mirror of
https://github.com/apple/device-management.git
synced 2026-02-12 21:03:12 +00:00
228 lines
7.4 KiB
YAML
228 lines
7.4 KiB
YAML
title: Top Level
|
|
description: The top-level payload properties for all profiles.
|
|
payload:
|
|
payloadtype: TopLevel
|
|
supportedOS:
|
|
iOS:
|
|
introduced: '4.0'
|
|
multiple: false
|
|
supervised: false
|
|
allowmanualinstall: true
|
|
sharedipad:
|
|
mode: allowed
|
|
devicechannel: true
|
|
userchannel: true
|
|
userenrollment:
|
|
mode: allowed
|
|
macOS:
|
|
introduced: '10.7'
|
|
multiple: false
|
|
devicechannel: true
|
|
userchannel: true
|
|
supervised: false
|
|
requiresdep: false
|
|
userapprovedmdm: false
|
|
allowmanualinstall: true
|
|
userenrollment:
|
|
mode: allowed
|
|
tvOS:
|
|
introduced: '9.0'
|
|
multiple: false
|
|
supervised: false
|
|
allowmanualinstall: true
|
|
visionOS:
|
|
introduced: '1.0'
|
|
multiple: false
|
|
supervised: false
|
|
allowmanualinstall: true
|
|
userenrollment:
|
|
mode: allowed
|
|
watchOS:
|
|
introduced: '1.0'
|
|
multiple: false
|
|
allowmanualinstall: true
|
|
payloadkeys:
|
|
- key: PayloadIdentifier
|
|
type: <string>
|
|
presence: required
|
|
content: The reverse-DNS style identifier (`com.example.myprofile`, for example)
|
|
that identifies the profile. The system uses this string to determine whether
|
|
to replace an existing profile or add it as a new profile.
|
|
- key: PayloadUUID
|
|
type: <string>
|
|
presence: required
|
|
content: The globally unique identifier for the profile. The actual content is unimportant.
|
|
In macOS, you can use `uuidgen` to generate reasonable UUIDs.
|
|
- key: PayloadType
|
|
type: <string>
|
|
presence: required
|
|
rangelist:
|
|
- Configuration
|
|
content: The type of payload. The only supported value is `Configuration`.
|
|
- key: PayloadVersion
|
|
type: <integer>
|
|
presence: required
|
|
rangelist:
|
|
- 1
|
|
content: The version number of the profile format, which needs to be `1`. This number
|
|
represents the version of the configuration profile as a whole, not of the individual
|
|
profiles within it.
|
|
- key: PayloadContent
|
|
type: <array>
|
|
presence: required
|
|
content: The array of payload dictionaries. If `IsEncrypted` is `true`, this array
|
|
isn't needed.
|
|
subkeys:
|
|
- key: PayloadContentItem
|
|
type: <dictionary>
|
|
content: The payload-specific content for this profile.
|
|
subkeys:
|
|
- key: ANY
|
|
type: <any>
|
|
presence: required
|
|
content: A payload item as defined by each payload type.
|
|
- key: EncryptedPayloadContent
|
|
type: <data>
|
|
presence: optional
|
|
content: Enabled if `IsEncrypted` is `true`.
|
|
- key: PayloadDescription
|
|
type: <string>
|
|
presence: optional
|
|
content: The description of the profile, shown on the Detail screen for the profile.
|
|
Make this description detailed enough to help the user decide whether to install
|
|
the profile.
|
|
- key: PayloadDisplayName
|
|
type: <string>
|
|
presence: optional
|
|
content: The human-readable name for the profile, which doesn't need to be unique.
|
|
The system displays this value on the Detail screen.
|
|
- key: PayloadOrganization
|
|
type: <string>
|
|
presence: optional
|
|
content: The human-readable string that contains the name of the organization that
|
|
provided the profile.
|
|
- key: PayloadRemovalDisallowed
|
|
supportedOS:
|
|
iOS:
|
|
supervised: true
|
|
userenrollment:
|
|
mode: forbidden
|
|
tvOS:
|
|
supervised: true
|
|
visionOS:
|
|
introduced: n/a
|
|
watchOS:
|
|
introduced: n/a
|
|
type: <boolean>
|
|
presence: optional
|
|
default: false
|
|
content: |-
|
|
If present and set to `true`, the user can't delete the profile unless the profile has a removal password and the user provides it.
|
|
|
|
On macOS 10.15 and later, this key only affects removal of _manually_ installed profiles. If set to `true` and no profile removal payload is present, removing the profile requires admin auth.
|
|
|
|
On macOS versions prior to 10.15, this key prevents admins from removing MDM installed profiles. However, as of macOS 10.15, users can never remove MDM profiles, not even the admin.
|
|
|
|
On iOS users can't remove a MDM profile.
|
|
|
|
Requires a supervised device.
|
|
- key: PayloadScope
|
|
supportedOS:
|
|
macOS:
|
|
introduced: '10.8'
|
|
type: <string>
|
|
presence: optional
|
|
rangelist:
|
|
- System
|
|
- User
|
|
content: A string that defines whether to install the profile for the system or
|
|
the user. In many cases, it determines the location of certificate items, such
|
|
as keychains. Though it's not possible to declare different payload scopes, payloads
|
|
like VPN can automatically install their items in both scopes, if needed.
|
|
- key: RemovalDate
|
|
type: <date>
|
|
presence: optional
|
|
content: The date when the system automatically removes the profile.
|
|
- key: DurationUntilRemoval
|
|
type: <real>
|
|
presence: optional
|
|
content: The number of seconds until the profile is automatically removed. If the
|
|
`RemovalDate` key is present, the system uses whichever field yields the earliest
|
|
date.
|
|
- key: PayloadExpirationDate
|
|
supportedOS:
|
|
watchOS:
|
|
introduced: n/a
|
|
type: <date>
|
|
presence: optional
|
|
content: The date when a profile is no longer valid and the system presents an update
|
|
button to the user.
|
|
- key: TargetDeviceType
|
|
supportedOS:
|
|
iOS:
|
|
introduced: '12.2'
|
|
macOS:
|
|
introduced: '10.15'
|
|
tvOS:
|
|
introduced: '12.2'
|
|
visionOS:
|
|
introduced: '1.1'
|
|
watchOS:
|
|
introduced: '5.2'
|
|
type: <integer>
|
|
presence: optional
|
|
rangelist:
|
|
- 0
|
|
- 1
|
|
- 2
|
|
- 3
|
|
- 4
|
|
- 5
|
|
- 6
|
|
default: 0
|
|
content: |-
|
|
The type of platform of the target device. Specifying the platform type helps prevent unintended installations.
|
|
|
|
For interactive installations on iOS devices, specifying a target platform avoids interstitial alerts that prompt the user to choose a profile target when multiple targets are eligible.
|
|
|
|
Allowed values:
|
|
|
|
- `0`: Any/unspecified
|
|
- `1`: iPhone/iPad/iPod Touch
|
|
- `2`: Apple Watch
|
|
- `3`: HomePod
|
|
- `4`: Apple TV
|
|
- `5`: Mac
|
|
- `6`: Vision Pro
|
|
- key: ConsentText
|
|
type: <dictionary>
|
|
presence: optional
|
|
content: |-
|
|
A dictionary that includes:
|
|
|
|
- A key that contains the IETF BCP 47 identifier for a language, such as _en_ or _jp_
|
|
- A value that contains the agreement localized to language specified by the key
|
|
|
|
The dictionary can also contain an optional key, `default`, with its value consisting of the unlocalized (usually in _en_) agreement.
|
|
|
|
The system always displays the agreement in a dialog, and the user needs to agree before the system can install the profile.
|
|
|
|
The system chooses a localized version in the order of preference that the user specifies in macOS, or based on the user's current language setting in iOS. If there's no exact match, the system uses the default localization. If there's no default localization, the system uses the _en_ localization. If there's no _en_ localization, the system uses the first available localization.
|
|
|
|
> Tip:
|
|
> Provide a default value, if possible. The system won't display a warning if the user's locale doesn't match any localization in the `ConsentText` dictionary.
|
|
subkeys:
|
|
- key: ConsentTextItem
|
|
type: <dictionary>
|
|
presence: required
|
|
content: The dictionary containing a key that consists of the IETF BCP 47 identifier
|
|
for a language (for example, en or jp) and a value that consists of the agreement
|
|
localized to that language.
|
|
subkeys:
|
|
- key: ANY
|
|
type: <string>
|
|
presence: required
|
|
content: The key consisting of the IETF BCP 47 identifier for a language (for
|
|
example, en or jp) and the value consisting of the agreement localized to
|
|
that language.
|