Files
Cyrus Daboo 97a11a861f Seed2
2026-06-22 15:55:19 -04:00

326 lines
12 KiB
YAML

title: MDM
description: The payload that configures mobile device management (MDM) settings.
payload:
payloadtype: com.apple.mdm
supportedOS:
iOS:
introduced: '4.0'
multiple: false
supervised: false
allowmanualinstall: true
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: allowed
macOS:
introduced: '10.7'
multiple: false
devicechannel: true
userchannel: false
requiresdep: false
userapprovedmdm: false
allowmanualinstall: true
userenrollment:
mode: allowed
tvOS:
introduced: '9.0'
multiple: false
supervised: false
allowmanualinstall: true
visionOS:
introduced: '1.1'
multiple: false
supervised: false
allowmanualinstall: true
userenrollment:
mode: allowed
watchOS:
introduced: '10.0'
multiple: false
supervised: true
allowmanualinstall: false
payloadkeys:
- key: IdentityCertificateUUID
title: Identity certificate UUID
type: <string>
presence: required
format: ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$
content: The UUID of the certificate payload for the device's identity. It may also
point to a SCEP payload.
- key: Topic
title: Topic
type: <string>
presence: required
content: |-
The topic that MDM listens to for push notifications. The certificate that the server uses to send push notifications must have the same topic in its subject. The topic must begin with the 'com.apple.mgmt.' prefix.
> Note:
> When updating the payload, the value of this key must not change. Any change is an error, and the system rejects the update.
- key: ServerURL
title: Server URL
type: <string>
presence: required
format: ^https://.*$
content: |-
The URL that the device contacts to retrieve device management instructions. The URL must begin with the `https://` URL scheme, and may contain a port number
(`:1234`, for example).
> Note:
> When updating the payload, the value of this key must not change. Any change is an error, and the system rejects the update.
- key: CheckInURL
title: Check in URL
type: <string>
presence: optional
format: ^https://.*$
content: |-
The URL that the device should use to check in during installation. The URL must begin with the `https://` URL scheme and may contain a port number (`:1234`, for example). If not set, the system uses `ServerURL`.
> Note:
> When updating the payload, the value of this key must not change. Any change is an error, and the system rejects the update.
- key: SignMessage
title: Sign message
type: <boolean>
presence: optional
default: false
content: If 'true', each message coming from the device carries the additional 'Mdm-Signature'
HTTP header.
- key: AccessRights
title: Access rights
supportedOS:
iOS:
userenrollment:
mode: ignored
macOS:
userenrollment:
mode: ignored
visionOS:
userenrollment:
mode: ignored
type: <integer>
presence: optional
content: |-
Logical OR of the following bit flags:
- `1`: Allow inspection of installed configuration profiles.
- `2`: Allow installation and removal of configuration profiles.
- `4`: Allow device lock and passcode removal.
- `8`: Allow device erase.
- `16`: Allow query of device information (device capacity, serial number).
- `32`: Allow query of network information (phone/SIM numbers, MAC addresses).
- `64`: Allow inspection of installed provisioning profiles.
- `128`: Allow installation and removal of provisioning profiles.
- `256`: Allow inspection of installed applications.
- `512`: Allow restriction-related queries.
- `1024`: Allow security-related queries.
- `2048`: Allow manipulation of settings.
- `4096`: Allow app management.
Don't set to `0`. Specify `1` if you specify `2`. Specify `64` if you specify `128`. Ignored if you set a value for `ManagedAppleID`.
> Note:
> When updating the payload, the addition of any access right is an error, and the update is rejected.
- key: UseDevelopmentAPNS
title: Use development APNS
type: <boolean>
presence: optional
default: false
content: |-
If 'true', the device uses the development APNS servers. Otherwise, the device uses the production servers.
Set to 'false' if your Apple Push Notification Service certificate was issued by the Apple Push Certificate Portal ('https://identity.apple.com/pushcert'). That portal only issues certificates for the production push environment.
- key: ManagedAppleID
title: Managed Apple Account
supportedOS:
iOS:
introduced: '13.1'
deprecated: '17.0'
removed: '18.0'
userenrollment:
mode: required
macOS:
introduced: '10.15'
deprecated: '14.0'
removed: '15.0'
userenrollment:
mode: required
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
type: <string>
presence: optional
content: |-
The Managed Apple Account of the user. Previously required for profile-driven user enrollment.
Removed as of iOS 18 and macOS 15.
- key: AssignedManagedAppleID
title: Assigned Managed Apple Account
supportedOS:
iOS:
introduced: '15.0'
macOS:
introduced: '14.0'
tvOS:
introduced: n/a
watchOS:
introduced: n/a
type: <string>
presence: optional
content: |-
The Managed Apple Account pre-assigned to the authenticated user. Required for account-driven enrollments.
> Note:
> When updating the payload, the value of this key must not change. Any change is an error, and the system rejects the update.
- key: EnrollmentMode
title: Enrollment mode
supportedOS:
iOS:
introduced: '15.0'
macOS:
introduced: '14.0'
tvOS:
introduced: n/a
watchOS:
introduced: n/a
type: <string>
presence: optional
rangelist:
- BYOD
- ADDE
content: |-
The enrollment mode the server indicates to use when enrolling. Required for account-driven enrollment.
> Note:
> When updating the payload, the value of this key must not change. Any change is an error, and the system rejects the update.
- key: ServerURLPinningCertificateUUIDs
supportedOS:
iOS:
introduced: '13.4'
macOS:
introduced: '10.13'
tvOS:
introduced: '13.4'
type: <array>
presence: optional
content: An array of strings, each containing the UUID of a certificate to use when
evaluating trust to the '.../connect/' URLs of MDM servers.
subkeys:
- key: ServerURLPinningCertificateUUIDsItem
type: <string>
presence: required
content: A certificate payload UUID.
- key: CheckInURLPinningCertificateUUIDs
supportedOS:
iOS:
introduced: '13.4'
macOS:
introduced: '10.13'
tvOS:
introduced: '13.4'
type: <array>
presence: optional
content: An array of strings, each containing the payload UUID of a certificate
to use when evaluating trust to the '.../checkin/' URLs of MDM servers.
subkeys:
- key: CheckInURLPinningCertificateUUIDsItem
type: <string>
presence: required
content: A certificate payload UUID.
- key: PinningRevocationCheckRequired
supportedOS:
iOS:
introduced: '13.4'
macOS:
introduced: '10.13'
tvOS:
introduced: '13.4'
type: <boolean>
presence: optional
default: false
content: |-
If 'true', the system fails the connection attempt unless it obtains a verified positive response during certificate revocation checks.
If 'false', the system performs revocation checks on a best-attempt basis, where failure to reach the server isn't considered fatal.
- key: ServerCapabilities
type: <array>
presence: optional
content: |-
A unique array of strings indicating server capabilities:
- `com.apple.mdm.per-user-connections`: Indicates that the server supports both device and user connections. This must be present when managing Shared iPad or macOS devices.
- `com.apple.mdm.bootstraptoken`: Indicates that the server supports escrowing the bootstrap token. This must be present for the device to create a bootstrap token and send it to the server. Available in iOS 26 and later, macOS 11 and later, and visionOS 26 and later.
- `com.apple.mdm.token`: Indicates that the server supports the `Get-Token` CheckIn message type. This must be present for the device to use `Get-Token` CheckIn message when appropriate.
> Note:
> When updating the payload, the `com.apple.mdm.per-user-connections` capability must not be added or removed. Any such change is an error, and the update is rejected.
subkeys:
- key: ServerCapabilitiesItems
type: <string>
rangelist:
- com.apple.mdm.per-user-connections
- com.apple.mdm.bootstraptoken
- com.apple.mdm.token
- key: CheckOutWhenRemoved
type: <boolean>
presence: optional
default: false
content: If 'true', the device attempts to send a `Check-Out` message to the 'CheckInURL'
when the profile is removed.
- key: RequiredAppIDForMDM
supportedOS:
iOS:
introduced: '15.1'
macOS:
introduced: n/a
tvOS:
introduced: n/a
watchOS:
introduced: n/a
type: <integer>
presence: optional
content: |-
This property specifies an iTunes Store ID for an app the system can install with the InstallApplicationCommand, without any approval from the user. The MDM vendor or managing organization generally provides this app, which enhances the management experience for the user. The device shows the user details about this app in the account-driven enrollment process prior to installing the MDM profile. Use this property with account-driven MDM enrollments that normally require user approval for app installs through MDM.
Only account-driven enrollments support this property and other enrollment types ignore it.
> Note:
> When updating the payload, the value of this key must not change. Any change is an error, and the system rejects the update.
- key: PromptUserToAllowBootstrapTokenForAuthentication
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '11.0'
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
type: <boolean>
presence: optional
default: false
content: |-
If 'true', the system warns the user that they need to reboot into RecoveryOS and allow the MDM to use the bootstrap token for authentication for certain sensitive operations such as enabling kernel extensions or installing some types of software updates. If the MDM doesn't need to perform these operations, it can leave this key set to 'false', and the user isn't notified.
The SettingsCommand.Command.Settings.MDMOptions.MDMOptions command overrides this default value.
This setting only applies to devices that have 'BootstrapTokenRequiredForSoftwareUpdate' or 'BootstrapTokenRequiredForKernelExtensionApproval' set to 'true' in their SecurityInfoResponse.SecurityInfo.
ADE-enrolled devices are automatically allowed to use the bootstrap token for authentication.
notes:
- title: ''
content: |-
Also define the following four standard payload values in your MDM payload:
* `PayloadIdentifier`: The reverse-DNS style identifier that identifies the profile; for example, `com.example.myprofile`. The system uses this value to determine whether to replace an existing profile or add a new one.
* `PayloadUUID`: A globally unique identifier for the profile. In macOS, you can use `uuidgen` to generate this value.
* `PayloadType`: The payload type. Set to `com.apple.mdm` to designate that this payload is an MDM payload.
* `PayloadVersion`: The version number of the profile format, which describes the version of the configuration profile as a whole, not of the individual profiles within it. Set this value to `1`.
> Note:
> MDM reserves profile payload dictionary keys with the _Payload_ prefix. Don't treat them as managed preferences.
examples:
- title: Profile example
files:
- file: examples/mdm/profiles/com.apple.mdm/example1.plist