mirror of
https://github.com/apple/device-management.git
synced 2026-07-10 21:13:42 +02:00
579 lines
17 KiB
YAML
579 lines
17 KiB
YAML
title: Security Info Command
|
|
description: Get security-related information about a device.
|
|
payload:
|
|
requesttype: SecurityInfo
|
|
supportedOS:
|
|
iOS:
|
|
introduced: '4.0'
|
|
accessrights: AllowQuerySecurity
|
|
supervised: false
|
|
requiresdep: false
|
|
sharedipad:
|
|
mode: allowed
|
|
devicechannel: true
|
|
userchannel: false
|
|
userenrollment:
|
|
mode: allowed
|
|
macOS:
|
|
introduced: '10.7'
|
|
accessrights: AllowQuerySecurity
|
|
devicechannel: true
|
|
userchannel: true
|
|
supervised: false
|
|
requiresdep: false
|
|
userenrollment:
|
|
mode: allowed
|
|
tvOS:
|
|
introduced: '9.0'
|
|
accessrights: AllowQuerySecurity
|
|
supervised: false
|
|
visionOS:
|
|
introduced: '1.1'
|
|
accessrights: AllowQuerySecurity
|
|
supervised: false
|
|
requiresdep: false
|
|
userenrollment:
|
|
mode: allowed
|
|
watchOS:
|
|
introduced: '10.0'
|
|
accessrights: AllowQuerySecurity
|
|
supervised: false
|
|
content: This command queries the device for security-related information. Queries
|
|
are available if the MDM host has the Security Query right.
|
|
responsekeys:
|
|
- key: SecurityInfo
|
|
type: <dictionary>
|
|
presence: required
|
|
content: A dictionary that contains security-related information.
|
|
subkeys:
|
|
- key: HardwareEncryptionCaps
|
|
supportedOS:
|
|
macOS:
|
|
introduced: n/a
|
|
type: <integer>
|
|
content: |-
|
|
An integer that indicates the underlying hardware encryption capabilities of the device, which is one of the following values:
|
|
|
|
- `1`: Block-level encryption
|
|
- `2`: File-level encryption
|
|
- `3`: Both block-level and file-level encryption
|
|
|
|
> Important:
|
|
> For a device to have data protection, `HardwareEncryptionCaps` must be `3` and `PasscodePresent` must `true`.
|
|
- key: PasscodePresent
|
|
supportedOS:
|
|
iOS:
|
|
userenrollment:
|
|
mode: forbidden
|
|
macOS:
|
|
introduced: n/a
|
|
visionOS:
|
|
userenrollment:
|
|
mode: forbidden
|
|
type: <boolean>
|
|
content: If `true`, the device has a passcode. This key doesn't apply to User-Enrolled
|
|
devices.
|
|
- key: PasscodeCompliant
|
|
supportedOS:
|
|
macOS:
|
|
introduced: n/a
|
|
type: <boolean>
|
|
content: If `true`, the user's passcode is compliant with all requirements on
|
|
the device, including Exchange and other accounts.
|
|
- key: PasscodeCompliantWithProfiles
|
|
supportedOS:
|
|
iOS:
|
|
userenrollment:
|
|
mode: forbidden
|
|
macOS:
|
|
introduced: n/a
|
|
visionOS:
|
|
userenrollment:
|
|
mode: forbidden
|
|
type: <boolean>
|
|
content: If `true`, the user's passcode is compliant with requirements from profiles.
|
|
This key doesn't apply to User-Enrolled devices.
|
|
- key: PasscodeLockGracePeriod
|
|
supportedOS:
|
|
iOS:
|
|
introduced: 9.3.2
|
|
userenrollment:
|
|
mode: forbidden
|
|
macOS:
|
|
introduced: n/a
|
|
visionOS:
|
|
userenrollment:
|
|
mode: forbidden
|
|
type: <integer>
|
|
content: The user preference for the number of seconds before a locked screen
|
|
requires the device passcode to unlock it. This value is only available for
|
|
Shared iPad.
|
|
- key: PasscodeLockGracePeriodEnforced
|
|
supportedOS:
|
|
iOS:
|
|
introduced: 9.3.2
|
|
userenrollment:
|
|
mode: forbidden
|
|
macOS:
|
|
introduced: n/a
|
|
visionOS:
|
|
userenrollment:
|
|
mode: forbidden
|
|
type: <integer>
|
|
content: The enforced value for the number of seconds before a locked screen requires
|
|
the device passcode to unlock it. If a device has a passcode, changing `PasscodeLockGracePeriod`
|
|
to a larger value doesn't take effect until the user logs out or removes the
|
|
passcode. This value is only available for Shared iPad.
|
|
- key: AutoLockTime
|
|
supportedOS:
|
|
iOS:
|
|
introduced: '17.0'
|
|
sharedipad:
|
|
mode: required
|
|
userenrollment:
|
|
mode: forbidden
|
|
macOS:
|
|
introduced: n/a
|
|
tvOS:
|
|
introduced: n/a
|
|
visionOS:
|
|
introduced: n/a
|
|
watchOS:
|
|
introduced: n/a
|
|
type: <integer>
|
|
content: The number of seconds before a device goes to sleep after being idle.
|
|
This value is only available on Shared iPad in iOS 17 and later.
|
|
- key: FDE_Enabled
|
|
supportedOS:
|
|
iOS:
|
|
introduced: n/a
|
|
macOS:
|
|
introduced: '10.9'
|
|
userchannel: false
|
|
tvOS:
|
|
introduced: n/a
|
|
visionOS:
|
|
introduced: n/a
|
|
watchOS:
|
|
introduced: n/a
|
|
type: <boolean>
|
|
content: If `true`, the device has enabled FileVault full disk encryption (FDE).
|
|
- key: FDE_HasPersonalRecoveryKey
|
|
supportedOS:
|
|
iOS:
|
|
introduced: n/a
|
|
macOS:
|
|
introduced: '10.9'
|
|
userchannel: false
|
|
userenrollment:
|
|
mode: forbidden
|
|
tvOS:
|
|
introduced: n/a
|
|
visionOS:
|
|
introduced: n/a
|
|
watchOS:
|
|
introduced: n/a
|
|
type: <boolean>
|
|
content: If `true`, FileVault FDE has a personal recovery key.
|
|
- key: FDE_HasInstitutionalRecoveryKey
|
|
supportedOS:
|
|
iOS:
|
|
introduced: n/a
|
|
macOS:
|
|
introduced: '10.9'
|
|
userchannel: false
|
|
userenrollment:
|
|
mode: forbidden
|
|
tvOS:
|
|
introduced: n/a
|
|
visionOS:
|
|
introduced: n/a
|
|
watchOS:
|
|
introduced: n/a
|
|
type: <boolean>
|
|
content: If `true`, FileVault FDE has an institutional recovery key.
|
|
- key: FDE_PersonalRecoveryKeyCMS
|
|
supportedOS:
|
|
iOS:
|
|
introduced: n/a
|
|
macOS:
|
|
introduced: '10.13'
|
|
userchannel: false
|
|
userenrollment:
|
|
mode: forbidden
|
|
tvOS:
|
|
introduced: n/a
|
|
visionOS:
|
|
introduced: n/a
|
|
watchOS:
|
|
introduced: n/a
|
|
type: <data>
|
|
content: If the FileVault personal recovery key has enabled escrow with a recovery
|
|
key, this value contains the key. The certificate from the `FDERecoveryKeyEscrow`
|
|
profile encrypts the key and wraps it as CMS data.
|
|
- key: FDE_PersonalRecoveryKeyDeviceKey
|
|
supportedOS:
|
|
iOS:
|
|
introduced: n/a
|
|
macOS:
|
|
introduced: '10.13'
|
|
userchannel: false
|
|
userenrollment:
|
|
mode: forbidden
|
|
tvOS:
|
|
introduced: n/a
|
|
visionOS:
|
|
introduced: n/a
|
|
watchOS:
|
|
introduced: n/a
|
|
type: <string>
|
|
content: If the FileVault personal recovery key has enabled escrow with a recovery
|
|
key, this value is the device serial number. This is the value that displays
|
|
to the user at the EFI Login Window as part of the help message if they enter
|
|
their password incorrectly three times. The server also uses this value as an
|
|
index when saving the device personal recovery key. This replaces the `recordNumber`
|
|
that the server returned in the previous escrow mechanism.
|
|
- key: SystemIntegrityProtectionEnabled
|
|
supportedOS:
|
|
iOS:
|
|
introduced: n/a
|
|
macOS:
|
|
introduced: '10.12'
|
|
userchannel: false
|
|
tvOS:
|
|
introduced: n/a
|
|
visionOS:
|
|
introduced: n/a
|
|
watchOS:
|
|
introduced: n/a
|
|
type: <boolean>
|
|
content: If `true`, System Integrity Protection (SIP) is active on the device.
|
|
- key: FirewallSettings
|
|
supportedOS:
|
|
iOS:
|
|
introduced: n/a
|
|
macOS:
|
|
introduced: '10.12'
|
|
userchannel: false
|
|
tvOS:
|
|
introduced: n/a
|
|
visionOS:
|
|
introduced: n/a
|
|
watchOS:
|
|
introduced: n/a
|
|
type: <dictionary>
|
|
content: A dictionary that contains the firewall settings.
|
|
subkeys:
|
|
- key: FirewallEnabled
|
|
type: <boolean>
|
|
content: If `true`, the firewall is on.
|
|
- key: BlockAllIncoming
|
|
type: <boolean>
|
|
content: If `true`, the firewall blocks all incoming connections.
|
|
- key: StealthMode
|
|
type: <boolean>
|
|
content: If true, stealth mode is active for the firewall.
|
|
- key: Applications
|
|
supportedOS:
|
|
macOS:
|
|
introduced: '10.12'
|
|
userenrollment:
|
|
mode: forbidden
|
|
type: <array>
|
|
content: An array of dictionaries that describes the allowed applications.
|
|
subkeys:
|
|
- key: ApplicationsItem
|
|
type: <dictionary>
|
|
content: A dictionary that describes the allowed apps.
|
|
subkeys:
|
|
- key: Allowed
|
|
type: <boolean>
|
|
content: If `true`, the app is an allowed app.
|
|
- key: BundleID
|
|
type: <string>
|
|
content: The app's bundle identifier.
|
|
- key: Name
|
|
type: <string>
|
|
content: The app's display name if it's determinable from the `BundleID`.
|
|
- key: LoggingEnabled
|
|
supportedOS:
|
|
macOS:
|
|
introduced: '12.0'
|
|
type: <boolean>
|
|
content: If `true`, logging is enabled.
|
|
- key: LoggingOption
|
|
supportedOS:
|
|
macOS:
|
|
introduced: '12.0'
|
|
type: <string>
|
|
rangelist:
|
|
- throttled
|
|
- brief
|
|
- detail
|
|
content: The type of logging emitted by the firewall.
|
|
- key: FirmwarePasswordStatus
|
|
supportedOS:
|
|
iOS:
|
|
introduced: n/a
|
|
macOS:
|
|
introduced: '10.13'
|
|
userchannel: false
|
|
tvOS:
|
|
introduced: n/a
|
|
visionOS:
|
|
introduced: n/a
|
|
watchOS:
|
|
introduced: n/a
|
|
type: <dictionary>
|
|
content: A dictionary that contains the status of the EFI firmware password.
|
|
subkeys:
|
|
- key: PasswordExists
|
|
type: <boolean>
|
|
content: If `true`, the device has an EFI firmware password.
|
|
- key: ChangePending
|
|
type: <boolean>
|
|
content: |-
|
|
If `true`, a firmware password change is pending. A device restart is necessary for this change to take effect. Until then, additional attempts to change the password fail.
|
|
|
|
> Note:
|
|
> If `true`, the other values show the current state of the device, not the state after a restart.
|
|
- key: AllowOroms
|
|
type: <boolean>
|
|
content: If `true`, enable ROMs.
|
|
- key: ManagementStatus
|
|
supportedOS:
|
|
iOS:
|
|
introduced: '13.0'
|
|
macOS:
|
|
introduced: 10.13.2
|
|
tvOS:
|
|
introduced: '13.0'
|
|
type: <dictionary>
|
|
content: A dictionary that contains the status of the device's MDM enrollment.
|
|
subkeys:
|
|
- key: EnrolledViaDEP
|
|
supportedOS:
|
|
iOS:
|
|
introduced: n/a
|
|
tvOS:
|
|
introduced: n/a
|
|
visionOS:
|
|
introduced: n/a
|
|
watchOS:
|
|
introduced: n/a
|
|
type: <boolean>
|
|
content: If `true`, the device enrolled in MDM through Automated Device Enrollment
|
|
(ADE).
|
|
- key: UserApprovedEnrollment
|
|
supportedOS:
|
|
iOS:
|
|
introduced: n/a
|
|
tvOS:
|
|
introduced: n/a
|
|
visionOS:
|
|
introduced: n/a
|
|
watchOS:
|
|
introduced: n/a
|
|
type: <boolean>
|
|
content: If `true`, the enrollment was user-approved. If `false`, the device
|
|
may reject certain security-sensitive payloads or commands.
|
|
- key: IsUserEnrollment
|
|
supportedOS:
|
|
macOS:
|
|
introduced: '10.15'
|
|
type: <boolean>
|
|
content: If `true`, the device is user-enrolled.
|
|
- key: IsActivationLockManageable
|
|
supportedOS:
|
|
iOS:
|
|
introduced: n/a
|
|
macOS:
|
|
introduced: '10.15'
|
|
tvOS:
|
|
introduced: n/a
|
|
visionOS:
|
|
introduced: n/a
|
|
watchOS:
|
|
introduced: n/a
|
|
type: <boolean>
|
|
content: If `true`, the type of enrollment allows the MDM to manage Activation
|
|
Lock for this device.
|
|
- key: SecureBoot
|
|
supportedOS:
|
|
iOS:
|
|
introduced: n/a
|
|
macOS:
|
|
introduced: '10.15'
|
|
userchannel: false
|
|
tvOS:
|
|
introduced: n/a
|
|
visionOS:
|
|
introduced: n/a
|
|
watchOS:
|
|
introduced: n/a
|
|
type: <dictionary>
|
|
content: A dictionary that contains the device's Secure Boot settings.
|
|
subkeys:
|
|
- key: SecureBootLevel
|
|
type: <string>
|
|
rangelist:
|
|
- 'off'
|
|
- medium
|
|
- full
|
|
- not supported
|
|
content: The security level for the bootable operating system versions.
|
|
- key: ExternalBootLevel
|
|
type: <string>
|
|
rangelist:
|
|
- allowed
|
|
- disallowed
|
|
- not supported
|
|
content: The device's external boot level, which indicates whether it allows
|
|
booting from an external device, disallows it, or doesn't support it.
|
|
- key: ReducedSecurity
|
|
supportedOS:
|
|
macOS:
|
|
introduced: '11.0'
|
|
type: <array>
|
|
content: Reports which security features the user disables in `recoveryOS`.
|
|
This property is only present for a Mac with Apple silicon when `SecureBootLevel`
|
|
is `medium`.
|
|
subkeys:
|
|
- key: ReducedSecurityItems
|
|
type: <string>
|
|
subkeys:
|
|
- key: AllowsAnyAppleSignedOS
|
|
type: <string>
|
|
content: If 'true', allows any signed version of trusted system software
|
|
from Apple to run.
|
|
- key: AllowsUserKextApproval
|
|
type: <string>
|
|
content: If 'true', the user has control over kernel extensions.
|
|
- key: AllowsMDM
|
|
type: <string>
|
|
content: If 'true', the MDM server controls kernel extensions and software
|
|
updates.
|
|
- key: RemoteDesktopEnabled
|
|
supportedOS:
|
|
iOS:
|
|
introduced: n/a
|
|
macOS:
|
|
introduced: 10.14.4
|
|
userchannel: false
|
|
userenrollment:
|
|
mode: forbidden
|
|
tvOS:
|
|
introduced: n/a
|
|
visionOS:
|
|
introduced: n/a
|
|
watchOS:
|
|
introduced: n/a
|
|
type: <boolean>
|
|
content: If `true`, Remote Desktop is active on the device.
|
|
- key: AuthenticatedRootVolumeEnabled
|
|
supportedOS:
|
|
iOS:
|
|
introduced: n/a
|
|
macOS:
|
|
introduced: '11.0'
|
|
userchannel: false
|
|
tvOS:
|
|
introduced: n/a
|
|
visionOS:
|
|
introduced: n/a
|
|
watchOS:
|
|
introduced: n/a
|
|
type: <boolean>
|
|
content: If `true`, the system booted using an Authenticated Root Volume.
|
|
- key: BootstrapTokenAllowedForAuthentication
|
|
supportedOS:
|
|
iOS:
|
|
introduced: n/a
|
|
macOS:
|
|
introduced: '11.0'
|
|
userchannel: false
|
|
userenrollment:
|
|
mode: forbidden
|
|
tvOS:
|
|
introduced: n/a
|
|
visionOS:
|
|
introduced: n/a
|
|
watchOS:
|
|
introduced: n/a
|
|
type: <string>
|
|
rangelist:
|
|
- allowed
|
|
- disallowed
|
|
- not supported
|
|
content: |-
|
|
This value specifies whether the Secure Enclave Processor (SEP) supports and allows secure operations to use the Bootstrap Token. The device automatically sets this value if enrolled through Automated Device Enrollment (ADE). The user can also manually set this value in the RecoveryOS.
|
|
|
|
This value is available for a Mac with Apple silicon in macOS 11 and later. Not available for user enrollment.
|
|
- key: BootstrapTokenRequiredForSoftwareUpdate
|
|
supportedOS:
|
|
iOS:
|
|
introduced: n/a
|
|
macOS:
|
|
introduced: '11.0'
|
|
userchannel: false
|
|
userenrollment:
|
|
mode: forbidden
|
|
tvOS:
|
|
introduced: n/a
|
|
visionOS:
|
|
introduced: n/a
|
|
watchOS:
|
|
introduced: n/a
|
|
type: <boolean>
|
|
content: |-
|
|
If `true`, the device can accept a Bootstrap Token from the MDM server instead of prompting for user authentication prior to installation. This only applies when `BootstrapTokenAllowedForAuthentication` is `true` in the `SecurityInfo` response.
|
|
|
|
This value is available for a Mac with Apple silicon in macOS 11 and later. Not available for user enrollment.
|
|
- key: BootstrapTokenRequiredForKernelExtensionApproval
|
|
supportedOS:
|
|
iOS:
|
|
introduced: n/a
|
|
macOS:
|
|
introduced: '11.0'
|
|
userchannel: false
|
|
userenrollment:
|
|
mode: forbidden
|
|
tvOS:
|
|
introduced: n/a
|
|
visionOS:
|
|
introduced: n/a
|
|
watchOS:
|
|
introduced: n/a
|
|
type: <boolean>
|
|
content: |-
|
|
If `true`, the device can accept a Bootstrap Token from the MDM server instead of prompting for user authentication prior to enabling kernel extensions. This includes enabling kexts through the `com.apple.syspolicy.kernel-extension-policy` payload or triggering the `RestartDevice` command with `RebuildKernelCache` set to `true`. This only applies when `BootstrapTokenAllowedForAuthentication` is `true` in the `SecurityInfo` response.
|
|
|
|
This value is available for a Mac with Apple silicon in macOS 11 and later. Not available for user enrollment.
|
|
- key: IsRecoveryLockEnabled
|
|
supportedOS:
|
|
iOS:
|
|
introduced: n/a
|
|
macOS:
|
|
introduced: '11.5'
|
|
userchannel: false
|
|
userenrollment:
|
|
mode: forbidden
|
|
tvOS:
|
|
introduced: n/a
|
|
visionOS:
|
|
introduced: n/a
|
|
watchOS:
|
|
introduced: n/a
|
|
type: <boolean>
|
|
content: If `true`, a password is required to enter recovery (see `SetRecoveryLockCommand`).
|
|
Available in macOS 11.5 and later and only on a Mac with Apple silicon.
|
|
notes:
|
|
- title: ''
|
|
content: Refer to the following sections to determine supported channels and requirements,
|
|
and to see an example request and response.
|
|
examples:
|
|
- title: Example request and response
|
|
files:
|
|
- request-file: examples/mdm/commands/information.security/example1.plist
|
|
response-file: examples/mdm/commands/information.security/example2.plist
|