Files
apple_device-management/mdm/commands/information.security.yaml
Cyrus Daboo 97a11a861f Seed2
2026-06-22 15:55:19 -04:00

579 lines
17 KiB
YAML

title: Security Info Command
description: Get security-related information about a device.
payload:
requesttype: SecurityInfo
supportedOS:
iOS:
introduced: '4.0'
accessrights: AllowQuerySecurity
supervised: false
requiresdep: false
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: allowed
macOS:
introduced: '10.7'
accessrights: AllowQuerySecurity
devicechannel: true
userchannel: true
supervised: false
requiresdep: false
userenrollment:
mode: allowed
tvOS:
introduced: '9.0'
accessrights: AllowQuerySecurity
supervised: false
visionOS:
introduced: '1.1'
accessrights: AllowQuerySecurity
supervised: false
requiresdep: false
userenrollment:
mode: allowed
watchOS:
introduced: '10.0'
accessrights: AllowQuerySecurity
supervised: false
content: This command queries the device for security-related information. Queries
are available if the MDM host has the Security Query right.
responsekeys:
- key: SecurityInfo
type: <dictionary>
presence: required
content: A dictionary that contains security-related information.
subkeys:
- key: HardwareEncryptionCaps
supportedOS:
macOS:
introduced: n/a
type: <integer>
content: |-
An integer that indicates the underlying hardware encryption capabilities of the device, which is one of the following values:
- `1`: Block-level encryption
- `2`: File-level encryption
- `3`: Both block-level and file-level encryption
> Important:
> For a device to have data protection, `HardwareEncryptionCaps` must be `3` and `PasscodePresent` must `true`.
- key: PasscodePresent
supportedOS:
iOS:
userenrollment:
mode: forbidden
macOS:
introduced: n/a
visionOS:
userenrollment:
mode: forbidden
type: <boolean>
content: If `true`, the device has a passcode. This key doesn't apply to User-Enrolled
devices.
- key: PasscodeCompliant
supportedOS:
macOS:
introduced: n/a
type: <boolean>
content: If `true`, the user's passcode is compliant with all requirements on
the device, including Exchange and other accounts.
- key: PasscodeCompliantWithProfiles
supportedOS:
iOS:
userenrollment:
mode: forbidden
macOS:
introduced: n/a
visionOS:
userenrollment:
mode: forbidden
type: <boolean>
content: If `true`, the user's passcode is compliant with requirements from profiles.
This key doesn't apply to User-Enrolled devices.
- key: PasscodeLockGracePeriod
supportedOS:
iOS:
introduced: 9.3.2
userenrollment:
mode: forbidden
macOS:
introduced: n/a
visionOS:
userenrollment:
mode: forbidden
type: <integer>
content: The user preference for the number of seconds before a locked screen
requires the device passcode to unlock it. This value is only available for
Shared iPad.
- key: PasscodeLockGracePeriodEnforced
supportedOS:
iOS:
introduced: 9.3.2
userenrollment:
mode: forbidden
macOS:
introduced: n/a
visionOS:
userenrollment:
mode: forbidden
type: <integer>
content: The enforced value for the number of seconds before a locked screen requires
the device passcode to unlock it. If a device has a passcode, changing `PasscodeLockGracePeriod`
to a larger value doesn't take effect until the user logs out or removes the
passcode. This value is only available for Shared iPad.
- key: AutoLockTime
supportedOS:
iOS:
introduced: '17.0'
sharedipad:
mode: required
userenrollment:
mode: forbidden
macOS:
introduced: n/a
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
type: <integer>
content: The number of seconds before a device goes to sleep after being idle.
This value is only available on Shared iPad in iOS 17 and later.
- key: FDE_Enabled
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '10.9'
userchannel: false
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
type: <boolean>
content: If `true`, the device has enabled FileVault full disk encryption (FDE).
- key: FDE_HasPersonalRecoveryKey
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '10.9'
userchannel: false
userenrollment:
mode: forbidden
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
type: <boolean>
content: If `true`, FileVault FDE has a personal recovery key.
- key: FDE_HasInstitutionalRecoveryKey
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '10.9'
userchannel: false
userenrollment:
mode: forbidden
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
type: <boolean>
content: If `true`, FileVault FDE has an institutional recovery key.
- key: FDE_PersonalRecoveryKeyCMS
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '10.13'
userchannel: false
userenrollment:
mode: forbidden
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
type: <data>
content: If the FileVault personal recovery key has enabled escrow with a recovery
key, this value contains the key. The certificate from the `FDERecoveryKeyEscrow`
profile encrypts the key and wraps it as CMS data.
- key: FDE_PersonalRecoveryKeyDeviceKey
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '10.13'
userchannel: false
userenrollment:
mode: forbidden
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
type: <string>
content: If the FileVault personal recovery key has enabled escrow with a recovery
key, this value is the device serial number. This is the value that displays
to the user at the EFI Login Window as part of the help message if they enter
their password incorrectly three times. The server also uses this value as an
index when saving the device personal recovery key. This replaces the `recordNumber`
that the server returned in the previous escrow mechanism.
- key: SystemIntegrityProtectionEnabled
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '10.12'
userchannel: false
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
type: <boolean>
content: If `true`, System Integrity Protection (SIP) is active on the device.
- key: FirewallSettings
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '10.12'
userchannel: false
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
type: <dictionary>
content: A dictionary that contains the firewall settings.
subkeys:
- key: FirewallEnabled
type: <boolean>
content: If `true`, the firewall is on.
- key: BlockAllIncoming
type: <boolean>
content: If `true`, the firewall blocks all incoming connections.
- key: StealthMode
type: <boolean>
content: If true, stealth mode is active for the firewall.
- key: Applications
supportedOS:
macOS:
introduced: '10.12'
userenrollment:
mode: forbidden
type: <array>
content: An array of dictionaries that describes the allowed applications.
subkeys:
- key: ApplicationsItem
type: <dictionary>
content: A dictionary that describes the allowed apps.
subkeys:
- key: Allowed
type: <boolean>
content: If `true`, the app is an allowed app.
- key: BundleID
type: <string>
content: The app's bundle identifier.
- key: Name
type: <string>
content: The app's display name if it's determinable from the `BundleID`.
- key: LoggingEnabled
supportedOS:
macOS:
introduced: '12.0'
type: <boolean>
content: If `true`, logging is enabled.
- key: LoggingOption
supportedOS:
macOS:
introduced: '12.0'
type: <string>
rangelist:
- throttled
- brief
- detail
content: The type of logging emitted by the firewall.
- key: FirmwarePasswordStatus
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '10.13'
userchannel: false
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
type: <dictionary>
content: A dictionary that contains the status of the EFI firmware password.
subkeys:
- key: PasswordExists
type: <boolean>
content: If `true`, the device has an EFI firmware password.
- key: ChangePending
type: <boolean>
content: |-
If `true`, a firmware password change is pending. A device restart is necessary for this change to take effect. Until then, additional attempts to change the password fail.
> Note:
> If `true`, the other values show the current state of the device, not the state after a restart.
- key: AllowOroms
type: <boolean>
content: If `true`, enable ROMs.
- key: ManagementStatus
supportedOS:
iOS:
introduced: '13.0'
macOS:
introduced: 10.13.2
tvOS:
introduced: '13.0'
type: <dictionary>
content: A dictionary that contains the status of the device's MDM enrollment.
subkeys:
- key: EnrolledViaDEP
supportedOS:
iOS:
introduced: n/a
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
type: <boolean>
content: If `true`, the device enrolled in MDM through Automated Device Enrollment
(ADE).
- key: UserApprovedEnrollment
supportedOS:
iOS:
introduced: n/a
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
type: <boolean>
content: If `true`, the enrollment was user-approved. If `false`, the device
may reject certain security-sensitive payloads or commands.
- key: IsUserEnrollment
supportedOS:
macOS:
introduced: '10.15'
type: <boolean>
content: If `true`, the device is user-enrolled.
- key: IsActivationLockManageable
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '10.15'
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
type: <boolean>
content: If `true`, the type of enrollment allows the MDM to manage Activation
Lock for this device.
- key: SecureBoot
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '10.15'
userchannel: false
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
type: <dictionary>
content: A dictionary that contains the device's Secure Boot settings.
subkeys:
- key: SecureBootLevel
type: <string>
rangelist:
- 'off'
- medium
- full
- not supported
content: The security level for the bootable operating system versions.
- key: ExternalBootLevel
type: <string>
rangelist:
- allowed
- disallowed
- not supported
content: The device's external boot level, which indicates whether it allows
booting from an external device, disallows it, or doesn't support it.
- key: ReducedSecurity
supportedOS:
macOS:
introduced: '11.0'
type: <array>
content: Reports which security features the user disables in `recoveryOS`.
This property is only present for a Mac with Apple silicon when `SecureBootLevel`
is `medium`.
subkeys:
- key: ReducedSecurityItems
type: <string>
subkeys:
- key: AllowsAnyAppleSignedOS
type: <string>
content: If 'true', allows any signed version of trusted system software
from Apple to run.
- key: AllowsUserKextApproval
type: <string>
content: If 'true', the user has control over kernel extensions.
- key: AllowsMDM
type: <string>
content: If 'true', the MDM server controls kernel extensions and software
updates.
- key: RemoteDesktopEnabled
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: 10.14.4
userchannel: false
userenrollment:
mode: forbidden
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
type: <boolean>
content: If `true`, Remote Desktop is active on the device.
- key: AuthenticatedRootVolumeEnabled
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '11.0'
userchannel: false
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
type: <boolean>
content: If `true`, the system booted using an Authenticated Root Volume.
- key: BootstrapTokenAllowedForAuthentication
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '11.0'
userchannel: false
userenrollment:
mode: forbidden
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
type: <string>
rangelist:
- allowed
- disallowed
- not supported
content: |-
This value specifies whether the Secure Enclave Processor (SEP) supports and allows secure operations to use the Bootstrap Token. The device automatically sets this value if enrolled through Automated Device Enrollment (ADE). The user can also manually set this value in the RecoveryOS.
This value is available for a Mac with Apple silicon in macOS 11 and later. Not available for user enrollment.
- key: BootstrapTokenRequiredForSoftwareUpdate
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '11.0'
userchannel: false
userenrollment:
mode: forbidden
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
type: <boolean>
content: |-
If `true`, the device can accept a Bootstrap Token from the MDM server instead of prompting for user authentication prior to installation. This only applies when `BootstrapTokenAllowedForAuthentication` is `true` in the `SecurityInfo` response.
This value is available for a Mac with Apple silicon in macOS 11 and later. Not available for user enrollment.
- key: BootstrapTokenRequiredForKernelExtensionApproval
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '11.0'
userchannel: false
userenrollment:
mode: forbidden
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
type: <boolean>
content: |-
If `true`, the device can accept a Bootstrap Token from the MDM server instead of prompting for user authentication prior to enabling kernel extensions. This includes enabling kexts through the `com.apple.syspolicy.kernel-extension-policy` payload or triggering the `RestartDevice` command with `RebuildKernelCache` set to `true`. This only applies when `BootstrapTokenAllowedForAuthentication` is `true` in the `SecurityInfo` response.
This value is available for a Mac with Apple silicon in macOS 11 and later. Not available for user enrollment.
- key: IsRecoveryLockEnabled
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '11.5'
userchannel: false
userenrollment:
mode: forbidden
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
type: <boolean>
content: If `true`, a password is required to enter recovery (see `SetRecoveryLockCommand`).
Available in macOS 11.5 and later and only on a Mac with Apple silicon.
notes:
- title: ''
content: Refer to the following sections to determine supported channels and requirements,
and to see an example request and response.
examples:
- title: Example request and response
files:
- request-file: examples/mdm/commands/information.security/example1.plist
response-file: examples/mdm/commands/information.security/example2.plist