Release_iOS-17-1_macOS-14-1

Cyrus Daboo
2023-11-03 16:30:20 -04:00
parent 72c2a0a69f
commit f44981aed0
19 changed files with 232 additions and 124 deletions
+23 -19
@@ -22,14 +22,18 @@ payloadkeys:
rangelist:
- 'On'
- 'Off'
content: If 'true', enables FileVault.
content: Set to 'On' to enable FileVault and set to 'Off' to disable FileVault.
Payloads set to 'On' sent through MDM need to either include full authentication
information in the payload or have the 'Defer' option set to 'true'. When 'Defer'
is 'true', the system prompts for the authentication information when the user
enables FileVault.
- key: Defer
type: <boolean>
presence: optional
default: false
content: If 'true', defers enabling FileVault until the designated user logs out.
For details, see 'fdesetup(8)'. The person enabling FileVault must be either a
local user or a mobile account user.
For details, see 'fdesetup(8)'. Only a local user or a mobile account user can
enable FileVault.
- key: UserEntersMissingInfo
type: <boolean>
presence: optional
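Review bot: The new 'Enable' description requires "full authentication information in the payload" but never says which keys that means. Name them explicitly (the 'Username' and 'Password' keys documented further down look like the intended ones) and say how 'UserEntersMissingInfo' fits in, since the 'Password' description offers it as a way to prompt while this text lists only 'Defer' as the alternative. The last new sentence also says the system prompts "when the user enables FileVault", while the 'Defer' description says enabling is deferred until the user logs out; the two should describe the same moment.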
@@ -45,16 +49,16 @@ payloadkeys:
presence: optional
default: true
content: If 'false', prevents display of the personal recovery key to the user after
FileVault is enabled.
the system enables FileVault.
- key: OutputPath
type: <string>
presence: optional
content: The path to the location where the recovery key and computer information
property list are stored.
content: The path to the location of the recovery key and computer information property
list.
- key: Certificate
type: <data>
presence: optional
content: The DER-encoded certificate data if 'UseRecoveryKey' is enabled.
content: The DER-encoded certificate data if 'UseRecoveryKey' is 'true'.
- key: PayloadCertificateUUID
type: <string>
presence: optional
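Review bot: The reworded 'OutputPath' description ("The path to the location of the recovery key and computer information property list") no longer says that the system writes the file there, so it can be read as an input path. Keep the active voice but keep the meaning, for example "The path where the system stores the recovery key and computer information property list." Because this file holds the recovery key, it would also help to state what the admin is expected to do with it afterwards.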
@@ -63,19 +67,19 @@ payloadkeys:
- key: Username
type: <string>
presence: optional
content: The user name of the Open Directory user to be added to FileVault.
content: The user name of the Open Directory user to add to FileVault.
- key: Password
type: <string>
presence: optional
content: The password of the Open Directory user to be added to FileVault. Use the
'UserEntersMissingInfo' key if you want to prompt for this information.
content: The password of the Open Directory user to add to FileVault. Use the 'UserEntersMissingInfo'
key to prompt for this information.
- key: UseKeychain
type: <boolean>
presence: optional
default: false
content: If 'true' and no certificate information is provided in this payload, the
keychain created at '/Library/Keychains/FileVaultMaster.keychain' is used when
the institutional recovery key is added.
content: If 'true' and you don't include certificate information in this payload,
the system uses the keychain created at '/Library/Keychains/FileVaultMaster.keychain'
when it adds the institutional recovery key.
- key: DeferForceAtUserLoginMaxBypassAttempts
type: <integer>
presence: optional
@@ -83,9 +87,9 @@ payloadkeys:
min: -1
max: 9999
content: The maximum number of times users can bypass enabling FileVault before
being required to enable it to log in. If the value is '0', the user will be required
to enabled FileVault the next time they attempt to log in. Setting this key to
'1' disables the feature.
the system requires the user to enable it to log in. If the value is '0', the
system requires the user to enable FileVault the next time they attempt to log
in. Set this key to '1' to disable this feature.
- key: DeferDontAskAtUserLogout
supportedOS:
macOS:
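Review bot: "Set this key to '1' to disable this feature" in the 'DeferForceAtUserLoginMaxBypassAttempts' description does not match the declared range. With 'min: -1' and '0' meaning "required at next login", a value of '1' reads as one allowed bypass, and '-1' looks like the intended sentinel. The old wording had the same value, so this rewrite is a good moment to confirm and correct it; an admin who follows the text as written gets a different enforcement behaviour than the one described.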
@@ -93,7 +97,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', prevents requests for enabling FileVault at user logout time.
content: If 'true', prevents requests to enable FileVault at user logout time.
- key: ForceEnableInSetupAssistant
supportedOS:
macOS:
@@ -104,5 +108,5 @@ payloadkeys:
presence: optional
default: false
content: |-
If 'true', and this payload is installed after enrolling with MDM in Setup Assistant, it requests Setup Assistant to enable FileVault at setup time.
To use this, enable the Await Device Configured DEP configuration option, send this profile with this key set, before sending the DeviceConfigured command. An admin SecureToken user is required, otherwise the FileVault pane does not appear.
If 'true', and installation of this payload occurs after enrolling with MDM in Setup Assistant, the system requests Setup Assistant to enable FileVault at setup time. In this case, the system also ignores all other keys in this payload, except for 'ShowRecoveryKey'.
To use this, enable the Await Device Configured DEP configuration option and send this profile with this key set, before sending the DeviceConfiguredCommand. An admin SecureToken user is required, otherwise the FileVault pane does not appear.
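Review bot: The second line changes "the DeviceConfigured command" to "the DeviceConfiguredCommand", which now reads like an identifier but is not quoted the way 'ShowRecoveryKey' is in the line above. Either quote it as the exact command name or keep the earlier prose form. The added sentence about ignoring all other keys except 'ShowRecoveryKey' is a behavioural statement rather than a wording fix; it deserves a mention in the commit description and, ideally, a note on the keys it overrides ('Defer', 'Username', 'Password') so that readers of those entries see it too.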
@@ -137,3 +137,13 @@ payloadkeys:
presence: optional
default: false
content: If 'true', the system skips the Unlock With Apple Watch window.
- key: SkipWallpaper
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '14.1'
type: <boolean>
presence: optional
default: false
content: If 'true', the system skips the Wallpaper selection window.
+56 -62
@@ -53,8 +53,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: |-
If 'false', disables account modification. Requires a supervised device.
content: If 'false', disables account modification. Requires a supervised device.
Available in iOS 7 and later, macOS 14 and later, and watchOS 10 and later.
- key: allowActivityContinuation
title: Allow Handoff
@@ -309,9 +308,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: |-
If 'false', prevents modifying the Remote Management Sharing setting in System Settings.
Available in macOS 14 and later.
content: If 'false', prevents modifying the Remote Management Sharing setting in
System Settings. Available in macOS 14 and later.
- key: allowAssistant
title: Allow Siri
supportedOS:
@@ -476,9 +474,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: |-
If 'false', prevents modifying Bluetooth setting in System Settings.
Available in macOS 14 and later.
content: If 'false', prevents modifying Bluetooth setting in System Settings. Available
in macOS 14 and later.
- key: allowBookstore
title: Allow Bookstore
supportedOS:
@@ -515,7 +512,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: If 'false', the user can't download Apple Books media that is tagged as
content: If 'false', the user can't download Apple Books media that's tagged as
erotica. Available in iOS 6 and later, and tvOS 11.3 and later. This restriction
will require supervision in a future release.
- key: allowCamera
@@ -708,9 +705,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: |-
If 'false', disallows iCloud Freeform services.
Available in macOS 14 and later.
content: If 'false', disallows iCloud Freeform services. Available in macOS 14 and
later.
- key: allowCloudKeychainSync
supportedOS:
iOS:
@@ -905,9 +901,9 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: |-
If 'false', prevents the user from changing the device name. Requires a supervised device.
Available in iOS 9 and later, macOS 14 and later, and tvOS 11.0 and later.
content: If 'false', prevents the user from changing the device name. Requires a
supervised device. Available in iOS 9 and later, macOS 14 and later, and tvOS
11.0 and later.
- key: allowDeviceSleep
title: Allow Device Sleep
supportedOS:
@@ -1135,8 +1131,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: |-
If 'false', prevents modifying File Sharing setting in System Settings.
content: If 'false', prevents modifying File Sharing setting in System Settings.
Available in macOS 14 and later.
- key: allowFilesNetworkDriveAccess
supportedOS:
@@ -1369,8 +1364,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: |-
If 'false', prevents modifying Internet Sharing setting in System Settings.
content: If 'false', prevents modifying Internet Sharing setting in System Settings.
Available in macOS 14 and later.
- key: allowiPhoneWidgetsOnMac
title: Allow iPhone widget on Mac
@@ -1391,9 +1385,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: |-
If 'false', disallows iPhone widgets on a Mac that has signed in the same AppleID for iCloud. Supervised only.
Available on iOS 17 and later.
content: If 'false', disallows iPhone widgets on a Mac that has signed in the same
Apple ID for iCloud. Supervised only. Available on iOS 17 and later.
- key: allowiTunes
title: Allow use of iTunes
supportedOS:
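Review bot: The folded line still ends with "Available on iOS 17 and later", while every other entry touched in this file uses "Available in". Change it to "Available in iOS 17 and later" while the line is being rewritten. "Supervised only" could also be aligned with the "Requires a supervised device" phrasing used by the neighbouring keys.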
@@ -1491,9 +1484,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: |-
If 'false', prevents creating new users in System Settings.
Available in macOS 14 and later.
content: If 'false', prevents creating new users in System Settings. Available in
macOS 14 and later.
- key: allowLockScreenControlCenter
supportedOS:
iOS:
@@ -1904,7 +1896,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: If 'false', disables Photo Stream. Available in iOS 5 and later.
content: If 'false', disables Photo Stream. Available in iOS 5 and later. This restriction
is deprecated and will be removed in a future release.
- key: allowPodcasts
supportedOS:
iOS:
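Review bot: The deprecation is stated only in the 'content' prose ("This restriction is deprecated and will be removed in a future release"), with no release number and no replacement named. In the lines shown there is nothing a tool that consumes this file could key on. If the schema has a structured way to mark a key as deprecated, set it here as well, and apply the same to the other keys that gain this sentence in this commit.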
@@ -1958,8 +1951,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: |-
If 'false', prevents modifying Printer Sharing setting in System Settings.
content: If 'false', prevents modifying Printer Sharing setting in System Settings.
Available in macOS 14 and later.
- key: allowProximitySetupToNewDevice
supportedOS:
@@ -2017,7 +2009,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: If 'false', prohibits installation of rapid security responses.
content: If 'false', prohibits installation of rapid security responses. Available
in iOS 16 and later and macOS 13 and later.
- key: allowRapidSecurityResponseRemoval
title: Allow Rapid Security Response Removal
supportedOS:
@@ -2037,7 +2030,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: If 'false', prohibits removal of rapid security responses.
content: If 'false', prohibits removal of rapid security responses. Available in
iOS 16 and later and macOS 13 and later.
- key: allowRemoteAppleEventsModification
title: Allow modifying Remote Apple Events Sharing setting
supportedOS:
@@ -2054,9 +2048,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: |-
If 'false', prevents modifying Remote Apple Events Sharing setting in System Settings.
Available in macOS 14 and later.
content: If 'false', prevents modifying Remote Apple Events Sharing setting in System
Settings. Available in macOS 14 and later.
- key: allowRemoteAppPairing
title: Allow pairing with Remote app
supportedOS:
@@ -2221,8 +2214,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: |-
If 'false', prevents modification of Startup Disk setting in System Settings.
content: If 'false', prevents modification of Startup Disk setting in System Settings.
Available in macOS 14 and later.
- key: allowSystemAppRemoval
supportedOS:
@@ -2258,8 +2250,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: |-
If 'false', prevents modification of Time Machine settings in System Settings.
content: If 'false', prevents modification of Time Machine settings in System Settings.
Available in macOS 14 and later.
- key: allowUIAppInstallation
title: Allow App Installation from App Store
@@ -2434,7 +2425,8 @@ payloadkeys:
presence: optional
default: true
content: If 'false', disables voice dialing if the device is locked with a passcode.
Available in iOS 4 and later.
Available in iOS 4 and later. This restriction is deprecated and will be removed
in a future release.
- key: allowVPNCreation
title: Allow Adding VPN Configurations (Supervised devices only)
supportedOS:
@@ -2516,7 +2508,7 @@ payloadkeys:
introduced: n/a
type: <array>
presence: optional
content: Use blockedAppBundleIDs instead.
content: Use 'blockedAppBundleIDs' instead.
subkeys:
- key: appBlacklistedBundleID
title: Blacklisted App
@@ -2560,9 +2552,8 @@ payloadkeys:
type: <integer>
presence: optional
default: 172800
content: |-
The value, in seconds, after which the fingerprint unlock requires a password to authenticate. The default value is 48 hours.
Available in macOS 12 and later.
content: The value, in seconds, after which the fingerprint unlock requires a password
to authenticate. The default value is 48 hours. Available in macOS 12 and later.
- key: enforcedSoftwareUpdateDelay
supportedOS:
iOS:
@@ -2587,8 +2578,7 @@ payloadkeys:
default: 30
content: |-
Sets how many days to delay a software update on the device. With this restriction in place, the user doesn't see a software update until the specified number of days after the software update release date. This value is used by 'forceDelayedAppSoftwareUpdates' and 'forceDelayedSoftwareUpdates'.
Requires a supervised device in iOS and tvOS.
Available in iOS 11.3 and later, macOS 10.13.4 and later, and tvOS 12.2 and later.
Requires a supervised device in iOS and tvOS. Available in iOS 11.3 and later, macOS 10.13.4 and later, and tvOS 12.2 and later.
- key: enforcedSoftwareUpdateMajorOSDeferredInstallDelay
supportedOS:
iOS:
@@ -2607,8 +2597,10 @@ payloadkeys:
min: 1
max: 90
default: 30
content: |-
This restriction allows the admin to set how many days to delay a major software upgrade on the device. When this restriction is in place the user sees a software upgrade only after the specified delay after the release of the software upgrade. This value controls the delay for 'forceDelayedMajorSoftwareUpdates'.
content: This restriction allows the admin to set how many days to delay a major
software upgrade on the device. When this restriction is in place the user sees
a software upgrade only after the specified delay after the release of the software
upgrade. This value controls the delay for 'forceDelayedMajorSoftwareUpdates'.
Available in macOS 11.3 and later.
- key: enforcedSoftwareUpdateMinorOSDeferredInstallDelay
supportedOS:
@@ -2628,9 +2620,11 @@ payloadkeys:
min: 1
max: 90
default: 30
content: |-
This restriction allows the admin to set how many days to delay a minor OS software update on the device. When this restriction is in place the user see a software update only after the specified delay after the release of the software update. This value controls the delay for 'forceDelayedSoftwareUpdates'.
Available in macOS 11.3 and later.
content: This restriction allows the admin to set how many days to delay a minor
OS software update on the device. When this restriction is in place the user see
a software update only after the specified delay after the release of the software
update. This value controls the delay for 'forceDelayedSoftwareUpdates'. Available
in macOS 11.3 and later.
- key: enforcedSoftwareUpdateNonOSDeferredInstallDelay
supportedOS:
iOS:
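Review bot: The reflowed description carries over the grammar error "the user see a software update" from the old text. Fix it to "the user sees" in the same change, matching the major-OS and non-OS delay entries, which already use "sees".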
@@ -2649,8 +2643,10 @@ payloadkeys:
min: 1
max: 90
default: 30
content: |-
This restriction allows the admin to set how many days to delay an app software update on the device. When this restriction is in place the user sees a non-OS software update only after the specified delay after the release of the software. This value controls the delay for 'forceDelayedAppSoftwareUpdates'.
content: This restriction allows the admin to set how many days to delay an app
software update on the device. When this restriction is in place the user sees
a non-OS software update only after the specified delay after the release of the
software. This value controls the delay for 'forceDelayedAppSoftwareUpdates'.
Available in macOS 11.3 and later.
- key: forceAirDropUnmanaged
title: Treat AirDrop as Unmanaged Destination
@@ -2907,9 +2903,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: |-
If set to true, delays user visibility of major upgrades to OS Software.
Available in macOS 11.3 and later.
content: If 'true', delays user visibility of major upgrades to OS Software. Available
in macOS 11.3 and later.
- key: forceDelayedSoftwareUpdates
supportedOS:
iOS:
@@ -2967,7 +2962,8 @@ payloadkeys:
presence: optional
default: false
content: If 'true', forces the user to enter their iTunes password for each transaction.
Available in iOS 6 and later.
Available in iOS 6 and later. This restriction is deprecated and will be removed
in a future release.
- key: forceLimitAdTracking
supportedOS:
iOS:
@@ -2983,9 +2979,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: |-
If 'true', limits ad tracking. Additionally, it disables app tracking and the Allow Apps To Request To Track setting.
Available in iOS 7 and later.
content: If 'true', limits ad tracking. Additionally, it disables app tracking and
the Allow Apps To Request To Track setting. Available in iOS 7 and later.
- key: forceOnDeviceOnlyDictation
supportedOS:
iOS:
@@ -3064,7 +3059,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', limits device to only join Wi-Fi networks set-up via configuration
content: If 'true', limits device to only join Wi-Fi networks set up through a configuration
profile. Requires a supervised device. Available in iOS 14.5 and later.
- key: forceWiFiWhitelisting
title: Only join Wi-Fi networks installed by profiles
@@ -3106,6 +3101,7 @@ payloadkeys:
default: 1000
content: |-
The maximum level of app content allowed on the device. Available in iOS 4 and later, and tvOS 11.3 and later.
Pre-installed (1st party) apps ignore this restriction.
Possible values (with the US description of the rating level):
* 1000: All
* 600: 17+
@@ -3184,9 +3180,7 @@ payloadkeys:
default: 1000
content: |-
The maximum level of TV content allowed on the device. Available in iOS 4 and later, and tvOS 11.3 and later.
Possible values (with the US description of the rating level):
Possible values (with the US description of the rating level)
* 1000: All
* 600: TV-MA
* 500: TV-14
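Review bot: The replacement line "Possible values (with the US description of the rating level)" drops the trailing colon before the bullet list, while the app rating entry in the previous hunk keeps it. Restore the colon so that the two rating descriptions stay consistent. If the blank line between the first sentence and the list was removed as well, check that the list still renders as a list.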
+2 -2
@@ -44,7 +44,7 @@ payloadkeys:
content: |-
The type of the VPN, which defines which settings are appropriate for this VPN payload.
If the type is 'VPN' or 'TransparentProxy', then the system requires a value for 'VPNSubType'.
'TransparentProxy' is only available in macOS. 'L2TP' and 'IPSec' aren't available in tvOS. 'AlwaysOn' is only available on iOS and Apple Watch pairing isn't supported with 'AlwaysOn'. For a previously paired Apple Watch, all phone-watch communications cease when 'AlwaysOn' is enabled.
'TransparentProxy' is only available in macOS. 'L2TP' and 'IPSec' aren't available in tvOS. 'AlwaysOn' is only available on iOS and Apple Watch pairing isn't supported with 'AlwaysOn'. For a previously paired Apple Watch, all phone-watch communications cease when 'AlwaysOn' is enabled. Not available in watchOS.
- key: VPNSubType
title: VPN Subtype
type: <string>
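Review bot: The appended "Not available in watchOS." has no subject, and it follows two sentences about 'AlwaysOn', so it reads as if only 'AlwaysOn' is unavailable in watchOS. If the whole key is meant, that belongs in the key's 'supportedOS' block rather than in prose. If a specific VPN type is meant, name it, as the line already does for 'TransparentProxy', 'L2TP' and 'IPSec'.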
@@ -175,7 +175,7 @@ payloadkeys:
- 1
default: 0
content: |-
If 1, then all network traffic will be routed through the VPN, with some exclusions. Several of the exclusions can be controlled with the ExcludeLocalNetworks, ExcludeCellularServices, and ExcludeAPNs properties. See the documentation for those properties. The following traffic is always excluded from the tunnel.
If '1', routes all traffic through the VPN, with some exclusions. Several of the exclusions can be controlled with the ExcludeLocalNetworks, ExcludeCellularServices, and ExcludeAPNs properties. See the documentation for those properties. The following traffic is always excluded from the tunnel. Not available in watchOS.
* Traffic necessary for connecting and maintaining the device's network connection, such as DHCP.
* Traffic necessary for connecting to captive networks.
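Review bot: "Not available in watchOS." is appended after "The following traffic is always excluded from the tunnel.", which separates that lead-in from the bullet list it introduces and leaves the new sentence without a subject. Move the availability statement to the start of the description or to 'supportedOS'. The rewrite quotes '1' but leaves ExcludeLocalNetworks, ExcludeCellularServices and ExcludeAPNs unquoted; quote those as well for consistency with the rest of this commit.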