVaultMaster.keychain' is used when
the institutional recovery key is added.
content: If 'true' and you don't include certificate information in this payload,
the system uses the keychain created at '/Library/Keychains/FileVaultMaster.keychain'
when it adds the institutional recovery key.
- key: DeferForceAtUserLoginMaxBypassAttempts
type: <integer>
presence: optional
@@ -83,9 +87,9 @@ payloadkeys:
min: -1
max: 9999
content: The maximum number of times users can bypass enabling FileVault before
being required to enable it to log in. If the value is '0', the user will be required
to enabled FileVault the next time they attempt to log in. Setting this key to
'1' disables the feature.
the system requires the user to enable it to log in. If the value is '0', the
system requires the user to enable FileVault the next time they attempt to log
in. Set this key to '1' to disable this feature.
- key: DeferDontAskAtUserLogout
supportedOS:
macOS:
@@ -93,7 +97,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', prevents requests for enabling FileVault at user logout time.
content: If 'true', prevents requests to enable FileVault at user logout time.
- key: ForceEnableInSetupAssistant
supportedOS:
macOS:
@@ -104,5 +108,5 @@ payloadkeys:
presence: optional
default: false
content: |-
If 'true', and this payload is installed after enrolling with MDM in Setup Assistant, it requests Setup Assistant to enable FileVault at setup time.
To use this, enable the Await Device Configured DEP configuration option, send this profile with this key set, before sending the DeviceConfigured command. An admin SecureToken user is required, otherwise the FileVault pane does not appear.
If 'true', and installation of this payload occurs after enrolling with MDM in Setup Assistant, the system requests Setup Assistant to enable FileVault at setup time. In this case, the system also ignores all other keys in this payload, except for 'ShowRecoveryKey'.
To use this, enable the Await Device Configured DEP configuration option and send this profile with this key set, before sending the DeviceConfiguredCommand. An admin SecureToken user is required, otherwise the FileVault pane does not appear.

10
mdm/profiles/com.apple.SetupAssistant.managed.yaml
View File

@@ -137,3 +137,13 @@ payloadkeys:
presence: optional
default: false
content: If 'true', the system skips the Unlock With Apple Watch window.
- key: SkipWallpaper
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '14.1'
type: <boolean>
presence: optional
default: false
content: If 'true', the system skips the Wallpaper selection window.

118
mdm/profiles/com.apple.applicationaccess.yaml
View File

@@ -53,8 +53,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: |-
If 'false', disables account modification. Requires a supervised device.
content: If 'false', disables account modification. Requires a supervised device.
Available in iOS 7 and later, macOS 14 and later, and watchOS 10 and later.
- key: allowActivityContinuation
title: Allow Handoff
@@ -309,9 +308,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: |-
If 'false', prevents modifying the Remote Management Sharing setting in System Settings.
Available in macOS 14 and later.
content: If 'false', prevents modifying the Remote Management Sharing setting in
System Settings. Available in macOS 14 and later.
- key: allowAssistant
title: Allow Siri
supportedOS:
@@ -476,9 +474,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: |-
If 'false', prevents modifying Bluetooth setting in System Settings.
Available in macOS 14 and later.
content: If 'false', prevents modifying Bluetooth setting in System Settings. Available
in macOS 14 and later.
- key: allowBookstore
title: Allow Bookstore
supportedOS:
@@ -515,7 +512,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: If 'false', the user can't download Apple Books media that is tagged as
content: If 'false', the user can't download Apple Books media that's tagged as
erotica. Available in iOS 6 and later, and tvOS 11.3 and later. This restriction
will require supervision in a future release.
- key: allowCamera
@@ -708,9 +705,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: |-
If 'false', disallows iCloud Freeform services.
Available in macOS 14 and later.
content: If 'false', disallows iCloud Freeform services. Available in macOS 14 and
later.
- key: allowCloudKeychainSync
supportedOS:
iOS:
@@ -905,9 +901,9 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: |-
If 'false', prevents the user from changing the device name. Requires a supervised device.
Available in iOS 9 and later, macOS 14 and later, and tvOS 11.0 and later.
content: If 'false', prevents the user from changing the device name. Requires a
supervised device. Available in iOS 9 and later, macOS 14 and later, and tvOS
11.0 and later.
- key: allowDeviceSleep
title: Allow Device Sleep
supportedOS:
@@ -1135,8 +1131,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: |-
If 'false', prevents modifying File Sharing setting in System Settings.
content: If 'false', prevents modifying File Sharing setting in System Settings.
Available in macOS 14 and later.
- key: allowFilesNetworkDriveAccess
supportedOS:
@@ -1369,8 +1364,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: |-
If 'false', prevents modifying Internet Sharing setting in System Settings.
content: If 'false', prevents modifying Internet Sharing setting in System Settings.
Available in macOS 14 and later.
- key: allowiPhoneWidgetsOnMac
title: Allow iPhone widget on Mac
@@ -1391,9 +1385,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: |-
If 'false', disallows iPhone widgets on a Mac that has signed in the same AppleID for iCloud. Supervised only.
Available on iOS 17 and later.
content: If 'false', disallows iPhone widgets on a Mac that has signed in the same
Apple ID for iCloud. Supervised only. Available on iOS 17 and later.
- key: allowiTunes
title: Allow use of iTunes
supportedOS:
@@ -1491,9 +1484,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: |-
If 'false', prevents creating new users in System Settings.
Available in macOS 14 and later.
content: If 'false', prevents creating new users in System Settings. Available in
macOS 14 and later.
- key: allowLockScreenControlCenter
supportedOS:
iOS:
@@ -1904,7 +1896,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: If 'false', disables Photo Stream. Available in iOS 5 and later.
content: If 'false', disables Photo Stream. Available in iOS 5 and later. This restriction
is deprecated and will be removed in a future release.
- key: allowPodcasts
supportedOS:
iOS:
@@ -1958,8 +1951,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: |-
If 'false', prevents modifying Printer Sharing setting in System Settings.
content: If 'false', prevents modifying Printer Sharing setting in System Settings.
Available in macOS 14 and later.
- key: allowProximitySetupToNewDevice
supportedOS:
@@ -2017,7 +2009,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: If 'false', prohibits installation of rapid security responses.
content: If 'false', prohibits installation of rapid security responses. Available
in iOS 16 and later and macOS 13 and later.
- key: allowRapidSecurityResponseRemoval
title: Allow Rapid Security Response Removal
supportedOS:
@@ -2037,7 +2030,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: If 'false', prohibits removal of rapid security responses.
content: If 'false', prohibits removal of rapid security responses. Available in
iOS 16 and later and macOS 13 and later.
- key: allowRemoteAppleEventsModification
title: Allow modifying Remote Apple Events Sharing setting
supportedOS:
@@ -2054,9 +2048,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: |-
If 'false', prevents modifying Remote Apple Events Sharing setting in System Settings.
Available in macOS 14 and later.
content: If 'false', prevents modifying Remote Apple Events Sharing setting in System
Settings. Available in macOS 14 and later.
- key: allowRemoteAppPairing
title: Allow pairing with Remote app
supportedOS:
@@ -2221,8 +2214,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: |-
If 'false', prevents modification of Startup Disk setting in System Settings.
content: If 'false', prevents modification of Startup Disk setting in System Settings.
Available in macOS 14 and later.
- key: allowSystemAppRemoval
supportedOS:
@@ -2258,8 +2250,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: |-
If 'false', prevents modification of Time Machine settings in System Settings.
content: If 'false', prevents modification of Time Machine settings in System Settings.
Available in macOS 14 and later.
- key: allowUIAppInstallation
title: Allow App Installation from App Store
@@ -2434,7 +2425,8 @@ payloadkeys:
presence: optional
default: true
content: If 'false', disables voice dialing if the device is locked with a passcode.
Available in iOS 4 and later.
Available in iOS 4 and later. This restriction is deprecated and will be removed
in a future release.
- key: allowVPNCreation
title: Allow Adding VPN Configurations (Supervised devices only)
supportedOS:
@@ -2516,7 +2508,7 @@ payloadkeys:
introduced: n/a
type: <array>
presence: optional
content: Use blockedAppBundleIDs instead.
content: Use 'blockedAppBundleIDs' instead.
subkeys:
- key: appBlacklistedBundleID
title: Blacklisted App
@@ -2560,9 +2552,8 @@ payloadkeys:
type: <integer>
presence: optional
default: 172800
content: |-
The value, in seconds, after which the fingerprint unlock requires a password to authenticate. The default value is 48 hours.
Available in macOS 12 and later.
content: The value, in seconds, after which the fingerprint unlock requires a password
to authenticate. The default value is 48 hours. Available in macOS 12 and later.
- key: enforcedSoftwareUpdateDelay
supportedOS:
iOS:
@@ -2587,8 +2578,7 @@ payloadkeys:
default: 30
content: |-
Sets how many days to delay a software update on the device. With this restriction in place, the user doesn't see a software update until the specified number of days after the software update release date. This value is used by 'forceDelayedAppSoftwareUpdates' and 'forceDelayedSoftwareUpdates'.
Requires a supervised device in iOS and tvOS.
Available in iOS 11.3 and later, macOS 10.13.4 and later, and tvOS 12.2 and later.
Requires a supervised device in iOS and tvOS. Available in iOS 11.3 and later, macOS 10.13.4 and later, and tvOS 12.2 and later.
- key: enforcedSoftwareUpdateMajorOSDeferredInstallDelay
supportedOS:
iOS:
@@ -2607,8 +2597,10 @@ payloadkeys:
min: 1
max: 90
default: 30
content: |-
This restriction allows the admin to set how many days to delay a major software upgrade on the device. When this restriction is in place the user sees a software upgrade only after the specified delay after the release of the software upgrade. This value controls the delay for 'forceDelayedMajorSoftwareUpdates'.
content: This restriction allows the admin to set how many days to delay a major
software upgrade on the device. When this restriction is in place the user sees
a software upgrade only after the specified delay after the release of the software
upgrade. This value controls the delay for 'forceDelayedMajorSoftwareUpdates'.
Available in macOS 11.3 and later.
- key: enforcedSoftwareUpdateMinorOSDeferredInstallDelay
supportedOS:
@@ -2628,9 +2620,11 @@ payloadkeys:
min: 1
max: 90
default: 30
content: |-
This restriction allows the admin to set how many days to delay a minor OS software update on the device. When this restriction is in place the user see a software update only after the specified delay after the release of the software update. This value controls the delay for 'forceDelayedSoftwareUpdates'.
Available in macOS 11.3 and later.
content: This restriction allows the admin to set how many days to delay a minor
OS software update on the device. When this restriction is in place the user see
a software update only after the specified delay after the release of the software
update. This value controls the delay for 'forceDelayedSoftwareUpdates'. Available
in macOS 11.3 and later.
- key: enforcedSoftwareUpdateNonOSDeferredInstallDelay
supportedOS:
iOS:
@@ -2649,8 +2643,10 @@ payloadkeys:
min: 1
max: 90
default: 30
content: |-
This restriction allows the admin to set how many days to delay an app software update on the device. When this restriction is in place the user sees a non-OS software update only after the specified delay after the release of the software. This value controls the delay for 'forceDelayedAppSoftwareUpdates'.
content: This restriction allows the admin to set how many days to delay an app
software update on the device. When this restriction is in place the user sees
a non-OS software update only after the specified delay after the release of the
software. This value controls the delay for 'forceDelayedAppSoftwareUpdates'.
Available in macOS 11.3 and later.
- key: forceAirDropUnmanaged
title: Treat AirDrop as Unmanaged Destination
@@ -2907,9 +2903,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: |-
If set to true, delays user visibility of major upgrades to OS Software.
Available in macOS 11.3 and later.
content: If 'true', delays user visibility of major upgrades to OS Software. Available
in macOS 11.3 and later.
- key: forceDelayedSoftwareUpdates
supportedOS:
iOS:
@@ -2967,7 +2962,8 @@ payloadkeys:
presence: optional
default: false
content: If 'true', forces the user to enter their iTunes password for each transaction.
Available in iOS 6 and later.
Available in iOS 6 and later. This restriction is deprecated and will be removed
in a future release.
- key: forceLimitAdTracking
supportedOS:
iOS:
@@ -2983,9 +2979,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: |-
If 'true', limits ad tracking. Additionally, it disables app tracking and the Allow Apps To Request To Track setting.
Available in iOS 7 and later.
content: If 'true', limits ad tracking. Additionally, it disables app tracking and
the Allow Apps To Request To Track setting. Available in iOS 7 and later.
- key: forceOnDeviceOnlyDictation
supportedOS:
iOS:
@@ -3064,7 +3059,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', limits device to only join Wi-Fi networks set-up via configuration
content: If 'true', limits device to only join Wi-Fi networks set up through a configuration
profile. Requires a supervised device. Available in iOS 14.5 and later.
- key: forceWiFiWhitelisting
title: Only join Wi-Fi networks installed by profiles
@@ -3106,6 +3101,7 @@ payloadkeys:
default: 1000
content: |-
The maximum level of app content allowed on the device. Available in iOS 4 and later, and tvOS 11.3 and later.
Pre-installed (1st party) apps ignore this restriction.
Possible values (with the US description of the rating level):
* 1000: All
* 600: 17+
@@ -3184,9 +3180,7 @@ payloadkeys:
default: 1000
content: |-
The maximum level of TV content allowed on the device. Available in iOS 4 and later, and tvOS 11.3 and later.
Possible values (with the US description of the rating level):
Possible values (with the US description of the rating level)
* 1000: All
* 600: TV-MA
* 500: TV-14

4
mdm/profiles/com.apple.vpn.managed.yaml
View File

@@ -44,7 +44,7 @@ payloadkeys:
content: |-
The type of the VPN, which defines which settings are appropriate for this VPN payload.
If the type is 'VPN' or 'TransparentProxy', then the system requires a value for 'VPNSubType'.
'TransparentProxy' is only available in macOS. 'L2TP' and 'IPSec' aren't available in tvOS. 'AlwaysOn' is only available on iOS and Apple Watch pairing isn't supported with 'AlwaysOn'. For a previously paired Apple Watch, all phone-watch communications cease when 'AlwaysOn' is enabled.
'TransparentProxy' is only available in macOS. 'L2TP' and 'IPSec' aren't available in tvOS. 'AlwaysOn' is only available on iOS and Apple Watch pairing isn't supported with 'AlwaysOn'. For a previously paired Apple Watch, all phone-watch communications cease when 'AlwaysOn' is enabled. Not available in watchOS.
- key: VPNSubType
title: VPN Subtype
type: <string>
@@ -175,7 +175,7 @@ payloadkeys:
- 1
default: 0
content: |-
If 1, then all network traffic will be routed through the VPN, with some exclusions. Several of the exclusions can be controlled with the ExcludeLocalNetworks, ExcludeCellularServices, and ExcludeAPNs properties. See the documentation for those properties. The following traffic is always excluded from the tunnel.
If '1', routes all traffic through the VPN, with some exclusions. Several of the exclusions can be controlled with the ExcludeLocalNetworks, ExcludeCellularServices, and ExcludeAPNs properties. See the documentation for those properties. The following traffic is always excluded from the tunnel. Not available in watchOS.
* Traffic necessary for connecting and maintaining the device's network connection, such as DHCP.
* Traffic necessary for connecting to captive networks.

19
other/skipkeys.yaml
View File

@@ -126,15 +126,15 @@ payloadkeys:
title: Skips Enable Lockdown Mode
supportedOS:
iOS:
introduced: n/a
introduced: '17.1'
macOS:
introduced: '14.0'
tvOS:
introduced: n/a
type: <string>
presence: optional
content: If the key is included in the SkipSetup array the Lockdown Mode pane will
be skipped if an Apple ID/iCloud account is set up.
content: The key to skip the Lockdown Mode pane if an Apple ID is set up. Available
in macOS 14 and later, and iOS 17.1 and later.
- key: FileVault
title: Skip configuration of FileVault
supportedOS:
@@ -454,6 +454,19 @@ payloadkeys:
presence: optional
content: The key to skip the Software Update Complete pane. This field is available
in iOS 14 and later.
- key: Wallpaper
title: Skips Wallpaper selection
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '14.1'
tvOS:
introduced: n/a
type: <string>
presence: optional
content: If the key is included in the SkipSetup array the Wallpaper pane will be
skipped.
- key: WatchMigration
title: Skip watch migration
supportedOS: