From 900bae61f8e1bcbe2311d7c8f48fb6e42d00d7c4 Mon Sep 17 00:00:00 2001 
From: rzfp96wrw6-coder <258487732+rzfp96wrw6-coder@users.noreply.github.com> Date: Sat, 7 Feb 2026 06:47:38 +0700 Subject: [PATCH] Delete mdm directory --- mdm/checkin/authenticate.yaml | 232 - mdm/checkin/checkout.yaml | 88 - mdm/checkin/declarativemanagement.yaml | 177 - mdm/checkin/getbootstraptoken.yaml | 58 - mdm/checkin/gettoken.yaml | 220 - mdm/checkin/returntoservice.yaml | 72 - mdm/checkin/setbootstraptoken.yaml | 56 - mdm/checkin/tokenupdate.yaml | 234 - mdm/checkin/userauthenticate.yaml | 55 - mdm/commands/account.configuration.yaml | 133 - .../application.extensions.listactive.yaml | 91 - .../application.extensions.mappings.yaml | 57 - .../application.install.enterprise.yaml | 136 - mdm/commands/application.install.yaml | 404 -- mdm/commands/application.installed.list.yaml | 333 -- mdm/commands/application.invitetoprogram.yaml | 59 - mdm/commands/application.managed.list.yaml | 202 - mdm/commands/application.redemptioncode.yaml | 39 - mdm/commands/application.remove.yaml | 57 - mdm/commands/application.validate.yaml | 47 - mdm/commands/certificate.list.yaml | 88 - mdm/commands/declarativemanagement.yaml | 50 - .../device.activationlock.bypasscode.yaml | 53 - ...device.activationlock.clearbypasscode.yaml | 39 - mdm/commands/device.configured.yaml | 46 - mdm/commands/device.erase.yaml | 188 - mdm/commands/device.esim.yaml | 42 - mdm/commands/device.lock.yaml | 105 - mdm/commands/device.lostmode.disable.yaml | 37 - mdm/commands/device.lostmode.enable.yaml | 49 - mdm/commands/device.lostmode.location.yaml | 91 - mdm/commands/device.lostmode.playsound.yaml | 38 - mdm/commands/device.restart.yaml | 89 - .../device.restrictions.clearpassword.yaml | 30 - mdm/commands/device.restrictions.list.yaml | 140 - mdm/commands/device.shutdown.yaml | 39 - mdm/commands/information.contentcaching.yaml | 647 --- mdm/commands/information.device.yaml | 3294 ------------ mdm/commands/information.security.yaml | 591 --- mdm/commands/lom.devicerequest.yaml | 105 - 
mdm/commands/lom.setuprequest.yaml | 52 - .../managed.application.attributes.yaml | 223 - .../managed.application.configuration.yaml | 87 - .../managed.application.feedback.yaml | 81 - mdm/commands/media.install.yaml | 177 - mdm/commands/media.managed.list.yaml | 90 - mdm/commands/media.remove.yaml | 45 - mdm/commands/mirroring.request.yaml | 71 - mdm/commands/mirroring.stop.yaml | 36 - mdm/commands/passcode.clear.yaml | 43 - mdm/commands/passcode.firmware.set.yaml | 64 - mdm/commands/passcode.firmware.verify.yaml | 48 - mdm/commands/passcode.recovery.set.yaml | 41 - mdm/commands/passcode.recovery.verify.yaml | 36 - mdm/commands/profile.install.yaml | 54 - mdm/commands/profile.list.yaml | 197 - .../profile.provisioning.install.yaml | 55 - mdm/commands/profile.provisioning.list.yaml | 83 - mdm/commands/profile.provisioning.remove.yaml | 55 - mdm/commands/profile.remove.yaml | 51 - mdm/commands/remotedesktop.disable.yaml | 28 - mdm/commands/remotedesktop.enable.yaml | 34 - mdm/commands/rotate.file.vault.key.yaml | 94 - mdm/commands/set.auto.admin.password.yaml | 48 - mdm/commands/settings.yaml | 1345 ----- mdm/commands/system.update.available.yaml | 253 - mdm/commands/system.update.scan.yaml | 40 - mdm/commands/system.update.schedule.yaml | 220 - mdm/commands/system.update.status.yaml | 138 - mdm/commands/user.configured.yaml | 31 - mdm/commands/user.delete.yaml | 73 - mdm/commands/user.list.yaml | 125 - mdm/commands/user.logout.yaml | 31 - mdm/commands/user.unlock.yaml | 36 - mdm/errors/psso.required.yaml | 78 - mdm/errors/softwareupdate.required.yaml | 78 - mdm/errors/unrecognized.device.yaml | 37 - mdm/errors/watch.pairing.token.missing.yaml | 47 - mdm/errors/well-known.failed.yaml | 37 - mdm/profiles/CommonPayloadKeys.yaml | 84 - mdm/profiles/GlobalPreferences.yaml | 37 - mdm/profiles/TopLevel.yaml | 227 - .../com.apple.ADCertificate.managed.yaml | 132 - mdm/profiles/com.apple.AIM.account.yaml | 72 - .../com.apple.AssetCache.managed.yaml | 302 -- 
mdm/profiles/com.apple.Dictionary.yaml | 30 - .../com.apple.DirectoryService.managed.yaml | 274 - mdm/profiles/com.apple.DiscRecording.yaml | 37 - mdm/profiles/com.apple.MCX(Accounts).yaml | 41 - mdm/profiles/com.apple.MCX(EnergySaver).yaml | 149 - mdm/profiles/com.apple.MCX(FileVault2).yaml | 43 - mdm/profiles/com.apple.MCX(Mobililty).yaml | 58 - mdm/profiles/com.apple.MCX(TimeServer).yaml | 43 - mdm/profiles/com.apple.MCX(WiFi).yaml | 48 - mdm/profiles/com.apple.MCX.FileVault2.yaml | 133 - mdm/profiles/com.apple.MCX.TimeMachine.yaml | 69 - .../com.apple.ManagedClient.preferences.yaml | 62 - mdm/profiles/com.apple.NSExtension.yaml | 64 - .../com.apple.SetupAssistant.managed.yaml | 169 - mdm/profiles/com.apple.ShareKitHelper.yaml | 48 - mdm/profiles/com.apple.SoftwareUpdate.yaml | 110 - .../com.apple.SystemConfiguration.yaml | 136 - ...pple.TCC.configuration-profile-policy.yaml | 313 -- mdm/profiles/com.apple.airplay.security.yaml | 59 - mdm/profiles/com.apple.airplay.yaml | 154 - mdm/profiles/com.apple.airprint.yaml | 98 - mdm/profiles/com.apple.apn.managed.yaml | 77 - mdm/profiles/com.apple.app.lock.yaml | 209 - .../com.apple.applicationaccess.new.yaml | 113 - mdm/profiles/com.apple.applicationaccess.yaml | 4705 ----------------- mdm/profiles/com.apple.appstore.yaml | 65 - mdm/profiles/com.apple.asam.yaml | 62 - .../com.apple.associated-domains.yaml | 68 - mdm/profiles/com.apple.caldav.account.yaml | 87 - mdm/profiles/com.apple.carddav.account.yaml | 140 - mdm/profiles/com.apple.cellular.yaml | 205 - ....apple.cellularprivatenetwork.managed.yaml | 103 - .../com.apple.conferenceroomdisplay.yaml | 30 - ...e.configurationprofile.identification.yaml | 77 - mdm/profiles/com.apple.dashboard.yaml | 50 - mdm/profiles/com.apple.declarations.yaml | 63 - mdm/profiles/com.apple.desktop.yaml | 38 - mdm/profiles/com.apple.dnsProxy.managed.yaml | 79 - .../com.apple.dnsSettings.managed.yaml | 243 - mdm/profiles/com.apple.dock.yaml | 297 -- mdm/profiles/com.apple.domains.yaml | 
151 - mdm/profiles/com.apple.eas.account.yaml | 461 -- mdm/profiles/com.apple.education.yaml | 322 -- mdm/profiles/com.apple.ews.account.yaml | 124 - .../com.apple.extensiblesso(kerberos).yaml | 523 -- mdm/profiles/com.apple.extensiblesso.yaml | 573 -- ...om.apple.familycontrols.contentfilter.yaml | 144 - ...om.apple.familycontrols.timelimits.v2.yaml | 86 - mdm/profiles/com.apple.fileproviderd.yaml | 65 - mdm/profiles/com.apple.finder.yaml | 80 - ...com.apple.firstactiveethernet.managed.yaml | 41 - .../com.apple.firstethernet.managed.yaml | 41 - mdm/profiles/com.apple.font.yaml | 61 - mdm/profiles/com.apple.gamed.yaml | 55 - .../com.apple.globalethernet.managed.yaml | 51 - mdm/profiles/com.apple.google-oauth.yaml | 103 - mdm/profiles/com.apple.homescreenlayout.yaml | 95 - mdm/profiles/com.apple.ironwood.support.yaml | 37 - mdm/profiles/com.apple.jabber.account.yaml | 70 - mdm/profiles/com.apple.ldap.account.yaml | 112 - .../com.apple.loginitems.managed.yaml | 46 - mdm/profiles/com.apple.loginwindow.yaml | 187 - mdm/profiles/com.apple.lom.yaml | 67 - mdm/profiles/com.apple.mail.managed.yaml | 359 -- mdm/profiles/com.apple.mcxMenuExtras.yaml | 145 - mdm/profiles/com.apple.mcxloginscripts.yaml | 65 - mdm/profiles/com.apple.mcxprinting.yaml | 115 - mdm/profiles/com.apple.mdm.yaml | 323 -- ...com.apple.mobiledevice.passwordpolicy.yaml | 293 - mdm/profiles/com.apple.networkusagerules.yaml | 103 - .../com.apple.notificationsettings.yaml | 183 - mdm/profiles/com.apple.osxserver.account.yaml | 69 - .../com.apple.preference.security.yaml | 40 - mdm/profiles/com.apple.preferences.users.yaml | 30 - .../com.apple.profileRemovalPassword.yaml | 46 - mdm/profiles/com.apple.proxy.http.global.yaml | 111 - mdm/profiles/com.apple.relay.managed.yaml | 207 - mdm/profiles/com.apple.screensaver.user.yaml | 40 - mdm/profiles/com.apple.screensaver.yaml | 58 - ...om.apple.secondactiveethernet.managed.yaml | 41 - .../com.apple.secondethernet.managed.yaml | 41 - 
...m.apple.security.FDERecoveryKeyEscrow.yaml | 70 - ...om.apple.security.FDERecoveryRedirect.yaml | 52 - mdm/profiles/com.apple.security.acme.yaml | 234 - ....apple.security.certificatepreference.yaml | 45 - ....apple.security.certificaterevocation.yaml | 59 - ...pple.security.certificatetransparency.yaml | 84 - mdm/profiles/com.apple.security.firewall.yaml | 113 - ...com.apple.security.identitypreference.yaml | 47 - mdm/profiles/com.apple.security.pem.yaml | 55 - mdm/profiles/com.apple.security.pkcs1.yaml | 55 - mdm/profiles/com.apple.security.pkcs12.yaml | 106 - mdm/profiles/com.apple.security.root.yaml | 55 - mdm/profiles/com.apple.security.scep.yaml | 206 - .../com.apple.security.smartcard.yaml | 82 - mdm/profiles/com.apple.servicemanagement.yaml | 67 - .../com.apple.shareddeviceconfiguration.yaml | 54 - mdm/profiles/com.apple.sso.yaml | 80 - .../com.apple.subscribedcalendar.account.yaml | 65 - ...ple.syspolicy.kernel-extension-policy.yaml | 69 - .../com.apple.system-extension-policy.yaml | 163 - mdm/profiles/com.apple.system.logging.yaml | 58 - mdm/profiles/com.apple.systemmigration.yaml | 63 - .../com.apple.systempolicy.control.yaml | 47 - .../com.apple.systempolicy.managed.yaml | 33 - mdm/profiles/com.apple.systempolicy.rule.yaml | 65 - mdm/profiles/com.apple.systempreferences.yaml | 153 - mdm/profiles/com.apple.systemuiserver.yaml | 135 - ...com.apple.thirdactiveethernet.managed.yaml | 41 - .../com.apple.thirdethernet.managed.yaml | 41 - mdm/profiles/com.apple.tvremote.yaml | 70 - mdm/profiles/com.apple.universalaccess.yaml | 147 - .../com.apple.vpn.managed.applayer.yaml | 209 - .../com.apple.vpn.managed.appmapping.yaml | 108 - mdm/profiles/com.apple.vpn.managed.yaml | 2025 ------- mdm/profiles/com.apple.webClip.managed.yaml | 120 - mdm/profiles/com.apple.webcontent-filter.yaml | 471 -- mdm/profiles/com.apple.wifi.managed.yaml | 711 --- mdm/profiles/com.apple.xsan.preferences.yaml | 84 - mdm/profiles/com.apple.xsan.yaml | 77 - mdm/profiles/loginwindow.yaml 
| 34 - 206 files changed, 34793 deletions(-) delete mode 100644 mdm/checkin/authenticate.yaml delete mode 100644 mdm/checkin/checkout.yaml delete mode 100644 mdm/checkin/declarativemanagement.yaml delete mode 100644 mdm/checkin/getbootstraptoken.yaml delete mode 100644 mdm/checkin/gettoken.yaml delete mode 100644 mdm/checkin/returntoservice.yaml delete mode 100644 mdm/checkin/setbootstraptoken.yaml delete mode 100644 mdm/checkin/tokenupdate.yaml delete mode 100644 mdm/checkin/userauthenticate.yaml delete mode 100644 mdm/commands/account.configuration.yaml delete mode 100644 mdm/commands/application.extensions.listactive.yaml delete mode 100644 mdm/commands/application.extensions.mappings.yaml delete mode 100644 mdm/commands/application.install.enterprise.yaml delete mode 100644 mdm/commands/application.install.yaml delete mode 100644 mdm/commands/application.installed.list.yaml delete mode 100644 mdm/commands/application.invitetoprogram.yaml delete mode 100644 mdm/commands/application.managed.list.yaml delete mode 100644 mdm/commands/application.redemptioncode.yaml delete mode 100644 mdm/commands/application.remove.yaml delete mode 100644 mdm/commands/application.validate.yaml delete mode 100644 mdm/commands/certificate.list.yaml delete mode 100644 mdm/commands/declarativemanagement.yaml delete mode 100644 mdm/commands/device.activationlock.bypasscode.yaml delete mode 100644 mdm/commands/device.activationlock.clearbypasscode.yaml delete mode 100644 mdm/commands/device.configured.yaml delete mode 100644 mdm/commands/device.erase.yaml delete mode 100644 mdm/commands/device.esim.yaml delete mode 100644 mdm/commands/device.lock.yaml delete mode 100644 mdm/commands/device.lostmode.disable.yaml delete mode 100644 mdm/commands/device.lostmode.enable.yaml delete mode 100644 mdm/commands/device.lostmode.location.yaml delete mode 100644 mdm/commands/device.lostmode.playsound.yaml delete mode 100644 mdm/commands/device.restart.yaml delete mode 100644 
mdm/commands/device.restrictions.clearpassword.yaml delete mode 100644 mdm/commands/device.restrictions.list.yaml delete mode 100644 mdm/commands/device.shutdown.yaml delete mode 100644 mdm/commands/information.contentcaching.yaml delete mode 100644 mdm/commands/information.device.yaml delete mode 100644 mdm/commands/information.security.yaml delete mode 100644 mdm/commands/lom.devicerequest.yaml delete mode 100644 mdm/commands/lom.setuprequest.yaml delete mode 100644 mdm/commands/managed.application.attributes.yaml delete mode 100644 mdm/commands/managed.application.configuration.yaml delete mode 100644 mdm/commands/managed.application.feedback.yaml delete mode 100644 mdm/commands/media.install.yaml delete mode 100644 mdm/commands/media.managed.list.yaml delete mode 100644 mdm/commands/media.remove.yaml delete mode 100644 mdm/commands/mirroring.request.yaml delete mode 100644 mdm/commands/mirroring.stop.yaml delete mode 100644 mdm/commands/passcode.clear.yaml delete mode 100644 mdm/commands/passcode.firmware.set.yaml delete mode 100644 mdm/commands/passcode.firmware.verify.yaml delete mode 100644 mdm/commands/passcode.recovery.set.yaml delete mode 100644 mdm/commands/passcode.recovery.verify.yaml delete mode 100644 mdm/commands/profile.install.yaml delete mode 100644 mdm/commands/profile.list.yaml delete mode 100644 mdm/commands/profile.provisioning.install.yaml delete mode 100644 mdm/commands/profile.provisioning.list.yaml delete mode 100644 mdm/commands/profile.provisioning.remove.yaml delete mode 100644 mdm/commands/profile.remove.yaml delete mode 100644 mdm/commands/remotedesktop.disable.yaml delete mode 100644 mdm/commands/remotedesktop.enable.yaml delete mode 100644 mdm/commands/rotate.file.vault.key.yaml delete mode 100644 mdm/commands/set.auto.admin.password.yaml delete mode 100644 mdm/commands/settings.yaml delete mode 100644 mdm/commands/system.update.available.yaml delete mode 100644 mdm/commands/system.update.scan.yaml delete mode 100644 
mdm/commands/system.update.schedule.yaml delete mode 100644 mdm/commands/system.update.status.yaml delete mode 100644 mdm/commands/user.configured.yaml delete mode 100644 mdm/commands/user.delete.yaml delete mode 100644 mdm/commands/user.list.yaml delete mode 100644 mdm/commands/user.logout.yaml delete mode 100644 mdm/commands/user.unlock.yaml delete mode 100644 mdm/errors/psso.required.yaml delete mode 100644 mdm/errors/softwareupdate.required.yaml delete mode 100644 mdm/errors/unrecognized.device.yaml delete mode 100644 mdm/errors/watch.pairing.token.missing.yaml delete mode 100644 mdm/errors/well-known.failed.yaml delete mode 100644 mdm/profiles/CommonPayloadKeys.yaml delete mode 100644 mdm/profiles/GlobalPreferences.yaml delete mode 100644 mdm/profiles/TopLevel.yaml delete mode 100644 mdm/profiles/com.apple.ADCertificate.managed.yaml delete mode 100644 mdm/profiles/com.apple.AIM.account.yaml delete mode 100644 mdm/profiles/com.apple.AssetCache.managed.yaml delete mode 100644 mdm/profiles/com.apple.Dictionary.yaml delete mode 100644 mdm/profiles/com.apple.DirectoryService.managed.yaml delete mode 100644 mdm/profiles/com.apple.DiscRecording.yaml delete mode 100644 mdm/profiles/com.apple.MCX(Accounts).yaml delete mode 100644 mdm/profiles/com.apple.MCX(EnergySaver).yaml delete mode 100644 mdm/profiles/com.apple.MCX(FileVault2).yaml delete mode 100644 mdm/profiles/com.apple.MCX(Mobililty).yaml delete mode 100644 mdm/profiles/com.apple.MCX(TimeServer).yaml delete mode 100644 mdm/profiles/com.apple.MCX(WiFi).yaml delete mode 100644 mdm/profiles/com.apple.MCX.FileVault2.yaml delete mode 100644 mdm/profiles/com.apple.MCX.TimeMachine.yaml delete mode 100644 mdm/profiles/com.apple.ManagedClient.preferences.yaml delete mode 100644 mdm/profiles/com.apple.NSExtension.yaml delete mode 100644 mdm/profiles/com.apple.SetupAssistant.managed.yaml delete mode 100644 mdm/profiles/com.apple.ShareKitHelper.yaml delete mode 100644 mdm/profiles/com.apple.SoftwareUpdate.yaml delete mode 
100644 mdm/profiles/com.apple.SystemConfiguration.yaml delete mode 100644 mdm/profiles/com.apple.TCC.configuration-profile-policy.yaml delete mode 100644 mdm/profiles/com.apple.airplay.security.yaml delete mode 100644 mdm/profiles/com.apple.airplay.yaml delete mode 100644 mdm/profiles/com.apple.airprint.yaml delete mode 100644 mdm/profiles/com.apple.apn.managed.yaml delete mode 100644 mdm/profiles/com.apple.app.lock.yaml delete mode 100644 mdm/profiles/com.apple.applicationaccess.new.yaml delete mode 100644 mdm/profiles/com.apple.applicationaccess.yaml delete mode 100644 mdm/profiles/com.apple.appstore.yaml delete mode 100644 mdm/profiles/com.apple.asam.yaml delete mode 100644 mdm/profiles/com.apple.associated-domains.yaml delete mode 100644 mdm/profiles/com.apple.caldav.account.yaml delete mode 100644 mdm/profiles/com.apple.carddav.account.yaml delete mode 100644 mdm/profiles/com.apple.cellular.yaml delete mode 100644 mdm/profiles/com.apple.cellularprivatenetwork.managed.yaml delete mode 100644 mdm/profiles/com.apple.conferenceroomdisplay.yaml delete mode 100644 mdm/profiles/com.apple.configurationprofile.identification.yaml delete mode 100644 mdm/profiles/com.apple.dashboard.yaml delete mode 100644 mdm/profiles/com.apple.declarations.yaml delete mode 100644 mdm/profiles/com.apple.desktop.yaml delete mode 100644 mdm/profiles/com.apple.dnsProxy.managed.yaml delete mode 100644 mdm/profiles/com.apple.dnsSettings.managed.yaml delete mode 100644 mdm/profiles/com.apple.dock.yaml delete mode 100644 mdm/profiles/com.apple.domains.yaml delete mode 100644 mdm/profiles/com.apple.eas.account.yaml delete mode 100644 mdm/profiles/com.apple.education.yaml delete mode 100644 mdm/profiles/com.apple.ews.account.yaml delete mode 100644 mdm/profiles/com.apple.extensiblesso(kerberos).yaml delete mode 100644 mdm/profiles/com.apple.extensiblesso.yaml delete mode 100644 mdm/profiles/com.apple.familycontrols.contentfilter.yaml delete mode 100644 
mdm/profiles/com.apple.familycontrols.timelimits.v2.yaml delete mode 100644 mdm/profiles/com.apple.fileproviderd.yaml delete mode 100644 mdm/profiles/com.apple.finder.yaml delete mode 100644 mdm/profiles/com.apple.firstactiveethernet.managed.yaml delete mode 100644 mdm/profiles/com.apple.firstethernet.managed.yaml delete mode 100644 mdm/profiles/com.apple.font.yaml delete mode 100644 mdm/profiles/com.apple.gamed.yaml delete mode 100644 mdm/profiles/com.apple.globalethernet.managed.yaml delete mode 100644 mdm/profiles/com.apple.google-oauth.yaml delete mode 100644 mdm/profiles/com.apple.homescreenlayout.yaml delete mode 100644 mdm/profiles/com.apple.ironwood.support.yaml delete mode 100644 mdm/profiles/com.apple.jabber.account.yaml delete mode 100644 mdm/profiles/com.apple.ldap.account.yaml delete mode 100644 mdm/profiles/com.apple.loginitems.managed.yaml delete mode 100644 mdm/profiles/com.apple.loginwindow.yaml delete mode 100644 mdm/profiles/com.apple.lom.yaml delete mode 100644 mdm/profiles/com.apple.mail.managed.yaml delete mode 100644 mdm/profiles/com.apple.mcxMenuExtras.yaml delete mode 100644 mdm/profiles/com.apple.mcxloginscripts.yaml delete mode 100644 mdm/profiles/com.apple.mcxprinting.yaml delete mode 100644 mdm/profiles/com.apple.mdm.yaml delete mode 100644 mdm/profiles/com.apple.mobiledevice.passwordpolicy.yaml delete mode 100644 mdm/profiles/com.apple.networkusagerules.yaml delete mode 100644 mdm/profiles/com.apple.notificationsettings.yaml delete mode 100644 mdm/profiles/com.apple.osxserver.account.yaml delete mode 100644 mdm/profiles/com.apple.preference.security.yaml delete mode 100644 mdm/profiles/com.apple.preferences.users.yaml delete mode 100644 mdm/profiles/com.apple.profileRemovalPassword.yaml delete mode 100644 mdm/profiles/com.apple.proxy.http.global.yaml delete mode 100644 mdm/profiles/com.apple.relay.managed.yaml delete mode 100644 mdm/profiles/com.apple.screensaver.user.yaml delete mode 100644 mdm/profiles/com.apple.screensaver.yaml 
delete mode 100644 mdm/profiles/com.apple.secondactiveethernet.managed.yaml delete mode 100644 mdm/profiles/com.apple.secondethernet.managed.yaml delete mode 100644 mdm/profiles/com.apple.security.FDERecoveryKeyEscrow.yaml delete mode 100644 mdm/profiles/com.apple.security.FDERecoveryRedirect.yaml delete mode 100644 mdm/profiles/com.apple.security.acme.yaml delete mode 100644 mdm/profiles/com.apple.security.certificatepreference.yaml delete mode 100644 mdm/profiles/com.apple.security.certificaterevocation.yaml delete mode 100644 mdm/profiles/com.apple.security.certificatetransparency.yaml delete mode 100644 mdm/profiles/com.apple.security.firewall.yaml delete mode 100644 mdm/profiles/com.apple.security.identitypreference.yaml delete mode 100644 mdm/profiles/com.apple.security.pem.yaml delete mode 100644 mdm/profiles/com.apple.security.pkcs1.yaml delete mode 100644 mdm/profiles/com.apple.security.pkcs12.yaml delete mode 100644 mdm/profiles/com.apple.security.root.yaml delete mode 100644 mdm/profiles/com.apple.security.scep.yaml delete mode 100644 mdm/profiles/com.apple.security.smartcard.yaml delete mode 100644 mdm/profiles/com.apple.servicemanagement.yaml delete mode 100644 mdm/profiles/com.apple.shareddeviceconfiguration.yaml delete mode 100644 mdm/profiles/com.apple.sso.yaml delete mode 100644 mdm/profiles/com.apple.subscribedcalendar.account.yaml delete mode 100644 mdm/profiles/com.apple.syspolicy.kernel-extension-policy.yaml delete mode 100644 mdm/profiles/com.apple.system-extension-policy.yaml delete mode 100644 mdm/profiles/com.apple.system.logging.yaml delete mode 100644 mdm/profiles/com.apple.systemmigration.yaml delete mode 100644 mdm/profiles/com.apple.systempolicy.control.yaml delete mode 100644 mdm/profiles/com.apple.systempolicy.managed.yaml delete mode 100644 mdm/profiles/com.apple.systempolicy.rule.yaml delete mode 100644 mdm/profiles/com.apple.systempreferences.yaml delete mode 100644 mdm/profiles/com.apple.systemuiserver.yaml delete mode 100644 
mdm/profiles/com.apple.thirdactiveethernet.managed.yaml
delete mode 100644 mdm/profiles/com.apple.thirdethernet.managed.yaml
delete mode 100644 mdm/profiles/com.apple.tvremote.yaml
delete mode 100644 mdm/profiles/com.apple.universalaccess.yaml
delete mode 100644 mdm/profiles/com.apple.vpn.managed.applayer.yaml
delete mode 100644 mdm/profiles/com.apple.vpn.managed.appmapping.yaml
delete mode 100644 mdm/profiles/com.apple.vpn.managed.yaml
delete mode 100644 mdm/profiles/com.apple.webClip.managed.yaml
delete mode 100644 mdm/profiles/com.apple.webcontent-filter.yaml
delete mode 100644 mdm/profiles/com.apple.wifi.managed.yaml
delete mode 100644 mdm/profiles/com.apple.xsan.preferences.yaml
delete mode 100644 mdm/profiles/com.apple.xsan.yaml
delete mode 100644 mdm/profiles/loginwindow.yaml
diff --git a/mdm/checkin/authenticate.yaml b/mdm/checkin/authenticate.yaml
deleted file mode 100644
index d473edf..0000000
--- a/mdm/checkin/authenticate.yaml
+++ /dev/null
@@ -1,232 +0,0 @@ -title: Authenticate -description: Authenticates a user during MDM payload installation. -payload: - requesttype: Authenticate - supportedOS: - iOS: - introduced: '4.0' - supervised: false - requiresdep: false - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: allowed - macOS: - introduced: '10.7' - devicechannel: true - userchannel: false - supervised: false - requiresdep: false - userenrollment: - mode: allowed - tvOS: - introduced: '10.2' - supervised: false - visionOS: - introduced: '1.1' - supervised: false - requiresdep: false - userenrollment: - mode: allowed - watchOS: - introduced: '10.0' - supervised: false - content: Check-in protocol authenticate request and response. -payloadkeys: -- key: DeviceName - supportedOS: - iOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: required - content: The device's name. -- key: ModelName - supportedOS: - iOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: required - content: The device's model name. -- key: Model - supportedOS: - iOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: required - content: The device's model. -- key: MessageType - type: - presence: required - rangelist: - - Authenticate - content: The message type, which requires a value of `Authenticate`. -- key: Topic - type: - presence: required - content: The topic that the device subscribes to. -- key: UDID - supportedOS: - iOS: - userenrollment: - mode: forbidden - macOS: - userenrollment: - mode: forbidden - visionOS: - userenrollment: - mode: forbidden - type: - presence: optional - content: The device's UDID (unique device identifier). The system requires this - value if the enrollment type is a device enrollment. 
-- key: EnrollmentID - supportedOS: - iOS: - introduced: '13.0' - userenrollment: - mode: required - macOS: - introduced: '10.15' - userenrollment: - mode: required - tvOS: - introduced: n/a - visionOS: - userenrollment: - mode: required - watchOS: - introduced: n/a - type: - presence: optional - content: |- - The per-enrollment identifier for the device. The system requires this value if the enrollment type is a user enrollment. - - Available in iOS 13 and later, macOS 10.15 and later, and visionOS 2 and later. -- key: OSVersion - supportedOS: - iOS: - introduced: '9.0' - accessrights: AllowQueryDeviceInformation - visionOS: - accessrights: AllowQueryDeviceInformation - watchOS: - introduced: '10.0' - accessrights: AllowQueryDeviceInformation - type: - presence: optional - content: The device's OS version. -- key: BuildVersion - supportedOS: - iOS: - introduced: '9.0' - accessrights: AllowQueryDeviceInformation - visionOS: - accessrights: AllowQueryDeviceInformation - watchOS: - introduced: '10.0' - accessrights: AllowQueryDeviceInformation - type: - presence: optional - content: The device's build version. -- key: ProductName - supportedOS: - iOS: - introduced: '9.0' - accessrights: AllowQueryDeviceInformation - visionOS: - accessrights: AllowQueryDeviceInformation - watchOS: - introduced: '10.0' - accessrights: AllowQueryDeviceInformation - type: - presence: optional - content: The device's product name (such as `iPhone17,2`). -- key: SerialNumber - supportedOS: - iOS: - introduced: '9.0' - accessrights: AllowQueryDeviceInformation - userenrollment: - mode: forbidden - macOS: - accessrights: AllowQueryDeviceInformation - userenrollment: - mode: forbidden - visionOS: - accessrights: AllowQueryDeviceInformation - userenrollment: - mode: forbidden - watchOS: - introduced: '10.0' - accessrights: AllowQueryDeviceInformation - type: - presence: optional - content: The device's serial number. 
-- key: IMEI - supportedOS: - iOS: - introduced: '9.0' - accessrights: AllowQueryDeviceInformation - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - accessrights: AllowQueryDeviceInformation - userenrollment: - mode: forbidden - watchOS: - introduced: '10.0' - accessrights: AllowQueryDeviceInformation - type: - presence: optional - content: The device's IMEI (International Mobile Equipment Identity). -- key: MEID - supportedOS: - iOS: - introduced: '9.0' - accessrights: AllowQueryDeviceInformation - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - accessrights: AllowQueryDeviceInformation - userenrollment: - mode: forbidden - watchOS: - introduced: '10.0' - accessrights: AllowQueryDeviceInformation - type: - presence: optional - content: The device's MEID (Mobile Equipment Identifier). -notes: -- title: '' - content: On success, the server needs to respond with a `200 OK` status. Don't assume - that the device has installed the MDM payload at this time because other payloads - in the profile may still fail to install. When the device successfully installs - the MDM payload, it sends a `Token-Update` message. diff --git a/mdm/checkin/checkout.yaml b/mdm/checkin/checkout.yaml deleted file mode 100644 index 0c6baa5..0000000 --- a/mdm/checkin/checkout.yaml +++ /dev/null 
@@ -1,88 +0,0 @@ -title: Check Out -description: Responds to the removal of the MDM enrollment profile from a device. -payload: - requesttype: CheckOut - supportedOS: - iOS: - introduced: '4.0' - supervised: false - requiresdep: false - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: allowed - macOS: - introduced: '10.7' - devicechannel: true - userchannel: false - supervised: false - requiresdep: false - userenrollment: - mode: allowed - tvOS: - introduced: '10.2' - supervised: false - visionOS: - introduced: '1.1' - supervised: false - requiresdep: false - userenrollment: - mode: allowed - watchOS: - introduced: '10.0' - supervised: false - content: Check-in protocol check out request and response. -payloadkeys: -- key: MessageType - type: - presence: required - rangelist: - - CheckOut - content: The message type, which requires a value of `CheckOut`. -- key: Topic - type: - presence: required - content: The topic the device subscribes to. -- key: UDID - supportedOS: - iOS: - userenrollment: - mode: forbidden - visionOS: - userenrollment: - mode: forbidden - type: - presence: required - content: The device's UDID (unique device identifier). The system requires this - value if the enrollment type is a device enrollment. -- key: EnrollmentID - supportedOS: - iOS: - introduced: '13.0' - userenrollment: - mode: required - macOS: - introduced: '10.15' - userenrollment: - mode: required - tvOS: - introduced: n/a - visionOS: - userenrollment: - mode: required - watchOS: - introduced: n/a - type: - presence: required - content: |- - The per-enrollment identifier for the device. The system requires this value if the enrollment type is a user enrollment. - - Available in iOS 13 and later, macOS 10.15 and later, and visionOS 2 and later. -notes: -- title: '' - content: |- - The system sends this message on a best-effort basis. 
If the system can't send the message while removing the MDM profile, it removes the profile and doesn't resend the message.
-
- On success, the server needs to respond with a `200 OK` status.
diff --git a/mdm/checkin/checkout.yaml b/mdm/checkin/checkout.yaml
deleted file mode 100644
index 0c6baa5..0000000
--- a/mdm/checkin/checkout.yaml
+++ /dev/null
@@ -1,177 +0,0 @@ -title: Declarative Management -description: Sends declarative management requests to the server. -payload: - requesttype: DeclarativeManagement - supportedOS: - iOS: - introduced: '15.0' - supervised: false - requiresdep: false - sharedipad: - mode: allowed - devicechannel: true - userchannel: true - userenrollment: - mode: allowed - macOS: - introduced: '13.0' - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userenrollment: - mode: allowed - tvOS: - introduced: '16.0' - supervised: false - requiresdep: false - visionOS: - introduced: '1.1' - supervised: false - requiresdep: false - userenrollment: - mode: allowed - watchOS: - introduced: '10.0' - supervised: false - requiresdep: false - content: Check-in protocol declarative management request and response. -payloadkeys: -- key: MessageType - type: - presence: required - rangelist: - - DeclarativeManagement - content: The message type, which requires a value of `DeclarativeManagement`. -- key: Endpoint - type: - presence: required - content: |- - The type of operation the declaration is requesting. This key needs to be one of these values: - - - `tokens`: For fetching synchronization tokens from the server - - `declaration-items`: For fetching the declaration manifest from the server - - `status`: For sending a status report to the server - - `declaration/…/…`: For fetching a specific declaration from the server. Include the declaration type and identifier separated by slash characters (`/`). -- key: Data - type: - presence: optional - content: A Base64-encoded JSON object using the `SynchronizationTokens` schema. -- key: UDID - supportedOS: - iOS: - userenrollment: - mode: forbidden - macOS: - userenrollment: - mode: forbidden - visionOS: - userenrollment: - mode: forbidden - type: - presence: required - content: The device's UDID (unique device identifier). The system requires this - value if the enrollment type is a device enrollment. 
-- key: EnrollmentID - supportedOS: - iOS: - userenrollment: - mode: required - macOS: - userenrollment: - mode: required - tvOS: - introduced: n/a - visionOS: - userenrollment: - mode: required - watchOS: - introduced: n/a - type: - presence: required - content: The per-enrollment identifier for the device. The system requires this - value if the enrollment type is a user enrollment. -- key: EnrollmentUserID - supportedOS: - iOS: - introduced: n/a - macOS: - devicechannel: false - userenrollment: - mode: required - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: required - content: The per-enrollment identifier for the user. The system requires this value - if the enrollment type is a user enrollment on the user channel. -- key: UserShortName - supportedOS: - iOS: - sharedipad: - mode: required - macOS: - devicechannel: false - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: |- - For macOS, this value is the short name of the user. - - For Shared iPad, this value is the Managed Apple Account identifier of the user on Shared iPad. It indicates that the token is for the user channel. -- key: UserID - supportedOS: - iOS: - sharedipad: - mode: required - macOS: - devicechannel: false - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: |- - For macOS, this value is the ID of the user. - - For Shared iPad, this value is `FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF` to indicate that authentication doesn't occur. -- key: UserLongName - supportedOS: - iOS: - introduced: n/a - macOS: - devicechannel: false - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: required - content: The full name of the user. 
-notes: -- title: '' - content: |- - The `Data` field is optional, depending on the `Endpoint` value, as described below: - - - `tokens`: The client uses the `tokens` endpoint to request the current synchronization tokens from the server. It doesn't use the `Data` field. A successful response to this request is a `200 OK` HTTP status, with a response body that's a JSON object conforming to the `TokensResponse` schema. - - `declaration-items`: The client uses the `declaration-items` endpoint to request the current declaration manifest from the server. It doesn't use the `Data` field. A successful response to this request is a `200 OK` HTTP status, with a response body that's a JSON object conforming to the `DeclarationItemsResponse` schema. - - `declaration/…/…` : The client uses the `declaration/…/…` endpoint to request a specific declaration from the server. It doesn't use the `Data` field. - - The endpoint value is a path with three segments separated by a slash character (`/`). The first segment is always `declaration`. The second segment indicates the declaration type and is one of `activation`, `asset`, `configuration`, or `management`. The third segment is the `Identifier` of the declaration to fetch. - - A successful response to this request is a `200 OK` HTTP status, with a response body that's a JSON object representing the requested declaration. If the declaration isn't present on the server, it needs to return a `404 Not Found` HTTP status response to the device. That causes the device to remove any corresponding declaration that is present on it. - - `status`: The client uses the `status` endpoint to send a status report to the server. The `Data` field needs to be present and set to a Base64-encoded JSON object conforming to the `StatusReport` schema. A successful response to this request is a `200 OK` HTTP status, with an empty response body. 
diff --git a/mdm/checkin/getbootstraptoken.yaml b/mdm/checkin/getbootstraptoken.yaml deleted file mode 100644 index 9c89c43..0000000 --- a/mdm/checkin/getbootstraptoken.yaml +++ /dev/null @@ -1,58 +0,0 @@ -title: Get Bootstrap Token -description: Gets the bootstrap token from the server. -payload: - requesttype: GetBootstrapToken - supportedOS: - iOS: - introduced: '26.0' - supervised: true - requiresdep: true - userenrollment: - mode: forbidden - macOS: - introduced: '10.15' - devicechannel: true - userchannel: false - supervised: true - requiresdep: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: '26.0' - supervised: true - requiresdep: true - userenrollment: - mode: forbidden - watchOS: - introduced: n/a - content: Check-in protocol get bootstrap token data request and response. -payloadkeys: -- key: MessageType - type: - presence: required - rangelist: - - GetBootstrapToken - content: The message type, which requires a value of `GetBootstrapToken`. -- key: AwaitingConfiguration - type: - presence: optional - default: false - content: If `true`, the device is awaiting a `Device-Configured-Command` command - before proceeding through Setup Assistant. -responsekeys: -- key: BootstrapToken - type: - presence: optional - content: The current bootstrap token data for the device. -notes: -- title: '' - content: |- - A server that supports this request needs to include a `com.apple.mdm.bootstraptoken` value in the `ServerCapabilities` key of the MDM profile payload to enroll the device. - - This request returns the device's bootstrap token data that the server stores. - - If a bootstrap token isn't available, the server returns a success response with either a zero-length value for the `BootstrapToken` key or omits the key. - - Requires a device enrolled using Automated Device Enrollment. diff --git a/mdm/checkin/gettoken.yaml b/mdm/checkin/gettoken.yaml deleted file mode 100644 index 033c7da..0000000 
--- a/mdm/checkin/gettoken.yaml +++ /dev/null 
@@ -1,220 +0,0 @@ -title: Get Token -description: Gets a token from the server. -payload: - requesttype: GetToken - supportedOS: - iOS: - introduced: '17.0' - supervised: false - requiresdep: false - sharedipad: - mode: allowed - devicechannel: true - userchannel: true - userenrollment: - mode: allowed - macOS: - introduced: '14.0' - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userenrollment: - mode: allowed - tvOS: - introduced: n/a - visionOS: - introduced: '1.1' - supervised: false - requiresdep: false - userenrollment: - mode: allowed - watchOS: - introduced: n/a - content: Check-in protocol get token data request and response. -payloadkeys: -- key: MessageType - type: - presence: required - rangelist: - - GetToken - content: The message type, which requires a value of `GetToken`. -- key: TokenServiceType - type: - presence: required - rangelist: - - com.apple.maid - - com.apple.watch.pairing - content: A string that specifies the service for the requested token. -- key: TokenParameters - type: - presence: optional - content: Parameters that the system uses to generate the token. - subkeys: - - key: SecurityToken - title: Security Token - supportedOS: - iOS: - sharedipad: - mode: forbidden - userenrollment: - mode: forbidden - macOS: - introduced: n/a - visionOS: - introduced: n/a - type: - presence: optional - content: A security token to generate the server token. Required by the `com.apple.watch.pairing` - service type. - - key: PhoneUDID - title: Phone Identifier - supportedOS: - iOS: - sharedipad: - mode: forbidden - userenrollment: - mode: forbidden - macOS: - introduced: n/a - visionOS: - introduced: n/a - type: - presence: optional - content: The identifier of the phone paired to the watch. Required by the `com.apple.watch.pairing` - service type. 
- - key: WatchUDID - title: Watch Identifier - supportedOS: - iOS: - sharedipad: - mode: forbidden - userenrollment: - mode: forbidden - macOS: - introduced: n/a - visionOS: - introduced: n/a - type: - presence: optional - content: The identifier of the watch paired to the phone. Required by the `com.apple.watch.pairing` - service type. -- key: UDID - supportedOS: - iOS: - userenrollment: - mode: forbidden - macOS: - userenrollment: - mode: forbidden - visionOS: - userenrollment: - mode: forbidden - type: - presence: required - content: The device's UDID (unique device identifier). The system requires this - value if the enrollment type is a device enrollment. -- key: EnrollmentID - supportedOS: - iOS: - userenrollment: - mode: required - macOS: - userenrollment: - mode: required - visionOS: - userenrollment: - mode: required - type: - presence: required - content: The per-enrollment identifier for the device. The system requires this - value if the enrollment type is a user enrollment. -- key: EnrollmentUserID - supportedOS: - iOS: - introduced: n/a - macOS: - devicechannel: false - userenrollment: - mode: required - visionOS: - introduced: n/a - type: - presence: required - content: The per-enrollment identifier for the user. The system requires this value - if the enrollment type is a user enrollment on the user channel. -- key: UserShortName - supportedOS: - iOS: - sharedipad: - mode: required - macOS: - devicechannel: false - visionOS: - introduced: n/a - type: - presence: optional - content: |- - For macOS, this value is the short name of the user. - - For Shared iPad, this value is the Managed Apple Account identifier of the user. When present, it indicates that the token is for the user channel. -- key: UserID - supportedOS: - iOS: - sharedipad: - mode: required - macOS: - devicechannel: false - visionOS: - introduced: n/a - type: - presence: optional - content: |- - For macOS, this value is the ID of the user. 
- - For Shared iPad, this value is `FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF` to indicate that authentication doesn't occur. -- key: UserLongName - supportedOS: - iOS: - introduced: n/a - macOS: - devicechannel: false - visionOS: - introduced: n/a - type: - presence: required - content: The full name of the user. -responsekeys: -- key: TokenData - type: - presence: required - content: The token data. If the token is a string value, it needs to be a UTF-8-encoded - string. -notes: -- title: '' - content: |- - A server that supports this request needs to include a `com.apple.mdm.token` value in the `ServerCapabilities` key of the MDM profile payload to enroll the device. - - This request allows devices to fetch security-related tokens from the server and to retrieve different types of tokens for the various services that need them. Each service has a unique identifier, and can pass a specific set of parameters for the server to use when generating the token. If the server doesn't recognize the service type, it needs to return a `400` HTTP response status. - - > Note: - > The `GetBootstrapToken` request is a separate request specifically for the bootstrap token. -- title: Support access management for Managed Apple Accounts - content: |- - For the service type `com.apple.maid`, the Apple Identity Service requests this token when a Managed Apple Account is signing in, and then uses it to verify that the Managed Apple Account belongs to the same organization as the MDM server that enrolled the device. The token is a JSON Web Token (JWT) per RFC 7519 with the following claims: - - - `iss`: A `String`, per RFC 7519 section 4.1.1, that the server sets to the system-generated server identifier (`server_uuid`) that `AccountDetail` returns. - - `iat`: A `NumericDate`, per RFC 7519 section 4.1.6, that the server sets to the timestamp of the token generation. The Apple Identity Service uses this value to limit the time that the token is valid. 
- - `jti`: A `String`, per RFC 7519 section 4.1.7, that the server sets to a unique identifier (a random UUID) for the JWT. The Apple Identity Service uses this value to ensure that it only uses the token once. - - `service_type`: A `String` that the server sets to the value of the `TokenServiceType` key in the `CheckIn` request, which needs to be `com.apple.maid`. - - Sign the JWT using the server's private key that corresponds to the RFC 3280 public key certificate that's registered with Apple Business Manager or Apple School Manager. -- title: Support Apple Watch pairing - content: For the service type `com.apple.watch.pairing`, the MDM server requests - this token to enroll an Apple Watch, with the request coming from the phone that's - paired to the watch. The format of the token is implementation-defined, but the - phone and watch MDM servers need to use the same format. The purpose of this token - is to confirm the pairing relationship of the watch to the phone, and to ensure - that the phone is already enrolled in an MDM server that belongs to the same organization - as the watch MDM server. Ensure that the token is cryptographically protected - against tampering, spoofing, and replay attacks. diff --git a/mdm/checkin/returntoservice.yaml b/mdm/checkin/returntoservice.yaml deleted file mode 100644 index d8e9d17..0000000 --- a/mdm/checkin/returntoservice.yaml +++ /dev/null 
@@ -1,72 +0,0 @@ -title: Return To Service -description: Gets the return-to-service configuration from the server. -payload: - requesttype: ReturnToService - supportedOS: - iOS: - introduced: '26.0' - supervised: true - requiresdep: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: '26.0' - supervised: true - requiresdep: true - userenrollment: - mode: forbidden - watchOS: - introduced: n/a - content: Check-in protocol send ReturnToService request. -payloadkeys: -- key: MessageType - type: - presence: required - rangelist: - - ReturnToService - content: The message type, which requires a value of `ReturnToService`. -- key: UDID - type: - presence: required - content: The device's UDID (unique device identifier). The system requires this - value if the enrollment type is a device enrollment. -responsekeys: -- key: ReturnToService - type: - presence: required - content: A dictionary containing the configuration for return to service. - subkeys: - - key: Enabled - title: Use return to service - type: - presence: required - content: If `true`, the device automatically erases itself and then performs reenrollment. - - key: WiFiProfileData - type: - presence: optional - content: The Wi-Fi profile that installs after erasure when using return to service. - This is required when the device doesn't have Ethernet access. - - key: MDMProfileData - type: - presence: optional - content: |- - The MDM profile that installs after erasure when using return to service. If provided, the device uses this profile directly instead of fetching it from the server. This key is required if the device's Automated Device Enrollment profile contains the `configuration-web-url` key. - - The device always downloads the Automated Device Enrollment profile even when this key is present, so the supervision identity, MDM removability, and other settings still apply. 
However, the device doesn't use the specified URL in the Automated Device Enrollment profile to fetch the MDM profile. - - key: BootstrapToken - type: - presence: optional - content: |- - The system uses the bootstrap token for return to service with app preservation. Required when Automated Device Enrollment enables return to service for the device. - - If the bootstrap token isn't present, the device performs a full erasure and a regular return to service, and can't preserve any data for app preservation. -notes: -- title: '' - content: The device sends the `ReturnToService` message when the user triggers a - return to service, or when the device's idle timeout expires. The device only - sends this message when it's in the return-to-service mode that its Automated - Device Enrollment profile sets. diff --git a/mdm/checkin/setbootstraptoken.yaml b/mdm/checkin/setbootstraptoken.yaml deleted file mode 100644 index 0b61942..0000000 --- a/mdm/checkin/setbootstraptoken.yaml +++ /dev/null 
@@ -1,56 +0,0 @@ -title: Set Bootstrap Token -description: Sends the bootstrap token to the server. -payload: - requesttype: SetBootstrapToken - supportedOS: - iOS: - introduced: '26.0' - supervised: true - requiresdep: true - userenrollment: - mode: forbidden - macOS: - introduced: '10.15' - devicechannel: true - userchannel: false - supervised: true - requiresdep: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: '26.0' - supervised: true - requiresdep: true - userenrollment: - mode: forbidden - watchOS: - introduced: n/a - content: Check-in protocol set bootstrap token data request and response. -payloadkeys: -- key: MessageType - type: - presence: required - rangelist: - - SetBootstrapToken - content: The message type, which requires a value of `SetBootstrapToken`. -- key: BootstrapToken - type: - presence: optional - content: The device's bootstrap token data. If this field is missing or zero length, - the server needs to remove the bootstrap token for this device. -- key: AwaitingConfiguration - type: - presence: optional - default: false - content: If `true`, the device is awaiting a `Device-Configured-Command` command - before proceeding through Setup Assistant. -notes: -- title: '' - content: |- - A server that supports this request needs to include a `com.apple.mdm.bootstraptoken` value in the `ServerCapabilities` key of the MDM profile payload to enroll the device. - - This request changes or clears a device's bootstrap token data that the server stores. - - Requires a device enrolled using Automated Device Enrollment. diff --git a/mdm/checkin/tokenupdate.yaml b/mdm/checkin/tokenupdate.yaml deleted file mode 100644 index 78831e3..0000000 --- a/mdm/checkin/tokenupdate.yaml +++ /dev/null 
@@ -1,234 +0,0 @@ -title: Token Update -description: Updates the token for a device on the server. -payload: - requesttype: TokenUpdate - supportedOS: - iOS: - introduced: '4.0' - supervised: false - requiresdep: false - sharedipad: - mode: allowed - devicechannel: true - userchannel: true - userenrollment: - mode: allowed - macOS: - introduced: '10.7' - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userenrollment: - mode: allowed - tvOS: - introduced: '10.2' - supervised: false - visionOS: - introduced: '1.1' - supervised: false - requiresdep: false - userenrollment: - mode: allowed - watchOS: - introduced: '10.0' - supervised: false - content: Check-in protocol token update request and response. -payloadkeys: -- key: NotOnConsole - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.11' - devicechannel: false - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: required - content: If `true`, the device isn't on-console. -- key: MessageType - type: - presence: required - rangelist: - - TokenUpdate - content: The message type, which requires a value of `TokenUpdate`. -- key: Topic - type: - presence: required - content: The topic the device subscribes to. -- key: UDID - supportedOS: - iOS: - userenrollment: - mode: forbidden - macOS: - userenrollment: - mode: forbidden - visionOS: - userenrollment: - mode: forbidden - type: - presence: required - content: The device's UDID (unique device identifier). The system requires this - value if the enrollment type is a device enrollment. -- key: EnrollmentID - supportedOS: - iOS: - introduced: '13.0' - userenrollment: - mode: required - macOS: - introduced: '10.15' - userenrollment: - mode: required - tvOS: - introduced: n/a - visionOS: - userenrollment: - mode: required - watchOS: - introduced: n/a - type: - presence: required - content: |- - The per-enrollment identifier for the device. 
The system requires this value if the enrollment type is a user enrollment. - - Available in iOS 13 and later, macOS 10.15 and later, and visionOS 2 and later. -- key: EnrollmentUserID - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.15' - devicechannel: false - userenrollment: - mode: required - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: required - content: |- - The per-enrollment identifier for the user. The system requires this value if the enrollment type is a user enrollment on the user channel. - - Available in macOS 10.15 and later. -- key: UserShortName - supportedOS: - iOS: - introduced: '9.3' - sharedipad: - mode: required - macOS: - devicechannel: false - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: |- - For macOS, this value is the short name of the user. - - For Shared iPad, this value is the Managed Apple Account identifier of the user on Shared iPad. It indicates that the token is for the user channel. -- key: UserID - supportedOS: - iOS: - introduced: '9.3' - sharedipad: - mode: required - macOS: - devicechannel: false - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: |- - For macOS, this value is the ID of the user. - - For Shared iPad, this value is `FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF` to indicate that authentication doesn't occur. -- key: UserLongName - supportedOS: - iOS: - introduced: n/a - macOS: - devicechannel: false - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: required - content: The full name of the user. -- key: Token - type: - presence: required - content: The push token for the device. -- key: PushMagic - type: - presence: required - content: The magic string to include in the push notification message. 
-- key: UnlockToken - supportedOS: - iOS: - accessrights: AllowPasscodeRemovalAndLock - sharedipad: - mode: forbidden - userenrollment: - mode: forbidden - macOS: - introduced: n/a - visionOS: - accessrights: AllowPasscodeRemovalAndLock - userenrollment: - mode: forbidden - watchOS: - accessrights: AllowPasscodeRemovalAndLock - type: - presence: optional - content: The data to use to unlock the device. If provided, the server needs to - retain this data and send it when trying to implement `Clear-Passcode-Command`. -- key: AwaitingConfiguration - supportedOS: - iOS: - introduced: '9.0' - macOS: - introduced: '10.11' - userchannel: false - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: |- - If `true` from the device channel, the device is awaiting a `Device-Configured-Command` command before proceeding through Setup Assistant. - - If `true` from the user channel (Shared iPad only), the device is awaiting a `User-Configured-Command` command before proceeding through Setup Assistant. -notes: -- title: '' - content: |- - The device sends an initial `TokenUpdate` message to the server when it installs the MDM payload. The server needs to send push messages to the device only after receiving the first `TokenUpdate` message. If the device reports that it is `AwaitingConfiguration`, the MDM server needs to send a `Device-Configured-Command` MDM command before the device allows the user to proceed in Setup Assistant. This gives the MDM server the opportunity to perform some setup using MDM commands. - - In addition to sending the initial `TokenUpdate` message, the device may send additional `TokenUpdate` messages to the check-in server at any time while it has a valid MDM enrollment. - - The use of `PushMagic` constrains the device to a unique MDM relationship. When a user removes the MDM profile, the device no longer listens to the former relationship, even if the user reestablishes a management relationship with the same server topic. 
Note that only the push topic is the same in this case; the server's address might change. This also helps when a user restores a device from backup that contains an older relationship. The use of `PushMagic` also ensures that the same organization owns both the server that receives the `CheckIn` message and the computer sending the push notifications. This is important because there's no way of knowing if the push topic belongs to the owner of the check-in server. It's conceivable that Apple might revoke a push token for one party, only to have that party reenroll people from some other topic that's actively pushing. The fact that all MDM push topics reside in the namespace `com.apple.mgmt.*` helps prevent this. - - The `PushMagic` or `UnlockToken` fields of subsequent `TokenUpdate` messages may be identical to those in previous messages, or may be different (and may differ in size from previous values). If different, the server needs to update its record for the device to the new values in the message. Failure to do so results in the server being unable to send push notifications or perform passcode resets. - - Although a device can send the `TokenUpdate` message multiple times, it might send it only once if the values in the message never change. Ensure your implementation doesn't rely on repeated messages to update lost server-side data or to recover from a failure to process a previous `TokenUpdate` message. Also note that `UnlockToken` is optional. Don't treat the absence of an `UnlockToken` in a `TokenUpdate` message as an invalidation of a previously received `UnlockToken`. - - > Note: - > The topic string for the MDM check-in protocol needs to start with `com.apple.mgmt.*` where `*` is a unique suffix. diff --git a/mdm/checkin/userauthenticate.yaml b/mdm/checkin/userauthenticate.yaml deleted file mode 100644 index 6d61ee6..0000000 --- a/mdm/checkin/userauthenticate.yaml +++ /dev/null 
@@ -1,55 +0,0 @@ -title: User Authenticate -description: Authenticates a user with a two-step authentication protocol. -payload: - requesttype: UserAuthenticate - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.7' - devicechannel: false - userchannel: true - supervised: false - requiresdep: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: Authenticate network or mobile users with MDM. -payloadkeys: -- key: MessageType - type: - presence: required - rangelist: - - UserAuthenticate - content: The message type, which requires a value of `UserAuthenticate`. -- key: UDID - type: - presence: required - content: The device's UDID (unique device identifier). The system requires this - value if the enrollment type is a device enrollment. -- key: UserID - type: - presence: required - content: The local mobile user's GUID or the network user's GUID from an Open Directory - record. -- key: DigestResponse - type: - presence: required - content: A string that the client provides in the second `User-Authenticate` request - after receiving `DigestChallenge` from the server on the first `User-Authenticate` - request. -notes: -- title: '' - content: |- - A `UserAuthenticate` handshake usually consists of two transactions between the client and the server. Upon receiving the first request from the client, the server needs to respond with a `200` status code and a dictionary containing a `DigestChallenge` key (string). - - A zero-length `DigestChallenge` from the server indicates that it doesn't require an `AuthToken` for the user. Otherwise, the client generates a digest from the user's short name, the user's clear-text password, and the `DigestChallenge` value that the server provides. 
The client sends the resulting digest in a second `UserAuthenticate` request to the server, which validates the response and returns a dictionary that contains an `AuthToken` value that the device sends in subsequent commands on the user channel (for both the `ServerURL` and `CheckInURL` endpoints). - - If the server rejects the `DigestResponse` value because of an invalid password, it needs to return a `200` response and an empty `AuthToken` value. If the server isn't going to manage the user, it returns a `410` status code to the initial `UserAuthenticate` request. The client doesn't make any additional requests to the server on behalf of the user for the duration of the login session. - - The next time the user logs in, the client sends a new request and the server can optionally return `410` again. The `AuthToken` remains valid until the next time the client sends a `UserAuthenticate` request. The client initiates a handshake each time a mobile or network user logs in. diff --git a/mdm/commands/account.configuration.yaml b/mdm/commands/account.configuration.yaml deleted file mode 100644 index cc7de20..0000000 --- a/mdm/commands/account.configuration.yaml +++ /dev/null 
@@ -1,133 +0,0 @@ -title: Account Configuration Command -description: Create and configure a local administrator account on a device. -payload: - requesttype: AccountConfiguration - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.11' - accessrights: None - devicechannel: true - userchannel: false - supervised: false - requiresdep: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: When a macOS (v10.11 and later) device is configured via DEP to enroll - in an MDM server and the DEP profile has the await_device_configuration flag set - to true, the AccountConfiguration command can be sent to the device to have it - create the local administrator account (thereby skipping the page to create this - account in Setup Assistant). This command can only be sent to a macOS device that - is in the AwaitingConfiguration state. -payloadkeys: -- key: SkipPrimarySetupAccountCreation - type: - presence: optional - default: false - content: If `true`, Setup Assistant skips the user interface for setting up primary - accounts and disables autologin. If `true`, you must specify a value for `AutoSetupAdminAccounts`. -- key: SetPrimarySetupAccountAsRegularUser - type: - presence: optional - default: false - content: If `true`, Setup Assistant creates the primary accounts as regular users, - and you must specify a value for `AutoSetupAdminAccounts`. -- key: PrimaryAccountFullName - supportedOS: - macOS: - introduced: '10.15' - type: - presence: optional - content: The full name for the primary account. If present, Setup Assistant uses - this value to prefill the Full Name field. However, Setup Assistant ignores this - value if `DontAutoPopulatePrimaryAccountInfo` is `true`. This value is available - in macOS 10.15 and later. -- key: PrimaryAccountUserName - supportedOS: - macOS: - introduced: '10.15' - type: - presence: optional - content: The account name for the primary account. 
If present, Setup Assistant uses - this value to prefill the User Name field. However, Setup Assistant ignores this - value if `DontAutoPopulatePrimaryAccountInfo` is `true`. This value is available - in macOS 10.15 and later. -- key: DontAutoPopulatePrimaryAccountInfo - supportedOS: - macOS: - introduced: '10.15' - type: - presence: optional - default: false - content: If `true`, Setup Assistant ignores the primary account information and - requires the user to enter that information. If `false`, Setup Assistant prefills - the Full Name field with `PrimaryAccountFullName` and the User Name field with - `PrimaryAccountUserName`. This value is available in macOS 10.15 and later. -- key: LockPrimaryAccountInfo - supportedOS: - macOS: - introduced: '10.15' - type: - presence: optional - default: false - content: |- - If `true`, and you provide values for `PrimaryAccountFullName` or `PrimaryAccountUserName`, Setup Assistant disables editing for the corresponding fields. `DontAutoPopulatePrimaryAccountInfo` must also be 0 (or missing). - - If the user's password is also available from authentication through ConfigurationURL, Setup Assistant automatically creates the primary account with that information and skips showing the user interface to view or edit these fields. - - This value is available in macOS 10.15 and later. -- key: AutoSetupAdminAccounts - type: - presence: optional - content: A dictionary that describes the administrator account to create with Setup - Assistant, which uses the first element and ignores additional elements. - subkeys: - - key: AutoSetupAdminAccountItem - type: - content: A dictionary that describes the administrator account to create with - Setup Assistant, which uses the first element and ignores additional elements. - subkeys: - - key: shortName - title: shortName - type: - presence: required - content: The short name of the user. 
- - key: fullName - title: fullName - type: - presence: optional - content: The full name of the user, which defaults to `shortName` if not specified. - - key: passwordHash - title: passwordHash - type: - presence: optional - content: Data that contains the pre-created salted PBKDF2 SHA512 password hash - for the account. - - key: hidden - title: hidden - type: - presence: optional - default: false - content: If `true`, this sets the account attribute to make the account hidden - in the Login Window and Users & Groups. -- key: ManagedLocalUserShortName - supportedOS: - macOS: - introduced: '11.0' - type: - presence: optional - content: If present, this is the short name of the local account to manage, which - can also be the account that results from setting `AutoSetupAdminAccounts` to - `true`. Otherwise, only the local account that Setup Assistant creates is a managed - account. This value is available in macOS 11 and later. -notes: -- title: '' - content: Refer to the following sections to determine supported channels and requirements, - and to see an example request and response. diff --git a/mdm/commands/application.extensions.listactive.yaml b/mdm/commands/application.extensions.listactive.yaml deleted file mode 100644 index 4a546cd..0000000 --- a/mdm/commands/application.extensions.listactive.yaml +++ /dev/null 
@@ -1,91 +0,0 @@ -title: Active NSExtensions Command -description: Get a list of active extensions for a user on a device. -payload: - requesttype: ActiveNSExtensions - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.13' - accessrights: QueryInstalledApps - devicechannel: false - userchannel: true - supervised: false - requiresdep: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: |- - Returns information about the active NSExtensions for a particular user. - NSExtensions are installed and enabled at the user level. There is no concept of "device" NSExtensions. - Requires "Query Installed Apps" right; supported on user channel only. -payloadkeys: -- key: FilterExtensionPoints - type: - presence: optional - content: An array of extension points. If you choose to provide this value, the - response only includes the app extensions for the extension points you specify. - subkeys: - - key: FilterExtensionPointsItem - type: -responsekeys: -- key: Extensions - type: - presence: required - content: An array of dictionaries that contains information about active extensions - on the device. - subkeys: - - key: ExtensionsItem - type: - content: A dictionary that contains information about an extension. - subkeys: - - key: Identifier - type: - presence: required - content: The identifier of the extension. - - key: ExtensionPoint - type: - presence: required - content: The `NSExtensionPointIdentifier` for the extension. - - key: DisplayName - type: - presence: required - content: The extension's display name. - - key: ContainerDisplayName - type: - presence: optional - content: The display name of the container. - - key: ContainerIdentifier - type: - presence: optional - content: The identifier of the container. - - key: Path - type: - presence: required - content: The path to the extension. 
- - key: Version - type: - presence: required - content: The version of the extension. - - key: UserElection - type: - presence: required - rangelist: - - Default - - Use - - Ignore - content: The user-selected state of the extension, which a user sets in the - Extensions preference pane in System Preferences. -notes: -- title: '' - content: |- - This command returns information about the active extensions for a user. Extensions exist for each user, not for the device. - - Extensions restricted from executing by Application Launch Restrictions or the `NSExtensionManagement` configuration profile won't appear in the response. - - Refer to the following sections to determine supported channels and requirements, and to see an example request and response. diff --git a/mdm/commands/application.extensions.mappings.yaml b/mdm/commands/application.extensions.mappings.yaml deleted file mode 100644 index 7e186ee..0000000 --- a/mdm/commands/application.extensions.mappings.yaml +++ /dev/null 
@@ -1,57 +0,0 @@ -title: NSExtension Mappings Command -description: Get a list of the installed extensions for a user on a device. -payload: - requesttype: NSExtensionMappings - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.13' - accessrights: QueryInstalledApps - devicechannel: false - userchannel: true - supervised: false - requiresdep: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: |- - This command returns information about installed extensions for a user. - The purpose of this command is to allow the server to build a mapping of - extension identifiers to extension points to provide a UI for generating - "com.apple.NSExtension" payloads. - Requires "Query Installed Apps" right; supported on user channel only -responsekeys: -- key: Extensions - type: - presence: required - content: An array of dictionaries that contains information about extensions on - the device. - subkeys: - - key: ExtensionsItem - type: - content: A dictionary that contains information about an extension. - subkeys: - - key: Identifier - type: - presence: required - content: The identifier of the extension. - - key: ExtensionPoint - type: - presence: required - content: The `NSExtensionPointIdentifier` for the extension. - - key: DisplayName - type: - presence: required - content: The display name of the extension. -notes: -- title: '' - content: |- - This list is a superset of the list that `ActiveNSExtensionsCommand` returns. It may contain extensions that the system never enables due to various restrictions. - - Refer to the following sections to determine supported channels and requirements, and to see an example request and response. diff --git a/mdm/commands/application.install.enterprise.yaml b/mdm/commands/application.install.enterprise.yaml deleted file mode 100644 index 00022b5..0000000 --- a/mdm/commands/application.install.enterprise.yaml +++ /dev/null 
@@ -1,136 +0,0 @@ -title: Install Enterprise Application Command -description: Install an enterprise app on a device. -payload: - requesttype: InstallEnterpriseApplication - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: 10.13.6 - accessrights: AllowAppInstallation - devicechannel: true - userchannel: false - supervised: false - requiresdep: false - userenrollment: - mode: allowed - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a -payloadkeys: -- key: Manifest - type: - presence: optional - content: A dictionary that specifies where to download the app. This value uses - the `ManifestURL` format. - subkeys: - - key: ANY - type: - presence: optional - content: A dictionary that specifies where to download the app. This value uses - the `ManifestURL` format. -- key: ManifestURL - type: - presence: optional - content: The URL of the app manifest, which needs to begin with `https:`. The manifest - is returned as a property list that uses the `ManifestURL` format. -- key: ManifestURLPinningCerts - type: - presence: optional - content: An array of DER-encoded certificates to pin the connection when fetching - the `ManifestURL`. - subkeys: - - key: ManifestURLPinningCertsItem - type: - presence: required - content: A certificate in DER-encoded format. -- key: PinningRevocationCheckRequired - type: - presence: optional - default: false - content: If `true`, certificate revocation checks require a positive response when - using certificate pinning with `ManifestURLPinningCerts`. -- key: InstallAsManaged - supportedOS: - macOS: - introduced: '11.0' - userenrollment: - mode: forbidden - type: - presence: optional - default: false - content: |- - If `true`, install the app as a managed app. Otherwise, the system installs the app as unmanaged. If you reinstall a manged app and omit this value or set it to `false`, the app becomes unmanaged. 
- - For manifest-based installs, if `true`, the system only considers apps installed in `/Applications` as managed. In macOS 11 through 13, the system requires that the `pkg` only contains a single signed app. - - Available in macOS 11 and later. -- key: ManagementFlags - supportedOS: - macOS: - introduced: '11.0' - userenrollment: - mode: forbidden - type: - presence: optional - rangelist: - - 1 - content: |- - The management flags. The possible values are: - - - `1`: If `InstallAsManaged` is `true`, remove the app upon removal of the MDM profile. - - Available in macOS 11 and later. -- key: Configuration - supportedOS: - macOS: - introduced: '11.0' - type: - presence: optional - content: A dictionary that contains the initial configuration of the app, if you - choose to provide it. Available in macOS 11 and later. - subkeys: - - key: ANY - type: - presence: optional - content: An app configuration. -- key: ChangeManagementState - supportedOS: - macOS: - introduced: '11.0' - userenrollment: - mode: forbidden - type: - presence: optional - rangelist: - - Managed - content: |- - The change management state. This value doesn't work with the user enrollments. The only possible value is: - - - `Managed`: Take management of the app if the user installed it already and `InstallAsManaged` is `true`. - - Available in macOS 11 and later. -- key: iOSApp - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '11.0' - tvOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the app is an iOS app that can run on a Mac with Apple silicon - in macOS 11 and later. -notes: -- title: '' - content: |- - This command provides a more secure version of the `InstallApplication` command when that uses a `ManifestURL`. The request must contain either `Manifest` or `ManifestURL`. Using `Manifest` ignores the pinning options. When using `ManifestURL`, specify the pinning options to increase security. 
In macOS, the device returns an `Acknowledged` response after validating the parameters, but before downloading and installing the app. However, it doesn't notify the MDM server about errors that occur during the installation process. - - This command fails if Declarative Device Management is managing the app. - - Refer to the following sections to determine supported channels and requirements, and to see an example request and response. diff --git a/mdm/commands/application.install.yaml b/mdm/commands/application.install.yaml deleted file mode 100644 index ab25aec..0000000 --- a/mdm/commands/application.install.yaml +++ /dev/null 
@@ -1,404 +0,0 @@ -title: Install Application Command -description: Install a third-party app on a device. -payload: - requesttype: InstallApplication - supportedOS: - iOS: - introduced: '5.0' - accessrights: AllowAppInstallation - supervised: false - requiresdep: false - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: allowed - macOS: - introduced: '10.9' - accessrights: AllowAppInstallation - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userenrollment: - mode: allowed - tvOS: - introduced: '10.2' - accessrights: AllowAppInstallation - supervised: false - visionOS: - introduced: '1.1' - accessrights: AllowAppInstallation - supervised: false - requiresdep: false - userenrollment: - mode: allowed - watchOS: - introduced: '10.0' - accessrights: AllowAppInstallation - supervised: false -payloadkeys: -- key: iTunesStoreID - type: - presence: optional - content: The app's iTunes Store identifier. -- key: Identifier - supportedOS: - iOS: - introduced: '7.0' - type: - presence: optional - content: |- - The app's bundle identifier. - - > Important: - > For a watchOS app, the identifier needs to be the watch's bundle identifier, which differs from the main bundle identifier for the iPhone to which the watch is paired. Obtain the watch's bundle identifier for an app with a watch bundle, in the `watchBundleId` key that's part of the Content Metadata query. For more information on this query, see `Getting App and Book Information`. -- key: Options - supportedOS: - iOS: - introduced: '7.0' - type: - presence: optional - content: A dictionary that contains the app installation options. - subkeys: - - key: PurchaseMethod - type: - presence: optional - rangelist: - - 0 - - 1 - default: 0 - content: |- - The app's purchase type, which must be one of the following values: - - - `0`: Free apps and Legacy Volume Purchase Program (VPP) with a redemption code. This option is only available in iOS. 
- - `1`: Volume Purchase Program (VPP) app assignment. - - Set this value to `1` to install first-party apps without user login to the iTunes Store, such as Mail or Safari, or to install an iOS app with user enrollment. -- key: ManifestURL - supportedOS: - iOS: - introduced: '7.0' - type: - presence: optional - content: The URL of the app manifest, which needs to begin with `https:`. The manifest - is returned as a property list that uses the `ManifestURL` format. -- key: ManagementFlags - supportedOS: - macOS: - introduced: '11.0' - userenrollment: - mode: forbidden - type: - presence: optional - rangelist: - - 1 - - 4 - - 5 - content: |- - A bitwise OR of the management flags. The possible values are: - - - `1`: If `InstallAsManaged` is `true`, remove the app upon removal of the MDM profile. - - `4`: Prevent backup of app data. - - `5`: Both `1` and `4`. - - Available in iOS 5 and later, macOS 11 and later, and tvOS 10.2 and later. -- key: Configuration - supportedOS: - iOS: - introduced: '7.0' - macOS: - introduced: '11.0' - type: - presence: optional - content: A dictionary that contains the initial configuration of the app, if you - choose to provide it. Available in iOS 7 and later, macOS 11 and later, and tvOS - 10.2 and later. - subkeys: - - key: ANY - type: - presence: optional - content: An app configuration key. -- key: Attributes - supportedOS: - iOS: - introduced: '7.0' - macOS: - introduced: n/a - type: - presence: optional - content: A dictionary that contains the initial attributes of the app, if you choose - to provide it. Available in iOS 7 and later, and tvOS 10.2 and later. - subkeys: - - key: VPNUUID - supportedOS: - tvOS: - introduced: n/a - type: - presence: optional - content: A per-app VPN unique identifier for this app. Available in iOS 7 and - later. 
- - key: ContentFilterUUID - supportedOS: - iOS: - introduced: '16.0' - tvOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The content filter UUID for this app. Available in iOS 16 and later. - - key: DNSProxyUUID - supportedOS: - iOS: - introduced: '16.0' - tvOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The DNS proxy UUID for this app. Available in iOS 16 and later. - - key: RelayUUID - supportedOS: - iOS: - introduced: '17.0' - tvOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The relay UUID for this app. Available in iOS 17 and later. - - key: AssociatedDomains - supportedOS: - iOS: - introduced: '13.0' - tvOS: - introduced: n/a - type: - presence: optional - content: An array that contains the associated domains to add to this app. Available - in iOS 13 and later. - subkeys: - - key: AssociatedDomain - type: - - key: AssociatedDomainsEnableDirectDownloads - supportedOS: - iOS: - introduced: '14.0' - tvOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, perform claimed site association verification directly at - the domain instead of on Apple's servers. Only set this to `true` for domains - that can't access the internet. Available in iOS 14 and later. - - key: Removable - supportedOS: - iOS: - introduced: '14.0' - tvOS: - introduced: '14.0' - type: - presence: optional - default: true - content: If `false`, this app isn't removable while it's a managed app. Available - in iOS 14 and later, and tvOS 14 and later. - - key: TapToPayScreenLock - supportedOS: - iOS: - introduced: '16.4' - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: |- - If `true`, Tap to Pay on iPhone requires users to use Face ID or a passcode to unlock their device after every transaction that requires a customer's card PIN. 
If `false`, the user can configure this setting on their device. - - Available in iOS 16.4 and later. - - key: CellularSliceUUID - supportedOS: - iOS: - introduced: '17.0' - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: |- - The data network name (DNN) or app category. For DNN, the value is `DNN:name`, where `name` is the carrier-provided DNN name. For app category, the value is `AppCategory:category`, where `category` is a carrier-provided string like "Enterprise1". - - Available in iOS 17 and later. - - key: Hideable - supportedOS: - iOS: - introduced: '18.1' - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system prevents the user from hiding the app. It doesn't - affect the user's ability to leave it in the App Library, while removing it - from the Home Screen. - - key: Lockable - supportedOS: - iOS: - introduced: '18.1' - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system prevents the user from locking the app. This also - prevents the user from hiding the app. -- key: ChangeManagementState - supportedOS: - iOS: - introduced: '9.0' - userenrollment: - mode: forbidden - macOS: - introduced: '11.0' - userenrollment: - mode: forbidden - visionOS: - userenrollment: - mode: forbidden - type: - presence: optional - rangelist: - - Managed - content: |- - The change management state. This value doesn't work with the user enrollment feature introduced in iOS 13, or any type of account driven enrollment. Available in iOS 9 and later, macOS 11 and later, and tvOS 10.2 and later. The only possible value is: - - - `Managed`: Take management of the app if the user installed it already and `InstallAsManaged` is `true`. 
-- key: InstallAsManaged - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '11.0' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: |- - If `true`, install the app as a managed app. Otherwise, the system installs the app as unmanaged. If you reinstall a manged app and omit this value or set it to `false`, the app becomes unmanaged. - - For manifest-based installs, if `true`, the system only considers apps installed in `/Applications` as managed. In macOS 11 through 13, the system requires that the `pkg` only contains a single signed app. - - Available in macOS 11 and later. -- key: iOSApp - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '11.0' - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the app is an iOS app that can run on a Mac with Apple silicon - in macOS 11 and later. -responsekeys: -- key: Identifier - type: - presence: optional - content: |- - The app's bundle identifier, if the user accepted the request. - - > Note: - > For a watchOS app, the identifier is the watch's bundle identifier, which differs from the main bundle identifier for the iPhone that the watch is paired to. -- key: State - type: - presence: optional - rangelist: - - Queued - - NeedsRedemption - - Redeeming - - Prompting - - PromptingForLogin - - ValidatingPurchase - - Installing - - Managed - - ManagedButUninstalled - - UserInstalledApp - - UserRejected - - PromptingForUpdate - - PromptingForUpdateLogin - - ValidatingUpdate - - Updating - - UpdateRejected - - PromptingForManagement - - ManagementRejected - - Failed - - Unknown - content: The app's installation state, if the user accepted the request. If this - value is `NeedsRedemption`, the server needs to send a redemption code to complete - the app installation. 
-- key: RejectionReason - type: - presence: optional - rangelist: - - AppAlreadyInstalled - - AppAlreadyQueued - - AppStoreDisabled - - CouldNotVerifyAppID - - ManagementChangeNotSupported - - NotAnApp - - NotSupported - - Other - - PurchaseMethodNotSupported - - PurchaseMethodNotSupportedInMultiUser - content: The reason, if installation fails. macOS always returns "Other". -notes: -- title: '' - content: |- - The request must contain only one of these keys: `iTunesStoreID`, `Identifier`, or `ManifestURL`. - - Installation prompts the user to approve or cancel the update. If the device is supervised, the device only prompts when the app to install is in the foreground. - - Set the organization name that appears in this prompt in the `OrganizationInfo` dictionary using the `Settings` command. - - If the app is a managed app, this command updates it. This command fails if Declarative Device Management is managing the app. - - In macOS, the device returns an `Acknowledged` response after validating the parameters, but before downloading and installing the app. However, it doesn't notify the MDM server about errors that occur during the installation process. - - For macOS VPP app installations, if the app is device licensed, the system must receive the `InstallApplication` command on the device channel. If the app is user licensed, the system must receive the `InstallApplication` command on the user channel. - - Prior to iOS 16.0 and tvOS 16.0, this command would return `NotNow` when Setup Assistant was running. Starting in iOS 16.0 and tvOS 16.0, the command may be sent to supervised devices during Setup Assistant. However, you should only attempt to install device-based VPP apps or enterprise apps while in the awaiting configuration state, as it is unlikely the device would have an App Store account configured, and thus commands that depend on one will fail. 
- - Refer to the following sections to determine supported channels and requirements, and to see an example request and response. diff --git a/mdm/commands/application.installed.list.yaml b/mdm/commands/application.installed.list.yaml deleted file mode 100644 index ef5e907..0000000 --- a/mdm/commands/application.installed.list.yaml +++ /dev/null 
@@ -1,333 +0,0 @@ -title: Installed Application List Command -description: Get a list of the installed apps on a device. -payload: - requesttype: InstalledApplicationList - supportedOS: - iOS: - introduced: '5.0' - accessrights: AllowQueryApplications - supervised: false - requiresdep: false - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: allowed - macOS: - introduced: '10.7' - accessrights: AllowQueryApplications - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userenrollment: - mode: forbidden - tvOS: - introduced: '10.2' - accessrights: AllowQueryApplications - supervised: false - visionOS: - introduced: '1.1' - accessrights: AllowQueryApplications - supervised: false - requiresdep: false - userenrollment: - mode: allowed - watchOS: - introduced: '10.0' - accessrights: AllowQueryApplications - supervised: false -payloadkeys: -- key: Identifiers - supportedOS: - iOS: - introduced: '7.0' - macOS: - introduced: '10.15' - type: - presence: optional - content: |- - An array of app identifiers. Provide this value to limit the response to only include these apps. This value is available in iOS 7 and later, macOS 10.15 and later, tvOS 10.2 and later, visionOS 1.1 and later, and watchOS 10 and later. - - > Important: - > For a watchOS app, the identifier needs to be the watch's bundle identifier, which differs from the main bundle identifier for the iPhone to which the watch is paired. Obtain the watch's bundle identifier for an app with a watch bundle, in the `watchBundleId` key that's part of the Content Metadata query. For more information on this query, see `Getting App and Book Information`. 
- subkeys: - - key: IdentifiersItem - type: -- key: ManagedAppsOnly - supportedOS: - iOS: - introduced: '7.0' - macOS: - introduced: '10.15' - type: - presence: optional - default: false - content: |- - If `true`, only get a list of managed apps, excluding ones that Declarative Device Management is managing. This value is available in iOS 7 and later, macOS 10.15 and later, and tvOS 10.2 and later. - - > Note: - > If the enrollment type is a user enrollment, the system always considers this key as set to `true` and only returns managed apps, excluding ones that Declarative Device Management is managing. -- key: Items - supportedOS: - iOS: - introduced: '14.0' - macOS: - introduced: n/a - tvOS: - introduced: '14.0' - type: - presence: optional - content: |- - An array of strings that represent keys in `InstalledApplicationListItem`. If present, the response only contains the keys listed here, except `Identifier` is always included. If not present, the response contains all keys. Starting in iOS 26, macOS 26, tvOS 26, watchOS 26, and visionOS 26, if this key isn't present, the response omits values that are expensive to calculate. - - > Tip: - > Only request the keys that you need, because some key values can take significant time and power to calculate on the device. - subkeys: - - key: ItemsItem - type: - rangelist: - - AdHocCodeSigned - - AppStoreVendable - - BetaApp - - BundleSize - - DeviceBasedVPP - - DistributorIdentifier - - DynamicSize - - ExternalVersionIdentifier - - HasUpdateAvailable - - Identifier - - Installing - - IsAppClip - - IsValidated - - Name - - ShortVersion - - Version -responsekeys: -- key: InstalledApplicationList - type: - presence: required - content: An array of dictionaries that describes each installed app. - subkeys: - - key: InstalledApplicationListItem - type: - content: A dictionary that describes an app list item. - subkeys: - - key: Identifier - type: - presence: optional - content: |- - The app's identifier. 
This key is always be present on iOS and tvOS, but may be missing on macOS. - - > Note: - > For a watchOS app, the identifier is the watch's bundle identifier, which differs from the main bundle identifier for the iPhone to which the watch is paired. - - key: ExternalVersionIdentifier - supportedOS: - iOS: - introduced: '11.0' - macOS: - introduced: '10.13' - tvOS: - introduced: '11.0' - type: - presence: optional - content: |- - The app's external version identifier. You can also retrieve this value from the App Store. For more information, see `Apps and Books for Organizations`. - - If the current external version identifier of an app on the App Store doesn't match the external version identifier reported by the device, there may be an app update available for the device. - - > Note: - > A newer version of an app might not be available for installation on the device for a variety of reasons. A common reason is that the device's operating system version or hardware is incompatible with the available version of the app. - - key: DistributorIdentifier - supportedOS: - iOS: - introduced: '17.4' - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The marketplace hosted application's distributor ID. This value is - available in iOS 17.4 and later. - - key: Version - type: - presence: optional - content: The app's version. - - key: ShortVersion - supportedOS: - iOS: - introduced: '5.0' - type: - presence: optional - content: The app's short version. - - key: Name - type: - presence: optional - content: The app's name. - - key: BundleSize - supportedOS: - macOS: - introduced: '10.7' - type: - presence: optional - content: The app's static bundle size, in bytes. This value is expensive to - calculate. Starting in iOS 26, macOS 26, tvOS 26, watchOS 26, and visionOS - 26 it isn't present in the response unless it is included in the `Items` request - key. 
This value is available in iOS 5 and later, and macOS 10.7 and later, - tvOS 10.2 and later, watchOS 10 and later, and visionOS 1.1 and later. - - key: DynamicSize - supportedOS: - iOS: - introduced: '5.0' - macOS: - introduced: n/a - type: - presence: optional - content: The size of the app's file system in bytes, including the Documents, - Library, and other directories. This value is expensive to calculate. Starting - in iOS 26, tvOS 26, watchOS 26, and visionOS 26 it isn't present in the response - unless it is included in the `Items` request key. This value is available - in iOS 5 and later, tvOS 10.2 and later, watchOS 10 and later, and visionOS - 1.1 and later. - - key: IsValidated - supportedOS: - iOS: - introduced: '9.2' - macOS: - introduced: n/a - type: - presence: optional - content: If `true`, the app is valid and can run on the device. If the app is - enterprise-distributed and unvalidated, it won't be able to run until validation - has occurred. This value is available in iOS 9.2 and later, and tvOS 10.2 - and later. - - key: Installing - type: - presence: optional - content: If `true`, the app is downloading. If `false`, it's already installed. - - key: AppStoreVendable - supportedOS: - iOS: - introduced: '11.3' - macOS: - introduced: n/a - tvOS: - introduced: '11.3' - type: - presence: optional - content: If `true`, the app came from the App Store and can participate in store - features. For device-based Volume Purchase Program (VPP) apps, this value - is `false`. This value is available in iOS 11.3 and later, and tvOS 11.3 and - later. - - key: DeviceBasedVPP - supportedOS: - iOS: - introduced: '11.3' - macOS: - introduced: n/a - tvOS: - introduced: '11.3' - type: - presence: optional - content: If `true`, installing the app didn't require an Apple Account. This - value is available in iOS 11.3 and later, and tvOS 11.3 and later. 
- - key: BetaApp - supportedOS: - iOS: - introduced: '11.3' - macOS: - introduced: n/a - tvOS: - introduced: '11.3' - type: - presence: optional - content: If `true`, the app is part of the Apple Beta Software Program. This - value is available in iOS 11.3 and later, and tvOS 11.3 and later. - - key: AdHocCodeSigned - supportedOS: - iOS: - introduced: '11.3' - macOS: - introduced: n/a - tvOS: - introduced: '11.3' - type: - presence: optional - content: If `true`, the app is ad-hoc code signed. This query is available in - iOS 11.3 and later, and tvOS 11.3 and later. - - key: HasUpdateAvailable - supportedOS: - iOS: - introduced: '11.3' - macOS: - introduced: 10.13.4 - type: - presence: optional - content: If `true`, the app has an update available. This key is present only - for App Store apps. In macOS, this key is present only for Volume Purchase - Program (VPP) apps. This status updates daily and isn't always up-to-date - when installing an app. - - key: DownloadFailed - type: - presence: optional - default: false - content: If `true`, the download failed. - - key: DownloadWaiting - type: - presence: optional - default: false - content: If `true`, the app is in the initial state, which is waiting to download. - - key: DownloadPaused - type: - presence: optional - default: false - content: If `true`, the user paused the download. - - key: DownloadCancelled - type: - presence: optional - default: false - content: If `true`, the user canceled the download. - - key: IsAppClip - supportedOS: - iOS: - introduced: '16.0' - macOS: - introduced: n/a - tvOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the app is an App Clip. Available in iOS 16 and later. - - key: Source - supportedOS: - iOS: - introduced: '17.2' - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The source of the application. 
When the app is managed by Declarative - Device Management this value is `Declarative Device Management`. -notes: -- title: '' - content: |- - This command allows the server to query for installed 3rd party applications. The response also includes system apps in macOS, iOS 26 and later, tvOS 26 and later, visionOS 26 and later, and watchOS 26 and later. - - This command doesn't return apps that Declarative Device Management is managing if the `ManagedAppsOnly` key is set to `true`, or if the enrollment type is a user enrollment. - - Refer to the following sections to determine supported channels and requirements, and to see request and response examples for iOS and macOS. diff --git a/mdm/commands/application.invitetoprogram.yaml b/mdm/commands/application.invitetoprogram.yaml deleted file mode 100644 index 755f57f..0000000 --- a/mdm/commands/application.invitetoprogram.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -title: Invite To Program Command -description: Invite a user to join the Volume Purchase Program (VPP). -payload: - requesttype: InviteToProgram - supportedOS: - iOS: - introduced: '7.0' - accessrights: AllowAppInstallation - supervised: false - requiresdep: false - sharedipad: - mode: allowed - devicechannel: false - userchannel: true - userenrollment: - mode: forbidden - macOS: - introduced: '10.9' - accessrights: None - devicechannel: false - userchannel: true - supervised: false - requiresdep: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a -payloadkeys: -- key: ProgramID - type: - presence: required - rangelist: - - com.apple.cloudvpp - content: The program's identifier, which can only be `com.apple.cloudvpp`. -- key: InvitationURL - type: - presence: required - content: The Volume Purchase Program (VPP) invitation URL. -responsekeys: -- key: InvitationResult - type: - presence: required - rangelist: - - Acknowledged - - InvalidProgramID - - InvalidInvitationURL - content: The result of the command. -notes: -- title: '' - content: |- - This command allows a server to invite a user to join the Volume Purchase Program (VPP). It issues the invitation, but doesn't allow the server to monitor whether the user joins the program. This command yields a `NotNow` status if Setup Assistant is running. - - The command doesn't work with Account Driven enrollments. - - Refer to the following sections to determine supported channels and requirements, and to see an example request and response. diff --git a/mdm/commands/application.managed.list.yaml b/mdm/commands/application.managed.list.yaml deleted file mode 100644 index 8f8bf48..0000000 --- a/mdm/commands/application.managed.list.yaml +++ /dev/null 
@@ -1,202 +0,0 @@ -title: Managed Application List Command -description: Get the status of all managed apps on a device. -payload: - requesttype: ManagedApplicationList - supportedOS: - iOS: - introduced: '5.0' - accessrights: AllowAppInstallation - supervised: false - requiresdep: false - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: allowed - macOS: - introduced: '11.0' - accessrights: AllowAppInstallation - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userenrollment: - mode: allowed - tvOS: - introduced: '10.2' - accessrights: AllowAppInstallation - supervised: false - visionOS: - introduced: '1.1' - accessrights: AllowAppInstallation - supervised: false - requiresdep: false - userenrollment: - mode: allowed - watchOS: - introduced: '10.0' - accessrights: AllowAppInstallation - supervised: false -payloadkeys: -- key: Identifiers - supportedOS: - iOS: - introduced: '7.0' - type: - presence: optional - content: |- - The bundle identifiers of the managed apps to include in the response. - - > Important: - > For a watchOS app, the identifier needs to be the watch's bundle identifier, which differs from the main bundle identifier for the iPhone to which the watch is paired. Obtain the watch's bundle identifier for an app with a watch bundle, in the `watchBundleId` key that's part of the Content Metadata query. For more information on this query, see `Getting App and Book Information`. - subkeys: - - key: IdentifiersItem - type: -responsekeys: -- key: ManagedApplicationList - type: - presence: required - content: A dictionary that contains status information about each managed app. The - response doesn't include apps that Declarative Device Management manages. - subkeytype: ManagedApplicationListItem - subkeys: - - key: ANY app identifier - type: - presence: required - content: The bundle identifier of the managed app. 
- subkeytype: ManagedApplicationItem - subkeys: - - key: Status - type: - presence: required - rangelist: - - Queued - - NeedsRedemption - - Redeeming - - Prompting - - PromptingForLogin - - ValidatingPurchase - - PromptingForUpdate - - PromptingForUpdateLogin - - PromptingForManagement - - ValidatingUpdate - - Updating - - Installing - - Managed - - ManagedButUninstalled - - Unknown - - UserInstalledApp - - UserRejected - - UpdateRejected - - ManagementRejected - - Failed - content: |- - The status of the managed app, which is one of the following values: - - - `Queued`: The app is scheduled for installation. - - `NeedsRedemption`: The app needs a redemption code to complete installation. - - `Redeeming`: The device is redeeming the redemption code for the app. - - `Prompting`: The app installation is prompting the user. - - `PromptingForLogin' - The app installation is prompting the user for App Store credentials. - - `ValidatingPurchase`: Validation of the app purchase is occurring. - - `PromptingForUpdate`: An app update is prompting the user. - - `PromptingForUpdateLogin`: An app update is prompting the user for App Store credentials. - - `PromptingForManagement`: Changing the app to a managed app is prompting the user. - - `ValidatingUpdate`: Validation of an app update is occurring. - - `Updating`: The app is updating. - - `Installing`: The app is installing. - - `Managed`: The installed app is a managed app. - - `ManagedButUninstalled`: The app is a managed app and the user removed it. Reinstalling the app reinstates it as a managed app. - - `Unknown`: The app state is unknown. - - The following statuses are transient and report only once: - - - `UserInstalledApp`: The user installed the app before managed app installation could occur. - - `UserRejected`: The user rejected the offer to install the app. - - `UpdateRejected`: The user rejected the offer to update the app. - - `ManagementRejected`:The user rejected management of an installed app. 
- - `Failed`: The app installation failed. - - key: ManagementFlags - type: - presence: required - content: |- - The bitwise OR of the following management flags: - * '1': Remove app upon removal of MDM profile. - * '4': Prevent backup of app data. - - key: UnusedRedemptionCode - supportedOS: - macOS: - introduced: n/a - tvOS: - introduced: n/a - type: - presence: required - content: If the user already purchased a paid app, this code is available for - use by another user. This code reports only once. This value is available - in iOS 5 and later. - - key: HasConfiguration - supportedOS: - iOS: - introduced: '7.0' - macOS: - introduced: '11.0' - type: - presence: required - content: If 'true', the app has an update available. This key is present only - for App Store apps. In macOS, this key is present only for Volume Purchase - Program (VPP) apps. This status updates daily and isn't always up-to-date - when installing an app. - - key: HasFeedback - supportedOS: - iOS: - introduced: '7.0' - macOS: - introduced: '11.3' - devicechannel: false - type: - presence: required - content: If 'true', the app has feedback for the server. This value is available - in iOS 7 and later, and tvOS 10.2 and later. On macOS 11.3 and later, this - value is available if the request was sent on the user channel. - - key: IsValidated - supportedOS: - iOS: - introduced: '9.2' - macOS: - introduced: n/a - type: - presence: required - content: If 'true', the app is valid and can run on the device. If the app is - enterprise-distributed and unvalidated, it won't be able to run until validation - has occurred. This value is available in iOS 9.2 and later, and tvOS 10.2 - and later. - - key: ExternalVersionIdentifier - supportedOS: - iOS: - introduced: '10.3' - macOS: - introduced: '11.3' - tvOS: - introduced: '10.2' - type: - presence: required - content: |- - The app's external version identifier. You can also retrieve this value from the App Store. 
For more information, see `Apps and Books for Organizations`. - - If the current external version identifier of an app on the App Store doesn't match the external version identifier reported by the device, there may be an app update available for the device. - - Available in iOS 10.3 and later, macOS 11.3 and later, and tvOS 10.2 and later. - - > Note: - > A newer version of an app might not be available for installation on the device for a variety of reasons. A common reason is that the device's operating system version or hardware is incompatible with the available version of the app. -notes: -- title: '' - content: |- - This command returns the status of managed apps from the App Store. - - Some statuses are transient and the device removes them after reporting them to the server. - - This command doesn't return apps that Declarative Device Management is managing. - - Refer to the following sections to determine supported channels and requirements, and to see an example request and response. diff --git a/mdm/commands/application.redemptioncode.yaml b/mdm/commands/application.redemptioncode.yaml deleted file mode 100644 index 7fda06a..0000000 --- a/mdm/commands/application.redemptioncode.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -title: Apply Redemption Code Command -description: Complete the installation of an app using a redemption code. -payload: - requesttype: ApplyRedemptionCode - supportedOS: - iOS: - introduced: '5.0' - accessrights: AllowAppInstallation - supervised: false - requiresdep: false - sharedipad: - mode: forbidden - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a -payloadkeys: -- key: Identifier - type: - presence: required - content: The bundle identifier of the app. -- key: RedemptionCode - type: - presence: required - content: The redemption code that applies to the app pending installation. -notes: -- title: '' - content: |- - This command provides a redemption code to complete installing an app. Use this when `InstallApplication` returns `NeedsRedemption`, or when `ManagedApplicationList` returns `NeedsRedemption` for the status of the app. - - Sending a redemption code to an app that doesn't need it produces an error. - - Refer to the following sections to determine supported channels and requirements, and to see an example request and response. diff --git a/mdm/commands/application.remove.yaml b/mdm/commands/application.remove.yaml deleted file mode 100644 index 4b012ae..0000000 --- a/mdm/commands/application.remove.yaml +++ /dev/null 
@@ -1,57 +0,0 @@ -title: Remove Application Command -description: Remove an app. -payload: - requesttype: RemoveApplication - supportedOS: - iOS: - introduced: '5.0' - accessrights: AllowAppInstallation - supervised: false - requiresdep: false - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: allowed - macOS: - introduced: '11.0' - accessrights: AllowAppInstallation - devicechannel: true - userchannel: false - supervised: false - requiresdep: false - userenrollment: - mode: allowed - tvOS: - introduced: '10.2' - accessrights: AllowAppInstallation - supervised: false - visionOS: - introduced: '1.1' - accessrights: AllowAppInstallation - supervised: false - requiresdep: false - userenrollment: - mode: allowed - watchOS: - introduced: '10.0' - accessrights: AllowAppInstallation - supervised: false -payloadkeys: -- key: Identifier - type: - presence: required - content: |- - The bundle identifier of the managed app. - - > Important: - > For a watchOS app, the identifier needs to be the watch's bundle identifier, which differs from the main bundle identifier for the iPhone to which the watch is paired. Obtain the watch's bundle identifier for an app with a watch bundle, in the `watchBundleId` key that's part of the Content Metadata query. For more information on this query, see `Getting App and Book Information`. -notes: -- title: '' - content: |- - This command allows a server to remove managed apps. It also allows a server to remove unmanaged and system deletable apps on supervised devices in iOS 26 and later, tvOS 26 and later, visionOS 26 and later, and watchOS 26 and later. When the device removes an app, it also removes the data for the app. - - This command fails for apps that Declarative Device Management is managing. - - Refer to the following sections to determine supported channels and requirements, and to see an example request and response. 
diff --git a/mdm/commands/application.validate.yaml b/mdm/commands/application.validate.yaml deleted file mode 100644 index d031b20..0000000 --- a/mdm/commands/application.validate.yaml +++ /dev/null @@ -1,47 +0,0 @@ -title: Validate Applications Command -description: Force validation of developer and universal provisioning profiles for - enterprise apps. -payload: - requesttype: ValidateApplications - supportedOS: - iOS: - introduced: '9.2' - accessrights: AllowAppInstallation - supervised: false - requiresdep: false - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: allowed - macOS: - introduced: n/a - tvOS: - introduced: '10.2' - accessrights: AllowAppInstallation - supervised: false - visionOS: - introduced: '1.1' - accessrights: AllowAppInstallation - supervised: false - requiresdep: false - userenrollment: - mode: allowed - watchOS: - introduced: n/a - content: This command allows the server to query for installed 3rd party applications. -payloadkeys: -- key: Identifiers - type: - presence: optional - content: The bundle identifiers of the enterprise apps to include for validation - of associated provisioning profiles, if you choose to provide them. Otherwise, - validation occurs for the provisioning profiles for the installed managed apps. - subkeys: - - key: IdentifiersItem - type: -notes: -- title: '' - content: Refer to the following sections to determine supported channels and requirements, - and to see an example request and response. diff --git a/mdm/commands/certificate.list.yaml b/mdm/commands/certificate.list.yaml deleted file mode 100644 index f97d6c5..0000000 --- a/mdm/commands/certificate.list.yaml +++ /dev/null 
@@ -1,88 +0,0 @@ -title: Certificate List Command -description: Get a list of installed certificates on a device. -payload: - requesttype: CertificateList - supportedOS: - iOS: - introduced: '4.0' - accessrights: AllowInspection - supervised: false - requiresdep: false - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: allowed - macOS: - introduced: '10.7' - accessrights: AllowInspection - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userenrollment: - mode: allowed - tvOS: - introduced: '9.0' - accessrights: AllowInspection - supervised: false - visionOS: - introduced: '1.1' - accessrights: AllowInspection - supervised: false - requiresdep: false - userenrollment: - mode: allowed - watchOS: - introduced: '10.0' - accessrights: AllowInspection - supervised: false -payloadkeys: -- key: ManagedOnly - supportedOS: - iOS: - introduced: '13.0' - macOS: - introduced: '10.15' - tvOS: - introduced: '13.0' - type: - presence: optional - default: false - content: If `true`, only include certificates that MDM installed or that are in - the same profile as the MDM payload. User-enrolled devices ignore this value and - always only include managed certificates. This value is available in iOS 13 and - later, macOS 10.15 and later, and tvOS 13 and later. -responsekeys: -- key: CertificateList - type: - presence: required - content: An array of certificate list items that describes each certificate. - subkeys: - - key: CertificateListItem - type: - content: A dictionary that contains information about a certificate list item. - subkeys: - - key: CommonName - type: - presence: required - content: The certificate's common name. - - key: IsIdentity - type: - presence: required - content: If `true`, this is an identity certificate. - - key: Data - type: - presence: required - content: The certificate in DER-encoded X.509 format. 
-notes: -- title: '' - content: |- - This command allows the server to retrieve the list of installed certificates on the device. The command requires that the server has the Inspect Profile Manifest privilege. For user enrollment, this request returns only certificates pushed by MDM. - - This command doesn't return certificates that Declarative Device Management installs. Instead, use the Declarative Device Management `StatusSecurityCertificateList` status item to monitor the Declarative Device Management certificates. - - Starting with iOS 15.4, this command returns a Not Now response before the passcode-protected device's first unlock after a device boots. Between iOS 15.0 and iOS 15.4, devices in that state didn't respond with Not Now, but the response might not contain all identity certificates. - - Refer to the following sections to determine supported channels and requirements, and to see an example request and response. diff --git a/mdm/commands/declarativemanagement.yaml b/mdm/commands/declarativemanagement.yaml deleted file mode 100644 index 1c3e0e8..0000000 --- a/mdm/commands/declarativemanagement.yaml +++ /dev/null 
@@ -1,50 +0,0 @@ -title: Declarative Management Command -description: Enable your server to support declarative management or trigger a declarative - management synchronization operation on the device. -payload: - requesttype: DeclarativeManagement - supportedOS: - iOS: - introduced: '15.0' - supervised: false - requiresdep: false - sharedipad: - mode: allowed - devicechannel: true - userchannel: true - userenrollment: - mode: allowed - macOS: - introduced: '13.0' - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userenrollment: - mode: allowed - tvOS: - introduced: '16.0' - supervised: false - requiresdep: false - visionOS: - introduced: '1.1' - supervised: false - requiresdep: false - userenrollment: - mode: allowed - watchOS: - introduced: '10.0' - supervised: false - content: This command allows the server to turn on the declarative management engine - on the device (the first time it is used), or to trigger a declarative management - synchronization operation. -payloadkeys: -- key: Data - type: - presence: optional - content: The base64-encoded declarative management JSON request using a `TokensResponse`. -notes: -- title: '' - content: The server uses this command to turn on the declarative management engine - on the device the first time the server sends it. Subsequent commands trigger - a declarative management synchronization operation. diff --git a/mdm/commands/device.activationlock.bypasscode.yaml b/mdm/commands/device.activationlock.bypasscode.yaml deleted file mode 100644 index cb127a9..0000000 --- a/mdm/commands/device.activationlock.bypasscode.yaml +++ /dev/null 
@@ -1,53 +0,0 @@ -title: Activation Lock Bypass Code Command -description: Get the code to bypass Activation Lock on a device. -payload: - requesttype: ActivationLockBypassCode - supportedOS: - iOS: - introduced: '7.1' - accessrights: None - supervised: true - requiresdep: false - sharedipad: - mode: forbidden - userenrollment: - mode: forbidden - macOS: - introduced: '10.15' - accessrights: None - devicechannel: true - userchannel: false - supervised: true - requiresdep: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: '2.0' - accessrights: None - supervised: true - requiresdep: false - userenrollment: - mode: forbidden - watchOS: - introduced: n/a - content: Retrieves the Activation Lock bypass code from the device. This bypass - code is only available for 15 days after supervision. -responsekeys: -- key: ActivationLockBypassCode - type: - presence: required - content: The Activation Lock bypass code if it's available. -notes: -- title: '' - content: |- - This command allows organizations to retrieve the device's bypass code. Organizations can use the bypass code to remove the Activation Lock from supervised devices prior to device activation without knowing the user's personal Apple Account and password. - - Supervised devices generate a device-specific Activation Lock bypass code. The activation server verifies this code to bypass Activation Lock on the device. For more information, see `Creating and Using Bypass Codes`. - - A device creates a new bypass code when: - - - Setting up the device the first time. - - Erasing and not restoring the device from a backup. - - Erasing and restoring the device from a backup from a different device. diff --git a/mdm/commands/device.activationlock.clearbypasscode.yaml b/mdm/commands/device.activationlock.clearbypasscode.yaml deleted file mode 100644 index 8ad3a1c..0000000 --- a/mdm/commands/device.activationlock.clearbypasscode.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -title: Clear Activation Lock Bypass Code Command -description: Clear the Activation Lock bypass code on a device. -payload: - requesttype: ClearActivationLockBypassCode - supportedOS: - iOS: - introduced: '7.1' - accessrights: None - supervised: true - requiresdep: false - sharedipad: - mode: forbidden - userenrollment: - mode: forbidden - macOS: - introduced: '10.15' - accessrights: None - devicechannel: true - userchannel: false - supervised: true - requiresdep: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: '2.0' - accessrights: None - supervised: true - requiresdep: false - userenrollment: - mode: forbidden - watchOS: - introduced: n/a - content: Clears the Activation Lock bypass code from the device. -notes: -- title: '' - content: Refer to the following sections to determine supported channels and requirements, - and to see an example request and response. diff --git a/mdm/commands/device.configured.yaml b/mdm/commands/device.configured.yaml deleted file mode 100644 index 5c540ab..0000000 --- a/mdm/commands/device.configured.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -title: Device Configured Command -description: Inform the device that it can allow the user to continue in Setup Assistant. -payload: - requesttype: DeviceConfigured - supportedOS: - iOS: - introduced: '9.0' - accessrights: None - supervised: true - requiresdep: true - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: forbidden - macOS: - introduced: '10.11' - accessrights: None - devicechannel: true - userchannel: false - supervised: false - requiresdep: true - userenrollment: - mode: forbidden - tvOS: - introduced: '10.2' - accessrights: None - supervised: true - visionOS: - introduced: '2.0' - accessrights: None - supervised: true - requiresdep: true - userenrollment: - mode: forbidden - watchOS: - introduced: n/a - content: Informs the device that it can continue past DEP enrollment. Only works - on devices in DEP that have their cloud configuration set to await configuration. -notes: -- title: '' - content: |- - This command only works on Device Enrollment Program (DEP) devices that have their cloud configuration set to await configuration. - - Refer to the following sections to determine supported channels and requirements, and to see an example request and response. diff --git a/mdm/commands/device.erase.yaml b/mdm/commands/device.erase.yaml deleted file mode 100644 index 26c6373..0000000 --- a/mdm/commands/device.erase.yaml +++ /dev/null 
@@ -1,188 +0,0 @@ -title: Erase Device Command -description: Remotely and immediately erase a device. -payload: - requesttype: EraseDevice - supportedOS: - iOS: - introduced: '4.0' - accessrights: AllowDeviceErase - supervised: false - requiresdep: false - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: forbidden - macOS: - introduced: '10.7' - accessrights: AllowDeviceErase - devicechannel: true - userchannel: false - supervised: false - requiresdep: false - userenrollment: - mode: forbidden - tvOS: - introduced: '10.2' - accessrights: AllowDeviceErase - supervised: false - visionOS: - introduced: '1.1' - accessrights: AllowDeviceErase - supervised: false - requiresdep: false - userenrollment: - mode: forbidden - watchOS: - introduced: '10.0' - accessrights: AllowDeviceErase - supervised: false - content: This command allows the server to remotely erase the device. This command - requires the Device Erase right. -payloadkeys: -- key: PreserveDataPlan - supportedOS: - iOS: - introduced: '11.0' - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, preserve the data plan on an iPhone or iPad with eSIM functionality, - if one exists. This value is available in iOS 11 and later. -- key: DisallowProximitySetup - supportedOS: - iOS: - introduced: '11.3' - sharedipad: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, disable Proximity Setup on the next reboot and skip the pane - in Setup Assistant. This value is available in iOS 11 and later. Prior to iOS - 14, don't use this option with any other option. 
-- key: PIN - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.8' - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The six-character PIN for Find My. This value is available in macOS 10.8 - and later. -- key: ObliterationBehavior - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '12.0' - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - rangelist: - - Default - - DoNotObliterate - - ObliterateWithWarning - - Always - content: |- - This key defines the fallback behavior for erasing a device. - - In macOS 12 and later, this command uses Erase All Content and Settings (EACS) on Mac computers with the Apple M1 chip or the Apple T2 Security Chip. On those devices, if EACS can't run, the device can use obliteration (macOS 11.x behavior). This key has no effect on machines prior to the T2 chip. For a list of supported macs, see [Mac models with the Apple T2 Security Chip](https://support.apple.com/en-us/HT208862). - - Upon receiving this command, the device performs preflight checks to determine if the device is in a state that allows EACS. The `status` of the `EraseDeviceResponse` is either `Acknowledged` or `Error`. - - The following values define the device's fallback behavior: - - - `DoNotObliterate`: If EACS preflight fails, the device responds to the server with an `Error` status and doesn't attempt to erase itself. - If EACS preflight succeeds, but EACS fails, the device doesn't attempt to erase itself. - - `ObliterateWithWarning`: If EACS preflight fails, the device responds with an `Acknowledged` status and then attempts to erase itself. - If EACS preflight succeeds, but EACS fails, the device attempts to erase itself. - - `Always`: The system doesn't attempt EACS. T2 and later devices always obliterate. 
- - `Default`: If EACS preflight fails, the device responds to the server with an `Error` status and then attempts to erase itself. - If EACS preflight succeeds, but EACS fails, the device attempts to erase itself. -- key: ReturnToService - supportedOS: - iOS: - introduced: '17.0' - macOS: - introduced: n/a - tvOS: - introduced: '18.0' - visionOS: - introduced: '26.0' - watchOS: - introduced: n/a - type: - presence: optional - content: The configuration settings for return to service. This value is available - in iOS 17 and later, with Shared iPad, in tvOS 18 and later, and in visionOS 26 - and later. - subkeys: - - key: Enabled - title: Use return to service - type: - presence: required - content: If `true`, the device tries to reenroll itself automatically after erasure. - The user needs to deactivate all activation locks for this feature to work correctly. - - key: WiFiProfileData - type: - presence: optional - content: The Wi-Fi profile that installs after erasure when using return to service. - This is required when the device doesn't have an Ethernet or cellular connection. - - key: MDMProfileData - type: - presence: optional - content: |- - The MDM profile that installs after erasure when using return to service. This key is required for all unsupervised devices, as well as supervised devices that don't enroll with Automated Device Enrollment. If provided, the device uses this profile directly instead of fetching it from the server. For devices that enroll with Automated Device Enrollment, this key isn't necessary unless the cloud configuration profile of the device contains the `configuration-web-url` key. - - The cloud configuration still downloads from Apple's servers when the profile contains this key, so the supervision identity, MDM removability, and other settings from the cloud configuration still apply. However, the device doesn't use the specified URL in the cloud configuration to fetch the MDM profile. 
- - key: BootstrapToken - supportedOS: - iOS: - introduced: '26.0' - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: '26.0' - watchOS: - introduced: n/a - type: - presence: optional - content: The bootstrap token the system uses to implement return to service with - app preservation. Required when enabling return to service through the cloud - configuration. -notes: -- title: '' - content: |- - This command allows the server to immediately erase a device, even a locked device, without warning the user. The device sends a response to the server, but it doesn't retry if it isn't successful the first time. - - Refer to the following sections to determine supported channels and requirements, and to see an example request and response. diff --git a/mdm/commands/device.esim.yaml b/mdm/commands/device.esim.yaml deleted file mode 100644 index 5139d78..0000000 --- a/mdm/commands/device.esim.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -title: Refresh Cellular Plans Command -description: Query a carrier URL for active eSIM cellular-plan profiles on a device. -payload: - requesttype: RefreshCellularPlans - supportedOS: - iOS: - introduced: '13.0' - accessrights: None - supervised: false - requiresdep: false - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: |- - Instructs the device to query for active cellular plan eSIM "profiles" (not a profile in the MDM sense) - at the designated carrier eSIM server URL. This command is only supported on cellular devices, and only - a subset of those devices support eSIM configuration management. (Need details from CoreTelephony.) -payloadkeys: -- key: eSIMServerURL - type: - presence: required - content: The carrier's eSIM server URL to query. Obtain this URL from each carrier - separately. -notes: -- title: Error codes - content: |- - An error response uses one of the following error codes: - - - `36001`: Unable to communicate with the cellular software stack. - - `36002`: The hardware doesn't support this command. - - `36003`: The cellular stack was unable to perform the request. This error can also occur if the cellular stack is busy, in which case, retrying the command later may resolve the issue. diff --git a/mdm/commands/device.lock.yaml b/mdm/commands/device.lock.yaml deleted file mode 100644 index 7e0d477..0000000 --- a/mdm/commands/device.lock.yaml +++ /dev/null 
@@ -1,105 +0,0 @@ -title: Device Lock Command -description: Remotely and immediately lock a device. -payload: - requesttype: DeviceLock - supportedOS: - iOS: - introduced: '4.0' - accessrights: AllowPasscodeRemovalAndLock - supervised: false - requiresdep: false - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: allowed - macOS: - introduced: '10.7' - accessrights: AllowPasscodeRemovalAndLock - devicechannel: true - userchannel: false - supervised: false - requiresdep: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: '2.0' - accessrights: AllowPasscodeRemovalAndLock - supervised: false - requiresdep: false - userenrollment: - mode: allowed - watchOS: - introduced: '10.0' - accessrights: AllowPasscodeRemovalAndLock - supervised: false - content: This command allows the server to immediately lock the device. This command - requires the Device Lock and Passcode Removal right. -payloadkeys: -- key: Message - supportedOS: - iOS: - introduced: '7.0' - sharedipad: - mode: ignored - macOS: - introduced: '10.14' - visionOS: - introduced: n/a - type: - presence: optional - content: The message to display on the Lock Screen of the device. This value doesn't - apply to a Shared iPad device. This value is available in iOS 4 and later, and - macOS 10.14 and later. -- key: PhoneNumber - supportedOS: - iOS: - introduced: '7.0' - sharedipad: - mode: ignored - macOS: - introduced: '11.5' - visionOS: - introduced: n/a - type: - presence: optional - content: The phone number to display on the Lock Screen. This value doesn't apply - to a Shared iPad device. This value is available in iOS 7 and later and macOS - 11.5 and later (for a Mac with Apple silicon only). -- key: PIN - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.8' - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The six-character PIN for Find My. 
This value is available in macOS 10.8 - and later. -responsekeys: -- key: MessageResult - type: - presence: optional - content: |- - The message result if the command includes a message or phone number, which is one of the following values: - - - `Success`: The message displayed successfully. - - `DeviceInLostMode`: The device is in Lost Mode. - - `NoPasscodeSet`: The message didn't display because there isn't a set passcode. - - `Unknown`: An unknown error occurred. -notes: -- title: '' - content: |- - You can display a message and phone number on the Lock Screen if the user has set a passcode for the device, it isn't a Shared iPad, and it isn't in Lost Mode. In macOS, this command uses the Find My framework to lock a device, and fails if there's no recovery partition on the device. - - > Warning: - > Sending this command to a Mac with Apple silicon running a version of macOS before 11.5 deactivates the Mac. To reactivate that Mac, it needs a network connection and authentication by a local administrator with Secure Token enabled. - - Refer to the following sections to determine supported channels and requirements, and to see an example request and response. diff --git a/mdm/commands/device.lostmode.disable.yaml b/mdm/commands/device.lostmode.disable.yaml deleted file mode 100644 index 6457fe8..0000000 --- a/mdm/commands/device.lostmode.disable.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -title: Disable Lost Mode Command -description: Take the device out of Lost Mode. -payload: - requesttype: DisableLostMode - supportedOS: - iOS: - introduced: '9.3' - accessrights: None - supervised: true - requiresdep: false - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: This command allows the server to take the device out of MDM lost mode. -notes: -- title: '' - content: |- - A device responds with error codes: - - - `12067`: If it isn't in Lost Mode. - - `12069`: If the request to disable Lost Mode failed. - - `12078`: If the command is invalid while in Lost Mode. - - Erasing a device also disables Lost Mode. To reenable Lost Mode, the MDM server needs to store the device's Lost Mode state before erasing it, and restore that state if the device enrolls again. - - Refer to the following sections to determine supported channels and requirements, and to see an example request and response. diff --git a/mdm/commands/device.lostmode.enable.yaml b/mdm/commands/device.lostmode.enable.yaml deleted file mode 100644 index 3cbf57a..0000000 --- a/mdm/commands/device.lostmode.enable.yaml +++ /dev/null 
@@ -1,49 +0,0 @@ -title: Enable Lost Mode Command -description: Enable Lost Mode on a device, which provides a message and phone number - on the Lock Screen. -payload: - requesttype: EnableLostMode - supportedOS: - iOS: - introduced: '9.3' - accessrights: None - supervised: true - requiresdep: false - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: This command allows the server to put the device in MDM lost mode, with - a message, phone number, and footnote text. A message or phone number must be - provided. -payloadkeys: -- key: Message - type: - presence: optional - content: If present, the device displays this text on the Lock Screen. You must - provide this value if you don't provide a value for `PhoneNumber`. -- key: PhoneNumber - type: - presence: optional - content: If present, the device displays this phone number on the Lock Screen. You - must provide this value if you don't provide a value for `Message`. -- key: Footnote - type: - presence: optional - content: If present, the device displays this text at the bottom of the Lock Screen. -notes: -- title: '' - content: |- - While in Lost Mode, a device responds to invalid commands with error code `12078`. - - Refer to the following sections to determine supported channels and requirements, and to see an example request and response. diff --git a/mdm/commands/device.lostmode.location.yaml b/mdm/commands/device.lostmode.location.yaml deleted file mode 100644 index 41ff78f..0000000 --- a/mdm/commands/device.lostmode.location.yaml +++ /dev/null 
@@ -1,91 +0,0 @@ -title: Device Location Command -description: Request the location of a device when in Lost Mode. -payload: - requesttype: DeviceLocation - supportedOS: - iOS: - introduced: '9.3' - accessrights: None - supervised: true - requiresdep: false - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a -responsekeys: -- key: Latitude - type: - presence: required - content: The latitude of the device's location. -- key: Longitude - type: - presence: required - content: The longitude of the device's location. -- key: HorizontalAccuracy - supportedOS: - iOS: - introduced: '10.3' - type: - presence: required - content: The radius of uncertainty for the location in meters, which is a negative - value if the horizontal accuracy is unknown. -- key: VerticalAccuracy - supportedOS: - iOS: - introduced: '10.3' - type: - presence: required - content: The accuracy of the altitude value in meters, which is a negative value - if the vertical accuracy is unknown. -- key: Altitude - supportedOS: - iOS: - introduced: '10.3' - type: - presence: required - content: The altitude of the device's location, which is a negative value if the - altitude is unknown. -- key: Speed - supportedOS: - iOS: - introduced: '10.3' - type: - presence: required - content: The speed of the device in meters per second, which is a negative value - if the speed is unknown. -- key: Course - supportedOS: - iOS: - introduced: '10.3' - type: - presence: required - content: The direction the device is traveling, which is a negative value if the - course is unknown. -- key: Timestamp - supportedOS: - iOS: - introduced: '10.3' - type: - presence: required - content: The RFC 3339 timestamp of when the server determines the location of the - device. 
-notes: -- title: '' - content: |- - A device responds with error codes: - - - `12067`: If it isn't in Lost mode. - - `12068`: If its location is unknown. - - `12078`: If the command is invalid while in Lost Mode. - - Refer to the following sections to determine supported channels and requirements, and to see an example request and response. diff --git a/mdm/commands/device.lostmode.playsound.yaml b/mdm/commands/device.lostmode.playsound.yaml deleted file mode 100644 index 5ce8318..0000000 --- a/mdm/commands/device.lostmode.playsound.yaml +++ /dev/null @@ -1,38 +0,0 @@ -title: Play Lost Mode Sound Command -description: Play the Lost Mode sound on a device that's in Lost Mode. -payload: - requesttype: PlayLostModeSound - supportedOS: - iOS: - introduced: '10.3' - accessrights: None - supervised: true - requiresdep: false - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: This command allows the server to tell the device to play a sound if it - is in MDM Lost Mode. The sound will play until the device is either removed from - Lost Mode or a user disables the sound from the device. -notes: -- title: '' - content: |- - A device responds with error code: - - - `12067`: If it isn't in Lost mode. - - `12078`: If the command is invalid while in Lost Mode. - - The sound plays until the server disables Lost Mode or the user disables the sound on the device. - - Refer to the following sections to determine supported channels and requirements, and to see an example request and response. diff --git a/mdm/commands/device.restart.yaml b/mdm/commands/device.restart.yaml deleted file mode 100644 index 6cea5fd..0000000 --- a/mdm/commands/device.restart.yaml +++ /dev/null 
@@ -1,89 +0,0 @@ -title: Restart Device Command -description: Remotely and immediately restart a device. -payload: - requesttype: RestartDevice - supportedOS: - iOS: - introduced: '10.3' - accessrights: AllowPasscodeRemovalAndLock - supervised: true - requiresdep: false - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: forbidden - macOS: - introduced: '10.13' - accessrights: AllowPasscodeRemovalAndLock - devicechannel: true - userchannel: false - supervised: false - requiresdep: false - userenrollment: - mode: forbidden - tvOS: - introduced: '10.2' - accessrights: AllowPasscodeRemovalAndLock - supervised: true - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: This command requires the Device Lock access right. The device will restart - immediately. -payloadkeys: -- key: RebuildKernelCache - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '11.0' - tvOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system rebuilds the kernel cache during a device restart. - If `BootstrapTokenAllowedForAuthentication` is `true` in the `SecurityInfo` response, - the device requests the bootstrap token from the MDM server prior to executing - this command. This value is available in macOS 11 and later. -- key: KextPaths - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '11.0' - tvOS: - introduced: n/a - type: - presence: optional - content: If `RebuildKernelCache` is `true`, this value specifies the paths to kexts - to add to the auxiliary kernel cache since the last kernel cache rebuild. If not - present, the system only adds previously discovered kexts to the kernel cache. - This value is available in macOS 11 and later. 
- subkeys: - - key: KextPathsItem - type: -- key: NotifyUser - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '11.4' - tvOS: - introduced: n/a - type: - presence: optional - default: false - content: |- - If `true`, notifies the user to restart the device at their convenience. No forced restart occurs unless the device is at `loginwindow` with no logged-in users. The user can dismiss the notification and ignore the request. No further notifications display unless you resend the command. - - This value is available in macOS 11.3 and later. -notes: -- title: '' - content: |- - A passcode-locked iOS device doesn't rejoin a Wi-Fi network after restarting, so it may not be able to communicate with the server. - - Refer to the following sections to determine supported channels and requirements, and to see an example request and response. diff --git a/mdm/commands/device.restrictions.clearpassword.yaml b/mdm/commands/device.restrictions.clearpassword.yaml deleted file mode 100644 index 8c95e34..0000000 --- a/mdm/commands/device.restrictions.clearpassword.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -title: Clear Restrictions Password Command -description: Clear the Screen Time password and the restrictions on a device. -payload: - requesttype: ClearRestrictionsPassword - supportedOS: - iOS: - introduced: '8.0' - accessrights: None - supervised: true - requiresdep: false - sharedipad: - mode: forbidden - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a -notes: -- title: '' - content: |- - In iOS 11 and earlier, this command clears the restrictions password and all restrictions that the password protects. - - In iOS 12.2 and later, if Screen Time uses iCloud to share its settings (Share Across Devices), this command disables Screen Time entirely and clears its restrictions. If the user is a child in an iCloud family, the command fails. Otherwise, if Screen Time isn't using iCloud, this command clears the passcode, but not the restrictions, and it leaves Screen Time enabled. - - Refer to the following sections to determine supported channels and requirements, and to see an example request and response. diff --git a/mdm/commands/device.restrictions.list.yaml b/mdm/commands/device.restrictions.list.yaml deleted file mode 100644 index a499a11..0000000 --- a/mdm/commands/device.restrictions.list.yaml +++ /dev/null 
@@ -1,140 +0,0 @@ -title: Restrictions Command -description: Get a list of restrictions on the device. -payload: - requesttype: Restrictions - supportedOS: - iOS: - introduced: '4.0' - accessrights: AllowQueryRestrictions - supervised: false - requiresdep: false - sharedipad: - mode: allowed - devicechannel: true - userchannel: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: '9.0' - accessrights: AllowQueryRestrictions - supervised: false - visionOS: - introduced: '1.1' - accessrights: AllowQueryRestrictions - supervised: false - requiresdep: false - userenrollment: - mode: forbidden - watchOS: - introduced: '10.0' - accessrights: AllowQueryRestrictions - supervised: false - content: This command allows the server to determine what restrictions are being - enforced on the device, and the total sum of all restrictions. This command requires - the Restrictions Query access right. This technically does work on macOS but it - returns a blank dictionary and there no plans to change this behavior. -payloadkeys: -- key: ProfileRestrictions - type: - presence: optional - default: false - content: If `true`, the device reports restrictions from each profile. This value - is available in iOS 4 and later, and tvOS 6.1 and later. -responsekeys: -- key: GlobalRestrictions - type: - presence: required - content: A dictionary that contains the global restrictions in effect. This value - is available in iOS 4 and later, and tvOS 6.1 and later. - subkeytype: RestrictionsDictionary - subkeys: &id001 - - key: restrictedBool - type: - presence: optional - content: A dictionary of Boolean profile restrictions. - subkeytype: BooleanDictionary - subkeys: - - key: ANY restriction name - type: - presence: optional - content: The Boolean restriction parameters. - subkeys: - - key: value - type: - presence: required - content: The value of the restriction. 
- - key: restrictedValue - type: - presence: optional - content: A dictionary of numeric profile restrictions. - subkeytype: ValueDictionary - subkeys: - - key: ANY restriction name - type: - presence: optional - content: The numeric restriction parameters. - subkeys: - - key: value - type: - presence: required - content: The value of the restriction. - - key: intersection - type: - presence: optional - content: A dictionary of intersected profile restrictions. Intersected restrictions - indicate that new restrictions can only reduce the number of strings in the - set. - subkeytype: IntersectionDictionary - subkeys: - - key: ANY restriction name - type: - presence: optional - content: The intersected restriction parameters. - subkeys: - - key: values - type: - presence: required - content: The values of the restriction. - subkeys: - - key: valuesItem - type: - - key: union - type: - presence: optional - content: A dictionary of unioned profile restrictions. Unioned restrictions indicate - that new restrictions can add to the set. - subkeytype: UnionDictionary - subkeys: - - key: ANY restriction name - type: - presence: optional - content: The unioned restriction parameters. - subkeys: - - key: values - type: - presence: required - content: The values of the restriction. - subkeys: - - key: valuesItem - type: -- key: ProfileRestrictions - type: - presence: required - content: A dictionary that contains dictionaries of restrictions from each profile. - This value is only available when `ProfileRestrictions` is `true` in the command. - The keys are the identifiers of the profiles. This value is available in iOS 4 - and later, and tvOS 6.1 and later. - subkeys: - - key: ANY profile identifier - type: - presence: optional - content: The profile identifiers. This dictionary is only available if `ProfileRestrictions` - is `true` in the command. 
- subkeytype: RestrictionsDictionary - subkeys: *id001 -notes: -- title: '' - content: Refer to the following sections to determine supported channels and requirements, - and to see an example request and response. diff --git a/mdm/commands/device.shutdown.yaml b/mdm/commands/device.shutdown.yaml deleted file mode 100644 index 16b2f01..0000000 --- a/mdm/commands/device.shutdown.yaml +++ /dev/null @@ -1,39 +0,0 @@ -title: Shut Down Device Command -description: Remotely and immediately shut down a device. -payload: - requesttype: ShutDownDevice - supportedOS: - iOS: - introduced: '10.3' - accessrights: AllowPasscodeRemovalAndLock - supervised: true - requiresdep: false - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: forbidden - macOS: - introduced: '10.13' - accessrights: AllowPasscodeRemovalAndLock - devicechannel: true - userchannel: false - supervised: false - requiresdep: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: This command requires the Device Lock access right. The device will shut - down immediately. -notes: -- title: '' - content: |- - A passcode-locked iOS device doesn't rejoin a Wi-Fi network after a user restarts it and before they unlock it for the first time, so it can't communicate with the server if it needs Wi-Fi to do so. - - Refer to the following sections to determine supported channels and requirements, and to see an example request and response. diff --git a/mdm/commands/information.contentcaching.yaml b/mdm/commands/information.contentcaching.yaml deleted file mode 100644 index 10ec7e3..0000000 --- a/mdm/commands/information.contentcaching.yaml +++ /dev/null 
@@ -1,647 +0,0 @@ -title: Content Caching Information Command -description: Get the status of the content caches on a device. -payload: - requesttype: ContentCachingInformation - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: 10.15.4 - accessrights: AllowQueryNetworkInformation - devicechannel: true - userchannel: false - supervised: false - requiresdep: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: This command allows the server to query for information about Content Caching. -responsekeys: -- key: StatusResponse - type: - presence: required - content: A dictionary that contains the status of content caching on a device. - subkeys: - - key: Activated - type: - presence: optional - default: false - content: If `true`, the device has enabled content caching. Enabling content caching - doesn't guarantee service. See the `Active` key for the readiness of content - caching to serve requests. - - key: Active - type: - presence: optional - default: false - content: If `true`, content caching is ready to serve requests. - - key: ActualCacheUsed - type: - presence: optional - content: The actual amount of disk space, in bytes, that cached content uses. - See related values `CacheUsed` and `PersonalCacheUsed`. - - key: AlertsForPeerFilterRanges - type: - presence: optional - content: |- - The error conditions the content cache detected in the `PeerFilterRanges` in the installed `com.apple.AssetCache.managed` payload. - - To display these alerts on the device, set `DisplayAlerts` to `true` in the installed `ContentCaching` profile. - subkeys: - - key: ANY index - type: - presence: required - content: A dictionary that describes the alerts for the peer filter ranges. - The key name is the index into the `PeerFilterRanges` array in the installed - `com.apple.AssetCache.managed` payload. 
- subkeys: - - key: className - type: - presence: required - rangelist: - - AssetCacheUnfriendlyPeersInFilterRangeAlert - content: The type of the alert. - - key: postDate - type: - presence: required - content: The date of the alert. - - key: peerFilterRangeIndex - type: - presence: required - content: The index into the `PeerFilterRanges` in the installed ContentCaching - payload. - - key: addresses - type: - presence: required - content: An array of local IP addresses of peer content caches that rejected - requests from the content cache. - subkeys: - - key: address - type: - presence: required - content: Local IP address of a peer Content Cache that rejected requests - from this Content Cache. - - key: Alerts - type: - presence: optional - content: |- - An array that contains the error conditions the content cache detected that aren't related to peer filter ranges, parent content caches, or peer content caches. - - See `AlertsForPeerFilterRanges` for errors related to peer filter ranges. - - See `Parents` and `Peers` for errors related to parent and peer content caches. - - To display these alerts on the device, set `DisplayAlerts` to `true` in the installed `ContentCaching` profile. - subkeys: - - key: AlertsItem - type: - presence: required - content: A dictionary that describes an alert from the content cache. - subkeys: - - key: className - type: - presence: required - rangelist: - - AssetCacheLowSpaceAlert - - AssetCacheNoSpaceAlert - - AssetCacheRegistrationRejectedAlert - - AssetCacheRegistrationUnavailableAlert - - AssetCacheResourceMissingAlert - content: The type of the alert. - - key: postDate - type: - presence: required - content: The date of the alert. - - key: cacheLimit - type: - presence: optional - content: The limit, in bytes, for the content cache at the time of the alert. - This value only applies to `AssetCacheLowSpaceAlert` and `AssetCacheNoSpaceAlert` - types. 
- - key: reservedVolumeSpace - type: - presence: optional - content: The space, in bytes, that the system reserves at the time of the - alert. This value only applies to the `AssetCacheLowSpaceAlert` and `AssetCacheNoSpaceAlert` - types. - - key: resource - type: - presence: optional - content: The resource that was missing or inaccessible at the time of the - alert. This value only applies to the `AssetCacheResourceMissingAlert` type. - - key: pathPreventingAccess - type: - presence: optional - content: The subpath of the resource that was missing or inaccessible at the - time of the alert. This value only applies to the `AssetCacheResourceMissingAlert` - type. - - key: CacheDetails - type: - presence: optional - content: The amount of disk space that various categories of cached content use. - Apple defines these categories and they're subject to change. - subkeys: - - key: Category Name - type: - presence: required - content: The amount of disk space, in bytes, that this category of cached content - uses. - - key: CacheFree - type: - presence: optional - content: The amount of disk space, in bytes, available to the content cache. - - key: CacheLimit - type: - presence: optional - content: The maximum amount of disk space, in bytes, available to the content - cache. A value of `0` indicates an unlimited amount. This value corresponds - to `CacheLimit` in the installed `ContentCaching` profile. - - key: CacheStatus - type: - presence: optional - rangelist: - - LOWSPACE - - OK - content: The level of cache pressure. `LowSpace` means cache pressure is high. - - key: CacheUsed - type: - presence: optional - content: The amount of disk space, in bytes, cached content uses. Content caching - allocates space in its cache for entire files even when it stores only part - of those files in its cache. - - key: DataMigrationCompleted - type: - presence: optional - default: false - content: If `true`, the content cache finished moving from one volume to another. 
- - key: DataMigrationError - type: - presence: optional - content: The error that occurred while the content cache moved from one volume - to another. - subkeys: - - key: domain - type: - presence: required - content: The error domain. - - key: code - type: - presence: required - content: The error code. - - key: userInfo - type: - presence: optional - content: A dictionary that contains additional information about the error. - subkeys: - - key: ANY - type: - presence: optional - content: A dictionary that contains additional details about the error. - - key: DataMigrationProgress - type: - presence: optional - range: - min: 0.0 - max: 1.0 - content: A floating-point number between `0.0` and `1.0` that indicates the percentage - of progress in moving the content cache from one volume to another. A value - of `1.0` indicates that the content cache has fully migrated. - - key: MaxCachePressureLast1Hour - type: - presence: optional - range: - min: 0.0 - max: 1.0 - content: A floating-point number between `0.0` and `1.0` that represents how often - the cache needed more disk space over the last hour of operation. A lower value - is better. - - key: Parents - type: - presence: optional - content: An array of dictionaries that describes parent content caches. - subkeys: - - key: ParentsItem - type: - presence: optional - content: A dictionary that describes a parent content cache. - subkeys: - - key: address - type: - presence: required - content: The local IP address of the parent content cache. - - key: alert - type: - presence: optional - content: A dictionary that describes an alert related to the parent content - cache. - subkeys: - - key: className - type: - presence: required - rangelist: - - AssetCacheParentCycleAlert - - AssetCacheParentDepthAlert - content: The type of the alert. - - key: postDate - type: - presence: required - content: The date of the alert. 
- - key: addresses - type: - presence: required - content: An array of local IP addresses of parent content caches. - subkeys: - - key: address - type: - presence: required - content: Local IP address of a parent Content Cache. - - key: details - type: - presence: required - content: A dictionary that contains additional details about the parent content - cache. - subkeys: - - key: ac-power - type: - presence: optional - default: false - content: If `true`, the parent content cache power source is AC; otherwise, - an internal battery provides its power. - - key: cache-size - type: - presence: optional - content: The maximum amount of disk space, in bytes, available to the parent - content cache. - - key: capabilities - type: - presence: optional - content: A dictionary that describes the capabilities of the parent content - cache. - subkeys: - - key: im - type: - presence: optional - default: false - content: If `true`, the parent content cache is capable of imports and - uploads. - - key: ns - type: - presence: optional - default: false - content: If `true`, the parent content cache is capable of handling namespaces, - which is an aspect of personal caching. - - key: pc - type: - presence: optional - default: false - content: If `true`, the parent content cache is capable of caching personal - iCloud content. - - key: query-parameters - type: - presence: optional - default: false - content: If `true`, the parent content cache is capable of handling query - parameters in URLs. - - key: sc - type: - presence: optional - default: false - content: If `true`, the parent content cache is capable of caching shared - non-iCloud content. - - key: ur - type: - presence: optional - default: false - content: If `true`, the parent content cache is capable of prioritizing - imports and uploads. - - key: is-portable - type: - presence: optional - default: false - content: If `true`, the parent content cache computer is portable; for example, - a laptop. 
- - key: local-network - type: - presence: optional - content: A dictionary that describes the parent content cache's connection - to its local network. - subkeys: - - key: speed - type: - presence: optional - content: The transfer speed, in megabits per second, of the parent content - cache's connection to its local network. - - key: wired - type: - presence: optional - default: false - content: If `true`, the parent content cache has a wired connection to - its local network. If `false`, it has a wireless connection; for example, - Wi-Fi. - - key: guid - type: - presence: required - content: The unique identifier of the parent content cache. - - key: healthy - type: - presence: required - content: If `true,` the parent content cache is able to respond to requests - from this content cache. - - key: port - type: - presence: required - content: The IP port number the parent content cache listens to for requests. - - key: version - type: - presence: required - content: The version number of the parent content cache software. - - key: Peers - type: - presence: optional - content: An array of dictionaries that describes peer content caches. - subkeys: - - key: PeersItem - type: - presence: optional - content: A dictionary that describes a peer content cache. - subkeys: - - key: address - type: - presence: required - content: The local IP address of the peer content cache. - - key: alert - type: - presence: optional - content: A dictionary that describes an alert related to the peer content - cache. - subkeys: - - key: className - type: - presence: required - rangelist: - - AssetCachePeerCycleAlert - - AssetCacheUnfriendlyPeerAlert - content: The type of the alert. - - key: postDate - type: - presence: required - content: The date of the alert. - - key: addresses - type: - presence: optional - content: An array of local IP addresses of peer content caches. - subkeys: - - key: address - type: - presence: required - content: Local IP address of a peer Content Cache. 
- - key: peerAddress - type: - presence: optional - content: The local IP address of a peer content cache. - - key: details - type: - presence: required - content: A dictionary that contains additional details about the peer content - cache. - subkeys: - - key: ac-power - type: - presence: optional - default: false - content: If `true`, the peer content cache power source is AC; otherwise, - an internal battery provides its power. - - key: cache-size - type: - presence: optional - content: The maximum amount of disk space, in bytes, available to the peer - content cache. - - key: capabilities - type: - presence: optional - content: A dictionary that describes the capabilities of the peer content - cache. - subkeys: - - key: im - type: - presence: optional - default: false - content: If `true`, the peer content cache is capable of imports and uploads. - - key: ns - type: - presence: optional - default: false - content: If `true`, the peer content cache is capable of handling namespaces, - which is an aspect of personal caching. - - key: pc - type: - presence: optional - default: false - content: If `true`, the peer content cache is capable of caching personal - iCloud content. - - key: query-parameters - type: - presence: optional - default: false - content: If `true`, the peer content cache is capable of handling query - parameters in URLs. - - key: sc - type: - presence: optional - default: false - content: If `true`, the peer content cache is capable of caching shared - non-iCloud content. - - key: ur - type: - presence: optional - default: false - content: If `true`, the peer content cache is capable of prioritizing - imports and uploads. - - key: is-portable - type: - presence: optional - default: false - content: If `true`, the peer content cache computer is portable; for example, - a laptop. - - key: local-network - type: - presence: optional - content: A dictionary that describes the peer content cache's connection - to its local network. 
- subkeys: - - key: speed - type: - presence: optional - content: The transfer speed, in megabits per second, of the peer content - cache's connection to its local network. - - key: wired - type: - presence: optional - default: false - content: If `true`, the peer content cache has a wired connection to its - local network. If `false`, it has a wireless connection; for example, - Wi-Fi. - - key: friendly - type: - presence: required - content: If `true`, the peer content cache is able to respond to requests - from the content cache. - - key: guid - type: - presence: required - content: The unique identifier of the peer content cache. - - key: healthy - type: - presence: required - content: If `true`, the peer content cache is able to respond to requests - from the content cache. - - key: port - type: - presence: required - content: The IP port number the peer content cache listens to for requests. - - key: version - type: - presence: required - content: The version number of the peer content cache software. - - key: PersonalCacheFree - type: - presence: optional - content: The amount of disk space, in bytes, available to the content cache for - personal iCloud content. - - key: PersonalCacheLimit - type: - presence: optional - content: The maximum amount of disk space, in bytes, available to the content - cache for personal iCloud content. A value of `0` indicates an unlimited amount. - - key: PersonalCacheUsed - type: - presence: optional - content: The amount of disk space, in bytes, available to the content cache for - personal iCloud content. - - key: Port - type: - presence: optional - content: The IP port number the content cache listens to for requests from clients, - peers, and children. - - key: PrivateAddresses - type: - presence: optional - content: An array of the content cache's local IP addresses. 
- subkeys: - - key: PrivateAddressesItem - type: - presence: required - content: Local IP address at which the Content Cache listens for requests from - clients, peers, and children. - - key: PublicAddress - type: - presence: optional - content: The public IP address of the content cache. - - key: RegistrationError - type: - presence: optional - content: If present, the reason the content cache failed to register itself with - Apple. - - key: RegistrationResponseCode - type: - presence: optional - content: If present, the HTTP response code the content cache received when it - failed to register itself with Apple. - - key: RegistrationStarted - type: - presence: optional - content: The date when the content cache began registering itself with Apple. - This value is only available during registration attempts. - - key: RegistrationStatus - type: - presence: optional - rangelist: - - -1 - - 0 - - 1 - content: |- - The status of the content cache's registration with Apple, which is one of the following values: - - - `-1:` Failed - - `0:` Pending - - `1:` Succeeded - - key: RestrictedMedia - type: - presence: optional - default: false - content: If `true`, a restriction prevents caching of certain content types. - - key: ServerGUID - type: - presence: optional - content: The unique identifier of the content cache. - - key: StartupStatus - type: - presence: optional - rangelist: - - FAILED - - MIGRATING_DATA - - OK - - PENDING - content: The status of the content cache's registration with Apple. - - key: TetheratorStatus - type: - presence: optional - rangelist: - - -1 - - 0 - - 1 - content: |- - The status of tethered caching, which is content caching with a shared internet connection, which is one of the following values: - - - `-1:` Unknown - - `0:` Disabled - - `1:` Enabled - - key: TotalBytesAreSince - type: - presence: optional - content: The start date to use when collecting data for the other `TotalBytes` - values. 
- - key: TotalBytesDropped - type: - presence: optional - content: The amount of data, in bytes, that the content cache downloaded, but - couldn't add to its cache, since the `TotalBytesAreSince` date. - - key: TotalBytesImported - type: - presence: optional - content: The amount of data, in bytes, that the content cache received since the - `TotalBytesAreSince` date. - - key: TotalBytesReturnedToChildren - type: - presence: optional - content: The amount of data, in bytes, that the content cache served to its child - content cache since the `TotalBytesAreSince` date. - - key: TotalBytesReturnedToClients - type: - presence: optional - content: The amount of data, in bytes, that the content cache served to client - iOS, macOS, and tvOS devices since the `TotalBytesAreSince` date. - - key: TotalBytesReturnedToPeers - type: - presence: optional - content: The amount of data, in bytes, that the content cache served to peer content - caches since the `TotalBytesAreSince` date. - - key: TotalBytesStoredFromOrigin - type: - presence: optional - content: The amount of data, in bytes, that the content cache saved from the internet - since the `TotalBytesAreSince` date. - - key: TotalBytesStoredFromParents - type: - presence: optional - content: The amount of data, in bytes, that the content cache saved from parent - content caches since the `TotalBytesAreSince` date. - - key: TotalBytesStoredFromPeers - type: - presence: optional - content: The amount of data, in bytes, that the content cache saved from peer - content caches since the `TotalBytesAreSince` date. diff --git a/mdm/commands/information.device.yaml b/mdm/commands/information.device.yaml deleted file mode 100644 index bbdbba9..0000000 --- a/mdm/commands/information.device.yaml +++ /dev/null 
@@ -1,3294 +0,0 @@ -title: Device Information Command -description: Get detailed information about a device. -payload: - requesttype: DeviceInformation - supportedOS: - iOS: - introduced: '4.0' - accessrights: Special Case - supervised: false - requiresdep: false - sharedipad: - mode: allowed - devicechannel: true - userchannel: true - userenrollment: - mode: allowed - macOS: - introduced: '10.7' - accessrights: Special Case - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userenrollment: - mode: allowed - tvOS: - introduced: '9.0' - accessrights: Special Case - supervised: false - visionOS: - introduced: '1.1' - accessrights: Special Case - supervised: false - requiresdep: false - userenrollment: - mode: allowed - watchOS: - introduced: '10.0' - accessrights: Special Case - supervised: false - content: This command allows the server to query for specific device information. - It's supported in the user channel. -payloadkeys: -- key: Queries - type: - presence: required - content: An array of query dictionaries to get information about a device. - subkeys: - - key: QueriesItem - type: - content: A query dictionary to get information about a device. - subkeys: - - key: UDID - supportedOS: - iOS: - accessrights: n/a - userenrollment: - mode: forbidden - macOS: - accessrights: n/a - userenrollment: - mode: forbidden - tvOS: - accessrights: n/a - visionOS: - accessrights: n/a - userenrollment: - mode: forbidden - watchOS: - accessrights: n/a - type: - presence: optional - content: The key to get the unique identifier of the device. - - key: ProvisioningUDID - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '11.3' - accessrights: n/a - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to get the device identifier for provisioning profiles. This - value differs from the UDID for a Mac with Apple silicon. 
Available in macOS - 11.3 and later. - - key: OrganizationInfo - supportedOS: - iOS: - introduced: '7.0' - accessrights: n/a - macOS: - introduced: '10.11' - tvOS: - introduced: '9.0' - accessrights: n/a - visionOS: - accessrights: n/a - watchOS: - accessrights: n/a - type: - presence: optional - content: The key to get the contents of `OrganizationInfo`. - - key: MDMOptions - supportedOS: - iOS: - introduced: '7.0' - accessrights: n/a - macOS: - introduced: '11.0' - tvOS: - introduced: '9.0' - accessrights: n/a - visionOS: - accessrights: n/a - watchOS: - introduced: '10.0' - type: - presence: optional - content: The key to get the contents of `MDMOptions`. - - key: LastCloudBackupDate - supportedOS: - iOS: - introduced: '8.0' - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - userenrollment: - mode: forbidden - watchOS: - introduced: n/a - type: - presence: optional - content: The key to get the date of the most-recent iCloud backup. Available - in iOS 8 and later. - - key: AwaitingConfiguration - supportedOS: - iOS: - introduced: '9.0' - accessrights: n/a - userenrollment: - mode: forbidden - macOS: - introduced: '10.11' - accessrights: n/a - userenrollment: - mode: forbidden - tvOS: - introduced: '10.2' - accessrights: n/a - visionOS: - introduced: '2.0' - userenrollment: - mode: forbidden - watchOS: - accessrights: n/a - type: - presence: optional - content: The key to determine whether the device is waiting for a `Device-Configured-Command` - command or `User-Configured-Command` command to continue through Setup Assistant - on the device channel or user channel, respectively. 
- - key: iTunesStoreAccountIsActive - supportedOS: - iOS: - introduced: '7.0' - accessrights: AllowAppInstallation - userenrollment: - mode: forbidden - macOS: - introduced: '10.9' - accessrights: AllowAppInstallation - userenrollment: - mode: forbidden - tvOS: - introduced: '9.0' - accessrights: AllowAppInstallation - visionOS: - introduced: n/a - watchOS: - accessrights: AllowAppInstallation - type: - presence: optional - content: The key to determine whether the iTunes Store account is active. Requires - the App Installation access right. - - key: iTunesStoreAccountHash - supportedOS: - iOS: - introduced: '8.0' - accessrights: AllowAppInstallation - userenrollment: - mode: forbidden - macOS: - introduced: '10.10' - accessrights: AllowAppInstallation - userenrollment: - mode: forbidden - tvOS: - introduced: '9.0' - accessrights: AllowAppInstallation - visionOS: - introduced: n/a - watchOS: - accessrights: AllowAppInstallation - type: - presence: optional - content: The key to get a hash of the logged-in iTunes Store account. Also see - `GetVppUserRequest`. Requires the App Installation access right. - - key: DeviceName - supportedOS: - iOS: - accessrights: AllowQueryDeviceInformation - macOS: - accessrights: AllowQueryDeviceInformation - tvOS: - accessrights: AllowQueryDeviceInformation - visionOS: - accessrights: AllowQueryDeviceInformation - watchOS: - accessrights: AllowQueryDeviceInformation - type: - presence: optional - content: The key to get the device name. Requires the Device Information access - right. - - key: OSVersion - supportedOS: - iOS: - accessrights: AllowQueryDeviceInformation - macOS: - accessrights: AllowQueryDeviceInformation - tvOS: - accessrights: AllowQueryDeviceInformation - visionOS: - accessrights: AllowQueryDeviceInformation - watchOS: - accessrights: AllowQueryDeviceInformation - type: - presence: optional - content: The key to get the operating system version. Requires the Device Information - access right. 
- - key: SupplementalOSVersionExtra - supportedOS: - iOS: - introduced: '16.1' - accessrights: AllowQueryDeviceInformation - macOS: - introduced: '13.0' - accessrights: AllowQueryDeviceInformation - tvOS: - introduced: '16.1' - accessrights: AllowQueryDeviceInformation - visionOS: - accessrights: AllowQueryDeviceInformation - watchOS: - accessrights: AllowQueryDeviceInformation - type: - presence: optional - content: The key to get the OS update Background Security Improvement version - letter, if a Background Security Improvement update is installed. Requires - the Device Information access right. - - key: BuildVersion - supportedOS: - iOS: - accessrights: AllowQueryDeviceInformation - macOS: - accessrights: AllowQueryDeviceInformation - tvOS: - accessrights: AllowQueryDeviceInformation - visionOS: - accessrights: AllowQueryDeviceInformation - watchOS: - accessrights: AllowQueryDeviceInformation - type: - presence: optional - content: The key to get the operating system version. Requires the Device Information - access right. - - key: SupplementalBuildVersion - supportedOS: - iOS: - introduced: '16.1' - accessrights: AllowQueryDeviceInformation - macOS: - introduced: '13.0' - accessrights: AllowQueryDeviceInformation - tvOS: - introduced: '16.1' - accessrights: AllowQueryDeviceInformation - visionOS: - accessrights: AllowQueryDeviceInformation - watchOS: - accessrights: AllowQueryDeviceInformation - type: - presence: optional - content: The key to get the build version for the currently installed Background - Security Improvement. If there's no installed Background Security Improvement, - this value is the same as `BuildVersion`. Requires the Device Information - access right. 
- - key: ModelName - supportedOS: - iOS: - accessrights: AllowQueryDeviceInformation - macOS: - accessrights: AllowQueryDeviceInformation - tvOS: - accessrights: AllowQueryDeviceInformation - visionOS: - accessrights: AllowQueryDeviceInformation - watchOS: - accessrights: AllowQueryDeviceInformation - type: - presence: optional - content: The key to get the model name, such as _iPhone_. Requires the Device - Information access right. - - key: Model - supportedOS: - iOS: - accessrights: AllowQueryDeviceInformation - macOS: - accessrights: AllowQueryDeviceInformation - tvOS: - accessrights: AllowQueryDeviceInformation - visionOS: - introduced: n/a - watchOS: - accessrights: AllowQueryDeviceInformation - type: - presence: optional - content: The key to get the model. Requires the Device Information access right. - - key: ModelNumber - supportedOS: - iOS: - introduced: '16.4' - accessrights: AllowQueryDeviceInformation - macOS: - introduced: '13.3' - accessrights: AllowQueryDeviceInformation - tvOS: - introduced: '16.4' - accessrights: AllowQueryDeviceInformation - visionOS: - accessrights: AllowQueryDeviceInformation - watchOS: - accessrights: AllowQueryDeviceInformation - type: - presence: optional - content: The key to get the device's hardware model number, including region - info, such as `MK1A3LL/A`. Requires the Device Information access right. Requires - a Mac with Apple silicon for macOS. - - key: IsAppleSilicon - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '12.0' - accessrights: AllowQueryDeviceInformation - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to determine whether the device is a Mac with Apple silicon - (for example, an Apple M1 chip). Available in macOS 12 and later. 
- - key: ProductName - supportedOS: - iOS: - accessrights: AllowQueryDeviceInformation - macOS: - accessrights: AllowQueryDeviceInformation - tvOS: - accessrights: AllowQueryDeviceInformation - visionOS: - accessrights: AllowQueryDeviceInformation - watchOS: - accessrights: AllowQueryDeviceInformation - type: - presence: optional - content: The key to get the product name, such as _iPad8,12_. Requires the Device - Information access right. - - key: SerialNumber - supportedOS: - iOS: - accessrights: AllowQueryDeviceInformation - userenrollment: - mode: forbidden - macOS: - accessrights: AllowQueryDeviceInformation - userenrollment: - mode: forbidden - tvOS: - accessrights: AllowQueryDeviceInformation - visionOS: - accessrights: AllowQueryDeviceInformation - userenrollment: - mode: forbidden - watchOS: - accessrights: AllowQueryDeviceInformation - type: - presence: optional - content: The key to get the serial number. Requires the Device Information access - right. - - key: DeviceCapacity - supportedOS: - iOS: - accessrights: AllowQueryDeviceInformation - macOS: - accessrights: AllowQueryDeviceInformation - tvOS: - introduced: n/a - visionOS: - accessrights: AllowQueryDeviceInformation - watchOS: - accessrights: AllowQueryDeviceInformation - type: - presence: optional - content: The key to get the device's total capacity. Requires the Device Information - access right. Available in iOS 4 and later, and macOS 10.7 and later. - - key: AvailableDeviceCapacity - supportedOS: - iOS: - accessrights: AllowQueryDeviceInformation - macOS: - accessrights: AllowQueryDeviceInformation - tvOS: - introduced: n/a - visionOS: - accessrights: AllowQueryDeviceInformation - watchOS: - accessrights: AllowQueryDeviceInformation - type: - presence: optional - content: The key to get the available capacity. Requires the Device Information - access right. Available in iOS 4 and later, and macOS 10.7 and later. 
- - key: IMEI - supportedOS: - iOS: - deprecated: '16.0' - removed: '26.0' - accessrights: AllowQueryDeviceInformation - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to get the International Mobile Equipment Identity (IMEI) number. - Requires the Device Information access right. Available as of iOS 4 and deprecated - in iOS 16. - - key: MEID - supportedOS: - iOS: - deprecated: '16.0' - removed: '26.0' - accessrights: AllowQueryDeviceInformation - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to get the mobile equipment ID (MEID). Requires the Device - Information access right. Available as of iOS 4 and deprecated in iOS 16. - - key: ModemFirmwareVersion - supportedOS: - iOS: - accessrights: AllowQueryDeviceInformation - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to get the modem firmware version. Requires the Device Information - access right. Available in iOS 4 and later. - - key: CellularTechnology - supportedOS: - iOS: - introduced: 4.2.6 - accessrights: AllowQueryDeviceInformation - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to get the cellular technology type. Requires the Device Information - access right. Available in iOS 4.2.6 and later. 
- - key: BatteryLevel - supportedOS: - iOS: - introduced: '5.0' - accessrights: AllowQueryDeviceInformation - macOS: - introduced: '13.3' - accessrights: AllowQueryDeviceInformation - tvOS: - introduced: n/a - visionOS: - accessrights: AllowQueryDeviceInformation - watchOS: - accessrights: AllowQueryDeviceInformation - type: - presence: optional - content: The key to get the battery level. Requires the Device Information access - right. Available in iOS 5 and later. - - key: HasBattery - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '13.3' - accessrights: AllowQueryDeviceInformation - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to determine whether the device has an internal battery. - - key: IsSupervised - supportedOS: - iOS: - introduced: '6.0' - accessrights: AllowQueryDeviceInformation - macOS: - introduced: '10.15' - tvOS: - introduced: '9.0' - accessrights: AllowQueryDeviceInformation - visionOS: - accessrights: AllowQueryDeviceInformation - watchOS: - accessrights: AllowQueryDeviceInformation - type: - presence: optional - content: The key to determine whether the device is supervised. Requires the - Device Information access right. Available in iOS 6 and later, macOS 10.15 - and later, and tvOS 9 and later. - - key: IsMultiUser - supportedOS: - iOS: - introduced: '9.3' - accessrights: AllowQueryDeviceInformation - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to determine whether the device is a Shared iPad. Requires - the Device Information access right. Available in iOS 9.3 and later. 
- - key: IsDeviceLocatorServiceEnabled - supportedOS: - iOS: - introduced: '7.0' - accessrights: AllowQueryDeviceInformation - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - accessrights: AllowQueryDeviceInformation - watchOS: - accessrights: AllowQueryDeviceInformation - type: - presence: optional - content: The key to determine whether the system enabled a device locator service - such as Find My on the device. Requires the Device Information access right. - Available in iOS 7 and later. - - key: IsActivationLockEnabled - supportedOS: - iOS: - introduced: '7.0' - deprecated: '16.0' - accessrights: AllowQueryDeviceInformation - userenrollment: - mode: forbidden - macOS: - introduced: '10.15' - deprecated: '13.0' - accessrights: AllowQueryDeviceInformation - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - deprecated: '10.0' - accessrights: AllowQueryDeviceInformation - type: - presence: optional - content: The key to determine whether the system enabled Activation Lock on - the device. Requires the Device Information access right. Available as of - iOS 7 and macOS 10.15, and deprecated in iOS 16 and macOS 13. - - key: IsActivationLockSupported - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.15' - accessrights: AllowQueryDeviceInformation - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to determine whether the device supports Activation Lock. Also - see `IsActivationLockManageable` in `ManagementStatus`. Available in macOS - 10.9 and later. 
- - key: IsDoNotDisturbInEffect - supportedOS: - iOS: - introduced: '7.0' - accessrights: AllowQueryDeviceInformation - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - accessrights: AllowQueryDeviceInformation - userenrollment: - mode: forbidden - watchOS: - accessrights: AllowQueryDeviceInformation - type: - presence: optional - content: The key to determine whether the device is in Do Not Disturb (DND) - mode. Requires the Device Information access right. Available in iOS 7 and - later. - - key: DeviceID - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: n/a - tvOS: - introduced: '9.0' - accessrights: AllowQueryDeviceInformation - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to get the device ID. Requires the Device Information access - right. Available in tvOS 6 and later. - - key: EASDeviceIdentifier - supportedOS: - iOS: - introduced: '7.0' - accessrights: AllowQueryDeviceInformation - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - accessrights: AllowQueryDeviceInformation - watchOS: - introduced: n/a - type: - presence: optional - content: The key to get the device identifier for Exchange ActiveSync (EAS). - Requires the Device Information access right. Available in iOS 7 and later. - - key: IsCloudBackupEnabled - supportedOS: - iOS: - introduced: '7.1' - accessrights: AllowQueryDeviceInformation - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - accessrights: AllowQueryDeviceInformation - userenrollment: - mode: forbidden - watchOS: - introduced: n/a - type: - presence: optional - content: The key to determine whether the system enabled iCloud Backup on the - device. Requires the Device Information access right. Available in iOS 7.1 - and later. 
- - key: ActiveManagedUsers - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.11' - accessrights: AllowQueryDeviceInformation - userchannel: false - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to get an array of directory GUIDs for logged-in managed users. - Requires the Device Information access right. Available in macOS 10.11 and - later. - - key: OSUpdateSettings - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.11' - deprecated: '26.0' - accessrights: AllowQueryDeviceInformation - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to get the contents of `OSUpdateSettings`. Requires the Device - Information access right. Available in macOS 10.11 and later. - - key: LocalHostName - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.11' - accessrights: AllowQueryDeviceInformation - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to get the local hostname from Bonjour. Available in macOS - 10.11 and later. - - key: HostName - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.11' - accessrights: AllowQueryDeviceInformation - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to get the hostname. Available in macOS 10.11 and later. 
- - key: AutoSetupAdminAccounts - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.11' - accessrights: AllowQueryDeviceInformation - requiresdep: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to get the contents of `AutoSetupAdminAccountsItem`, which - Setup Assistant automatically creates during enrollment. Requires the Device - Information access right. Available in macOS 10.11 and later. - - key: SystemIntegrityProtectionEnabled - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.12' - accessrights: AllowQueryDeviceInformation - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to determine whether the system enabled System Integrity Protection - on the device. Requires the Device Information access right, and is available - in macOS 10.12 and later. - - key: SupportsLOMDevice - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '11.0' - accessrights: AllowQueryDeviceInformation - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to determine whether the device can receive `PowerON`, `PowerOFF`, - and `Reset` commands from a lights-out management (LOM) controller. Available - in macOS 11 and later. - - key: IsMDMLostModeEnabled - supportedOS: - iOS: - introduced: '9.3' - accessrights: AllowQueryDeviceInformation - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - accessrights: AllowQueryDeviceInformation - type: - presence: optional - content: The key to determine whether the system enabled Managed Lost Mode on - the device. Requires the Device Information access right. Available in iOS - 9.3 and later. 
- - key: MaximumResidentUsers - supportedOS: - iOS: - introduced: '9.3' - accessrights: AllowQueryDeviceInformation - supervised: true - requiresdep: true - sharedipad: - mode: required - devicechannel: true - userchannel: false - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to get the maximum number of users that can use this Shared - iPad device. In iOS 13.4 and later, this value is always `32`. Requires the - Device Information access right. Available in iOS 9.3 and later. - - key: EstimatedResidentUsers - supportedOS: - iOS: - introduced: '14.0' - accessrights: AllowQueryDeviceInformation - supervised: true - requiresdep: true - sharedipad: - mode: required - devicechannel: true - userchannel: false - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to get the estimated number of users that can use this Shared - iPad device, according to the available space of the device and each user's - quota. Requires the Device Information access right. Available in iOS 14 and - later. - - key: QuotaSize - supportedOS: - iOS: - introduced: '13.4' - accessrights: AllowQueryDeviceInformation - supervised: true - requiresdep: true - sharedipad: - mode: required - devicechannel: true - userchannel: false - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to get the quota size for each user on this Shared iPad device. - Requires the Device Information access right. Available in iOS 13.4 and later. 
- - key: ResidentUsers - supportedOS: - iOS: - introduced: '13.4' - accessrights: AllowQueryDeviceInformation - supervised: true - requiresdep: true - sharedipad: - mode: required - devicechannel: true - userchannel: false - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to get the number of users currently on this Shared iPad device. - Requires the Device Information access right. Available in iOS 13.4 and later. - - key: UserSessionTimeout - supportedOS: - iOS: - introduced: '14.5' - accessrights: AllowQueryDeviceInformation - supervised: true - requiresdep: true - sharedipad: - mode: required - devicechannel: true - userchannel: false - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to get the timeout interval for the user session. - - key: TemporarySessionTimeout - supportedOS: - iOS: - introduced: '14.5' - accessrights: AllowQueryDeviceInformation - supervised: true - requiresdep: true - sharedipad: - mode: required - devicechannel: true - userchannel: false - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to get the timeout interval for the temporary session. 
- - key: TemporarySessionOnly - supportedOS: - iOS: - introduced: '14.5' - accessrights: AllowQueryDeviceInformation - supervised: true - requiresdep: true - sharedipad: - mode: required - devicechannel: true - userchannel: false - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to determine whether the device allows only temporary sessions. - - key: ManagedAppleIDDefaultDomains - supportedOS: - iOS: - introduced: '16.0' - accessrights: AllowQueryDeviceInformation - supervised: true - requiresdep: true - sharedipad: - mode: required - devicechannel: true - userchannel: false - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to get the list of domains that the device suggests on the - Shared iPad login screen. Available in iOS 16 and later. - - key: OnlineAuthenticationGracePeriod - supportedOS: - iOS: - introduced: '16.0' - accessrights: AllowQueryDeviceInformation - supervised: true - requiresdep: true - sharedipad: - mode: required - devicechannel: true - userchannel: false - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to get the grace period for Shared iPad online authentication - (in days). Available in iOS 16 and later. 
- - key: SkipLanguageAndLocaleSetupForNewUsers - supportedOS: - iOS: - introduced: '16.2' - accessrights: AllowQueryDeviceInformation - supervised: true - requiresdep: true - sharedipad: - mode: required - devicechannel: true - userchannel: false - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to determine whether the system skips the language and country/region - panes for new users on Shared iPad. - - key: PushToken - supportedOS: - iOS: - introduced: '9.3' - accessrights: AllowQueryDeviceInformation - sharedipad: - devicechannel: false - userenrollment: - mode: forbidden - macOS: - introduced: '10.12' - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to get the push token for the current user-channel connection. - The MDM server ignores this query for the device channel. Requires the Device - Information access right. Available in iOS 9.3 and later, and macOS 10.12 - and later. - - key: DiagnosticSubmissionEnabled - supportedOS: - iOS: - introduced: '9.3' - accessrights: AllowQueryDeviceInformation - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - accessrights: AllowQueryDeviceInformation - watchOS: - accessrights: AllowQueryDeviceInformation - type: - presence: optional - content: The key to determine whether the system enabled the diagnostic submission - setting on the device. Requires the Device Information access right. Available - in iOS 9.3 and later. 
- - key: AppAnalyticsEnabled - supportedOS: - iOS: - introduced: '9.3' - accessrights: AllowQueryDeviceInformation - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - accessrights: AllowQueryDeviceInformation - watchOS: - accessrights: AllowQueryDeviceInformation - type: - presence: optional - content: The key to determine whether the device is sharing app analytics. Requires - the Device Information access right. Available in iOS 4 and later, and macOS - 10.7 and later. - - key: TimeZone - supportedOS: - iOS: - introduced: '14.0' - accessrights: AllowQueryDeviceInformation - macOS: - introduced: '26.0' - accessrights: AllowQueryDeviceInformation - tvOS: - introduced: '14.0' - accessrights: AllowQueryDeviceInformation - visionOS: - introduced: '2.0' - accessrights: AllowQueryDeviceInformation - watchOS: - accessrights: AllowQueryDeviceInformation - type: - presence: optional - content: The key to get the current Internet Assigned Numbers Authority (IANA) - time zone database name. Requires the Device Information access right. Available - in macOS 26 and later, iOS 14 and later, tvOS 14 and later, and visionOS 2 - and later. - - key: ICCID - supportedOS: - iOS: - deprecated: '16.0' - removed: '26.0' - accessrights: AllowQueryNetworkInformation - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to get the integrated circuit card (ICC) identifier for the - installed SIM card. Requires the Network Information access right. Available - as of iOS 4 and deprecated in iOS 16. 
- - key: BluetoothMAC - supportedOS: - iOS: - accessrights: AllowQueryNetworkInformation - userenrollment: - mode: forbidden - macOS: - accessrights: AllowQueryNetworkInformation - userenrollment: - mode: forbidden - tvOS: - accessrights: AllowQueryNetworkInformation - visionOS: - accessrights: AllowQueryNetworkInformation - userenrollment: - mode: forbidden - watchOS: - introduced: n/a - type: - presence: optional - content: The key to get the Bluetooth media access control (MAC) address. Requires - the Network Information access right. - - key: WiFiMAC - supportedOS: - iOS: - accessrights: AllowQueryNetworkInformation - userenrollment: - mode: forbidden - macOS: - accessrights: AllowQueryNetworkInformation - userenrollment: - mode: forbidden - tvOS: - accessrights: AllowQueryNetworkInformation - visionOS: - accessrights: AllowQueryNetworkInformation - userenrollment: - mode: forbidden - watchOS: - accessrights: AllowQueryNetworkInformation - type: - presence: optional - content: The key to get the Wi-Fi MAC address. Requires the Network Information - access right. - - key: EthernetMAC - supportedOS: - iOS: - introduced: n/a - macOS: - accessrights: AllowQueryNetworkInformation - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to get the primary Ethernet MAC address. Requires the Network - Information access right. Available in macOS 10.7 and later. - - key: CurrentCarrierNetwork - supportedOS: - iOS: - deprecated: '16.0' - removed: '26.0' - accessrights: AllowQueryNetworkInformation - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to get the name of the current carrier network. Requires the - Network Information access right. Available as of iOS 4 and deprecated in - iOS 16. 
- - key: SIMCarrierNetwork - supportedOS: - iOS: - removed: '5.0' - accessrights: AllowQueryNetworkInformation - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: Apple no longer supports this query. Use `SubscriberCarrierNetwork` - instead. - - key: SubscriberCarrierNetwork - supportedOS: - iOS: - introduced: '5.0' - deprecated: '16.0' - removed: '26.0' - accessrights: AllowQueryNetworkInformation - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to get the home carrier network. Requires the Network Information - access right. Available as of iOS 5 and deprecated in iOS 16. - - key: CarrierSettingsVersion - supportedOS: - iOS: - deprecated: '16.0' - removed: '26.0' - accessrights: AllowQueryNetworkInformation - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to get the version of the carrier settings. Requires the Network - Information access right. Available as of iOS 4 and deprecated in iOS 16. - - key: PhoneNumber - supportedOS: - iOS: - deprecated: '16.0' - removed: '26.0' - accessrights: AllowQueryNetworkInformation - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to get the raw phone number, without punctuation, and including - the country code. Requires the Network Information access right. Available - as of iOS 4 and deprecated in iOS 16. 
- - key: DataRoamingEnabled - supportedOS: - iOS: - introduced: '5.0' - accessrights: AllowQueryNetworkInformation - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to determine whether the system enabled data roaming on the - device. Requires the Network Information access right. Available in iOS 5 - and later. - - key: VoiceRoamingEnabled - supportedOS: - iOS: - introduced: '5.0' - deprecated: '16.0' - removed: '26.0' - accessrights: AllowQueryNetworkInformation - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to determine whether the system enabled voice roaming on the - device, which isn't available for all carriers. Requires the Network Information - access right. Available as of iOS 5 and deprecated in iOS 16. - - key: PersonalHotspotEnabled - supportedOS: - iOS: - introduced: '7.0' - accessrights: AllowQueryNetworkInformation - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to determine whether the system enabled Personal Hotspot on - the device, which isn't available for all carriers. Requires the Network Information - access right. Available in iOS 7 and later. - - key: IsNetworkTethered - supportedOS: - iOS: - introduced: '10.3' - accessrights: AllowQueryNetworkInformation - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to determine whether the device is network-tethered. Requires - the Network Information access right. Available in iOS 10.3 and later. 
- - key: IsRoaming - supportedOS: - iOS: - introduced: '4.2' - deprecated: '16.0' - removed: '26.0' - accessrights: AllowQueryNetworkInformation - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to determine whether the device is roaming. Requires the Network - Information access right. Available in iOS 4.2 and later. - - key: SubscriberMCC - supportedOS: - iOS: - introduced: 4.2.6 - deprecated: '16.0' - removed: '26.0' - accessrights: AllowQueryNetworkInformation - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to get the home mobile country code. Requires the Network Information - access right. Available as of iOS 4.2.6 and deprecated in iOS 16. - - key: SubscriberMNC - supportedOS: - iOS: - introduced: 4.2.6 - deprecated: '16.0' - removed: '26.0' - accessrights: AllowQueryNetworkInformation - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to get the home mobile network code. Requires the Network Information - access right. Available as of iOS 4.2.6 and deprecated in iOS 16. - - key: CurrentMCC - supportedOS: - iOS: - deprecated: '16.0' - removed: '26.0' - accessrights: AllowQueryNetworkInformation - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to get the current mobile country code (MCC). Requires the - Network Information access right. It's available as of iOS 4 and deprecated - in iOS 16. 
- - key: CurrentMNC - supportedOS: - iOS: - deprecated: '16.0' - removed: '26.0' - accessrights: AllowQueryNetworkInformation - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to get the current mobile network code (MNC). Requires the - Network Information access right. Available as of iOS 4 and deprecated in - iOS 16. - - key: ServiceSubscriptions - supportedOS: - iOS: - introduced: '12.0' - accessrights: AllowQueryNetworkInformation - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to get the contents of `ServiceSubscriptionProperty`. Requires - the Network Information access right. - - key: PINRequiredForEraseDevice - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '11.0' - accessrights: AllowQueryDeviceInformation - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to determine whether the `EraseDeviceCommand` requires a PIN. - Available in macOS 11 and later. - - key: PINRequiredForDeviceLock - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '11.0' - accessrights: AllowQueryDeviceInformation - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to determine whether the `DeviceLockCommand` requires a PIN. - Available in macOS 11 and later. 
- - key: SupportsiOSAppInstalls - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '11.0' - accessrights: AllowQueryDeviceInformation - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to determine whether the macOS device supports iOS or iPadOS - app installs. Available in macOS 11 and later. - - key: SoftwareUpdateDeviceID - supportedOS: - iOS: - introduced: '15.0' - deprecated: '26.0' - userenrollment: - mode: forbidden - macOS: - introduced: '12.0' - deprecated: '26.0' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - deprecated: '26.0' - userenrollment: - mode: forbidden - watchOS: - introduced: n/a - type: - presence: optional - content: The key to get the device identifier to look up available OS updates - through [https://gdmf.apple.com/v2/pmv](https://gdmf.apple.com/v2/pmv). Available - in iOS 15 and later, and macOS 12 and later. - - key: SoftwareUpdateSettings - supportedOS: - iOS: - introduced: '14.5' - deprecated: '26.0' - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to get the device settings that control which updates appear - in the Software Update pane in Settings. Available in iOS 14.5 and later. - - key: AccessibilitySettings - supportedOS: - iOS: - introduced: '16.0' - supervised: true - sharedipad: - mode: allowed - devicechannel: false - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - supervised: true - type: - presence: optional - content: The key to get the current state of settable accessibility settings. - Available in iOS 16 and later. 
- - key: DevicePropertiesAttestation - supportedOS: - iOS: - introduced: '16.0' - userenrollment: - mode: allowed - macOS: - introduced: '14.0' - tvOS: - introduced: '16.0' - visionOS: - userenrollment: - mode: allowed - type: - presence: optional - content: The key to get an attestation of the device's properties. Available - in iOS 16 and later, macOS 14 and later, tvOS 16 and later, and watchOS 10 - and later. The hardware requirements for attestation are described below. - - key: EACSPreflight - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '13.3' - accessrights: AllowQueryDeviceInformation - userchannel: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The key to determine whether the device can perform an `EraseDeviceCommand` - using Erase All Content and Settings (EACS). -- key: DeviceAttestationNonce - supportedOS: - iOS: - introduced: '16.0' - userenrollment: - mode: allowed - macOS: - introduced: '14.0' - tvOS: - introduced: '16.0' - visionOS: - userenrollment: - mode: allowed - type: - presence: optional - content: |- - A freshness code that appears in the resulting attestation. This value can contain up to 32 bytes of data. If specified, queries need to contain `DevicePropertiesAttestation`. - - The MDM server uses this value to prove that an attestation was recently generated. The system caches the most recently generated attestation on the device. If omitted or if the value matches the cached attestation, the system returns the cached attestation. To request a new attestation, provide a new freshness code. Requests for new attestations are rate limited. If it is fewer than 7 days since the system generated an attestation, the device returns the cached attestation rather than generating a new one. - - Available in iOS 16 and later, macOS 14 and later, tvOS 16 and later, and watchOS 10 and later. 
The hardware requirements for attestation are described below. -responsekeys: -- key: QueryResponses - type: - presence: required - content: A dictionary that contains information about the device. - subkeys: - - key: UDID - type: - content: The unique identifier of the device. - - key: ProvisioningUDID - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '11.3' - accessrights: n/a - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: The device identifier to use in provisioning profiles. This value differs - from the UDID on a Mac with Apple silicon. Available in macOS 11.3 and later. - - key: OrganizationInfo - supportedOS: - iOS: - introduced: '7.0' - macOS: - introduced: '10.11' - tvOS: - introduced: '9.0' - type: - content: The contents of `OrganizationInfo`. - subkeys: - - key: OrganizationName - type: - presence: required - content: A string that describes the organization operating the MDM server. - This value is available in iOS 7 and later, macOS 10.11 and later, and tvOS - 9 and later. - - key: OrganizationAddress - type: - presence: optional - content: The organization's address. Use the LF character (` `) to insert - line breaks. This value is available in iOS 7 and later, macOS 10.11 and later, - and tvOS 9 and later. - - key: OrganizationPhone - type: - presence: optional - content: The organization's phone number. This value is available in iOS 7 and - later, macOS 10.11 and later, and tvOS 9 and later. - - key: OrganizationEmail - type: - presence: optional - content: The organization's support email address. This value is available in - iOS 7 and later, macOS 10.11 and later, and tvOS 9 and later. - - key: OrganizationMagic - type: - presence: optional - content: A unique identifier for the various services a single organization - manages. This value is available in iOS 7 and later, macOS 10.11 and later, - and tvOS 9 and later. 
- - key: MDMOptions - supportedOS: - iOS: - introduced: '7.0' - macOS: - introduced: '11.0' - tvOS: - introduced: '9.0' - type: - content: The contents of `MDMOptions`. - subkeys: - - key: ActivationLockAllowedWhileSupervised - supportedOS: - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, a supervised device registers itself with Activation Lock - when the user enables Find My. Unsupervised devices ignore this value. This - value is available in iOS 7 and later, macOS 11 and later, and tvOS 9 and - later. - - key: BootstrapTokenAllowed - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '11.0' - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the server supports Bootstrap Token commands. This value - is available in macOS 11 and later. - - key: PromptUserToAllowBootstrapTokenForAuthentication - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '11.0' - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the device can accept a Bootstrap Token from the MDM server - instead of prompting for user authentication prior to installation. This only - applies when `BootstrapTokenAllowedForAuthentication` is `true` in the `SecurityInfo` - response. This value is available for a Mac with Apple silicon in macOS 11 - and later. - - key: LastCloudBackupDate - supportedOS: - iOS: - introduced: '8.0' - macOS: - introduced: n/a - tvOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: The date of the last iCloud backup. Available in iOS 8 and later. 
- - key: AwaitingConfiguration - supportedOS: - iOS: - introduced: '9.0' - macOS: - introduced: '10.11' - tvOS: - introduced: '10.2' - visionOS: - introduced: '2.0' - type: - content: |- - If `true` on the device channel, the device is still waiting for a `Device-Configured-Command` command to continue through Setup Assistant. - - If `true` on the user channel (Shared iPad only), the device is still waiting for a `User-Configured-Command` command to continue through Setup Assistant and finish login. - - key: iTunesStoreAccountIsActive - supportedOS: - iOS: - introduced: '7.0' - macOS: - introduced: '10.9' - tvOS: - introduced: '9.0' - visionOS: - introduced: n/a - type: - content: If `true`, the device has an active iTunes Store account. Requires the - App Installation access right. - - key: iTunesStoreAccountHash - supportedOS: - iOS: - introduced: '8.0' - macOS: - introduced: '10.10' - tvOS: - introduced: '9.0' - visionOS: - introduced: n/a - type: - content: A hash of the logged-in iTunes Store account. Also see `GetVppUserRequest`. - Requires the App Installation access right. - - key: DeviceName - type: - content: The device name. Requires the Device Information access right. - - key: OSVersion - type: - content: The operating system version. Requires the Device Information access - right. - - key: SupplementalOSVersionExtra - supportedOS: - iOS: - introduced: '16.1' - macOS: - introduced: '13.0' - tvOS: - introduced: '16.1' - type: - content: The OS update Background Security Improvement version letter. - - key: BuildVersion - type: - content: The operating system version. Requires the Device Information access - right. - - key: SupplementalBuildVersion - supportedOS: - iOS: - introduced: '16.1' - macOS: - introduced: '13.0' - tvOS: - introduced: '16.1' - type: - content: The supplemental OS build version. - - key: ModelName - type: - content: The model name, such as _iPhone_. Requires the Device Information access - right. 
- - key: Model - supportedOS: - visionOS: - introduced: n/a - type: - content: The model. Requires the Device Information access right. - - key: ModelNumber - type: - content: The device's hardware model number including region info, for example, - `MK1A3LL/A`. Requires the Device Information access right. Requires a Mac with - Apple silicon on macOS. - - key: IsAppleSilicon - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '12.0' - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: If `true`, the macOS device uses an Apple silicon chip. - - key: ProductName - type: - content: The product name, such as _iPad8,12_. Requires the Device Information - access right. - - key: SerialNumber - type: - content: The serial number. Requires the Device Information access right. - - key: DeviceCapacity - supportedOS: - tvOS: - introduced: n/a - type: - content: The total capacity in floating-point base-10 gigabytes (GB) on iOS and - macOS 12 or later. The capacity is in base-2 gibibytes (GiB) on macOS 11 and - earlier. Requires the Device Information access right. Available in iOS 4 and - later, and macOS 10.7 and later. - - key: AvailableDeviceCapacity - supportedOS: - tvOS: - introduced: n/a - type: - content: The available capacity in floating-point base-10 gigabytes (GB) in iOS - and macOS 12 or later. The capacity is in base-2 gibibytes (GiB) in macOS 11 - and earlier. Requires the Device Information access right. Available in iOS - 4 and later, and macOS 10.7 and later. - - key: IMEI - supportedOS: - iOS: - deprecated: '16.0' - removed: '26.0' - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: The International Mobile Equipment Identity (IMEI) number. Requires the - Device Information access right. Available as of iOS 4 and deprecated in iOS - 16. 
- - key: MEID - supportedOS: - iOS: - deprecated: '16.0' - removed: '26.0' - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: The mobile equipment identifier (MEID) number. Requires the Device Information - access right. Available as of iOS 4 and deprecated in iOS 16. - - key: ModemFirmwareVersion - supportedOS: - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: The modem firmware version. Requires the Device Information access right. - Available in iOS 4 and later. - - key: CellularTechnology - supportedOS: - iOS: - introduced: 4.2.6 - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - rangelist: - - 0 - - 1 - - 2 - - 3 - content: |- - The cellular technology type, which is one of the following values: - - `0`: None - - `1`: GSM - - `2`: CDMA - - `3`: GSM and CDMA - - Requires the Device Information access right. Available in iOS 4.2.6 and later. - - key: BatteryLevel - supportedOS: - iOS: - introduced: '5.0' - macOS: - introduced: '13.3' - tvOS: - introduced: n/a - type: - content: The battery level, between `0.0` and `1.0`, or `-1.0` if MDM can't determine - the battery level. Requires the Device Information access right. Available in - iOS 5 and later, and macOS 13.3 and later. - - key: HasBattery - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '13.3' - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: If `true`, the device has an internal battery. - - key: IsSupervised - supportedOS: - iOS: - introduced: '6.0' - macOS: - introduced: '10.15' - tvOS: - introduced: '9.0' - type: - content: If `true`, it's a supervised device. Requires the Device Information - access right. Available in iOS 6 and later, macOS 10.15 and later, and tvOS - 9 and later. 
- - key: IsMultiUser - supportedOS: - iOS: - introduced: '9.3' - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: If `true`, the device is a Shared iPad. Requires the Device Information - access right. Available in iOS 9.3 and later. - - key: IsDeviceLocatorServiceEnabled - supportedOS: - iOS: - introduced: '7.0' - macOS: - introduced: n/a - tvOS: - introduced: n/a - type: - content: If `true`, the device has enabled a device locator service, such as Find - My. Requires the Device Information access right. Available in iOS 7 and later. - - key: IsActivationLockEnabled - supportedOS: - iOS: - introduced: '7.0' - deprecated: '16.0' - macOS: - introduced: '10.9' - deprecated: '13.0' - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - deprecated: '10.0' - type: - content: If `true`, the device has enabled Activation Lock. Requires the Device - Information access right. Available as of iOS 7 and macOS 10.9, and deprecated - in iOS 16 and macOS 13. - - key: IsActivationLockSupported - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.9' - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: If `true`, the device supports Activation Lock. Also see `IsActivationLockManageable` - in `ManagementStatus`. Available in macOS 10.9 and later. - - key: IsDoNotDisturbInEffect - supportedOS: - iOS: - introduced: '7.0' - macOS: - introduced: n/a - tvOS: - introduced: n/a - type: - content: If `true`, the device is in Do Not Disturb (DND) mode. This value is - `true` even if DND is only in effect for a locked device. Requires the Device - Information access right. Available in iOS 7 and later. 
- - key: SupportsLOMDevice - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '11.0' - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: If `true`, the device can receive `PowerON`, `PowerOFF`, and `Reset` - commands from a lights-out management (LOM) controller. Available in macOS 11 - and later. - - key: DeviceID - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: n/a - tvOS: - introduced: '9.0' - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: The device identifier. Requires the Device Information access right. - Available in tvOS 6 and later. - - key: EASDeviceIdentifier - supportedOS: - iOS: - introduced: '7.0' - macOS: - introduced: n/a - tvOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: The device identifier for Exchange Active Sync (EAS). Requires the Device - Information access right. Available in iOS 7 and later. - - key: IsCloudBackupEnabled - supportedOS: - iOS: - introduced: '7.1' - macOS: - introduced: n/a - tvOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: If `true`, the device has enabled iCloud backup. Requires the Device - Information access right. Available in iOS 7.1 and later. - - key: ActiveManagedUsers - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.11' - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: An array of the directory GUIDs of the logged-in managed users. If one - of these users is currently logged in to the console, the `CurrentConsoleManagedUser` - key returns the GUID of that user. Requires the Device Information access right. - Available in macOS 10.11 and later. 
- subkeys: - - key: ActiveManagedUsersItems - type: - - key: OSUpdateSettings - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.11' - deprecated: '26.0' - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: The contents of ``OSUpdateSettings-dictionary``. Requires the Device - Information access right. Available in macOS 10.11 and later. - subkeys: - - key: CatalogURL - type: - presence: optional - content: The URL to the software update catalog the client is using. This value - is available in macOS 10.11 and later. - - key: IsDefaultCatalog - type: - content: If `true`, `CatalogURL` is the default catalog. This value is available - in macOS 10.11 and later. - - key: PreviousScanDate - type: - content: The date of the last software update scan. This value is available - in macOS 10.11 and later. - - key: PreviousScanResult - supportedOS: - macOS: - deprecated: '11.0' - removed: '15.0' - type: - presence: optional - content: The result code of last software update scan; `0` = success. This value - is available in macOS 10.11 and no longer available in macOS 15 and later. - - key: PerformPeriodicCheck - type: - content: If `true`, start a new scan. This value is available in macOS 10.11 - and later. - - key: AutoCheckEnabled - type: - content: The preference to automatically check for app updates. This value is - available in macOS 10.11 and later. - - key: BackgroundDownloadEnabled - type: - content: The preference to download app updates in the background. This value - is available in macOS 10.11 and later. - - key: AutomaticAppInstallationEnabled - type: - content: The preference to automatically install app updates. This value is - available in macOS 10.11 and later. - - key: AutomaticOSInstallationEnabled - type: - content: The preference to automatically install operating system updates. This - value is available in macOS 10.11 and later. 
- - key: AutomaticSecurityUpdatesEnabled - type: - content: The preference to automatically install system data files and security - updates. This value is available in macOS 10.11 and later. - - key: LocalHostName - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.11' - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: The local host name from Bonjour. Available in macOS 10.11 and later. - - key: HostName - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.11' - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: The host name. Available in macOS 10.11 and later. - - key: AutoSetupAdminAccounts - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.11' - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: The contents of ``AutoSetupAdminAccountsItem``, which Setup Assistant - automatically creates during DEP enrollment. Requires the Device Information - access right. Available in macOS 10.11 and later. - subkeys: - - key: AutoSetupAdminAccountsItem - type: - content: The response dictionary that contains the administrator setup information. - subkeys: - - key: GUID - type: - content: The `GeneratedUID` of the administrator account. This value is available - in macOS 10.11 and later. - - key: shortName - type: - content: The short name of the administrator account. This value is available - in macOS 10.11 and later. - - key: SystemIntegrityProtectionEnabled - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.12' - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: If `true`, the device has enabled System Integrity Protection. Requires - the Device Information access right. Available in macOS 10.12 and later. 
- - key: IsMDMLostModeEnabled - supportedOS: - iOS: - introduced: '9.3' - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - type: - content: If `true`, the device has enabled Managed Lost Mode. Requires the Device - Information access right. Available in iOS 9.3 and later. - - key: MaximumResidentUsers - supportedOS: - iOS: - introduced: '9.3' - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: The maximum number of users that can use this Shared iPad device. Starting - with iOS 13.4, the value that returns is always `32`. Requires the Device Information - access right. Available in iOS 9.3 and later. - - key: EstimatedResidentUsers - supportedOS: - iOS: - introduced: '14.0' - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: The estimated number of users that can use this Shared iPad device, according - to the space available on the device and each user's quota. Requires the Device - Information access right. Available in iOS 14 and later. - - key: QuotaSize - supportedOS: - iOS: - introduced: '13.4' - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: The quota size in megabytes for each user on this Shared iPad device. - Requires the Device Information access right. Available in iOS 13.4 and later. - - key: ResidentUsers - supportedOS: - iOS: - introduced: '13.4' - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: The number of users currently on this Shared iPad device. Requires the - Device Information access right. Available in iOS 13.4 and later. 
- - key: UserSessionTimeout - supportedOS: - iOS: - introduced: '14.5' - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: The timeout interval for the user session. A value of `0` indicates that - there's no timeout. - - key: TemporarySessionTimeout - supportedOS: - iOS: - introduced: '14.5' - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: The timeout interval for the temporary session. A value of `0` indicates - that there's no timeout. - - key: TemporarySessionOnly - supportedOS: - iOS: - introduced: '14.5' - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: If `true`, the device allows only temporary sessions. - - key: ManagedAppleIDDefaultDomains - supportedOS: - iOS: - introduced: '16.0' - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: The list of domains that the device suggests on the Shared iPad login - screen. Available in iOS 16 and later. - subkeys: - - key: AppleID domain - type: - - key: OnlineAuthenticationGracePeriod - supportedOS: - iOS: - introduced: '16.0' - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: The grace period for Shared iPad online authentication (in days). A value - of `0` indicates that the device requires online authentication for every login. - Available in iOS 16 and later. - - key: SkipLanguageAndLocaleSetupForNewUsers - supportedOS: - iOS: - introduced: '16.2' - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: If `true`, skip the language and country/region panes for new users on - Shared iPad. 
- - key: PushToken - supportedOS: - iOS: - introduced: '9.3' - macOS: - introduced: '10.12' - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: The push token for the user-channel connection, in the same format as - in `TokenUpdateRequest`. MDM ignores this query for the device channel. Requires - the Device Information access right. Available in iOS 9.3 and later, and macOS - 10.12 and later. - - key: DiagnosticSubmissionEnabled - supportedOS: - iOS: - introduced: '9.3' - macOS: - introduced: n/a - tvOS: - introduced: n/a - type: - content: If `true`, the device has enabled diagnostic submission. Requires the - Device Information access right. Available in iOS 9.3 and later. - - key: AppAnalyticsEnabled - supportedOS: - iOS: - introduced: '9.3' - macOS: - introduced: n/a - tvOS: - introduced: n/a - type: - content: If `true`, the device is sharing app analytics. Requires the Device Information - access right. Available in iOS 9.3 and later. - - key: TimeZone - supportedOS: - iOS: - introduced: '14.0' - macOS: - introduced: n/a - tvOS: - introduced: '14.0' - type: - content: The current Internet Assigned Numbers Authority (IANA) time zone database - name. Requires the Device Information access right. Available in iOS 14 and - later, and tvOS 14 and later. - - key: ICCID - supportedOS: - iOS: - deprecated: '16.0' - removed: '26.0' - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: The integrated circuit card (ICC) identifier for the installed SIM card. - Requires the Network Information access right. Available as of iOS 4 and deprecated - in iOS 16. - - key: BluetoothMAC - supportedOS: - watchOS: - introduced: n/a - type: - content: The Bluetooth media access control (MAC) address. Requires the Network - Information access right. - - key: WiFiMAC - type: - content: The Wi-Fi MAC address. Requires the Network Information access right. 
- - key: EthernetMAC - supportedOS: - iOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: The primary Ethernet MAC address. Requires the Network Information access - right. Available in macOS 10.7 and later. - - key: CurrentCarrierNetwork - supportedOS: - iOS: - deprecated: '16.0' - removed: '26.0' - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: The name of the current carrier network. Requires the Network Information - access right. Available as of iOS 4 and deprecated in iOS 16. - - key: SIMCarrierNetwork - supportedOS: - iOS: - removed: '5.0' - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: Apple no longer supports this query. Use `SubscriberCarrierNetwork` instead. - - key: SubscriberCarrierNetwork - supportedOS: - iOS: - introduced: '5.0' - deprecated: '16.0' - removed: '26.0' - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: The name of the home carrier network. Requires the Network Information - access right. Available as of iOS 5 and deprecated in iOS 16. - - key: CarrierSettingsVersion - supportedOS: - iOS: - deprecated: '16.0' - removed: '26.0' - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: The version of the carrier settings. Requires the Network Information - access right. Available as of iOS 4 and deprecated in iOS 16. - - key: PhoneNumber - supportedOS: - iOS: - deprecated: '16.0' - removed: '26.0' - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: The raw phone number without punctuation and including the country code. - Requires the Network Information access right. 
Available as of iOS 4 and deprecated - in iOS 16. - - key: DataRoamingEnabled - supportedOS: - iOS: - introduced: '5.0' - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: If `true`, the device has enabled data roaming. Requires the Network - Information access right. Available in iOS 5 and later. - - key: VoiceRoamingEnabled - supportedOS: - iOS: - introduced: '5.0' - deprecated: '16.0' - removed: '26.0' - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: If `true`, the device has enabled voice roaming, which isn't available - for all carriers. Requires the Network Information access right. Requires the - Device Information access right. Available as of iOS 5 and deprecated in iOS - 16. - - key: PersonalHotspotEnabled - supportedOS: - iOS: - introduced: '7.0' - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: If `true,` the device has enabled Personal Hotspot, which isn't available - for all carriers. Requires the Network Information access right. Available in - iOS 7 and later. - - key: IsNetworkTethered - supportedOS: - iOS: - introduced: '10.3' - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: If `true`, the device is network-tethered. Requires the Network Information - access right. Available in iOS 10.3 and later. - - key: IsRoaming - supportedOS: - iOS: - introduced: '4.2' - deprecated: '16.0' - removed: '26.0' - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: If `true`, the device is roaming. Requires the Network Information access - right. IAvailable as of iOS 4.2 and deprecated in iOS 16. 
- - key: SIMMCC - supportedOS: - iOS: - removed: 4.2.6 - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: Apple no longer supports this query. Use `SubscriberMCC` instead. - - key: SIMMNC - supportedOS: - iOS: - removed: 4.2.6 - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: Apple no longer supports this query. Use `SubscriberMNC` instead. - - key: SubscriberMCC - supportedOS: - iOS: - introduced: 4.2.6 - deprecated: '16.0' - removed: '26.0' - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: The home Mobile Country Code (MCC). Requires the Network Information - access right. Available as of iOS 4.2.6 and deprecated in iOS 16. - - key: SubscriberMNC - supportedOS: - iOS: - introduced: 4.2.6 - deprecated: '16.0' - removed: '26.0' - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: The key to get the home Mobile Network Code (MNC). Requires the Network - Information access right. Available as of iOS 4.2.6 and deprecated in iOS 16. - - key: CurrentMCC - supportedOS: - iOS: - deprecated: '16.0' - removed: '26.0' - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: The current mobile country code (MCC). Requires the Network Information - access right. Available as of iOS 4 and deprecated in iOS 16. - - key: CurrentMNC - supportedOS: - iOS: - deprecated: '16.0' - removed: '26.0' - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: The current mobile network code (MNC). Requires the Network Information - access right. Available as of iOS 4 and deprecated in iOS 16. 
- - key: ServiceSubscriptions - supportedOS: - iOS: - introduced: '12.0' - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: The contents of ``ServiceSubscriptionProperty``. Requires the Network - Information access right. - subkeys: - - key: ServiceSubscriptionProperty - type: - content: Properties of this Service Subscription. See below. - subkeys: - - key: CarrierSettingsVersion - type: - content: The version of the carrier settings. This value is available in iOS - 12 and later. - - key: CurrentCarrierNetwork - type: - content: The name of the current carrier network. This value is available - in iOS 12 and later. - - key: CurrentMCC - type: - content: The current mobile country code (MCC). This value is available in - iOS 12 and later. - - key: CurrentMNC - type: - content: The current mobile network code (MNC). This value is available in - iOS 12 and later. - - key: ICCID - type: - content: The integrated circuit card identifier (ICCID) value. This value - is available in iOS 12 and later. - - key: EID - supportedOS: - iOS: - introduced: '14.0' - macOS: - introduced: n/a - tvOS: - introduced: n/a - type: - content: The eSIM identifier. This value is available in iOS 14 and later. - - key: IMEI - type: - content: The device International Mobile Equipment Identity (IMEI) number. - This value is available in iOS 12 and later. - - key: IsDataPreferred - type: - content: If `true`, this subscription is the preference for data. This value - is available in iOS 12 and later. - - key: IsRoaming - type: - content: If `true`, the phone is roaming. This value is available in iOS 12 - and later. - - key: IsVoicePreferred - type: - content: If `true`, this subscription is the preference for voice. This value - is available in iOS 12 and later. - - key: Label - type: - content: The label of this subscription. This value is available in iOS 12 - and later. 
- - key: LabelID - type: - content: The unique identifier for this subscription. This value is available - in iOS 12 and later. - - key: MEID - type: - content: The device Mobile Equipment Identifier (MEID) number. This query - is available in iOS 12 and later. - - key: PhoneNumber - type: - content: The raw phone number without punctuation and including country code. - This value is available in iOS 12 and later. - - key: Slot - type: - content: The description of the slot that contains the SIM representing this - subscription. This value is available in iOS 12 and later. - - key: SubscriberCarrierNetwork - supportedOS: - iOS: - introduced: '16.0' - macOS: - introduced: n/a - tvOS: - introduced: n/a - type: - content: The name of the home carrier network. This value is available in - iOS 16 and later. - - key: PINRequiredForEraseDevice - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '11.0' - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: If `true`, the `EraseDeviceCommand` requires a PIN. Available in macOS - 11 and later. - - key: PINRequiredForDeviceLock - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '11.0' - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: If `true`, the `DeviceLockCommand` requires a PIN. Available in macOS - 11 and later. - - key: SupportsiOSAppInstalls - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '11.0' - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: If `true`, the device supports iOS or iPadOS app installs through MDM. - Available in macOS 11 and later. 
- - key: SoftwareUpdateDeviceID - supportedOS: - iOS: - introduced: '15.0' - deprecated: '26.0' - userenrollment: - mode: forbidden - macOS: - introduced: '12.0' - deprecated: '26.0' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - deprecated: '26.0' - userenrollment: - mode: forbidden - watchOS: - introduced: n/a - type: - content: The device identifier to look up available OS updates through [https://gdmf.apple.com/v2/pmv](https://gdmf.apple.com/v2/pmv). - Available in iOS 15 and later, and macOS 12 and later. - - key: SoftwareUpdateSettings - supportedOS: - iOS: - introduced: '14.5' - deprecated: '26.0' - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: The device settings that control which updates appear in the Software - Update pane in Settings. Available in iOS 14.5 and later. - subkeys: - - key: RecommendationsCadence - type: - content: |- - Which software updates to present to the user. - - - `0`: Allows all updates (the default value). - - `1`: Allows only older updates. - - `2`: Allows only newer updates. - - No effect if the device qualifies for only a single update. - - key: AccessibilitySettings - supportedOS: - iOS: - introduced: '16.0' - supervised: true - sharedipad: - mode: allowed - devicechannel: false - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - supervised: true - type: - content: The current state of settable accessibility settings. Available in iOS - 16 and later. - subkeys: - - key: BoldTextEnabled - type: - content: If `true`, the device has enabled bold text. - - key: IncreaseContrastEnabled - supportedOS: - watchOS: - introduced: n/a - type: - content: If `true`, the device has enabled increase contrast. - - key: ReduceMotionEnabled - type: - content: If `true`, the device has enabled reduced motion. 
- - key: ReduceTransparencyEnabled - type: - content: If `true`, the device has enabled reduced transparency. - - key: TextSize - type: - rangelist: - - -1 - - 0 - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - - 8 - - 9 - - 10 - - 11 - content: |- - The accessibility text size apps that support dynamic text use. 0 is the smallest value, and 11 is the largest available. - - `-1` indicates that the current size is unknown or hasn't been explicitly set. - - key: TouchAccommodationsEnabled - type: - content: If `true`, the device has enabled touch accommodations. - - key: VoiceOverEnabled - type: - content: If `true`, the device has enabled voiceover. - - key: ZoomEnabled - type: - content: If `true`, the device has enabled zoom. - - key: GrayscaleEnabled - supportedOS: - iOS: - introduced: n/a - type: - content: If `true`, the device has enabled grayscale display. - - key: DevicePropertiesAttestation - supportedOS: - iOS: - introduced: '16.0' - userenrollment: - mode: allowed - macOS: - introduced: '14.0' - tvOS: - introduced: '16.0' - visionOS: - userenrollment: - mode: allowed - type: - content: |- - The key to get an attestation of the device's properties. Available in iOS 16 and later, macOS 14 and later, tvOS 16 and later, and watchOS 10 and later. The hardware requirements for attestation are described below. - - The value is an array of certificates in DER form that forms a certificate chain. The chain is rooted with the Apple CA `Apple Enterprise Attestation Root CA`. The first array item is the leaf certificate. The leaf certificate contains custom OIDs describing a device. The OS version of the device, and the type of enrollment, determine which OIDs are present in the certificate. If Apple's attestation servers are unable to verify a device property they generate a blank value, omit the OID entirely, or refuse to issue an attestation certificate. 
- - The following OIDs were introduced in iOS 16, iPadOS 16, tvOS 16, watchOS 10, visionOS 1 and macOS 14: - - - `1.2.840.113635.100.8.9.1` serial number: This is the serial number of the device. It is omitted if the enrollment is a user enrollment. - - `1.2.840.113635.100.8.9.2` UDID: For a Mac this has the same value as the `ProvisioningUDID` key, and does not match the UDID used elsewhere in the MDM protocol. It is omitted if the enrollment is a user enrollment. - - `1.2.840.113635.100.8.10.2` sepOS version: This is the version of the operating system running on the Secure Enclave when the attestation is generated. Typically this matches the version of the main operating system. - - `1.2.840.113635.100.8.11.1` Freshness code: This is the freshness code. See the `DeviceAttestationNonce`. This may not match the requested freshness code if a cached attestation was returned. - - The following OIDs were introduced in iOS 17.2, iPadOS 17.2, tvOS 17.2, watchOS 10.2, visionOS 1.l0, and macOS 14.2: - - - `1.2.840.113635.100.8.9.4` Software Update Device ID: This is an identifier of the device model. It is expected to match the `SoftwareUpdateDeviceID` in the `DeviceInformation`` response. This is the device identifier to use when looking up available OS updates through . - - `1.2.840.113635.100.8.10.1` OS Version: This is the version of iOS, iPadOS or tvOS running on the device when the attestation is generated. - - `1.2.840.113635.100.8.10.3` LLB Version: This is the version of the Low Level Bootloader firmware running on the device when the attestation is generated. For more information about the boot process, see the documentation of the boot process in the Apple Platform Security guide. - - The following OIDs were introduced in macOS 14.2: - - - `1.2.840.113635.100.8.13.1` System Integrity Protection (SIP) status: This indicates whether SIP is enabled or disabled when the attestation is generated. `0` indicates enabled, `1` indicates disabled. 
- - `1.2.840.113635.100.8.13.2` Secure boot status: This describes part of the configuration of the LocalPolicy when the attestation is generated. The values are `Full Security`, `Reduced Security`, or `Permissive Security`. For a description of these values see the Apple Platform Security guide. - - `1.2.840.113635.100.8.13.3` Third party kernel extensions allowed: This indicates whether third party kernel extensions are allowed. A value of `0` indicates third party kernel extensions are not allowed. Any other value means that some kinds of third party kernel extensions are allowed. - subkeys: - - key: AttestationCertificate - type: - - key: EACSPreflight - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '13.3' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: |- - Specifies whether the device can perform an `EraseDeviceCommand` using Erase All Content and Settings (EACS), which is one of the following values: - - `success`: The device supports EACS. - - `not supported`: The device is too old to support EACS. - - `unknown failure`: A problem occurred for which there isn't a more specific error message. - - `(other string)`: A reason why the device can't perform EACS, such as "System is not sealed" -notes: -- title: '' - content: Refer to the following sections to determine supported channels and requirements, - and to see an example request and response. -- title: DeviceInformation attestation hardware support - content: |- - The following table indicates which System on Chips (SoCs) support DeviceInformation attestation. - Unsupported devices ignore the DevicePropertiesAttestation and DeviceAttestationNonce keys. 
- - | Support status | iPhone, iPad | Mac | Apple TV | Apple Watch | Vision Pro | - |----------------|--------------------------------------|---------------|-------------------------|----------------|------------| - | Unsupported | A10x Fusion and earlier | Intel | A10x Fusion and earlier | S3 and earlier | none | - | Supported | A11 Bionic and later
All M series | Apple Silicon | A12 Bionic and later | S4 and later | All |
diff --git a/mdm/commands/information.security.yaml b/mdm/commands/information.security.yaml
deleted file mode 100644
index 74fe3df..0000000
--- a/mdm/commands/information.security.yaml
+++ /dev/null
@@ -1,591 +0,0 @@ -title: Security Info Command -description: Get security-related information about a device. -payload: - requesttype: SecurityInfo - supportedOS: - iOS: - introduced: '4.0' - accessrights: AllowQuerySecurity - supervised: false - requiresdep: false - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: allowed - macOS: - introduced: '10.7' - accessrights: AllowQuerySecurity - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userenrollment: - mode: allowed - tvOS: - introduced: '9.0' - accessrights: AllowQuerySecurity - supervised: false - visionOS: - introduced: '1.1' - accessrights: AllowQuerySecurity - supervised: false - requiresdep: false - userenrollment: - mode: allowed - watchOS: - introduced: '10.0' - accessrights: AllowQuerySecurity - supervised: false - content: This command queries the device for security-related information. Queries - are available if the MDM host has the Security Query right. -responsekeys: -- key: SecurityInfo - type: - presence: required - content: A dictionary that contains security-related information. - subkeys: - - key: HardwareEncryptionCaps - supportedOS: - macOS: - introduced: n/a - type: - content: |- - An integer that indicates the underlying hardware encryption capabilities of the device, which is one of the following values: - - - `1`: Block-level encryption - - `2`: File-level encryption - - `3`: Both block-level and file-level encryption - - > Important: - > For a device to have data protection, `HardwareEncryptionCaps` must be `3` and `PasscodePresent` must `true`. - - This value is available in iOS 4 and later, and tvOS 6 and later. - - key: PasscodePresent - supportedOS: - iOS: - userenrollment: - mode: forbidden - macOS: - introduced: n/a - visionOS: - userenrollment: - mode: forbidden - type: - content: If `true`, the device has a passcode. This key doesn't apply to User-Enrolled - devices. 
This value is available in iOS 4 and later, and tvOS 6 and later. - - key: PasscodeCompliant - supportedOS: - macOS: - introduced: n/a - type: - content: If `true`, the user's passcode is compliant with all requirements on - the device, including Exchange and other accounts. This value is available in - iOS 4 and later, and tvOS 6 and later. - - key: PasscodeCompliantWithProfiles - supportedOS: - iOS: - userenrollment: - mode: forbidden - macOS: - introduced: n/a - visionOS: - userenrollment: - mode: forbidden - type: - content: If `true`, the user's passcode is compliant with requirements from profiles. - This key doesn't apply to User-Enrolled devices. This value is available in - iOS 4 and later, and tvOS 6 and later. - - key: PasscodeLockGracePeriod - supportedOS: - iOS: - introduced: 9.3.2 - userenrollment: - mode: forbidden - macOS: - introduced: n/a - visionOS: - userenrollment: - mode: forbidden - type: - content: The user preference for the number of seconds before a locked screen - requires the device passcode to unlock it. This value is only available for - Shared iPad. - - key: PasscodeLockGracePeriodEnforced - supportedOS: - iOS: - introduced: 9.3.2 - userenrollment: - mode: forbidden - macOS: - introduced: n/a - visionOS: - userenrollment: - mode: forbidden - type: - content: The enforced value for the number of seconds before a locked screen requires - the device passcode to unlock it. If a device has a passcode, changing `PasscodeLockGracePeriod` - to a larger value doesn't take effect until the user logs out or removes the - passcode. This value is only available for Shared iPad. - - key: AutoLockTime - supportedOS: - iOS: - introduced: '17.0' - sharedipad: - mode: required - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: The number of seconds before a device goes to sleep after being idle. 
- This value is only available on Shared iPad in iOS 17 and later. - - key: FDE_Enabled - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.9' - userchannel: false - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: If `true`, the device has enabled FileVault full disk encryption (FDE). - This value is available in macOS 10.9 and later. - - key: FDE_HasPersonalRecoveryKey - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.9' - userchannel: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: If `true`, FileVault FDE has a personal recovery key. This value is available - in macOS 10.9 and later. - - key: FDE_HasInstitutionalRecoveryKey - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.9' - userchannel: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: If `true`, FileVault FDE has an institutional recovery key. This value - is available in macOS 10.9 and later. - - key: FDE_PersonalRecoveryKeyCMS - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.13' - userchannel: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: If the FileVault personal recovery key has enabled escrow with a recovery - key, this value contains the key. The certificate from the `FDERecoveryKeyEscrow` - profile encrypts the key and wraps it as CMS data. This value is available in - macOS 10.13 and later. 
- - key: FDE_PersonalRecoveryKeyDeviceKey - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.13' - userchannel: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: If the FileVault personal recovery key has enabled escrow with a recovery - key, this value is the device serial number. This is the value that displays - to the user at the EFI Login Window as part of the help message if they enter - their password incorrectly three times. The server also uses this value as an - index when saving the device personal recovery key. This replaces the `recordNumber` - that the server returned in the previous escrow mechanism. This value is available - in macOS 10.13 and later. - - key: SystemIntegrityProtectionEnabled - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.12' - userchannel: false - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: If `true`, System Integrity Protection (SIP) is active on the device. - This value is available in macOS 10.12 and later. - - key: FirewallSettings - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.12' - userchannel: false - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: A dictionary that contains the firewall settings. This value is available - in macOS 10.12 and later. - subkeys: - - key: FirewallEnabled - type: - content: If `true`, the firewall is on. - - key: BlockAllIncoming - type: - content: If `true`, the firewall blocks all incoming connections. - - key: StealthMode - type: - content: If true, stealth mode is active for the firewall. - - key: Applications - supportedOS: - macOS: - introduced: '10.12' - userenrollment: - mode: forbidden - type: - content: An array of dictionaries that describes the allowed applications. 
- subkeys: - - key: ApplicationsItem - type: - content: A dictionary that describes the allowed apps. - subkeys: - - key: Allowed - type: - content: If `true`, the app is an allowed app. - - key: BundleID - type: - content: The app's bundle identifier. - - key: Name - type: - content: The app's display name if it's determinable from the `BundleID`. - - key: LoggingEnabled - supportedOS: - macOS: - introduced: '12.0' - type: - content: If `true`, logging is enabled. - - key: LoggingOption - supportedOS: - macOS: - introduced: '12.0' - type: - rangelist: - - throttled - - brief - - detail - content: The type of logging emitted by the firewall. - - key: FirmwarePasswordStatus - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.13' - userchannel: false - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: A dictionary that contains the status of the EFI firmware password. This - value is available in macOS 10.13 and later. - subkeys: - - key: PasswordExists - type: - content: If `true`, the device has an EFI firmware password. - - key: ChangePending - type: - content: |- - If `true`, a firmware password change is pending. A device restart is necessary for this change to take effect. Until then, additional attempts to change the password fail. - - > Note: - > If `true`, the other values show the current state of the device, not the state after a restart. - - key: AllowOroms - type: - content: If `true`, enable ROMs. - - key: ManagementStatus - supportedOS: - iOS: - introduced: '13.0' - macOS: - introduced: 10.13.2 - tvOS: - introduced: '13.0' - type: - content: A dictionary that contains the status of the device's MDM enrollment. - subkeys: - - key: EnrolledViaDEP - supportedOS: - iOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: If `true`, the device enrolled in MDM through the Device Enrollment - Program (DEP). 
This value is available in macOS 10.13.2 and later. - - key: UserApprovedEnrollment - supportedOS: - iOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: If `true`, the enrollment was user-approved. If `false`, the device - may reject certain security-sensitive payloads or commands. This value is - available in macOS 10.13.2 and later. - - key: IsUserEnrollment - supportedOS: - macOS: - introduced: '10.15' - type: - content: If `true`, the device is user-enrolled. This value is available in - iOS 13 and later, and macOS 10.15 and later. - - key: IsActivationLockManageable - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.15' - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: If `true`, the type of enrollment allows the MDM to manage Activation - Lock for this device. This value is available in macOS 10.15 and later. - - key: SecureBoot - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.15' - userchannel: false - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: A dictionary that contains the device's Secure Boot settings. This value - is available in macOS 10.15 and later. - subkeys: - - key: SecureBootLevel - type: - rangelist: - - 'off' - - medium - - full - - not supported - content: The security level for the bootable operating system versions. - - key: ExternalBootLevel - type: - rangelist: - - allowed - - disallowed - - not supported - content: The device's external boot level, which indicates whether it allows - booting from an external device, disallows it, or doesn't support it. - - key: ReducedSecurity - supportedOS: - macOS: - introduced: '11.0' - type: - content: |- - Reports which security features the user disables in `recoveryOS`. This property is only present for a Mac with Apple silicon when `SecureBootLevel` is `medium`. 
- - Available in iOS 11 and later. - subkeys: - - key: ReducedSecurityItems - type: - subkeys: - - key: AllowsAnyAppleSignedOS - type: - content: If 'true', allows any signed version of trusted system software - from Apple to run. - - key: AllowsUserKextApproval - type: - content: If 'true', the user has control over kernel extensions. - - key: AllowsMDM - type: - content: If 'true', the MDM server controls kernel extensions and software - updates. - - key: RemoteDesktopEnabled - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: 10.14.4 - userchannel: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: If `true`, Remote Desktop is active on the device. This value is available - in macOS 10.14.4 and later. - - key: AuthenticatedRootVolumeEnabled - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '11.0' - userchannel: false - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: If `true`, the system booted using an Authenticated Root Volume. This - value is available in macOS 11 and later. - - key: BootstrapTokenAllowedForAuthentication - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '11.0' - userchannel: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - rangelist: - - allowed - - disallowed - - not supported - content: |- - This value specifies whether the Secure Enclave Processor (SEP) supports and allows secure operations to use the Bootstrap Token. The value is automatically set for devices enrolled through the Device Enrollment Program (DEP). The user can also manually set this value in the RecoveryOS. - - This value is available for a Mac with Apple silicon in macOS 11 and later. Not available for user enrollment. 
- - key: BootstrapTokenRequiredForSoftwareUpdate - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '11.0' - userchannel: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: |- - If `true`, the device can accept a Bootstrap Token from the MDM server instead of prompting for user authentication prior to installation. This only applies when `BootstrapTokenAllowedForAuthentication` is `true` in the `SecurityInfo` response. - - This value is available for a Mac with Apple silicon in macOS 11 and later. Not available for user enrollment. - - key: BootstrapTokenRequiredForKernelExtensionApproval - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '11.0' - userchannel: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: |- - If `true`, the device can accept a Bootstrap Token from the MDM server instead of prompting for user authentication prior to enabling kernel extensions. This includes enabling kexts through the `com.apple.syspolicy.kernel-extension-policy` payload or triggering the `RestartDevice` command with `RebuildKernelCache` set to `true`. This only applies when `BootstrapTokenAllowedForAuthentication` is `true` in the `SecurityInfo` response. - - This value is available for a Mac with Apple silicon in macOS 11 and later. Not available for user enrollment. - - key: IsRecoveryLockEnabled - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '11.5' - userchannel: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - content: If `true`, a password is required to enter recovery (see `SetRecoveryLockCommand`). - Available in macOS 11.5 and later and only on a Mac with Apple silicon. 
-notes:
-- title: ''
- content: Refer to the following sections to determine supported channels and requirements,
- and to see an example request and response.
diff --git a/mdm/commands/lom.devicerequest.yaml b/mdm/commands/lom.devicerequest.yaml
deleted file mode 100644
index a5dc474..0000000
--- a/mdm/commands/lom.devicerequest.yaml
+++ /dev/null
@@ -1,105 +0,0 @@
-title: LOM Device Request Command
-description: Send requests to a device using lights-out management (LOM).
-payload:
- requesttype: LOMDeviceRequest
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- introduced: '11.0'
- accessrights: DeviceLockAndRemovePasscode
- devicechannel: true
- userchannel: false
- supervised: false
- requiresdep: false
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- content: Used to send LOM requests ("PowerON", "PowerOFF", "Reset") to LOM Controller
- which then forwards the request to LOM Devices.
-payloadkeys:
-- key: RequestList
- type:
- presence: required
- content: An array of requests to perform.
- subkeys:
- - key: RequestListItem
- type:
- presence: required
- content: A dictionary that contains a requested action to perform on a device
- using lights-out management (LOM).
- subkeys:
- - key: DeviceRequestType
- type:
- presence: required
- rangelist:
- - PowerON
- - PowerOFF
- - Reset
- content: The requested action to perform on the device.
- - key: DeviceRequestUUID
- type:
- presence: required
- content: The unique identifier of the request.
- - key: DeviceDNSName
- type:
- presence: required
- content: The DNS name of the device. This should match the `dNSName` in `SubjectAltName`
- or an equivalent in a PKCS12 identity.
- - key: PrimaryIPv6AddressList
- type:
- presence: required
- content: An array that contains the IPv6 addresses for primary LOM-compatible
- Ethernet interfaces for the device.
- subkeys:
- - key: PrimaryIPv6AddressListItem
- type:
- presence: required
- - key: SecondaryIPv6AddressList
- type:
- presence: required
- content: An array that contains the IPv6 addresses for secondary LOM-compatible
- Ethernet interfaces for the device.
- subkeys:
- - key: SecondaryIPv6AddressListItem
- type:
- presence: required
- - key: LOMProtocolVersion
- type:
- presence: required
- content: The LOM protocol version that the device supports. Provide the same
- value that `LOMProtocolVersion` receives in the `LOMSetupRequestResponse`.
-responsekeys:
-- key: ResponseList
- type:
- presence: required
- content: An array of dictionaries that describes the status of each request.
- subkeys:
- - key: ResponseListItem
- type:
- presence: required
- content: A dictionary that describes a response list item.
- subkeys:
- - key: DeviceRequestSuccess
- type:
- presence: required
- content: If `true`, the request was successful.
- - key: DeviceRequestUUID
- type:
- presence: required
- content: The unique identifier of the request for this response list item.
- - key: DeviceRequestReturnError
- type:
- presence: optional
- content: If present, a description of the error for a failed request.
-notes:
-- title: ''
- content: |-
- This command requires the `DeviceLockAndRemovePasscode` access right, `LightsOutManagementLOM` configuration and is available in macOS 11 and later on [supported macOS devices](https://support.apple.com/guide/deployment/lights-out-management-payload-settings-dep580cf25bc/web).
-
- `DeviceDNSName` is the `CommonName` in the Identity issued on the client certificate from `LightsOutManagementLOM`. `LOMSetupRequestResponse` returns `PrimaryIPv6AddressList` and `SecondaryIPv6AddressList` after a successful deployment of Lights Out management configuration payload and subsequent `LOMSetupRequestCommand`.
diff --git a/mdm/commands/lom.setuprequest.yaml b/mdm/commands/lom.setuprequest.yaml
deleted file mode 100644
index 0fce9ad..0000000
--- a/mdm/commands/lom.setuprequest.yaml
+++ /dev/null
@@ -1,52 +0,0 @@
-title: LOM Setup Request Command
-description: Get information from a device to set up lights-out management (LOM).
-payload:
- requesttype: LOMSetupRequest
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- introduced: '11.0'
- accessrights: DeviceLockAndRemovePasscode
- devicechannel: true
- userchannel: false
- supervised: false
- requiresdep: false
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- content: Queries the device for LOM setup information such as IP addresses, protocol
- version, etc. The MDM server must send this command prior to sending the LOMDeviceRequest
- command.
-responsekeys:
-- key: PrimaryIPv6AddressList
- type:
- presence: required
- content: An array that contains the IPv6 addresses for primary LOM-compatible Ethernet
- interfaces for the device.
- subkeys:
- - key: PrimaryIPv6AddressListItem
- type:
- presence: required
-- key: SecondaryIPv6AddressList
- type:
- presence: required
- content: An array that contains the IPv6 addresses for secondary LOM-compatible
- Ethernet interfaces for the device.
- subkeys:
- - key: SecondaryIPv6AddressListItem
- type:
- presence: required
-- key: LOMProtocolVersion
- type:
- presence: required
- content: The LOM protocol version that the device supports.
-notes:
-- title: ''
- content: This command requires the `DeviceLockAndRemovePasscode` access right, `LightsOutManagementLOM`
- configuration and is available in macOS 11 and later on [supported macOS devices](https://support.apple.com/guide/deployment/lights-out-management-payload-settings-dep580cf25bc/web).
diff --git a/mdm/commands/managed.application.attributes.yaml b/mdm/commands/managed.application.attributes.yaml
deleted file mode 100644
index 5005da0..0000000
--- a/mdm/commands/managed.application.attributes.yaml
+++ /dev/null
@@ -1,223 +0,0 @@ -title: Managed Application Attributes Command -description: Query attributes in managed apps on a device. -payload: - requesttype: ManagedApplicationAttributes - supportedOS: - iOS: - introduced: '7.0' - accessrights: AllowAppInstallation - supervised: false - requiresdep: false - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: allowed - macOS: - introduced: n/a - tvOS: - introduced: '10.2' - accessrights: AllowAppInstallation - supervised: false - visionOS: - introduced: '1.1' - accessrights: AllowAppInstallation - supervised: false - requiresdep: false - userenrollment: - mode: allowed - watchOS: - introduced: '10.0' - accessrights: AllowAppInstallation - supervised: false -payloadkeys: -- key: Identifiers - type: - presence: required - content: |- - The bundle identifiers of the managed apps. - - > Important: - > For a watchOS app, the identifier needs to be the watch's bundle identifier, which differs from the main bundle identifier for the iPhone to which the watch is paired. Obtain the watch's bundle identifier for an app with a watch bundle, in the `watchBundleId` key that's part of the Content Metadata query. For more information on this query, see `Getting App and Book Information`. - subkeys: - - key: IdentifiersItem - type: -responsekeys: -- key: ApplicationAttributes - type: - presence: required - content: An array of app attribute items. - subkeys: - - key: ApplicationAttributesItem - type: - content: A dictionary that contains a managed app attributes item. - subkeys: - - key: Identifier - type: - presence: required - content: |- - The app's bundle identifier. - - > Note: - > For a watchOS app, the identifier is the watch's bundle identifier, which differs from the main bundle identifier for the iPhone to which the watch is paired. - - key: Attributes - type: - presence: optional - content: The app's attributes. 
- subkeys: - - key: VPNUUID - supportedOS: - tvOS: - introduced: n/a - type: - presence: optional - content: A per-app VPN unique identifier for this app. - - key: ContentFilterUUID - supportedOS: - iOS: - introduced: '16.0' - tvOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: |- - The content Filter UUID assigned to this app. - - Available in iOS 16 and later. - - key: DNSProxyUUID - supportedOS: - iOS: - introduced: '16.0' - tvOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: |- - The DNS Proxy UUID assigned to this app. - - Available in iOS 16 and later. - - key: RelayUUID - supportedOS: - iOS: - introduced: '17.0' - tvOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The relay UUID for this app. - - key: AssociatedDomains - supportedOS: - iOS: - introduced: '13.0' - tvOS: - introduced: n/a - type: - presence: optional - content: This app's associated domains. This value is available in iOS 13 - and later. - subkeys: - - key: AssociatedDomain - type: - - key: AssociatedDomainsEnableDirectDownloads - supportedOS: - iOS: - introduced: '14.0' - tvOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, perform claimed site association verification directly - at the domain instead of on Apple's servers. Only set this to `true` for - domains that can't access the internet. This value is available in iOS 14 - and later. - - key: Removable - supportedOS: - iOS: - introduced: '14.0' - tvOS: - introduced: '14.0' - type: - presence: optional - default: true - content: If `false`, this app isn't removable while it's a managed app. This - value is available in iOS 14 and later. 
- - key: TapToPayScreenLock - supportedOS: - iOS: - introduced: '16.4' - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: |- - If `true`, Tap to Pay on iPhone requires users to use Face ID or a passcode to unlock their device after every transaction that requires a customer's card PIN. If `false`, the user can configure this setting on their device. - - Available in iOS 16.4 and later. - - key: CellularSliceUUID - supportedOS: - iOS: - introduced: '17.0' - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: |- - The data network name (DNN) or app category. For DNN, the value is `DNN:name`, where `name` is the carrier-provided DNN name. For app category, the value is `AppCategory:category`, where `category` is a carrier-provided string like "Enterprise1". - - Available in iOS 17 and later. - - key: Hideable - supportedOS: - iOS: - introduced: '18.1' - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system prevents the user from hiding the app. It - doesn't affect the user's ability to leave it in the App Library, while - removing it from the Home Screen. - - key: Lockable - supportedOS: - iOS: - introduced: '18.1' - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system prevents the user from locking the app. This - also prevents the user from hiding the app. -notes: -- title: '' - content: |- - This command allows the server to get attributes of managed apps. - - The response doesn't include apps that Declarative Device Management is managing. - - Refer to the following sections to determine supported channels and requirements, and to see an example request and response. 
diff --git a/mdm/commands/managed.application.configuration.yaml b/mdm/commands/managed.application.configuration.yaml
deleted file mode 100644
index 56fa9dd..0000000
--- a/mdm/commands/managed.application.configuration.yaml
+++ /dev/null
@@ -1,87 +0,0 @@
-title: Managed Application Configuration Command -description: Get app configurations from managed apps on a device. -payload: - requesttype: ManagedApplicationConfiguration - supportedOS: - iOS: - introduced: '7.0' - accessrights: AllowAppInstallation - supervised: false - requiresdep: false - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: allowed - macOS: - introduced: '10.15' - accessrights: AllowAppInstallation - devicechannel: true - userchannel: false - supervised: false - requiresdep: false - userenrollment: - mode: allowed - tvOS: - introduced: '10.2' - accessrights: AllowAppInstallation - supervised: false - visionOS: - introduced: '1.1' - accessrights: AllowAppInstallation - supervised: false - requiresdep: false - userenrollment: - mode: allowed - watchOS: - introduced: '10.0' - accessrights: AllowAppInstallation - supervised: false -payloadkeys: -- key: Identifiers - type: - presence: required - content: |- - The bundle identifiers of the managed apps. - - > Important: - > For a watchOS app, the identifier needs to be the watch's bundle identifier, which differs from the main bundle identifier for the iPhone to which the watch is paired. Obtain the watch's bundle identifier for an app with a watch bundle, in the `watchBundleId` key that's part of the Content Metadata query. For more information on this query, see `Getting App and Book Information`. - subkeys: - - key: IdentifiersItem - type: -responsekeys: -- key: ApplicationConfigurations - type: - presence: required - content: An array of app configuration items. - subkeys: - - key: ApplicationConfigurationsItem - type: - content: A dictionary that contains a managed app's configurations item. - subkeys: - - key: Identifier - type: - presence: required - content: |- - The app's bundle identifier.
- - > Note: - > For a watchOS app, the identifier is the watch's bundle identifier, which differs from the main bundle identifier for the iPhone to which the watch is paired. - - key: Configuration - type: - presence: optional - content: The app's configurations. - subkeys: - - key: ANY - type: - presence: optional - content: The app's configuration items. -notes: -- title: '' - content: |- - This command allows the server to get the configuration of managed apps. - - The response doesn't include apps that Declarative Device Management is managing. - - Refer to the following sections to determine supported channels and requirements, and to see an example request and response.
diff --git a/mdm/commands/managed.application.feedback.yaml b/mdm/commands/managed.application.feedback.yaml
deleted file mode 100644
index 43b578d..0000000
--- a/mdm/commands/managed.application.feedback.yaml
+++ /dev/null
@@ -1,81 +0,0 @@
-title: Managed Application Feedback Command -description: Get app feedback from a managed app on the device. -payload: - requesttype: ManagedApplicationFeedback - supportedOS: - iOS: - introduced: '7.0' - accessrights: AllowAppInstallation - supervised: false - requiresdep: false - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: allowed - macOS: - introduced: '11.0' - accessrights: AllowAppInstallation - devicechannel: false - userchannel: true - userenrollment: - mode: allowed - tvOS: - introduced: '10.2' - accessrights: AllowAppInstallation - supervised: false - visionOS: - introduced: '1.1' - accessrights: AllowAppInstallation - supervised: false - requiresdep: false - userenrollment: - mode: allowed - watchOS: - introduced: n/a -payloadkeys: -- key: Identifiers - type: - presence: required - content: The bundle identifiers of the managed apps. - subkeys: - - key: IdentifiersItem - type: -- key: DeleteFeedback - type: - presence: optional - default: false - content: If `true`, delete the app's feedback dictionary after the server reads - it. Apps that are managed by Declarative Device Management are ignored. -responsekeys: -- key: ManagedApplicationFeedback - type: - presence: required - content: An array of managed app feedback items. - subkeys: - - key: ManagedApplicationFeedbackItem - type: - content: A dictionary that contains a managed app's feedback item. - subkeys: - - key: Identifier - type: - presence: required - content: The app's bundle identifier. - - key: Feedback - type: - presence: optional - content: The app's feedback. - subkeys: - - key: ANY - type: - presence: optional - content: The app's feedback items. -notes: -- title: '' - content: |- - This command allows the server to get the feedback information of managed apps. In macOS 12 and later, macOS supports this command on the user channel. - - The response doesn't include apps that Declarative Device Management is managing.
- - Refer to the following sections to determine supported channels and requirements, and to see an example request and response.
diff --git a/mdm/commands/media.install.yaml b/mdm/commands/media.install.yaml
deleted file mode 100644
index 332b882..0000000
--- a/mdm/commands/media.install.yaml
+++ /dev/null
@@ -1,177 +0,0 @@
-title: Install Media Command -description: Install a book on a device. -payload: - requesttype: InstallMedia - supportedOS: - iOS: - introduced: '8.0' - accessrights: AllowAppInstallation - supervised: false - requiresdep: false - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: allowed - macOS: - introduced: '10.9' - deprecated: '11.0' - removed: '11.0' - accessrights: AllowAppInstallation - devicechannel: false - userchannel: true - supervised: false - requiresdep: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: This command allows the server to install a book on a device. If the book - is already being managed, this command will update the book. -payloadkeys: -- key: iTunesStoreID - type: - presence: optional - content: The book's iTunes Store identifier. -- key: MediaURL - supportedOS: - macOS: - introduced: n/a - type: - presence: optional - content: The URL to retrieve the book. This value is available in iOS 8 and later. -- key: MediaType - type: - presence: required - rangelist: - - Book - content: The media type, which can only be `Book`. -- key: PersistentID - supportedOS: - macOS: - introduced: n/a - type: - presence: optional - content: The book's persistent identifier in reverse-DNS form; for example, `com.acme.manuals.training`. - This value is available in iOS 8 and later. -- key: Kind - supportedOS: - macOS: - introduced: n/a - type: - presence: optional - rangelist: - - pdf - - epub - - ibooks - content: |- - The kind of the media, which can be one of the following values: - - - `pdf`: A PDF file - - `epub`: An EPUB file in `gzip` format. - - `ibooks`: An iBooks Author file in `gzip` format. - - If you omit this value, its value is the file extension in the URL. This value is available in iOS 8 and later.
-- key: Version - supportedOS: - macOS: - introduced: n/a - type: - presence: optional - content: The book's version number. This value is available in iOS 8 and later. -- key: Author - supportedOS: - macOS: - introduced: n/a - type: - presence: optional - content: The name of the book's author. This value is available in iOS 8 and later. -- key: Title - supportedOS: - macOS: - introduced: n/a - type: - presence: optional - content: The book's title. This value is available in iOS 8 and later. -responsekeys: -- key: iTunesStoreID - type: - presence: optional - content: The book's iTunes Store identifier, if present in the command. -- key: MediaURL - supportedOS: - macOS: - introduced: n/a - type: - presence: optional - content: The URL to retrieve the book, if present in the command. This value is - available in iOS 8 and later. -- key: PersistentID - supportedOS: - macOS: - introduced: n/a - type: - presence: optional - content: The book's persistent identifier, if present in the command. This value - is available in iOS 8 and later. -- key: MediaType - type: - presence: optional - content: The media type, which can only be `Book`. -- key: State - type: - presence: optional - rangelist: - - Queued - - PromptingForLogin - - Updating - - Installing - - Managed - - ManagedButUninstalled - - Installed - - Uninstalled - - Failed - - Unknown - content: The installation state of this book. The `Failed` and `Unknown` states - are transient and the device only reports them once. Books from the Book Store - report their state as `Installed` instead of `Managed`. -- key: RejectionReason - type: - presence: optional - rangelist: - - CouldNotVerifyITunesStoreID - - PurchaseNotFound - - AppStoreDisabled - - WrongMediaType - - DownloadInvalid - - EnterpriseBooksNotSupportedInMultiUser - content: |- - The reason, if installation fails, which is one of the following values: - - - `CouldNotVerifyITunesStoreID`: The `iTunesStoreID` is invalid. 
- - `PurchaseNotFound`: The Volume Purchase Program (VPP) license isn't in the user's history. - - `AppStoreDisabled`: App Store isn't available on the device. - - `WrongMediaType`: The media type is invalid. The only valid type is `Book`. - - `DownloadInvalid`: The URL doesn't lead to a valid book. - - `EnterpriseBooksNotSupportedInMultiUser`: Multiuser mode doesn't support enterprise books. -notes: -- title: '' - content: |- - The request must contain either the `iTunesStoreID` or `MediaURL`. The `MediaURL` must lead to a PDF file, an EPUB file in `gzip` format, or an iBooks Author document in `gzip` format. Books that MDM has installed become managed books. - - Use Volume Purchase Program (VPP) Licensing to obtain books from the Book Store. Books from the Book Store require that the device has enabled App Store. These books undergo backup, sync with iTunes, and remain on the device after removal of the MDM profile. - - Books that aren't from the Book Store don't require that the device has enabled App Store. These books don't undergo backup, don't sync with iTunes, and don't remain on the device after removal of the MDM profile. - - If the book already exists, this command updates the book and makes it visible to the MDM server. The user doesn't receive a prompt for a book installation or update unless they need to log in to complete a Book Store transaction. - - If you install a book from the Book Store with the same `iTunesStoreID` as an existing managed book, the new book replaces the existing one. - - If you install a book that isn't from the Book Store with the same `PersistentID` as an existing book that also isn't from the Book Store, the new book replaces the existing one. - - Refer to the following sections to determine supported channels and requirements, and to see an example request and response.
diff --git a/mdm/commands/media.managed.list.yaml b/mdm/commands/media.managed.list.yaml
deleted file mode 100644
index 7a22fd5..0000000
--- a/mdm/commands/media.managed.list.yaml
+++ /dev/null
@@ -1,90 +0,0 @@
-title: Managed Media List Command -description: Get a list of the managed books on a device. -payload: - requesttype: ManagedMediaList - supportedOS: - iOS: - introduced: '8.0' - accessrights: AllowAppInstallation - supervised: false - requiresdep: false - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: allowed - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: This command allows the server to query for installed 3rd party applications. -responsekeys: -- key: Books - type: - presence: required - content: An array of dictionaries that describes managed books. - subkeys: - - key: BooksItem - type: - content: A dictionary that describes a managed book. - subkeys: - - key: iTunesStoreID - type: - presence: required - content: The book's iTunes Store identifier. - - key: State - type: - presence: optional - content: |- - The installation state of this book, which is one of the following values: - - - `Queued` - - `PromptingForLogin` - - `Updating` - - `Installing` - - `Managed` - - `ManagedButUninstalled` - - `Installed` - - `Uninstalled` - - `Failed` - - `Unknown` - - The `Failed` and `Unknown` states are transient and the device only reports them once. Books from the Book Store report their state as `Installed` instead of `Managed`. - - key: PersistentID - type: - presence: optional - content: The book's persistent identifier in reverse-DNS form; for example, - `com.acme.manuals.training`. - - key: Kind - type: - presence: optional - content: |- - The kind of the media, which is one of the following values: - - - `pdf`: A PDF file - - `epub`: An EPUB file in `gzip` format - - `ibooks`: An iBooks Author file in `gzip` format - - The file extension in the URL - - This value is available in iOS 8 and later. - - key: Version - type: - presence: optional - content: The book's version number.
- - key: Author - type: - presence: optional - content: The name of the book's author. - - key: Title - type: - presence: optional - content: The book's title. -notes: -- title: '' - content: Refer to the following sections to determine supported channels and requirements, - and to see an example request and response.
diff --git a/mdm/commands/media.remove.yaml b/mdm/commands/media.remove.yaml
deleted file mode 100644
index 3b99ab3..0000000
--- a/mdm/commands/media.remove.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-title: Remove Media Command -description: Remove a previously installed book from a device. -payload: - requesttype: RemoveMedia - supportedOS: - iOS: - introduced: '8.0' - accessrights: AllowAppInstallation - supervised: false - requiresdep: false - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: allowed - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: This command allows an MDM server to remove managed media. This command - returns Acknowledged even if the item is not found. -payloadkeys: -- key: MediaType - type: - presence: required - rangelist: - - Book - content: The media type, which can only be `Book`. -- key: iTunesStoreID - type: - presence: optional - content: The book's iTunes Store identifier. -- key: PersistentID - type: - presence: optional - content: The book's persistent identifier in reverse-DNS form; for example, `com.acme.manuals.training`. -notes: -- title: '' - content: Refer to the following sections to determine supported channels and requirements, - and to see an example request and response.
diff --git a/mdm/commands/mirroring.request.yaml b/mdm/commands/mirroring.request.yaml
deleted file mode 100644
index fe6d003..0000000
--- a/mdm/commands/mirroring.request.yaml
+++ /dev/null
@@ -1,71 +0,0 @@
-title: Request Mirroring Command -description: Prompt the user to share their screen using AirPlay Mirroring. -payload: - requesttype: RequestMirroring - supportedOS: - iOS: - introduced: '7.0' - accessrights: None - supervised: false - requiresdep: false - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: allowed - macOS: - introduced: '10.10' - accessrights: None - devicechannel: true - userchannel: false - supervised: false - requiresdep: false - userenrollment: - mode: allowed - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: This command prompts the user to share their screen using AirPlay Mirroring. -payloadkeys: -- key: DestinationName - type: - presence: optional - content: The name of the AirPlay Mirroring destination. -- key: DestinationDeviceID - type: - presence: optional - content: The hardware address of the AirPlay Mirroring destination that identifies - the device, in the format `xx:xx:xx:xx:xx`. This value isn't case-sensitive. Not - available for Apple TV devices running tvOS 18 or later, use `DestinationName` - instead. -- key: ScanTime - type: - presence: optional - content: The number of seconds, from `10` to `300`, for the device to spend searching - for the destination. The default value is `30`. -- key: Password - type: - presence: optional - content: The screen-sharing password that the device uses when connecting to the - destination. -responsekeys: -- key: MirroringResult - type: - presence: optional - content: |- - The result of the request. One of these values: - - - `Prompting`: The user is receiving a prompt to share their screen. - - `DestinationNotFound`: The device is unable to reach the destination. - - `Cancelled`: The user canceled the request. - - `Unknown`: An unknown error occurred. -notes: -- title: '' - content: |- - Provide either the `DestinationName` or the `DestinationDeviceID`.
If you provide both values, MDM uses `DestinationDeviceID`. - - Refer to the following sections to determine supported channels and requirements, and to see an example request and response.
diff --git a/mdm/commands/mirroring.stop.yaml b/mdm/commands/mirroring.stop.yaml
deleted file mode 100644
index 23ce02b..0000000
--- a/mdm/commands/mirroring.stop.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: Stop Mirroring Command -description: Stop mirroring the display to another device. -payload: - requesttype: StopMirroring - supportedOS: - iOS: - introduced: '7.0' - accessrights: None - supervised: true - requiresdep: false - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: forbidden - macOS: - introduced: '10.10' - accessrights: None - devicechannel: true - userchannel: false - supervised: false - requiresdep: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: This command stops AirPlay mirroring. -notes: -- title: '' - content: Refer to the following sections to determine supported channels and requirements, - and to see an example request and response.
diff --git a/mdm/commands/passcode.clear.yaml b/mdm/commands/passcode.clear.yaml
deleted file mode 100644
index ae660a3..0000000
--- a/mdm/commands/passcode.clear.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-title: Clear Passcode Command -description: Remove the passcode from a device. -payload: - requesttype: ClearPasscode - supportedOS: - iOS: - introduced: '4.0' - accessrights: AllowPasscodeRemovalAndLock - supervised: false - requiresdep: false - sharedipad: - mode: forbidden - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: '1.1' - accessrights: AllowPasscodeRemovalAndLock - supervised: false - requiresdep: false - userenrollment: - mode: forbidden - watchOS: - introduced: '10.0' - accessrights: AllowPasscodeRemovalAndLock - supervised: false - content: This command allows the server to clear the passcode on the device. This - command requires the Device Lock and Passcode Removal right. -payloadkeys: -- key: UnlockToken - type: - presence: required - content: The unlock token value that the device provides in its `TokenUpdateMessage` - check-in message. -notes: -- title: '' - content: |- - Clearing the passcode in iOS 16 no longer adds the passcode to the history of passcodes. Therefore, the user can reuse the cleared passcode even when the `Passcode` payload has the `pinHistory` key set. - - Refer to the following sections to determine supported channels and requirements, and to see an example request and response.
diff --git a/mdm/commands/passcode.firmware.set.yaml b/mdm/commands/passcode.firmware.set.yaml
deleted file mode 100644
index cb3023c..0000000
--- a/mdm/commands/passcode.firmware.set.yaml
+++ /dev/null
@@ -1,64 +0,0 @@
-title: Set Firmware Password Command -description: Change or clear the firmware password on a device. -payload: - requesttype: SetFirmwarePassword - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.13' - accessrights: DeviceLockAndRemovePasscode - devicechannel: true - userchannel: false - supervised: false - requiresdep: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: Changes or clears the firmware password for the device. Requires the "Device - lock and passcode removal right". This command is not available on a Mac with - Apple silicon. -payloadkeys: -- key: CurrentPassword - type: - presence: optional - content: The current password, which you must set if the device has a firmware password. -- key: NewPassword - type: - presence: required - content: The new firmware password. Set to an empty string to clear the password. - The characters in this value must consist of low-ASCII, printable characters (`0x20` - through `0x7E`) to ensure that all characters are enterable on the EFI login screen. -- key: AllowOroms - type: - presence: optional - default: false - content: If `true`, enable ROMs. -responsekeys: -- key: SetFirmwarePassword - type: - presence: required - content: A dictionary containing the results of the command. - subkeys: - - key: PasswordChanged - type: - presence: required - content: If `true`, the password change succeeded. -notes: -- title: '' - content: |- - This command has a throttle interval to prevent executing it more frequently than every 30 seconds. Requests that occur within the throttle interval return an error. - - > Important: - > There's no way to set or clear a firmware password in MDM without knowing the current password, unless the server provides a way to prompt the administrator for the current password. Contact AppleCare service and support if the current password is unknown.
- - After processing the command, the device restarts so that the new firmware password takes effect. This command returns an error and fails if a firmware password is already pending. - - Refer to the following sections to determine supported channels and requirements, and to see an example request and response. - - This command isn't supported on a Mac with Apple silicon.
diff --git a/mdm/commands/passcode.firmware.verify.yaml b/mdm/commands/passcode.firmware.verify.yaml
deleted file mode 100644
index a4cf91e..0000000
--- a/mdm/commands/passcode.firmware.verify.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-title: Verify Firmware Password Command -description: Verify the firmware password on a device. -payload: - requesttype: VerifyFirmwarePassword - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.13' - accessrights: None - devicechannel: true - userchannel: false - supervised: false - requiresdep: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: Verifies the device's firmware password. This command is not available - on a Mac with Apple silicon. -payloadkeys: -- key: Password - type: - presence: required - content: The password to verify. -responsekeys: -- key: VerifyFirmwarePassword - type: - presence: required - content: A dictionary containing the results of the command. - subkeys: - - key: PasswordVerified - type: - presence: required - content: If 'true', the provided password matched the firmware password set for - the device. -notes: -- title: '' - content: |- - This command has a throttle interval to prevent executing it more frequently than every 30 seconds. Requests that occur within the throttle interval return an error. - - Refer to the following sections to determine supported channels and requirements, and to see an example request and response. - - This command isn't supported on a Mac with Apple silicon.
diff --git a/mdm/commands/passcode.recovery.set.yaml b/mdm/commands/passcode.recovery.set.yaml
deleted file mode 100644
index c57fa06..0000000
--- a/mdm/commands/passcode.recovery.set.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-title: Set Recovery Lock Command -description: Set or clear the Recovery Lock password. -payload: - requesttype: SetRecoveryLock - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '11.5' - accessrights: DeviceLockAndRemovePasscode - devicechannel: true - userchannel: false - supervised: false - requiresdep: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: Sets or clears the recovery lock password (Apple Silicon devices only). - Requires the "Device lock and passcode removal right". -payloadkeys: -- key: CurrentPassword - type: - presence: optional - content: If the device has a Recovery Lock password set, the system requires the - current password. -- key: NewPassword - type: - presence: required - content: The new password for Recovery Lock. Set as an empty string to clear the - Recovery Lock password. -notes: -- title: '' - content: |- - This command sets, or clears, a password on booting to recoveryOS. When the device unenrolls MDM the system removes the recovery password. - - This command is only available on a Mac with Apple silicon.
diff --git a/mdm/commands/passcode.recovery.verify.yaml b/mdm/commands/passcode.recovery.verify.yaml
deleted file mode 100644
index 1dd3e18..0000000
--- a/mdm/commands/passcode.recovery.verify.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: Verify Recovery Lock Command -description: Verify the device's Recovery Lock password. -payload: - requesttype: VerifyRecoveryLock - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '11.5' - accessrights: DeviceLockAndRemovePasscode - devicechannel: true - userchannel: false - supervised: false - requiresdep: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: Verifies the device's recovery lock password. (AppleSilicon devices only) -payloadkeys: -- key: Password - type: - presence: required - content: The password to verify. -responsekeys: -- key: PasswordVerified - type: - presence: required - content: If `true`, the device verified the password. -notes: -- title: '' - content: This command is only available on a Mac with Apple silicon.
diff --git a/mdm/commands/profile.install.yaml b/mdm/commands/profile.install.yaml
deleted file mode 100644
index 21c7d68..0000000
--- a/mdm/commands/profile.install.yaml
+++ /dev/null
@@ -1,54 +0,0 @@
-title: Install Profile Command -description: Install a configuration profile on a device. -payload: - requesttype: InstallProfile - supportedOS: - iOS: - introduced: '4.0' - accessrights: AllowInstallationRemoval - supervised: false - requiresdep: false - sharedipad: - mode: allowed - devicechannel: true - userchannel: true - userenrollment: - mode: allowed - macOS: - introduced: '10.7' - accessrights: AllowInstallationRemoval - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userenrollment: - mode: allowed - tvOS: - introduced: '9.0' - accessrights: AllowInstallationRemoval - supervised: false - visionOS: - introduced: '1.1' - accessrights: AllowInstallationRemoval - supervised: false - requiresdep: false - userenrollment: - mode: allowed - watchOS: - introduced: '10.0' - accessrights: AllowInstallationRemoval - supervised: false - content: This command allows the host to install a configuration profile. The profile - may be encrypted using any installed identity certificate. The profile may also - be signed. This command requires the Profile Installation and Removal right. It's - supported in the user channel. -payloadkeys: -- key: Payload - type: - presence: required - content: The profile to install, which you can encrypt using any identity certificate - installed on the device. You can also sign the profile. -notes: -- title: '' - content: Refer to the following sections to determine supported channels and requirements, - and to see an example request and response.
diff --git a/mdm/commands/profile.list.yaml b/mdm/commands/profile.list.yaml
deleted file mode 100644
index 2c5e6cd..0000000
--- a/mdm/commands/profile.list.yaml
+++ /dev/null
@@ -1,197 +0,0 @@
-title: Profile List Command -description: Get a list of installed profiles on a device. -payload: - requesttype: ProfileList - supportedOS: - iOS: - introduced: '4.0' - accessrights: AllowInspection - supervised: false - requiresdep: false - sharedipad: - mode: allowed - devicechannel: true - userchannel: true - userenrollment: - mode: allowed - macOS: - introduced: '10.7' - accessrights: AllowInspection - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userenrollment: - mode: allowed - tvOS: - introduced: '9.0' - accessrights: AllowInspection - supervised: false - visionOS: - introduced: '1.1' - accessrights: AllowInspection - supervised: false - requiresdep: false - userenrollment: - mode: allowed - watchOS: - introduced: '10.0' - accessrights: AllowInspection - supervised: false - content: This command allows the MDM server to query for the profiles installed - on the device. This command requires the Inspect Profile Manifest right. It's - supported on the user channel. -payloadkeys: -- key: ManagedOnly - supportedOS: - iOS: - introduced: '13.0' - macOS: - introduced: '10.15' - tvOS: - introduced: '13.0' - type: - presence: optional - default: false - content: If `true`, only include profiles that MDM has installed. For user enrollments, - the device ignores this key and always limits the results to managed profiles. - This value is available in iOS 13 and later, macOS 10.5 and later, and tvOS 13 - and later. -responsekeys: -- key: ProfileList - type: - presence: required - content: An array of dictionaries that describes each installed profile. - subkeys: - - key: ProfileListItem - type: - content: A dictionary that describes a profile list item. - subkeys: - - key: PayloadUUID - type: - presence: required - content: The unique identifier for the profile. - - key: PayloadIdentifier - type: - presence: required - content: The reverse-DNS-style identifier of the profile; for example, `com.example.myprofile`.
- - key: PayloadVersion - type: - presence: optional - content: The version of the configuration profile as a whole, not of the individual - profiles within it. The value should be `1`. - - key: PayloadDisplayName - type: - presence: optional - content: The human-readable name of the profile. - - key: PayloadOrganization - type: - presence: optional - content: The human-readable name of the organization that provided the profile. - - key: PayloadDescription - type: - presence: optional - content: The description of the profile. - - key: PayloadRemovalDisallowed - type: - presence: optional - default: false - content: If `true`, the user can't delete the profile unless it has a removal - password and the user provides it. The framework ignores this field on unsupervised - devices. - - key: HasRemovalPasscode - type: - presence: optional - default: false - content: If `true`, the profile has a passcode for removal. - - key: IsEncrypted - type: - presence: optional - default: false - content: If `true`, it's an encrypted profile. - - key: SignerCertificates - type: - presence: optional - content: An array that contains the certificate for signing the profile, followed - by any intermediate certificates, in DER-encoded X.509 format. - subkeys: - - key: CertificateItem - type: - content: DER-encoded X.509 certificate - - key: IsManaged - supportedOS: - macOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the current MDM service installed the profile. MDM doesn't - return this value for supervised devices, and can remove or replace all profiles - on supervised devices. - - key: Source - supportedOS: - iOS: - introduced: '18.0' - macOS: - introduced: '15.0' - tvOS: - introduced: '18.0' - visionOS: - introduced: '2.0' - watchOS: - introduced: '11.0' - type: - presence: optional - content: A string set to `Declarative Device Management` when the profile is - managed by Declarative Device Management. 
- - key: PayloadContent - type: - presence: optional - content: An array of payload content items. This value isn't present if `IsEncrypted` - is `true`. - subkeys: - - key: PayloadContentItem - type: - content: A dictionary that describes a profile payload content item. - subkeys: - - key: PayloadType - type: - presence: required - content: The type of payload, such as `com.apple.wifi.managed`. - - key: PayloadVersion - type: - presence: required - rangelist: - - 1 - content: The version of the payload. The value is `1`. - - key: PayloadIdentifier - type: - presence: required - content: The reverse-DNS-style identifier of the payload, such as `com.example.mypayload`. - - key: PayloadUUID - supportedOS: - iOS: - introduced: '17.0' - macOS: - introduced: '14.0' - tvOS: - introduced: '17.0' - type: - presence: required - content: The unique identifier of the payload. - - key: PayloadDisplayName - type: - presence: optional - content: The human-readable name of the payload. - - key: PayloadDescription - type: - presence: optional - content: A description of the payload. - - key: PayloadOrganization - type: - presence: optional - content: The human-readable name of the organization that provided the payload. -notes: -- title: '' - content: Refer to the following sections to determine supported channels and requirements, - and to see an example request and response.
diff --git a/mdm/commands/profile.provisioning.install.yaml b/mdm/commands/profile.provisioning.install.yaml
deleted file mode 100644
index ea09672..0000000
--- a/mdm/commands/profile.provisioning.install.yaml
+++ /dev/null
@@ -1,55 +0,0 @@
-title: Install Provisioning Profile Command
-description: Install a provisioning profile on a device.
-payload:
- requesttype: InstallProvisioningProfile
- supportedOS:
- iOS:
- introduced: '4.0'
- accessrights: AllowProvisioningInstallationRemoval
- supervised: false
- requiresdep: false
- sharedipad:
- mode: allowed
- devicechannel: true
- userchannel: false
- userenrollment:
- mode: allowed
- macOS:
- introduced: '11.0'
- accessrights: None
- devicechannel: true
- userchannel: false
- supervised: false
- requiresdep: false
- userenrollment:
- mode: allowed
- tvOS:
- introduced: '10.2'
- accessrights: AllowProvisioningInstallationRemoval
- supervised: false
- visionOS:
- introduced: '1.1'
- accessrights: AllowProvisioningInstallationRemoval
- supervised: false
- requiresdep: false
- userenrollment:
- mode: allowed
- watchOS:
- introduced: '10.0'
- accessrights: AllowProvisioningInstallationRemoval
- supervised: false
- content: This command allows the server to install a provisioning profile. No error
- occurs if the provisioning profile is already installed. This command requires
- the Provisioning Profile Installation and Removal right. On macOS, this command
- is for iOS and iPadOS style provisioning profiles only.
-payloadkeys:
-- key: ProvisioningProfile
- type:
- presence: required
- content: The provisioning profile.
-notes:
-- title: ''
- content: |-
- No error occurs if the provisioning profile is already present.
-
- Refer to the following sections to determine supported channels and requirements, and to see an example request and response.
diff --git a/mdm/commands/profile.provisioning.list.yaml b/mdm/commands/profile.provisioning.list.yaml
deleted file mode 100644
index 20bb611..0000000
--- a/mdm/commands/profile.provisioning.list.yaml
+++ /dev/null
@@ -1,83 +0,0 @@
-title: Provisioning Profile List Command
-description: Get a list of installed provisioning profiles on a device.
-payload:
- requesttype: ProvisioningProfileList
- supportedOS:
- iOS:
- introduced: '4.0'
- accessrights: AllowProvisioningInspection
- supervised: false
- requiresdep: false
- sharedipad:
- mode: allowed
- devicechannel: true
- userchannel: false
- userenrollment:
- mode: allowed
- macOS:
- introduced: '11.0'
- accessrights: None
- devicechannel: true
- userchannel: false
- supervised: false
- requiresdep: false
- userenrollment:
- mode: allowed
- tvOS:
- introduced: '10.2'
- accessrights: AllowProvisioningInspection
- supervised: false
- visionOS:
- introduced: '1.1'
- accessrights: AllowProvisioningInspection
- supervised: false
- requiresdep: false
- userenrollment:
- mode: allowed
- watchOS:
- introduced: '10.0'
- accessrights: AllowProvisioningInspection
- supervised: false
- content: This command allows the server to retrieve the list of installed provisioning
- profiles on the device. This command requires the Inspect Provisioning Profiles
- right. On macOS, this command is for iOS and iPadOS style provisioning profiles
- only.
-payloadkeys:
-- key: ManagedOnly
- supportedOS:
- iOS:
- introduced: '13.0'
- tvOS:
- introduced: '13.0'
- type:
- presence: optional
- default: false
- content: If `true`, only include profiles that MDM has installed. For user enrollments,
- the device ignores this key and always limits the results to managed profiles.
- This value is available in iOS 13 and later, and tvOS 13 and later.
-responsekeys:
-- key: ProvisioningProfileList
- type:
- presence: required
- content: An array of dictionaries that describes each installed profile.
- subkeys:
- - key: ProvisioningProfileListItem
- type:
- content: A dictionary that describes a provisioning profile list item.
- subkeys:
- - key: Name
- type:
- presence: required
- content: The display name of the provisioning profile.
- - key: UUID
- type:
- presence: required
- content: The unique identifier for the provisioning profile.
- - key: ExpiryDate
- type:
- presence: optional
- content: The expiry date of the provisioning profile.
-notes:
-- title: ''
- content: Refer to the following sections to determine supported channels and requirements,
- and to see an example request and response.
diff --git a/mdm/commands/profile.provisioning.remove.yaml b/mdm/commands/profile.provisioning.remove.yaml
deleted file mode 100644
index 75fff51..0000000
--- a/mdm/commands/profile.provisioning.remove.yaml
+++ /dev/null
@@ -1,55 +0,0 @@
-title: Remove Provisioning Profile Command
-description: Remove a previously installed provisioning profile from a device.
-payload:
- requesttype: RemoveProvisioningProfile
- supportedOS:
- iOS:
- introduced: '4.0'
- accessrights: AllowProvisioningInstallationRemoval
- supervised: false
- requiresdep: false
- sharedipad:
- mode: allowed
- devicechannel: true
- userchannel: false
- userenrollment:
- mode: allowed
- macOS:
- introduced: '11.0'
- accessrights: None
- devicechannel: true
- userchannel: false
- supervised: false
- requiresdep: false
- userenrollment:
- mode: allowed
- tvOS:
- introduced: '10.2'
- accessrights: AllowProvisioningInstallationRemoval
- supervised: false
- visionOS:
- introduced: '1.1'
- accessrights: AllowProvisioningInstallationRemoval
- supervised: false
- requiresdep: false
- userenrollment:
- mode: allowed
- watchOS:
- introduced: '10.0'
- accessrights: AllowProvisioningInstallationRemoval
- supervised: false
- content: This command allows the server to remove a provisioning profile. This command
- requires the Provisioning Profile Installation and Removal right. On macOS, this
- command is for iOS and iPadOS style provisioning profiles only.
-payloadkeys:
-- key: UUID
- type:
- presence: required
- content: The unique identifier of the provisioning profile to remove.
-notes:
-- title: ''
- content: |-
- Refer to the following sections to determine supported channels and requirements, and to see an example request and response.
-
- > Note:
- > Don't remove a provisioning profile to revoke access to an enterprise app. An app continues to be usable until the device restarts, even with no provisioning profile. Provisioning profiles also synchronize with iTunes and the system reinstalls them when users sync devices. For more information on removing apps, see `Remove-Application-Command`.
diff --git a/mdm/commands/profile.remove.yaml b/mdm/commands/profile.remove.yaml
deleted file mode 100644
index 69b167b..0000000
--- a/mdm/commands/profile.remove.yaml
+++ /dev/null
@@ -1,51 +0,0 @@
-title: Remove Profile Command
-description: Remove a previously installed profile from the device.
-payload:
- requesttype: RemoveProfile
- supportedOS:
- iOS:
- introduced: '4.0'
- accessrights: AllowInstallationRemoval
- supervised: false
- requiresdep: false
- sharedipad:
- mode: allowed
- devicechannel: true
- userchannel: true
- userenrollment:
- mode: allowed
- macOS:
- introduced: '10.7'
- accessrights: AllowInstallationRemoval
- devicechannel: true
- userchannel: true
- supervised: false
- requiresdep: false
- userenrollment:
- mode: allowed
- tvOS:
- introduced: '9.0'
- accessrights: AllowInstallationRemoval
- supervised: false
- visionOS:
- introduced: '1.1'
- accessrights: AllowInstallationRemoval
- supervised: false
- requiresdep: false
- userenrollment:
- mode: allowed
- watchOS:
- introduced: '10.0'
- accessrights: AllowInstallationRemoval
- supervised: false
- content: This command allows the server to remove a profile. This command requires
- the Profile Installation and Removal Right. It's supported in the user channel.
-payloadkeys:
-- key: Identifier
- type:
- presence: required
- content: The identifier of the profile to remove.
-notes:
-- title: ''
- content: Refer to the following sections to determine supported channels and requirements,
- and to see an example request and response.
diff --git a/mdm/commands/remotedesktop.disable.yaml b/mdm/commands/remotedesktop.disable.yaml
deleted file mode 100644
index d36ae8c..0000000
--- a/mdm/commands/remotedesktop.disable.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: Disable Remote Desktop Command
-description: Disable Remote Desktop on a device.
-payload:
- requesttype: DisableRemoteDesktop
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- introduced: 10.14.4
- devicechannel: true
- userchannel: false
- supervised: true
- requiresdep: false
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- content: Disable Remote Desktop.
-notes:
-- title: ''
- content: |-
- This command disables Remote Desktop on the device, and prevents any further remote event processing. It removes any `PostEvent` Transparency Consent and Control (TCC) ability, unless the device already has an installed TCC configuration profile with that ability enabled.
-
- Refer to the following sections to determine supported channels and requirements, and to see an example request and response.
diff --git a/mdm/commands/remotedesktop.enable.yaml b/mdm/commands/remotedesktop.enable.yaml
deleted file mode 100644
index 04760f1..0000000
--- a/mdm/commands/remotedesktop.enable.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Enable Remote Desktop Command
-description: Enable Remote Desktop on a device.
-payload:
- requesttype: EnableRemoteDesktop
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- introduced: 10.14.4
- devicechannel: true
- userchannel: false
- supervised: true
- requiresdep: false
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- content: Enable Remote Desktop.
-notes:
-- title: ''
- content: |-
- This command enables the following capabilities on the device:
-
- - Remote Desktop with the All Users access
- - The ability to receive remote events
- - The Observe, Control, and Show being Observed options
-
- All other options remain unchanged.
-
- Refer to the following sections to determine supported channels and requirements, and to see an example request and response.
diff --git a/mdm/commands/rotate.file.vault.key.yaml b/mdm/commands/rotate.file.vault.key.yaml
deleted file mode 100644
index 7f0e38e..0000000
--- a/mdm/commands/rotate.file.vault.key.yaml
+++ /dev/null
@@ -1,94 +0,0 @@
-title: Rotate FileVault Key Command
-description: Change the FileVault primary password on a device.
-payload:
- requesttype: RotateFileVaultKey
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- introduced: '10.9'
- accessrights: DeviceLockAndRemovePasscode
- devicechannel: true
- userchannel: false
- supervised: false
- requiresdep: false
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- content: This command allows for changing a device's FileVaultMaster password.
-payloadkeys:
-- key: KeyType
- type:
- presence: required
- rangelist:
- - personal
- - institutional
- content: The type of FileVault key you want to change the password for. Set this
- value to `personal` and set a value for `Password` in the `FileVaultUnlock` dictionary
- to enable unlocking a device with a password. Set this value to `institutional`
- and set values for `PrivateKeyExport` and `PrivateKeyExportPassword` in the `FileVaultUnlock`
- dictionary.
-- key: FileVaultUnlock
- type:
- presence: required
- content: A dictionary that contains FileVault unlock options.
- subkeys:
- - key: Password
- title: Password
- type:
- presence: optional
- content: A FileVault user's password, or if using a CoreStorage volume, the personal
- recovery key.
- - key: PrivateKeyExport
- title: PrivateKeyExport
- supportedOS:
- macOS:
- deprecated: '10.15'
- type:
- presence: optional
- content: The data for a .p12 export of the private key for the current institutional
- recovery key, which requires that `KeyType` is `institutional`. The system ignores
- this key on APFS volumes.
- - key: PrivateKeyExportPassword
- title: PrivateKeyExportPassword
- supportedOS:
- macOS:
- deprecated: '10.15'
- type:
- presence: optional
- content: The password for `PrivateKeyExport`. Either `Password` or both `PrivateKeyExport`
- and `PrivateKeyExportPassword` must be present. The system ignores this key
- on APFS volumes.
-- key: NewCertificate
- type:
- presence: optional
- content: A DER-encoded certificate for creating a new institutional recovery key,
- which the system requires if `KeyType` is `institutional`.
-- key: ReplyEncryptionCertificate
- type:
- presence: optional
- content: A DER-encoded certificate for encrypting the new personal recovery key
- in a wrapper conforming to the IETF Cryptographic Message Syntax (CMS) standard.
-responsekeys:
-- key: RotateResult
- type:
- presence: optional
- content: The result of rotating the personal recovery key.
- subkeytype: RotateResultItem
- subkeys:
- - key: EncryptedNewRecoveryKey
- type:
- presence: optional
- content: A new personal recovery key that is encrypted using a `ReplyEncryptionCertificate`
- as a CMS-compliant envelope.
-notes:
-- title: ''
- content: |-
- Change the FileVault password periodically to mitigate the security risk of deployed devices.
-
- Refer to the following sections to determine supported channels and requirements, and to see an example request and response.
diff --git a/mdm/commands/set.auto.admin.password.yaml b/mdm/commands/set.auto.admin.password.yaml
deleted file mode 100644
index e77ba92..0000000
--- a/mdm/commands/set.auto.admin.password.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-title: Set Auto Admin Password Command
-description: Update the local administrator account password.
-payload:
- requesttype: SetAutoAdminPassword
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- introduced: '10.11'
- accessrights: None
- devicechannel: true
- userchannel: false
- supervised: false
- requiresdep: true
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- content: Allows changing the password of a local admin account that was created
- by Setup Assistant during DEP enrollment via the AccountConfiguration command.
-payloadkeys:
-- key: GUID
- type:
- presence: required
- content: The unique identifier of the local administrator account. If this value
- doesn't match the GUID of an administrator account that MDM created during Device
- Enrollment Program (DEP) enrollment, the command returns an error.
-- key: passwordHash
- type:
- presence: required
- content: |-
- The precreated salted SHA-512 PBKDF2 password hash for the account.
-
- Create this hash on the server using the CommonCrypto libraries, or equivalent, as a salted SHA-512 PBKDF2 dictionary that contains these elements:
-
- - `entropy`: The derived key from the password hash; for example, from `CCKeyDerivationPBKDF()`
- - `salt`: The 32-byte randomized salt; for example, from `CCRandomCopyBytes()`
- - `iterations:` The number of iterations; for example, from `CCCalibratePBKDF()` using a minimum hash time of 100 milliseconds, or if unknown, a number in the range of 20,000 to 40,000 iterations
-
- Place the dictionary that contains these elements into an outer dictionary with the key `SALTED-SHA512-PBKDF2`. Convert this dictionary to binary data before setting it as the value for `passwordHash`.
-notes:
-- title: ''
- content: Refer to the following sections to determine supported channels and requirements,
- and to see an example request and response.
diff --git a/mdm/commands/settings.yaml b/mdm/commands/settings.yaml
deleted file mode 100644
index 36eae47..0000000
--- a/mdm/commands/settings.yaml
+++ /dev/null
@@ -1,1345 +0,0 @@ -title: Settings Command -description: Configure settings on a device. -payload: - requesttype: Settings - supportedOS: - iOS: - introduced: '5.0' - accessrights: AllowSettings - supervised: false - requiresdep: false - sharedipad: - mode: allowed - devicechannel: true - userchannel: true - userenrollment: - mode: allowed - macOS: - introduced: '10.9' - accessrights: AllowSettings - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userenrollment: - mode: allowed - tvOS: - introduced: '9.0' - accessrights: AllowSettings - supervised: false - visionOS: - introduced: '1.1' - accessrights: AllowSettings - supervised: false - requiresdep: false - userenrollment: - mode: allowed - watchOS: - introduced: '10.0' - accessrights: AllowSettings - supervised: false - content: This command allows the server to set settings on the device. These settings - take effect on a one-time basis. The user may still be able to change the settings - at a later time. This command requires the ApplySettings right. -payloadkeys: -- key: Settings - type: - presence: required - content: An array of dictionaries that contains the settings. - subkeys: - - key: Wallpaper - supportedOS: - iOS: - introduced: '8.0' - supervised: true - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: A dictionary that contains wallpaper settings. This setting doesn't support - user enrollment. Available in iOS 8 and later. Starting in iOS 16 and iPadOS - 17, when setting the wallpaper for the first time, both locations update. After - that, you can set either location separately. - subkeys: - - key: Item - type: - presence: required - rangelist: - - Wallpaper - content: A string that identifies this setting. 
- - key: Image - type: - presence: required - content: A Base64-encoded image in either PNG or JPG format to use for wallpaper. - - key: Where - type: - presence: required - rangelist: - - 1 - - 2 - - 3 - content: |- - A number that indicates where to use the wallpaper, which is one of the following values: - - - `1`: Lock Screen - - `2`: Home Screen - - `3`: Both Lock and Home Screens. - - In iOS 16 and later, and iPadOS 17 and later, when you set the wallpaper for the first time, the system sets both the Lock Screen and Home Screen. After that, you can separately set each location. - - key: DataRoaming - supportedOS: - iOS: - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: A dictionary that contains data roaming settings. This setting requires - the Network Information access right, and doesn't support user enrollment. Available - in iOS 5 and later. - subkeys: - - key: Item - type: - presence: required - rangelist: - - DataRoaming - content: A string that identifies this setting. - - key: Enabled - type: - presence: required - content: If `true`, enable data roaming, which also enables voice roaming. If - `false`, disable data roaming. - - key: VoiceRoaming - supportedOS: - iOS: - deprecated: '16.0' - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: A dictionary that contains voice roaming settings. This setting requires - the Network Information access right, and doesn't support user enrollment. Available - in iOS 5 and later. 
- subkeys: - - key: Item - type: - presence: required - rangelist: - - VoiceRoaming - content: A string that identifies this setting. - - key: Enabled - type: - presence: required - content: If `true`, enable voice roaming. If `false`, disable voice roaming, - which also disables data roaming. The setting is only available for certain - carriers. - - key: PersonalHotspot - supportedOS: - iOS: - accessrights: AllowQueryNetworkInformation - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: A dictionary that contains Personal Hotspot settings. This setting requires - the Network Information access right, and doesn't support user enrollment. Available - in iOS 5 and later. - subkeys: - - key: Item - type: - presence: required - rangelist: - - PersonalHotspot - content: A string that identifies this setting. - - key: Enabled - type: - presence: required - content: If `true`, enable Personal Hotspot. If `false`, disable Personal Hotspot. - - key: Bluetooth - supportedOS: - iOS: - introduced: '11.3' - supervised: true - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: forbidden - macOS: - introduced: 10.13.4 - userchannel: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: A dictionary that contains Bluetooth settings. This setting requires - the Network Information access right, doesn't support user enrollment, and is - available only on supervised devices. Available in iOS 11.3 and later, and macOS - 10.13.4 and later. - subkeys: - - key: Item - type: - presence: required - rangelist: - - Bluetooth - content: A string that identifies this setting. 
- - key: Enabled - type: - presence: required - content: If `true`, enable the Bluetooth setting. If `false`, disable the Bluetooth - setting. - - key: ApplicationConfiguration - supportedOS: - iOS: - introduced: '7.0' - accessrights: AllowAppInstallation - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - macOS: - introduced: '10.15' - accessrights: AllowAppInstallation - userchannel: false - tvOS: - introduced: '10.2' - accessrights: AllowAppInstallation - visionOS: - accessrights: AllowAppInstallation - watchOS: - accessrights: AllowAppInstallation - type: - presence: optional - content: A dictionary that contains the configurations to apply to the app. Omit - this setting to remove existing configurations. This setting requires the App - Management access right, supports user enrollment, and is available in iOS 7 - and later, macOS 10.15 and later, and tvOS 10.2 and later. This setting fails - for apps that Declarative Device Management manages. - subkeys: - - key: Item - type: - presence: required - rangelist: - - ApplicationConfiguration - content: A string that identifies this setting. - - key: Identifier - type: - presence: required - content: |- - The bundle identifier of the managed app. - - > Important: - > For a watchOS app, the identifier needs to be the watch's bundle identifier, which differs from the main bundle identifier for the iPhone to which the watch is paired. Obtain the watch's bundle identifier for an app with a watch bundle, in the `watchBundleId` key that's part of the Content Metadata query. For more information on this query, see `Getting App and Book Information`. - - key: Configuration - type: - presence: optional - content: A dictionary that contains the configurations to apply to the app. - Omit this setting to remove existing configurations. - subkeys: - - key: ANY - type: - presence: optional - content: A dictionary that contains configurations. 
- - key: ApplicationAttributes - supportedOS: - iOS: - introduced: '7.0' - accessrights: AllowAppInstallation - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - macOS: - introduced: n/a - tvOS: - introduced: '10.2' - accessrights: AllowAppInstallation - visionOS: - accessrights: AllowAppInstallation - watchOS: - accessrights: AllowAppInstallation - type: - presence: optional - content: A dictionary that contains the attributes to apply to the app. Omit this - setting to remove existing attributes. This setting supports user enrollment, - is available in iOS 7 and later, and tvOS 10.2 and later. This setting fails - for apps that Declarative Device Management manages. - subkeys: - - key: Item - type: - presence: required - rangelist: - - ApplicationAttributes - content: A string that identifies this setting. - - key: Identifier - type: - presence: required - content: |- - The bundle identifier of the app. - - > Important: - > For a watchOS app, the identifier needs to be the watch's bundle identifier, which differs from the main bundle identifier for the iPhone to which the watch is paired. Obtain the watch's bundle identifier for an app with a watch bundle, in the `watchBundleId` key that's part of the Content Metadata query. For more information on this query, see `Getting App and Book Information`. - - key: Attributes - type: - presence: optional - content: A dictionary that contains the attributes to apply to the app. Omit - this setting to remove existing attributes. This setting is available in iOS - 7 and later, and tvOS 10.2 and later. - subkeys: - - key: VPNUUID - supportedOS: - tvOS: - introduced: n/a - type: - presence: optional - content: A per-app VPN unique identifier for this app. Available in iOS 7 - and later. - - key: ContentFilterUUID - supportedOS: - iOS: - introduced: '16.0' - tvOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The content filter UUID for this app. 
Available in iOS 16 and later. - - key: DNSProxyUUID - supportedOS: - iOS: - introduced: '16.0' - tvOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The DNS proxy UUID for this app. Available in iOS 16 and later. - - key: RelayUUID - supportedOS: - iOS: - introduced: '17.0' - tvOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The relay UUID for this app. Available in iOS 17 and later. - - key: AssociatedDomains - supportedOS: - iOS: - introduced: '13.0' - tvOS: - introduced: n/a - type: - presence: optional - content: An array that contains the associated domains to add to this app. - Available in iOS 13 and later. - subkeys: - - key: AssociatedDomain - type: - - key: AssociatedDomainsEnableDirectDownloads - supportedOS: - iOS: - introduced: '14.0' - tvOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, perform claimed site association verification directly - at the domain, instead of on Apple's servers. Only set this to `true` for - domains that can't access the internet. Available in iOS 14 and later. - - key: Removable - supportedOS: - iOS: - introduced: '14.0' - tvOS: - introduced: '14.0' - type: - presence: optional - default: true - content: If `false`, this app isn't removable while it's managed. Available - in iOS 14 and later, and tvOS 14 and later. - - key: TapToPayScreenLock - supportedOS: - iOS: - introduced: '16.4' - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: |- - If true, the system require Tap to Pay on iPhone users to use Face ID or a passcode to unlock their device after every transaction that requires a customer's card PIN. If `false`, the user can configure this setting on their device. - - Available in iOS 16.4 and later. 
- - key: CellularSliceUUID - supportedOS: - iOS: - introduced: '17.0' - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: |- - The data network name (DNN) or app category. For DNN, the value is `DNN:name`, where `name` is the carrier-provided DNN name. For app category, the value is `AppCategory:category`, where `category` is a carrier-provided string like "Enterprise1"`.` - - Available in iOS 17 and later. - - key: Hideable - supportedOS: - iOS: - introduced: '18.1' - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system prevents the user from hiding the app. It - doesn't affect the user's ability to leave it in the App Library, while - removing it from the Home Screen. - - key: Lockable - supportedOS: - iOS: - introduced: '18.1' - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system prevents the user from locking the app. This - also prevents the user from hiding the app. - - key: DeviceName - supportedOS: - iOS: - supervised: true - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: forbidden - macOS: - introduced: '10.10' - userchannel: false - userenrollment: - mode: forbidden - visionOS: - introduced: '2.0' - supervised: true - userenrollment: - mode: forbidden - watchOS: - introduced: n/a - type: - presence: optional - content: A dictionary that contains device name settings. This setting doesn't - support user enrollment, and is available only on supervised devices. Available - in iOS 5 and later, macOS 10.10 and later, and visionOS 2 and later. - subkeys: - - key: Item - type: - presence: required - rangelist: - - DeviceName - content: A string that identifies this setting. 
- - key: DeviceName - type: - presence: required - content: The device's name. - - key: HostName - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.11' - userchannel: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: A dictionary that contains hostname settings. This setting doesn't support - user enrollment, and is available in macOS 10.11 and later. - subkeys: - - key: Item - type: - presence: required - rangelist: - - HostName - content: The string that defines this setting type. - - key: HostName - type: - presence: required - content: The hostname for the device. - - key: OrganizationInfo - supportedOS: - iOS: - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - macOS: - introduced: '10.9' - userchannel: false - type: - presence: optional - content: A dictionary that contains settings about the organization operating - the MDM server. This setting supports user enrollment. Available in iOS 5 and - later. - subkeys: - - key: Item - type: - presence: required - rangelist: - - OrganizationInfo - content: The string that defines this setting type. - - key: OrganizationInfo - type: - presence: optional - content: A dictionary that contains information about the organization operating - the MDM server. Omit this setting to remove existing information. - subkeys: - - key: OrganizationName - type: - presence: required - content: A string that describes the organization operating the MDM server - for display to the user during certain operations, such as purchasing or - installing apps. 
- - key: OrganizationShortName - supportedOS: - iOS: - introduced: '13.0' - macOS: - introduced: '10.15' - tvOS: - introduced: '13.0' - type: - presence: optional - content: A shorter version of `OrganizationName`, preferably a single word - or abbreviation, suitable for display to the user in places where a very - short name is necessary. - - key: OrganizationAddress - type: - presence: optional - content: The organization's address. Use the LF character (` `) to insert - line breaks. - - key: OrganizationPhone - type: - presence: optional - content: The organization's phone number. - - key: OrganizationEmail - type: - presence: optional - content: The organization's support email address. - - key: OrganizationMagic - type: - presence: optional - content: A unique identifier for the various services a single organization - manages. - - key: DefaultApplications - supportedOS: - iOS: - introduced: '18.2' - sharedipad: - mode: forbidden - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: '2.2' - userenrollment: - mode: forbidden - watchOS: - introduced: n/a - type: - presence: optional - content: A dictionary that contains default application bundle identifiers for - each default application type that can be set. - subkeys: - - key: WebBrowser - type: - presence: optional - content: The bundle identifier of the app the system sets as the default web - browser. This app must be an eligible web browser for the region of the device. - - key: Calling - supportedOS: - iOS: - introduced: '26.0' - sharedipad: - mode: forbidden - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The bundle identifier of the app that the system sets as the default - calling app. This app must be an eligible calling app. 
- - key: Messaging
- supportedOS:
- iOS:
- introduced: '26.0'
- sharedipad:
- mode: forbidden
- userenrollment:
- mode: forbidden
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- content: The bundle identifier of the app that the system sets as the default
- messaging app. This app must be an eligible messaging app.
- - key: MDMOptions
- supportedOS:
- iOS:
- introduced: '7.0'
- sharedipad:
- mode: allowed
- devicechannel: true
- userchannel: false
- macOS:
- introduced: '10.15'
- userchannel: false
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: '2.0'
- watchOS:
- introduced: n/a
- type:
- presence: optional
- content: A dictionary that contains settings related to the MDM protocol. This
- setting doesn't support user enrollment. Available in iOS 7 and later, macOS
- 10.15 and later, and visionOS 2 and later.
- subkeys:
- - key: Item
- type:
- presence: required
- rangelist:
- - MDMOptions
- content: The string that defines this setting type.
- - key: MDMOptions
- type:
- presence: required
- content: A dictionary of MDM options.
- subkeys:
- - key: ActivationLockAllowedWhileSupervised
- type:
- presence: optional
- default: false
- content: If `true`, a supervised device registers itself with Activation Lock
- when the user enables Find My. This setting is available for supervised
- devices in iOS 7 and later, and macOS 10.15 and later.
- - key: BootstrapTokenAllowed
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- introduced: '10.15'
- deprecated: '11.0'
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: false
- content: If `true`, the server supports the Bootstrap Token commands.
- - key: PromptUserToAllowBootstrapTokenForAuthentication
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- introduced: '11.0'
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: false
- content: If `true`, warn the user that they need to reboot into RecoveryOS
- and allow the MDM server to use the Bootstrap Token for authentication for
- certain sensitive operations; for example, enabling kernel extensions or
- installing certain types of software updates. Set this value to `false`
- if your MDM server doesn't need to perform these operations. The value provided
- here overrides the value specified in MDM, and only applies when `BootstrapTokenAllowedForAuthentication`
- is `true` in the `SecurityInfo` response. This value is available for a
- Mac with Apple silicon in macOS 11 and later.
- - key: IdleRebootAllowed
- supportedOS:
- iOS:
- introduced: '18.4'
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: false
- content: If `true`, the device automatically reboots while locked after several
- days of inactivity. This is set to `false` by default when a supervised
- device enrolls.
- - key: MaximumResidentUsers
- supportedOS:
- iOS:
- introduced: '9.3'
- deprecated: '13.4'
- sharedipad:
- mode: required
- devicechannel: true
- userchannel: false
- userenrollment:
- mode: forbidden
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- content: A dictionary that contains settings for maximum resident users. Apple
- deprecated this setting in iOS 13.4. Use 'SharedDeviceConfiguration` instead.
- This setting is available only for Shared iPad.
- subkeys:
- - key: Item
- type:
- presence: required
- rangelist:
- - MaximumResidentUsers
- content: A string that identifies this setting.
- - key: MaximumResidentUsers
- type:
- presence: required
- content: |-
- The maximum number of users that can use the device. If this value is greater than the value for the maximum possible number of users that the device supports, the MDM server uses that value instead.
-
- This setting requires that the device is in the `AwaitingConfiguration` phase before it receives the `DeviceConfiguredCommand` message.
-
- When a device reaches the maximum number of resident users and a new user tries to sign in, the MDM server removes a synchronized user to make space for the new user. If there are no synchronized users, the new user sign-in fails. A synchronized user is a user that has completed syncing their data.
- - key: SharedDeviceConfiguration
- supportedOS:
- iOS:
- introduced: '13.4'
- sharedipad:
- mode: required
- devicechannel: true
- userchannel: false
- userenrollment:
- mode: forbidden
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- content: A dictionary that contains shared device configuration settings. This
- setting is available only for Shared iPad in iOS 13.4 and later.
- subkeys:
- - key: Item
- supportedOS:
- visionOS:
- introduced: '26.0'
- supervised: true
- type:
- presence: required
- rangelist:
- - SharedDeviceConfiguration
- content: A string that identifies this setting.
- - key: QuotaSize
- type:
- presence: optional
- content: The quota size, in megabytes (MB), for each user on the shared device,
- or if the quota size is too small, the minimum quota size. Available to Temporary
- Sessions Only guest users on iOS 17+.
- - key: ResidentUsers
- type:
- presence: optional
- content: The expected number of users. If this value is greater than the value
- for the maximum possible number of users that the device supports, the MDM
- server uses that value instead.
- - key: UserSessionTimeout
- supportedOS:
- iOS:
- introduced: '14.5'
- type:
- presence: optional
- content: |-
- The timeout, in seconds, for the user session. The user session logs out automatically after the specified period of inactivity. The minimum value is 30 seconds. Setting this value to `0` removes the timeout.
-
- Available in iOS 14.5 and later.
- - key: TemporarySessionTimeout
- supportedOS:
- iOS:
- introduced: '14.5'
- visionOS:
- introduced: '26.0'
- supervised: true
- type:
- presence: optional
- content: |-
- The timeout, in seconds, for the temporary session. The temporary session logs out automatically after the specified period of inactivity. The minimum value is 30 seconds. Setting this value to `0` removes the timeout.
-
- Available in iOS 14.5 and later.
- - key: TemporarySessionOnly
- supportedOS:
- iOS:
- introduced: '14.5'
- type:
- presence: optional
- default: false
- content: |-
- If `true`, the user only sees the Guest Welcome pane and can only log in as a guest user.
-
- If `false`, the user can sign in with a Managed Apple Account (the existing behavior).
-
- Available in iOS 14.5 and later.
- - key: ManagedAppleIDDefaultDomains
- supportedOS:
- iOS:
- introduced: '16.0'
- type:
- presence: optional
- content: |-
- A list of domains that the Shared iPad login screen displays. The user can pick a domain from the list to complete their Managed Apple Account.
-
- If this list contains more than 3 domains, the system picks 3 at random for display. Available in iOS 16 and later.
- subkeys:
- - key: AppleID domain
- type:
- - key: OnlineAuthenticationGracePeriod
- supportedOS:
- iOS:
- introduced: '16.0'
- type:
- presence: optional
- content: |-
- A grace period (in days) for Shared iPad online authentication. The Shared iPad only verifies the user's passcode locally during login for users that already exist on the device.
However, the system requires an online authentication (against Apple's identity server) after the number of days specified by this setting.
-
- Setting this value to 0 enforces online authentication every time.
-
- Available in iOS 16 and later.
- - key: SkipLanguageAndLocaleSetupForNewUsers
- supportedOS:
- iOS:
- introduced: '16.2'
- type:
- presence: optional
- default: false
- content: |-
- If `true`, the system picks the system language and locale automatically for the new Shared iPad user.
-
- Available in iOS 16.2 and later.
- - key: AwaitUserConfiguration
- supportedOS:
- iOS:
- introduced: '17.0'
- type:
- presence: optional
- content: |-
- If enabled, the Shared iPad device enters Setup Assistant after the user triggers a login. The MDM server has a chance to configure the device and user. After configuration, the server needs to send a `User-Configured-Command` command to the user channel to unblock the login. This feature requires the device to have network access during the login process.
-
- Available in iOS 17 and later.
- subkeys:
- - key: Enabled
- type:
- presence: required
- content: If `true`, the device stops at the Setup Assistant pane after user
- login. The user can't use the device until it receives a `User-Configured-Command`
- command.
- - key: PasscodePolicy
- supportedOS:
- iOS:
- introduced: '17.0'
- type:
- presence: optional
- content: A dictionary that contains passcode policies.
- subkeys:
- - key: PasscodeLockGracePeriod
- type:
- presence: optional
- rangelist:
- - 0
- - 60
- - 300
- - 900
- - 3600
- - 14400
- content: |-
- The number of seconds before a locked screen requires the user to enter the device passcode to unlock it. The minimum value is `0` seconds and the maximum value is `14400` seconds.
-
- If a device has a passcode, a change to a larger value doesn't take effect until the user logs out or removes the passcode. For this reason, it's better to set this value before the user sets a passcode.
-
- If the value is less than one of the known values, the device uses the next lowest value. For example a value of 299 results in an effective setting of 60.
-
- This setting won't take effect if `TemporarySessionOnly` is `true` because there's no passcode for a temporary session.
- - key: AutoLockTime
- type:
- presence: optional
- content: The number of seconds before a device goes to sleep after being idle.
- The minimum value for this setting is `120` seconds.
- - key: DiagnosticSubmission
- supportedOS:
- iOS:
- introduced: '9.3'
- sharedipad:
- mode: required
- devicechannel: true
- userchannel: false
- userenrollment:
- mode: forbidden
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- content: A dictionary that contains diagnostic submission settings. This setting
- is available only for Shared iPad in iOS 9.3 and later.
- subkeys:
- - key: Item
- type:
- presence: required
- rangelist:
- - DiagnosticSubmission
- content: The string that defines this setting type.
- - key: Enabled
- type:
- presence: required
- content: If `true`, enables diagnostic submission. If `false`, disables diagnostic
- submission.
- - key: AppAnalytics
- supportedOS:
- iOS:
- introduced: 9.3.2
- sharedipad:
- mode: required
- devicechannel: true
- userchannel: false
- userenrollment:
- mode: forbidden
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- content: A dictionary that contains settings for sharing app analytics. This setting
- is available only for Shared iPad in iOS 9.3.2 and later.
- subkeys:
- - key: Item
- type:
- presence: required
- rangelist:
- - AppAnalytics
- content: A string that identifies this setting.
- - key: Enabled
- type:
- presence: required
- content: If `true`, enable sharing app analytics with app developers. If `false`,
- disable sharing app analytics.
- - key: PasscodeLockGracePeriod
- supportedOS:
- iOS:
- introduced: 9.3.2
- deprecated: '17.0'
- sharedipad:
- mode: required
- devicechannel: true
- userchannel: false
- userenrollment:
- mode: forbidden
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- content: |-
- A dictionary that contains password lock grace period settings. This setting is available only for Shared iPad in iOS 9.3.2 and later.
- This key is deprecated. Use 'PasscodeLockGracePeriod' in SettingsCommand.Command.Settings.SharedDeviceConfiguration.PasscodePolicy instead.
- subkeys:
- - key: Item
- type:
- presence: required
- rangelist:
- - PasscodeLockGracePeriod
- content: A string that identifies this setting.
- - key: PasscodeLockGracePeriod
- type:
- presence: required
- rangelist:
- - 0
- - 60
- - 300
- - 900
- - 3600
- - 14400
- content: |-
- The number of seconds before a locked screen requires the user to enter the device passcode to unlock it. The minimum value is `0` seconds and the maximum value is `14400` seconds.
-
- If a device has a passcode, a change to a larger value doesn't take effect until the user logs out or removes the passcode. For this reason, it's better to set this value before the user sets a passcode.
-
- If the value is less than one of the known values, the device uses the next lowest value. For example a value of 299 results in an effective setting of 60.
-
- This setting won't take effect if `TemporarySessionOnly` is `true` because there's no passcode for a temporary session.
- - key: TimeZone
- supportedOS:
- iOS:
- introduced: '14.0'
- supervised: true
- sharedipad:
- mode: allowed
- devicechannel: true
- userchannel: false
- userenrollment:
- mode: forbidden
- macOS:
- introduced: n/a
- tvOS:
- introduced: '14.0'
- supervised: true
- visionOS:
- introduced: '2.0'
- supervised: true
- userenrollment:
- mode: forbidden
- watchOS:
- introduced: n/a
- type:
- presence: optional
- content: A dictionary that contains time zone settings. This setting is available
- only on supervised devices and doesn't support user enrollment. Available in
- iOS 14 and later, tvOS 14 and later, and visionOS 2 and later.
- subkeys:
- - key: Item
- type:
- presence: required
- rangelist:
- - TimeZone
- content: A string that identifies this setting.
- - key: TimeZone
- type:
- presence: required
- content: |-
- The Internet Assigned Numbers Authority (IANA) time zone database name.
-
- If the `forceAutomaticDateAndTime` restriction is set in `Restrictions`, this setting fails with an error. Otherwise, setting this value disables automatic time zone logic. The user is still be able to change the time zone; for example, by turning automatic date and time back on. The intention is to allow setting the time zone when automatic determination isn't be available, such as when Location Services are off.
- - key: SoftwareUpdateSettings
- supportedOS:
- iOS:
- introduced: '14.5'
- deprecated: '26.0'
- supervised: true
- sharedipad:
- mode: allowed
- devicechannel: true
- userchannel: false
- userenrollment:
- mode: forbidden
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- content: A dictionary that contains software update settings. This setting doesn't
- support user enrollment. Available in iOS 14.5 and later.
- subkeys:
- - key: Item
- type:
- presence: required
- rangelist:
- - SoftwareUpdateSettings
- content: A string that represents the type of updates that should appear in
- the Software Update pane in Settings. Supervised only.
- - key: RecommendationCadence
- type:
- presence: required
- rangelist:
- - 0
- - 1
- - 2
- content: |-
- This value defines how the system presents software updates to the user. When there's more than one available update for the user, the system behaves as follows:
-
- - `0`: Presents both options to the user.
- - `1`: Presents the lower numbered (oldest) software update version.
- - `2`: Presents only the highest numbered (most recent) release available for the device.
-
- This value has no effect when there's only one available update; the system shows the single available update to the user regardless of the value of this setting.
-
- Available in iOS 14.5 and later.
- - key: AccessibilitySettings
- supportedOS:
- iOS:
- introduced: '16.0'
- supervised: true
- sharedipad:
- mode: allowed
- devicechannel: false
- userenrollment:
- mode: forbidden
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- supervised: true
- type:
- presence: optional
- content: A dictionary that contains accessibility settings. Available in iOS 16
- and later.
- subkeys:
- - key: Item
- type:
- presence: required
- rangelist:
- - AccessibilitySettings
- content: Sets various accessibility settings. The system allows only keys with
- explicitly provided values.
- - key: BoldTextEnabled
- type:
- presence: optional
- default: false
- content: If `true`, the system enables bold text.
- - key: IncreaseContrastEnabled
- supportedOS:
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: false
- content: If `true`, the system enables increase contrast.
- - key: ReduceMotionEnabled
- type:
- presence: optional
- default: false
- content: If `true`, the system enables reduced motion.
- - key: ReduceTransparencyEnabled
- type:
- presence: optional
- default: false
- content: If `true`, the system enables reduced transparency.
- - key: TextSize
- type:
- presence: optional
- rangelist:
- - 0
- - 1
- - 2
- - 3
- - 4
- - 5
- - 6
- - 7
- - 8
- - 9
- - 10
- - 11
- default: 4
- content: The accessibility text size apps that support dynamic text use. `0`
- is the smallest value, and `11` is the largest available.
- - key: TouchAccommodationsEnabled
- type:
- presence: optional
- default: false
- content: If `true`, the system enables touch accommodations.
- - key: VoiceOverEnabled
- type:
- presence: optional
- default: false
- content: If `true`, the system enables voiceover.
- - key: ZoomEnabled
- type:
- presence: optional
- default: false
- content: If `true`, the system enables zoom.
- - key: GrayscaleEnabled
- supportedOS:
- iOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: false
- content: If `true`, the system enables grayscale display.
-responsekeys:
-- key: Settings
- type:
- presence: optional
- content: A dictionary that describes the results of configuring settings.
- subkeys:
- - key: Status
- type:
- presence: required
- content: |-
- The status of the setting, which is one of the following values:
-
- - `Acknowledged`: The device processed the command successfully.
- - `Error`: An error occurred. See the `ErrorChain` for more details.
- - key: ErrorChain
- type:
- presence: optional
- content: An array of dictionaries that describes any errors that occurred.
- subkeys:
- - key: ErrorChainItem
- type:
- content: A dictionary that describes an error chain item.
- subkeys:
- - key: ANY
- type:
- presence: required
- content: A dictionary that contains additional details about the error.
- - key: Identifier
- supportedOS:
- iOS:
- introduced: '7.0'
- macOS:
- introduced: n/a
- tvOS:
- introduced: '10.2'
- type:
- presence: optional
- content: |-
- The app identifier to which this error applies.
-
- > Note:
- > For a watchOS app, the identifier is the watch's bundle identifier, which differs from the main bundle identifier for the iPhone to which the watch is paired.
-notes:
-- title: ''
- content: |-
- Users may be able to change the settings later if a profile isn't set to restrict such changes.
-
- Refer to the following sections to determine supported channels and requirements, and to see an example request and response.
diff --git a/mdm/commands/system.update.available.yaml b/mdm/commands/system.update.available.yaml
deleted file mode 100644
index be0387d..0000000
--- a/mdm/commands/system.update.available.yaml
+++ /dev/null
@@ -1,253 +0,0 @@
-title: Available OS Updates Command
-description: Get a list of available operating-system updates for a device.
-payload:
- requesttype: AvailableOSUpdates
- supportedOS:
- iOS:
- introduced: '9.0'
- deprecated: '26.0'
- accessrights: AllowAppInstallation
- supervised: true
- requiresdep: false
- sharedipad:
- mode: allowed
- devicechannel: true
- userchannel: false
- userenrollment:
- mode: forbidden
- macOS:
- introduced: '10.11'
- deprecated: '26.0'
- accessrights: None
- devicechannel: true
- userchannel: false
- supervised: false
- requiresdep: false
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: '12.0'
- deprecated: '26.0'
- accessrights: AllowAppInstallation
- devicechannel: true
- supervised: true
- requiresdep: false
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- content: Queries the device for a list of available OS updates. On OS X, a ScheduleOSUpdateScan
- must be performed to update the results returned by this query.
-responsekeys:
-- key: AvailableOSUpdates
- type:
- presence: required
- content: |-
- An array of dictionaries that contains only the most recent available updates in iOS and tvOS, and possibly multiple available updates in macOS. Follow the instructions in the Managed Apps and Updates section of the Apple Software Lookup Service to find a complete catalog of iOS and tvOS updates.
-
- In macOS 14 and later, `AvailableOSUpdates` doesn't include InstallAssistant-based, full-replacement installers. It only contains over-the-air (OTA) updates. OTA updates can update or upgrade the OS and support all `InstallAction` options.
-
- If a Software Update is actively managed by a Declarative Device Management Specific Enforcement configuration, the device ignores this command as it applies to the actively managed update. This command can return information for unmanaged updates, such as System Applications and Configuration Data.
For information about available updates when using Declarative Device Management, see [Using the Apple Software Lookup Service](https://support.apple.com/guide/deployment/depafd2fad80/web).
- subkeys:
- - key: AvailableOSUpdatesItem
- type:
- presence: required
- content: The response dictionary that describes the available operating-system
- updates item.
- subkeys:
- - key: ProductKey
- type:
- presence: required
- content: The product key that represents the update.
- - key: HumanReadableName
- type:
- presence: required
- content: The human-readable name of the update in the current user's current
- locale.
- - key: HumanReadableNameLocale
- supportedOS:
- iOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- type:
- presence: required
- content: The locale, in IOS639-1 Alpha-2 code format, of the `HumanReadableName`
- value. This value is available in macOS 10.11 and later.
- - key: MetadataURL
- supportedOS:
- iOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- type:
- presence: required
- content: A URL where the MDM server can request additional localized names for
- this update. This key isn't present for certain updates, such as mobile software
- updates (MSUs) or major OS updates. This value is available in macOS 10.11
- and later.
- - key: ProductName
- supportedOS:
- macOS:
- introduced: n/a
- type:
- presence: required
- content: The product name; for example, _iOS_. This value is available in iOS
- 9.0 and later, and tvOS 12.0 and later.
- - key: Version
- type:
- presence: required
- content: The version of the update.
- - key: Build
- type:
- presence: required
- content: The build number of the update.
- - key: DownloadSize
- supportedOS:
- macOS:
- introduced: '10.12'
- type:
- presence: required
- content: The storage size necessary to download the software update. Prior to
- macOS 10.14, this only includes major operating-system updates. In macOS 10.14
- and later, this also includes minor updates.
- - key: InstallSize
- supportedOS:
- macOS:
- introduced: n/a
- type:
- presence: required
- content: The storage size necessary to install the update. This value is available
- in iOS 9.0 and later, and tvOS 12.0 and later.
- - key: AppIdentifiersToClose
- supportedOS:
- iOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- type:
- presence: required
- content: An array that contains app identifiers of apps to close so you can
- install the update. This value is available in macOS 10.11 and later.
- subkeys:
- - key: AppIdentifiersToCloseItem
- type:
- - key: IsCritical
- type:
- presence: optional
- default: false
- content: If `true`, this is a critical update.
- - key: IsConfigDataUpdate
- supportedOS:
- iOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- type:
- presence: optional
- default: false
- content: If `true`, this is an update to a configuration file. This value is
- available in macOS 10.11 and later.
- - key: IsFirmwareUpdate
- supportedOS:
- iOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- type:
- presence: optional
- default: false
- content: If `true`, this is an update to firmware. This value is available in
- macOS 10.11 and later.
- - key: IsMajorOSUpdate
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- introduced: 10.11.4
- tvOS:
- introduced: n/a
- type:
- presence: optional
- default: false
- content: If `true`, this is a major update; for example, 10.15.x to 11. This
- value is available in macOS 10.11 and later.
- - key: RestartRequired
- type:
- presence: optional
- default: false
- content: If `true`, the device restarts after installing the update.
- - key: AllowsInstallLater
- type:
- presence: optional
- default: false
- content: If `true`, download the software update and install it later.
- - key: DeferredUntil
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- introduced: 10.12.4
- tvOS:
- introduced: n/a
- type:
- presence: optional
- content: If present, the date when you want the update to install.
This value
- is available in macOS 10.12.4 and later.
- - key: RequiresBootstrapToken
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- introduced: '11.0'
- tvOS:
- introduced: n/a
- type:
- presence: optional
- default: false
- content: If `true`, the device can accept a Bootstrap Token from the MDM server
- instead of prompting for user authentication prior to installation. This only
- applies when `BootstrapTokenAllowedForAuthentication` is `true` in the `SecurityInfo`
- response. This value is available for a Mac with Apple silicon in macOS 11
- and later.
- - key: IsSecurityResponse
- supportedOS:
- iOS:
- introduced: '16.2'
- macOS:
- introduced: '13.1'
- tvOS:
- introduced: '16.2'
- type:
- presence: required
- content: If `true`, this update is a Background Security Improvement.
- - key: SupplementalBuildVersion
- supportedOS:
- iOS:
- introduced: '16.2'
- macOS:
- introduced: '13.1'
- tvOS:
- introduced: '16.2'
- type:
- presence: optional
- content: The build version for the Background Security Improvement update, for
- example, `13A999`, which is the same as `Build`.
- - key: SupplementalOSVersionExtra
- supportedOS:
- iOS:
- introduced: '16.2'
- macOS:
- introduced: '13.1'
- tvOS:
- introduced: '16.2'
- type:
- presence: optional
- content: The Background Security Improvement OS version suffix, for example,
- `(a)`. Only present if this is a Background Security Improvement update.
-notes:
-- title: ''
- content: |-
- A device must have a total of `DownloadSize` + `InstallSize` bytes available to successfully install a software update. In macOS, execute the `ScheduleOSUpdateScan` command to update the results that this command returns. In iOS and tvOS, the list only contains the latest available updates.
-
- Refer to the following sections to determine supported channels and requirements, and to see an example request and response.
diff --git a/mdm/commands/system.update.scan.yaml b/mdm/commands/system.update.scan.yaml
deleted file mode 100644
index 9d2a1ee..0000000
--- a/mdm/commands/system.update.scan.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-title: Schedule OS Update Scan Command
-description: Schedule a background scan for operating-system updates on a device.
-payload:
- requesttype: ScheduleOSUpdateScan
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- introduced: '10.11'
- deprecated: '26.0'
- accessrights: None
- devicechannel: true
- userchannel: false
- supervised: true
- requiresdep: false
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- content: Requests that the device perform a background scan for OS updates.
-payloadkeys:
-- key: Force
- type:
- presence: optional
- default: false
- content: If `true`, force a scan to start immediately. Otherwise, the scan starts
- at a system-determined time.
-responsekeys:
-- key: ScanInitiated
- type:
- presence: required
- content: If `true`, the scan started successfully.
-notes:
-- title: ''
- content: Refer to the following sections to determine supported channels and requirements,
- and to see an example request and response.
diff --git a/mdm/commands/system.update.schedule.yaml b/mdm/commands/system.update.schedule.yaml
deleted file mode 100644
index 1701da4..0000000
--- a/mdm/commands/system.update.schedule.yaml
+++ /dev/null
@@ -1,220 +0,0 @@ -title: Schedule OS Update Command -description: Schedule an update of the operating system on a device. -payload: - requesttype: ScheduleOSUpdate - supportedOS: - iOS: - introduced: '9.0' - deprecated: '26.0' - accessrights: AllowAppInstallation - supervised: true - requiresdep: false - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: forbidden - macOS: - introduced: '10.11' - deprecated: '26.0' - accessrights: None - devicechannel: true - userchannel: false - supervised: true - requiresdep: false - userenrollment: - mode: forbidden - tvOS: - introduced: '12.0' - deprecated: '26.0' - accessrights: AllowAppInstallation - devicechannel: true - supervised: true - requiresdep: false - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: This command allows the server to schedule an OS update. -payloadkeys: -- key: Updates - type: - presence: required - content: |- - An array of dictionaries specifying the updates to download or install. If this value is missing, the device applies the default behavior for handling updates. - The device ignores this command and an informational error is returned, if a software update is managed by a Declarative Device Management `SoftwareUpdateEnforcementSpecific` configuration, as the configuration takes precedence. - subkeys: - - key: UpdatesItem - type: - presence: required - content: A dictionary that describes the available operating-system updates item. - subkeys: - - key: ProductKey - type: - presence: optional - content: The product key that represents the update. - - key: ProductVersion - supportedOS: - iOS: - introduced: '11.3' - macOS: - introduced: '12.0' - tvOS: - introduced: '12.2' - type: - presence: optional - content: |- - The version of the update, which the system requires if `ProductKey` isn't present. This value is available in iOS 11.3 and later, macOS 12 and later, and tvOS 12.2 and later. 
- - > Note: - > This value isn't available for use with Background Security Improvement updates. - - key: InstallAction - type: - presence: required - rangelist: - - Default - - DownloadOnly - - InstallASAP - - NotifyOnly - - InstallLater - - InstallForceRestart - content: |- - The install action, which is one of the following values: - - - `Default`: Download or install the update, depending on the current state. You can check the `UpdateResults` dictionary to review scheduled updates. This value is available in iOS 9 and later, macOS 10.11 and later, and tvOS 12 and later. - - `DownloadOnly`: Download the software update without installing it. This value is available in iOS 9 and later, macOS 11 and later, and tvOS 12 and later. - - `InstallASAP`: In iOS and tvOS, install a previously downloaded software update. In macOS, download the software update and trigger the restart countdown notification. This value is available in iOS 9 and later, macOS 10.11 and later, and tvOS 12 and later. - - `NotifyOnly`: Download the software update and notify the user through the App Store. This value is available in macOS 10.11 and later. - - `InstallLater`: Download the software update and install it at a later time. This value is available in macOS 10.11 and later. - - `InstallForceRestart`: Perform the `Default` action, and then force a restart if the update requires it. This value is available in macOS 11 and later. - - - > Warning: - > `InstallForceRestart` may result in data loss. - - key: MaxUserDeferrals - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '12.0' - tvOS: - introduced: n/a - type: - presence: optional - content: |- - The maximum number of times the system allows the user to postpone an update before it's installed. The system prompts the user once a day. - - This key is only supported when `InstallAction` is `InstallLater` and only supported for minor OS updates (for example, macOS 12.x to 12.y). 
- - key: Priority - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '12.3' - tvOS: - introduced: n/a - type: - presence: optional - rangelist: - - Low - - High - default: Low - content: |- - The scheduling priority for downloading and preparing the requested update. This is only supported for minor OS updates (macOS 12.x to 12.y). - - Available in macOS 12.3 and later. Prior versions of macOS used a priority of `Low`. -responsekeys: -- key: UpdateResults - type: - presence: required - content: An array of dictionaries that describes the results of processing operating-system - updates. - subkeys: - - key: UpdateResultsItem - type: - presence: required - content: The response dictionary that describes the result of processing an operating-system - update. - subkeys: - - key: ProductKey - type: - presence: required - content: The product key that represents the update. - - key: InstallAction - type: - presence: required - rangelist: - - Error - - DownloadOnly - - InstallASAP - - NotifyOnly - - InstallLater - - InstallForceRestart - content: |- - The install action that the device scheduled, which is one of the following values: - - - `Error`: An error occurred during scheduling. - - `DownloadOnly`: Download the software update without installing it. - - `InstallASAP`: Install a previously downloaded software update. - - `NotifyOnly`: Download the software update and notify the user through the App Store. This value is available in macOS 10.11 and later. - - `InstallLater`: Download the software update and install it at a later time. This value is available in macOS 10.11 and later. - - `InstallForceRestart`: Perform the `Default` action, and then force a restart if the update requires it. This value is available in macOS 11 and later. 
- - key: Status - type: - presence: required - rangelist: - - Idle - - Downloading - - DownloadFailed - - DownloadRequiresComputer - - DownloadInsufficientSpace - - DownloadInsufficientPower - - DownloadInsufficientNetwork - - Installing - - InstallInsufficientSpace - - InstallInsufficientPower - - InstallPhoneCallInProgress - - InstallFailed - content: |- - The status of the update, which is one of the following values: - - - `Idle`: The update is idle. - - `Downloading`: The software update is downloading. - - `DownloadFailed`: The download failed. - - `DownloadRequiresComputer`: Tether the device to download this update. This value is only available in iOS. - - `DownloadInsufficientSpace`: There isn't enough space to download the update. - - `DownloadInsufficientPower`: There isn't enough power to download the update. - - `DownloadInsufficientNetwork`: The network capacity is insufficient to download the update. - - `Installing`: The software update is installing. - - `InstallInsufficientSpace`: There isn't enough space to install the update. - - `InstallInsufficientPower`: There isn't enough power to install the update. - - `InstallPhoneCallInProgress`: Installation couldn't occur because a phone call is in progress. - - `InstallFailed`: Installation failed due to an unspecified reason. - - key: ErrorChain - type: - presence: optional - content: A dictionary that describes an error chain. - subkeys: - - key: ErrorChainItem - type: - content: A dictionary that describes an error chain item. - subkeys: - - key: ANY - type: - presence: required - content: The error details. -notes: -- title: '' - content: |- - Only supervised iOS, macOS, and tvOS devices are eligible for software update management. - - This command can only schedule operating-system updates in iOS and tvOS, however, it can also schedule a variety of system software updates in macOS. - - Downloading and installing updates in iOS and tvOS is a two-step process. 
Send a `ScheduleOSUpdate` command with `Default` for `InstallAction` to download the updates. Then send another `ScheduleOSUpdate` command with a `Default` `InstallAction` to install the updates. Software updates may require a restart, which prevents the device from responding. When this happens, the MDM server resends the `ScheduleOSUpdate` command when the device checks in again, however, the device won't return a value for `UpdateResults`. - - This command uses the `UpdatesItem` `InstallAction` values to offer varying degrees of control to the user of a device. The user can control the update with the `NotifyOnly` and `DownloadOnly` actions, which don't initiate the update process at all. The `InstallASAP` and `InstallForceRestart` actions attempt to install the update as soon as possible. On iOS devices with a passcode, the user must authorize the update by entering their passcode, allowing them to defer the update a limited number of times. After the user reaches that limit, the system prompts to update every time the device returns to the Home Screen. This makes the device virtually unusable until the user approves the software update. On macOS devices, the `InstallLater` action provides a similar behavior, which specifies how many times the user may defer the update before it's forced. - - A device may return a different `InstallAction` than requested. - - Refer to the following sections to determine supported channels and requirements, and to see an example request and response. diff --git a/mdm/commands/system.update.status.yaml b/mdm/commands/system.update.status.yaml deleted file mode 100644 index 5135bc8..0000000 --- a/mdm/commands/system.update.status.yaml +++ /dev/null 
@@ -1,138 +0,0 @@ -title: OS Update Status Command -description: Get the status of operating-system updates on a device. -payload: - requesttype: OSUpdateStatus - supportedOS: - iOS: - introduced: '9.0' - deprecated: '26.0' - accessrights: AllowAppInstallation - supervised: true - requiresdep: false - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: forbidden - macOS: - introduced: 10.11.5 - deprecated: '26.0' - accessrights: None - devicechannel: true - userchannel: false - supervised: true - requiresdep: false - userenrollment: - mode: forbidden - tvOS: - introduced: '12.0' - deprecated: '26.0' - accessrights: AllowAppInstallation - devicechannel: true - supervised: true - requiresdep: false - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: Queries the device for the status of software updates. -responsekeys: -- key: OSUpdateStatus - type: - presence: required - content: |- - An array of dictionaries that describes the statuses of software updates. The array is empty if there are no software updates currently in progress. - This command only returns the status for System Applications and Configuration Data updates when a software update is managed by a Declarative Device Management `SoftwareUpdateEnforcementSpecific` configuration. - subkeys: - - key: OSUpdateStatusItem - type: - presence: required - content: A dictionary that describes the status of a software update. - subkeys: - - key: ProductKey - type: - presence: required - content: The product key that represents the update. - - key: IsDownloaded - type: - presence: required - content: If `true`, the update has finished downloading. - - key: DownloadPercentComplete - type: - presence: required - content: A floating-point number between `0.0` and `1.0` that indicates the - download progress as a percentage. 
- - key: Status - type: - presence: required - content: |- - The status of the update, which is one of the following values: - - - `Idle`: The update is idle. - - `Downloading`: The software update is downloading and subsequently preparing. - - `Installing`: The software update is installing. - - key: MaxDeferrals - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '12.3' - tvOS: - introduced: n/a - type: - presence: optional - content: |- - The number of times a user can defer this OS update. - - Available in macOS 12.3 and later. - - key: DeferralsRemaining - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '12.3' - tvOS: - introduced: n/a - type: - presence: optional - content: |- - The number of remaining user deferrals for this OS update. - - Available in macOS 12.3 and later. - - key: NextScheduledInstall - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '12.3' - tvOS: - introduced: n/a - type: - presence: optional - content: |- - The date of the next attempt at installing this OS update. - - Available in macOS 12.3 and later. - - key: PastNotifications - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '12.3' - tvOS: - introduced: n/a - type: - presence: optional - content: |- - The dates/times when the OS notified the user about installing this OS update. - - Available in macOS 12.3 and later. - subkeys: - - key: PastNotificationDate - title: Past Notification Date - type: -notes: -- title: '' - content: Refer to the following sections to determine supported channels and requirements, - and to see an example request and response. diff --git a/mdm/commands/user.configured.yaml b/mdm/commands/user.configured.yaml deleted file mode 100644 index af1b683..0000000 --- a/mdm/commands/user.configured.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -title: User Configured Command -description: Inform the device that it can continue past Setup Assistant and finish - login. -payload: - requesttype: UserConfigured - supportedOS: - iOS: - introduced: '17.0' - accessrights: None - supervised: true - requiresdep: true - sharedipad: - mode: required - devicechannel: false - userchannel: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: Inform the device that it can continue past Setup Assistant and finish - login. Only works on Shared iPads that have the AwaitUserConfiguration feature - enabled. -notes: -- title: '' - content: Refer to the following sections to determine supported channels and requirements. diff --git a/mdm/commands/user.delete.yaml b/mdm/commands/user.delete.yaml deleted file mode 100644 index be58985..0000000 --- a/mdm/commands/user.delete.yaml +++ /dev/null 
@@ -1,73 +0,0 @@ -title: Delete User Command -description: Delete a user's account from a device. -payload: - requesttype: DeleteUser - supportedOS: - iOS: - introduced: '9.3' - accessrights: None - supervised: false - requiresdep: false - sharedipad: - mode: required - devicechannel: true - userchannel: false - userenrollment: - mode: forbidden - macOS: - introduced: '10.13' - accessrights: None - devicechannel: true - userchannel: false - supervised: true - requiresdep: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: This command allows the server to delete a user that has an active account - on the device. -payloadkeys: -- key: UserName - type: - presence: optional - content: The user name of the account to delete. This key is required when the value - for `DeleteAllUsers` is absent or `false`. -- key: ForceDeletion - supportedOS: - macOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system deletes the account even if the user has data that's - pending sync to the cloud. This value is available on iOS 9.3 and later. -- key: DeleteAllUsers - supportedOS: - iOS: - introduced: '14.0' - macOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system attempts to delete all users from the device. If - `ForceDeletion` is `false`, the system generates an error instead and doesn't - delete users who have data that's pending sync. This value is available in iOS - 14 and later. -notes: -- title: '' - content: Refer to the following sections to determine supported channels and requirements, - and to see an example request and response. -- title: Error codes - content: |- - An error response uses one of the following error codes: - - - `12071`: The user doesn't exist. - - `12072`: The user is currently logged in. - - `12073`: The user has data to sync and ForceDeletion is false or unspecified. 
- - `12074`: Unable to delete the user. In macOS, this error code also returns for an attempt to delete the last administrator account. diff --git a/mdm/commands/user.list.yaml b/mdm/commands/user.list.yaml deleted file mode 100644 index dca9107..0000000 --- a/mdm/commands/user.list.yaml +++ /dev/null 
@@ -1,125 +0,0 @@ -title: User List Command -description: Get a list of users with active accounts on a device. -payload: - requesttype: UserList - supportedOS: - iOS: - introduced: '9.3' - accessrights: None - supervised: false - requiresdep: false - sharedipad: - mode: required - devicechannel: true - userchannel: false - userenrollment: - mode: forbidden - macOS: - introduced: '10.13' - accessrights: None - devicechannel: true - userchannel: false - supervised: true - requiresdep: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: This command allows the server to query for a list of users that have an - active account on the device. -responsekeys: -- key: Users - type: - presence: required - content: An array of user dictionaries that contains information about the active - accounts. - subkeys: - - key: UsersItem - type: - presence: required - content: A dictionary that contains information about an active account on a device. - subkeys: - - key: UserName - type: - presence: required - content: The user name for the account. In macOS, this is the short name of - the user account. This value is available in iOS 9.3 and later, and macOS - 10.13 and later. - - key: FullName - supportedOS: - iOS: - introduced: n/a - type: - presence: required - content: The user's full name. This value is available in macOS 10.13 and later. - - key: UID - supportedOS: - iOS: - introduced: n/a - type: - presence: required - content: The user's unique identifier. This value is available in macOS 10.13 - and later. - - key: UserGUID - supportedOS: - iOS: - introduced: n/a - type: - presence: required - content: The user's `GeneratedUID`. This value is available in macOS 10.13 and - later. - - key: IsLoggedIn - type: - presence: required - content: If `true`, the user is currently logged in on the device. This value - is available in iOS 9.3 and later, and macOS 10.13 and later. 
- - key: HasDataToSync - supportedOS: - macOS: - introduced: n/a - type: - presence: required - content: If `true`, the user has data to sync to the cloud. This value is available - in iOS 9.3 and later. - - key: DataQuota - supportedOS: - macOS: - introduced: n/a - type: - presence: required - content: If present, the user's data quota in bytes. This isn't present if the - account doesn't enforce a quota. This value is available in iOS 9.3 and later. - - key: DataUsed - supportedOS: - macOS: - introduced: n/a - type: - presence: required - content: The amount of data, in bytes, that the user has used. This value is - available in iOS 9.3 and later. - - key: MobileAccount - supportedOS: - iOS: - introduced: n/a - type: - presence: required - content: If `true`, the account is a mobile account. This value is available - in macOS 10.13 and later. - - key: HasSecureToken - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '11.0' - type: - presence: required - content: If `true`, the user currently has a secure token set. This value is - available in macOS 11 and later. -notes: -- title: '' - content: Refer to the following sections to determine supported channels and requirements, - and to see an example request and response. diff --git a/mdm/commands/user.logout.yaml b/mdm/commands/user.logout.yaml deleted file mode 100644 index 28adf75..0000000 --- a/mdm/commands/user.logout.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -title: Log Out User Command -description: Force the current user to log out of a device. -payload: - requesttype: LogOutUser - supportedOS: - iOS: - introduced: '9.3' - accessrights: None - supervised: false - requiresdep: false - sharedipad: - mode: required - devicechannel: true - userchannel: false - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: This command allows the server to force the current user to logout. -notes: -- title: '' - content: |- - After logging out the user, MDM commands aren't available on the device for up to 2 minutes. - - Refer to the following sections to determine supported channels and requirements, and to see an example request and response. diff --git a/mdm/commands/user.unlock.yaml b/mdm/commands/user.unlock.yaml deleted file mode 100644 index dcad0b2..0000000 --- a/mdm/commands/user.unlock.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -title: Unlock User Account Command -description: Unlock a user account that the system locked because of too many failed - password attempts. -payload: - requesttype: UnlockUserAccount - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.13' - accessrights: DeviceLockAndRemovePasscode - devicechannel: true - userchannel: false - supervised: false - requiresdep: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: This command allows the server to unlock a local user account that has - been locked due to too many failed password attempts. Requires "Device lock and - passcode removal right". -payloadkeys: -- key: UserName - type: - presence: required - content: The user name of the local account, which can be any local account on the - system, not just a managed user account. -notes: -- title: '' - content: Refer to the following sections to determine supported channels and requirements, - and to see an example request and response. diff --git a/mdm/errors/psso.required.yaml b/mdm/errors/psso.required.yaml deleted file mode 100644 index b106340..0000000 --- a/mdm/errors/psso.required.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ -title: Error Code Platform SSO Required -description: An error response that indicates Platform SSO is required. -payload: - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '26.0' - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a -payloadkeys: -- key: code - type: - presence: required - rangelist: - - com.apple.psso.required - content: Indicates that the device needs to do Platform SSO before enrollment and - setup can proceed. -- key: description - type: - presence: optional - content: A description of the error. Only use this for logging purposes and don't - display it to the user. -- key: message - type: - presence: optional - content: A description of the error to display to the user. -- key: details - type: - presence: required - content: A dictionary that contains additional data about the error code. - subkeys: - - key: ProfileURL - type: - presence: required - content: The URL of the profile containing an `ExtensibleSingleSignOn` profile - payload that the device uses to configure the SSO extension for Platform SSO. - - key: Package - type: - presence: required - content: A dictionary that specifies the package that the device uses to install - an app with the SSO app extension used for Platform SSO. - subkeys: - - key: ManifestURL - type: - presence: required - content: The URL of the app manifest, which needs to begin with `https:`. - - key: PinningCerts - type: - presence: optional - content: An array of DER-encoded certificates to pin the connection when fetching - the `ManifestURL`. - subkeys: - - key: PinningCertsItem - type: - presence: required - content: A certificate in DER-encoded format. - - key: PinningRevocationCheckRequired - type: - presence: optional - default: false - content: If `true`, certificate revocation checks require a positive response - when using certificate pinning with `PinningCerts`. 
- - key: AuthURL - type: - presence: required - content: The URL the device uses to create an `ASWebAuthenticationSession` to - trigger Platform SSO authentication, once the profile and app are installed. -notes: -- title: '' - content: |- - The schema for a JSON or property list XML document that an MDM server's 403 response body contains. The response headers need to include a "Content-Type" header that indicates whether the response returns JSON or XML. - - The MDM server returns this response when a device enrolls in MDM during Setup Assistant and it requires the user to sign-in using Platform SSO before it allows enrollment and setup to proceed. diff --git a/mdm/errors/softwareupdate.required.yaml b/mdm/errors/softwareupdate.required.yaml deleted file mode 100644 index a2ffe8d..0000000 --- a/mdm/errors/softwareupdate.required.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ -title: Error Code Software Update Required -description: An error response that indicates the system requires a software update. -payload: - supportedOS: - iOS: - introduced: '17.0' - macOS: - introduced: '14.0' - tvOS: - introduced: n/a - visionOS: - introduced: '26.0' - watchOS: - introduced: n/a -payloadkeys: -- key: code - type: - presence: required - rangelist: - - com.apple.softwareupdate.required - content: Indicates that the device needs to perform a software update before enrollment - and setup can proceed. -- key: description - type: - presence: optional - content: A description of the error. Only use this for logging purposes and don't - display it to the user. -- key: message - type: - presence: optional - content: A description of the error to display to the user. -- key: details - type: - presence: required - content: A dictionary that contains additional data about the error code. - subkeys: - - key: OSVersion - type: - presence: required - content: The OS version that the device needs to update to, for example, "16.1". - This identifier can include a supplemental version identifier, for example, - "16.1 (a)". - - key: BuildVersion - type: - presence: optional - content: The build version that the device needs to update to, for example, "20A242. - The systems uses the build version for testing during seeding periods. This - identifier can include a supplemental version identifier, for example, "20A242a". - If the `BuildVersion` isn't consistent with the `OSVersion`, `OSVersion` take - precedence. - - key: RequireBetaProgram - supportedOS: - iOS: - introduced: '17.5' - macOS: - introduced: '14.5' - type: - presence: optional - content: The device enrolls in the beta program, allowing enforced software updates - to beta program OS versions. The device remains in the beta program after the - system completes the enforced software update. 
- subkeys: - - key: Description - type: - presence: required - content: A human readable description of the beta program. - - key: Token - type: - presence: required - content: The AxM seeding service token for the AxM organization the MDM server - is part of. The system uses this token to enroll the device in the corresponding - beta program. -notes: -- title: '' - content: |- - The schema for a JSON or property list XML document that an MDM server's 403 response body contains. The response headers need to include a "Content-Type" header that indicates whether the response returns JSON or XML. - - The MDM server returns this response when a device enrolls in MDM during Setup Assistant and it requires the device to perform a software update before it can continue with enrollment and setup. diff --git a/mdm/errors/unrecognized.device.yaml b/mdm/errors/unrecognized.device.yaml deleted file mode 100644 index dfa6657..0000000 --- a/mdm/errors/unrecognized.device.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -title: Error Unrecognized Device -description: An error response that indicates a device needs to unenroll. -payload: - supportedOS: - iOS: - introduced: '17.0' - macOS: - introduced: '14.0' - tvOS: - introduced: '17.0' - visionOS: - introduced: '1.1' - watchOS: - introduced: '10.0' -payloadkeys: -- key: code - type: - presence: required - rangelist: - - com.apple.unrecognized.device - content: Indicates that the device is not recognized by the server. This causes - the device to unenroll from MDM. -- key: description - type: - presence: optional - content: A description of the error. Only use this for logging purposes and don't - display it to the user. -- key: message - type: - presence: optional - content: A description of the error to display to the user. -notes: -- title: '' - content: |- - The schema for a JSON or property list XML document that an MDM server's 403 response body contains. The response headers need to include a "Content-Type" header that indicates whether the response returns JSON or XML. - - The MDM server returns this response when it doesn't recognize the device making the request. This causes the device to unenroll from the MDM server. Use this error instead of the server returning a 401 response to cause an unenroll. diff --git a/mdm/errors/watch.pairing.token.missing.yaml b/mdm/errors/watch.pairing.token.missing.yaml deleted file mode 100644 index b8a5909..0000000 --- a/mdm/errors/watch.pairing.token.missing.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -title: Error Code Pairing Token Missing -description: An error response that indicates a missing pairing token. -payload: - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: '10.0' -payloadkeys: -- key: code - type: - presence: required - rangelist: - - com.apple.watch.pairing.token.missing - content: Indicates that the pairing token, which the system requires to enroll the - watch, is missing. -- key: description - type: - presence: optional - content: A description of the error. Only use this for logging purposes and don't - display it to the user. -- key: message - type: - presence: optional - content: A description of the error to display to the user. -- key: details - type: - presence: required - content: A dictionary that contains additional data about the error code. - subkeys: - - key: security-token - type: - presence: required - content: The security token to pass to the phone's MDM server to create the pairing - token. This token needs to be a random UUID string. -notes: -- title: '' - content: |- - The schema for a JSON or property list XML document that an MDM server's 403 response body contains. The response headers need to include a "Content-Type" header that indicates whether the response returns JSON or XML. - - The system returns this response when an Apple Watch enrolls in MDM, but the watch doesn't include a `PAIRING_TOKEN` in the `MachineInfo` request. After the watch receives this response, it fetches a pairing token from the phone's MDM server through a request to the phone. Then, the watch repeats the enrollment request and includes the pairing token. diff --git a/mdm/errors/well-known.failed.yaml b/mdm/errors/well-known.failed.yaml deleted file mode 100644 index eee1c6f..0000000 --- a/mdm/errors/well-known.failed.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -title: Error Well-known Failed -description: An error response that indicates a well-known service discovery request - failed. -payload: - supportedOS: - iOS: - introduced: '17.5' - macOS: - introduced: '14.5' - tvOS: - introduced: n/a - visionOS: - introduced: '1.2' - watchOS: - introduced: n/a -payloadkeys: -- key: code - type: - presence: required - rangelist: - - com.apple.well-known.failed - content: Indicates that the well-known request has failed. -- key: description - type: - presence: optional - content: A description of the error. Only use this for logging purposes and don't - display it to the user. -- key: message - type: - presence: optional - content: A description of the error to display to the user. -notes: -- title: '' - content: |- - The schema for a JSON or property list XML document that an MDM server's 403 response body contains. The response headers need to include a "Content-Type" header that indicates whether the response returns JSON or XML. - - The MDM server returns this response to reject a well-known service discovery request from a device made during an account driven enrollment. diff --git a/mdm/profiles/CommonPayloadKeys.yaml b/mdm/profiles/CommonPayloadKeys.yaml deleted file mode 100644 index 74a5f19..0000000 --- a/mdm/profiles/CommonPayloadKeys.yaml +++ /dev/null 
@@ -1,84 +0,0 @@ -title: Common Payload Keys -description: The properties common to all payloads. -payload: - payloadtype: CommonPayloadKeys - supportedOS: - iOS: - introduced: '4.0' - multiple: false - supervised: false - allowmanualinstall: true - sharedipad: - mode: allowed - devicechannel: true - userchannel: true - userenrollment: - mode: allowed - macOS: - introduced: '10.7' - multiple: false - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: allowed - tvOS: - introduced: '9.0' - multiple: false - supervised: false - allowmanualinstall: true - visionOS: - introduced: '1.0' - multiple: false - supervised: false - allowmanualinstall: true - userenrollment: - mode: allowed - watchOS: - introduced: '1.0' - multiple: false - allowmanualinstall: true -payloadkeys: -- key: PayloadIdentifier - type: - presence: required - content: |- - The reverse-DNS-style identifier for the payload. This identifier is usually the same as the `TopLevel` value, with an additional appended component. This string must be unique within the profile. - - During a profile replacement, the system updates payloads with the same `PayloadIdentifier` and `PayloadUUID` in the old and new profiles. -- key: PayloadUUID - type: - presence: required - content: |- - The globally unique identifier for the payload. The actual content is unimportant, but must be globally unique. In macOS, use `uuidgen` to generate UUIDs. - - During a profile replacement, the system updates payloads with the same `PayloadIdentifier` and `PayloadUUID` in the old and new profiles. -- key: PayloadType - type: - presence: required - content: The payload type, which each payload domain's reference page specifies. -- key: PayloadVersion - type: - presence: required - rangelist: - - 1 - content: The version of this specific payload. 
-- key: PayloadDescription - type: - presence: optional - content: The human-readable description of this payload. This description appears - on the Detail screen. -- key: PayloadDisplayName - type: - presence: optional - content: The human-readable name for the profile payload. The name appears on the - Detail screen and doesn't need to be unique. -- key: PayloadOrganization - type: - presence: optional - content: The human-readable string containing the name of the organization that - provides the profile. This value doesn't need to match the organization payload - value in the enclosing dictionary. diff --git a/mdm/profiles/GlobalPreferences.yaml b/mdm/profiles/GlobalPreferences.yaml deleted file mode 100644 index 73643f8..0000000 --- a/mdm/profiles/GlobalPreferences.yaml +++ /dev/null @@ -1,37 +0,0 @@ -title: Global Preferences -description: The payload to configure global preferences. -payload: - payloadtype: .GlobalPreferences - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.7' - multiple: false - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: Global preferences on macOS -payloadkeys: -- key: MultipleSessionEnabled - type: - presence: optional - default: true - content: If `false`, disables fast user switching. -- key: com.apple.autologout.AutoLogOutDelay - type: - presence: optional - content: The `autologout` delay, in seconds. A value of `0` means `autologout` is - off. In some cases, this delay may be restricted to values between 5 minutes and - 24 hours. diff --git a/mdm/profiles/TopLevel.yaml b/mdm/profiles/TopLevel.yaml deleted file mode 100644 index c21207c..0000000 --- a/mdm/profiles/TopLevel.yaml +++ /dev/null 
@@ -1,227 +0,0 @@ -title: Top Level -description: The top-level payload properties for all profiles. -payload: - payloadtype: TopLevel - supportedOS: - iOS: - introduced: '4.0' - multiple: false - supervised: false - allowmanualinstall: true - sharedipad: - mode: allowed - devicechannel: true - userchannel: true - userenrollment: - mode: allowed - macOS: - introduced: '10.7' - multiple: false - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: allowed - tvOS: - introduced: '9.0' - multiple: false - supervised: false - allowmanualinstall: true - visionOS: - introduced: '1.0' - multiple: false - supervised: false - allowmanualinstall: true - userenrollment: - mode: allowed - watchOS: - introduced: '1.0' - multiple: false - allowmanualinstall: true -payloadkeys: -- key: PayloadIdentifier - type: - presence: required - content: The reverse-DNS style identifier (`com.example.myprofile`, for example) - that identifies the profile. The system uses this string to determine whether - to replace an existing profile or add it as a new profile. -- key: PayloadUUID - type: - presence: required - content: The globally unique identifier for the profile. The actual content is unimportant. - In macOS, you can use `uuidgen` to generate reasonable UUIDs. -- key: PayloadType - type: - presence: required - rangelist: - - Configuration - content: The type of payload. The only supported value is `Configuration`. -- key: PayloadVersion - type: - presence: required - rangelist: - - 1 - content: The version number of the profile format, which needs to be `1`. This number - represents the version of the configuration profile as a whole, not of the individual - profiles within it. -- key: PayloadContent - type: - presence: required - content: The array of payload dictionaries. If `IsEncrypted` is `true`, this array - isn't needed. 
- subkeys: - - key: PayloadContentItem - type: - content: The payload-specific content for this profile. - subkeys: - - key: ANY - type: - presence: required - content: A payload item as defined by each payload type. -- key: EncryptedPayloadContent - type: - presence: optional - content: Enabled if `IsEncrypted` is `true`. -- key: PayloadDescription - type: - presence: optional - content: The description of the profile, shown on the Detail screen for the profile. - Make this description detailed enough to help the user decide whether to install - the profile. -- key: PayloadDisplayName - type: - presence: optional - content: The human-readable name for the profile, which doesn't need to be unique. - The system displays this value on the Detail screen. -- key: PayloadOrganization - type: - presence: optional - content: The human-readable string that contains the name of the organization that - provided the profile. -- key: PayloadRemovalDisallowed - supportedOS: - iOS: - supervised: true - userenrollment: - mode: forbidden - tvOS: - supervised: true - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: |- - If present and set to `true`, the user can't delete the profile unless the profile has a removal password and the user provides it. - - On macOS 10.15 and later, this key only affects removal of _manually_ installed profiles. If set to `true` and no profile removal payload is present, removing the profile requires admin auth. - - On macOS versions prior to 10.15, this key prevents admins from removing MDM installed profiles. However, as of macOS 10.15, users can never remove MDM profiles, not even the admin. - - On iOS users can't remove a MDM profile. - - Requires a supervised device. 
-- key: PayloadScope - supportedOS: - macOS: - introduced: '10.8' - type: - presence: optional - rangelist: - - System - - User - content: A string that defines whether to install the profile for the system or - the user. In many cases, it determines the location of certificate items, such - as keychains. Though it's not possible to declare different payload scopes, payloads - like VPN can automatically install their items in both scopes, if needed. -- key: RemovalDate - type: - presence: optional - content: The date when the system automatically removes the profile. -- key: DurationUntilRemoval - type: - presence: optional - content: The number of seconds until the profile is automatically removed. If the - `RemovalDate` key is present, the system uses whichever field yields the earliest - date. -- key: PayloadExpirationDate - supportedOS: - watchOS: - introduced: n/a - type: - presence: optional - content: The date when a profile is no longer valid and the system presents an update - button to the user. -- key: TargetDeviceType - supportedOS: - iOS: - introduced: '12.2' - macOS: - introduced: '10.15' - tvOS: - introduced: '12.2' - visionOS: - introduced: '1.1' - watchOS: - introduced: '5.2' - type: - presence: optional - rangelist: - - 0 - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - default: 0 - content: |- - The type of platform of the target device. Specifying the platform type helps prevent unintended installations. - - For interactive installations on iOS devices, specifying a target platform avoids interstitial alerts that prompt the user to choose a profile target when multiple targets are eligible. 
- - Allowed values: - - - `0`: Any/unspecified - - `1`: iPhone/iPad/iPod Touch - - `2`: Apple Watch - - `3`: HomePod - - `4`: Apple TV - - `5`: Mac - - `6`: Vision Pro -- key: ConsentText - type: - presence: optional - content: |- - A dictionary that includes: - - - A key that contains the IETF BCP 47 identifier for a language, such as _en_ or _jp_ - - A value that contains the agreement localized to language specified by the key - - The dictionary can also contain an optional key, `default`, with its value consisting of the unlocalized (usually in _en_) agreement. - - The system always displays the agreement in a dialog, and the user needs to agree before the system can install the profile. - - The system chooses a localized version in the order of preference that the user specifies in macOS, or based on the user's current language setting in iOS. If there's no exact match, the system uses the default localization. If there's no default localization, the system uses the _en_ localization. If there's no _en_ localization, the system uses the first available localization. - - > Tip: - > Provide a default value, if possible. The system won't display a warning if the user's locale doesn't match any localization in the `ConsentText` dictionary. - subkeys: - - key: ConsentTextItem - type: - presence: required - content: The dictionary containing a key that consists of the IETF BCP 47 identifier - for a language (for example, en or jp) and a value that consists of the agreement - localized to that language. - subkeys: - - key: ANY - type: - presence: required - content: The key consisting of the IETF BCP 47 identifier for a language (for - example, en or jp) and the value consisting of the agreement localized to - that language. diff --git a/mdm/profiles/com.apple.ADCertificate.managed.yaml b/mdm/profiles/com.apple.ADCertificate.managed.yaml deleted file mode 100644 index daa608c..0000000 --- a/mdm/profiles/com.apple.ADCertificate.managed.yaml +++ /dev/null 
@@ -1,132 +0,0 @@ -title: Active Directory Certificate -description: The payload that configures Active Directory Certificate settings. -payload: - payloadtype: com.apple.ADCertificate.managed - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.7' - multiple: true - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: allowed - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: A certificate can be requested from a Microsoft Certificate Authority (CA) - using DCE/RPC and the Active Directory Certificate profile payload instructions - detailed at support.apple.com/kb/HT5357. -payloadkeys: -- key: CertServer - title: Certificate Server - type: - presence: required - content: The fully qualified host name of the CA. -- key: CertTemplate - title: Certificate Template - type: - presence: required - content: The certificate template for your environment. The default user certificate - value is \`User\`. The default computer certificate value is \`Machine\`. -- key: Description - title: Description - type: - presence: optional - content: A user-friendly description of the certification identity. -- key: CertificateRenewalTimeInterval - title: Certificate Renewal Time Interval - type: - presence: optional - content: The number of days in advance of certificate expiration that the notification - center notifies the user. -- key: CertificateAuthority - title: Certificate Authority - supportedOS: - macOS: - introduced: '10.8' - type: - presence: optional - content: |- - The name of the certificate authority (CA), which is determined from the common name (CN) of the Active Directory entry. Available in macOS 10.8 and later. 
Valid values: - - - CN= - - CN=`Certification Authorities` - - CN=`Public Key Services` - - CN=`Services` - - CN=`Configuration` - - CN= -- key: CertificateAcquisitionMechanism - title: Certificate Acquisition Mechanism - supportedOS: - macOS: - introduced: '10.8' - type: - presence: optional - content: This value is most commonly `RPC`; if using web enrollment, use `HTTP`. - Available in macOS 10.8 and later. -- key: AllowAllAppsAccess - title: Allow All Apps Access - supportedOS: - macOS: - introduced: '10.10' - type: - presence: optional - default: false - content: If `true`, gives apps access to the private key. Available in macOS 10.10 - and later. -- key: PromptForCredentials - title: Prompt for Credentials - supportedOS: - macOS: - introduced: '10.8' - type: - presence: optional - default: false - content: If `true`, the system prompts the user for credentials when is installs - the profile. This key applies only to user certificates with the Manual Download - profile delivery method. Omit this key for computer certificates. Available in - macOS 10.8 and later. -- key: KeyIsExtractable - title: Key Is Extractable - supportedOS: - macOS: - introduced: '10.10' - type: - presence: optional - default: false - content: If `true`, the system allows exporting the private key. Available in macOS - 10.10 and later. -- key: Keysize - title: Key Size - supportedOS: - macOS: - introduced: '10.11' - type: - presence: optional - default: 2048 - content: The RSA key size for the certificate signing request (CSR). Available in - macOS 10.11 and later. -- key: EnableAutoRenewal - title: Enable Auto Renewal - supportedOS: - macOS: - introduced: 10.13.4 - type: - presence: optional - default: false - content: If `true`, the certificate obtained with this payload attempts auto-renewal. - Auto-renewal can only be used with device Active Directory certificate payloads. - Available in macOS 10.13.4 and later. 
-notes: -- title: '' - content: To get a certificate from a Microsoft CA, follow the instructions at [Request - a certificate from a Microsoft Certificate Authority](https://support.apple.com/en-us/HT204602). diff --git a/mdm/profiles/com.apple.AIM.account.yaml b/mdm/profiles/com.apple.AIM.account.yaml deleted file mode 100644 index b47373c..0000000 --- a/mdm/profiles/com.apple.AIM.account.yaml +++ /dev/null @@ -1,72 +0,0 @@ -title: AIM Account -description: The payload that configures an AIM account on the device. -payload: - payloadtype: com.apple.AIM.account - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.7' - deprecated: '10.13' - removed: '10.14' - multiple: true - devicechannel: false - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: An AIM payload creates an AIM account on the device. -payloadkeys: -- key: AIMAccountDescription - title: Account Description - type: - presence: optional - content: The description of the account. -- key: AIMHostName - title: Account Hostname - type: - presence: required - rangelist: - - slogin.oscar.aol.com - content: The server address. -- key: AIMUserName - title: Account Username - type: - presence: optional - content: The user's login name. -- key: AIMPassword - title: Account Password - type: - presence: optional - content: The user's password. -- key: AIMUseSSL - title: Use SSL - type: - presence: optional - default: true - content: If `true`, enables SSL. -- key: AIMPort - title: Port Number - type: - presence: optional - range: - min: 0 - max: 65535 - default: 5190 - content: The connection port for the server. -- key: AIMAuthentication - title: AIM Authentication - type: - presence: required - rangelist: - - AIMAuthPassword - content: The authentication method for the account. 
diff --git a/mdm/profiles/com.apple.AssetCache.managed.yaml b/mdm/profiles/com.apple.AssetCache.managed.yaml deleted file mode 100644 index 49aa62b..0000000 --- a/mdm/profiles/com.apple.AssetCache.managed.yaml +++ /dev/null 
@@ -1,302 +0,0 @@ -title: Content Caching -description: The payload that configures the Content Caching service. -payload: - payloadtype: com.apple.AssetCache.managed - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: 10.13.4 - multiple: false - devicechannel: true - userchannel: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: Configures the Content Caching service. -payloadkeys: -- key: AllowCacheDelete - supportedOS: - macOS: - introduced: '10.15' - type: - presence: optional - default: true - content: If true, the system purges content from the cache automatically when it - needs disk space for other apps when free disk space runs low on the computer. - Set to `false` to maximize effectiveness of Content Caching. Available in macOS - 10.15 and later. -- key: AllowPersonalCaching - supportedOS: - macOS: - introduced: 10.13.4 - type: - presence: optional - default: true - content: |- - If `true`, the system caches the user's iCloud data. Changes to this value don't have an immediate effect. Clients may take some time, such as hours or days, to react to changes. - - > Note: - > At least one of the `AllowPersonalCaching` or `AllowSharedCaching` keys need to be `true`. -- key: AllowSharedCaching - supportedOS: - macOS: - introduced: 10.13.4 - type: - presence: optional - default: true - content: |- - If `true`, the system caches non-iCloud content, such as apps and software updates. Changes to this value don't have an immediate effect. Clients may take some time, such as hours or days, to react to changes. - - > Note: - > At least one of the `AllowPersonalCaching` or `AllowSharedCaching` keys need to be `true`. 
-- key: AutoActivation - supportedOS: - macOS: - introduced: 10.13.4 - type: - presence: optional - default: false - content: |- - If `true`, the system automatically activates the content cache when possible and prevents disabling it. If `allowContentCaching` is `false`, `AutoActivation` is also `false`. - - Removing a profile that set `AutoActivation` to `true` doesn't deactivate the Content Cache. -- key: AutoEnableTetheredCaching - supportedOS: - macOS: - introduced: 10.15.4 - type: - presence: optional - default: false - content: |- - If `true`, the system automatically enables Internet connection sharing when possible and prevent disabling Internet connection sharing. `DenyTetheredCaching` overrides `AutoEnableTetheredCaching`. Tethered caching requires Content Caching. - - Available in macOS 10.15.4 and later. -- key: CacheLimit - supportedOS: - macOS: - introduced: 10.13.4 - type: - presence: optional - default: 0 - content: The maximum number of bytes of disk space to use for the content cache. - Set to `0` for unlimited disk space. -- key: DataPath - supportedOS: - macOS: - introduced: 10.13.4 - type: - presence: optional - default: /Library/Application Support/Apple/AssetCache/Data - content: |- - The path to the directory used to store cached content. Changing this setting manually doesn't automatically move cached content from the old location to the new one. To move content automatically, use the Sharing preference's Content Caching pane. The value must be (or end with) `/Library/Application Support/Apple/AssetCache/Data`. - - The system creates a directory and its intermediates for the given data path if it doesn't already exist. The directory is owned by `_assetcache:_assetcache` and has mode 0750. Its immediate parent directory (`.../Library/Application Support/Apple/AssetCache`) is owned by `_assetcache:_assetcache` and has mode `0755`. 
-- key: DenyTetheredCaching - supportedOS: - macOS: - introduced: 10.13.4 - type: - presence: optional - default: false - content: If `true`, the system disables tethered caching. -- key: DisplayAlerts - supportedOS: - macOS: - introduced: '10.15' - type: - presence: optional - default: false - content: If `true`, Content Caching displays exceptional conditions (alerts) as - system notifications in the upper corner of the screen. Alerts were automatically - displayed starting in macOS 10.13. In macOS 10.15 the alerts are off by default, - but still available through this setting. Available in macOS 10.15 and later. -- key: KeepAwake - supportedOS: - macOS: - introduced: '10.15' - type: - presence: optional - default: false - content: If `true`, the system prevents the computer from sleeping as long as Content - Caching is on (System Preferences > Sharing > Content Caching is on). Customers - who want Content Caching to be as available as much as possible should turn this - setting on. Available in macOS 10.15 and later. -- key: ListenRanges - supportedOS: - macOS: - introduced: 10.13.4 - type: - presence: optional - content: An array of dictionaries that describe a range of client IP addresses to - serve. - subkeytype: Ranges - subkeys: &id001 - - key: RangesItem - type: - content: A range of IP addresses to cache. - subkeys: - - key: type - supportedOS: - macOS: - introduced: 10.13.4 - type: - presence: optional - rangelist: - - IPv4 - - IPv6 - default: IPv4 - content: The IP address type. - - key: first - supportedOS: - macOS: - introduced: 10.13.4 - type: - presence: required - content: The first IP address in the range. - - key: last - supportedOS: - macOS: - introduced: 10.13.4 - type: - presence: required - content: The last IP address in the range. -- key: ListenRangesOnly - supportedOS: - macOS: - introduced: 10.13.4 - type: - presence: optional - default: false - content: If `true`, the content cache provides content to the clients in the `ListenRanges`. 
-- key: ListenWithPeersAndParents - supportedOS: - macOS: - introduced: 10.13.4 - type: - presence: optional - default: true - content: If `true`, the content cache provides content to the clients in the union - of the `ListenRanges`, `PeerListenRanges` and `Parents`. -- key: LocalSubnetsOnly - supportedOS: - macOS: - introduced: 10.13.4 - type: - presence: optional - default: true - content: If `true`, the content cache offers content to clients only on the same - immediate local network only. No content is offered to clients on other networks - reachable by the content cache. If `LocalSubnetsOnly` is `true`, the system ignores - `ListenRanges`. -- key: LogClientIdentity - supportedOS: - macOS: - introduced: 10.13.4 - type: - presence: optional - default: false - content: If `true`, the Content Cache logs the IP address and port number of the - clients that request content. -- key: Parents - supportedOS: - macOS: - introduced: 10.13.4 - type: - presence: optional - content: An array of the local IP addresses of other content caches that this cache - should download from or upload to, instead of downloading from or uploading to - Apple directly. The system ignores invalid addresses and addresses of computers - that aren't content caches. The system skips Parent caches that become unavailable. - If all parent content caches become unavailable, the content cache downloads from - or uploads to Apple directly, until a parent content cache becomes available again. - subkeys: - - key: ParentsItem - type: - presence: required - content: An IP address. -- key: ParentSelectionPolicy - supportedOS: - macOS: - introduced: 10.13.4 - type: - presence: optional - rangelist: - - first-available - - url-path-hash - - random - - round-robin - - sticky-available - default: round-robin - content: |- - The policy to implement when choosing among more than one configured parent content cache. With every policy, the system skips parent caches that are temporarily unavailable. 
Allowed values: - - - `first-available`: Always use the first available parent in the Parents list. Use this policy to designate permanent primary, secondary, and subsequent parents. - - `url-path-hash`: Hash the path part of the requested URL so that the same parent is always used for the same URL. This is useful for maximizing the size of the combined caches of the parents. - - `random`: Choose a parent at random. Use this policy for load balancing. - - `round-robin`: Rotate through the parents in order. Use this policy for load balancing. - - `sticky-available`: Use the first available parent in the Parents list until it becomes unavailable, then advance to the next one. Use this policy for designating floating primary, secondary, and subsequent parents. -- key: PeerFilterRanges - supportedOS: - macOS: - introduced: 10.13.4 - type: - presence: optional - content: An array of dictionaries describing a range of peer IP addresses that the - content cache uses to filter its list of peers to query for content. The content - cache only queries peers in `PeerFilterRanges`. When `PeerFilterRanges` is an - empty array, the content cache doesn't query any peers. - subkeytype: Ranges - subkeys: *id001 -- key: PeerListenRanges - supportedOS: - macOS: - introduced: 10.13.4 - type: - presence: optional - content: An array of dictionaries describing a range of peer IP addresses the content - cache responds to. When `PeerListenRanges` is an empty array, the content cache - responds with an error to all cache queries. - subkeytype: Ranges - subkeys: *id001 -- key: PeerLocalSubnetsOnly - supportedOS: - macOS: - introduced: 10.13.4 - type: - presence: optional - default: true - content: If `true`, the content cache only peers with other content caches on the - same immediate local network, rather than with content caches that use the same - public IP address as the device. 
When `PeerLocalSubnetsOnly` is `true`, it overrides - the configuration of `PeerFilterRanges` and `PeerListenRanges`. If the network - changes, the local network peering restrictions update appropriately. If `false`, - the content cache defers to `PeerFilterRanges` and `PeerListenRanges` for configuring - the peering restrictions. -- key: Port - supportedOS: - macOS: - introduced: 10.13.4 - type: - presence: optional - default: 0 - content: The TCP port number on which the content cache accepts requests for uploads - or downloads. Set to `0` to pick a random, available port. -- key: PublicRanges - supportedOS: - macOS: - introduced: 10.13.4 - type: - presence: optional - content: An array of dictionaries describing a range of public IP addresses that - the cloud servers should use for matching clients to content caches. - subkeytype: Ranges - subkeys: *id001 diff --git a/mdm/profiles/com.apple.Dictionary.yaml b/mdm/profiles/com.apple.Dictionary.yaml deleted file mode 100644 index a1e70ed..0000000 --- a/mdm/profiles/com.apple.Dictionary.yaml +++ /dev/null @@ -1,30 +0,0 @@ -title: 'Parental Controls: Dictionary' -description: The payload that configures parental control dictionary restrictions. -payload: - payloadtype: com.apple.Dictionary - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.7' - multiple: false - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: Parental controls dictionary restrictions. -payloadkeys: -- key: parentalControl - type: - presence: required - content: If `true`, enables parental controls dictionary restrictions. diff --git a/mdm/profiles/com.apple.DirectoryService.managed.yaml b/mdm/profiles/com.apple.DirectoryService.managed.yaml deleted file mode 100644 index 9102048..0000000 
--- a/mdm/profiles/com.apple.DirectoryService.managed.yaml +++ /dev/null 
@@ -1,274 +0,0 @@
-title: Directory Service
-description: The payload that configures an Active Directory (AD) domain.
-payload: - payloadtype: com.apple.DirectoryService.managed - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.8' - multiple: true - devicechannel: true - userchannel: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: allowed - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: In macOS 10.9 and later, a configuration profile can be used to configure - macOS to join an Active Directory (AD) domain. Advanced AD options available via - Directory Utility or the dsconfigad command line tool can also be set using a - configuration profile.
-payloadkeys:
-- key: HostName - title: HostName - type: - presence: required - content: The Active Directory domain to join.
-- key: UserName - title: UserName - type: - presence: optional - content: The user name of the account for the domain.
-- key: Password - title: Password - type: - presence: optional - content: The password of the account for the domain.
-- key: ClientID - title: Client ID - type: - presence: optional - content: The client's identifier.
-- key: Description - title: Description - type: - presence: optional - content: The directory service description.
-- key: ADOrganizationalUnit - title: ADOrganizationalUnit - type: - presence: optional - content: The organizational unit to add the joining computer object to.
-- key: ADMountStyle - title: ADMountStyle - type: - presence: optional - content: 'The network home protocol to use: `afp` or `smb`.'
-- key: ADCreateMobileAccountAtLoginFlag - title: ADCreateMobileAccountAtLoginFlag - supportedOS: - macOS: - introduced: '10.9' - type: - presence: optional - default: false - content: If `true`, the system enables the `ADCreateMobileAccountAtLogin` key.
-- key: ADCreateMobileAccountAtLogin - title: ADCreateMobileAccountAtLogin - type: - presence: optional - default: false - content: If `true`, the system creates a mobile account at login.
-- key: ADWarnUserBeforeCreatingMAFlag - title: ADWarnUserBeforeCreatingMAFlag - supportedOS: - macOS: - introduced: '10.9' - type: - presence: optional - default: false - content: If `true`, the system enables the `ADWarnUserBeforeCreatingMA` key.
-- key: ADWarnUserBeforeCreatingMA - title: ADWarnUserBeforeCreatingMA - type: - presence: optional - default: false - content: If `true`, the system enables the warning before creating the mobile account.
-- key: ADForceHomeLocalFlag - title: ADForceHomeLocalFlag - supportedOS: - macOS: - introduced: '10.9' - type: - presence: optional - default: false - content: If `true`, the system enables the `ADForceHomeLocal` key.
-- key: ADForceHomeLocal - title: ADForceHomeLocal - type: - presence: optional - default: false - content: If `true`, the system forces a local home directory.
-- key: ADUseWindowsUNCPathFlag - title: ADUseWindowsUNCPathFlag - supportedOS: - macOS: - introduced: '10.9' - type: - presence: optional - default: false - content: If `true`, the system enables the `ADUseWindowsUNCPath` key.
-- key: ADUseWindowsUNCPath - title: ADUseWindowsUNCPath - type: - presence: optional - default: false - content: If `true`, the system uses the UNC path from Active Directory to derive - the network home location.
-- key: ADAllowMultiDomainAuthFlag - title: ADAllowMultiDomainAuthFlag - supportedOS: - macOS: - introduced: '10.9' - type: - presence: optional - default: false - content: If `true`, the system enables the `ADAllowMultiDomainAuth` key.
-- key: ADAllowMultiDomainAuth - title: ADAllowMultiDomainAuth - type: - presence: optional - default: false - content: If `true`, the system allows authentication from any domain in the namespace.
-- key: ADDefaultUserShellFlag - title: ADDefaultUserShellFlag - type: - presence: optional - default: false - content: If `true`, the system enables the `ADDefaultUserShell` key.
-- key: ADDefaultUserShell - title: ADDefaultUserShell - type: - presence: optional - content: The default user shell.
-- key: ADMapUIDAttributeFlag - title: ADMapUIDAttributeFlag - type: - presence: optional - default: false - content: If `true`, the system enables the `ADMapUIDAttribute` key.
-- key: ADMapUIDAttribute - title: ADMapUIDAttribute - type: - presence: optional - content: The map UID to attribute.
-- key: ADMapGIDAttributeFlag - title: ADMapGIDAttributeFlag - type: - presence: optional - default: false - content: If `true`, the system enables the `ADMapGIDAttribute` key.
-- key: ADMapGIDAttribute - title: ADMapGIDAttribute - type: - presence: optional - content: The map GID to attribute.
-- key: ADMapGGIDAttributeFlag - title: ADMapGGIDAttributeFlag - type: - presence: optional - default: false - content: If `true`, the system enables the `ADMapGGIDAttributeFlag` key.
-- key: ADMapGGIDAttribute - title: ADMapGGIDAttribute - type: - presence: optional - content: The map group GID to attribute.
-- key: ADPreferredDCServerFlag - title: ADPreferredDCServerFlag - type: - presence: optional - default: false - content: If `true`, the system enables the `ADPreferredDCServer` key.
-- key: ADPreferredDCServer - title: ADPreferredDCServer - type: - presence: optional - content: The preferred domain server.
-- key: ADDomainAdminGroupListFlag - title: ADDomainAdminGroupListFlag - type: - presence: optional - default: false - content: If `true`, the system enables the `ADDomainAdminGroupList` key.
-- key: ADDomainAdminGroupList - title: ADDomainAdminGroupList - type: - presence: optional - content: The list of Active Directory groups with admin access.
- subkeys: - - key: ADDomainAdminGroupListItem - type:
-- key: ADNamespaceFlag - title: ADNamespaceFlag - type: - presence: optional - default: false - content: If `true`, the system enables the `ADNamespace` key.
-- key: ADNamespace - title: ADNamespace - type: - presence: optional - content: The primary user account naming convention; either `forest` or `domain`.
-- key: ADPacketSignFlag - title: ADPacketSignFlag - supportedOS: - macOS: - introduced: '10.8' - type: - presence: optional - default: false - content: If `true`, the system enables the `ADPacketSign` key.
-- key: ADPacketSign - title: ADPacketSign - type: - presence: optional - content: The packet signing policy.
-- key: ADPacketEncryptFlag - title: ADPacketEncryptFlag - type: - presence: optional - default: false - content: If `true`, the system enables the `ADPacketEncrypt` key.
-- key: ADPacketEncrypt - title: ADPacketEncrypt - type: - presence: optional - content: The packet encryption policy.
-- key: ADRestrictDDNSFlag - title: ADRestrictDDNSFlag - type: - presence: optional - default: false - content: If `true`, the system enables the `ADRestrictDDNS` key.
-- key: ADRestrictDDNS - title: ADRestrictDDNS - supportedOS: - macOS: - introduced: '10.8' - type: - presence: optional - content: An array of strings that represent the interfaces allowed for dynamic DNS - updates, such as en0 and en1. - subkeys: - - key: ADRestrictDDNSItem - type:
-- key: ADTrustChangePassIntervalDaysFlag - title: ADTrustChangePassIntervalDaysFlag - type: - presence: optional - default: false - content: If `true`, the system enables the `ADTrustChangePassIntervalDays` key.
-- key: ADTrustChangePassIntervalDays - title: ADTrustChangePassIntervalDays - type: - presence: optional - content: The number of days before requiring a change of the computer trust account - password. Set to `0` to disable the feature.
diff --git a/mdm/profiles/com.apple.DiscRecording.yaml b/mdm/profiles/com.apple.DiscRecording.yaml
deleted file mode 100644
index fc9239d..0000000
--- a/mdm/profiles/com.apple.DiscRecording.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: 'Media Management: Disc Burning'
-description: The payload that configures disc-burning settings.
-payload: - payloadtype: com.apple.DiscRecording - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.7' - multiple: false - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a
-payloadkeys:
-- key: BurnSupport - type: - presence: required - rangelist: - - 'off' - - authenticate - - 'on' - content: |- - Configure disc-burn. Allowed values: - - `off`: The system disables disc burning. - - `on`: The system allows normal default operation. Setting this key to `on` doesn't enable disc burn support if other mechanisms or preferences disabled it. Needs to be enabled with the `Finder` profile. - - `authenticate`: The system requires authentication.
diff --git a/mdm/profiles/com.apple.MCX(Accounts).yaml b/mdm/profiles/com.apple.MCX(Accounts).yaml
deleted file mode 100644
index 1d30336..0000000
--- a/mdm/profiles/com.apple.MCX(Accounts).yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-title: Accounts
-description: The payload that configures guest accounts.
-payload: - payloadtype: com.apple.MCX - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.7' - multiple: true - devicechannel: true - userchannel: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a
-payloadkeys:
-- key: EnableGuestAccount - supportedOS: - macOS: - introduced: '10.7' - type: - presence: optional - default: false - content: If `true`, the system enables the guest account.
-- key: DisableGuestAccount - supportedOS: - macOS: - introduced: '10.7' - type: - presence: optional - default: false - content: If `true`, the system disables the guest account. This property has no - effect if `EnableGuestAccount` is `true`.
diff --git a/mdm/profiles/com.apple.MCX(EnergySaver).yaml b/mdm/profiles/com.apple.MCX(EnergySaver).yaml
deleted file mode 100644
index cd43751..0000000
--- a/mdm/profiles/com.apple.MCX(EnergySaver).yaml
+++ /dev/null
@@ -1,149 +0,0 @@
-title: Energy Saver
-description: The payload that configures Energy Saver settings.
-payload: - payloadtype: com.apple.MCX - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.7' - multiple: true - devicechannel: true - userchannel: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a
-payloadkeys:
-- key: com.apple.EnergySaver.desktop.ACPower - type: - presence: optional - content: The settings for a desktop computer. - subkeytype: PowerSettings - subkeys: &id001 - - key: Display Sleep Timer - type: - presence: optional - range: - min: 0 - max: 180 - content: The display sleep time, in minutes. A value of 0 means never. - - key: Disk Sleep Timer - type: - presence: optional - range: - min: 0 - max: 180 - content: The disk sleep time, in minutes. A value of 0 means never. - - key: System Sleep Timer - type: - presence: optional - range: - min: 0 - max: 180 - content: System sleep time, in minutes. A value of 0 means never. - - key: Reduce Processor Speed - type: - presence: optional - rangelist: - - 0 - - 1 - content: May not be available on all systems. - - key: Dynamic Power Step - type: - presence: optional - rangelist: - - 0 - - 1 - content: May not be available on all systems. - - key: Wake on LAN - type: - presence: optional - rangelist: - - 0 - - 1 - content: If `true`, enables "Wake for network access." - - key: Wake On Modem Ring - type: - presence: optional - rangelist: - - 0 - - 1 - content: If `true`, enables "Wake for modem ring." - - key: Automatic Restart On Power Loss - type: - presence: optional - rangelist: - - 0 - - 1 - content: If `true`, enables "Start up automatically after a power failure."
-- key: com.apple.EnergySaver.portable.ACPower - type: - presence: optional - content: The settings for a laptop computer using AC power.
- subkeytype: PowerSettings - subkeys: *id001
-- key: com.apple.EnergySaver.portable.BatteryPower - type: - presence: optional - content: The settings for a laptop computer using battery power. - subkeytype: PowerSettings - subkeys: *id001
-- key: com.apple.EnergySaver.desktop.Schedule - type: - presence: optional - content: The schedule for turning a computer on and off. - subkeytype: EnergySaver Schedule - subkeys: - - key: RepeatingPowerOn - type: - presence: optional - content: The schedule for turning the device on. - subkeytype: RepeatingPowerItem - subkeys: &id002 - - key: eventtype - type: - presence: required - rangelist: - - wake - - poweron - - wakepoweron - - sleep - - shutdown - - restart - content: The type of action defined by this schedule. - - key: weekdays - type: - presence: optional - content: |- - One or more days of the week in an unsigned integer bitmap: - - - `1` = Mon - - `2` = Tue - - `4` = Wed - - `8` = Thu - - `16` = Fri - - `32` = Sat - - `64` = Sun - - key: time - type: - presence: optional - content: The time, in minutes, since midnight. - - key: RepeatingPowerOff - type: - presence: optional - content: The schedule for turning the device off. - subkeytype: RepeatingPowerItem - subkeys: *id002
-- key: SleepDisabled - type: - presence: optional - default: false - content: If `true`, disables sleep.
diff --git a/mdm/profiles/com.apple.MCX(FileVault2).yaml b/mdm/profiles/com.apple.MCX(FileVault2).yaml
deleted file mode 100644
index 1e2fa26..0000000
--- a/mdm/profiles/com.apple.MCX(FileVault2).yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-title: FDE FileVault Options
-description: The payload that configures FileVault options.
-payload: - payloadtype: com.apple.MCX - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.7' - multiple: false - devicechannel: true - userchannel: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: The FileVault accounts payload sets up options for enabling FileVault.
-payloadkeys:
-- key: dontAllowFDEDisable - type: - presence: optional - default: false - content: If `true`, the system won't disable FileVault.
-- key: dontAllowFDEEnable - type: - presence: optional - default: false - content: If `true`, the system won't enable FileVault.
-- key: DestroyFVKeyOnStandby - supportedOS: - macOS: - introduced: '10.10' - type: - presence: optional - default: false - content: If `true`, the system won't store th FileVault key across restarts.
diff --git a/mdm/profiles/com.apple.MCX(Mobililty).yaml b/mdm/profiles/com.apple.MCX(Mobililty).yaml
deleted file mode 100644
index 49eab48..0000000
--- a/mdm/profiles/com.apple.MCX(Mobililty).yaml
+++ /dev/null
@@ -1,58 +0,0 @@
-title: Mobile Accounts
-description: The payload that configures mobile accounts on the device.
-payload: - payloadtype: com.apple.MCX - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.7' - multiple: false - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: Sets up mobile account options for network based user accounts.
-payloadkeys:
-- key: com.apple.cachedaccounts.CreateAtLogin - type: - presence: optional - default: false - content: If `true`, the system creates the mobile account at login time.
-- key: com.apple.cachedaccounts.WarnOnCreate - type: - presence: optional - default: false - content: If `true`, the system asks the user whether to create the mobile account - and it allows the user to not create it.
-- key: cachedaccounts.WarnOnCreate.allowNever - type: - presence: optional - default: false - content: If `true`, the system allows the user to stop the prompts about mobile - account creation every time the user logs in. This key is only valid if `com.apple.cachedaccounts.WarnOnCreate` - is `true`.
-- key: cachedaccounts.expiry.delete.disusedSeconds - type: - presence: optional - default: -1 - content: The minimum number of seconds a mobile account can exist before the system - makes an automatic attempt to remove the mobile account. Set to `0` to attempt - removing it at the next login or logout. Set to `-1` to never attempt removing - the mobile account.
-- key: cachedaccounts.askForSecureTokenAuthBypass - type: - presence: optional - default: false - content: If `true`, the system bypasses the secure token authorization dialog. This - dialog only appears on APFS volumes.
diff --git a/mdm/profiles/com.apple.MCX(TimeServer).yaml b/mdm/profiles/com.apple.MCX(TimeServer).yaml
deleted file mode 100644
index a61f946..0000000
--- a/mdm/profiles/com.apple.MCX(TimeServer).yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-title: Time Server
-description: The payload that configures the time server.
-payload: - payloadtype: com.apple.MCX - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: 10.12.4 - multiple: false - devicechannel: true - userchannel: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: Settings for time zone and server. If multiple profiles with this payload - are sent, the device's time server will be set to the value in the last payload - installed. Removing the payload will not change the settings back to the prior - settings.
-payloadkeys:
-- key: timeServer - type: - presence: optional - content: The NTP server to connect to. In macOS 10.13 and later, only one time server - is supported.
-- key: timeZone - type: - presence: optional - content: The time zone path location string in `/usr/share/zoneinfo/`; for example, - `America/Denver` or `Zulu`.
-notes:
-- title: '' - content: If multiple profiles with this payload are sent, the system sets the device's - time server to the value in the last payload installed. Removing the payload won't - change the settings back to the prior settings.
diff --git a/mdm/profiles/com.apple.MCX(WiFi).yaml b/mdm/profiles/com.apple.MCX(WiFi).yaml
deleted file mode 100644
index 132254d..0000000
--- a/mdm/profiles/com.apple.MCX(WiFi).yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-title: Wi-Fi Managed Settings
-description: The payload that configures managed Wi-Fi settings.
-payload: - payloadtype: com.apple.MCX - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.9' - multiple: true - devicechannel: true - userchannel: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a
-payloadkeys:
-- key: RequireAdminForIBSS - supportedOS: - macOS: - introduced: '10.9' - type: - presence: optional - default: false - content: If `true`, requires administrator authorization to enable IBSS.
-- key: RequireAdminForAirPortNetworkChange - supportedOS: - macOS: - introduced: '10.9' - type: - presence: optional - default: false - content: If `true`, requires administrator authorization for network changes.
-- key: RequireAdminToTurnAirPortOnOff - supportedOS: - macOS: - introduced: '10.9' - type: - presence: optional - default: false - content: If `true`, requires administrator authorization to turn Wi-Fi on or off.
diff --git a/mdm/profiles/com.apple.MCX.FileVault2.yaml b/mdm/profiles/com.apple.MCX.FileVault2.yaml
deleted file mode 100644
index 8e9ae61..0000000
--- a/mdm/profiles/com.apple.MCX.FileVault2.yaml
+++ /dev/null
@@ -1,133 +0,0 @@
-title: FDE FileVault
-description: The payload that configures FileVault.
-payload: - payloadtype: com.apple.MCX.FileVault2 - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.9' - multiple: false - devicechannel: true - userchannel: false - requiresdep: false - userapprovedmdm: true - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: The FileVault payload only works on macOS to enable or disable FileVault. - Starting with macOS 10.15, this payload requires UAMDM to enable FileVault.
-payloadkeys:
-- key: Enable - type: - presence: required - rangelist: - - 'On' - - 'Off' - content: Set to `On` to enable FileVault and set to `Off` to disable FileVault. - Payloads set to `On` sent through MDM need to either include full authentication - information in the payload or have the `Defer` option set to `true`. When `Defer` - is `true`, the system prompts for the authentication information when the user - enables FileVault.
-- key: Defer - type: - presence: optional - default: false - content: If `true`, the system defers enabling FileVault until the designated user - logs out. For details, see `fdesetup(8)`. Only a local user or a mobile account - user can enable FileVault.
-- key: UserEntersMissingInfo - type: - presence: optional - default: false - content: If `true`, the system enables a prompt for missing user name or password - fields.
-- key: UseRecoveryKey - type: - presence: optional - default: true - content: If `true`, the system creates a personal recovery key and displays it to - the user.
-- key: ShowRecoveryKey - type: - presence: optional - default: true - content: If `false`, the system prevents display of the personal recovery key to - the user after the system enables FileVault.
-- key: OutputPath - type: - presence: optional - content: The path to the location of the recovery key and computer information property - list.
-- key: Certificate - type: - presence: optional - content: The DER-encoded certificate data if the system creates an institutional - recovery key. This key isn't supported on a Mac with Apple silicon.
-- key: PayloadCertificateUUID - type: - presence: optional - content: The UUID of the payload within the same profile containing the asymmetric - recovery key certificate payload.
-- key: Username - type: - presence: optional - content: The user name of the Open Directory user to add to FileVault.
-- key: Password - type: - presence: optional - content: The password of the Open Directory user to add to FileVault. Use the `UserEntersMissingInfo` - key to prompt for this information.
-- key: UseKeychain - type: - presence: optional - default: false - content: If `true` and you don't include certificate information in this payload, - the system uses the keychain created at `/Library/Keychains/FileVaultMaster.keychain` - when it adds the institutional recovery key.
-- key: DeferForceAtUserLoginMaxBypassAttempts - type: - presence: optional - range: - min: -1 - max: 9999 - content: The maximum number of times users can bypass enabling FileVault before - the system requires the user to enable it to log in. If the value is `0`, the - system requires the user to enable FileVault the next time they attempt to log - in. Set this key to `-1` to disable this feature.
-- key: DeferDontAskAtUserLogout - supportedOS: - macOS: - introduced: '10.10' - type: - presence: optional - default: false - content: If `true`, the system prevents requests to enable FileVault at user logout - time.
-- key: ForceEnableInSetupAssistant - supportedOS: - macOS: - introduced: '14.0' - requiresdep: true - allowmanualinstall: false - type: - presence: optional - default: false - content: |- - If `true`, and installation of this payload occurs after enrolling with MDM in Setup Assistant, the system requests Setup Assistant to enable FileVault at setup time. - - To use this, enable the Await Device Configured DEP configuration option and send this profile with this key set, before sending the `DeviceConfiguredCommand`. - - An admin SecureToken user is required, otherwise the FileVault pane does not appear.
-notes:
-- title: '' - content: |- - FileVault 2 performs full XTS-AES 128 encryption on the contents of a volume. Removing the FileVault payload doesn't disable FileVault. - - As of macOS 10.15, FileVault settings require supervision or user approval when installed manually.
diff --git a/mdm/profiles/com.apple.MCX.TimeMachine.yaml b/mdm/profiles/com.apple.MCX.TimeMachine.yaml
deleted file mode 100644
index 2d7e238..0000000
--- a/mdm/profiles/com.apple.MCX.TimeMachine.yaml
+++ /dev/null
@@ -1,69 +0,0 @@
-title: Time Machine
-description: The payload that configures Time Machine.
-payload: - payloadtype: com.apple.MCX.TimeMachine - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.7' - multiple: false - devicechannel: true - userchannel: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a
-payloadkeys:
-- key: AutoBackup - type: - presence: optional - default: true - content: If `true`, performs automatic backups at regular intervals.
-- key: BackupAllVolumes - type: - presence: optional - default: false - content: If `true`, backs up only the startup volume by default.
-- key: BackupDestURL - type: - presence: required - content: The URL of the backup destination.
-- key: BackupSizeMB - type: - presence: optional - default: 0 - content: The backup size limit, in megabytes. Set to 0 for unlimited.
-- key: BackupSkipSys - type: - presence: optional - default: false - content: If `true`, skips system files and folders by default.
-- key: MobileBackups - type: - presence: optional - default: true - content: If `true`, create local backup snapshots when not connected to the network.
-- key: BasePaths - type: - presence: optional - content: The list of paths to back up besides the startup volume. - subkeys: - - key: BasePathItem - type: - presence: required
-- key: SkipPaths - type: - presence: optional - content: The path to skip from start volume. - subkeys: - - key: SkipPathItem - type: - presence: required
diff --git a/mdm/profiles/com.apple.ManagedClient.preferences.yaml b/mdm/profiles/com.apple.ManagedClient.preferences.yaml
deleted file mode 100644
index f0b654c..0000000
--- a/mdm/profiles/com.apple.ManagedClient.preferences.yaml
+++ /dev/null
@@ -1,62 +0,0 @@
-title: Managed Preferences
-description: The payload that configures managed preferences.
-payload: - payloadtype: com.apple.ManagedClient.preferences - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.7' - multiple: true - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a
-payloadkeys:
-- key: PayloadContent - type: - presence: required - content: The dictionary containing app preference domains. The key names are application - preference domain identifiers (for example, `com.example.my-app`), or the string - `.GlobalPreferences` for the global domain. The values are the corresponding forced - and set-once preferences. - subkeys: - - key: ANY - type: - presence: required - content: The dictionary containing app preference domains. - subkeytype: PreferenceDomain - subkeys: - - key: Forced - type: - presence: optional - content: The dictionary of forced settings. - subkeys: &id001 - - key: Settings - type: - presence: required - subkeys: - - key: mcx_preference_settings - type: - presence: required - content: The dictionary of settings. - subkeys: - - key: ANY - type: - presence: optional - content: The setting/value pairs. - - key: Set-Once - type: - presence: optional - content: The dictionary of one-time settings. - subkeys: *id001
diff --git a/mdm/profiles/com.apple.NSExtension.yaml b/mdm/profiles/com.apple.NSExtension.yaml
deleted file mode 100644
index 83f194c..0000000
--- a/mdm/profiles/com.apple.NSExtension.yaml
+++ /dev/null
@@ -1,64 +0,0 @@
-title: NSExtension Management
-description: The payload that configures the extensions that the system allows or - disallows to run on the device.
-payload: - payloadtype: com.apple.NSExtension - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.13' - multiple: true - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: Specifies which NSExtension extensions are to be allowed or disallowed - on a system. Extensions can be managed by bundleID allow/deny lists and "extension - points".
-payloadkeys:
-- key: AllowedExtensions - type: - presence: optional - content: An array of bundle identifiers for allowed extensions. - subkeys: - - key: AllowedExtensionsItem - type: - presence: required - content: An extension identifier.
-- key: DeniedExtensions - type: - presence: optional - content: An array of bundle identifiers for extensions that the system doesn't allow - to run. - subkeys: - - key: DeniedExtensionsItem - type: - presence: required - content: An extension identifier.
-- key: DeniedExtensionPoints - type: - presence: optional - content: An array of extension points for extensions that the system doesn't allow - to run. - subkeys: - - key: DeniedExtensionPointsItem - type: - presence: required - content: An extension identifier.
-notes:
-- title: '' - content: |- - You can manage extensions by bundle identifiers in allow and deny lists, or by a deny list of extension points. - - You can also start with all public extensions disallowed. To do so, include `AllPublicExtensionPoints` in `DeniedExtensionPoints`. This causes the system to expand the list to include all extensions that belong to any public extension points. This expansion occurs at evaluation time.
The list of extension points can change from release to release. The expanded list disallows Apple and third-party extensions, but still allows extensions that belong to system-critcial extension points to execute.
diff --git a/mdm/profiles/com.apple.SetupAssistant.managed.yaml b/mdm/profiles/com.apple.SetupAssistant.managed.yaml
deleted file mode 100644
index 9f4483d..0000000
--- a/mdm/profiles/com.apple.SetupAssistant.managed.yaml
+++ /dev/null
@@ -1,169 +0,0 @@
-title: Setup Assistant
-description: The payload that configures Setup Assistant settings.
-payload:
- payloadtype: com.apple.SetupAssistant.managed
- supportedOS:
- iOS:
- introduced: '14.0'
- multiple: false
- supervised: true
- allowmanualinstall: true
- sharedipad:
- mode: allowed
- devicechannel: true
- userchannel: false
- userenrollment:
- mode: forbidden
- macOS:
- introduced: '10.12'
- multiple: false
- devicechannel: true
- userchannel: true
- supervised: false
- requiresdep: false
- userapprovedmdm: false
- allowmanualinstall: true
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- content: On macOS, this payload can specify Setup Assistant options for either the
- system or particular users.
-payloadkeys:
-- key: SkipCloudSetup
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- deprecated: '15.0'
- type:
- presence: optional
- default: false
- content: If `true`, the system skips the Apple Account setup pane.
-- key: SkipSiriSetup
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- deprecated: '15.0'
- type:
- presence: optional
- default: false
- content: If `true`, the system skips the Siri setup pane.
-- key: SkipPrivacySetup
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- introduced: 10.13.4
- deprecated: '15.0'
- type:
- presence: optional
- default: false
- content: If `true`, the system skips the Privacy consent pane.
-- key: SkipiCloudStorageSetup
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- introduced: 10.13.4
- deprecated: '15.0'
- type:
- presence: optional
- default: false
- content: If `true`, the system skips the iCloud Storage pane.
-- key: SkipTrueTone
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- introduced: 10.13.6
- deprecated: '15.0'
- type:
- presence: optional
- default: false
- content: If `true`, the system skips the True Tone Display pane.
-- key: SkipAppearance
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- introduced: '10.14'
- deprecated: '15.0'
- type:
- presence: optional
- default: false
- content: If `true`, the system skips the Choose Your Look pane.
-- key: SkipTouchIDSetup
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- introduced: '10.15'
- deprecated: '15.0'
- type:
- presence: optional
- default: false
- content: If `true`, the system skips the Touch ID setup pane.
-- key: SkipScreenTime
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- introduced: '10.15'
- deprecated: '15.0'
- type:
- presence: optional
- default: false
- content: If `true`, the system skips the Screen Time pane.
-- key: SkipAccessibility
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- introduced: '11.0'
- deprecated: '15.0'
- type:
- presence: optional
- default: false
- content: If `true`, the system skips the Accessibility pane.
-- key: SkipSetupItems
- supportedOS:
- iOS:
- introduced: '14.0'
- macOS:
- introduced: '15.0'
- type:
- presence: optional
- content: An array of strings that describe the setup items to skip. `SkipKeys` provides
- a list of valid strings and their meanings. Available in iOS 14 and later, and
- macOS 15 and later.
- subkeys:
- - key: SkipSetupItems
- type:
-- key: SkipUnlockWithWatch
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- introduced: '12.0'
- deprecated: '15.0'
- type:
- presence: optional
- default: false
- content: If `true`, the system skips the Unlock With Apple Watch pane.
-- key: SkipWallpaper
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- introduced: '14.1'
- deprecated: '15.0'
- type:
- presence: optional
- default: false
- content: If 'true', the system skips the Wallpaper selection window.
diff --git a/mdm/profiles/com.apple.ShareKitHelper.yaml b/mdm/profiles/com.apple.ShareKitHelper.yaml
deleted file mode 100644
index 8d1f590..0000000
--- a/mdm/profiles/com.apple.ShareKitHelper.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-title: ShareKit
-description: The payload that configures ShareKit.
-payload:
- payloadtype: com.apple.ShareKitHelper
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- introduced: '10.9'
- deprecated: '10.12'
- multiple: false
- devicechannel: true
- userchannel: true
- supervised: false
- requiresdep: false
- userapprovedmdm: false
- allowmanualinstall: true
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- content: macOS only. Specifies which ShareKit plugin can be accessed on client.
- Both allow and disallow lists can be specified.
-payloadkeys:
-- key: SHKAllowedShareServices
- type:
- presence: optional
- content: The list of plugin IDs that show up in the user's Share menu. If this array
- exists, only these items are permitted.
- subkeys:
- - key: SHKAllowedShareServicesItem
- type:
- presence: required
- content: A plugin ID.
-- key: SHKDeniedShareServices
- type:
- presence: optional
- content: The list of plugin IDs that won't show up in the user's Share menu. This
- key is used only if there is no `SHKAllowedShareServices` key.
- subkeys:
- - key: SHKDeniedShareServicesItem
- type:
- presence: required
- content: A plugin ID.
diff --git a/mdm/profiles/com.apple.SoftwareUpdate.yaml b/mdm/profiles/com.apple.SoftwareUpdate.yaml
deleted file mode 100644
index 944c647..0000000
--- a/mdm/profiles/com.apple.SoftwareUpdate.yaml
+++ /dev/null
@@ -1,110 +0,0 @@
-title: Software Update
-description: The payload that configures the software update policy.
-payload:
- payloadtype: com.apple.SoftwareUpdate
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- introduced: '10.7'
- deprecated: '26.0'
- multiple: false
- devicechannel: true
- userchannel: false
- requiresdep: false
- userapprovedmdm: false
- allowmanualinstall: true
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- content: Software update catalog options.
-payloadkeys:
-- key: CatalogURL
- supportedOS:
- macOS:
- introduced: '10.7'
- deprecated: '11.0'
- userenrollment:
- mode: forbidden
- type:
- presence: optional
- content: The URL of the software update catalog. This property is not supported
- in macOS 11 and later.
-- key: AllowPreReleaseInstallation
- title: Allow Pre-Release Update Installation
- supportedOS:
- macOS:
- introduced: '10.9'
- type:
- presence: optional
- default: true
- content: If `true`, prerelease software can be installed on this computer.
-- key: restrict-software-update-require-admin-to-install
- supportedOS:
- macOS:
- introduced: '10.14'
- type:
- presence: optional
- default: false
- content: If `true`, restrict app installations to admin users. This key has the
- same function as the `restrict-store-require-admin-to-install` key in the `com.apple.appstore`
- payload.
-- key: AutomaticallyInstallMacOSUpdates
- supportedOS:
- macOS:
- introduced: '10.15'
- type:
- presence: optional
- default: true
- content: If `false`, restricts the "Install macOS Updates" option and prevents the
- user from changing the option.
-- key: AutomaticallyInstallAppUpdates
- supportedOS:
- macOS:
- introduced: '10.15'
- type:
- presence: optional
- default: true
- content: If `false`, deselects the "Install app updates from the App Store" option
- and prevents the user from changing the option.
-- key: AutomaticCheckEnabled
- supportedOS:
- macOS:
- introduced: '10.15'
- type:
- presence: optional
- default: true
- content: If `false`, deselects the "Check for updates" option and prevents the user
- from changing the option.
-- key: AutomaticDownload
- supportedOS:
- macOS:
- introduced: '10.15'
- type:
- presence: optional
- default: true
- content: If `false`, deselects the "Download new updates when available from the
- App Store" option and prevents the user from changing the option.
-- key: CriticalUpdateInstall
- supportedOS:
- macOS:
- introduced: '10.15'
- type:
- presence: optional
- default: true
- content: If `false`, disables the automatic installation of critical updates and
- prevents the user from changing the "Install system data files and security updates"
- option.
-- key: ConfigDataInstall
- supportedOS:
- macOS:
- introduced: '10.15'
- type:
- presence: optional
- default: true
- content: If `false`, restricts the automatic installation of configuration data.
diff --git a/mdm/profiles/com.apple.SystemConfiguration.yaml b/mdm/profiles/com.apple.SystemConfiguration.yaml
deleted file mode 100644
index 3a465a8..0000000
--- a/mdm/profiles/com.apple.SystemConfiguration.yaml
+++ /dev/null
@@ -1,136 +0,0 @@
-title: Network Proxy Configuration
-description: The payload that configures network proxies for a device.
-payload:
- payloadtype: com.apple.SystemConfiguration
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- introduced: '10.7'
- multiple: false
- devicechannel: true
- userchannel: false
- requiresdep: false
- userapprovedmdm: false
- allowmanualinstall: true
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
-payloadkeys:
-- key: Proxies
- type:
- presence: required
- content: The dictionary containing all the proxies for this device.
- subkeys:
- - key: FTPEnable
- type:
- presence: optional
- content: If `true`, enables FTP proxy.
- - key: FTPPassive
- type:
- presence: optional
- content: If `true`, enables passive FTP mode.
- - key: FTPPort
- type:
- presence: optional
- content: The FTP proxy port.
- - key: FTPProxy
- type:
- presence: optional
- content: The host name or IP address for the FTP proxy.
- - key: GopherEnable
- type:
- presence: optional
- content: If `true`, enables gopher proxy.
- - key: GopherPort
- type:
- presence: optional
- content: The gopher proxy port.
- - key: GopherProxy
- type:
- presence: optional
- content: The host name or IP address for the gopher proxy.
- - key: HTTPEnable
- type:
- presence: optional
- content: If `true`, enables web proxy.
- - key: HTTPPort
- type:
- presence: optional
- content: The web proxy port.
- - key: HTTPProxy
- type:
- presence: optional
- content: The host name or IP address for the web proxy.
- - key: HTTPSEnable
- type:
- presence: optional
- content: If `true`, enables secure web proxy.
- - key: HTTPSPort
- type:
- presence: optional
- content: The secure web proxy port.
- - key: HTTPSProxy
- type:
- presence: optional
- content: The host name or IP address for the secure web proxy.
- - key: ProxyAutoConfigEnable
- type:
- presence: optional
- content: If `true`, enables automatic proxy configuration.
- - key: ProxyAutoConfigURLString
- type:
- presence: optional
- content: The automatic proxy configuration URL.
- - key: ProxyCaptiveLoginAllowed
- supportedOS:
- macOS:
- introduced: '10.9'
- type:
- presence: optional
- content: If 1, allows client to log into captive portal network.
- - key: RTSPEnable
- type:
- presence: optional
- content: If `true`, enable streaming proxy.
- - key: RTSPPort
- type:
- presence: optional
- content: The streaming proxy port.
- - key: RTSPProxy
- type:
- presence: optional
- content: The host name or IP address for the streaming proxy.
- - key: SOCKSEnable
- type:
- presence: optional
- content: If `true`, enable the SOCKS proxy.
- - key: SOCKSPortinteger
- type:
- presence: optional
- content: The SOCKS proxy port.
- - key: SOCKSProxy
- type:
- presence: optional
- content: The host name or IP address for the SOCKS proxy.
- - key: FallBackAllowed
- type:
- presence: optional
- content: |-
- If `1`, enables fallback. Default is `1`.
- - For managed devices, if not supplied, the default is `0`.
- - key: ExceptionsList
- type:
- presence: optional
- content: The list of hosts and domains that should bypass proxy settings.
- subkeys:
- - key: Exception
- type:
- presence: required
- content: Bypass proxy settings for these Hosts & Domains
diff --git a/mdm/profiles/com.apple.TCC.configuration-profile-policy.yaml b/mdm/profiles/com.apple.TCC.configuration-profile-policy.yaml
deleted file mode 100644
index 80a2a9c..0000000
--- a/mdm/profiles/com.apple.TCC.configuration-profile-policy.yaml
+++ /dev/null
@@ -1,313 +0,0 @@
-title: Privacy Preferences Policy Control
-description: The payload that configures privacy preferences.
-payload:
- payloadtype: com.apple.TCC.configuration-profile-policy
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- introduced: '10.14'
- multiple: true
- devicechannel: true
- userchannel: false
- requiresdep: false
- userapprovedmdm: true
- allowmanualinstall: false
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
-payloadkeys:
-- key: Services
- type:
- presence: required
- content: A dictionary whose keys are limited to the privacy policy control services. In
- the case of conflicting specifications, the most restrictive setting (deny) is
- used.
- subkeys:
- - key: AddressBook
- type:
- presence: optional
- content: Specifies the policies for contact information managed by the Contacts.app.
- subkeytype: Identity
- subkeys: &id001
- - key: IdentityDict
- type:
- content: A dictionary listing apps and the privacy policy to apply to them.
- subkeys:
- - key: Identifier
- type:
- presence: required
- content: |-
- The bundle ID or installation path of the binary.
- - > Note:
- > This value is case-sensitive.
- - key: IdentifierType
- type:
- presence: required
- rangelist:
- - bundleID
- - path
- content: The type of identifier value. Application bundles must be identified
- by bundle ID. Nonbundled binaries must be identified by installation path.
- Helper tools embedded within an application bundle automatically inherit
- the permissions of their enclosing app bundle.
- - key: CodeRequirement
- type:
- presence: required
- content: Obtained via the command `codesign -display -r -`.
- - key: StaticCode
- type:
- presence: optional
- default: false
- content: If `true`, statically validate the code requirement. Used only if
- the process invalidates its dynamic code signature.
- - key: Allowed
- type:
- presence: optional
- content: |-
- If `true`, access is granted; otherwise, the process doesn't have access. The user isn't prompted and can't change this value.
- - > Note:
- > Every payload needs to include either `Authorization` or `Allowed`, but not both.
- - key: Authorization
- supportedOS:
- macOS:
- introduced: '11.0'
- type:
- presence: optional
- rangelist:
- - Allow
- - Deny
- - AllowStandardUserToSetSystemService
- content: |-
- The `Authorization` key is an optional replacement for the `Allowed` key, which has one of the following possible values:
- - - `Allow`: Equivalent to a `true` value for the `Allowed` key
- - `Deny`: Equivalent to a `false` value for the `Allowed` key
- - `AllowStandardUserToSetSystemService`: Allows a standard (non-admin) user to configure the permissions for the specified app in the Privacy preferences for services that otherwise require admin authorization; only valid for the `ListenEvent` and `ScreenCapture` services
- - > Note:
- > Every payload needs to include either `Authorization` or `Allowed`, but not both.
- - Available in macOS 11 and later.
- - key: Comment
- type:
- presence: optional
- content: Not used.
- - key: AEReceiverIdentifier
- type:
- presence: optional
- content: The identifier of the process receiving an AppleEvent sent by the
- Identifier process. This identifier is required for AppleEvents service;
- not valid for other services.
- - key: AEReceiverIdentifierType
- type:
- presence: optional
- rangelist:
- - bundleID
- - path
- content: The type of AEReceiverIdentifier value, either `bundleID` or `path`.
- This setting is required for AppleEvents service; not valid for other services.
- - key: AEReceiverCodeRequirement
- type:
- presence: optional
- content: The code requirement for the receiving binary. This code requirement
- is required for AppleEvents service; not valid for other services.
- - key: Calendar
- type:
- presence: optional
- content: Specifies the policies for calendar information managed by the Calendar.app.
- subkeytype: Identity
- subkeys: *id001
- - key: Reminders
- type:
- presence: optional
- content: Specifies the policies for reminders information managed by the Reminders
- app.
- subkeytype: Identity
- subkeys: *id001
- - key: Photos
- type:
- presence: optional
- content: The pictures managed by the Photos app in `~/Pictures/.photoslibrary`.
- subkeytype: Identity
- subkeys: *id001
- - key: Camera
- type:
- presence: optional
- content: A system camera. Access to the camera can't be given in a profile; it
- can only be denied.
- subkeytype: Identity
- subkeys: *id001
- - key: Microphone
- type:
- presence: optional
- content: A system microphone. Access to the microphone can't be given in a profile;
- it can only be denied.
- subkeytype: Identity
- subkeys: *id001
- - key: Accessibility
- type:
- presence: optional
- content: Specifies the policies for the app via the Accessibility subsystem. The
- ability to grant access by this profile is deprecated as of macOS 26.2, and
- will be removed in macOS 27.0.
- subkeytype: Identity
- subkeys: *id001
- - key: PostEvent
- type:
- presence: optional
- content: Specifies the policies for the application to use CoreGraphics APIs to
- send CGEvents to the system event stream.
- subkeytype: Identity
- subkeys: *id001
- - key: SystemPolicyAllFiles
- type:
- presence: optional
- content: Allows the application access to all protected files, including system
- administration files.
- subkeytype: Identity
- subkeys: *id001
- - key: SystemPolicySysAdminFiles
- type:
- presence: optional
- content: Allows the application access to some files used in system administration.
- subkeytype: Identity
- subkeys: *id001
- - key: AppleEvents
- type:
- presence: optional
- content: Specifies the policies for the app sending restricted AppleEvents to
- another process.
- subkeytype: Identity
- subkeys: *id001
- - key: MediaLibrary
- supportedOS:
- macOS:
- introduced: '10.15'
- type:
- presence: optional
- content: Allows the application to access Apple Music, music and video activity,
- and the media library.
- subkeytype: Identity
- subkeys: *id001
- - key: FileProviderPresence
- supportedOS:
- macOS:
- introduced: '10.15'
- type:
- presence: optional
- content: Allows a File Provider application to know when the user is using files
- managed by the File Provider.
- subkeytype: Identity
- subkeys: *id001
- - key: ListenEvent
- supportedOS:
- macOS:
- introduced: '10.15'
- type:
- presence: optional
- content: Allows the application to use CoreGraphics and HID APIs to listen to
- (receive) CGEvents and HID events from all processes. Access to these events
- can't be given in a profile; it can only be denied.
- subkeytype: Identity
- subkeys: *id001
- - key: ScreenCapture
- supportedOS:
- macOS:
- introduced: '10.15'
- type:
- presence: optional
- content: Allows the application to capture (read) the contents of the system display.
- Access to the contents can't be given in a profile; it can only be denied.
- subkeytype: Identity
- subkeys: *id001
- - key: SpeechRecognition
- supportedOS:
- macOS:
- introduced: '10.15'
- type:
- presence: optional
- content: Allows the application to use the system Speech Recognition facility
- and to send speech data to Apple.
- subkeytype: Identity
- subkeys: *id001
- - key: SystemPolicyDesktopFolder
- supportedOS:
- macOS:
- introduced: '10.15'
- type:
- presence: optional
- content: Allows the application to access files in the user's Desktop folder.
- subkeytype: Identity
- subkeys: *id001
- - key: SystemPolicyDocumentsFolder
- supportedOS:
- macOS:
- introduced: '10.15'
- type:
- presence: optional
- content: Allows the application to access files in the user's Documents folder.
- subkeytype: Identity
- subkeys: *id001
- - key: SystemPolicyDownloadsFolder
- supportedOS:
- macOS:
- introduced: '10.15'
- type:
- presence: optional
- content: Allows the application to access files in the user's Downloads folder.
- subkeytype: Identity
- subkeys: *id001
- - key: SystemPolicyNetworkVolumes
- supportedOS:
- macOS:
- introduced: '10.15'
- type:
- presence: optional
- content: Allows the application to access files on network volumes.
- subkeytype: Identity
- subkeys: *id001
- - key: SystemPolicyRemovableVolumes
- supportedOS:
- macOS:
- introduced: '10.15'
- type:
- presence: optional
- content: Allows the application to access files on removable volumes.
- subkeytype: Identity
- subkeys: *id001
- - key: SystemPolicyAppBundles
- supportedOS:
- macOS:
- introduced: '13.0'
- type:
- presence: optional
- content: Allows the application to update or delete other apps. Available in macOS
- 13 and later.
- subkeytype: Identity
- subkeys: *id001
- - key: SystemPolicyAppData
- supportedOS:
- macOS:
- introduced: '14.0'
- type:
- presence: optional
- content: Specifies the policies for the app to access the data of other apps.
- subkeytype: Identity
- subkeys: *id001
- - key: BluetoothAlways
- supportedOS:
- macOS:
- introduced: '11.0'
- type:
- presence: optional
- content: Specifies the policies for the app to access Bluetooth devices.
- subkeytype: Identity
- subkeys: *id001
diff --git a/mdm/profiles/com.apple.airplay.security.yaml b/mdm/profiles/com.apple.airplay.security.yaml
deleted file mode 100644
index 693eb42..0000000
--- a/mdm/profiles/com.apple.airplay.security.yaml
+++ /dev/null
@@ -1,59 +0,0 @@
-title: AirPlay Security
-description: The payload that configures Apple TV for a particular style of AirPlay
- security.
-payload:
- payloadtype: com.apple.airplay.security
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- introduced: n/a
- tvOS:
- introduced: '11.0'
- multiple: false
- supervised: false
- allowmanualinstall: true
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- content: Manages the AirPlay Security settings on Apple TV (Settings > AirPlay >
- Security). Use this payload to lock Apple TV to a particular style of AirPlay
- security. The setting can enable/disable an on-screen passcode, or require a specific
- password phrase.
-payloadkeys:
-- key: SecurityType
- title: Security Type
- type:
- presence: required
- rangelist:
- - PASSCODE_ONCE
- - PASSCODE_ALWAYS
- - PASSWORD
- content: |-
- The security policy for AirPlay. Allowed values:
- - - `PASSCODE_ONCE`: Requires an onscreen passcode on first connection from a device. Subsequent connections from the same device aren't prompted.
- - `PASSCODE_ALWAYS`: Requires an onscreen passcode for every AirPlay connection. After an AirPlay connection ends, the system allows reconnecting within 30 seconds without a password.
- - `PASSWORD`: Requires the passphrase set for `Password`.
- - > Note:
- > `NONE` was deprecated in tvOS 11.3. Existing profiles that use `NONE` get the `PASSWORD_ONCE` behavior.
-- key: AccessType
- title: Access Type
- type:
- presence: required
- rangelist:
- - ANY
- - WIFI_ONLY
- content: |-
- The access policy for AirPlay.
- - `ANY` allows connections from both Ethernet, Wi-Fi, and Apple Wireless Direct Link.
- - `WIFI_ONLY` allows connections only from devices on the same Ethernet or Wi-Fi network as Apple TV.
-- key: Password
- title: Password
- type:
- presence: optional
- content: The AirPlay password; required if `SecurityType` is `PASSWORD`.
diff --git a/mdm/profiles/com.apple.airplay.yaml b/mdm/profiles/com.apple.airplay.yaml
deleted file mode 100644
index 85bff41..0000000
--- a/mdm/profiles/com.apple.airplay.yaml
+++ /dev/null
@@ -1,154 +0,0 @@
-title: AirPlay
-description: The payload that configures AirPlay settings.
-payload:
- payloadtype: com.apple.airplay
- supportedOS:
- iOS:
- introduced: '7.0'
- multiple: true
- supervised: false
- allowmanualinstall: true
- sharedipad:
- mode: allowed
- devicechannel: true
- userchannel: false
- userenrollment:
- mode: allowed
- macOS:
- introduced: '10.10'
- multiple: true
- devicechannel: true
- userchannel: true
- supervised: false
- requiresdep: false
- userapprovedmdm: false
- allowmanualinstall: true
- userenrollment:
- mode: allowed
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- content: macOS supports more than one payload, iOS does not. Supported on the user
- channel for macOS only.
-payloadkeys:
-- key: AllowList
- title: AllowList
- supportedOS:
- iOS:
- introduced: '14.5'
- supervised: true
- userenrollment:
- mode: forbidden
- macOS:
- introduced: '11.3'
- userenrollment:
- mode: ignored
- type:
- presence: optional
- content: If present, only AirPlay destinations in this list are available to the
- device. This allow list applies to supervised devices.
- subkeys: &id001
- - key: AllowListItem
- title: AllowList Content Item
- supportedOS:
- iOS:
- introduced: '7.0'
- supervised: true
- userenrollment:
- mode: forbidden
- macOS:
- introduced: '10.10'
- userenrollment:
- mode: ignored
- type:
- presence: required
- subkeys:
- - key: DeviceID
- title: Device ID
- supportedOS:
- iOS:
- deprecated: '18.0'
- macOS:
- deprecated: '15.0'
- type:
- presence: optional
- format: ^([0-9A-Fa-f]{2}:){5}([0-9A-Fa-f]{2})$
- content: |-
- The device ID of the AirPlay destination in the format `xx:xx:xx:xx:xx:xx`. This field isn't case-sensitive.
- - The system limits the list of visible AirPlay destinations to devices that are present in the `AllowList` field of all installed AirPlay payloads.
- - Specifying the same MACAddress more than once, whether in the same payload across different payloads, results in undefined behavior.
- - As of tvOS 18, `DeviceID` isn't supported.
- - key: DeviceName
- title: Device Name
- supportedOS:
- iOS:
- introduced: '18.0'
- macOS:
- introduced: '15.0'
- type:
- presence: optional
- content: |-
- The name of the AirPlay device.
- - The system limits the list of visible AirPlay destinations to devices that are present in the `AllowList` field of all installed AirPlay payloads.
-- key: Passwords
- title: Passwords
- type:
- presence: optional
- content: If present, sets passwords for known AirPlay destinations. Using multiple
- entries for the same destination, whether within the same payload or across multiple
- installed payloads, is an error and results in undefined behavior.
- subkeys:
- - key: PasswordsItem
- title: Password Content Item
- type:
- presence: required
- subkeys:
- - key: DeviceName
- title: Device Name
- supportedOS:
- macOS:
- introduced: '15.0'
- type:
- presence: optional
- content: The name of the AirPlay destination; used in iOS, and available in
- macOS 15 and later.
- - key: Password
- title: Password
- type:
- presence: required
- content: The password for the AirPlay destination.
- - key: DeviceID
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- deprecated: '15.0'
- type:
- presence: optional
- content: |-
- The device ID of the AirPlay destination; used in macOS.
- - Deprecated in macOS 15 and later as tvOS 18 AirPlay destinations don't support it; use `DeviceName` instead.
-- key: Whitelist
- title: Whitelist
- supportedOS:
- iOS:
- deprecated: '14.5'
- supervised: true
- userenrollment:
- mode: forbidden
- macOS:
- deprecated: '11.3'
- userenrollment:
- mode: ignored
- type:
- presence: optional
- content: Use `AllowList` instead. This key is deprecated in iOS 14.5 and macOS 11.3.
- subkeys: *id001
diff --git a/mdm/profiles/com.apple.airprint.yaml b/mdm/profiles/com.apple.airprint.yaml
deleted file mode 100644
index f6995c8..0000000
--- a/mdm/profiles/com.apple.airprint.yaml
+++ /dev/null
@@ -1,98 +0,0 @@
-title: AirPrint
-description: The payload that configures AirPrint printer discoverability in the user's
- printer list.
-payload:
- payloadtype: com.apple.airprint
- supportedOS:
- iOS:
- introduced: '7.0'
- multiple: true
- supervised: false
- allowmanualinstall: true
- sharedipad:
- mode: allowed
- devicechannel: true
- userchannel: false
- userenrollment:
- mode: allowed
- macOS:
- introduced: '10.10'
- multiple: true
- devicechannel: true
- userchannel: true
- supervised: false
- requiresdep: false
- userapprovedmdm: false
- allowmanualinstall: true
- userenrollment:
- mode: allowed
- tvOS:
- introduced: n/a
- visionOS:
- introduced: '2.0'
- multiple: true
- supervised: false
- allowmanualinstall: true
- userenrollment:
- mode: allowed
- watchOS:
- introduced: n/a
-payloadkeys:
-- key: AirPrint
- title: Air print
- type:
- presence: required
- content: An array of AirPrint printers that are presented to the user.
- subkeys:
- - key: AirPrintItem
- title: Identifier
- type:
- subkeys:
- - key: IPAddress
- title: IP Address
- supportedOS:
- iOS:
- introduced: '7.0'
- type:
- presence: required
- content: The IP address or hostname of the AirPrint destination.
- - key: ResourcePath
- title: Resource Path
- supportedOS:
- iOS:
- introduced: '7.0'
- type:
- presence: required
- content: |-
- The resource path associated with the printer. This path corresponds to the `rp` parameter of the `_ipps.tcp` Bonjour record. For example:
- - - `printers/Canon_MG5300_series`
- - `printers/Xerox_Phaser_7600`
- - `ipp/print`
- - `Epson_IPP_Printer`
- - key: Port
- title: Port Number
- supportedOS:
- iOS:
- introduced: '11.0'
- macOS:
- introduced: n/a
- type:
- presence: optional
- range:
- min: 0
- max: 65535
- content: The listening port of the AirPrint destination. Available only in iOS
- 11 and later.
- - key: ForceTLS
- title: Force TLS
- supportedOS:
- iOS:
- introduced: '11.0'
- macOS:
- introduced: n/a
- type:
- presence: optional
- default: false
- content: If `true`, AirPrint connections are secured by Transport Layer Security
- (TLS). Available only in iOS 11 and later.
diff --git a/mdm/profiles/com.apple.apn.managed.yaml b/mdm/profiles/com.apple.apn.managed.yaml
deleted file mode 100644
index fb931af..0000000
--- a/mdm/profiles/com.apple.apn.managed.yaml
+++ /dev/null
@@ -1,77 +0,0 @@
-title: APN
-description: The payload that configures access point names.
-payload:
- payloadtype: com.apple.apn.managed
- supportedOS:
- iOS:
- introduced: '4.0'
- deprecated: '7.0'
- multiple: false
- supervised: false
- allowmanualinstall: true
- sharedipad:
- mode: allowed
- devicechannel: true
- userchannel: false
- userenrollment:
- mode: forbidden
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- content: |-
- Not supported in macOS.
- This technically does install on watchOS but we are removing the supportedOS dictionary. The cellular payload should be used instead.
- Only applies to the preferred data SIM.
- Deprecated. Use Cellular instead.
-payloadkeys:
-- key: DefaultsData
- type:
- presence: required
- content: The list of access point names (APNs).
- subkeys:
- - key: apns
- type:
- presence: required
- content: An array of APN dictionaries (\`APN.DefaultsData.Apns\`).
- subkeys:
- - key: apnsItem
- type:
- content: A dictionary that describes an APN configuration.
- subkeys:
- - key: apn
- type:
- presence: required
- content: The access point name.
- - key: username
- type:
- presence: optional
- content: The user name. If missing, the device prompts for it during profile
- installation.
- - key: password
- type:
- presence: optional
- content: The password for the user. For obfuscation purposes, the system encodes
- the password. If missing, the device prompts for the password during profile
- installation.
- - key: proxy
- type:
- presence: optional
- content: The IP address or URL of the APN proxy.
- - key: proxyPort
- type:
- presence: optional
- content: The port number of the APN proxy.
-- key: DefaultsDomainName
- type:
- presence: required
- rangelist:
- - com.apple.managedCarrier
- content: The domain name.
-notes:
-- title: ''
- content: This profile is deprecated. Use the `Cellular` profile instead.
diff --git a/mdm/profiles/com.apple.app.lock.yaml b/mdm/profiles/com.apple.app.lock.yaml
deleted file mode 100644
index 33b4632..0000000
--- a/mdm/profiles/com.apple.app.lock.yaml
+++ /dev/null
@@ -1,209 +0,0 @@ -title: App Lock -description: The payload that configures a device to run a single app. -payload: - payloadtype: com.apple.app.lock - supportedOS: - iOS: - introduced: '6.0' - multiple: false - supervised: true - allowmanualinstall: true - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: '10.2' - multiple: false - supervised: true - allowmanualinstall: true - visionOS: - introduced: n/a - watchOS: - introduced: n/a -payloadkeys: -- key: App - title: App - type: - presence: required - content: A dictionary that contains information about the app. - subkeys: - - key: Identifier - title: Identifier - type: - presence: required - content: The app's bundle identifier. - - key: Options - title: Options - supportedOS: - iOS: - introduced: '7.0' - type: - presence: optional - content: A dictionary of options that the user can't change. - subkeys: - - key: DisableTouch - title: Disable Touch - type: - presence: optional - default: false - content: If `true`, the system disables the touch screen. In tvOS, it disables - the touch surface on the Apple TV Remote. - - key: DisableDeviceRotation - title: Disable Device Rotation - supportedOS: - tvOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system disables device rotation sensing. - - key: DisableVolumeButtons - title: Disable Volume Buttons - supportedOS: - tvOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system disables the volume buttons. - - key: DisableRingerSwitch - title: Disable Ringer Switch - supportedOS: - tvOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system disables the ringer switch. When disabled, the - ringer behavior depends on what position the switch was in when it was first - disabled. 
- - key: DisableSleepWakeButton - title: Disable Sleep Wake Button - supportedOS: - tvOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system disables the sleep/wake button. - - key: DisableAutoLock - title: Disable Auto Lock - type: - presence: optional - default: false - content: If `true`, the device doesn't automatically go to sleep after an idle - period. - - key: EnableVoiceOver - title: Enable Voice Over - type: - presence: optional - default: false - content: If `true`, the system enables VoiceOver. - - key: EnableZoom - title: Enable Zoom - type: - presence: optional - default: false - content: If `true`, the system enables Zoom. - - key: EnableInvertColors - title: Enable Invert Colors - type: - presence: optional - default: false - content: If `true`, the system enables Invert Colors. - - key: EnableAssistiveTouch - title: Enable Assistive Touch - supportedOS: - tvOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system enables AssistiveTouch. - - key: EnableSpeakSelection - title: Enable Speak Selection - supportedOS: - tvOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system enables Speak Selection. - - key: EnableMonoAudio - title: Enable Mono Audio - supportedOS: - tvOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system enables Mono Audio. - - key: EnableVoiceControl - title: Enable Voice Control - supportedOS: - iOS: - introduced: '13.0' - tvOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system enables Voice Control. - - key: UserEnabledOptions - title: User Enabled Options - supportedOS: - iOS: - introduced: '7.0' - type: - presence: optional - content: A dictionary of user-editable options. 
- subkeys: - - key: VoiceControl - title: Voice Control - supportedOS: - iOS: - introduced: '13.0' - tvOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system allows the user to toggle Voice Control. - - key: VoiceOver - title: Voice Over - type: - presence: optional - default: false - content: If `true`, the system allows the user to toggle VoiceOver. - - key: Zoom - title: Zoom - type: - presence: optional - default: false - content: If `true`, the system allows the user to toggle Zoom. - - key: InvertColors - title: Invert Colors - type: - presence: optional - default: false - content: If `true`, the system allows the user to toggle Invert Colors. - - key: AssistiveTouch - title: Assistive Touch - supportedOS: - tvOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system allows the user to toggle AssistiveTouch. -notes: -- title: '' - content: |- - With an app lock profile, the device locks to the specified app until removal of the profile. The device returns to the app automatically upon wake or restart. - - Only use an app lock payload after installing the target app.
diff --git a/mdm/profiles/com.apple.applicationaccess.new.yaml b/mdm/profiles/com.apple.applicationaccess.new.yaml
deleted file mode 100644
index 1b1f17a..0000000
--- a/mdm/profiles/com.apple.applicationaccess.new.yaml
+++ /dev/null
@@ -1,113 +0,0 @@ -title: 'Parental Controls: Application Restrictions' -description: The payload that configures parental controls for apps. -payload: - payloadtype: com.apple.applicationaccess.new - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.7' - multiple: true - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: |- - Parental controls application restrictions. - Order of evaluation: - (1) Certain system applications and utilities are always allowed to run - (2) The "whiteList" is searched to see if a matching entry is found by bundleID. If a match is found, the "appID" and "detachedSignature" - (if present) are used to verify the signature of the application being launched. If the signature is valid and matches the designated - requirement (in the "appID" key), the application is allowed to launch. - (3) (deprecated) If the path to the binary being launched matches (or is in a subdirectory) of a path in "pathBlackList", the binary is denied. - (4) (deprecated) If the path to the binary being launched matches (or is a subdirectory) of a path in "pathWhiteList", the binary is allowed to launch. - (5) The binary is denied permission to launch. -payloadkeys: -- key: familyControlsEnabled - type: - presence: required - content: If `true`, enables app access restrictions. -- key: whiteList - type: - presence: optional - content: The allow list of app item dictionaries. - subkeytype: ApplicationItem - subkeys: &id001 - - key: whiteListItem - type: - content: A dictionary defining an app for parental control. - subkeys: - - key: bundleID - type: - presence: required - content: The bundle ID of the app. - - key: appID - type: - presence: required - content: The identifier of the app. 
Obtain this value from the Security framework - using `SecCodeCopyDesignatedRequirement`. - - key: detachedSignature - type: - presence: optional - content: The signature for an unsigned binary. - - key: disabled - type: - presence: optional - default: false - content: If `true`, this app isn't added to the allow list. - - key: subApps - type: - presence: optional - content: An array of nested helper applications. - subkeytype: ApplicationItem - subkeys: *id001 - - key: displayName - type: - presence: optional - content: The name used for display purposes. -- key: pathBlackList - supportedOS: - macOS: - deprecated: '10.15' - type: - presence: optional - content: The paths to apps in the deny list. This property is deprecated in macOS - 10.15 and later. - subkeys: - - key: pathBlackListItem - type: - presence: required - content: A path. -- key: pathWhiteList - supportedOS: - macOS: - deprecated: '10.15' - type: - presence: optional - content: The paths to apps in the allow list. This property is deprecated in macOS - 10.15 and later. - subkeys: - - key: pathWhiteListItem - type: - presence: required - content: A path. -notes: -- title: '' - content: |- - To determine if an app can be launched, the app is evaluated with these rules: - - - Certain system app and utilities are always allowed to run. - - The allow list is searched to see if the `bundleID` has a matching entry. If a match is found, `appID` and `detachedSignature` (if present) are used to verify the signature of the app being launched. If the signature is valid and matches the designated requirement (in the appID key), the app is allowed to launch. - - If the path to the binary being launched matches or is in a subdirectory of a path in the deny list, the binary is denied. - - If the path to the binary being launched matches or is a subdirectory of a path in the allow list, the binary is allowed to launch. - - The binary is denied permission to launch. 
diff --git a/mdm/profiles/com.apple.applicationaccess.yaml b/mdm/profiles/com.apple.applicationaccess.yaml
deleted file mode 100644
index 41580f3..0000000
--- a/mdm/profiles/com.apple.applicationaccess.yaml
+++ /dev/null
@@ -1,4705 +0,0 @@ -title: Restrictions -description: The payload that configures restrictions on a device. -payload: - payloadtype: com.apple.applicationaccess - supportedOS: - iOS: - introduced: '4.0' - multiple: true - supervised: false - allowmanualinstall: true - sharedipad: - mode: allowed - devicechannel: true - userchannel: true - userenrollment: - mode: allowed - macOS: - introduced: '10.7' - multiple: true - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: allowed - tvOS: - introduced: '9.0' - multiple: true - supervised: false - allowmanualinstall: true - visionOS: - introduced: '1.1' - multiple: true - supervised: false - allowmanualinstall: true - userenrollment: - mode: allowed - watchOS: - introduced: '10.0' - multiple: true - supervised: false - allowmanualinstall: true -payloadkeys: -- key: allowAccountModification - supportedOS: - iOS: - introduced: '7.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: '14.0' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: '2.0' - supervised: true - userenrollment: - mode: forbidden - watchOS: - supervised: true - type: - presence: optional - default: true - content: If `false`, the system disables modification of accounts, such as Apple - Accounts, and internet-based accounts, such as Mail, Contacts, and Calendar. -- key: allowActivityContinuation - title: Allow Handoff - supportedOS: - iOS: - introduced: '8.0' - userenrollment: - mode: forbidden - macOS: - introduced: '10.15' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: '2.0' - userenrollment: - mode: forbidden - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables activity continuation. 
Support for this - restriction on unsupervised devices and with Managed Apple Accounts is deprecated. - In a future release, this restriction will begin requiring supervision and will - apply to personal Apple Accounts only. -- key: allowAddingGameCenterFriends - title: Allow Adding Game Center Friends - supportedOS: - iOS: - introduced: 4.2.1 - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: '10.13' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system prohibits adding friends to Game Center. Requires - a supervised device in iOS 13 and later. -- key: allowAirDrop - supportedOS: - iOS: - introduced: '7.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: '10.13' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: '2.0' - supervised: true - userenrollment: - mode: forbidden - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables AirDrop. -- key: allowAirPlayIncomingRequests - title: Allow incoming AirPlay requests - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '12.3' - userenrollment: - mode: forbidden - tvOS: - introduced: '10.2' - supervised: true - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables incoming AirPlay requests. -- key: allowAirPrint - title: Allow AirPrint - supportedOS: - iOS: - introduced: '11.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables AirPrint. 
-- key: allowAirPrintCredentialsStorage - title: Allow storage of AirPrint credentials in Keychain - supportedOS: - iOS: - introduced: '11.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables Keychain storage of user name and password - for AirPrint. -- key: allowAirPrintiBeaconDiscovery - title: Allow discovery of AirPrint printers using iBeacons - supportedOS: - iOS: - introduced: '11.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables iBeacon discovery of AirPrint printers, - which prevents spurious AirPrint Bluetooth beacons from phishing for network traffic. -- key: allowAppCellularDataModification - title: Allow Modifying Cellular Data Usage for Apps Settings - supportedOS: - iOS: - introduced: '7.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables changing settings for cellular data usage - for apps. -- key: allowAppClips - title: Allow App Clips - supportedOS: - iOS: - introduced: '14.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system prevents a user from adding any App Clips, and removes - any existing App Clips on the device. 
-- key: allowAppInstallation - title: Allow App Installation - supportedOS: - iOS: - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: '2.0' - supervised: true - userenrollment: - mode: forbidden - watchOS: - supervised: true - type: - presence: optional - default: true - content: |- - If `false`, the system disables the App Store and removes its icon from the Home Screen. Users are unable to install or update their apps. This applies to App Store apps, marketplace apps, and locally installed apps (using Configurator, Xcode, and so forth). - - In iOS 10 and later, MDM commands can override this restriction. Requires a supervised device in iOS 13 and later. -- key: allowAppleIntelligenceReport - title: Allow Apple Intelligence Report - supportedOS: - iOS: - introduced: '18.4' - supervised: true - sharedipad: - mode: forbidden - userenrollment: - mode: forbidden - macOS: - introduced: '15.4' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables Apple Intelligence reports. -- key: allowApplePersonalizedAdvertising - supportedOS: - iOS: - introduced: '14.0' - sharedipad: - mode: ignored - userenrollment: - mode: forbidden - macOS: - introduced: '12.0' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: '2.0' - userenrollment: - mode: forbidden - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system limits Apple personalized advertising. 
-- key: allowAppRemoval - title: Allow App Removal - supportedOS: - iOS: - introduced: 4.2.1 - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - supervised: true - type: - presence: optional - default: true - content: If `false`, the system disables removal of apps from an iOS device. This - applies to App Store apps, marketplace apps, and locally installed apps (using - Configurator, Xcode, and so forth). -- key: allowAppsToBeHidden - title: Allow Hiding Apps - supportedOS: - iOS: - introduced: '18.0' - supervised: true - sharedipad: - mode: ignored - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, disables the ability for the user to hide apps. It doesn't - affect the user's ability to leave it in the App Library, while removing it from - the Home Screen. -- key: allowAppsToBeLocked - title: Allow Locking Apps - supportedOS: - iOS: - introduced: '18.0' - supervised: true - sharedipad: - mode: ignored - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, disables the ability for the user to lock apps. Because hiding - apps also requires locking them, disallowing locking also disallows hiding. -- key: allowARDRemoteManagementModification - title: Allow modifying Remote Management Sharing setting - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '14.0' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system prevents modifying the Remote Management Sharing - setting in System Settings. 
-- key: allowAssistant - title: Allow Siri - supportedOS: - iOS: - introduced: '5.0' - macOS: - introduced: '14.0' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: '2.0' - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables Siri. -- key: allowAssistantUserGeneratedContent - supportedOS: - iOS: - introduced: '7.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - supervised: true - type: - presence: optional - default: true - content: If `false`, the system prevents Siri from querying user-generated content - from the web. -- key: allowAssistantWhileLocked - title: Allow Siri While Locked - supportedOS: - iOS: - introduced: '5.1' - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables Siri when the device is locked. The system - ignores this restriction if the device doesn't have a passcode set. -- key: allowAutoCorrection - title: Allow Auto Correction - supportedOS: - iOS: - introduced: 8.1.3 - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables keyboard autocorrection. -- key: allowAutoDim - title: Allow Auto Dim - supportedOS: - iOS: - introduced: '17.4' - supervised: true - sharedipad: - mode: forbidden - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, disables auto dim on iPads with OLED displays. 
-- key: allowAutomaticAppDownloads - title: Allow Automatic App Downloads - supportedOS: - iOS: - introduced: '9.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - supervised: true - type: - presence: optional - default: true - content: If `false`, the system prevents automatic downloading of apps purchased - on other devices. This setting doesn't affect updates to existing apps. -- key: allowAutomaticScreenSaver - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: n/a - tvOS: - introduced: '15.4' - supervised: true - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables Apple TV's automatic screen saver. -- key: allowAutoUnlock - supportedOS: - iOS: - introduced: '14.5' - sharedipad: - mode: forbidden - userenrollment: - mode: forbidden - macOS: - introduced: '10.12' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disallows auto unlock. Support for this restriction - on unsupervised devices is deprecated. -- key: allowBluetoothModification - title: Allow modifying Bluetooth settings - supportedOS: - iOS: - introduced: '11.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: '13.0' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system prevents modification of Bluetooth settings. 
-- key: allowBluetoothSharingModification - title: Allow modifying Bluetooth Sharing setting - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '14.0' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system prevents modifying Bluetooth settings in System - Settings. -- key: allowBookstore - title: Allow Bookstore - supportedOS: - iOS: - introduced: '6.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: '15.0' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system removes the Book Store tab from the Books app. -- key: allowBookstoreErotica - title: Allow Bookstore Erotica - supportedOS: - iOS: - introduced: '6.0' - userenrollment: - mode: forbidden - macOS: - introduced: '15.0' - userenrollment: - mode: forbidden - tvOS: - introduced: '11.3' - deprecated: '17.0' - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system prevents the user from downloading Apple Books media - that's tagged as erotica. Support for this restriction on unsupervised devices - is deprecated. -- key: allowCallRecording - title: Allow Call Recording - supportedOS: - iOS: - introduced: '18.1' - supervised: true - sharedipad: - mode: forbidden - userenrollment: - mode: forbidden - macOS: - introduced: '26.0' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, disables call recording. 
-- key: allowCamera - title: Allow Camera Use - supportedOS: - iOS: - userenrollment: - mode: forbidden - macOS: - introduced: '10.11' - userenrollment: - mode: forbidden - tvOS: - introduced: '17.0' - visionOS: - introduced: '2.0' - userenrollment: - mode: forbidden - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables the camera and removes its icon from the - Home Screen, and users are unable to take photographs. Support for this restriction - on unsupervised devices is deprecated. -- key: allowCellularPlanModification - supportedOS: - iOS: - introduced: '11.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system prevents users from changing settings related to - their cellular plan (available only on select carriers). -- key: allowChat - title: Allow use of iMessage - supportedOS: - iOS: - introduced: '5.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables the use of iMessage with supervised devices. - If the device supports text messaging, the user can still send and receive text - messages. -- key: allowCloudAddressBook - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.12' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables iCloud Contacts services. 
-- key: allowCloudBackup - title: Allow iCloud Backup - supportedOS: - iOS: - introduced: '5.0' - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: '2.0' - userenrollment: - mode: forbidden - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables backing up the device to iCloud. Support - for this restriction on unsupervised devices is deprecated. -- key: allowCloudBookmarks - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.12' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables iCloud Bookmark sync. -- key: allowCloudCalendar - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.12' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables iCloud Calendar services. -- key: allowCloudDesktopAndDocuments - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: 10.12.4 - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables iCloud Desktop and Document services. 
-- key: allowCloudDocumentSync - title: Allow iCloud Document Sync - supportedOS: - iOS: - introduced: '5.0' - supervised: true - sharedipad: - mode: forbidden - userenrollment: - mode: forbidden - macOS: - introduced: '10.11' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: '2.0' - supervised: true - userenrollment: - mode: forbidden - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables document and key-value syncing to iCloud. - Requires a supervised device in iOS 13 and later, and Shared iPad doesn't support - it. Support for this restriction on unsupervised devices and with Managed Apple - Accounts is deprecated. -- key: allowCloudFreeform - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '14.0' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disallows iCloud Freeform services. -- key: allowCloudKeychainSync - supportedOS: - iOS: - introduced: '7.0' - userenrollment: - mode: forbidden - macOS: - introduced: '10.12' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: '2.0' - userenrollment: - mode: forbidden - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables iCloud Keychain synchronization. Support - for this restriction on unsupervised devices and with Managed Apple Accounts is - deprecated. -- key: allowCloudMail - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.12' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables iCloud Mail services. 
-- key: allowCloudNotes - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.12' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables iCloud Notes services. -- key: allowCloudPhotoLibrary - title: Allow iCloud Photo Library - supportedOS: - iOS: - introduced: '9.0' - userenrollment: - mode: forbidden - macOS: - introduced: '10.12' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: '2.0' - userenrollment: - mode: forbidden - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables iCloud Photo Library. The system removes - any photos from local storage that aren't fully downloaded from iCloud Photo Library - to the device. Support for this restriction on unsupervised devices and with Managed - Apple Accounts is deprecated. -- key: allowCloudPrivateRelay - supportedOS: - iOS: - introduced: '15.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: '12.0' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: '2.0' - supervised: true - userenrollment: - mode: forbidden - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables iCloud Private Relay. Support for this - restriction on unsupervised devices and with Managed Apple Accounts is deprecated. -- key: allowCloudReminders - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.12' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables iCloud Reminder services. 
-- key: allowContentCaching - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.13' - userchannel: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables content caching. This restriction is not - supported on the user channel. -- key: allowContinuousPathKeyboard - title: Allow Continuous Path Keyboard - supportedOS: - iOS: - introduced: '13.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables QuickPath keyboard. -- key: allowDefaultBrowserModification - title: Allow default browser modification - supportedOS: - iOS: - introduced: '18.2' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, disables default browser preference modification. The MDM Settings - command to set the default browser preference still works when applying this. -- key: allowDefaultCallingAppModification - title: Allow default calling app modification - supportedOS: - iOS: - introduced: '18.4' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, disables default calling app preference modification. The MDM - Settings command to set the default calling app preference still works when applying - this. 
-- key: allowDefaultMessagingAppModification
- title: Allow default messaging app modification
- supportedOS:
- iOS:
- introduced: '18.4'
- supervised: true
- userenrollment:
- mode: forbidden
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, disables default messaging app preference modification. The
- MDM Settings command to set the default messaging app preference still works when
- applying this.
-- key: allowDefinitionLookup
- title: Allow Define
- supportedOS:
- iOS:
- introduced: 8.1.3
- supervised: true
- userenrollment:
- mode: forbidden
- macOS:
- introduced: '10.11'
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system disables definition lookup.
-- key: allowDeviceNameModification
- title: Allow Modifying Device Name
- supportedOS:
- iOS:
- introduced: '9.0'
- supervised: true
- userenrollment:
- mode: forbidden
- macOS:
- introduced: '14.0'
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: '11.0'
- supervised: true
- visionOS:
- introduced: '2.0'
- supervised: true
- userenrollment:
- mode: forbidden
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system prevents the user from changing the device name.
-- key: allowDeviceSleep
- title: Allow Device Sleep
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- introduced: n/a
- tvOS:
- introduced: '13.0'
- supervised: true
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system prevents the device from automatically sleeping.
-- key: allowDiagnosticSubmission
- title: Allow diagnostic submission
- supportedOS:
- iOS:
- introduced: '6.0'
- macOS:
- introduced: '10.13'
- tvOS:
- introduced: n/a
- visionOS:
- introduced: '2.0'
- type:
- presence: optional
- default: true
- content: If `false`, the system prevents the device from automatically submitting
- diagnostic reports to Apple.
-- key: allowDiagnosticSubmissionModification
- title: Allow modifying diagnostics settings
- supportedOS:
- iOS:
- introduced: 9.3.2
- supervised: true
- userenrollment:
- mode: forbidden
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: '2.0'
- supervised: true
- userenrollment:
- mode: forbidden
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system disables changing the diagnostic submission and
- app analytics settings in the Diagnostics & Usage UI in Settings.
-- key: allowDictation
- title: Allow dictation
- supportedOS:
- iOS:
- introduced: '10.3'
- supervised: true
- userenrollment:
- mode: forbidden
- macOS:
- introduced: '10.13'
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system disallows dictation input.
-- key: allowedCameraRestrictionBundleIDs
- title: Allowed Exceptions to Camera Restriction
- supportedOS:
- iOS:
- introduced: '26.0'
- supervised: true
- allowmanualinstall: false
- sharedipad:
- mode: forbidden
- userenrollment:
- mode: forbidden
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- content: If present, the system exempts apps with bundle IDs in the array from the
- `allowCamera` restriction. The system doesn't grant these apps access to the camera
- automatically; they're only exempted from the `allowCamera` restriction. This
- key has no effect when the camera isn't restricted. Multiple payloads combine
- using an intersect operation. Requires a supervised device.
- subkeys:
- - key: bundleIDException
- title: Bundle ID to be excepted
- type:
-- key: allowedExternalIntelligenceWorkspaceIDs
- title: Allowed External Intelligence Workspace IDs
- supportedOS:
- iOS:
- introduced: '18.3'
- supervised: true
- allowmanualinstall: false
- sharedipad:
- mode: forbidden
- userenrollment:
- mode: forbidden
- macOS:
- introduced: '15.3'
- allowmanualinstall: false
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: '2.4'
- supervised: true
- allowmanualinstall: false
- userenrollment:
- mode: forbidden
- watchOS:
- introduced: n/a
- type:
- presence: optional
- content: An array of strings, but currently restricted to a single element. If present,
- Apple Intelligence allows use of only the given external integration workspace
- ID, and requires a sign-in to make requests. The user is required to sign in to
- integrations that support signing in. Multiple payloads combine using an intersect
- operation. This means the allowed set of workspace IDs can become the empty set
- if multiple payloads specify conflicting values.
- subkeys:
- - key: allowedWorkspaceID
- title: Allowed Workspace ID
- type:
-- key: allowEnablingRestrictions
- title: Allow Configuring Restrictions or ScreenTime
- supportedOS:
- iOS:
- introduced: '8.0'
- supervised: true
- sharedipad:
- mode: ignored
- userenrollment:
- mode: forbidden
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: '2.0'
- supervised: true
- userenrollment:
- mode: forbidden
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system disables the Enable Restrictions option in the Restrictions
- UI in Settings. If `false` in iOS 12 and later, the system disables the Enable
- ScreenTime option in the ScreenTime UI in Settings and disables ScreenTime if
- already enabled.
-- key: allowEnterpriseAppTrust
- title: Allow Trusting Enterprise Apps
- supportedOS:
- iOS:
- introduced: '9.0'
- userenrollment:
- mode: forbidden
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: '2.0'
- userenrollment:
- mode: forbidden
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system removes the Trust Enterprise Developer button in
- Settings > General > VPN & Device Management, which prevents provisioning apps
- by universal provisioning profiles. This restriction applies to free developer
- accounts and enterprise app developers that aren't implicitly trusted by apps
- that install through MDM. This restriction doesn't revoke previously granted trust.
-- key: allowEnterpriseBookBackup
- title: Allow Enterprise Books Backup
- supportedOS:
- iOS:
- introduced: '8.0'
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system disables backup of Enterprise books.
-- key: allowEnterpriseBookMetadataSync
- title: Allow Enterprise Books Notes and Highlights Sync
- supportedOS:
- iOS:
- introduced: '8.0'
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system disables sync of Enterprise books, notes, and highlights.
-- key: allowEraseContentAndSettings
- title: Allow Erase All Content and Settings
- supportedOS:
- iOS:
- introduced: '8.0'
- supervised: true
- userenrollment:
- mode: forbidden
- macOS:
- introduced: '12.0'
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: '2.0'
- supervised: true
- userenrollment:
- mode: forbidden
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system disables the Erase All Content and Settings option
- in the Reset UI.
-- key: allowESIMModification
- title: Allow eSIM Modification
- supportedOS:
- iOS:
- introduced: '12.1'
- supervised: true
- userenrollment:
- mode: forbidden
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system disables modifications of eSIMs.
-- key: allowESIMOutgoingTransfers
- title: Allow eSIM Outgoing Transfers
- supportedOS:
- iOS:
- introduced: '18.0'
- supervised: true
- userenrollment:
- mode: forbidden
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, prevents the transfer of an eSIM from the device on which the
- restriction is installed to a different device.
-- key: allowExplicitContent
- title: Allow Explicit Content
- supportedOS:
- iOS:
- supervised: true
- userenrollment:
- mode: forbidden
- macOS:
- introduced: '15.0'
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: '11.3'
- supervised: true
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: |-
- If `false`, the system hides explicit music or video content purchased from the iTunes Store. The system marks explicit content as such by content providers, such as record labels, when sold through the iTunes Store. Explicit content in the News and Podcast apps is also hidden.
-
- Requires a supervised device in iOS 13 and later. Support for this restriction on unsupervised devices is deprecated.
-- key: allowExternalIntelligenceIntegrations
- title: Allow external intelligence integrations
- supportedOS:
- iOS:
- introduced: '18.2'
- sharedipad:
- mode: forbidden
- userenrollment:
- mode: allowed
- macOS:
- introduced: '15.2'
- userenrollment:
- mode: allowed
- tvOS:
- introduced: n/a
- visionOS:
- introduced: '2.4'
- userenrollment:
- mode: allowed
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, disables the use of external, cloud-based intelligence services
- with Siri. In iOS, this restriction is temporarily allowed on unsupervised and
- user enrollments. In a future release, this restriction will require supervision,
- and will be ignored on unsupervised devices.
-- key: allowExternalIntelligenceIntegrationsSignIn
- title: Allow external intelligence integrations sign-in
- supportedOS:
- iOS:
- introduced: '18.2'
- sharedipad:
- mode: forbidden
- userenrollment:
- mode: allowed
- macOS:
- introduced: '15.2'
- userenrollment:
- mode: allowed
- tvOS:
- introduced: n/a
- visionOS:
- introduced: '2.4'
- userenrollment:
- mode: allowed
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, forces external intelligence providers into anonymous mode.
- If a user is already signed in to an external intelligence provider, applying
- this restriction signs them out when attempting the next request.
-- key: allowFileSharingModification
- title: Allow modifying File Sharing setting
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- introduced: '14.0'
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system prevents modifying File Sharing setting in System
- Settings.
-- key: allowFilesNetworkDriveAccess
- supportedOS:
- iOS:
- introduced: '13.1'
- supervised: true
- userenrollment:
- mode: forbidden
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: '2.0'
- supervised: true
- userenrollment:
- mode: forbidden
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system prevents connecting to network drives in the Files
- app.
-- key: allowFilesUSBDriveAccess
- supportedOS:
- iOS:
- introduced: '13.0'
- supervised: true
- userenrollment:
- mode: forbidden
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system prevents connecting to any connected USB devices
- in the Files app.
-- key: allowFindMyDevice
- supportedOS:
- iOS:
- introduced: '13.0'
- supervised: true
- sharedipad:
- mode: forbidden
- userenrollment:
- mode: forbidden
- macOS:
- introduced: '10.15'
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system disables Find My Device in the Find My app.
-- key: allowFindMyFriends
- supportedOS:
- iOS:
- introduced: '13.0'
- supervised: true
- sharedipad:
- mode: forbidden
- userenrollment:
- mode: forbidden
- macOS:
- introduced: '10.15'
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system disables Find My Friends in the Find My app.
-- key: allowFindMyFriendsModification
- supportedOS:
- iOS:
- introduced: '7.0'
- supervised: true
- userenrollment:
- mode: forbidden
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system disables changes to Find My Friends.
-- key: allowFingerprintForUnlock
- title: Allow Touch ID to Unlock Device
- supportedOS:
- iOS:
- introduced: '7.0'
- userenrollment:
- mode: forbidden
- macOS:
- introduced: 10.12.4
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: '2.0'
- userenrollment:
- mode: forbidden
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system prevents Touch ID, Face ID, or Optic ID from unlocking
- a device. Support for this restriction on unsupervised devices is deprecated.
-- key: allowFingerprintModification
- title: Allow Modifying Touch ID Fingerprints
- supportedOS:
- iOS:
- introduced: '8.3'
- supervised: true
- userenrollment:
- mode: forbidden
- macOS:
- introduced: '14.0'
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: '2.0'
- supervised: true
- userenrollment:
- mode: forbidden
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system prevents the user from modifying Touch ID or Face
- ID.
-- key: allowGameCenter
- title: Allow Game Center
- supportedOS:
- iOS:
- introduced: '6.0'
- supervised: true
- sharedipad:
- mode: ignored
- userenrollment:
- mode: forbidden
- macOS:
- introduced: '10.13'
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system disables Game Center, and the system removes its
- icon from the Home Screen.
-- key: allowGenmoji
- title: Allow Genmoji
- supportedOS:
- iOS:
- introduced: '18.0'
- supervised: true
- sharedipad:
- mode: forbidden
- userenrollment:
- mode: forbidden
- macOS:
- introduced: '15.0'
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: '2.4'
- supervised: true
- userenrollment:
- mode: forbidden
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, prohibits creating new Genmoji.
-- key: allowGlobalBackgroundFetchWhenRoaming
- title: Allow Automatic Sync While Roaming
- supportedOS:
- iOS:
- userenrollment:
- mode: forbidden
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system disables global background fetch activity when an
- iOS phone is roaming. Support for this restriction on unsupervised devices is
- deprecated.
-- key: allowHostPairing
- supportedOS:
- iOS:
- introduced: '7.0'
- supervised: true
- userenrollment:
- mode: forbidden
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system disables host pairing with the exception of the
- supervision host. If there's no configured supervision host certificate, the system
- disables all pairing. Host pairing lets the administrator control whether an iOS
- device can pair with a host Mac or PC.
-- key: allowImagePlayground
- title: Allow Image Playground
- supportedOS:
- iOS:
- introduced: '18.0'
- supervised: true
- sharedipad:
- mode: forbidden
- userenrollment:
- mode: forbidden
- macOS:
- introduced: '15.0'
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: '2.4'
- supervised: true
- userenrollment:
- mode: forbidden
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, prohibits the use of image generation.
-- key: allowImageWand
- title: Allow Image Wand
- supportedOS:
- iOS:
- introduced: '18.0'
- supervised: true
- sharedipad:
- mode: forbidden
- userenrollment:
- mode: forbidden
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: '2.4'
- supervised: true
- userenrollment:
- mode: forbidden
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, prohibits the use of Image Wand.
-- key: allowInAppPurchases
- title: Allow In App Purchases
- supportedOS:
- iOS:
- userenrollment:
- mode: forbidden
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system prohibits in-app purchasing. Support for this restriction
- on unsupervised devices is deprecated.
-- key: allowInternetSharingModification
- title: Allow modifying Internet Sharing setting
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- introduced: '14.0'
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system prevents modifying the Internet Sharing setting
- in System Settings.
-- key: allowiPhoneMirroring
- title: Allow iPhone mirroring
- supportedOS:
- iOS:
- introduced: '18.0'
- supervised: true
- sharedipad:
- mode: forbidden
- userenrollment:
- mode: forbidden
- macOS:
- introduced: '15.0'
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, prohibits the use of iPhone Mirroring. In macOS, this prevents
- the Mac from mirroring any iPhone. In iOS, this prevents the iPhone from mirroring
- to any Mac.
-- key: allowiPhoneWidgetsOnMac
- title: Allow iPhone widget on Mac
- supportedOS:
- iOS:
- introduced: '17.0'
- supervised: true
- sharedipad:
- mode: forbidden
- userenrollment:
- mode: forbidden
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system disallows iPhone widgets on a Mac that signs in
- with the same Apple Account for iCloud.
-- key: allowiTunes
- title: Allow use of iTunes
- supportedOS:
- iOS:
- supervised: true
- userenrollment:
- mode: forbidden
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system disables the iTunes Music Store and removes its
- icon from the Home Screen. Users can't preview, purchase, or download content.
- Requires a supervised device in iOS 13 and later.
-- key: allowiTunesFileSharing
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- introduced: '10.13'
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system disables iTunes file sharing services.
-- key: allowKeyboardShortcuts
- title: Allow Keyboard Shortcuts
- supportedOS:
- iOS:
- introduced: '9.0'
- supervised: true
- userenrollment:
- mode: forbidden
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system disables keyboard shortcuts.
-- key: allowListedAppBundleIDs
- title: Allow Listed Apps
- supportedOS:
- iOS:
- introduced: '15.0'
- supervised: true
- userenrollment:
- mode: forbidden
- macOS:
- introduced: n/a
- tvOS:
- introduced: '15.0'
- supervised: true
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- content: If present, the system only shows or can launch apps with bundle IDs in
- the array. Include the value `com.apple.webapp` to allow all webclips. This applies
- to App Store apps, marketplace apps, and locally installed apps (using Configurator,
- Xcode, and so forth).
- subkeys:
- - key: appAllowlistedBundleID
- title: Allow Listed App
- type:
-- key: allowLiveVoicemail
- title: Allow Live Voicemail
- supportedOS:
- iOS:
- introduced: '17.2'
- supervised: true
- sharedipad:
- mode: forbidden
- userenrollment:
- mode: forbidden
- macOS:
- introduced: '26.0'
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system disables live voicemail on the device.
-- key: allowLocalUserCreation
- title: Allow creating users in System Settings
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- introduced: '14.0'
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system prevents creating users in System Settings.
-- key: allowLockScreenControlCenter
- supportedOS:
- iOS:
- introduced: '7.0'
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system prevents Control Center from appearing on the Lock
- Screen.
-- key: allowLockScreenNotificationsView
- supportedOS:
- iOS:
- introduced: '7.0'
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system disables the Notifications history view on the Lock
- Screen, so users can't view past notifications. However, they can still see notifications
- when they arrive.
-- key: allowLockScreenTodayView
- supportedOS:
- iOS:
- introduced: '7.0'
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system disables the Today view in Notification Center on
- the Lock Screen.
-- key: allowMailPrivacyProtection
- supportedOS:
- iOS:
- introduced: '15.2'
- supervised: true
- userenrollment:
- mode: forbidden
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system disables Mail Privacy Protection on the device.
-- key: allowMailSmartReplies
- supportedOS:
- iOS:
- introduced: '18.4'
- supervised: true
- sharedipad:
- mode: forbidden
- userenrollment:
- mode: forbidden
- macOS:
- introduced: '15.4'
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: '2.4'
- supervised: true
- userenrollment:
- mode: forbidden
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, disables smart replies in Mail.
-- key: allowMailSummary
- supportedOS:
- iOS:
- introduced: '18.1'
- supervised: true
- sharedipad:
- mode: forbidden
- userenrollment:
- mode: forbidden
- macOS:
- introduced: '15.1'
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: '2.4'
- supervised: true
- userenrollment:
- mode: forbidden
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, disables the ability to create summaries of email messages
- manually. This doesn't affect automatic summary generation.
-- key: allowManagedAppsCloudSync
- title: Allow iCloud Sync for Managed Apps
- supportedOS:
- iOS:
- introduced: '8.0'
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: '2.0'
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system prevents managed apps from using iCloud sync.
-- key: allowManagedToWriteUnmanagedContacts
- title: Allow managed apps to write to managed contacts accounts
- supportedOS:
- iOS:
- introduced: '12.0'
- allowmanualinstall: false
- userenrollment:
- mode: forbidden
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: '2.0'
- allowmanualinstall: false
- userenrollment:
- mode: forbidden
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: false
- content: |-
- If `true`, the system allows managed apps to write contacts to unmanaged accounts. If `allowOpenFromManagedToUnmanaged` is `true`, this restriction has no effect.
-
- > Important:
- > Use MDM to install profiles that contain this restriction.
-- key: allowMarketplaceAppInstallation
- title: Allow App Installation from alternative marketplaces
- supportedOS:
- iOS:
- introduced: '17.4'
- supervised: true
- sharedipad:
- mode: forbidden
- userenrollment:
- mode: forbidden
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system prevents installation of alternative marketplace
- apps from the web and prevents any installed alternative marketplace apps from
- installing apps.
-- key: allowMediaSharingModification
- title: Allow modifying Media Sharing setting
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- introduced: '15.1'
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, prevents modification of Media Sharing settings.
-- key: allowMultiplayerGaming
- title: Allow Multiplayer Gaming
- supportedOS:
- iOS:
- introduced: '4.1'
- supervised: true
- userenrollment:
- mode: forbidden
- macOS:
- introduced: '10.13'
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system prohibits multiplayer gaming.
-- key: allowMusicService
- title: Allow Apple Music
- supportedOS:
- iOS:
- introduced: '9.3'
- supervised: true
- userenrollment:
- mode: forbidden
- macOS:
- introduced: '10.12'
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system disables the Music service, and the Music app reverts
- to classic mode.
-- key: allowNews
- title: Allow use of News
- supportedOS:
- iOS:
- introduced: '9.0'
- supervised: true
- userenrollment:
- mode: forbidden
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system disables News.
-- key: allowNFC
- supportedOS:
- iOS:
- introduced: '14.2'
- supervised: true
- userenrollment:
- mode: forbidden
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system disables NFC.
-- key: allowNotesTranscription
- supportedOS:
- iOS:
- introduced: '18.4'
- supervised: true
- sharedipad:
- mode: forbidden
- userenrollment:
- mode: forbidden
- macOS:
- introduced: '15.4'
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, disables transcription in Notes.
-- key: allowNotesTranscriptionSummary
- supportedOS:
- iOS:
- introduced: '18.3'
- supervised: true
- sharedipad:
- mode: forbidden
- userenrollment:
- mode: forbidden
- macOS:
- introduced: '15.3'
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, disables transcription summarization in Notes.
-- key: allowNotificationsModification
- title: Allow Modifying Notifications Settings
- supportedOS:
- iOS:
- introduced: '9.3'
- supervised: true
- userenrollment:
- mode: forbidden
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: '2.0'
- supervised: true
- userenrollment:
- mode: forbidden
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system disables modification of notification settings.
-- key: allowOpenFromManagedToUnmanaged
- title: Enable allow open from managed to unmanaged
- supportedOS:
- iOS:
- introduced: '7.0'
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: '2.0'
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, documents in managed apps and accounts open only in other managed
- apps and accounts.
-- key: allowOpenFromUnmanagedToManaged
- title: Enable allow open from unmanaged to managed
- supportedOS:
- iOS:
- introduced: '7.0'
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: '2.0'
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, documents in unmanaged apps and accounts open only in other
- unmanaged apps and accounts.
-- key: allowOTAPKIUpdates
- supportedOS:
- iOS:
- introduced: '7.0'
- userenrollment:
- mode: forbidden
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system disables over-the-air PKI updates. Setting this
- restriction to `false` doesn't disable CRL and OCSP checks.
-- key: allowPairedWatch
- title: Allow Pairing With Apple Watch
- supportedOS:
- iOS:
- introduced: '9.0'
- supervised: true
- userenrollment:
- mode: forbidden
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system disables pairing with an Apple Watch, and the system
- unpairs any currently paired Apple Watch and erases its content.
-- key: allowPassbookWhileLocked
- title: Allow Wallet While Locked
- supportedOS:
- iOS:
- introduced: '6.0'
- userenrollment:
- mode: forbidden
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system hides Passbook notifications from the Lock Screen.
-- key: allowPasscodeModification
- title: Allow Modifying Passcode
- supportedOS:
- iOS:
- introduced: '9.0'
- supervised: true
- sharedipad:
- mode: forbidden
- userenrollment:
- mode: forbidden
- macOS:
- introduced: '10.13'
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: '2.0'
- supervised: true
- userenrollment:
- mode: forbidden
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system prevents adding, changing, or removing the passcode.
- The system ignores this restriction on Shared iPad.
-- key: allowPasswordAutoFill
- supportedOS:
- iOS:
- introduced: '12.0'
- supervised: true
- userenrollment:
- mode: forbidden
- macOS:
- introduced: '10.14'
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: '2.0'
- supervised: true
- userenrollment:
- mode: forbidden
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: |-
- If `false`, the system disables:
-
- - The AutoFill Passwords feature in iOS, with Keychain and third-party password managers
- - Prompting the user to use a saved password in Safari or in apps
- - Automatic strong passwords
- - Suggesting strong passwords to users
-
- However, if `false`, the system doesn't prevent AutoFill for contact info and credit cards in Safari.
-- key: allowPasswordProximityRequests - supportedOS: - iOS: - introduced: '12.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: '10.14' - userenrollment: - mode: forbidden - tvOS: - introduced: '12.0' - deprecated: '17.4' - supervised: true - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables requesting passwords from nearby devices. -- key: allowPasswordSharing - supportedOS: - iOS: - introduced: '12.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: '10.14' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: '2.0' - supervised: true - userenrollment: - mode: forbidden - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables sharing passwords with the AirDrop passwords - feature, or with the Passwords app. -- key: allowPersonalHotspotModification - title: Allow modifying Personal Hotspot settings - supportedOS: - iOS: - introduced: '12.2' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables modifications of the personal hotspot setting. -- key: allowPersonalizedHandwritingResults - title: Allow personalized handwriting results - supportedOS: - iOS: - introduced: '18.0' - supervised: true - sharedipad: - mode: forbidden - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If false, prevents the system from generating text in the user's handwriting. 
-- key: allowPhotoStream - title: Allow Photo Stream - supportedOS: - iOS: - introduced: '5.0' - deprecated: '17.0' - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables Photo Stream. -- key: allowPodcasts - supportedOS: - iOS: - introduced: '8.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables podcasts. -- key: allowPredictiveKeyboard - title: Allow Predictive Keyboard - supportedOS: - iOS: - introduced: 8.1.3 - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables predictive keyboards. -- key: allowPrinterSharingModification - title: Allow modifying Printer Sharing setting - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '14.0' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system prevents modifying Printer Sharing settings in System - Settings. -- key: allowProximitySetupToNewDevice - supportedOS: - iOS: - introduced: '11.0' - supervised: true - sharedipad: - mode: ignored - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, disables the prompt to set up new devices that are nearby. 
-- key: allowRadioService - title: Allow iTunes Radio - supportedOS: - iOS: - introduced: '9.3' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables Apple Music Radio. -- key: allowRapidSecurityResponseInstallation - title: Allow Background Security Improvement Installation - supportedOS: - iOS: - introduced: '16.0' - deprecated: '26.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: '13.0' - deprecated: '26.0' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system prohibits installation of Background Security Improvements. -- key: allowRapidSecurityResponseRemoval - title: Allow Background Security Improvement Removal - supportedOS: - iOS: - introduced: '16.0' - deprecated: '26.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: '13.0' - deprecated: '26.0' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system prohibits removal of Background Security Improvements. -- key: allowRCSMessaging - supportedOS: - iOS: - introduced: '18.1' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, prevents the use of RCS messaging. 
-- key: allowRemoteAppleEventsModification - title: Allow modifying Remote Apple Events Sharing setting - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '14.0' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system prevents modifying Remote Apple Events Sharing settings - in System Settings. -- key: allowRemoteAppPairing - title: Allow pairing with Remote app - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: n/a - tvOS: - introduced: '10.2' - supervised: true - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables pairing Apple TV for use with the Control - Center widget. -- key: allowRemoteScreenObservation - title: Allow Remote Screen Observation - supportedOS: - iOS: - introduced: '9.3' - macOS: - introduced: 10.14.4 - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables remote screen observation by the Classroom - app. Nest this key beneath `allowScreenShot` as a subrestriction. If `allowScreenShot` - is `false`, the Classroom app doesn't observe remote screens. Requires a supervised - device until iOS 13 and macOS 10.15. Allowed for user enrollments in macOS 12 - and later. -- key: allowSafari - title: Allow use of Safari - supportedOS: - iOS: - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables the Safari web browser app, and the system - removes its icon from the Home Screen. This setting also prevents users from opening - web clips. Requires a supervised device in iOS 13 and later. 
-- key: allowSafariHistoryClearing - supportedOS: - iOS: - introduced: '26.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: '26.0' - devicechannel: true - userchannel: true - allowmanualinstall: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: '26.0' - supervised: true - userenrollment: - mode: forbidden - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables the ability to clear browsing history in - Safari. -- key: allowSafariPrivateBrowsing - supportedOS: - iOS: - introduced: '26.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: '26.0' - devicechannel: true - userchannel: true - allowmanualinstall: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: '26.0' - supervised: true - userenrollment: - mode: forbidden - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables the ability to use private browsing in - Safari. -- key: allowSafariSummary - supportedOS: - iOS: - introduced: '18.4' - supervised: true - sharedipad: - mode: forbidden - userenrollment: - mode: forbidden - macOS: - introduced: '15.4' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: '2.4' - supervised: true - userenrollment: - mode: forbidden - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables the ability to summarize content in Safari. 
-- key: allowSatelliteConnection - title: Allow use of satellite connectivity - supportedOS: - iOS: - introduced: '18.2' - supervised: true - sharedipad: - mode: forbidden - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system prohibits the connection to and use of satellite - services. -- key: allowScreenShot - title: Allow Screenshots and Screen Recording - supportedOS: - iOS: - introduced: '3.1' - macOS: - introduced: 10.14.4 - tvOS: - introduced: n/a - visionOS: - introduced: '2.0' - type: - presence: optional - default: true - content: If `false`, the system disables saving a screenshot of the display and - capturing a screen recording. It also disables the Classroom app from observing - remote screens. -- key: allowSharedDeviceTemporarySession - supportedOS: - iOS: - introduced: '13.4' - supervised: true - sharedipad: - mode: required - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system makes temporary sessions unavailable on Shared iPad. -- key: allowSharedStream - title: Allow Shared Stream - supportedOS: - iOS: - introduced: '6.0' - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables Shared Photo Stream. Support for this restriction - on unsupervised devices is deprecated. 
-- key: allowSpellCheck - title: Allow Spell Check - supportedOS: - iOS: - introduced: 8.1.3 - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables the keyboard spell checker. -- key: allowSpotlightInternetResults - title: Allow Siri Suggestions - supportedOS: - iOS: - introduced: '8.0' - userenrollment: - mode: forbidden - macOS: - introduced: '10.11' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables Spotlight Internet search results in Siri - Suggestions. Support for this restriction on unsupervised devices is deprecated. -- key: allowStartupDiskModification - title: Allow modifying Startup Disk settings - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '14.0' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system prevents modification of Startup Disk settings in - System Settings. -- key: allowSystemAppRemoval - supportedOS: - iOS: - introduced: '11.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: '2.0' - supervised: true - userenrollment: - mode: forbidden - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables the removal of system apps from the device. 
-- key: allowTimeMachineBackup - title: Allow modifying Time Machine settings - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '14.0' - userchannel: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system prevents modification of Time Machine settings in - System Settings. This restriction is not supported on the user channel. -- key: allowUIAppInstallation - title: Allow App Installation from App Store - supportedOS: - iOS: - introduced: '9.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: '2.0' - supervised: true - userenrollment: - mode: forbidden - watchOS: - supervised: true - type: - presence: optional - default: true - content: |- - If `false`, the system disables the App Store and removes its icon from the Home Screen. However, users can continue to install or update their apps either locally (via Configurator, Xcode, and so forth), or using alternative marketplace apps. - - In iOS 10 and later, MDM commands can override this restriction. -- key: allowUIConfigurationProfileInstallation - title: Allow UI Configuration Profile Installation - supportedOS: - iOS: - introduced: '6.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: '13.0' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: '2.0' - supervised: true - userenrollment: - mode: forbidden - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system prohibits the user from installing configuration - profiles and certificates interactively. 
-- key: allowUniversalControl - title: Allow Universal Control - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '13.0' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables Universal Control. -- key: allowUnmanagedToReadManagedContacts - title: Allow unmanaged apps to read managed contacts accounts - supportedOS: - iOS: - introduced: '12.0' - allowmanualinstall: false - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: '2.0' - allowmanualinstall: false - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: |- - If `true`, the system allows unmanaged apps to read from managed contacts accounts. If `allowOpenFromManagedToUnmanaged` is `true`, this restriction has no effect. - - > Important: - > Use MDM to install profiles that contain this restriction. -- key: allowUnpairedExternalBootToRecovery - supportedOS: - iOS: - introduced: '14.5' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system allows unpaired devices to boot devices into recovery. -- key: allowUntrustedTLSPrompt - title: Allow user to accept untrusted TLS certificates - supportedOS: - iOS: - introduced: '5.0' - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: '1.1' - userenrollment: - mode: forbidden - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system automatically rejects untrusted HTTPS certificates - without prompting the user. 
-- key: allowUSBRestrictedMode - supportedOS: - iOS: - introduced: 11.4.1 - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: '13.0' - userchannel: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system allows iOS devices to always connect to USB accessories - while locked. In macOS, allows new USB and Thunderbolt accessories, and SD cards - to connect without authorization. If the system has Lockdown mode enabled, it - ignores this value. This restriction is not supported on the user channel. -- key: allowVideoConferencing - title: Allow Video Conferencing - supportedOS: - iOS: - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: '2.0' - supervised: true - userenrollment: - mode: forbidden - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system hides the FaceTime app. Requires a supervised device - in iOS 13 and later. -- key: allowVideoConferencingRemoteControl - title: Allow Video Conferencing Remote Control - supportedOS: - iOS: - introduced: '18.4' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, disables the ability for a remote FaceTime session to request - control of the device. 
-- key: allowVisualIntelligenceSummary - title: Allow Visual Intelligence Summary - supportedOS: - iOS: - introduced: '18.3' - supervised: true - sharedipad: - mode: forbidden - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables visual intelligence summarization. -- key: allowVoiceDialing - title: Allow Voice Dialing While Device is Locked - supportedOS: - iOS: - deprecated: '17.0' - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables voice dialing if the device is locked with - a passcode. -- key: allowVPNCreation - title: Allow Adding VPN Configurations (Supervised devices only) - supportedOS: - iOS: - introduced: '11.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: '2.0' - supervised: true - userenrollment: - mode: forbidden - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system allows only managed apps to create VPN configurations. - Prior to iOS 18, the system also allows unmanaged apps to create VPN configurations. -- key: allowWallpaperModification - title: Allow Modifying Wallpaper - supportedOS: - iOS: - introduced: '9.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: '10.13' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system prevents changing the wallpaper. 
-- key: allowWebDistributionAppInstallation - title: Allow App Installation from web sites - supportedOS: - iOS: - introduced: '17.5' - supervised: true - sharedipad: - mode: forbidden - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the device prevents installation of apps directly from the - web. -- key: allowWritingTools - title: Allow writing tools - supportedOS: - iOS: - introduced: '18.0' - supervised: true - sharedipad: - mode: forbidden - userenrollment: - mode: forbidden - macOS: - introduced: '15.0' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: '2.4' - supervised: true - userenrollment: - mode: forbidden - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, disables Apple Intelligence writing tools. -- key: autonomousSingleAppModePermittedAppIDs - supportedOS: - iOS: - introduced: '7.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: If present, the system allows apps identified by the bundle IDs listed - in the array to autonomously enter Single App Mode. - subkeys: - - key: appAutonomousSingleAppModePermittedID - title: Apps allow list for Autonomous Single App Mode - type: -- key: blacklistedAppBundleIDs - title: Blacklisted Apps - supportedOS: - iOS: - introduced: '9.3' - deprecated: '15.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: '11.0' - deprecated: '15.0' - supervised: true - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: Use `blockedAppBundleIDs` instead. 
- subkeys: - - key: appBlacklistedBundleID - title: Blacklisted App - type: -- key: blockedAppBundleIDs - title: Blocked Apps - supportedOS: - iOS: - introduced: '15.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: '15.0' - supervised: true - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: |- - If present, the system prevents showing or launching apps with bundle IDs in the array. Include the value `com.apple.webapp` to restrict all webclips. This applies to App Store apps, marketplace apps, and locally installed apps (using Configurator, Xcode, and so forth). - - > Note: - > Denying system apps may disable other functionality. For example, denying the App Store app may prevent users from accepting the terms and conditions for the user-based Volume Purchase Program (VPP). - subkeys: - - key: appBlockedBundleID - title: Blocked App - type: -- key: deniedICCIDsForiMessageFaceTime - supportedOS: - iOS: - introduced: '26.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: An array of strings representing ICCIDs of cellular plans. The device prevents - use of any matching cellular networks in iMessage and FaceTime. The array must - contain no more than 4 ICCID strings. - subkeys: - - key: deniedICCIDForiMessageFaceTime - title: Denied ICCID for iMessage and FaceTime - type: - content: An ICCID. -- key: deniedICCIDsForRCS - supportedOS: - iOS: - introduced: '26.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: An array of strings representing ICCIDs of cellular plans. The device prevents - use of any matching cellular networks with RCS messaging. 
The array must contain - no more than 4 ICCID strings. - subkeys: - - key: deniedICCIDForRCS - title: Denied ICCID for RCS - type: - content: An ICCID. -- key: enforcedFingerprintTimeout - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '12.0' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: 172800 - content: The value, in seconds, after which the fingerprint unlock requires a password - to authenticate. The default value is 48 hours. -- key: enforcedSoftwareUpdateDelay - supportedOS: - iOS: - introduced: '11.3' - deprecated: '26.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: 10.13.4 - deprecated: '26.0' - userenrollment: - mode: forbidden - tvOS: - introduced: '12.2' - deprecated: '26.0' - supervised: true - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - range: - min: 1 - max: 90 - default: 30 - content: How many days to delay a software update on the device. With this restriction - in place, the user doesn't see a software update until the specified number of - days after the software update release date. The restrictions `forceDelayedAppSoftwareUpdates` - and `forceDelayedSoftwareUpdates` use this value. -- key: enforcedSoftwareUpdateMajorOSDeferredInstallDelay - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '11.3' - deprecated: '26.0' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - range: - min: 1 - max: 90 - default: 30 - content: This restriction allows the administrator to set the number of days to - delay a major software upgrade on the device. When this restriction is in place, - the user sees a software upgrade only after the specified delay after the release - of the software upgrade. 
This value controls the delay for `forceDelayedMajorSoftwareUpdates`. -- key: enforcedSoftwareUpdateMinorOSDeferredInstallDelay - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '11.3' - deprecated: '26.0' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - range: - min: 1 - max: 90 - default: 30 - content: This restriction allows the administrator to set the number of days to - delay a minor OS software update on the device. When this restriction is in place, - the user sees a software update only after the specified delay after the release - of the software update. This value controls the delay for `forceDelayedSoftwareUpdates`. -- key: enforcedSoftwareUpdateNonOSDeferredInstallDelay - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '11.3' - deprecated: '26.0' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - range: - min: 1 - max: 90 - default: 30 - content: This restriction allows the administrator to set the number of days to - delay an app software update on the device. When this restriction is in place, - the user sees a non-OS software update only after the specified delay after the - release of the software. This value controls the delay for `forceDelayedAppSoftwareUpdates`. -- key: forceAirDropUnmanaged - title: Treat AirDrop as Unmanaged Destination - supportedOS: - iOS: - introduced: '9.0' - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: '2.0' - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system considers AirDrop to be an unmanaged drop target. 
-- key: forceAirPlayIncomingRequestsPairingPassword - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system forces all devices sending AirPlay requests to this - device to use a pairing password. This key isn't supported in tvOS 10.2 and later. - Use the AirPlay Security Payload instead. -- key: forceAirPlayOutgoingRequestsPairingPassword - supportedOS: - iOS: - introduced: '7.1' - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system forces all devices receiving AirPlay requests from - this device to use a pairing password. -- key: forceAirPrintTrustedTLSRequirement - title: Disallow AirPrint to destinations with untrusted certificates - supportedOS: - iOS: - introduced: '11.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system requires trusted certificates for TLS printing communication. -- key: forceAssistantProfanityFilter - title: Enable Siri Profanity Filter - supportedOS: - iOS: - introduced: '5.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: '10.13' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system forces the use of the profanity filter for Siri and - dictation. Requires a supervised device in iOS. 
-- key: forceAuthenticationBeforeAutoFill - supportedOS: - iOS: - introduced: '11.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: '2.0' - supervised: true - userenrollment: - mode: forbidden - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the user needs to authenticate before the system can autofill - passwords or credit card information in Safari and apps. If this restriction isn't - enforced, the user can toggle this feature in Settings. Only supported on devices - with Face ID or Touch ID. -- key: forceAutomaticDateAndTime - supportedOS: - iOS: - introduced: '12.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: '12.2' - supervised: true - visionOS: - introduced: '2.0' - supervised: true - userenrollment: - mode: forbidden - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system enables the Set Automatically feature in Date & Time - and the user can't disable it. The system updates the device's time zone only - when the device can determine its location using a cellular connection or Wi-Fi - with location services enabled. -- key: forceBypassScreenCaptureAlert - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '15.1' - allowmanualinstall: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, then the system bypasses the presentation of a screen capture - alert. 
-- key: forceClassroomAutomaticallyJoinClasses - supportedOS: - iOS: - introduced: '11.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: 10.14.4 - supervised: true - allowmanualinstall: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system automatically gives permission to the teacher's requests - without prompting the student. -- key: forceClassroomRequestPermissionToLeaveClasses - supportedOS: - iOS: - introduced: '11.3' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: 10.14.4 - supervised: true - allowmanualinstall: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, a student enrolled in an unmanaged course through Classroom - needs to request permission from the teacher to leave the course. -- key: forceClassroomUnpromptedAppAndDeviceLock - supportedOS: - iOS: - introduced: '11.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: 10.14.4 - supervised: true - allowmanualinstall: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system allows the teacher to lock apps or the device without - prompting the student. 
-- key: forceClassroomUnpromptedScreenObservation - supportedOS: - iOS: - introduced: '11.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: 10.14.4 - supervised: true - allowmanualinstall: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true` and `ScreenObservationPermissionModificationAllowed` is also - `true` in the Education payload, a student enrolled in a managed course through - the Classroom app automatically gives permission to that course teacher's requests - to observe the student's screen without prompting the student. -- key: forceDelayedAppSoftwareUpdates - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '11.0' - deprecated: '26.0' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system delays user visibility of non-OS software updates. - Control visibility of operating system updates through `forceDelayedSoftwareUpdates`. - The delay is 30 days unless you set `enforcedSoftwareUpdateDelay` to another value. -- key: forceDelayedMajorSoftwareUpdates - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '11.3' - deprecated: '26.0' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system delays user visibility of major OS updates. 
-- key: forceDelayedSoftwareUpdates - supportedOS: - iOS: - introduced: '11.3' - deprecated: '26.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: '10.13' - deprecated: '26.0' - userenrollment: - mode: forbidden - tvOS: - introduced: '12.2' - deprecated: '26.0' - supervised: true - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system delays user visibility of software updates. In macOS, - the system allows seed build updates without delay. The delay is 30 days unless - you set `enforcedSoftwareUpdateDelay` to another value. -- key: forceEncryptedBackup - title: Force Encrypted Backups - supportedOS: - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system encrypts all backups. -- key: forceITunesStorePasswordEntry - title: Require iTunes password for all purchases - supportedOS: - iOS: - introduced: '6.0' - deprecated: '17.0' - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system forces the user to enter their iTunes password for - each transaction. -- key: forceLimitAdTracking - supportedOS: - iOS: - introduced: '7.0' - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system limits ad tracking. Additionally, it disables app - tracking and the Allow Apps to Request to Track setting. 
-- key: forceOnDeviceOnlyDictation - supportedOS: - iOS: - introduced: '14.5' - macOS: - introduced: '14.0' - tvOS: - introduced: n/a - visionOS: - introduced: '2.0' - type: - presence: optional - default: false - content: If `true`, the system disables connections to Siri servers for the purposes - of dictation. -- key: forceOnDeviceOnlyTranslation - supportedOS: - iOS: - introduced: '15.0' - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the device can't connect to Siri servers for the purposes of - translation. -- key: forcePreserveESIMOnErase - title: Force Preserve ESIM on Erase - supportedOS: - iOS: - introduced: '17.2' - supervised: true - sharedipad: - mode: forbidden - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: |- - If `true`, the system preserves eSIM when it erases the device due to too many failed password attempts or the Erase All Content and Settings option in Settings > General > Reset. - - > Note: - > The system doesn't preserve eSIM if Find My initiates erasing the device. -- key: forceWatchWristDetection - title: Force Apple Watch Wrist Detection - supportedOS: - iOS: - introduced: '8.2' - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system forces a paired Apple Watch to use Wrist Detection. 
-- key: forceWiFiPowerOn - title: Disallow Wi-Fi from being turned off - supportedOS: - iOS: - introduced: '13.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system prevents turning off Wi-Fi in Settings or Control - Center, even by entering or leaving Airplane Mode. It doesn't prevent selecting - which Wi-Fi network to use. and later. -- key: forceWiFiToAllowedNetworksOnly - supportedOS: - iOS: - introduced: '14.5' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: '2.0' - supervised: true - userenrollment: - mode: forbidden - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system limits the device to only join Wi-Fi networks set - up through a configuration profile. -- key: forceWiFiWhitelisting - title: Only join Wi-Fi networks installed by profiles - supportedOS: - iOS: - introduced: '10.3' - deprecated: '14.5' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: Use `forceWiFiToAllowedNetworksOnly` instead. -- key: ratingApps - title: Apps Ranking Number - supportedOS: - iOS: - userenrollment: - mode: forbidden - macOS: - introduced: '15.0' - userenrollment: - mode: forbidden - tvOS: - introduced: '11.3' - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - range: - min: 0 - max: 1000 - default: 1000 - content: |- - The maximum level of app content allowed on the device. Preinstalled (first-party) apps ignore this restriction. - - Possible values, with the U.S. 
description of the rating level: - - - `1000`: All - - `600`: 17+ - - `300`: 12+ - - `200`: 9+ - - `100`: 4+ - - `0`: None - - Age bands and the number of discrete age values vary by region, but the values are consistent across regions. For example, in a region that defines rating level 14+, its value is guaranteed to be larger than 300 (12+) and smaller than 600 (17+). Also, the value of rating level 15+ is guaranteed to be larger than the assigned value of rating level 14+. For more information about age ratings, see [Age ratings values and definitions](https://developer.apple.com/help/app-store-connect/reference/age-ratings-values-and-definitions). - - Examples of values in other regions include: - - - `1000`: All - - `621`: 21+ - - `620`: 20+ - - `619`: 19+ - - `618`: 18+ - - `600`: 17+ - - `416`: 16+ - - `415`: 15+ - - `314`: 14+ - - `313`: 13+ - - `300`: 12+ - - `211`: 11+ - - `210`: 10+ - - `200`: 9+ - - `108`: 8+ - - `107`: 7+ - - `106`: 6+ - - `105`: 5+ - - `100`: 4+ - - `3`: 3+ - - `2`: 2+ - - `1`: 1+ - - `0`: None - - This restriction will require supervision in a future release. -- key: ratingAppsExemptedBundleIDs - title: Apps Exempted from Rating Restrictions - supportedOS: - iOS: - introduced: '26.1' - allowmanualinstall: false - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: If present, the system exempts apps with bundle IDs in the array from age-based - rating restrictions. The system uses intersection combine rules to combine multiple - payloads and any exceptions that parental control apps provide, including ScreenTime. 
- subkeys: - - key: ratingAppsExemptedBundleID - title: Exempted App - type: -- key: ratingMovies - title: Movies Ranking Number - supportedOS: - iOS: - userenrollment: - mode: forbidden - macOS: - introduced: '15.0' - userenrollment: - mode: forbidden - tvOS: - introduced: '11.3' - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - range: - min: 0 - max: 1000 - default: 1000 - content: |- - The maximum level of movie content allowed on the device. Support for this restriction on unsupervised devices is deprecated. - - Possible values, with the U.S. description of the rating level: - - - `1000`: All - - `500`: NC-17 - - `400`: R - - `300`: PG-13 - - `200`: PG - - `100`: G - - `0`: None -- key: ratingRegion - title: Region Code - supportedOS: - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - rangelist: - - us - - au - - ca - - de - - fr - - ie - - jp - - nz - - gb - content: The two-letter key that profile tools use to display the proper ratings - for the given region. The client doesn't recognize or report this data. -- key: ratingTVShows - title: TV Shows Ranking Number - supportedOS: - iOS: - userenrollment: - mode: forbidden - macOS: - introduced: '15.0' - userenrollment: - mode: forbidden - tvOS: - introduced: '11.3' - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - range: - min: 0 - max: 1000 - default: 1000 - content: |- - The maximum level of TV content allowed on the device. Support for this restriction on unsupervised devices is deprecated. - - Possible values, with the U.S. 
description of the rating level: - - - `1000`: All - - `600`: TV-MA - - `500`: TV-14 - - `400`: TV-PG - - `300`: TV-G - - `200`: TV-Y7 - - `100`: TV-Y - - `0`: None -- key: requireManagedPasteboard - supportedOS: - iOS: - introduced: '15.0' - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: '2.0' - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, copy-and-paste functionality is limited by the `allowOpenFromManagedToUnmanaged` - and `allowOpenFromUnmanagedToManaged` restrictions. -- key: safariAcceptCookies - title: Accept Cookies in Safari - supportedOS: - iOS: - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - rangelist: - - 0.0 - - 1.0 - - 1.5 - - 2.0 - default: 2.0 - content: |- - Defines the conditions under which the device accepts cookies. The user-facing settings changed in iOS 11, although the possible values remain the same. Support for this restriction on unsupervised devices is deprecated. Allowed values: - - - `0`: Enables Prevent Cross-Site Tracking and Block All Cookies, and the user canʼt disable either setting. - - `1` or `1.5`: Enables Prevent Cross-Site Tracking, and the user canʼt disable it. Doesn't enable Block All Cookies, but the user can enable it. - - `2`: Enables Prevent Cross-Site Tracking, but doesn't enable Block All Cookies. The user can toggle either setting. 
-- key: safariAllowAutoFill - title: Allow AutoFill in Safari - supportedOS: - iOS: - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: '10.13' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: '2.0' - supervised: true - userenrollment: - mode: forbidden - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: |- - If `false`, the system disables Safari AutoFill for passwords, contact info, and credit cards, and also prevents using the Keychain for AutoFill. Requires a supervised device in iOS 13 and later. - - > Note: - > The system still allows third-party password managers, and apps can use AutoFill. -- key: safariAllowJavaScript - title: Allow JavaScript - supportedOS: - iOS: - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, Safari doesn't execute JavaScript. This restriction will require - supervision in a future release. -- key: safariAllowPopups - title: Allow Pop-ups - supportedOS: - iOS: - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, Safari doesn't allow pop-up windows. Support for this restriction - on unsupervised devices is deprecated. -- key: safariForceFraudWarning - title: Enable Fraud Warning - supportedOS: - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system enables Safari fraud warning. 
-- key: whitelistedAppBundleIDs - title: Whitelisted Apps - supportedOS: - iOS: - introduced: '9.3' - deprecated: '15.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: '11.0' - deprecated: '15.0' - supervised: true - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: Use `allowListedAppBundleIDs` instead. - subkeys: - - key: appWhitelistedBundleID - title: Whitelisted App - type:
-notes:
-- title: '' - content: |- - > Important: - > The system allows multiple Restrictions payloads. However, don't attempt to manage the same restriction in different payloads. Doing so results in unexpected behavior.
diff --git a/mdm/profiles/com.apple.appstore.yaml b/mdm/profiles/com.apple.appstore.yaml
deleted file mode 100644
index 7d536ee..0000000
--- a/mdm/profiles/com.apple.appstore.yaml
+++ /dev/null
@@ -1,65 +0,0 @@
-title: App Store
-description: The payload that configures macOS App Store restrictions.
-payload: - payloadtype: com.apple.appstore - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.9' - multiple: false - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: Use this payload to set restrictions used by the Mac App Store.
-payloadkeys:
-- key: restrict-store-require-admin-to-install - supportedOS: - macOS: - introduced: '10.9' - deprecated: '10.14' - type: - presence: optional - default: false - content: If `true`, the system restricts app installations to admin users only. - Deprecated in macOS 10.14. Use the `com.apple.SoftwareUpdate` payload key `restrict-software-update-require-admin-to-install` - instead.
-- key: restrict-store-softwareupdate-only - supportedOS: - macOS: - introduced: '10.10' - type: - presence: optional - default: false - content: If `true`, the system prevents App Store from launching. Available in macOS - 10.14 and later. Restricts installations to software updates only in macOS 10.10 - through 10.13.
-- key: restrict-store-disable-app-adoption - supportedOS: - macOS: - introduced: '10.10' - type: - presence: optional - default: false - content: If `true`, the system disables app adoption by users. Available in macOS - 10.10 and later.
-- key: DisableSoftwareUpdateNotifications - supportedOS: - macOS: - introduced: '10.10' - type: - presence: optional - default: false - content: If `true`, the system disables software update notifications. Available - in macOS 10.10 and later.
diff --git a/mdm/profiles/com.apple.asam.yaml b/mdm/profiles/com.apple.asam.yaml
deleted file mode 100644
index 255c275..0000000
--- a/mdm/profiles/com.apple.asam.yaml
+++ /dev/null
@@ -1,62 +0,0 @@ -title: Autonomous Single App Mode -description: The payload that configures Autonomous Single App mode. -payload: - payloadtype: com.apple.asam - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: 10.13.4 - multiple: false - devicechannel: true - userchannel: false - requiresdep: false - userapprovedmdm: true - allowmanualinstall: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a -payloadkeys: -- key: AllowedApplications - supportedOS: - macOS: - introduced: 10.13.4 - type: - presence: required - content: An array of dictionaries that specifies the apps that the system grants - access to the Accessibility APIs. - subkeys: - - key: AllowedApplicationsItem - type: - content: A dictionary that specifies an app that can be granted access to the - Accessibilty APIs. - subkeys: - - key: BundleIdentifier - supportedOS: - macOS: - introduced: 10.13.4 - type: - presence: required - content: The unique bundle identifier. If two dictionaries contain the same - `BundleIdentifier` value but a different `TeamIdentifier` value, an error - occurs and the profile won't be installed. - - key: TeamIdentifier - supportedOS: - macOS: - introduced: 10.13.4 - type: - presence: required - content: The developer's team identifier that the system used when it signed - the app. -notes: -- title: '' - content: |- - The system only allows installation of one profile of this type, and it requires installation through a user-approved MDM server. Apps listed in this profile have low-level access to the system, including, but not limited to, key logging and user interface manipulation outside the app's context. - - > Important: - > If two dictionaries contain the same `BundleIdentifier` value but a different `TeamIdentifier` value, an error occurs and the system doesn’t install the profile. 
diff --git a/mdm/profiles/com.apple.associated-domains.yaml b/mdm/profiles/com.apple.associated-domains.yaml
deleted file mode 100644
index 7ee4ec6..0000000
--- a/mdm/profiles/com.apple.associated-domains.yaml
+++ /dev/null
@@ -1,68 +0,0 @@ -title: Associated Domains -description: The payload that configures associated domains. -payload: - payloadtype: com.apple.associated-domains - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.15' - multiple: true - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: true - allowmanualinstall: false - userenrollment: - mode: allowed - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: Configures Associated Domains to be used with features such as Extensible - AppSSO, universal links and Password AutoFill. Settings are per-user. The effective - settings for a user will be the union of payloads installed for the device and - the user. Users on a system that are not managed by the MDM will not have any - effective settings, not even those from device payloads. -payloadkeys: -- key: Configuration - title: Configuration - type: - presence: required - content: A dictionary that maps apps to their associated domains. - subkeys: - - key: ConfigurationItem - type: - content: A dictionary that maps apps to their associated domains. - subkeys: - - key: ApplicationIdentifier - type: - presence: required - content: The app identifier to associate the domains with. - - key: AssociatedDomains - type: - presence: required - content: The domains to associate with the app. Each string is in the form of - `service:domain`. Use fully qualified hostnames, such as `www.example.com`. - See `Supporting associated domains` for more information. - subkeys: - - key: AssociatedDomain - type: - presence: required - - key: EnableDirectDownloads - supportedOS: - macOS: - introduced: '11.0' - type: - presence: optional - default: false - content: If `true`, the system enables direct download of data for this domain - instead of through a CDN. Set the entitlement value for this domain to `service:domain?mode=managed`; - otherwise, the system ignores this value. 
Available in macOS 11 and later.
-notes:
-- title: '' - content: You can use associated domains with features such as Extensible AppSSO, - universal links, and Password AutoFill.
diff --git a/mdm/profiles/com.apple.caldav.account.yaml b/mdm/profiles/com.apple.caldav.account.yaml
deleted file mode 100644
index d32ea32..0000000
--- a/mdm/profiles/com.apple.caldav.account.yaml
+++ /dev/null
@@ -1,87 +0,0 @@ -title: CalDAV -description: The payload that configures a Calendar account. -payload: - payloadtype: com.apple.caldav.account - supportedOS: - iOS: - introduced: '4.0' - multiple: true - supervised: false - allowmanualinstall: true - sharedipad: - mode: allowed - devicechannel: false - userchannel: true - userenrollment: - mode: allowed - macOS: - introduced: '10.7' - multiple: true - devicechannel: false - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: allowed - tvOS: - introduced: n/a - visionOS: - introduced: '1.1' - multiple: true - supervised: false - allowmanualinstall: true - userenrollment: - mode: allowed - watchOS: - introduced: n/a -payloadkeys: -- key: CalDAVAccountDescription - title: Account Description - type: - presence: optional - content: The description of the account. -- key: CalDAVHostName - title: Account Hostname - type: - presence: required - content: The server's address. -- key: CalDAVUsername - title: Account Username - type: - presence: optional - content: The user name for logins. If this profile is part of a non-interactive - install, the system requires this field. -- key: CalDAVPassword - title: Account Password - type: - presence: optional - content: The user's password. Only use this in encrypted profiles. -- key: CalDAVPrincipalURL - title: Principal URL - type: - presence: optional - content: The base URL to the user's calendar. -- key: CalDAVUseSSL - title: Use SSL - type: - presence: optional - default: true - content: If `true`, the system enables SSL. -- key: CalDAVPort - title: Port Number - type: - presence: optional - content: The server's port. -- key: VPNUUID - title: VPNUUID - supportedOS: - iOS: - introduced: '14.0' - macOS: - introduced: n/a - type: - presence: optional - content: The VPNUUID of the per-app VPN the account uses for network communication. - Available in iOS 14 and later. 
diff --git a/mdm/profiles/com.apple.carddav.account.yaml b/mdm/profiles/com.apple.carddav.account.yaml
deleted file mode 100644
index 971c251..0000000
--- a/mdm/profiles/com.apple.carddav.account.yaml
+++ /dev/null
@@ -1,140 +0,0 @@ -title: CardDAV -description: The payload that configures a Contacts account. -payload: - payloadtype: com.apple.carddav.account - supportedOS: - iOS: - introduced: '4.0' - multiple: true - supervised: false - allowmanualinstall: true - sharedipad: - mode: allowed - devicechannel: false - userchannel: true - userenrollment: - mode: allowed - macOS: - introduced: '10.7' - multiple: true - devicechannel: false - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: allowed - tvOS: - introduced: n/a - visionOS: - introduced: '1.1' - multiple: true - supervised: false - allowmanualinstall: true - userenrollment: - mode: allowed - watchOS: - introduced: n/a -payloadkeys: -- key: CardDAVAccountDescription - title: Account Description - supportedOS: - macOS: - introduced: '10.7' - type: - presence: optional - content: The description of the account. -- key: CardDAVHostName - title: Account Hostname - supportedOS: - macOS: - introduced: '10.7' - type: - presence: required - content: The server's address. -- key: CardDAVUsername - title: Account Username - supportedOS: - macOS: - introduced: '10.7' - type: - presence: optional - content: The user name for logins. -- key: CardDAVPassword - title: Account Password - supportedOS: - macOS: - introduced: '10.7' - type: - presence: optional - content: The user's password. Only use this in encrypted profiles. -- key: CardDAVPrincipalURL - title: Principal URL - supportedOS: - macOS: - introduced: n/a - type: - presence: optional - content: The base URL to the user's address book. -- key: CardDAVUseSSL - title: Use SSL - supportedOS: - macOS: - introduced: '10.7' - type: - presence: optional - default: true - content: If `true`, the system enables SSL. -- key: CardDAVPort - title: Port Number - supportedOS: - macOS: - introduced: '10.7' - type: - presence: optional - content: The server's port. 
-- key: CommunicationServiceRules - title: Communication Service Rules - supportedOS: - iOS: - introduced: '10.0' - macOS: - introduced: n/a - type: - presence: optional - content: An array of communication service rules for this account. - subkeys: - - key: DefaultServiceHandlers - title: Default Service Handlers - supportedOS: - iOS: - introduced: '10.0' - macOS: - introduced: n/a - type: - presence: optional - content: A dictionary of service handlers for contacts from this account. - subkeys: - - key: AudioCall - title: App for audio calls - supportedOS: - iOS: - introduced: '10.0' - macOS: - introduced: n/a - type: - presence: optional - content: The bundle identifier for the default application that handles audio - calls to contacts from this account.
-- key: VPNUUID - title: VPNUUID - supportedOS: - iOS: - introduced: '14.0' - macOS: - introduced: n/a - type: - presence: optional - content: The VPNUUID of the per-app VPN the account uses for network communication. - Available in iOS 14 and later.
diff --git a/mdm/profiles/com.apple.cellular.yaml b/mdm/profiles/com.apple.cellular.yaml
deleted file mode 100644
index 8cdcd3b..0000000
--- a/mdm/profiles/com.apple.cellular.yaml
+++ /dev/null
@@ -1,205 +0,0 @@ -title: Cellular -description: The payload that configures cellular settings. -payload: - payloadtype: com.apple.cellular - supportedOS: - iOS: - introduced: '7.0' - multiple: false - supervised: false - allowmanualinstall: true - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: '3.2' - multiple: false - allowmanualinstall: true - content: |- - This payload cannot be installed if an APN payload is already installed. - This payload only applies to the preferred data SIM. There is no way to have a cellular payload affect a different SIM. - This payload replaces the com.apple.managedCarrier payload. The latter payload is supported, but deprecated. -payloadkeys: -- key: AttachAPN - title: AttachAPN - type: - presence: optional - content: A configuration dictionary. - subkeys: - - key: Name - title: Name - type: - presence: required - content: The name for this configuration. - - key: AuthenticationType - title: Authentication type - type: - presence: optional - rangelist: - - CHAP - - PAP - default: PAP - content: The authentication type. - - key: Username - title: User name - type: - presence: optional - content: The user name. - - key: Password - title: Password - type: - presence: optional - content: The password for the user. - - key: AllowedProtocolMask - title: Supported IP Versions - supportedOS: - iOS: - introduced: '10.3' - type: - presence: optional - rangelist: - - 1 - - 2 - - 3 - content: |- - The Internet Protocol versions that the system supports. Allowed values: - - - `1`: IPv4 - - `2`: IPv6 - - `3`: Both -- key: APNs - title: APNs - type: - presence: optional - content: An array of access point name (APN) dictionaries. - subkeys: - - key: APNsItem - type: - content: A dictionary that contains details about an access point name (APN) configuration. 
- subkeys: - - key: Name - title: Name - type: - presence: required - content: The name for this configuration. - - key: AuthenticationType - title: Authentication type - type: - presence: optional - rangelist: - - CHAP - - PAP - default: PAP - content: The authentication type for logging in. - - key: Username - title: User name - type: - presence: optional - content: The user name for the APN. - - key: Password - title: Password - type: - presence: optional - content: The user's password for the APN. - - key: ProxyServer - title: Proxy server - supportedOS: - macOS: - introduced: n/a - type: - presence: optional - content: The proxy server's address. - - key: ProxyPort - title: Proxy port - type: - presence: optional - content: The proxy server's port number. - - key: DefaultProtocolMask - supportedOS: - iOS: - introduced: '10.3' - deprecated: '11.0' - type: - presence: optional - rangelist: - - 1 - - 2 - - 3 - content: |- - The default Internet Protocol versions. Available in iOS 10.3 but no longer used in iOS 11 and later. Allowed values: - - - `1`: IPv4 - - `2`: IPv6 - - `3`: Both - - key: AllowedProtocolMask - title: Supported IP Versions - supportedOS: - iOS: - introduced: '10.3' - type: - presence: optional - rangelist: - - 1 - - 2 - - 3 - content: |- - The Internet Protocol versions that the system supports. Available in iOS 10.3 and later. Allowed values: - - - `1`: IPv4 - - `2`: IPv6 - - `3`: Both - - key: AllowedProtocolMaskInRoaming - title: Supported Roaming IP Versions - supportedOS: - iOS: - introduced: '10.3' - type: - presence: optional - rangelist: - - 1 - - 2 - - 3 - content: |- - The Internet Protocol versions that the system supports while roaming. Available in iOS 10.3 and later. 
Allowed values: - - - `1`: IPv4 - - `2`: IPv6 - - `3`: Both - - key: AllowedProtocolMaskInDomesticRoaming - title: Supported Roaming IP Versions - supportedOS: - iOS: - introduced: '10.3' - type: - presence: optional - rangelist: - - 1 - - 2 - - 3 - content: |- - The Internet Protocol versions that the system supports while roaming. Available in iOS 10.3 and later. Allowed values: - - - `1`: IPv4 - - `2`: IPv6 - - `3`: Both - - key: EnableXLAT464 - title: Enable XLAT464 - supportedOS: - iOS: - introduced: '16.0' - watchOS: - introduced: '9.0' - type: - presence: optional - default: false - content: If `true`, the system enables XLAT464. Available in iOS 16 and later - and watchOS 9 and later.
diff --git a/mdm/profiles/com.apple.cellularprivatenetwork.managed.yaml b/mdm/profiles/com.apple.cellularprivatenetwork.managed.yaml
deleted file mode 100644
index 21d7742..0000000
--- a/mdm/profiles/com.apple.cellularprivatenetwork.managed.yaml
+++ /dev/null
@@ -1,103 +0,0 @@ -title: Cellular Private Network -description: The payload that provides device info on private network deployments, - including geographical location, preference over Wi-Fi, and network deployment type. -payload: - payloadtype: com.apple.cellularprivatenetwork.managed - supportedOS: - iOS: - introduced: '17.0' - multiple: true - supervised: false - allowmanualinstall: true - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: Payload can be used to provide device info on private network deployments - including geographical location, preference over Wi-Fi, and network deployment - type. Only five Cellular Private Networks can be configured simultaneously. -payloadkeys: -- key: Geofences - type: - presence: optional - content: A list of up to 1000 geofences for private networks. Geofencing is only - used on iPhone. - subkeys: - - key: GeofenceItem - type: - content: A geofence for a private network. - subkeys: - - key: Longitude - type: - presence: required - range: - min: -180.0 - max: 180.0 - content: The longitude of the geofence. - - key: Latitude - type: - presence: required - range: - min: -90.0 - max: 90.0 - content: The latitude of the geofence. - - key: Radius - type: - presence: required - range: - min: 100.0 - max: 6500.0 - content: Specifies the radius of the geofence in meters. Set this value slightly - greater than the private cellular network coverage area. - - key: GeofenceId - type: - presence: required - content: A geofence identifier that's unique within a list of geofences. -- key: DataSetName - type: - presence: required - content: The name of the private network configuration data set. -- key: VersionNumber - type: - presence: required - content: The version number of this dataset that the system uses to track updates. 
-- key: CellularDataPreferred - type: - presence: optional - default: false - content: Set to `true` to prefer this private network over Wi-Fi. -- key: EnableNRStandalone - type: - presence: optional - default: false - content: Set to `true` if this private network is NR Standalone. -- key: NetworkIdentifier - supportedOS: - iOS: - introduced: '18.0' - type: - presence: optional - content: |- - A string using the 3GPP "Coordinated NID" (option 1 or option 2) format (defined in 3GPP 31.102, Section 12.7.1). The device uses this value to match a SIM present on the device. - - All combinations of `NetworkIdentifier` and `CsgNetworkIdentifier` must be unique across all profiles installed on the device. -- key: CsgNetworkIdentifier - supportedOS: - iOS: - introduced: '18.0' - type: - presence: optional - content: |- - A string using the 3GPP "CSG_ID" format (defined in 3GPP 23.003, Section 4.7). The device uses this value to match a SIM present on the device. - - All combinations of `NetworkIdentifier` and `CsgNetworkIdentifier` must be unique across all profiles installed on the device.
diff --git a/mdm/profiles/com.apple.conferenceroomdisplay.yaml b/mdm/profiles/com.apple.conferenceroomdisplay.yaml
deleted file mode 100644
index 72e3f59..0000000
--- a/mdm/profiles/com.apple.conferenceroomdisplay.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: Conference Room Display -description: The payload that configures Conference Room Display mode for Apple TV. -payload: - payloadtype: com.apple.conferenceroomdisplay - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: n/a - tvOS: - introduced: '10.2' - multiple: false - supervised: true - allowmanualinstall: true - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: Configures an Apple TV to enter Conference Room Display mode, and restrictions - exit from that mode -payloadkeys: -- key: Message - title: Custom message - type: - presence: optional - content: The custom message displayed on the screen in Conference Room Display mode. -notes: -- title: '' - content: Conference Room Display mode locks Apple TV into that mode, to prevent - other types of usage.
diff --git a/mdm/profiles/com.apple.configurationprofile.identification.yaml b/mdm/profiles/com.apple.configurationprofile.identification.yaml
deleted file mode 100644
index 42efff3..0000000
--- a/mdm/profiles/com.apple.configurationprofile.identification.yaml
+++ /dev/null
@@ -1,77 +0,0 @@ -title: Identification -description: The payload that configures the names of the account user. -payload: - payloadtype: com.apple.configurationprofile.identification - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.7' - deprecated: '15.4' - multiple: false - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: allowed - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: |- - This payload can be used on the device or user channel depending on what payload it is paired with. - - Device channel: - *com.apple.MCX.FileVault2 - *com.apple.ADCertificate.managed - *com.apple.DirectoryService.managed - - User channel: - *com.apple.caldav.account - *com.apple.carddav.account - *com.apple.ews.account - *com.apple.ldap.account - *com.apple.mail.managed -payloadkeys: -- key: PayloadIdentification - type: - presence: required - content: The dictionary that contains details about the user. - subkeys: - - key: UserName - type: - presence: required - content: The UNIX user name for the accounts. - - key: FullName - type: - presence: required - content: The full name of the account. - - key: EmailAddress - type: - presence: required - content: The address for the account. - - key: AuthMethod - type: - presence: required - rangelist: - - Password - - UserEnteredPassword - content: The authorization method. Either the profile contains the password or - the user provides it. - - key: Password - type: - presence: required - content: The password for the account. Required when the `AuthMethod` is `Password`. - - key: Prompt - type: - presence: optional - content: The custom instructions for the user, if needed. - - key: PromptMessage - type: - presence: optional - content: The additional descriptive text for the user prompt. 
diff --git a/mdm/profiles/com.apple.dashboard.yaml b/mdm/profiles/com.apple.dashboard.yaml
deleted file mode 100644
index 1f7b3eb..0000000
--- a/mdm/profiles/com.apple.dashboard.yaml
+++ /dev/null
@@ -1,50 +0,0 @@
-title: 'Parental Controls: Dashboard Widget Restrictions' -description: The payload that configures allowed dashboard widgets. -payload: - payloadtype: com.apple.dashboard - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.7' - deprecated: '10.15' - removed: '10.15' - multiple: false - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: Widget restrictions. -payloadkeys: -- key: whiteListEnabled - type: - presence: required - content: If `true`, enables the widget allow list. -- key: WhiteList - type: - presence: required - content: An array of widget item dictionaries that are allowed. - subkeys: - - key: WhiteListItem - type: - content: The widget item dictionary. - subkeys: - - key: Type - type: - presence: required - content: The type of allow list item. Set to `bundleID` to use a widget's bundle - ID as its main ID. - - key: ID - type: - presence: required - content: The bundle ID of a widget.
diff --git a/mdm/profiles/com.apple.declarations.yaml b/mdm/profiles/com.apple.declarations.yaml
deleted file mode 100644
index fa4a17e..0000000
--- a/mdm/profiles/com.apple.declarations.yaml
+++ /dev/null
@@ -1,63 +0,0 @@
-title: Declarations -description: The payload that applies a set of declarations to the device through - the Settings app. -payload: - payloadtype: com.apple.declarations - supportedOS: - iOS: - introduced: '17.0' - multiple: true - supervised: false - allowmanualinstall: true - sharedipad: - mode: forbidden - userenrollment: - mode: forbidden - macOS: - introduced: '14.0' - multiple: true - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: '17.0' - multiple: true - supervised: false - allowmanualinstall: true - visionOS: - introduced: '1.0' - multiple: true - supervised: false - allowmanualinstall: true - userenrollment: - mode: forbidden - watchOS: - introduced: '10.0' - multiple: true - supervised: false - allowmanualinstall: true -payloadkeys: -- key: Declarations - title: Declarations - type: - presence: required - content: The set of declarations to apply. The array items are Base64-encoded data - representations of the declaration JSON data. - subkeys: - - key: DeclarationsItem - title: Declarations Content Item - type: - presence: required - content: An item in the declarations list -notes: -- title: '' - content: |- - This profile applies a set of declarations to the device. Users use this profile to install declarations without requiring an MDM enrollment. A device management server can't install a configuration profile containing this payload type. Device management servers need to use declarative device management to install declarations. - - > Important: - > When a user installs the profile, the device only applies configuration declarations that allow a "local" enrollment. Consult the documentation for each configuration type to see if you can use it.
diff --git a/mdm/profiles/com.apple.desktop.yaml b/mdm/profiles/com.apple.desktop.yaml
deleted file mode 100644
index e5b74fc..0000000
--- a/mdm/profiles/com.apple.desktop.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-title: Desktop -description: The payload that configures the desktop wallpaper. -payload: - payloadtype: com.apple.desktop - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.10' - multiple: false - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a -payloadkeys: -- key: locked - supportedOS: - macOS: - deprecated: '10.13' - type: - presence: optional - default: false - content: If `true`, locks the desktop picture. Replaced with allowWallpaperModification - in macOS 10.13. -- key: override-picture-path - type: - presence: optional - content: The path to the desktop picture. If set, this picture is always locked.
diff --git a/mdm/profiles/com.apple.dnsProxy.managed.yaml b/mdm/profiles/com.apple.dnsProxy.managed.yaml
deleted file mode 100644
index f18506b..0000000
--- a/mdm/profiles/com.apple.dnsProxy.managed.yaml
+++ /dev/null
@@ -1,79 +0,0 @@ -title: DNS Proxy -description: The payload that configures DNS proxies. -payload: - payloadtype: com.apple.dnsProxy.managed - supportedOS: - iOS: - introduced: '11.0' - multiple: false - supervised: false - allowmanualinstall: false - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: allowed - macOS: - introduced: '10.15' - multiple: false - devicechannel: true - userchannel: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: '1.1' - multiple: false - supervised: false - allowmanualinstall: false - userenrollment: - mode: allowed - watchOS: - introduced: n/a - content: As of iOS 15.0 this payload can be installed on unsupervised devices via - MDM and can only be installed via MDM. As of iOS 16.0, this can be installed on - user enrollments via MDM if DNSProxyUUID is specified. -payloadkeys: -- key: AppBundleIdentifier - title: App Bundle Identifier - type: - presence: required - content: The bundle identifier of the app containing the DNS proxy network extension. -- key: ProviderBundleIdentifier - title: Provider Bundle Identifier - type: - presence: optional - content: The bundle identifier of the DNS proxy network extension to use. Declaring - the bundle identifier is useful for apps that contain more than one DNS proxy - extension. -- key: ProviderConfiguration - title: Provider Configuration - type: - presence: optional - content: The dictionary of vendor-specific configuration items. - subkeys: - - key: ANY - type: - presence: optional - content: Key/value pairs. -- key: DNSProxyUUID - title: DNS Proxy UUID - supportedOS: - iOS: - introduced: '16.0' - macOS: - introduced: n/a - type: - presence: optional - content: A globally unique identifier for this DNS proxy configuration. 
The proxy - processes DNS lookups traffic for managed apps with the same `DNSProxyUUID` in - their app attributes. This key is required for user enrollment. -notes: -- title: '' - content: Beginning with iOS 15, this profile is unsupervised and needs to be installed - through MDM.
diff --git a/mdm/profiles/com.apple.dnsSettings.managed.yaml b/mdm/profiles/com.apple.dnsSettings.managed.yaml
deleted file mode 100644
index f6e6ba7..0000000
--- a/mdm/profiles/com.apple.dnsSettings.managed.yaml
+++ /dev/null
@@ -1,243 +0,0 @@ -title: DNS Settings -description: The payload that configures encrypted DNS settings. -payload: - payloadtype: com.apple.dnsSettings.managed - supportedOS: - iOS: - introduced: '14.0' - multiple: true - supervised: false - allowmanualinstall: true - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: forbidden - macOS: - introduced: '11.0' - multiple: true - devicechannel: true - userchannel: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: '1.0' - multiple: true - supervised: false - allowmanualinstall: true - userenrollment: - mode: forbidden - watchOS: - introduced: n/a -payloadkeys: -- key: DNSSettings - title: DNS Settings - type: - presence: required - content: A dictionary that defines a configuration for an encrypted DNS server. - subkeys: - - key: DNSProtocol - title: DNS Protocol - type: - presence: required - rangelist: - - HTTPS - - TLS - content: The encrypted transport protocol used to communicate with the DNS server. - - key: ServerURL - title: Server URL - type: - presence: optional - content: The URI template of a DNS-over-HTTPS server, as defined in RFC 8484. - This URL needs to use the `https://` scheme, and the system uses the hostname - or address in the URL to validate the server certificate. If no `ServerAddresses` - are provided, the system uses the hostname or address in the URL to determine - the server addresses. Required if `DNSProtocol` is `HTTPS`. - - key: ServerName - title: Server Name - type: - presence: optional - content: The hostname of a DNS-over-TLS server used to validate the server certificate, - as defined in RFC 7858. If no `ServerAddresses` are provided, the system uses - the hostname to determine the server addresses. This key must be present only - if the DNSProtocol is `TLS`. 
- - key: ServerAddresses - title: DNS Server Addresses - type: - presence: optional - content: An unordered list of DNS server IP address strings. These IP addresses - can be a mixture of IPv4 and IPv6 addresses. - subkeys: - - key: ServerAddressesElement - title: Server Address Element - type: - - key: AllowFailover - title: Allow Failover - supportedOS: - iOS: - introduced: '26.0' - macOS: - introduced: '26.0' - visionOS: - introduced: '26.0' - type: - presence: optional - default: false - content: If `true`, the device allows failover to the default system DNS resolver. - - key: PayloadCertificateUUID - title: Certificate UUID - supportedOS: - iOS: - introduced: '16.0' - macOS: - introduced: '13.0' - type: - presence: optional - format: ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$ - content: The UUID that points to an identity certificate payload. The system uses - this identity to authenticate the user to the DNS resolver. - - key: SupplementalMatchDomains - title: Supplemental Match Domains - type: - presence: optional - content: |- - A list of domain strings used to determine which DNS queries use the DNS server. If not set, all domains use the DNS server. - - The system supports a single wildcard (`*`) prefix, but it's not required. For example, both `*.example.com` and `example.com` match against `mydomain.example.com` and `your.domain.example.com`, but don't match against `mydomain-example.com`. - subkeys: - - key: SupplementalMatchDomainsElement - title: Supplemental Match Domains Element - type: -- key: OnDemandRules - title: On Demand Rules - type: - presence: optional - content: An array of rules that define the DNS settings. If not set, the system - always applies the DNS settings. These rules are identical to the `OnDemandRules` - array in VPN payloads. 
- subkeytype: OnDemandRulesElement - subkeys: - - key: OnDemandRulesElement - title: On Demand Rules Element - type: - subkeys: - - key: Action - title: On Demand Action - type: - presence: required - rangelist: - - Connect - - Disconnect - - EvaluateConnection - content: |- - The action to take if this dictionary matches the current network. Allowed values: - - - `Connect`: Apply DNS Settings when the dictionary matches. - - `Disconnect`: Don't apply DNS Settings when the dictionary matches. - - `EvaluateConnection`: Apply DNS Settings with per-domain exceptions when the dictionary matches. - - key: ActionParameters - title: Action Parameters - type: - presence: optional - content: An array of dictionaries that provide per-connection rules. The system - uses this array only for settings where the `Action` value is `EvaluateConnection`. - subkeys: - - key: ActionParameter - title: Action Parameter - type: - presence: optional - content: |- - A dictionary that provides per-connection rules. - The keys allowed in each dictionary are described below. Note: This array is only for dictionaries in which `EvaluateConnection` is the `Action` value. - subkeys: - - key: Domains - title: Domains - type: - presence: required - content: The domains for which this evaluation applies. - subkeys: - - key: DomainsElement - title: Domains Element - type: - - key: DomainAction - title: Domain Action - type: - presence: required - rangelist: - - NeverConnect - - ConnectIfNeeded - content: |- - The DNS settings behavior for the specified domains. Allowed values: - - * 'NeverConnect': Don't use the DNS Settings for the specified domains. - * 'ConnectIfNeeded': Allow using the DNS Settings for the specified domains. - - key: DNSDomainMatch - title: DNS Domain Match - type: - presence: optional - content: |- - An array of domain names. This rule matches if any of the domain names in the specified list matches any domain in the device's search domains list. 
- - The system supports a single wildcard (`*`) prefix, but it's not required. For example, both `*.example.com` and `example.com` match against `mydomain.example.com` and `your.domain.example.com`, but don't match against `mydomain-example.com`. - subkeys: - - key: DNSDomainMatchElement - title: DNS Domain Match Element - type: - - key: DNSServerAddressMatch - title: DNS Server Address Match - type: - presence: optional - content: |- - An array of IP addresses. This rule matches if any of the network's specified DNS servers match any entry in the array. - - The system supports matching with a single wildcard. For example, `17.*` matches any DNS server in the 17.0.0.0/8 subnet. - subkeys: - - key: DNSServerAddressMatchElement - title: DNS Server Address Match Element - type: - - key: InterfaceTypeMatch - title: Interface Type Match - type: - presence: optional - rangelist: - - Ethernet - - WiFi - - Cellular - content: An interface type. If specified, this rule matches only if the primary - network interface hardware matches the specified type. - - key: SSIDMatch - title: SSID Match - type: - presence: optional - content: An array of SSIDs to match against the current network. If the network - isn't a Wi-Fi network or if the SSID doesn't appear in this array, the match - fails. Omit this key and the corresponding array to match against any SSID. - subkeys: - - key: SSIDMatchElement - title: SSID Match Element - type: - - key: URLStringProbe - title: URL String Probe - type: - presence: optional - content: A URL to probe. This rule matches if this URL is successfully fetched - and returns a 200 HTTP status code without redirection. -- key: ProhibitDisablement - title: Prohibit Disablement - type: - presence: optional - default: false - content: If `true`, the system prohibits users from disabling DNS settings. This - key is only available on supervised devices. 
-notes: -- title: '' - content: |- - When installed from an MDM, the setting only applies to managed Wi-Fi networks. - - When installed manually, this setting also applies to cellular networks.
diff --git a/mdm/profiles/com.apple.dock.yaml b/mdm/profiles/com.apple.dock.yaml
deleted file mode 100644
index be01e76..0000000
--- a/mdm/profiles/com.apple.dock.yaml
+++ /dev/null
@@ -1,297 +0,0 @@ -title: Dock -description: The payload that configures the Dock. -payload: - payloadtype: com.apple.dock - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.7' - multiple: false - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a -payloadkeys: -- key: tilesize - type: - presence: optional - range: - min: 16 - max: 128 - content: The tile size. Values must be in the range from 16 to 128. -- key: size-immutable - type: - presence: optional - default: false - content: If `true`, locks the size slider. -- key: magnification - type: - presence: optional - default: false - content: If `true`, enables magnification. -- key: magnify-immutable - type: - presence: optional - default: false - content: If `true`, locks magnification. -- key: largesize - type: - presence: optional - range: - min: 16 - max: 128 - content: The size of the largest magnification. -- key: magsize-immutable - type: - presence: optional - default: false - content: If `true`, locks the magnification slider. -- key: orientation - type: - presence: optional - rangelist: - - bottom - - left - - right - content: The orientation of the Dock. -- key: position-immutable - type: - presence: optional - default: false - content: If `true`, locks the position. -- key: mineffect - type: - presence: optional - rangelist: - - genie - - scale - content: The minimize effect. -- key: mineffect-immutable - type: - presence: optional - default: false - content: If `true`, locks "Minimize windows using." -- key: windowtabbing - supportedOS: - macOS: - introduced: '10.15' - type: - presence: optional - rangelist: - - manual - - always - - fullscreen - content: Set the "Prefer tabs when opening documents" to the provided value. 
-- key: windowtabbing-immutable - supportedOS: - macOS: - introduced: '10.12' - type: - presence: optional - default: false - content: If `true`, disables "Prefer tabs when opening documents" checkbox. -- key: dblclickbehavior - supportedOS: - macOS: - introduced: '10.15' - type: - presence: optional - rangelist: - - minimize - - maximize - - none - content: The behavior when the window's title bar is double-clicked. -- key: dblclickbehavior-immutable - supportedOS: - macOS: - introduced: '10.14' - type: - presence: optional - default: false - content: If `true`, locks "Double-click a window's title bar." -- key: minimize-to-application - type: - presence: optional - default: false - content: If `true`, enables "Minimize windows into application icon." -- key: minintoapp-immutable - supportedOS: - macOS: - introduced: '10.14' - type: - presence: optional - default: false - content: If `true`, disables the "Minimize windows into application icon" checkbox. -- key: launchanim - type: - presence: optional - default: false - content: If `true`, enables "Animate opening applications." -- key: launchanim-immutable - type: - presence: optional - default: false - content: If `true`, locks "Animate opening applications." -- key: autohide - type: - presence: optional - default: false - content: If `true`, enables "Automatically hide and show the Dock." -- key: autohide-immutable - type: - presence: optional - default: false - content: If `true`, locks "Automatically hide." -- key: show-process-indicators - type: - presence: optional - default: false - content: If true, shows the process indicator. -- key: showindicators-immutable - type: - presence: optional - default: false - content: If `true`, locks "Show indicators." -- key: show-recents - supportedOS: - macOS: - introduced: '10.14' - type: - presence: optional - default: false - content: If `true`, enables "Show recent items." 
-- key: showrecents-immutable - supportedOS: - macOS: - introduced: '10.15' - type: - presence: optional - default: false - content: If `true`, disables "Show recent applications" checkbox. -- key: contents-immutable - type: - presence: optional - default: false - content: If `true`, disables changes to the Dock. -- key: MCXDockSpecialFolders - type: - presence: optional - content: |- - One or more special folders that may be created at user login time and placed in the Dock. - - - - The "My Applications" item is only used for Simple Finder environments. The "Original Network Home" item is only used for mobile account users. - subkeys: - - key: MCXDockSpecialFoldersItems - type: - rangelist: - - AddDockMCXMyApplicationsFolder - - AddDockMCXDocumentsFolder - - AddDockMCXSharedFolder - - AddDockMCXOriginalNetworkHomeFolder -- key: AllowDockFixupOverride - supportedOS: - macOS: - introduced: '10.12' - type: - presence: optional - default: false - content: If `true`, use the file in `/Library/Preferences/com.apple.dockfixup.plist` - when a new user or migrated user logs in. This option has no effect for existing - users. Available in macOS 10.12 and later. Only available on the device channel. -- key: static-only - type: - presence: optional - default: false - content: If `true`, uses the `static-apps` and `static-others` dictionaries for - the Dock and ignores any items in the `persistent-apps` and `persistent-others` - dictionaries. If `false`, the contents are merged with the static items listed - first. -- key: static-others - type: - presence: optional - content: An array of items located on the Documents side of the Dock and cannot - be removed from that location. - subkeytype: StaticItem - subkeys: &id001 - - key: StaticItem - type: - content: Items that are located on the Documents side of the Dock and cannot be - removed from that location. - subkeys: - - key: tile-data - type: - presence: required - content: The information about the Dock item. 
- subkeys: - - key: label - type: - presence: required - content: The label of the Dock item. - - key: url - type: - presence: optional - content: The URL string. - - key: file-type - type: - presence: required - rangelist: - - 0 - - 1 - - 3 - content: |- - The type of tile: - - - `0`: URL - - `1`: File - - `3`: Directory - - key: file-data - type: - presence: optional - content: The data in a file. For Apple use only. - subkeys: - - key: ANY - type: - presence: optional - content: For Apple use only. - - key: tile-type - type: - presence: required - rangelist: - - file-tile - - directory-tile - - url-tile - content: The type of tile. -- key: static-apps - type: - presence: optional - content: An array of items located on the Applications side of the Dock and cannot - be removed from that location. - subkeytype: StaticItem - subkeys: *id001 -- key: persistent-apps - type: - presence: optional - content: An array of items located on the Applications side of the Dock that can - be removed from the Dock. - subkeytype: StaticItem - subkeys: *id001 -- key: persistent-others - type: - presence: optional - content: An array of items located on the Documents side of the Dock that can be - removed from the Dock. - subkeytype: StaticItem - subkeys: *id001
diff --git a/mdm/profiles/com.apple.domains.yaml b/mdm/profiles/com.apple.domains.yaml
deleted file mode 100644
index b13ffc2..0000000
--- a/mdm/profiles/com.apple.domains.yaml
+++ /dev/null
@@ -1,151 +0,0 @@ -title: Domains -description: The payload that configures the domains under an organization's management. -payload: - payloadtype: com.apple.domains - supportedOS: - iOS: - introduced: '8.0' - multiple: false - supervised: false - allowmanualinstall: true - sharedipad: - mode: allowed - devicechannel: true - userchannel: true - userenrollment: - mode: forbidden - macOS: - introduced: '10.10' - multiple: false - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: '2.0' - multiple: false - supervised: false - allowmanualinstall: true - userenrollment: - mode: forbidden - watchOS: - introduced: n/a - content: This payload defines web domains that are under an enterprise's management. -payloadkeys: -- key: EmailDomains - title: Email Domains - supportedOS: - visionOS: - introduced: n/a - type: - presence: optional - content: |- - An array of domains. Mail marks in red all email addresses that lack a suffix matching any of these strings. - - Available in iOS 8 and later and macOS 10.10 and later. - subkeys: - - key: EmailDomainsItem - type: - presence: required - content: An email address. -- key: WebDomains - title: Web Domains - supportedOS: - macOS: - introduced: n/a - type: - presence: optional - content: |- - An array of domains. The system considers URLs matching the patterns listed in this property managed. - - Available in iOS 9.3 and later. - subkeys: - - key: WebDomainsItem - type: -- key: SafariPasswordAutoFillDomains - title: Password Autofill Domains - supportedOS: - iOS: - introduced: '9.3' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - type: - presence: optional - content: |- - An array of domains. Users can only save passwords in Safari from URLs matching the patterns listed here. 
This property doesn't disable the autofill feature itself. - - Supervised devices or Shared iPads need this property to enable saving passwords in Safari. - - Available in iOS 9.3 and later. - subkeys: - - key: SafariPasswordAutoFillDomainsItem - type: -- key: CrossSiteTrackingPreventionRelaxedDomains - title: Cross-Site Tracking Prevention Relaxed Domains - supportedOS: - iOS: - introduced: '16.2' - supervised: true - allowmanualinstall: false - userenrollment: - mode: forbidden - macOS: - introduced: '13.1' - allowmanualinstall: false - type: - presence: optional - content: |- - An array of up to 10 strings. URLs matching the patterns listed here have relaxed enforcement of cross-site tracking prevention. - - Available in iOS 16.2 and later and macOS 13.1 and later. - subkeys: - - key: CrossSiteTrackingPreventionRelaxedDomainItem - type: -- key: CrossSiteTrackingPreventionRelaxedApps - title: Cross-Site Tracking Prevention Relaxed Apps - supportedOS: - iOS: - introduced: '18.0' - supervised: true - allowmanualinstall: false - userenrollment: - mode: forbidden - macOS: - introduced: '15.0' - allowmanualinstall: false - type: - presence: optional - content: |- - An array of up to 10 strings representing app bundle-ids. Apps matching the bundle-ids listed here have relaxed enforcement of cross-site tracking prevention for the domains listed in `CrossSiteTrackingPreventionRelaxedDomains`. - - Available in iOS 18 and later and macOS 15 and later. - subkeys: - - key: CrossSiteTrackingPreventionRelaxedAppsItem - type: -notes: -- title: '' - content: |- - The `WebDomains`, `SafariPasswordAutoFillDomains`, and `CrossSiteTrackingPreventionRelaxedDomains` keys are arrays containing strings that use the following matching patterns: - - - `example.com`: Any path under `example.com` matches, but not `site.example.com`. - - `foo.example.com`: Any path under `foo.example.com` matches, but not `example.com` or `bar.example.com`. 
- - `\*.example.com`: Any path under `foo.example.com` or `bar.example.com` matches, but not `example.com`. - - `example.com/sub`: `example.com/sub` and any path under it matches, but not `example.com`. - - `foo.example.com/sub`: Any path under `foo.example.com/sub` matches, but not `example.com`, `example.com/sub`, `foo.example.com/`, or `bar.example.com/sub`. - - `\*.example.com/sub`: Any path under `foo.example.com/sub` or `bar.example.com/sub` matches, but not `example.com` or `foo.example.com/`. - - `\*.co`: Any path under `example.co` or `betterbag.co` matches, but not `example.co.uk` or `example.com`. - - A URL that begins with the prefix `www.` is treated as though it doesn't contain that prefix during matching. For example, `http://www.example.com/store` is matched as `http://example.com/store`. - - Trailing slashes are ignored. - - If a domain string contains a port number, the system considers only addresses that specify that port number managed. Otherwise, the system matches the domain without regard to the port number specified. For example, the pattern `*.example.com:8080` matches `http://site.example.com:8080/page.html` but not `http://site.example.com/page.html`, while the pattern `*.example.com` matches both URLs.
diff --git a/mdm/profiles/com.apple.eas.account.yaml b/mdm/profiles/com.apple.eas.account.yaml
deleted file mode 100644
index dcc217d..0000000
--- a/mdm/profiles/com.apple.eas.account.yaml
+++ /dev/null
@@ -1,461 +0,0 @@ -title: Exchange ActiveSync -description: The payload that configures Exchange ActiveSync accounts. -payload: - payloadtype: com.apple.eas.account - supportedOS: - iOS: - introduced: '4.0' - multiple: true - supervised: false - allowmanualinstall: true - sharedipad: - mode: allowed - devicechannel: false - userchannel: true - userenrollment: - mode: allowed - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: '1.1' - multiple: true - supervised: false - allowmanualinstall: true - userenrollment: - mode: allowed - watchOS: - introduced: n/a - content: |- - This payload configures an Exchange Active Sync account on an iOS device for Mail, Contacts, Calendars, Reminders, and Notes. - Updating this payload overrides any settings that the user customized, such as EnableMail/Contacts/Calendars/Reminders/Notes and MailNumberOfPastDaysToSync. -payloadkeys: -- key: EmailAddress - title: Email Address - type: - presence: optional - content: The full email address for the account. If not present in the payload, - the device prompts for this string during profile installation. -- key: Host - title: Exchange ActiveSync Host - type: - presence: optional - content: The Exchange server host name or IP address. -- key: SSL - title: Use SSL - type: - presence: optional - default: false - content: If `true`, the system enables SSL for authentication. -- key: OAuth - title: Use OAuth - supportedOS: - iOS: - introduced: '12.0' - type: - presence: optional - default: false - content: |- - If `true`, enables OAuth for authentication. If enabled, don't specify a password. - - Available only in iOS 12.0 and above. -- key: UserName - title: User - type: - presence: optional - content: This user name for this Exchange account. Required for noninteractive installations - like MDM in iOS. -- key: Password - title: Password - type: - presence: optional - content: The password of the account. Use only with encrypted profiles. 
-- key: Certificate - title: Authentication Credential - supportedOS: - iOS: - introduced: '7.0' - type: - presence: optional - content: The `.p12` identity certificate in NSData blob format, for accounts that - allow authentication via certificate. -- key: CertificateName - title: Authentication Credential Name - supportedOS: - iOS: - introduced: '7.0' - type: - presence: optional - content: The name or description of the certificate. -- key: CertificatePassword - title: Authentication Credential Password - type: - presence: optional - content: The password necessary for the `.p12` identity certificate. Used with mandatory - encryption of profiles. -- key: PreventMove - title: Prevent Move - supportedOS: - iOS: - introduced: '5.0' - type: - presence: optional - default: false - content: If `true`, the system prevents moving messages from out of this email account - into another account. This setting also prevents forwarding or replying from an - account other than the recipient of the message. -- key: PreventAppSheet - title: Prevent App Sheet - supportedOS: - iOS: - introduced: '5.0' - type: - presence: optional - default: false - content: If `true`, prevents this account from sending mail in any app other than - the Apple Mail app. -- key: PayloadCertificateUUID - title: Payload Certificate UUID - type: - presence: optional - format: ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$ - content: The UUID of the certificate payload within the same profile to use for - the identity credential. If this field is present, the Certificate field isn't - used. -- key: SMIMEEnabled - title: S/MIME Enabled - supportedOS: - iOS: - introduced: '5.0' - deprecated: '10.0' - visionOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system enables S/MIME encryption. In iOS 10.0 and later, - this key is ignored. Use `SMIMESigningEnabled` instead. 
-- key: SMIMESigningEnabled - title: S/MIME Signing Enabled - supportedOS: - iOS: - introduced: '10.3' - type: - presence: optional - default: false - content: If `true`, the system enables S/MIME signing for this account. Available - in iOS 10.0 and later. -- key: SMIMESigningCertificateUUID - title: S/MIME Signing Certificate - supportedOS: - iOS: - introduced: '5.0' - type: - presence: optional - format: ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$ - content: The UUID of the identity certificate used to sign messages sent from this - account. -- key: SMIMEEncryptionEnabled - title: S/MIME Encryption Enabled - supportedOS: - iOS: - introduced: '10.3' - deprecated: '12.0' - visionOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system enables S/MIME encryption for this account. Available - in iOS 10.0 and later. As of iOS 12.0, this key is deprecated. Use `SMIMEEncryptByDefault` - instead. -- key: SMIMEEncryptionCertificateUUID - title: S/MIME Encryption Certificate - supportedOS: - iOS: - introduced: '5.0' - type: - presence: optional - format: ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$ - content: The payload UUID of the identity certificate used to decrypt messages sent - to this account. The system attaches the public certificate to outgoing mail to - allow the user to receive encrypted mail. When the user sends encrypted mail, - the system uses the public certificate to encrypt the copy of the mail in the - user's Sent mailbox. -- key: SMIMEEnablePerMessageSwitch - title: S/MIME Enable Per-Message Switch - supportedOS: - iOS: - introduced: '8.0' - deprecated: '12.0' - visionOS: - introduced: n/a - type: - presence: optional - default: false - content: |- - If `true`, the system displays the per-message encryption switch in the Mail Compose UI. - - Available in iOS 8.0 and later. As of iOS 12.0, this key is deprecated. 
Use `SMIMEEnableEncryptionPerMessageSwitch` instead. -- key: disableMailRecentsSyncing - title: Disable Mail Recents Syncing - type: - presence: optional - default: false - content: If `true`, the system excludes this account from Recent Addresses syncing. -- key: MailNumberOfPastDaysToSync - title: Past Days of Mail to Sync - type: - presence: optional - rangelist: - - 0 - - 1 - - 3 - - 7 - - 14 - - 31 - default: 7 - content: |- - The number of days in the past to sync mail on the device. - - For no limit, use the value `0`. -- key: HeaderMagic - supportedOS: - iOS: - deprecated: '7.0' - visionOS: - introduced: n/a - type: - presence: optional - content: The value of the `X-Apple-Config-Magic` header in each EAS HTTP request. -- key: CommunicationServiceRules - title: Communication Service Rules - supportedOS: - iOS: - introduced: '10.0' - type: - presence: optional - content: The communication service handler rules for this account. - subkeys: - - key: DefaultServiceHandlers - title: Default Service Handlers - supportedOS: - iOS: - introduced: '10.0' - type: - presence: optional - content: The default handlers to use for contacts from this account. - subkeys: - - key: AudioCall - title: App for audio calls - supportedOS: - iOS: - introduced: '10.0' - type: - presence: optional - content: The bundle identifier of the default application to use for audio calls - made to contacts from this account. -- key: allowMailDrop - title: Allow Mail Drop - supportedOS: - iOS: - introduced: '9.2' - type: - presence: optional - default: false - content: If `true`, the system enables this account to use Mail Drop. -- key: SMIMESigningUserOverrideable - supportedOS: - iOS: - introduced: '12.0' - type: - presence: optional - default: false - content: If `true`, the user can turn S/MIME signing on or off in Settings. Available - in iOS 12.0 and later. 
-- key: SMIMESigningCertificateUUIDUserOverrideable - supportedOS: - iOS: - introduced: '12.0' - type: - presence: optional - default: false - content: If `true`, the user can select the signing identity. Available in iOS 12.0 - and later. -- key: SMIMEEncryptByDefault - supportedOS: - iOS: - introduced: '12.0' - type: - presence: optional - default: false - content: If `true`, the system enables S/MIME encryption by default. If `SMIMEEnableEncryptionPerMessageSwitch` - is `false`, the user can't change this default. Available in iOS 12.0 and later. -- key: SMIMEEncryptByDefaultUserOverrideable - supportedOS: - iOS: - introduced: '12.0' - type: - presence: optional - default: false - content: If `true`, the system enables encryption by default and the user can't - change it. Available in iOS 12.0 and later. -- key: SMIMEEncryptionCertificateUUIDUserOverrideable - supportedOS: - iOS: - introduced: '12.0' - type: - presence: optional - default: false - content: If `true`, the user can select the S/MIME encryption identity, and encryption - is on.Available in iOS 12.0 and later. -- key: SMIMEEnableEncryptionPerMessageSwitch - supportedOS: - iOS: - introduced: '12.0' - type: - presence: optional - default: false - content: If `true`, the system displays the per-message encryption switch in the - Mail Compose UI. Available in iOS 12.0 and later. -- key: EnableMail - supportedOS: - iOS: - introduced: '13.0' - type: - presence: optional - default: true - content: |- - If `false`, the system disables the Mail service for this account. The user can reenable Mail service in Settings unless `EnableMailUserOverridable` is `false`. - - > Note: - > At least of the following fields needs to be `true`: `EnableMail`, `EnableContacts`, `EnableCalendars`, `EnableReminders`, and `EnableNotes`. 
-- key: EnableContacts - supportedOS: - iOS: - introduced: '13.0' - type: - presence: optional - default: true - content: |- - If `false`, the system disables the Contacts service for this account. The user can reenable Contacts service in Settings unless `EnableContactsUserOverridable` is `false`. - - > Note: - > At least of the following fields needs to be `true`: `EnableMail`, `EnableContacts`, `EnableCalendars`, `EnableReminders`, and `EnableNotes`. -- key: EnableCalendars - supportedOS: - iOS: - introduced: '13.0' - type: - presence: optional - default: true - content: |- - If `false`, the system disables the Calendars service for this account. The user can reenable Calendars service in Settings unless `EnableCalendarsUserOverridable` is `false`. - - > Note: - > At least of the following fields needs to be `true`: `EnableMail`, `EnableContacts`, `EnableCalendars`, `EnableReminders`, and `EnableNotes`. -- key: EnableReminders - supportedOS: - iOS: - introduced: '13.0' - type: - presence: optional - default: true - content: |- - If `false`, the system disables the Reminders service for this account. The user can reenable Reminders service in Settings unless `EnableRemindersUserOverridable` is `false`. - - > Note: - > At least of the following fields needs to be `true`: `EnableMail`, `EnableContacts`, `EnableCalendars`, `EnableReminders`, and `EnableNotes`. -- key: EnableNotes - supportedOS: - iOS: - introduced: '13.0' - type: - presence: optional - default: true - content: |- - If `false`, the system disables the Notes service for this account. The user can reenable Notes service in Settings unless `EnableNotesUserOverridable` is `false`. - - > Note: - > At least of the following fields needs to be `true`: `EnableMail`, `EnableContacts`, `EnableCalendars`, `EnableReminders`, and `EnableNotes`. 
-- key: EnableMailUserOverridable - supportedOS: - iOS: - introduced: '13.0' - type: - presence: optional - default: true - content: If `false`, the system prevents the user from changing the state of the - Mail service for this account in Settings. -- key: EnableContactsUserOverridable - supportedOS: - iOS: - introduced: '13.0' - type: - presence: optional - default: true - content: If `false`, the system prevents the user from changing the state of the - Contacts service for this account in Settings. -- key: EnableCalendarsUserOverridable - supportedOS: - iOS: - introduced: '13.0' - type: - presence: optional - default: true - content: If `false`, the system prevents the user from changing the state of the - Calendars service for this account in Settings. -- key: EnableRemindersUserOverridable - supportedOS: - iOS: - introduced: '13.0' - type: - presence: optional - default: true - content: If `false`, the system prevents the user from changing the state of the - Reminders service for this account in Settings. -- key: EnableNotesUserOverridable - supportedOS: - iOS: - introduced: '13.0' - type: - presence: optional - default: true - content: If `false`, prevents the user from changing the state of the Notes service - for this account in Settings. -- key: OAuthSignInURL - supportedOS: - iOS: - introduced: '13.0' - type: - presence: optional - content: The URL that this account should use for signing in through OAuth. Ignored - unless `OAuth` is `true`. If you specify this URL, auto-discovery isn't used for - this account, so you need to also specify a host. -- key: OAuthTokenRequestURL - supportedOS: - iOS: - introduced: '13.0' - type: - presence: optional - content: The URL that this account should use for token requests through OAuth. - Ignored unless `OAuth` is `true`. 
-- key: OverridePreviousPassword - supportedOS: - iOS: - introduced: '14.0' - type: - presence: optional - default: false - content: If `true`, the system overrides the previous user/EAS password with the - new EAS password in the payload. Available in iOS 14 and later. -- key: VPNUUID - title: VPNUUID - supportedOS: - iOS: - introduced: '14.0' - type: - presence: optional - content: The VPNUUID of the per-app VPN the account uses for network communication. - Available in iOS 14 and later. diff --git a/mdm/profiles/com.apple.education.yaml b/mdm/profiles/com.apple.education.yaml deleted file mode 100644 index 03c1ac5..0000000 --- a/mdm/profiles/com.apple.education.yaml +++ /dev/null 
@@ -1,322 +0,0 @@ -title: Education Configuration -description: The payload that configures the users, groups, and departments within - an educational organization. -payload: - payloadtype: com.apple.education - supportedOS: - iOS: - introduced: '9.3' - multiple: false - supervised: false - allowmanualinstall: true - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: allowed - macOS: - introduced: '10.14' - multiple: false - devicechannel: false - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: allowed - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: This payload is used to configure Classroom students, Classroom instructors, - and the Shared iPad login screen. These do not necessarily require the same set - of keys to be present in their payloads, so make sure to include all keys that - are required for the education product you are configuring. -payloadkeys: -- key: OrganizationUUID - type: - presence: required - content: The organization's UUID identifier. This identifier can be any valid UUID. - All teacher and student devices that need to communicate with one another must - have the same organization UUID, particularly if they originated from different - Device Enrollment Programs. -- key: OrganizationName - type: - presence: required - content: The organization's display name. The system displays this name in the iOS - login screen. -- key: PayloadCertificateUUID - type: - presence: optional - content: |- - The UUID of an identity certificate payload within the same profile to use for performing client authentication with other devices. This property supports PKCS12 certificates. - - Required to configure Classroom. Has no effect on the configuration of the Shared iPad login screen. 
-- key: LeaderPayloadCertificateAnchorUUID - type: - presence: optional - content: |- - The array of UUIDs referring to certificate payloads within the same profile that the system uses to authorize leader peer certificate identities. This array needs to contain all necessary certificates to validate the entire chain of trust. Leader certificates needs to have the common name prefix leader, which is case insensitive. - - This property doesn't support identity payloads or PKCS12 certificates. - - Required when configuring a student device for Classroom, and ignored when configuring an instructor device. Has no effect on the configuration of the Shared iPad login screen. - subkeys: - - key: LeaderPayloadCertificateAnchorUUIDItem - type: - presence: required - content: A certificate payload UUID. -- key: MemberPayloadCertificateAnchorUUID - type: - presence: optional - content: |- - The array of UUIDs referring to certificate payloads within the same profile that the system uses to authorize group member peer certificate identities. This array must contain all certificates needed to validate the entire chain of trust. Member certificates must have the common name prefix member (case insensitive). - - This property doesn't support identity payloads or PKCS12 certificates. - - Required when configuring a student device for Classroom, and ignored when configuring an instructor device. Has no effect on the configuration of the Shared iPad login screen. - subkeys: - - key: MemberPayloadCertificateAnchorUUIDItem - type: - presence: required - content: A certificate payload UUID. -- key: ResourcePayloadCertificateUUID - type: - presence: optional - content: |- - The UUID of an identity certificate payload within the same profile that the system uses to perform client authentication when fetching additional resources, such as student images. - - If set, the system uses this key to configure both Classroom and the Shared iPad login screen. 
If not set, the system uses MDM client identity. -- key: UserIdentifier - type: - presence: required - content: |- - The unique string that identifies the user of this device within the organization. - - Don't set this value in payloads intended to configure the Shared iPad login screen. -- key: Departments - type: - presence: optional - content: _For Shared iPad profiles:_ The array of dictionaries that defines which - departments the system displays in the Shared iPad login screen. If set, the system - uses this key to configure both Classroom and the Shared iPad login screen. - subkeys: - - key: DepartmentsItem - type: - content: A department in the organization. - subkeys: - - key: Name - type: - presence: required - content: The display name of the department. - - key: GroupBeaconIDs - type: - presence: required - content: The group beacon identifiers that are members of this department. - subkeys: - - key: GroupBeaconIDsItem - type: - presence: required - content: A group beacon identifier. -- key: Groups - type: - presence: required - content: |- - _For Shared iPad profiles:_ The array of dictionaries that defines which groups the user can select in the Login Window. - - _For leader/teacher profiles:_ The array of dictionaries that defines the groups that the user can control. - - _For member/student profiles:_ The array of dictionaries that defines the groups where the user is a member. - subkeys: - - key: GroupsItem - type: - content: An array of dictionaries defining groups. - subkeys: - - key: BeaconID - type: - presence: required - content: An unsigned 16 bit integer specifying this group's unique beacon ID. - - key: Name - type: - presence: required - content: The display name of the group. - - key: Description - type: - presence: optional - content: The description of the group. - - key: ImageURL - supportedOS: - iOS: - deprecated: 9.3.1 - macOS: - introduced: n/a - type: - presence: optional - content: Deprecated in iOS 9.3.1 and later. 
The URL of an image for the group. - - key: ConfigurationSource - type: - presence: optional - content: The source that provided this group, such as SIS, or MDM. - - key: LeaderIdentifiers - type: - presence: optional - content: The user identifiers that are leaders of this group. - subkeys: - - key: LeaderIdentifiersItem - type: - presence: required - content: A user identifier. - - key: MemberIdentifiers - type: - presence: required - content: The entries in the Users array that are members of the group. - subkeys: - - key: MemberIdentifiersItem - type: - presence: required - content: A member identifier. - - key: DeviceGroupIdentifiers - type: - presence: optional - content: |- - The identifiers that refer to entries in the `DeviceGroups` array to which the instructor can assign users from this class. - - Has no effect on the configuration of the Shared iPad login screen. - subkeys: - - key: DeviceGroupIdentifiersItem - type: - presence: required - content: A device group identifier. -- key: Users - type: - presence: required - content: |- - For Shared iPad profiles: The array of dictionaries that define the users that the system displays in the iOS Login Window. - - _For leader/teacher profiles:_ The array of dictionaries that define users that are members of the teacher's groups. - - _For member/student profiles:_ The array of dictionaries that needs to contain the definition of the user specified in the `UserIdentifier` key. With one-to-one member devices, this key should include only the device user and the teacher but not other class members. - subkeys: - - key: UsersItem - type: - content: A user in the organization. - subkeys: - - key: Identifier - type: - presence: required - content: The unique identifier for a user in the organization. - - key: Name - type: - presence: required - content: The name of the user. - - key: GivenName - type: - presence: optional - content: The given name of the user. 
- - key: FamilyName - type: - presence: optional - content: The family name of the user. - - key: PhoneticGivenName - type: - presence: optional - content: The user's phonetic given name. The system uses this name to sort users - in the Classroom app and the Shared iPad Login Screen. - - key: PhoneticFamilyName - type: - presence: optional - content: The user's phonetic family name. The system uses this name to sort - users in the Classroom app and the Shared iPad login screen. - - key: ImageURL - type: - presence: optional - content: A string that contains a URL pointing to an image of the user. The - system displays this image in the iOS login screen and in the Classroom app. - The recommended resolution is 256 x 256 pixels (512 x 512 pixels on a 2x device). - The recommended formats are JPEG, PNG, and TIFF. The system uses the `ResourcePayloadCertificateUUID` - identity certificate or the MDM client identity to perform authentication - when fetching the image. - - key: FullScreenImageURL - supportedOS: - iOS: - deprecated: 9.3.1 - macOS: - introduced: n/a - type: - presence: optional - content: Deprecated in iOS 9.3.1 and later. The URL pointing to an image of - the user. The system uses the `ResourcePayloadCertificateUUID` identity certificate - or the MDM client identity to perform authentication when fetching the specified - resource. - - key: AppleID - type: - presence: optional - content: |- - The Managed Apple Account for this user. - - Not required to configure Classroom, but if set the system uses it. - - Required to configure the Shared iPad login screen. - - key: PasscodeType - type: - presence: optional - rangelist: - - complex - - four - - six - content: The type of passcode UI to show when the user is at the Login Window. -- key: DeviceGroups - type: - presence: optional - content: _For leader/teacher profiles:_ The array of dictionaries that defines which - device groups the leader can assign devices to. Not included in member payloads. 
- subkeys: - - key: DeviceGroupsItem - type: - content: A device group in the organization. - subkeys: - - key: Identifier - type: - presence: required - content: The unique identifier for the device group in the organization. - - key: Name - type: - presence: required - content: The name of the device group, which must be unique in the organization. - - key: SerialNumbers - type: - presence: required - content: The serial numbers of the devices in the group. - subkeys: - - key: SerialNumbersItem - type: - presence: required - content: A serial number. -- key: ScreenObservationPermissionModificationAllowed - supportedOS: - iOS: - introduced: '10.3' - type: - presence: optional - default: false - content: If `true`, the system allows students enrolled in managed classes to modify - their teacher's permissions for screen observation on their device. -notes: -- title: '' - content: |- - In iOS, send this payload over the device channel. Additionally, the system requires supervision unless the payload only specifies as teacher configuration. - - In macOS, send this payload over the user channel. The system supports student payloads in macOS 10.14.4 and later. - - Additionally, configure: - - - All identities as both SSL clients and servers - - All certificates with a key size of at least 2048 bits - - All certificates to use a hashing algorithm of SHA256 or stronger - - Leader certificates to have the common name prefix leader, which is case-insensitive - - Member certificates to have the common name prefix member, which is case-insensitive - - TLS server certificates issued on or after September 1, 2020 00:00 GMT/UTC to have a validity period greater than 398 days; see [About Upcoming Limits on Trusted Certificates](https://support.apple.com/en-us/HT211025) for more information. diff --git a/mdm/profiles/com.apple.ews.account.yaml b/mdm/profiles/com.apple.ews.account.yaml deleted file mode 100644 index 18fddb9..0000000 
--- a/mdm/profiles/com.apple.ews.account.yaml
+++ /dev/null
@@ -1,124 +0,0 @@ -title: Exchange Web Services -description: The payload that configures an Exchange Web Services accounts. -payload: - payloadtype: com.apple.ews.account - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.7' - multiple: true - devicechannel: false - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: allowed - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: For macOS 10.9 and higher, an Exchange Web services (EWS) account is configured - with support for Mail, Contacts, Calendar, Notes and Reminders. macOS 10.7-10.8 - only supported Contacts. -payloadkeys: -- key: EmailAddress - type: - presence: optional - content: The full email address for the account. If the email address string isn't - present in the payload, the device prompts for it during profile installation. -- key: Host - type: - presence: optional - content: The Exchange server host name or IP address. Ignored if using OAuth. -- key: SSL - type: - presence: optional - default: true - content: If `true`, the system enables SSL. -- key: OAuth - title: Use OAuth - supportedOS: - macOS: - introduced: '10.14' - type: - presence: optional - default: false - content: If `true`, the system enables OAuth for authentication. Don't specify a - password if `OAuth` is `true`. Available in macOS 10.14 and later -- key: OAuthSignInURL - title: URL for OAuth sign-in - supportedOS: - macOS: - introduced: '10.14' - type: - presence: optional - content: The URL to load into a web view for authentication through OAuth when autodiscovery - isn't used. This setting requires a `Host` value. -- key: UserName - type: - presence: optional - content: The user name for this Exchange account. Required for noninteractive installation, - such as through MDM. If missing, the system prompts the user for it during interactive - profile installation. 
-- key: Password - type: - presence: optional - content: The password of the account. Use only with encrypted profiles. -- key: PayloadCertificateUUID - title: Payload Certificate UUID - supportedOS: - macOS: - introduced: '10.12' - type: - presence: optional - format: ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$ - content: The UUID of the certificate payload within the same profile to use for - the identity credential. Supported on macOS 10.12 or later. -- key: AuthenticationCertificateUUID - supportedOS: - macOS: - introduced: '10.11' - type: - presence: optional - content: The UUID of the certificate payload within the same profile to use for - the identity credential. Supported on macOS 10.11 or later. On macOS 10.12 or - later use the PayloadCertificateUUID. -- key: allowMailDrop - title: Allow Mail Drop - supportedOS: - macOS: - introduced: '10.12' - type: - presence: optional - default: false - content: If `true`, the system enables Mail Drop. -- key: Path - type: - presence: optional - content: The server path. -- key: Port - type: - presence: optional - content: The server port number. -- key: ExternalHost - type: - presence: optional - content: The external server address. -- key: ExternalSSL - type: - presence: optional - default: true - content: If `true`, the system enables SSL for connections to the external server. -- key: ExternalPath - type: - presence: optional - content: The external server path. -- key: ExternalPort - type: - presence: optional - content: The external server port number. diff --git a/mdm/profiles/com.apple.extensiblesso(kerberos).yaml b/mdm/profiles/com.apple.extensiblesso(kerberos).yaml deleted file mode 100644 index 51adf7e..0000000 --- a/mdm/profiles/com.apple.extensiblesso(kerberos).yaml +++ /dev/null 
@@ -1,523 +0,0 @@ -title: Extensible Single Sign-On (Kerberos) -description: The payload that configures an app extension that performs single sign-on - with the Kerberos extension. -payload: - payloadtype: com.apple.extensiblesso - supportedOS: - iOS: - introduced: '13.0' - multiple: true - supervised: false - allowmanualinstall: false - sharedipad: - mode: allowed - devicechannel: false - userchannel: true - userenrollment: - mode: allowed - macOS: - introduced: '10.15' - multiple: true - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: true - allowmanualinstall: false - userenrollment: - mode: allowed - tvOS: - introduced: n/a - visionOS: - introduced: '1.1' - multiple: true - supervised: false - allowmanualinstall: false - userenrollment: - mode: allowed - watchOS: - introduced: n/a - content: Configures the included Kerberos extension that performs SSO on behalf - of specified hosts. User channel support was added in macOS 11.0. -payloadkeys: -- key: ExtensionIdentifier - type: - presence: required - rangelist: - - com.apple.AppSSOKerberos.KerberosExtension - content: Set this to `com.apple.AppSSOKerberos.KerberosExtension` for this extension. -- key: TeamIdentifier - type: - presence: required - rangelist: - - apple - content: Set this to `apple` for this extension. -- key: Type - type: - presence: required - rangelist: - - Credential - content: Set this to `Credential` for this extension. -- key: Realm - type: - presence: required - content: The Kerberos realm. Use proper capitalization for this value. If in an - Active Directory forest, this is the realm where the user logs in. -- key: ExtensionData - type: - presence: optional - content: This is the dictionary used by the Apple built-in Kerberos extension. - subkeys: - - key: cacheName - supportedOS: - iOS: - deprecated: '15.0' - macOS: - deprecated: '12.0' - type: - presence: optional - content: The GSS name of the Kerberos cache to use. 
Rarely set by an administrator. - - key: principalName - type: - presence: optional - content: The principal (username) to use. You don't need to include the realm. - - key: siteCode - type: - presence: optional - content: The name of the Active Directory site the Kerberos extension should use. - Most administrators don't need to modify this value, as the Kerberos extension - can normally find the site automatically. - - key: certificateUUID - type: - presence: optional - content: The PayloadUUID of a PKINIT certificate. - - key: useSiteAutoDiscovery - type: - presence: optional - default: true - content: If `false`, the Kerberos extension doesn't automatically use LDAP and - DNS to determine its AD site name. - - key: credentialBundleIdACL - type: - presence: optional - content: A list of bundle IDs allowed to access the ticket-granting ticket (TGT). - subkeys: - - key: credentialBundleIdACLItem - type: - presence: optional - content: Bundle IDs allowed to access the TGT. These values are case sensitive. - - key: includeManagedAppsInBundleIdACL - supportedOS: - iOS: - introduced: '14.0' - macOS: - introduced: '12.0' - type: - presence: optional - default: false - content: If `true`, the Kerberos extension allows only managed apps to access - and use the credential. This is in addition to the `credentialBundleIDACL`, - if you specify that value. Available in iOS 14 and later, and macOS 12 and later. - - key: includeKerberosAppsInBundleIdACL - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '12.0' - visionOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the Kerberos extension allows the standard Kerberos utilities - including `TicketViewer` and `klist` to access and use the credential. This - is in addition to `includeManagedAppsInBundleIdACL` or the `credentialBundleIdACL`, - if you specify those values. Available in macOS 12 and later. 
- - key: domainRealmMapping - type: - presence: optional - content: A custom domain-realm mapping for Kerberos. The system uses this when - the DNS name of hosts doesn't match the realm name. Most administrators don't - need to customize this. - subkeys: - - key: Realm - type: - presence: optional - content: The key should be the name of the realm, and the value is an array - of DNS suffixes that map to the realm. - subkeys: - - key: RealmItem - type: - presence: optional - content: Domains to map to the realm - - key: isDefaultRealm - type: - presence: optional - default: false - content: Specifies whether this is the default realm if there's more than one - Kerberos extension configuration. - - key: customUsernameLabel - supportedOS: - iOS: - introduced: '14.0' - macOS: - introduced: '11.0' - type: - presence: optional - content: The custom user name label used in the Kerberos extension instead of - "Username," such as "Company ID". Available in macOS 11 and later. - - key: helpText - supportedOS: - iOS: - introduced: '14.0' - macOS: - introduced: '11.0' - type: - presence: optional - content: The text to display to the user at the bottom of the Kerberos Login Window. - You can also use this to display help information or disclaimer text. Available - in iOS 14 and later, and macOS 11 and later. - - key: allowPasswordChange - supportedOS: - iOS: - introduced: n/a - visionOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system disables password changes. Available in macOS - 10.15 and later. - - key: allowAutomaticLogin - type: - presence: optional - default: true - content: If `false`, the system doesn't allow saving passwords in the keychain. - - key: requireUserPresence - type: - presence: optional - default: false - content: If `true`, the system requires the user to provide Touch ID, Face ID - or their passcode to access the keychain entry. 
- - key: pwExpireOverride - supportedOS: - iOS: - introduced: n/a - macOS: - deprecated: '12.0' - visionOS: - introduced: n/a - type: - presence: optional - content: The number of days that the system allows using passwords on this domain. - For most domains, this calculation is automatic. Available in macOS 10.15 and - later. - - key: pwNotificationDays - supportedOS: - iOS: - introduced: n/a - visionOS: - introduced: n/a - type: - presence: optional - default: 15 - content: The number of days prior to password expiration when the system sends - a notification of password expiration to the user. Available in macOS 10.15 - and later. - - key: pwReqLength - supportedOS: - iOS: - introduced: n/a - visionOS: - introduced: n/a - type: - presence: optional - content: The minimum length of passwords on the domain.Available in macOS 10.15 - and later. - - key: pwReqComplexity - supportedOS: - iOS: - introduced: n/a - visionOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system requires passwords to meet Active Directory's definition - of "complex". Available in macOS 10.15 and later. - - key: pwReqMinAge - supportedOS: - iOS: - introduced: n/a - visionOS: - introduced: n/a - type: - presence: optional - content: The minimum age of passwords before the system allows changing them on - this domain. Available in macOS 10.15 and later. - - key: pwReqHistory - supportedOS: - iOS: - introduced: n/a - visionOS: - introduced: n/a - type: - presence: optional - content: The number of prior passwords that the system disallows reuse on this - domain. Available in macOS 10.15 and later. - - key: pwReqText - supportedOS: - iOS: - introduced: n/a - visionOS: - introduced: n/a - type: - presence: optional - content: The text version of the domain's password requirements. Only for use - if `pwReqComplexity` or `pwReqLength` aren't specified. Available in macOS 10.15 - and later. 
- - key: pwReqRTFData - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '15.0' - visionOS: - introduced: n/a - type: - presence: optional - content: The RTF file formatted version of the domain's password requirements. - Only for use if `pwReqComplexity` or `pwReqLength` aren't specified. Available - in macOS 15 and later. - - key: pwChangeURL - supportedOS: - iOS: - introduced: n/a - visionOS: - introduced: n/a - type: - presence: optional - content: This URL will launch in the user's default web browser when they initiate - a password change. Available in macOS 10.15 and later. - - key: syncLocalPassword - supportedOS: - iOS: - introduced: n/a - visionOS: - introduced: n/a - type: - presence: optional - default: false - content: If `false`, the system disables password sync. Note that this will not - work if the user is logged in with a mobile account. Available in macOS 10.15 - and later. - - key: replicationTime - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '11.0' - deprecated: '12.0' - visionOS: - introduced: n/a - type: - presence: optional - default: 900 - content: The time, in seconds, required to replicate changes in the Active Directory - domain. The Kerberos extension uses this when checking password age after a - change. Available in macOS 11 and later. - - key: delayUserSetup - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '11.0' - visionOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system doesn't prompt the user to setup the Kerberos extension - until either the administrator enables it with the `app-sso` tool or the system - receives a Kerberos challenge. Available in macOS 11 and later. 
- - key: monitorCredentialsCache - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '11.0' - visionOS: - introduced: n/a - type: - presence: optional - default: true - content: If `false`, the system requests the credential on the next matching Kerberos - challenge or network state change. If the credential is expired or missing, - the system creates a new one. Available in macOS 11 and later. - - key: requireTLSForLDAP - supportedOS: - iOS: - introduced: '14.0' - macOS: - introduced: '11.0' - type: - presence: optional - default: false - content: Require that LDAP connections use TLS. Available in macOS 11 and later. - - key: credentialUseMode - supportedOS: - iOS: - introduced: '14.0' - macOS: - introduced: '11.0' - type: - presence: optional - rangelist: - - always - - whenNotSpecified - - kerberosDefault - default: always - content: |- - This setting affects how other processes use the Kerberos Extension credential. Allowed values: - - - `always`: The system always uses the credential if the SPN matches the Kerberos Extension `Hosts` array and the caller hasn't specified another credential. However, the system won't use the credential if the calling app isn't in the `credentialBundleIDACL`. - - `whenNotSpecified`: The system only uses the extension credential if the SPN matches the Kerberos Extension `Hosts` array. However, the system won't use the credential if the calling app isn't in the `credentialBundleIDACL`. - - `kerberosDefault`: The system uses the default Kerberos processes to select credentials, and normally uses the default Kerberos credential. This is the same as turning off this capability. - - Available in macOS 11 and later. - - key: preferredKDCs - supportedOS: - iOS: - introduced: '15.0' - macOS: - introduced: '12.0' - type: - presence: optional - content: |- - The ordered list of preferred Key Distribution Centers (KDCs) to use for Kerberos traffic. Use this if the servers aren't discoverable through DNS. 
If the servers are specified, then the system uses them for both connectivity checks and attempts to use them first for Kerberos traffic. If the servers don't respond, the device falls back to DNS discovery. Format each entry the same as it would be in a `krb5.conf` file, for example: - - - `adserver1.example.com` - - `tcp/adserver1.example.com:88` - - `kkdcp://kerberosproxy.example.com:443/kkdcp` - subkeys: - - key: preferredKDC - type: - presence: required - content: A host or domain name in the format of [protocol/]hostname[:port][/path] - - key: usePlatformSSOTGT - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '13.0' - visionOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system requires this configuration uses a TGT from Platform - SSO instead of requesting a new one. Available in macOS 13 and later. - - key: allowPlatformSSOAuthFallback - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '13.0' - visionOS: - introduced: n/a - type: - presence: optional - default: true - content: If `true` and `usePlatformSSOTGT` is `true`, the system allows the user - to manually sign in. Available in macOS 13 and later. - - key: performKerberosOnly - supportedOS: - iOS: - introduced: '16.0' - macOS: - introduced: '13.0' - type: - presence: optional - default: false - content: If `true`, the Kerberos Extension handles Kerberos requests only. It - doesn't check for password expiration, show the password expiration in the menu, - check for external password changes, perform password sync, or retrieve the - home directory. Available in macOS 13 and later. - - key: identityIssuerAutoSelectFilter - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '15.0' - visionOS: - introduced: n/a - type: - presence: optional - content: A string with wildcards that can use used to filter the list of available - SmartCards by issuer. e.g "\*My CA2\*". If there is one remaining, it will be - auto-selected. 
If there more than one remaining, then the list is shorter. Available - in macOS 15 and later. - - key: allowSmartCard - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '15.0' - visionOS: - introduced: n/a - type: - presence: optional - default: true - content: If `true`, allow the user to switch the user interface to SmartCard mode. - Available in macOS 15 and later. - - key: allowPassword - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '15.0' - visionOS: - introduced: n/a - type: - presence: optional - default: true - content: If `true`, allow the user to switch the user interface to Password mode. - Available in macOS 15 and later. - - key: startInSmartCardMode - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '15.0' - visionOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the user interface will start in SmartCard mode. Available - in macOS 15 and later. -- key: Hosts - type: - presence: optional - content: |- - One or more host or domain names for which the app extension performs SSO. - - The system: - - - Matches host or domain names case-insensitively - - Requires that all the host and domain names of all installed Extensible SSO payloads are unique - - > Note: - > Host names that begin with a "." are wildcard suffixes that match all subdomains; otherwise the host name needs be an exact match. - subkeys: - - key: hostname - type: - presence: required - content: A host or domain name. Values that begin with a "." will be used as domain - names. -notes: -- title: '' - content: |- - This is a version of the profile that defines the specific keys and values needed for the Kerberos extension. - - The system supports user channel installation in macOS 11 and later. diff --git a/mdm/profiles/com.apple.extensiblesso.yaml b/mdm/profiles/com.apple.extensiblesso.yaml deleted file mode 100644 index aafe57b..0000000 --- a/mdm/profiles/com.apple.extensiblesso.yaml +++ /dev/null 
@@ -1,573 +0,0 @@ -title: Extensible Single Sign-On -description: The payload that configures an app extension that performs single sign-on - (SSO). -payload: - payloadtype: com.apple.extensiblesso - supportedOS: - iOS: - introduced: '13.0' - multiple: true - supervised: false - allowmanualinstall: false - sharedipad: - mode: allowed - devicechannel: false - userchannel: true - userenrollment: - mode: allowed - macOS: - introduced: '10.15' - multiple: true - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: true - allowmanualinstall: false - userenrollment: - mode: allowed - tvOS: - introduced: n/a - visionOS: - introduced: '1.1' - multiple: true - supervised: false - allowmanualinstall: false - userenrollment: - mode: allowed - watchOS: - introduced: n/a - content: Configures an app extension that performs SSO on behalf of certain URLs. - User channel support was added in macOS 11.0. -payloadkeys: -- key: ExtensionIdentifier - type: - presence: required - content: The bundle identifier of the app extension that performs SSO for the specified - URLs. -- key: TeamIdentifier - supportedOS: - iOS: - introduced: n/a - visionOS: - introduced: n/a - type: - presence: optional - content: The team identifier of the app extension. This key is required on macOS - and ignored elsewhere. -- key: Type - type: - presence: required - rangelist: - - Credential - - Redirect - content: The type of SSO. -- key: Realm - type: - presence: optional - content: The realm name for `Credential` payloads. Use proper capitalization for - this value. Ignored for `Redirect` payloads. -- key: ExtensionData - type: - presence: optional - content: A dictionary of arbitrary data passed through to the app extension. - subkeys: - - key: ANY - type: - presence: optional - content: Keys and values to pass to the app extension. 
-- key: URLs - type: - presence: optional - content: |- - An array of URL prefixes of identity providers where the app extension performs SSO. - - Required for `Redirect` payloads. Ignored for `Credential` payloads. - - The URLs need to begin with `http://` or `https://`. - - The system: - - - Matches scheme and host name case-insensitively - - Doesn't allow query parameters and URL fragments - - Requires that the URLs of all installed Extensible SSO payloads are unique - subkeys: - - key: URL - type: - presence: required - content: An http or https URL prefix. -- key: Hosts - type: - presence: optional - content: |- - An array of host or domain names that apps can authenticate through the app extension. - - Required for `Credential` payloads. Ignored for `Redirect` payloads. - - The system: - - - Matches host or domain names case-insensitively - - Requires that all the host and domain names of all installed Extensible SSO payloads are unique - - > Note: - > Host names that begin with a "." are wildcard suffixes that match all subdomains; otherwise the host name needs be an exact match. - subkeys: - - key: hostname - type: - presence: required - content: A host or domain name, with or without a leading dot. -- key: ScreenLockedBehavior - supportedOS: - iOS: - introduced: '15.0' - macOS: - introduced: '12.0' - type: - presence: optional - rangelist: - - Cancel - - DoNotHandle - default: Cancel - content: If set to `Cancel`, the system cancels authentication requests when the - screen is locked. If set to `DoNotHandle`, the request continues without SSO instead. - This doesn't apply to requests where `userInterfaceEnabled` is `false`, or for - background `URLSession` requests. Available in iOS 15 and later, and macOS 12 - and later. -- key: DeniedBundleIdentifiers - supportedOS: - iOS: - introduced: '15.0' - macOS: - introduced: '12.0' - type: - presence: optional - content: An array of bundle identifiers of apps that don't use SSO provided by this - extension. 
Available in iOS 15 and later, and macOS 12 and later. - subkeys: - - key: bundleIdentifier - type: - presence: required - content: The bundle identifier of the app. -- key: AuthenticationMethod - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '13.0' - deprecated: '14.0' - visionOS: - introduced: n/a - type: - presence: optional - rangelist: - - Password - - UserSecureEnclaveKey - content: The Platform SSO authentication method the extension uses. Requires that - the SSO Extension also supports the method. Available in macOS 13 and later, and - deprecated in macOS 14. -- key: RegistrationToken - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '13.0' - visionOS: - introduced: n/a - type: - presence: optional - content: The token this device uses for registration with Platform SSO. Use it for - silent registration with the Identity Provider. Requires that `AuthenticationMethod` - in `PlatformSSO` isn't empty. Available in macOS 13 and later. -- key: PlatformSSO - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '14.0' - visionOS: - introduced: n/a - type: - presence: optional - content: The dictionary to configure Platform SSO. Requires `Type` to be set to - `Redirect`. - subkeys: - - key: AuthenticationMethod - type: - presence: optional - rangelist: - - Password - - UserSecureEnclaveKey - - SmartCard - content: The Platform SSO authentication method to use with the extension. Requires - that the SSO Extension also support the method. - - key: UseSharedDeviceKeys - supportedOS: - macOS: - userchannel: false - type: - presence: optional - default: false - content: If `true`, the system uses the same signing and encryption keys for all - users. Only supported on the device channel. - - key: AccountDisplayName - type: - presence: optional - content: The display name for the account in notifications and authentication - requests. 
- - key: LoginFrequency - type: - presence: optional - range: - min: 3600 - default: 64800 - content: The duration, in seconds, until the system requires a full login instead - of a refresh. The default value is 64,800 (18 hours). The minimum value is 3600 - (1 hour). - - key: EnableCreateUserAtLogin - type: - presence: optional - default: false - content: Enables creating users at the Login Window with an `AuthenticationMethod` - of either `Password` or `SmartCard`. Requires that `UseSharedDeviceKeys` is - `true`. - - key: EnableCreateFirstUserDuringSetup - supportedOS: - macOS: - introduced: '26.0' - type: - presence: optional - default: true - content: If `true`, the device uses Platform SSO to create the first user account - on the Mac during `Setup Assistant`. - - key: EnableAuthorization - type: - presence: optional - default: false - content: Enables using identity provider accounts at authorization prompts. Requires - that `UseSharedDeviceKeys` is `true`. The system assigns groups using `AdministratorGroups`, - `AdditionalGroups`, or `AuthorizationGroups`. - - key: TokenToUserMapping - type: - presence: optional - content: The attribute mapping to use when creating users, or for authorization. - subkeys: - - key: AccountName - type: - presence: optional - content: The claim name to use for the user's account name. - - key: FullName - type: - presence: optional - content: The claim name to use for the user's full name. - - key: NewUserAuthenticationMethods - supportedOS: - macOS: - introduced: '26.0' - type: - presence: optional - content: The set of authentication methods to use for newly created accounts at - login or during `Setup Assistant`. The system uses `Password` and `SmartCard` - if this key isn't present. - subkeys: - - key: NewUserAuthenticationMethod - type: - presence: optional - rangelist: - - Password - - SmartCard - - AccessKey - content: |- - An authentication method to use for newly created accounts at login or during `Setup Assistant`. 
Allowed values: - - - `Password`: The account uses a password for authentication. - - `SmartCard`: The account uses a smart card for authentication. - - `AccessKey`: The account uses an access key for authentication. - - key: NewUserAuthorizationMode - type: - presence: optional - rangelist: - - Standard - - Admin - - Groups - - Temporary - content: |- - The permission to apply to newly created accounts at login. Allowed values: - - - `Standard`: The account is a standard user. - - `Admin`: The system adds the account to the local administrators group. - - `Groups`: The system assigns groups to the account using `AdministratorGroups`, `AdditionalGroups`, or `AuthorizationGroups`. - - `Temporary`: The system uses a temporary session configuration for newly created accounts at login. - - key: UserAuthorizationMode - type: - presence: optional - rangelist: - - Standard - - Admin - - Groups - content: |- - The permission to apply to an account each time the user authenticates. Allowed values: - - - `Standard`: The account is a standard user. - - `Admin`: The system adds the account to the local administrators group. - - `Groups`: The system assigns group to the account using `AdministratorGroups`, `AdditionalGroups`, or `AuthorizationGroups`. - - key: AdministratorGroups - type: - presence: optional - content: The list of groups to use for administrator access. The system requests - membership during authentication. - subkeys: - - key: Group - type: - presence: optional - content: The group name. - - key: AdditionalGroups - type: - presence: optional - content: The list of created groups that don't have administrator access. - subkeys: - - key: Group - type: - presence: optional - content: The group name. - - key: AuthorizationGroups - type: - presence: optional - content: The pairing of Authorization Rights to group names. When using this, - the system updates the Authorization Right to use the group. 
- subkeys: - - key: ANY - type: - presence: optional - content: The key is an access right value, the value is the group to be associated - with that access right. - - key: AccessKeyReaderGroupIdentifier - supportedOS: - macOS: - introduced: '26.0' - type: - presence: optional - content: The reader group identifier for use with the `AccessKey`. The value needs - to match the configured access key. Required if `NewUserAuthenticationMethods` - contains `AccessKey`. - - key: AccessKeyTerminalIdentityUUID - supportedOS: - macOS: - introduced: '26.0' - type: - presence: optional - content: |- - The `PayloadUUID` of an identity payload to use as the `Terminal` identity of the access key. The identity needs to be trusted by the access key. Required if `NewUserAuthenticationMethods` includes `AccessKey`. Allowed identity payload types: - - - `com.apple.security.pkcs12` - - `com.apple.security.acme` - - `com.apple.security.scep` - - key: AccessKeyReaderIssuerCertificateUUID - supportedOS: - macOS: - introduced: '26.2' - type: - presence: optional - content: The `PayloadUUID` of a certificate payload for the issuer certificate - of the `Terminal` identity of the access key. Other specifications refer to - the key as the "Reader CA Public Key". The key must be an elliptic curve key. - Required if `NewUserAuthenticationMethods` includes `AccessKey`. The issuer - of the Terminal identity of the access key needs to match this certificate, - otherwise the device fails the authentication. - - key: AllowAccessKeyExpressMode - supportedOS: - macOS: - introduced: '26.0' - type: - presence: optional - default: false - content: If `true`, the system uses the access key in express mode, and doesn't - require authentication before use. - - key: FileVaultPolicy - supportedOS: - macOS: - introduced: '15.0' - type: - presence: optional - content: The policy to apply when using Platform SSO at FileVault unlock on a - Mac with Apple silicon. Applies when `AuthenticationMethod` is `Password`. 
Available - in macOS 15 and later. - subkeys: - - key: policy - type: - presence: required - rangelist: - - AttemptAuthentication - - RequireAuthentication - - AllowOfflineGracePeriod - - AllowAuthenticationGracePeriod - content: |- - * AttemptAuthentication - Platform SSO authentication is attempted before proceeding. If offline, unlock will continue - if the local account password matches. If online and the credential is incorrect, then a - successful Platform SSO authentication is required to proceed, even if taken offline. - * RequireAuthentication - Platform SSO authentication is required before proceeding. If the device is offline and - `AllowOfflineGracePeriod` is enabled, then the offline `OfflineGracePeriod` is used to determine - if the user can proceed or not. If online and the credential is incorrect, then a valid Platform - SSO authentication is required to proceed regardless of the `OfflineGracePeriod`. If the account - is not registered for Platform SSO and `AllowAuthenticationGracePeriod` is enabled, then the - `AuthenticationGracePeriod` is used to determine if the user can proceed or not. - * AllowOfflineGracePeriod - Allow the use of the `OfflineGracePeriod` when `RequireAuthentication` is enabled. If - `AllowOfflineGracePeriod` is not set, then offline access is denied. - * AllowAuthenticationGracePeriod - Allow the use of the `AuthenticationGracePeriod` for other local accounts when `RequireAuthentication` - is enabled. The `AuthenticationGracePeriod` starts when any of the policies have been updated. If - `AllowAuthenticationGracePeriod` is not set, then unregistered account access is denied. - - key: LoginPolicy - supportedOS: - macOS: - introduced: '15.0' - type: - presence: optional - content: The policy to apply when using Platform SSO at the Login Window. Applies - when `AuthenticationMethod` is `Password`. Available in macOS 15 and later. 
- subkeys: - - key: policy - type: - presence: required - rangelist: - - AttemptAuthentication - - RequireAuthentication - - AllowOfflineGracePeriod - - AllowAuthenticationGracePeriod - content: |- - * AttemptAuthentication - Platform SSO authentication is attempted before proceeding. If offline, unlock will continue - if the local account password matches. If online and the credential is incorrect, then a - successful Platform SSO authentication is required to proceed, even if taken offline. - * RequireAuthentication - Platform SSO authentication is required before proceeding. If the device is offline and - `AllowOfflineGracePeriod` is enabled, then the offline `OfflineGracePeriod` is used to determine - if the user can proceed or not. If online and the credential is incorrect, then a valid Platform - SSO authentication is required to proceed regardless of the `OfflineGracePeriod`. If the account - is not registered for Platform SSO and `AllowAuthenticationGracePeriod` is enabled, then the - `AuthenticationGracePeriod` is used to determine if the user can proceed or not. - * AllowOfflineGracePeriod - Allow the use of the `OfflineGracePeriod` when `RequireAuthentication` is enabled. If - `AllowOfflineGracePeriod` is not set, then offline access is denied. - * AllowAuthenticationGracePeriod - Allow the use of the `AuthenticationGracePeriod` for other local accounts when `RequireAuthentication` - is enabled. The `AuthenticationGracePeriod` starts when any of the policies have been updated. If - `AllowAuthenticationGracePeriod` is not set, then unregistered account access is denied. - - key: UnlockPolicy - supportedOS: - macOS: - introduced: '15.0' - type: - presence: optional - content: The policy to apply when using Platform SSO at screensaver unlock. Applies - when `AuthenticationMethod` is `Password`. Available in macOS 15 and later. 
- subkeys: - - key: policy - type: - presence: required - rangelist: - - AttemptAuthentication - - RequireAuthentication - - AllowOfflineGracePeriod - - AllowAuthenticationGracePeriod - - AllowTouchIDOrWatchForUnlock - content: |- - * AttemptAuthentication - Platform SSO authentication is attempted before proceeding. If offline, unlock will continue - if the local account password matches. If online and the credential is incorrect, then a - successful Platform SSO authentication is required to proceed, even if taken offline. - * RequireAuthentication - Platform SSO authentication is required before proceeding. If the device is offline and - `AllowOfflineGracePeriod` is enabled, then the offline `OfflineGracePeriod` is used to determine - if the user can proceed or not. If online and the credential is incorrect, then a valid Platform - SSO authentication is required to proceed regardless of the `OfflineGracePeriod`. If the account - is not registered for Platform SSO and `AllowAuthenticationGracePeriod` is enabled, then the - `AuthenticationGracePeriod` is used to determine if the user can proceed or not. - * AllowOfflineGracePeriod - Allow the use of the `OfflineGracePeriod` when `RequireAuthentication` is enabled. If - `AllowOfflineGracePeriod` is not set, then offline access is denied. - * AllowAuthenticationGracePeriod - Allow the use of the `AuthenticationGracePeriod` for other local accounts when `RequireAuthentication` - is enabled. The `AuthenticationGracePeriod` starts when any of the policies have been updated. If - `AllowAuthenticationGracePeriod` is not set, then unregistered account access is denied. - * AllowTouchIDOrWatchForUnlock - Allow TouchID or Watch to unlock the screensaver instead of Platform SSO authentication when - `RequireAuthentication` is enabled. 
- - key: OfflineGracePeriod - supportedOS: - macOS: - introduced: '15.0' - type: - presence: optional - content: The amount of time after the last successful Platform SSO login for using - a local account password offline. Required when setting `AllowOfflineGracePeriod`. - Available in macOS 15 and later. - - key: AuthenticationGracePeriod - supportedOS: - macOS: - introduced: '15.0' - type: - presence: optional - content: The amount of time after receiving or updating a `FileVaultPolicy`, `LoginPolicy`, - or `UnlockPolicy` that the system can use unregistered local accounts. Required - when `AllowAuthenticationGracePeriod` is set. Available in macOS 15 and later. - - key: NonPlatformSSOAccounts - supportedOS: - macOS: - introduced: '15.0' - type: - presence: optional - content: The list of local accounts that aren't subject to the `FileVaultPolicy`, - `LoginPolicy`, or `UnlockPolicy`. The accounts don't receive a prompt to register - for Platform SSO. Available in macOS 15 and later. - subkeys: - - key: username - type: - presence: required - content: A local account username. - - key: AllowDeviceIdentifiersInAttestation - supportedOS: - macOS: - introduced: '15.4' - type: - presence: optional - default: false - content: If `true`, the system includes the device UDID and serial number in Platform - SSO attestations. - - key: SynchronizeProfilePicture - supportedOS: - macOS: - introduced: '26.0' - type: - presence: optional - default: false - content: If `true`, the system requests the user's profile picture from the SSO - extension. - - key: TemporarySessionQuickLogin - supportedOS: - macOS: - introduced: '26.0' - type: - presence: optional - default: false - content: If `true`, the system uses a quicker Authenticated Guest Mode login to - Mac behavior. The system erases user data from only select locations in the - user home directory after each session completes. Once every eight hours the - system erases the full user home directory after a session completes. 
Turn this - on for shared environments that have a high frequency of short sessions. - - key: EnableRegistrationDuringSetup - supportedOS: - macOS: - introduced: '26.0' - type: - presence: optional - default: false - content: If `true`, the system enables the PlatformSSO registration process during - Setup Assistant on devices running macOS 26 and later. Set this key to `true` - when configuring PlatformSSO before enrollment using the `com.apple.psso.required` - error response. -notes: -- title: '' - content: The system supports user channel installation in macOS 11 and later. diff --git a/mdm/profiles/com.apple.familycontrols.contentfilter.yaml b/mdm/profiles/com.apple.familycontrols.contentfilter.yaml deleted file mode 100644 index fa4e316..0000000 --- a/mdm/profiles/com.apple.familycontrols.contentfilter.yaml +++ /dev/null 
@@ -1,144 +0,0 @@ -title: 'Parental Controls: Content Filter' -description: The payload that configures the parental control web content filters. -payload: - payloadtype: com.apple.familycontrols.contentfilter - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.7' - multiple: false - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: Parental controls web filter. -payloadkeys: -- key: restrictWeb - type: - presence: required - content: If `true`, enables web content filters. -- key: useContentFilter - type: - presence: optional - default: false - content: If `true`, filters content automatically. -- key: allowlistEnabled - supportedOS: - macOS: - introduced: '15.2' - type: - presence: optional - default: false - content: If `true`, enables web content filters. -- key: whitelistEnabled - supportedOS: - macOS: - deprecated: '15.2' - type: - presence: optional - default: false - content: Use `allowlistEnabled` instead. -- key: siteAllowlist - supportedOS: - macOS: - introduced: '15.2' - type: - presence: optional - content: |- - An array of sites that defines an allow list. If specified, this defines additional allowed sites besides those in the automated allow list and deny list, including disallowed adult sites. - - This key is required if `allowlistEnabled` is `true`. - subkeys: - - key: siteAllowlistItem - type: - content: A dictionary defining a site for the allow list. - subkeys: - - key: address - type: - presence: required - content: The site prefix, including the `http(s)` scheme. - - key: pageTitle - type: - presence: optional - content: The site page title. -- key: siteWhitelist - supportedOS: - macOS: - deprecated: '15.2' - type: - presence: optional - content: Use `siteAllowlist` instead. 
- subkeys: - - key: siteWhitelistItem - type: - content: A dictionary defining a site for the allow list. - subkeys: - - key: address - type: - presence: required - content: The site prefix, including http(s) scheme. - - key: pageTitle - type: - presence: optional - content: The site page title. -- key: filterAllowlist - supportedOS: - macOS: - introduced: '15.2' - type: - presence: optional - content: The array of URLs that defines an allow list. When `restrictWeb` and `useContentFilter` - are enabled, only URLs in the allow list are available to the user. - subkeys: - - key: filterAllowlistItem - type: - presence: required - content: An allowed site. -- key: filterWhitelist - supportedOS: - macOS: - deprecated: '15.2' - type: - presence: optional - content: Use `filterAllowlist` instead. - subkeys: - - key: filterWhitelistItem - type: - presence: required - content: An allowed site. -- key: filterDenylist - supportedOS: - macOS: - introduced: '15.2' - type: - presence: optional - content: The array of URLs that defines a deny list. When `restrictWeb` and `useContentFilter` - are enabled, no URLs in the deny list are available to the user. - subkeys: - - key: filterDenylistItem - type: - presence: required - content: A disallowed site. -- key: filterBlacklist - supportedOS: - macOS: - deprecated: '15.2' - type: - presence: optional - content: Use `filterDenylist` instead. - subkeys: - - key: filterBlacklistItem - type: - presence: required - content: A disallowed site. diff --git a/mdm/profiles/com.apple.familycontrols.timelimits.v2.yaml b/mdm/profiles/com.apple.familycontrols.timelimits.v2.yaml deleted file mode 100644 index 4c3b03a..0000000 --- a/mdm/profiles/com.apple.familycontrols.timelimits.v2.yaml +++ /dev/null 
@@ -1,86 +0,0 @@ -title: 'Parental Controls: Time Limits' -description: The payload that configures parental control time limits. -payload: - payloadtype: com.apple.familycontrols.timelimits.v2 - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.7' - multiple: false - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: Parental controls time limits. -payloadkeys: -- key: familyControlsEnabled - type: - presence: required - content: If `true`, enables time limits. -- key: time-limits - type: - presence: optional - content: The time limits to enforce if `familyControlsEnabled` is enabled. - subkeys: - - key: weekday-allowance - type: - presence: optional - content: The weekday allowance settings. - subkeytype: Allowance - subkeys: &id001 - - key: enabled - type: - presence: required - content: If `true`, enable these settings. - - key: rangeType - type: - presence: required - rangelist: - - 0 - - 1 - content: |- - The type of day range, which has the following possible values: - - - `0`: Weekday - - `1`: Weekend - - key: start - type: - presence: optional - content: The curfew start time, in the format '%d:%d:%d'. - - key: end - type: - presence: optional - content: The curfew end time, in the format `%d:%d:%d`. - - key: secondsPerDay - type: - presence: optional - content: The allowance for that day, in seconds. - - key: weekday-curfew - type: - presence: optional - content: The weekday curfew settings. - subkeytype: Allowance - subkeys: *id001 - - key: weekend-allowance - type: - presence: optional - content: The weekend allowance settings. - subkeytype: Allowance - subkeys: *id001 - - key: weekend-curfew - type: - presence: optional - content: The weekend curfew settings. - subkeytype: Allowance - subkeys: *id001 
diff --git a/mdm/profiles/com.apple.fileproviderd.yaml b/mdm/profiles/com.apple.fileproviderd.yaml
deleted file mode 100644
index da8b3ea..0000000
--- a/mdm/profiles/com.apple.fileproviderd.yaml
+++ /dev/null
@@ -1,65 +0,0 @@ -title: File Provider -description: The payload that configures file provider settings. -payload: - payloadtype: com.apple.fileproviderd - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '11.0' - multiple: false - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: true - allowmanualinstall: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a -payloadkeys: -- key: AllowManagedFileProvidersToRequestAttribution - type: - presence: optional - default: false - content: If `true`, enables file providers access to the path of the requesting - process. -- key: ManagementAllowsKnownFolderSyncing - supportedOS: - macOS: - introduced: '15.2' - devicechannel: true - userchannel: false - type: - presence: optional - default: true - content: If `false`, the device prevents the File Provider extension from using - desktop and documents synchronization in any app. This does not impact the ability - for apps to utilize the File Provider extension for file and folder syncing with - remote storage. -- key: ManagementKnownFolderSyncingAllowList - supportedOS: - macOS: - introduced: '15.2' - devicechannel: true - userchannel: false - type: - presence: optional - content: An array of strings representing the composed identifiers of apps. The - device allows the corresponding apps to use File Provider extension desktop and - documents synchronization. If present, and `ManagementAllowsKnownFolderSyncing` - is set to `true`, the device allows only the apps in this list to use desktop - and documents synchronization. This key is ignored if `ManagementAllowsKnownFolderSyncing` - is set to `false`. This setting does not impact the ability for apps to use File - Provider extension volume access. The format of the app identifiers is "Bundle-ID - (Team-ID)", for example `com.example.app (ABCD1234)`. 
- subkeys: - - key: AllowListItem - type: - presence: required - content: A composed app identifier. The format is "Bundle.Identifier (TeamIdentifier)". diff --git a/mdm/profiles/com.apple.finder.yaml b/mdm/profiles/com.apple.finder.yaml deleted file mode 100644 index 2c5f682..0000000 --- a/mdm/profiles/com.apple.finder.yaml +++ /dev/null 
@@ -1,80 +0,0 @@ -title: Finder -description: The payload that configures Finder settings. -payload: - payloadtype: com.apple.finder - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.7' - multiple: false - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a -payloadkeys: -- key: ProhibitBurn - type: - presence: optional - default: false - content: If `true`, the system disables the Finder's burn support. -- key: InterfaceLevel - supportedOS: - macOS: - removed: '10.15' - type: - presence: optional - rangelist: - - Simple - - Full - content: Specifies whether Finder should operate in Simple or Full mode. -- key: ProhibitConnectTo - type: - presence: optional - default: false - content: If `true`, the system disables Connect to Server. -- key: ProhibitEject - type: - presence: optional - default: false - content: If `true`, the system disables Eject. -- key: ProhibitGoToFolder - type: - presence: optional - default: false - content: If `true`, the system disables Go to Folder. -- key: ShowExternalHardDrivesOnDesktop - type: - presence: optional - default: true - content: If `false`, the system doesn't show external hard drives on the Desktop. -- key: ShowHardDrivesOnDesktop - type: - presence: optional - default: false - content: If `false`, the system doesn't show internal hard drives on the Desktop. -- key: ShowMountedServersOnDesktop - type: - presence: optional - default: false - content: If `false`, the system doesn't show mounted file servers on the Desktop. -- key: ShowRemovableMediaOnDesktop - type: - presence: optional - default: true - content: If `false`, the system doesn't show removable media items on the Desktop. 
-- key: WarnOnEmptyTrash - type: - presence: optional - default: true - content: If `false`, the system doesn't warn the user before emptying the trash. diff --git a/mdm/profiles/com.apple.firstactiveethernet.managed.yaml b/mdm/profiles/com.apple.firstactiveethernet.managed.yaml deleted file mode 100644 index fe6147e..0000000 --- a/mdm/profiles/com.apple.firstactiveethernet.managed.yaml +++ /dev/null @@ -1,41 +0,0 @@ -title: '802.1X: First Active Ethernet' -description: The payload that configures the first wired, active Ethernet interface. -payload: - payloadtype: com.apple.firstactiveethernet.managed - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.7' - multiple: false - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: allowed - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a -payloadkeys: -- key: ANY - type: - presence: optional - content: Keys relevant to 802.1x configuration. User enrollment payloads do not - support the various proxy keys including ProxyType, ProxyServer, ProxyServerPort, - ProxyUsername, ProxyPassword,, ProxyPACURL and ProxyPACFallbackAllowed. -notes: -- title: '' - content: |- - This payload's contents contain these profile-specific keys: - - - Interface (String): This payload uses the value `FirstActiveEthernet`. - - EAPClientConfiguration (`EAPClientConfiguration`): The dictionary that defines the enterprise profile for the network. - - SetupModes (String): The type of connection mode, which is either "System" or "Loginwindow." "System" is the default. - - Payloads with `active` in their name apply to Ethernet interfaces that are working at the time of profile installation. If there's no active Ethernet interface working, this payload configures the interface with the highest service-order priority. 
diff --git a/mdm/profiles/com.apple.firstethernet.managed.yaml b/mdm/profiles/com.apple.firstethernet.managed.yaml deleted file mode 100644 index 5342d8a..0000000 --- a/mdm/profiles/com.apple.firstethernet.managed.yaml +++ /dev/null @@ -1,41 +0,0 @@ -title: '802.1X: First Ethernet' -description: The payload that configures the first wired Ethernet interface. -payload: - payloadtype: com.apple.firstethernet.managed - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.7' - multiple: false - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: allowed - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a -payloadkeys: -- key: ANY - type: - presence: optional - content: Keys relevant to 802.1x configuration. User enrollment payloads do not - support the various proxy keys including ProxyType, ProxyServer, ProxyServerPort, - ProxyUsername, ProxyPassword,, ProxyPACURL and ProxyPACFallbackAllowed. -notes: -- title: '' - content: |- - This payload's contents contain these profile-specific keys: - - - Interface (String): This payload uses the value `FirstEthernet`. - - EAPClientConfiguration (`EAPClientConfiguration`): The dictionary that defines the enterprise profile for the network. - - SetupModes (String): The type of connection mode, which is either "System" or "Loginwindow." "System" is the default. - - This payload applies to Ethernet interfaces according to service order, regardless of whether the interface is working. diff --git a/mdm/profiles/com.apple.font.yaml b/mdm/profiles/com.apple.font.yaml deleted file mode 100644 index 70cf25d..0000000 --- a/mdm/profiles/com.apple.font.yaml +++ /dev/null 
@@ -1,61 +0,0 @@ -title: Font -description: The payload that configures fonts. -payload: - payloadtype: com.apple.font - supportedOS: - iOS: - introduced: '7.0' - multiple: true - supervised: false - allowmanualinstall: true - sharedipad: - mode: allowed - devicechannel: false - userchannel: true - userenrollment: - mode: allowed - macOS: - introduced: '10.9' - multiple: true - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: allowed - tvOS: - introduced: n/a - visionOS: - introduced: '2.0' - multiple: true - supervised: false - allowmanualinstall: true - userenrollment: - mode: allowed - watchOS: - introduced: n/a - content: |- - Each payload may contain one font file. Font files may be in TrueType (.ttf) or OpenType (.otf) file format. Collection types (.ttc or .otc) formats are not supported. - Fonts are uniquely identified internally by their embedded PostScript name. Two fonts with the same PostScript name will be considered the same font, even if their contents differ. Installing two different fonts with the same PostScript name is not supported, and it is undefined which font will remain installed. - Supported on the Shared iPad user channel as of iPadOS 18.0. Earlier versions of iPadOS erroneously accepted the Font payload on the device channel but installed it for the currently logged in user. -payloadkeys: -- key: Name - title: Font Name - type: - presence: optional - default: '' - content: |- - The user-visible name for the font. This field is replaced by the actual name of the font after installation. Each payload must contain exactly one font file in trueType (.ttf) or OpenType (.otf) format. Collection formats (.ttc or .otc) are not supported. - - Fonts are identified by their embedded PostScript names. Two fonts with the same PostScript name are considered to be the same font even if their contents differ. 
Installing two different fonts with the same PostScript name isn't supported, and the resulting behavior is undefined. -- key: Font - title: Font - type: - presence: required - content: The contents of the font file. -notes: -- title: '' - content: In iPadOS 18 and later, the font profile is available on the user channel - for Shared iPads. diff --git a/mdm/profiles/com.apple.gamed.yaml b/mdm/profiles/com.apple.gamed.yaml deleted file mode 100644 index f4c0dcb..0000000 --- a/mdm/profiles/com.apple.gamed.yaml +++ /dev/null @@ -1,55 +0,0 @@ -title: 'Parental Controls: Game Center' -description: The payload that configures Game Center parental controls. -payload: - payloadtype: com.apple.gamed - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.9' - multiple: false - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: Parental controls Game Center restrictions. -payloadkeys: -- key: GKFeatureGameCenterAllowed - supportedOS: - macOS: - deprecated: '10.13' - type: - presence: optional - default: true - content: If `true`, enables Game Center. -- key: GKFeatureAccountModificationAllowed - type: - presence: optional - default: true - content: If `true`, allows account modifications. -- key: GKFeatureAddingGameCenterFriendsAllowed - supportedOS: - macOS: - deprecated: '10.13' - type: - presence: optional - default: true - content: If `true`, allows adding Game Center friends. -- key: GKFeatureMultiplayerGamingAllowed - supportedOS: - macOS: - deprecated: '10.13' - type: - presence: optional - default: true - content: If `true`, allows multiplayer gaming. diff --git a/mdm/profiles/com.apple.globalethernet.managed.yaml b/mdm/profiles/com.apple.globalethernet.managed.yaml deleted file mode 100644 index d1f4233..0000000 
--- a/mdm/profiles/com.apple.globalethernet.managed.yaml +++ /dev/null @@ -1,51 +0,0 @@ -title: '802.1X: Global Ethernet' -description: The payload that configures the default fallback global Ethernet interface. -payload: - payloadtype: com.apple.globalethernet.managed - supportedOS: - iOS: - introduced: '17.0' - multiple: false - supervised: false - allowmanualinstall: true - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: allowed - macOS: - introduced: '10.13' - multiple: false - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: allowed - tvOS: - introduced: '17.0' - multiple: false - supervised: false - allowmanualinstall: true - visionOS: - introduced: n/a - watchOS: - introduced: n/a -payloadkeys: -- key: ANY - type: - presence: optional - content: Keys relevant to 802.1X configuration. User enrollment payloads don't support - the various proxy keys, including `ProxyType`, `ProxyServer`, `ProxyServerPort`, - `ProxyUsername`, `ProxyPassword`, `ProxyPACURL` and `ProxyPACFallbackAllowed`. -notes: -- title: '' - content: |- - This payload's contents contain these profile-specific keys: - - - Interface (String): This payload uses the value `GlobalEthernet`. - - EAPClientConfiguration (`EAPClientConfiguration`): The dictionary that defines the enterprise profile for the network. - - SetupModes (String): The type of connection mode, which is either `System` or `Loginwindow`. `System` is the default. diff --git a/mdm/profiles/com.apple.google-oauth.yaml b/mdm/profiles/com.apple.google-oauth.yaml deleted file mode 100644 index 0f85500..0000000 --- a/mdm/profiles/com.apple.google-oauth.yaml +++ /dev/null 
@@ -1,103 +0,0 @@ -title: Google Account -description: The payload that configures a Google account. -payload: - payloadtype: com.apple.google-oauth - supportedOS: - iOS: - introduced: '9.3' - multiple: true - supervised: false - allowmanualinstall: true - sharedipad: - mode: allowed - devicechannel: false - userchannel: true - userenrollment: - mode: allowed - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: '1.1' - multiple: true - supervised: false - allowmanualinstall: true - userenrollment: - mode: allowed - watchOS: - introduced: n/a - content: A Google account payload sets up a Google email address as well as any - other Google services the user enables after authentication. Google accounts must - be installed via MDM or by Apple Configurator 2 (if the device is supervised). - The payload never contains credentials and the user will be prompted to enter - their credentials shortly after the payload successfully installs. On Shared iPads, - this payload can only be installed on the MDM user channel. -payloadkeys: -- key: AccountDescription - title: Account Description - type: - presence: optional - content: A user-visible description of the Google account, shown in the Mail and - Settings apps. -- key: AccountName - title: Account Name - type: - presence: optional - content: The user's full name for the Google account. This name appears in sent - messages. -- key: EmailAddress - title: Email Address - type: - presence: required - content: The full Google email address for the account. -- key: CommunicationServiceRules - title: Communication Service Rules - supportedOS: - iOS: - introduced: '10.0' - type: - presence: optional - content: The communication service handler rules for this account. 
- subkeys: - - key: DefaultServiceHandlers - title: Default Service Handlers - supportedOS: - iOS: - introduced: '10.0' - macOS: - introduced: n/a - type: - presence: optional - content: A dictionary that defines which app to use for audio calls from this - account. - subkeys: - - key: AudioCall - title: App for audio calls - supportedOS: - iOS: - introduced: '10.0' - macOS: - introduced: n/a - type: - presence: optional - content: The bundle identifier for the default application that handles audio - calls to contacts from this account. -- key: VPNUUID - title: VPNUUID - supportedOS: - iOS: - introduced: '14.0' - type: - presence: optional - content: The VPNUUID of the per-app VPN the account uses for network communication. - Available in iOS 14 and later. -notes: -- title: '' - content: |- - You can install multiple Google payloads. Each sets up a Google email address and any other Google services the user enables after authentication. - - > Note: - > For supervised devices, the system requires installation of Google accounts through MDM or Apple Configurator 2. - - The payload never contains credentials; the system prompts the user to enter credentials shortly after installation of the payload. diff --git a/mdm/profiles/com.apple.homescreenlayout.yaml b/mdm/profiles/com.apple.homescreenlayout.yaml deleted file mode 100644 index f3c2c9b..0000000 --- a/mdm/profiles/com.apple.homescreenlayout.yaml +++ /dev/null 
@@ -1,95 +0,0 @@ -title: Home Screen Layout -description: The payload that configures the Home Screen layout. -payload: - payloadtype: com.apple.homescreenlayout - supportedOS: - iOS: - introduced: '9.3' - multiple: false - supervised: true - allowmanualinstall: true - sharedipad: - mode: allowed - devicechannel: true - userchannel: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: '11.0' - multiple: false - supervised: true - allowmanualinstall: true - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: The payload defines a layout of apps, folders, & web clips for the Home - screen. -payloadkeys: -- key: Dock - type: - presence: optional - content: An array of dictionaries, each of which must conform to the icon dictionary - format. If this key isn't present, the user's Dock is empty. - subkeytype: IconItem - subkeys: &id001 - - key: IconItem - type: - content: An array of dictionaries that conform to the icon dictionary format. - subkeys: - - key: Type - type: - presence: required - rangelist: - - Application - - Folder - - WebClip - content: The type of the Dock item. - - key: DisplayName - type: - presence: optional - content: The human-readable string shown to the user. This setting is valid - only if the type is `Folder`. - - key: BundleID - type: - presence: optional - content: The bundle identifier of the app. This setting is required if the type - is `Application`. - - key: Pages - type: - presence: optional - content: An array of arrays of dictionaries, each conforming to the icon dictionary - format. This setting is valid only if the type is `Folder`. - subkeytype: PagesItem - subkeys: &id002 - - key: PagesItem - type: - subkeytype: IconItem - subkeys: *id001 - - key: URL - supportedOS: - iOS: - introduced: '11.3' - type: - presence: optional - content: |- - The URL of the existing web clip for this item. This setting is required if `type` is `WebClip`. 
If more than one web clip exists with the same URL, the behavior is undefined. - - Specifying a web clip in this payload doesn't create the web clip. Use the `WebClip` payload to create a web clip. -- key: Pages - type: - presence: required - content: An array of arrays of dictionaries, each of which must conform to the icon - dictionary format. - subkeytype: PagesItem - subkeys: *id002 -notes: -- title: '' - content: |- - This payload defines a layout of apps, folders, and web clips for the Home Screen. This layout is locked and can't be modified by the user. - - If a Home Screen layout puts more than four items in the iPhone Dock the location of the fifth and succeeding items may be undefined but they will not be omitted. - - To disable deletion of apps, set `allowAppRemoval` to `false` with `Restrictions`. diff --git a/mdm/profiles/com.apple.ironwood.support.yaml b/mdm/profiles/com.apple.ironwood.support.yaml deleted file mode 100644 index 530ca71..0000000 --- a/mdm/profiles/com.apple.ironwood.support.yaml +++ /dev/null @@ -1,37 +0,0 @@ -title: 'Parental Control: Dictation and Profanity' -description: The payload that configures parental control for dictation and profanity. -payload: - payloadtype: com.apple.ironwood.support - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.9' - deprecated: '10.13' - multiple: false - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a -payloadkeys: -- key: Profanity Allowed - type: - presence: optional - default: true - content: If `false`, suppresses profanity. Use `forceAssistantProfanityFilter` in - Restrictions instead. -- key: Ironwood Allowed - type: - presence: optional - default: true - content: If `false`, disables dictation. Use `allowDictation` in Restrictions instead. 
diff --git a/mdm/profiles/com.apple.jabber.account.yaml b/mdm/profiles/com.apple.jabber.account.yaml deleted file mode 100644 index b06b82c..0000000 --- a/mdm/profiles/com.apple.jabber.account.yaml +++ /dev/null @@ -1,70 +0,0 @@ -title: Jabber Account -description: The payload that configures a Jabber account. -payload: - payloadtype: com.apple.jabber.account - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.7' - deprecated: '10.14' - removed: '10.14' - multiple: true - devicechannel: false - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: A Jabber payload creates a Jabber account on the device. -payloadkeys: -- key: JabberAccountDescription - title: Account Description - type: - presence: optional - content: The description of the account. -- key: JabberHostName - title: Account Hostname - type: - presence: required - content: The server's address. -- key: JabberUserName - title: Account Username - type: - presence: optional - content: The user's user name. -- key: JabberPassword - title: Account Password - type: - presence: optional - content: The user's password. -- key: JabberUseSSL - title: Use SSL - type: - presence: optional - default: false - content: If `true`, enables SSL. -- key: JabberPort - title: Port Number - type: - presence: optional - range: - min: 0 - max: 65535 - default: 5222 - content: The server's port. -- key: JabberAuthentication - title: Jabber Authentication - type: - presence: required - rangelist: - - JabberAuthPassword - content: The authentication method for the account. diff --git a/mdm/profiles/com.apple.ldap.account.yaml b/mdm/profiles/com.apple.ldap.account.yaml deleted file mode 100644 index 5efbf36..0000000 --- a/mdm/profiles/com.apple.ldap.account.yaml +++ /dev/null 
@@ -1,112 +0,0 @@ -title: LDAP -description: The payload that configures a Lightweight Directory Access Protocol (LDAP) - account. -payload: - payloadtype: com.apple.ldap.account - supportedOS: - iOS: - introduced: '4.0' - multiple: true - supervised: false - allowmanualinstall: true - sharedipad: - mode: allowed - devicechannel: false - userchannel: true - userenrollment: - mode: allowed - macOS: - introduced: '10.7' - multiple: true - devicechannel: false - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: allowed - tvOS: - introduced: n/a - visionOS: - introduced: '1.1' - multiple: true - supervised: false - allowmanualinstall: true - userenrollment: - mode: allowed - watchOS: - introduced: n/a -payloadkeys: -- key: LDAPAccountDescription - title: Account Description - type: - presence: optional - content: The description of the account. -- key: LDAPAccountHostName - title: Account Hostname - type: - presence: required - content: The server's address. -- key: LDAPAccountUserName - title: Account Username - type: - presence: optional - content: The user's user name. -- key: LDAPAccountPassword - title: Account Password - type: - presence: optional - content: The user's password. Only use this in encrypted profiles. -- key: LDAPAccountUseSSL - title: Use SSL - type: - presence: optional - default: true - content: If `true`, the system enables SSL. -- key: LDAPSearchSettings - title: Search Settings - type: - presence: optional - content: An array of search settings dictionaries. - subkeys: - - key: LDAPSearchSettingsItem - title: An LDAP Search Setting - type: - subkeys: - - key: LDAPSearchSettingDescription - title: Description - type: - presence: optional - content: The description of this search setting. - - key: LDAPSearchSettingSearchBase - title: Search Setting Search Base - type: - presence: required - content: The path to the node where a search should start. 
- - key: LDAPSearchSettingScope - title: Search Setting Scope - type: - presence: optional - rangelist: - - LDAPSearchSettingScopeBase - - LDAPSearchSettingScopeOneLevel - - LDAPSearchSettingScopeSubtree - default: LDAPSearchSettingScopeSubtree - content: |- - The type of recursion to use in the search: - - - `LDAPSearchSettingScopeBase`: The search uses only the immediate node that the search base points to. - - `LDAPSearchSettingScopeOneLevel`: The search uses the node plus its immediate children. - - `LDAPSearchSettingScopeSubtree`: The search uses the node plus all children, regardless of depth. -- key: VPNUUID - title: VPNUUID - supportedOS: - iOS: - introduced: '14.0' - macOS: - introduced: n/a - type: - presence: optional - content: The VPNUUID of the per-app VPN the account uses for network communication. - Available in iOS 14 and later. diff --git a/mdm/profiles/com.apple.loginitems.managed.yaml b/mdm/profiles/com.apple.loginitems.managed.yaml deleted file mode 100644 index c3a58e4..0000000 --- a/mdm/profiles/com.apple.loginitems.managed.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -title: 'Login Items: Managed Items' -description: The payload that configures a device's login items. -payload: - payloadtype: com.apple.loginitems.managed - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.13' - multiple: true - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: allowed - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: This payload handles login items usage on macOS. -payloadkeys: -- key: AutoLaunchedApplicationDictionary-managed - type: - presence: required - content: An array of login item dictionaries. - subkeys: - - key: LoginItem - type: - presence: required - content: A login item. - subkeys: - - key: Path - type: - presence: required - content: The URL or path string to the item's location. - - key: Hide - type: - presence: optional - default: false - content: If `true`, the system hides this item in the Users & Groups login items - list. diff --git a/mdm/profiles/com.apple.loginwindow.yaml b/mdm/profiles/com.apple.loginwindow.yaml deleted file mode 100644 index 92fc2c1..0000000 --- a/mdm/profiles/com.apple.loginwindow.yaml +++ /dev/null 
@@ -1,187 +0,0 @@ -title: Login Window -description: The payload that configures Login Window behavior. -payload: - payloadtype: com.apple.loginwindow - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.7' - multiple: true - devicechannel: true - userchannel: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: The com.apple.loginwindow payload creates managed preferences on macOS - for system/device profiles. -payloadkeys: -- key: SHOWFULLNAME - type: - presence: optional - default: false - content: If `true`, the system shows the name and password dialog. If `false`, the - system displays a list of users. -- key: HideLocalUsers - type: - presence: optional - default: false - content: If `true`, the system shows only network and system users when showing - a user list. -- key: IncludeNetworkUser - type: - presence: optional - default: false - content: If `true`, the system shows network users when showing a user list. -- key: HideAdminUsers - type: - presence: optional - default: false - content: If `true`, the system hides administrator users when showing a user list. -- key: SHOWOTHERUSERS_MANAGED - type: - presence: optional - default: false - content: If `true`, the system displays "Other..." when it shows a list of users. -- key: AdminHostInfo - type: - presence: optional - rangelist: - - HostName - - SystemVersion - - IPAddress - content: The admin host info. If present in the payload, the system displays its - value in the Login Window as additional computer information. Before macOS 10.10, - this string could only contain host name, system version, or IP address. After - macOS 10.10, setting this key to any value allows the user to click the time area - of the menu bar to toggle through various computer information values. 
-- key: AllowList - type: - presence: optional - content: The list of user GUIDs or group GUIDs of users that the system allows to - log in. An asterisk (`*`) string specifies all users or groups. This only applies - to network accounts and mobile accounts. - subkeys: - - key: AllowListItem - type: - presence: required - content: A user or group GUID. -- key: DenyList - type: - presence: optional - content: The list of user GUIDs or group GUIDs of users that the system disallows - to log in. This list takes priority over the list in the `AllowList` key. This - only applies to network accounts and mobile accounts. - subkeys: - - key: DenyListItem - type: - presence: required - content: A user or group GUID. -- key: HideMobileAccounts - type: - presence: optional - default: false - content: If `true`, the system hides mobile account users in a user list. In some - cases, mobile users show up as network users. -- key: ShutDownDisabled - type: - presence: optional - default: false - content: If `true`, the system disables the Shut Down button. -- key: RestartDisabled - type: - presence: optional - default: false - content: If `true`, the system disables the Restart item. -- key: SleepDisabled - type: - presence: optional - default: false - content: If `true`, the system disables the Sleep button. -- key: DisableConsoleAccess - type: - presence: optional - default: false - content: If `true`, the system disregards the `>console` special user name, which - provides a command line UI. -- key: LoginwindowText - type: - presence: optional - content: The text to display in the Login Window. -- key: ShutDownDisabledWhileLoggedIn - type: - presence: optional - default: false - content: If `true`, the system disables the Shut Down menu item when the user is - logged in. -- key: RestartDisabledWhileLoggedIn - type: - presence: optional - default: false - content: If `true`, the system disables the Restart menu item when the user is logged - in. 
-- key: PowerOffDisabledWhileLoggedIn - type: - presence: optional - default: false - content: If `true`, the system disables the Power Off menu item when the user is - logged in. -- key: LogOutDisabledWhileLoggedIn - supportedOS: - macOS: - introduced: '10.13' - type: - presence: optional - default: false - content: If `true`, the system disables the Log Out menu item when the user is logged - in. Available in macOS 10.13 and later. -- key: DisableScreenLockImmediate - supportedOS: - macOS: - introduced: '10.13' - type: - presence: optional - default: false - content: If `true`, the system disables the immediate Screen Lock functions. Available - in macOS 10.13 and later. -- key: showInputMenu - supportedOS: - macOS: - introduced: '10.8' - type: - presence: optional - default: false - content: If `true`, the system shows the Input Menu in the Login Window. -- key: DisableFDEAutoLogin - supportedOS: - macOS: - introduced: '10.9' - type: - presence: optional - default: false - content: If `true`, the system disables the automatic login option when using FileVault. -- key: AutologinUsername - supportedOS: - macOS: - introduced: '14.0' - allowmanualinstall: false - type: - presence: optional - content: The user short name for an existing user to set up auto login. -- key: AutologinPassword - supportedOS: - macOS: - introduced: '14.0' - allowmanualinstall: false - type: - presence: optional - content: An optional user password to set up auto login. This must match the `AutologinUsername` - user's current password. diff --git a/mdm/profiles/com.apple.lom.yaml b/mdm/profiles/com.apple.lom.yaml deleted file mode 100644 index 10d3f5d..0000000 --- a/mdm/profiles/com.apple.lom.yaml +++ /dev/null 
@@ -1,67 +0,0 @@ -title: Lights Out Management (LOM) -description: The payload that configures lights-out management (LOM) settings. -payload: - payloadtype: com.apple.lom - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '11.0' - multiple: false - devicechannel: true - userchannel: false - requiresdep: false - userapprovedmdm: true - allowmanualinstall: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: Configures a computer to send or receive "PowerON". "PowerOFF", "Reset" - requests. -payloadkeys: -- key: DeviceCertificateUUID - title: Device Certificate payload UUID - type: - presence: optional - content: The UUID certificate for the device. This key indicates the device can - receive `PowerON`, `PowerOFF`, and `Reset` requests from a LOM controller. This - certificate must contain the Key Usage attributes of Digital Signature, Key Encipherment - and Data Encipherment. As well as the Extended Key Usage attributes of Server - Authentication and Client Authentication. -- key: ControllerCertificateUUID - title: Controller Certificate payload UUID - type: - presence: optional - content: The UUID certificate for the LOM controller. This key configures the device - to accept the `LOMDeviceRequestCommand` from MDM and then send it to the target - device. -- key: DeviceCACertificateUUIDs - title: CA certificate payload UUIDs - type: - presence: optional - content: An array of payload UUIDs containing CA certificates that controllers use - to evaluate trust of device certificates. - subkeys: - - key: DeviceCACertificateUUIDsItem - type: -- key: ControllerCACertificateUUIDs - title: CA certificate payload UUIDs - type: - presence: optional - content: |- - An array of payload UUIDs containing CA certificates that devices use to evaluate trust of controller certificates. 
- - This key configures the device to accept the `LOMDeviceRequestCommand` from MDM and then send it to the target device. This certificate must contain the Key Usage attributes of Digital Signature, Key Encipherment and Data Encipherment. As well as the Extended Key Usage attributes of Server Authentication and Client Authentication. - subkeys: - - key: ControllerCACertificateUUIDsItem - type: -notes: -- title: '' - content: You can configure a compatible macOS device to be both a controller and - a device. Include the UUID of the certificate in both `DeviceCertificateUUID` - and `ControllerCertificateUUID` properties. diff --git a/mdm/profiles/com.apple.mail.managed.yaml b/mdm/profiles/com.apple.mail.managed.yaml deleted file mode 100644 index 1b051ba..0000000 --- a/mdm/profiles/com.apple.mail.managed.yaml +++ /dev/null 
@@ -1,359 +0,0 @@ -title: Mail -description: The payload that configures a Mail account. -payload: - payloadtype: com.apple.mail.managed - supportedOS: - iOS: - introduced: '4.0' - multiple: true - supervised: false - allowmanualinstall: true - sharedipad: - mode: allowed - devicechannel: false - userchannel: true - userenrollment: - mode: allowed - macOS: - introduced: '10.7' - multiple: true - devicechannel: false - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: allowed - tvOS: - introduced: n/a - visionOS: - introduced: '1.1' - multiple: true - supervised: false - allowmanualinstall: true - userenrollment: - mode: allowed - watchOS: - introduced: n/a - content: An email payload creates an email account on the device. -payloadkeys: -- key: EmailAccountDescription - title: Account Description - type: - presence: optional - content: A user-visible description of the email account, shown in the Mail and - Settings applications. -- key: EmailAccountName - title: Account Name - type: - presence: optional - content: The full user name for the account. The system displays this name in sent - messages. -- key: EmailAccountType - title: Account Type - type: - presence: required - rangelist: - - EmailTypeIMAP - - EmailTypePOP - content: Defines the protocol to use for the account. -- key: EmailAddress - title: Email Address - type: - presence: optional - content: The full email address for the account. If this string isn't present in - the payload, the device prompts the user for this string during interactive profile - installation in Settings or System Preferences. -- key: IncomingMailServerAuthentication - title: Incoming Mail Server Authentication - type: - presence: required - rangelist: - - EmailAuthNone - - EmailAuthPassword - - EmailAuthCRAMMD5 - - EmailAuthNTLM - - EmailAuthHTTPMD5 - content: The authentication scheme for incoming mail. 
-- key: IncomingMailServerHostName - title: Mail Server - type: - presence: required - content: The incoming mail server host name. -- key: IncomingMailServerPortNumber - title: Port - type: - presence: optional - content: The incoming mail server port number. If not set, the system uses the default - port for a given protocol. -- key: IncomingMailServerUseSSL - title: Use SSL - type: - presence: optional - default: false - content: If `true`, the system enables SSL for authentication on the incoming mail - server. -- key: IncomingMailServerUsername - title: Username - type: - presence: optional - content: The user name for the email account, usually the same as the email address - up to the "@" character. If not set and the account requires authentication for - incoming email, the device prompts the user for this string during interactive - profile installation in Settings or System Preferences. -- key: IncomingPassword - title: Password - type: - presence: optional - content: The password for the incoming mail server. Only use this in encrypted profiles. -- key: OutgoingPassword - title: Password - type: - presence: optional - content: The password for the outgoing mail server. Only use this in encrypted profiles. -- key: OutgoingPasswordSameAsIncomingPassword - title: Outgoing Password Same As Incoming - type: - presence: optional - default: false - content: |- - If `true`, the system prompts the user only once for the password, which it uses for both outgoing and incoming mail. - - This setting is only supported by interactive profile installations. Not supported by non-interactive installations, such as MDM on iOS. -- key: OutgoingMailServerAuthentication - title: Authentication Type - type: - presence: required - rangelist: - - EmailAuthNone - - EmailAuthPassword - - EmailAuthCRAMMD5 - - EmailAuthNTLM - - EmailAuthHTTPMD5 - content: The authentication scheme for outgoing mail. 
-- key: OutgoingMailServerHostName - title: Mail Server - type: - presence: required - content: The outgoing mail server host name. -- key: OutgoingMailServerPortNumber - title: Port - type: - presence: optional - content: The outgoing mail server port number. If not set, the system uses ports - 25, 587, and 465, in that order. -- key: OutgoingMailServerUseSSL - title: Use SSL - type: - presence: optional - default: false - content: If `true`, the system enables SSL authentication on the outgoing mail server. -- key: OutgoingMailServerUsername - title: Username - type: - presence: optional - content: The user name for the email account, usually the same as the email address - up to the "@" character. If not set and the account requires authentication for - outgoing email, the device prompts the user for this string during interactive - profile installation in Settings or System Preferences. -- key: PreventMove - title: Prevent Move - supportedOS: - iOS: - introduced: '5.0' - macOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system prevents moving messages out of this email account - and into another account. It also prevents forwarding or replying from an account - other than the recipient of the message. -- key: PreventAppSheet - title: Prevent App Sheet - supportedOS: - iOS: - introduced: '5.0' - macOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system prevents this account from sending mail in any app - other than the Apple Mail app. -- key: SMIMEEnabled - title: S/MIME Enabled - supportedOS: - iOS: - introduced: '5.0' - macOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system enables S/MIME encryption. The system ignores this - key in iOS 10.0 and later. 
-- key: SMIMESigningEnabled - title: S/MIME Signing Enabled - supportedOS: - iOS: - introduced: '10.0' - macOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system enables S/MIME signing for this account. -- key: SMIMESigningCertificateUUID - title: S/MIME Signing Certificate - supportedOS: - iOS: - introduced: '5.0' - macOS: - introduced: n/a - type: - presence: optional - format: ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$ - content: The payload UUID of the identity certificate used to sign messages sent - from this account. -- key: SMIMEEncryptionEnabled - title: S/MIME Encryption Enabled - supportedOS: - iOS: - introduced: '10.0' - macOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system enables S/MIME encryption for this account. -- key: SMIMEEncryptionCertificateUUID - title: S/MIME Encryption Certificate - supportedOS: - iOS: - introduced: '5.0' - macOS: - introduced: n/a - type: - presence: optional - format: ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$ - content: The UUID of the identity certificate used to decrypt messages sent to this - account. The system attaches the public certificate to outgoing mail to allow - the user to receive encrypted mail. When the user sends encrypted mail, the system - uses the public certificate to encrypt the copy of the mail in their Sent mailbox. -- key: SMIMEEnablePerMessageSwitch - title: S/MIME Enable Per-Message Switch - supportedOS: - iOS: - introduced: '8.0' - deprecated: '10.0' - macOS: - introduced: n/a - visionOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system displays the per-message encryption switch in the - Mail Compose UI. Deprecated in iOS 12.0. Use `SMIMEEnableEncryptionPerMessageSwitch` - instead. 
-- key: disableMailRecentsSyncing - title: Disable Mail Recents Syncing - supportedOS: - iOS: - introduced: '6.0' - type: - presence: optional - default: false - content: If `true`, the system excludes this account from Recent Addresses syncing. -- key: allowMailDrop - title: Allow Mail Drop - supportedOS: - iOS: - introduced: '9.2' - macOS: - introduced: '10.12' - type: - presence: optional - default: false - content: If `true`, the system enables this account to use Mail Drop. -- key: IncomingMailServerIMAPPathPrefix - title: Path Prefix - type: - presence: optional - content: The path prefix for the IMAP mail server. -- key: SMIMESigningUserOverrideable - supportedOS: - iOS: - introduced: '12.0' - macOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the user can turn S/MIME signing on or off in Settings. -- key: SMIMESigningCertificateUUIDUserOverrideable - supportedOS: - iOS: - introduced: '12.0' - macOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the user can select the signing identity. -- key: SMIMEEncryptByDefault - supportedOS: - iOS: - introduced: '12.0' - macOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system enables S/MIME encryption by default. -- key: SMIMEEncryptByDefaultUserOverrideable - supportedOS: - iOS: - introduced: '12.0' - macOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the user can turn encryption by default on/off, and encryption - is on. -- key: SMIMEEncryptionCertificateUUIDUserOverrideable - supportedOS: - iOS: - introduced: '12.0' - macOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the user can select the S/MIME encryption identity, and encryption - is on. 
-- key: SMIMEEnableEncryptionPerMessageSwitch - supportedOS: - iOS: - introduced: '12.0' - macOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system displays the per-message encryption switch in the - Mail Compose UI. -- key: VPNUUID - title: VPNUUID - supportedOS: - iOS: - introduced: '14.0' - macOS: - introduced: n/a - type: - presence: optional - content: The VPNUUID of the per-app VPN the account uses for network communication. - Available in iOS 14 and later. diff --git a/mdm/profiles/com.apple.mcxMenuExtras.yaml b/mdm/profiles/com.apple.mcxMenuExtras.yaml deleted file mode 100644 index 1b8b2f0..0000000 --- a/mdm/profiles/com.apple.mcxMenuExtras.yaml +++ /dev/null 
@@ -1,145 +0,0 @@ -title: Managed Menu Extras -description: The payload that configures menu extras. -payload: - payloadtype: com.apple.mcxMenuExtras - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.7' - multiple: false - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: |- - Specified menu extras will be added or removed from the menu bar - after user login. Standard menu extra may be specified by file - name. Non-standard menu extras are specified by full path. -payloadkeys: -- key: delaySeconds - type: - presence: optional - default: 2.5 - content: The number of seconds to delay after login before adding or removing menu - extras. If the delay is too short, the menu extras don't appear, or disappear - from the menu bar. -- key: maxWaitSeconds - type: - presence: optional - default: 20.0 - content: The maximum wait, in seconds, for all menu extras to be added or removed. -- key: AirPort.menu - type: - presence: optional - content: If `true`, enables the AirPort menu extra. -- key: Battery.menu - type: - presence: optional - content: If `true`, enables the Battery menu extra. -- key: Bluetooth.menu - type: - presence: optional - content: If `true`, enables the Bluetooth menu extra. -- key: CPU.menu - type: - presence: optional - content: If `true`, enables the CPU menu extra. -- key: Clock.menu - type: - presence: optional - content: If `true`, enables the Clock menu extra. -- key: Displays.menu - type: - presence: optional - content: If `true`, enables the Displays menu extra. -- key: Eject.menu - type: - presence: optional - content: If `true`, enables the Eject menu extra. -- key: Fax.menu - type: - presence: optional - content: If `true`, enables the Fax menu extra. 
-- key: HomeSync.menu - type: - presence: optional - content: If `true`, enables the HomeSync menu extra. -- key: iChat.menu - type: - presence: optional - content: If `true`, enables the iChat menu extra. -- key: Ink.menu - type: - presence: optional - content: If `true`, enables the Ink menu extra. -- key: IrDA.menu - type: - presence: optional - content: If `true`, enables the IrDA menu extra. -- key: PCCard.menu - type: - presence: optional - content: If `true`, enables the PCCard menu extra. -- key: PPP.menu - type: - presence: optional - content: If `true`, enables the PPP menu extra. -- key: PPPoE.menu - type: - presence: optional - content: If `true`, enables the PPPoE menu extra. -- key: RemoteDesktop.menu - type: - presence: optional - content: If `true`, enables the Remote Desktop menu extra. -- key: Script Menu.menu - type: - presence: optional - content: If `true`, enables the Script menu extra. -- key: Spaces.menu - type: - presence: optional - content: If `true`, enables the Spaces menu extra. -- key: Sync.menu - type: - presence: optional - content: If `true`, enables the Sync menu extra. -- key: TextInput.menu - type: - presence: optional - content: If `true`, enables the Text Input menu extra. -- key: TimeMachine.menu - type: - presence: optional - content: If `true`, enables the TimeMachine menu extra. -- key: UniversalAccess.menu - type: - presence: optional - content: If `true`, enables the Universal Access menu extra. -- key: User.menu - type: - presence: optional - content: If `true`, enables the User menu extra. -- key: VPN.menu - type: - presence: optional - content: If `true`, enables the VPN menu extra. -- key: Volume.menu - type: - presence: optional - content: If `true`, enables the Volume menu extra. -- key: WWAN.menu - type: - presence: optional - content: If `true`, enables the WWAN menu extra. 
diff --git a/mdm/profiles/com.apple.mcxloginscripts.yaml b/mdm/profiles/com.apple.mcxloginscripts.yaml deleted file mode 100644 index aed98e8..0000000 --- a/mdm/profiles/com.apple.mcxloginscripts.yaml +++ /dev/null 
@@ -1,65 +0,0 @@ -title: 'Login Window: Scripts' -description: The payload that configures scripts to run at login and logout. -payload: - payloadtype: com.apple.mcxloginscripts - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.7' - multiple: false - devicechannel: true - userchannel: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: Login and logout managed script handling -payloadkeys: -- key: loginscripts - type: - presence: optional - content: An array of one or more dictionaries of scripts to run at user login time. - subkeytype: ScriptsItems - subkeys: &id001 - - key: ScriptsItems - type: - content: A dictionary of login scripts. - subkeys: - - key: filename - type: - presence: required - content: The filename for display purposes. - - key: filedata - type: - presence: required - content: The UTF-8 encoded data object representing the executable script. -- key: logoutscripts - type: - presence: optional - content: An array of one or more dictionaries of scripts to run at user logout time. - subkeytype: ScriptsItems - subkeys: *id001 -- key: skipLoginHook - type: - presence: optional - default: false - content: If `true`, the system doesn't execute the login scripts during login. -- key: skipLogoutHook - type: - presence: optional - default: false - content: If `true`, the system doesn't execute the logout scripts during logout. -notes: -- title: '' - content: |- - The MCX login and logout managed-scripts payload contains information about executable scripts that can run at user login and logout. To use this payload, set `EnableMCXLoginScripts` to `true` in `/var/root/Library/Preferences/com.apple.loginwindow.plist`; otherwise, the system ignores this payload. 
- - `Loginwindow` uses the `LoginHook` and `LogoutHook` string keys in `/var/root/Library/Preferences/com.apple.loginwindow.plist` to indicate a path to the executable script files, which run during user login and logout. The system passes the current user name as an argument to the file. diff --git a/mdm/profiles/com.apple.mcxprinting.yaml b/mdm/profiles/com.apple.mcxprinting.yaml deleted file mode 100644 index c0c0fbd..0000000 --- a/mdm/profiles/com.apple.mcxprinting.yaml +++ /dev/null 
@@ -1,115 +0,0 @@ -title: Printing -description: The payload that configures printers. -payload: - payloadtype: com.apple.mcxprinting - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.7' - multiple: false - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a -payloadkeys: -- key: RequireAdminToAddPrinters - type: - presence: optional - default: true - content: If `true`, requires an administrator password to add printers. -- key: AllowLocalPrinters - type: - presence: optional - default: true - content: If `true`, allows printers that connect directly to a user's computer. -- key: RequireAdminToPrintLocally - type: - presence: optional - default: false - content: If `true`, requires an administrator password to print locally. -- key: ShowOnlyManagedPrinters - type: - presence: optional - default: false - content: If `true`, shows only managed printers. -- key: PrintFooter - type: - presence: optional - default: false - content: If `true`, prints the page footer (including the user name and date). -- key: PrintMACAddress - type: - presence: optional - default: false - content: If `true`, includes the MAC address. -- key: FooterFontSize - type: - presence: optional - content: The footer font size. -- key: FooterFontName - type: - presence: optional - content: The footer font name. -- key: DefaultPrinter - type: - presence: optional - content: The default printer for the user. - subkeys: - - key: DeviceURI - type: - presence: optional - content: The device URI. - - key: DisplayName - type: - presence: optional - content: The display name. -- key: UserPrinterList - type: - presence: optional - content: The printers available to a user. - subkeys: - - key: Printer - type: - presence: optional - content: A dictionary of printer details. 
- subkeys: - - key: DeviceURI - type: - presence: optional - content: The device URI. - - key: DisplayName - type: - presence: optional - content: The display name. - - key: Location - type: - presence: optional - content: The printer's location. - - key: Model - type: - presence: optional - content: The printer's model. - - key: PrinterLocked - type: - presence: optional - default: false - content: If `true`, locks the printer. - - key: PPDURL - type: - presence: optional - content: The printer's PPDURL. -notes: -- title: '' - content: Removing this profile from a device doesn't automatically remove printers - from the device. diff --git a/mdm/profiles/com.apple.mdm.yaml b/mdm/profiles/com.apple.mdm.yaml deleted file mode 100644 index c3163ea..0000000 --- a/mdm/profiles/com.apple.mdm.yaml +++ /dev/null 
@@ -1,323 +0,0 @@
-title: MDM -description: The payload that configures mobile device management (MDM) settings. -payload: - payloadtype: com.apple.mdm - supportedOS: - iOS: - introduced: '4.0' - multiple: false - supervised: false - allowmanualinstall: true - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: allowed - macOS: - introduced: '10.7' - multiple: false - devicechannel: true - userchannel: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: allowed - tvOS: - introduced: '9.0' - multiple: false - supervised: false - allowmanualinstall: true - visionOS: - introduced: '1.1' - multiple: false - supervised: false - allowmanualinstall: true - userenrollment: - mode: allowed - watchOS: - introduced: '10.0' - multiple: false - supervised: true - allowmanualinstall: false -payloadkeys: -- key: IdentityCertificateUUID - title: Identity Certificate UUID - type: - presence: required - format: ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$ - content: The UUID of the certificate payload for the device's identity. It may also - point to a SCEP payload. -- key: Topic - title: Topic - type: - presence: required - content: |- - The topic that MDM listens to for push notifications. The certificate that the server uses to send push notifications must have the same topic in its subject. The topic must begin with the 'com.apple.mgmt.' prefix. - - > Note: - > When updating the payload, the value of this key must not change. Any change is an error, and the update is rejected. -- key: ServerURL - title: Server URL - type: - presence: required - format: ^https://.*$ - content: |- - The URL that the device contacts to retrieve device management instructions. The URL must begin with the `https://` URL scheme, and may contain a port number - (`:1234`, for example). - - > Note: - > When updating the payload, the value of this key must not change.
Any change is an error, and the update is rejected. -- key: CheckInURL - title: Check In URL - type: - presence: optional - format: ^https://.*$ - content: |- - The URL that the device should use to check in during installation. The URL must begin with the `https://` URL scheme and may contain a port number (`:1234`, for example). If not set, the system uses `ServerURL`. - - > Note: - > When updating the payload, the value of this key must not change. Any change is an error, and the update is rejected. -- key: SignMessage - title: Sign Message - type: - presence: optional - default: false - content: If 'true', each message coming from the device carries the additional 'Mdm-Signature' - HTTP header. -- key: AccessRights - title: Access Rights - supportedOS: - iOS: - userenrollment: - mode: ignored - macOS: - userenrollment: - mode: ignored - visionOS: - userenrollment: - mode: ignored - type: - presence: optional - content: |- - Logical OR of the following bit flags: - - - `1`: Allow inspection of installed configuration profiles. - - `2`: Allow installation and removal of configuration profiles. - - `4`: Allow device lock and passcode removal. - - `8`: Allow device erase. - - `16`: Allow query of device information (device capacity, serial number). - - `32`: Allow query of network information (phone/SIM numbers, MAC addresses). - - `64`: Allow inspection of installed provisioning profiles. - - `128`: Allow installation and removal of provisioning profiles. - - `256`: Allow inspection of installed applications. - - `512`: Allow restriction-related queries. - - `1024`: Allow security-related queries. - - `2048`: Allow manipulation of settings. - - `4096`: Allow app management. - - Don't set to `0`. Specify `1` if you specify `2`. Specify `64` if you specify `128`. Ignored if you set a value for `ManagedAppleID`. - - > Note: - > When updating the payload, the addition of any access right is an error, and the update is rejected. 
-- key: UseDevelopmentAPNS - title: Use Development APNS - type: - presence: optional - default: false - content: |- - If 'true', the device uses the development APNS servers. Otherwise, the device uses the production servers. - Set to 'false' if your Apple Push Notification Service certificate was issued by the Apple Push Certificate Portal ('https://identity.apple.com/pushcert'). That portal only issues certificates for the production push environment. -- key: ManagedAppleID - title: Managed Apple Account - supportedOS: - iOS: - introduced: '13.1' - deprecated: '17.0' - removed: '18.0' - userenrollment: - mode: required - macOS: - introduced: '10.15' - deprecated: '14.0' - removed: '15.0' - userenrollment: - mode: required - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: |- - The Managed Apple Account of the user. Previously required for profile-driven user enrollment. - Removed as of iOS 18 and macOS 15. -- key: AssignedManagedAppleID - title: Assigned Managed Apple Account - supportedOS: - iOS: - introduced: '15.0' - macOS: - introduced: '14.0' - tvOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: |- - The Managed Apple Account pre-assigned to the authenticated user. Required for account-driven enrollments. Available in iOS 15 and later, and macOS 14 and later. - - > Note: - > When updating the payload, the value of this key must not change. Any change is an error, and the update is rejected. -- key: EnrollmentMode - title: Enrollment Mode - supportedOS: - iOS: - introduced: '15.0' - macOS: - introduced: '14.0' - tvOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - rangelist: - - BYOD - - ADDE - content: |- - The enrollment mode the server indicates to use when enrolling. Required for account-driven enrollment. Available in iOS 15 and macOS 14, and later. 
- - > Note: - > When updating the payload, the value of this key must not change. Any change is an error, and the update is rejected. -- key: ServerURLPinningCertificateUUIDs - supportedOS: - iOS: - introduced: '13.4' - macOS: - introduced: '10.13' - tvOS: - introduced: '13.4' - type: - presence: optional - content: An array of strings, each containing the UUID of a certificate to use when - evaluating trust to the '.../connect/' URLs of MDM servers. - subkeys: - - key: ServerURLPinningCertificateUUIDsItem - type: - presence: required - content: A certificate payload UUID. -- key: CheckInURLPinningCertificateUUIDs - supportedOS: - iOS: - introduced: '13.4' - macOS: - introduced: '10.13' - tvOS: - introduced: '13.4' - type: - presence: optional - content: An array of strings, each containing the payload UUID of a certificate - to use when evaluating trust to the '.../checkin/' URLs of MDM servers. - subkeys: - - key: CheckInURLPinningCertificateUUIDsItem - type: - presence: required - content: A certificate payload UUID. -- key: PinningRevocationCheckRequired - supportedOS: - iOS: - introduced: '13.4' - macOS: - introduced: '10.13' - tvOS: - introduced: '13.4' - type: - presence: optional - default: false - content: |- - If 'true', the system fails the connection attempt unless it obtains a verified positive response during certificate revocation checks. - If 'false', the system performs revocation checks on a best-attempt basis, where failure to reach the server isn't considered fatal. -- key: ServerCapabilities - type: - presence: optional - content: |- - A unique array of strings indicating server capabilities: - - - `com.apple.mdm.per-user-connections`: Indicates that the server supports both device and user connections. This must be present when managing Shared iPad or macOS devices. - - `com.apple.mdm.bootstraptoken`: Indicates that the server supports escrowing the bootstrap token. 
This must be present for the device to create a bootstrap token and send it to the server. Available in iOS 26 and later, macOS 11 and later, and visionOS 26 and later. - - `com.apple.mdm.token`: Indicates that the server supports the `Get-Token` CheckIn message type. This must be present for the device to use `Get-Token` CheckIn message when appropriate. - - > Note: - > When updating the payload, the `com.apple.mdm.per-user-connections` capability must not be added or removed. Any such change is an error, and the update is rejected. - subkeys: - - key: ServerCapabilitiesItems - type: - rangelist: - - com.apple.mdm.per-user-connections - - com.apple.mdm.bootstraptoken - - com.apple.mdm.token -- key: CheckOutWhenRemoved - type: - presence: optional - default: false - content: If 'true', the device attempts to send a `Check-Out` message to the 'CheckInURL' - when the profile is removed. -- key: RequiredAppIDForMDM - supportedOS: - iOS: - introduced: '15.1' - macOS: - introduced: n/a - tvOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: |- - This property specifies an iTunes Store ID for an app the system can install with the InstallApplicationCommand, without any approval from the user. The MDM vendor or managing organization generally provides this app, which enhances the management experience for the user. The device shows the user details about this app in the account-driven enrollment process prior to installing the MDM profile. Use this property with account-driven MDM enrollments that normally require user approval for app installs through MDM. - Only account-driven enrollments support this property and other enrollment types ignore it. - Available in iOS 15.1 and later. - - > Note: - > When updating the payload, the value of this key must not change. Any change is an error, and the update is rejected. 
-- key: PromptUserToAllowBootstrapTokenForAuthentication - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '11.0' - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: |- - If 'true', the system warns the user that they need to reboot into RecoveryOS and allow the MDM to use the bootstrap token for authentication for certain sensitive operations such as enabling kernel extensions or installing some types of software updates. If the MDM doesn't need to perform these operations, it can leave this key set to 'false', and the user isn't notified. - The SettingsCommand.Command.Settings.MDMOptions.MDMOptions command overrides this default value. - This setting only applies to devices that have 'BootstrapTokenRequiredForSoftwareUpdate' or 'BootstrapTokenRequiredForKernelExtensionApproval' set to 'true' in their SecurityInfoResponse.SecurityInfo. - DEP-enrolled devices are automatically allowed to use the bootstrap token for authentication. - Available in macOS 11 and later. -notes: -- title: '' - content: |- - Also define the following four standard payload values in your MDM payload: - - - `PayloadIdentifier`: The reverse-DNS style identifier that identifies the profile; for example, `com.example.myprofile`. The system uses this value to determine whether to replace an existing profile or add a new one. - - `PayloadUUID`: A globally unique identifier for the profile. In macOS, you can use `uuidgen` to generate this value. - - `PayloadType`: The payload type. Set to `com.apple.mdm` to designate that this payload is an MDM payload. - - `PayloadVersion`: The version number of the profile format, which describes the version of the configuration profile as a whole, not of the individual profiles within it. Set this value to `1`. - - - - > Note: - > MDM reserves profile payload dictionary keys with the _Payload_ prefix. Don't treat them as managed preferences. 
diff --git a/mdm/profiles/com.apple.mobiledevice.passwordpolicy.yaml b/mdm/profiles/com.apple.mobiledevice.passwordpolicy.yaml
deleted file mode 100644
index 1e67996..0000000
--- a/mdm/profiles/com.apple.mobiledevice.passwordpolicy.yaml
+++ /dev/null
@@ -1,293 +0,0 @@
-title: Passcode -description: The payload that configures a passcode policy. -payload: - payloadtype: com.apple.mobiledevice.passwordpolicy - supportedOS: - iOS: - introduced: '4.0' - multiple: true - supervised: false - allowmanualinstall: true - sharedipad: - mode: forbidden - userenrollment: - mode: allowed - macOS: - introduced: '10.7' - multiple: true - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: '2.0' - multiple: true - supervised: false - allowmanualinstall: true - userenrollment: - mode: allowed - watchOS: - introduced: '10.0' - multiple: true - supervised: false - allowmanualinstall: true -payloadkeys: -- key: allowSimple - title: Allow Simple Value - supportedOS: - iOS: - userenrollment: - mode: ignored - visionOS: - userenrollment: - mode: ignored - type: - presence: optional - default: true - content: If `false`, the system prevents use of a simple passcode. A simple passcode - contains repeated characters, or increasing or decreasing characters, such as - `123` or `CBA`. -- key: forcePIN - title: Require Passcode on Device - supportedOS: - iOS: - userenrollment: - mode: ignored - visionOS: - userenrollment: - mode: ignored - type: - presence: optional - default: false - content: If `true`, the system forces the user to enter a PIN. -- key: maxFailedAttempts - title: Maximum Number of Failed Attempts - supportedOS: - iOS: - userenrollment: - mode: ignored - visionOS: - userenrollment: - mode: ignored - type: - presence: optional - range: - min: 2 - max: 11 - default: 11 - content: |- - The number of failed passcode attempts that the system allows the user before it erases or locks the device. After six failed attempts, the device imposes a time delay before the user can enter a passcode again. The time delay increases with each failed attempt.
On macOS, set `minutesUntilFailedLoginReset` to define the time delay. The time delay begins after the sixth attempt, so if `MaximumFailedAttempts` is six or lower, the system has no time delay and triggers the erase or lock as soon as the user exceeds the limit. - - After the final failed attempt, the system locks a macOS device, or securely erases all data and settings from an iOS, visionOS, or watchOS device. -- key: maxInactivity - title: Auto-Lock - supportedOS: - iOS: - userenrollment: - mode: ignored - visionOS: - userenrollment: - mode: ignored - type: - presence: optional - range: - min: 0 - max: 15 - content: |- - The maximum number of minutes for which the device can be idle without the user unlocking it, before the system locks it. When this limit is reached, the system locks the device and the passcode is required to unlock it. The user can edit this setting, but the value can't exceed the `maxInactivity` value. - - On macOS, the system translates this inactivity value to screen-saver settings. The maximum value for macOS is `60`. - - Setting this key removes the `never` option in the Settings UI on user enrolled devices. -- key: maxPINAgeInDays - title: Maximum Passcode Age - supportedOS: - iOS: - userenrollment: - mode: ignored - visionOS: - userenrollment: - mode: ignored - type: - presence: optional - range: - min: 1 - max: 730 - content: The number of days for which the passcode can remain unchanged. After this - number of days, the system forces the user to change the passcode before it unlocks - the device. -- key: minComplexChars - title: Minimum Number of Complex Characters - supportedOS: - iOS: - userenrollment: - mode: ignored - visionOS: - userenrollment: - mode: ignored - watchOS: - introduced: n/a - type: - presence: optional - range: - min: 0 - max: 4 - default: 0 - content: |- - The minimum number of complex characters that a passcode needs to contain. 
A _complex_ character is a character other than a number or a letter, such as `&`, `%`, `$`, and `#`. - - The system ignores this property for user enrollments. -- key: minLength - title: Minimum Passcode Length - supportedOS: - iOS: - userenrollment: - mode: ignored - visionOS: - userenrollment: - mode: ignored - type: - presence: optional - range: - min: 0 - max: 16 - default: 0 - content: The minimum overall length of the passcode. This value is independent of - the value for `minComplexChars`. -- key: requireAlphanumeric - title: Require Alphabetic Value - supportedOS: - iOS: - userenrollment: - mode: ignored - visionOS: - userenrollment: - mode: ignored - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system requires alphabetic characters instead of only numeric - characters. -- key: pinHistory - title: Passcode History - supportedOS: - iOS: - userenrollment: - mode: ignored - visionOS: - userenrollment: - mode: ignored - type: - presence: optional - range: - min: 1 - max: 50 - content: This value defines _N_, where the new passcode must be unique within the - last _N_ entries in the passcode history. -- key: maxGracePeriod - title: Grace Period for Device Lock - supportedOS: - iOS: - userenrollment: - mode: ignored - visionOS: - userenrollment: - mode: ignored - type: - presence: optional - default: 0 - content: The maximum grace period, in minutes, to unlock the phone without entering - a passcode. The default is `0`, which is no grace period and requires a passcode - immediately. On macOS, the system translates this grace period value to screen-saver - settings. 
-- key: minutesUntilFailedLoginReset - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.10' - userenrollment: - mode: ignored - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: The number of minutes before the system resets the login after the maximum - number of unsuccessful login attempts is reached. This key requires setting `maxFailedAttempts`. - Available in macOS 10.10 and later. -- key: changeAtNextAuth - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.13' - userenrollment: - mode: ignored - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system causes a password reset to occur the next time the - user tries to authenticate. If this key is set in a device profile, the setting - takes effect for all users, and admin authentications may fail until the admin - user password is also reset. Available in macOS 10.13 and later. -- key: customRegex - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '14.0' - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: |- - Specifies a regular expression, and its description, used to enforce password compliance. Use the simpler passcode restrictions whenever possible, and rely on regular expression matching only when necessary. Mistakes in regular expressions can lead to frustrating user experiences, such as unsatisfiable passcode policies, or policy descriptions that don't match the enforced policy. - - Available in macOS 14 and later. - subkeys: - - key: passwordContentRegex - type: - presence: required - content: A regular expression string that the system matches against the password - to determine whether it complies with a policy. The regular expression uses - the ICU syntax ([https://unicode-org.github.io/icu/userguide/strings/regexp.html](https://unicode-org.github.io/icu/userguide/strings/regexp.html)). 
- The string must not exceed 2048 characters in length. - - key: passwordContentDescription - type: - presence: optional - content: Contains a dictionary of keys for supported OS language IDs (for example, - "en-US"), and whose values represent a localized description of the policy enforced - by the regular expression. Use the special `default` key can for languages that - aren't contained in the dictionary. - subkeys: - - key: ANY - type: - presence: optional - content: A localized description. -notes: -- title: '' - content: |- - The presence of this payload type causes the device to present the user with a passcode entry mechanism. The payload controls the complexity of the passcode. - - For user enrollments, the system allows this payload type, but ignores most of the keys. Instead, the presence of the payload forces only these settings: - - - `allowSimple`: always set to `false` - - `forcePIN`: always set to `true` - - `minLength`: always set to `6` - - `maxInactivity`: if this key is present its value is ignored, but the `never` option is removed in the Settings UI.
diff --git a/mdm/profiles/com.apple.networkusagerules.yaml b/mdm/profiles/com.apple.networkusagerules.yaml
deleted file mode 100644
index 634ff6e..0000000
--- a/mdm/profiles/com.apple.networkusagerules.yaml
+++ /dev/null
@@ -1,103 +0,0 @@
-title: Network Usage Rules -description: The payload that configures network-usage rules. -payload: - payloadtype: com.apple.networkusagerules - supportedOS: - iOS: - introduced: '9.0' - multiple: false - supervised: false - allowmanualinstall: false - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: Network Usage Rules allow enterprises to specify how devices use networks, - such as cellular data networks. iOS 9-12 support only ApplicationRules. In iOS - 13, ApplicationRules, SIMRules, or both must be present. -payloadkeys: -- key: ApplicationRules - type: - presence: optional - content: An array of application rules, that apply to only managed apps. - subkeys: - - key: ApplicationRulesItem - type: - content: The application rules dictionary. - subkeys: - - key: AppIdentifierMatches - type: - presence: optional - content: |- - A list of managed app identifiers, as strings, that must follow the associated rules. If this key is missing, the rules apply to all managed apps on the device. - - - - Each string in the `AppIdentifierMatches` array may either be an exact app identifier match (for example, `com.mycompany.myapp`) or it may specify a prefix match for the bundle ID by using the \* wildcard character. If used, this character must appear after a period (.) and may only appear once, at the end of the string; for example, `com.mycompany.*`. - subkeys: - - key: AppIdentifierMatchesItem - type: - presence: required - content: A managed app identifier. - - key: AllowRoamingCellularData - type: - presence: optional - default: true - content: If `false`, disables cellular data while roaming for all matching managed - apps. - - key: AllowCellularData - type: - presence: optional - default: true - content: If `false`, disables cellular data for all matching managed apps.
-- key: SIMRules - supportedOS: - iOS: - introduced: '13.0' - type: - presence: optional - content: An array of SIM rules, that apply to all apps. - subkeys: - - key: SIMRulesItem - type: - content: The policy for individual SIM cards. - subkeys: - - key: ICCIDs - type: - presence: required - content: One or more ICCIDs of SIM cards for which the `WiFiAssistPolicy` applies. - All ICCIDs in all installed Network Usage Rules payloads must be unique. An - example ICCID is `89310410106543789301`. - subkeys: - - key: ICCID - type: - presence: required - content: An ICCID. - - key: WiFiAssistPolicy - type: - presence: required - rangelist: - - 2 - - 3 - content: |- - The Wi-Fi Assist policy to apply to the SIM cards specified in the ICCIDs. Allowed values: - - - `2`: Use the default system policy for the specified SIM card(s). - - `3`: Make Wi-Fi Assist switch more aggressively from a poor Wi-Fi connection to cellular data for the specified SIM card(s). This setting may increase cellular data use and may impact battery life. - - For more information, see [About Wi-Fi Assist](https://support.apple.com/en-us/HT205296). -notes: -- title: '' - content: Network usage rules allow enterprises to specify how devices use networks, - such as cellular data networks. iOS 9-12 require the application rules. In iOS - 13, application rules, SIM rules, or both must be present.
diff --git a/mdm/profiles/com.apple.notificationsettings.yaml b/mdm/profiles/com.apple.notificationsettings.yaml
deleted file mode 100644
index 62da340..0000000
--- a/mdm/profiles/com.apple.notificationsettings.yaml
+++ /dev/null
@@ -1,183 +0,0 @@
-title: Notifications -description: The payload that configures notifications. -payload: - payloadtype: com.apple.notificationsettings - supportedOS: - iOS: - introduced: '9.3' - multiple: false - supervised: true - allowmanualinstall: true - sharedipad: - mode: allowed - devicechannel: true - userchannel: true - userenrollment: - mode: forbidden - macOS: - introduced: '10.15' - multiple: true - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: A notification settings payload specifies the restriction enforced notification - settings for apps using their bundle identifier. The profile specifies notification - settings by bundle identifier (even for apps that aren’t installed on the device - yet), and those settings will always be enforced. -payloadkeys: -- key: NotificationSettings - title: Notification Settings - type: - presence: required - content: An array of notification settings dictionaries. - subkeys: - - key: NotificationSettingsItem - title: Notification Setting - type: - subkeys: - - key: BundleIdentifier - title: App Bundle Identifier - type: - presence: required - content: |- - The bundle identifier of the app to which to apply these notification settings. - - Available in iOS 9.3 and later and macOS 10.15 and later. - - key: NotificationsEnabled - title: Enable Notifications - type: - presence: optional - default: true - content: |- - If `true`, enables notifications for this app. - - Available in iOS 9.3 and later and macOS 10.15 and later. - - key: ShowInNotificationCenter - title: Show in Notification Center - type: - presence: optional - default: true - content: |- - If `true`, enables notifications in the notification center for this app. - - Available in iOS 9.3 and later and macOS 10.15 and later.
- - key: ShowInLockScreen - title: Show in Lock Screen - type: - presence: optional - default: true - content: |- - If `true`, enables notifications on the Lock Screen for this app. - - Available in iOS 9.3 and later and macOS 10.15 and later. - - key: AlertType - title: Alert Type - type: - presence: optional - rangelist: - - 0 - - 1 - - 2 - default: 1 - content: |- - The type of alert for notifications for this app: - - - `0`: None - - `1`: Temporary Banner - - `2`: Persistent Banner - - Available in iOS 9.3 and later and macOS 10.15 and later. - - key: BadgesEnabled - title: Badges Enabled - type: - presence: optional - default: true - content: |- - If `true`, enables badges for this app. - - Available in iOS 9.3 and later and macOS 10.15 and later. - - key: SoundsEnabled - title: Sounds Enabled - type: - presence: optional - default: true - content: If `true`, enables sounds for this app. - - key: ShowInCarPlay - title: Show in CarPlay - supportedOS: - iOS: - introduced: '12.0' - macOS: - introduced: n/a - type: - presence: optional - default: true - content: |- - If `true`, enables notifications in CarPlay for this app. - - Available in iOS 12 and later. - - key: CriticalAlertEnabled - title: Critical Alert Enabled - supportedOS: - iOS: - introduced: '12.0' - type: - presence: optional - default: false - content: |- - If `true`, enables critical alerts that can ignore Do Not Disturb and ringer settings for this app. - - Available in iOS 12 and later and macOS 10.15 and later. - - key: GroupingType - title: Grouping Type - supportedOS: - iOS: - introduced: '12.0' - macOS: - introduced: n/a - type: - presence: optional - rangelist: - - 0 - - 1 - - 2 - default: 0 - content: |- - The type of grouping for notifications for this app: - - - `0`: Automatic: Group notifications into app-specified groups. - - `1`: By app: Group notifications into one group. - - `2`: Off: Don't group notifications. - - Available in iOS 12 and later. 
- - key: PreviewType - title: Preview Type - supportedOS: - iOS: - introduced: '14.0' - macOS: - introduced: n/a - type: - presence: optional - rangelist: - - 0 - - 1 - - 2 - content: |- - The type previews for notifications. This key overrides the value at Settings>Notifications>Show Previews. - - - `0` - Always: Previews will be shown when the device is locked and unlocked - - `1` - When Unlocked: Previews will only be shown when the device is unlocked - - `2` - Never: Previews will never be shown - - Available in iOS 14 and later.
diff --git a/mdm/profiles/com.apple.osxserver.account.yaml b/mdm/profiles/com.apple.osxserver.account.yaml
deleted file mode 100644
index 875fd28..0000000
--- a/mdm/profiles/com.apple.osxserver.account.yaml
+++ /dev/null
@@ -1,69 +0,0 @@
-title: macOS Server Account -description: The payload that configures a macOS Server account. -payload: - payloadtype: com.apple.osxserver.account - supportedOS: - iOS: - introduced: '9.0' - deprecated: '12.0' - removed: '12.0' - multiple: true - supervised: false - allowmanualinstall: true - sharedipad: - mode: forbidden - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a -payloadkeys: -- key: HostName - title: Account Hostname - type: - presence: required - content: The server's address. -- key: UserName - title: Account Username - type: - presence: required - content: The user's user name. -- key: Password - title: Account Password - type: - presence: optional - content: The user's password. -- key: AccountDescription - title: Account Description - type: - presence: optional - content: The description of the account. -- key: ConfiguredAccounts - title: Configured Accounts - type: - presence: required - content: An array of dictionaries containing configured account types and relevant - settings - subkeys: - - key: ConfiguredAccountsItem - title: Configured Account - type: - subkeys: - - key: Type - title: Account Type - type: - presence: required - rangelist: - - com.apple.osxserver.documents - content: com.apple.osxserver.documents (the Documents account type). - - key: Port - title: Port Number - type: - presence: optional - content: Designates the port number to use when contacting the server. If no - port number is specified, the default port is used.
diff --git a/mdm/profiles/com.apple.preference.security.yaml b/mdm/profiles/com.apple.preference.security.yaml
deleted file mode 100644
index 664592c..0000000
--- a/mdm/profiles/com.apple.preference.security.yaml
+++ /dev/null
@@ -1,40 +0,0 @@ -title: Security Preferences -description: The payload that configures security preferences. -payload: - payloadtype: com.apple.preference.security - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.10' - multiple: false - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a -payloadkeys: -- key: dontAllowPasswordResetUI - type: - presence: optional - default: false - content: If `true`, disables user changes to the password. -- key: dontAllowLockMessageUI - type: - presence: optional - default: false - content: If `true`, disables user changes to the lock message. -- key: dontAllowFireWallUI - type: - presence: optional - default: false - content: If `true`, disables user changes to the firewall settings. diff --git a/mdm/profiles/com.apple.preferences.users.yaml b/mdm/profiles/com.apple.preferences.users.yaml deleted file mode 100644 index 79bec6c..0000000 --- a/mdm/profiles/com.apple.preferences.users.yaml +++ /dev/null @@ -1,30 +0,0 @@ -title: User Preferences -description: The payload that configures iCloud password preferences. -payload: - payloadtype: com.apple.preference.users - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.12' - multiple: false - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: allowed - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a -payloadkeys: -- key: DisableUsingiCloudPassword - type: - presence: optional - default: false - content: If `true`, disables the iCloud password for local accounts. 
diff --git a/mdm/profiles/com.apple.profileRemovalPassword.yaml b/mdm/profiles/com.apple.profileRemovalPassword.yaml deleted file mode 100644 index 6ec99f0..0000000 --- a/mdm/profiles/com.apple.profileRemovalPassword.yaml +++ /dev/null @@ -1,46 +0,0 @@ -title: Profile Removal Password -description: The payload that configures profile removal. -payload: - payloadtype: com.apple.profileRemovalPassword - supportedOS: - iOS: - introduced: '4.0' - multiple: false - supervised: true - allowmanualinstall: true - sharedipad: - mode: forbidden - userenrollment: - mode: forbidden - macOS: - introduced: '10.7' - multiple: false - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: '9.0' - multiple: false - supervised: true - allowmanualinstall: true - visionOS: - introduced: n/a - watchOS: - introduced: n/a -payloadkeys: -- key: RemovalPassword - title: Removal Password - type: - presence: optional - content: The password to allow removing the profile. -notes: -- title: '' - content: This payload provides a password to allow users to remove a locked configuration - profile from the device. If this payload is present and has a password value set, - the device asks for the password when the user taps a profile's Remove button. - This system encrypts the payload with the rest of the profile. diff --git a/mdm/profiles/com.apple.proxy.http.global.yaml b/mdm/profiles/com.apple.proxy.http.global.yaml deleted file mode 100644 index db9febe..0000000 --- a/mdm/profiles/com.apple.proxy.http.global.yaml +++ /dev/null 
@@ -1,111 +0,0 @@ -title: Global HTTP Proxy -description: The payload that configures a global HTTP proxy. -payload: - payloadtype: com.apple.proxy.http.global - supportedOS: - iOS: - introduced: '6.0' - multiple: false - supervised: true - allowmanualinstall: true - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: forbidden - macOS: - introduced: '10.9' - multiple: false - devicechannel: true - userchannel: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: '9.0' - multiple: false - supervised: true - allowmanualinstall: true - visionOS: - introduced: '2.0' - multiple: false - supervised: true - allowmanualinstall: true - userenrollment: - mode: forbidden - watchOS: - introduced: n/a - content: PEM-encoded cer -payloadkeys: -- key: ProxyType - title: Proxy Type - type: - presence: optional - rangelist: - - Manual - - Auto - default: Manual - content: The proxy type. For a manual proxy type, the profile contains the proxy - server address, including its port, and optionally a user name and password. For - an auto proxy type, you can enter a PAC URL. -- key: ProxyServer - title: Proxy Server - type: - subtype: - presence: optional - content: The proxy server's network address. The device requires this if `ProxyType` - is set to `Manual`, and ignores it if `ProxyType` is set to `Automatic`. -- key: ProxyServerPort - title: Proxy Server Port - type: - presence: optional - content: The proxy server's port number. The device requires this if `ProxyType` - is set to `Manual`, and ignores this if `ProxyType` is set to `Automatic`. -- key: ProxyUsername - title: Proxy Username - type: - presence: optional - content: The user name used to authenticate to the proxy server. The device only - uses this if `ProxyType` is set to `Manual`, and ignores it if `ProxyType` is - set to `Automatic`. 
-- key: ProxyPassword - title: Proxy Password - type: - presence: optional - content: The password used to authenticate to the proxy server. The device only - uses this if `ProxyType` is set to `Manual`, and ignores it if `ProxyType` is - set to `Automatic`. -- key: ProxyPACURL - title: Proxy PAC URL - type: - presence: optional - content: The URL of the PAC file that defines the proxy configuration. Starting - in iOS 13 and macOS 10.15, only URLs that begin with `http://` or `https://` are - allowed. This is only used if `ProxyType` is set to `Automatic`, and is ignored - if `ProxyType` is set to `Manual`. -- key: ProxyPACFallbackAllowed - title: Proxy PAC Fallback Allowed - supportedOS: - iOS: - introduced: '7.0' - type: - presence: optional - default: false - content: If `true`, allows connecting directly to the destination if the proxy autoconfiguration - (PAC) file is unreachable. -- key: ProxyCaptiveLoginAllowed - title: Proxy Bypass Allowed - supportedOS: - iOS: - introduced: '7.0' - type: - presence: optional - default: false - content: If `true`, allows the device to bypass the proxy server to display the - login page for captive networks. -notes: -- title: '' - content: There can only be one payload of this type on the device at any time. diff --git a/mdm/profiles/com.apple.relay.managed.yaml b/mdm/profiles/com.apple.relay.managed.yaml deleted file mode 100644 index fcd882d..0000000 --- a/mdm/profiles/com.apple.relay.managed.yaml +++ /dev/null 
@@ -1,207 +0,0 @@ -title: Relay -description: The payload that configures relay settings. -payload: - payloadtype: com.apple.relay.managed - supportedOS: - iOS: - introduced: '17.0' - multiple: true - supervised: false - allowmanualinstall: true - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: allowed - macOS: - introduced: '14.0' - multiple: true - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: '17.0' - multiple: true - supervised: false - allowmanualinstall: true - visionOS: - introduced: '1.0' - multiple: true - supervised: false - allowmanualinstall: true - userenrollment: - mode: allowed - watchOS: - introduced: n/a -payloadkeys: -- key: Relays - title: Relays - type: - presence: required - content: An array of dictionaries that describe one or more relay servers that the - system can chain together. - subkeys: - - key: Relay - title: Network Relay - type: - subkeys: - - key: HTTP3RelayURL - title: HTTP/3 Relay URL - type: - presence: optional - content: |- - The URL or URI template, as defined in RFC 9298, of a relay server that's reachable using HTTP/3 and supports proxying TCP and UDP using the CONNECT method. - - Each relay needs to include either `HTTP2RelayURL` or `HTTP3RelayURL`, or it can include both. - - key: HTTP2RelayURL - title: HTTP/2 Relay URL - type: - presence: optional - content: |- - The URL or URI template, as defined in RFC 9298, of a relay server that's reachable using HTTP/2 and supports proxying TCP and UDP using the CONNECT method. - - Each relay needs to include either `HTTP2RelayURL` or `HTTP3RelayURL`, or it can include both. - - key: AdditionalHTTPHeaderFields - title: Additional HTTP Header Fields - type: - presence: optional - content: A dictionary that contains custom HTTP header keys and values to add - to each request. 
The dictionary key name represents the HTTP header field - name to use, and the dictionary value is the string to use as the HTTP header - field value. - subkeys: - - key: ANY - type: - presence: required - content: The HTTP header field value for the corresponding header field name. - - key: PayloadCertificateUUID - title: Certificate UUID - type: - presence: optional - format: ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$ - content: The UUID that points to an identity certificate payload, which the - system uses to authenticate the user to the relay server. - - key: RawPublicKeys - title: Raw Public Keys - type: - presence: optional - content: |- - An array of DER-encoded raw public keys that the system uses to authenticate the server during a TLS handshake. The server needs to use one of the keys in the handshake to authenticate. - - If this array is empty, the system uses the default TLS trust evaluation. - subkeys: - - key: RawPublicKeysElement - title: Raw Public Key Element - type: -- key: MatchDomains - title: Match Domains - type: - presence: optional - content: |- - A list of domain strings that the system uses to determine which connection to route through the servers in `Relays`. - - Any connection that matches a domain in the list exactly or is a subdomain of the listed domain uses the relay servers, unless it matches a domain in `ExcludedDomains`. - - If this list and `MatchFQDNs` are empty, the system routes traffic to all domains to the relay servers, except those that match an excluded domain or excluded FQDN. - subkeys: - - key: MatchDomainsElement - title: Match Domains Element - type: -- key: ExcludedDomains - title: Excluded Domains - type: - presence: optional - content: A list of domain strings to exclude from routing through the servers in - `Relays`. Any connection that matches a domain in the list exactly or is a subdomain - of the listed domain won't use the relay server. 
- subkeys: - - key: ExcludedDomainsElement - title: Excluded Domains Element - type: -- key: MatchFQDNs - title: Match FQDNs - supportedOS: - iOS: - introduced: '18.4' - macOS: - introduced: '15.4' - tvOS: - introduced: '18.4' - visionOS: - introduced: '2.4' - type: - presence: optional - content: A list of Fully Qualified Domain Names (FQDNs) to be routed through the - servers contained in `Relays`. Any connection that matches an FQDN in the list - exactly uses the relay servers. If this list and `MatchDomains` are empty, the - system routes traffic to all domains to the relay servers, except those that match - an excluded domain or excluded FQDN. - subkeys: - - key: MatchFQDNsElement - title: Match FQDNs Element - type: -- key: ExcludedFQDNs - title: Excluded FQDNs - supportedOS: - iOS: - introduced: '18.4' - macOS: - introduced: '15.4' - tvOS: - introduced: '18.4' - visionOS: - introduced: '2.4' - type: - presence: optional - content: A list of Fully Qualified Domain Names (FQDNs) to exclude from routing - through the servers contained in `Relays`. Any connection that matches an FQDN - in the list exactly won't use the relay server. When `MatchDomains` is also present, - any FQDN listed in the list should be a subdomain of at least one `MatchDomain` - value, otherwise it will not have any effect. - subkeys: - - key: ExcludedFQDNsElement - title: Excluded FQDNs Element - type: -- key: RelayUUID - type: - presence: optional - content: A globally unique identifier for this relay configuration. The system uses - this UUID to route managed apps through the servers in `Relays`. This key is required - for user enrollment. -- key: UIToggleEnabled - title: UI Toggle Enabled - supportedOS: - iOS: - introduced: '26.0' - macOS: - introduced: '26.0' - tvOS: - introduced: '26.0' - visionOS: - introduced: '26.0' - type: - presence: optional - default: true - content: If `true`, the device allows the user to disable this network relay configuration. 
-- key: AllowDNSFailover - title: Allow DNS Failover - supportedOS: - iOS: - introduced: '26.0' - macOS: - introduced: '26.0' - tvOS: - introduced: '26.0' - visionOS: - introduced: '26.0' - type: - presence: optional - default: false - content: If `true`, the device allows the relay to failover to the default system - DNS resolver. diff --git a/mdm/profiles/com.apple.screensaver.user.yaml b/mdm/profiles/com.apple.screensaver.user.yaml deleted file mode 100644 index 506bcd6..0000000 --- a/mdm/profiles/com.apple.screensaver.user.yaml +++ /dev/null @@ -1,40 +0,0 @@ -title: Screensaver User -description: The payload that configures a user's screen saver settings. -payload: - payloadtype: com.apple.screensaver.user - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.11' - multiple: false - devicechannel: false - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: Specifies *user* screen saver settings. (Settings for Login Window screen - saver use a different payload) -payloadkeys: -- key: moduleName - type: - presence: required - content: The name of the screen saver module. -- key: modulePath - type: - presence: optional - content: A full path to the screen saver module to use. -- key: idleTime - type: - presence: optional - content: The number of seconds of inactivity before the screen saver activates (`0` - = Never activate). diff --git a/mdm/profiles/com.apple.screensaver.yaml b/mdm/profiles/com.apple.screensaver.yaml deleted file mode 100644 index 8ec71d1..0000000 --- a/mdm/profiles/com.apple.screensaver.yaml +++ /dev/null 
@@ -1,58 +0,0 @@ -title: Screensaver -description: The payload that configures the screen saver. -payload: - payloadtype: com.apple.screensaver - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.11' - multiple: false - devicechannel: true - userchannel: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: Specifies grace period for screensaver locking -payloadkeys: -- key: askForPassword - supportedOS: - macOS: - introduced: '10.13' - type: - presence: optional - default: false - content: If `true`, the user is prompted for a password when the screen saver is - unlocked or stopped. When you use this prompt, you must also provide `askForPasswordDelay`. - Available in macOS 10.13 and later. -- key: askForPasswordDelay - supportedOS: - macOS: - introduced: '10.13' - type: - presence: optional - content: The number of seconds to delay before the password will be required to - unlock or stop the screen saver (the grace period). A value of `2147483647` (for - example, `0x7FFFFFFF`) disables this requirement. To use this option, you must - set `askForPassword` to `true`. Available in macOS 10.13 and later. -- key: idleTime - type: - presence: optional - content: The number of seconds of inactivity before the screen saver activates (0 - = Never activate). -- key: loginWindowModulePath - type: - presence: optional - content: The full path to the screen-saver module to use. -- key: moduleName - type: - presence: required - content: The name of the screen saver module. diff --git a/mdm/profiles/com.apple.secondactiveethernet.managed.yaml b/mdm/profiles/com.apple.secondactiveethernet.managed.yaml deleted file mode 100644 index b3a304a..0000000 --- a/mdm/profiles/com.apple.secondactiveethernet.managed.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -title: '802.1X: Second Active Ethernet' -description: The payload that configures the second wired, active Ethernet interface. -payload: - payloadtype: com.apple.secondactiveethernet.managed - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.7' - multiple: false - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: allowed - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a -payloadkeys: -- key: ANY - type: - presence: optional - content: Keys relevant to 802.1x configuration. User enrollment payloads do not - support the various proxy keys including ProxyType, ProxyServer, ProxyServerPort, - ProxyUsername, ProxyPassword,, ProxyPACURL and ProxyPACFallbackAllowed. -notes: -- title: '' - content: |- - This payload's contents contain these profile-specific keys: - - - Interface (String): This payload uses the value `SecondActiveEthernet`. - - EAPClientConfiguration (`EAPClientConfiguration`): The dictionary that defines the enterprise profile for the network. - - SetupModes (String): The type of connection mode, which is either "System" or "Loginwindow." "System" is the default. - - Payloads with `active` in their name apply to Ethernet interfaces that are working at the time of profile installation. If there's no active Ethernet interface working, this payload configures the interface with the highest service-order priority. diff --git a/mdm/profiles/com.apple.secondethernet.managed.yaml b/mdm/profiles/com.apple.secondethernet.managed.yaml deleted file mode 100644 index dee1ddf..0000000 --- a/mdm/profiles/com.apple.secondethernet.managed.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -title: '802.1X: Second Ethernet' -description: The payload that configures the second wired Ethernet interface. -payload: - payloadtype: com.apple.secondethernet.managed - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.7' - multiple: false - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: allowed - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a -payloadkeys: -- key: ANY - type: - presence: optional - content: Keys relevant to 802.1x configuration. User enrollment payloads do not - support the various proxy keys including ProxyType, ProxyServer, ProxyServerPort, - ProxyUsername, ProxyPassword,, ProxyPACURL and ProxyPACFallbackAllowed. -notes: -- title: '' - content: |- - This payload's contents contain these profile-specific keys: - - - Interface (String): This payload uses the value `SecondEthernet`. - - EAPClientConfiguration (`EAPClientConfiguration`): The dictionary that defines the enterprise profile for the network. - - SetupModes (String): The type of connection mode, which is either "System" or "Loginwindow." "System" is the default. - - This payload applies to Ethernet interfaces according to service order, regardless of whether the interface is working. diff --git a/mdm/profiles/com.apple.security.FDERecoveryKeyEscrow.yaml b/mdm/profiles/com.apple.security.FDERecoveryKeyEscrow.yaml deleted file mode 100644 index 96704de..0000000 --- a/mdm/profiles/com.apple.security.FDERecoveryKeyEscrow.yaml +++ /dev/null 
@@ -1,70 +0,0 @@ -title: FDE Recovery Key Escrow -description: The payload that configures FileVault recovery key escrow. -payload: - payloadtype: com.apple.security.FDERecoveryKeyEscrow - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.13' - multiple: false - devicechannel: true - userchannel: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: |- - If FileVault is enabled after this payload is installed on the system, the FileVault PRK will be encrypted with the specified certificate, wrapped with a CMS envelope and stored at: - /var/db/FileVaultPRK.dat - The encrypted data will be made available to the MDM server as part of the SecurityInfo command. Alternatively, if a site uses their own administration software, they can extract the PRK from the above location at any time. As the PRK will be encrypted using the certificate provided in the profile, only the author of the profile can extract the data. - Notes: - * The payload must exist in a "system" scoped profile. - * It will be an error to install more than one payload of this type per machine. - * The old payload ("com.apple.security.FDERecoveryRedirect") will no longer be supported. It will still be allowed to be installed, but will be ignored. (This is so servers can send out the same profile to old and new clients). - * If only an old-style redirection payload is installed at the time FileVault is turned on (via Security Pref pane), an error will be displayed and FileVault will not be allowed to be enabled. - * No warning/error will be provided if FileVault is already enabled and an old-style payload is installed. In this case, it's assumed the recovery key has already been escrowed with the server. 
-payloadkeys: -- key: Location - type: - presence: required - content: The description of the location where the system escrows the recovery key. - The system inserts this text into the message the user sees when it enables FileVault. -- key: EncryptCertPayloadUUID - type: - presence: required - content: The UUID of a payload within the same profile that contains the certificate - that the system uses to encrypt the recovery key. The referenced payload must - be of type `com.apple.security.pkcs1`. -- key: DeviceKey - type: - presence: optional - content: |- - The string that's included in help text if the user appears to have forgotten the password. Site admins can use this key to look up the escrowed key for the particular computer. - - This key replaces the `RecordNumber` key used in the previous escrow mechanism. If the key is missing, the system uses the device serial number instead. -notes: -- title: '' - content: |- - FileVault Full Disk Encryption (FDE) recovery keys are, by default, sent to Apple if the user requests them. Only one payload of this type is allowed per system. - - If FileVault is enabled after the system installs this payload, the system encrypts the FileVault PRK with the specified certificate, wrapped with a CMS envelope and stored at `/var/db/FileVaultPRK.dat`. The `SecurityInfo` command makes this encrypted data available to the MDM server. - - Alternatively, if a site uses its own administration software, it can extract the PRK from the foregoing location at any time. Because the PRK is encrypted using the certificate provided in the profile, only the author of the profile can extract the data. - - Note these cautions: - - - The payload needs to exist in a system-scoped profile. - - Installing more than one payload of this type per computer results in an error. - - The previous payload (`com.apple.security.FDERecoveryRedirect`) is no longer supported. 
You can still install the previous payload but the system ignores it, so servers can send out the same profile to old and new clients. - - If only an old-style redirection payload is installed at the time FileVault is turned on through the Security Preferences pane, the system displays an error and doesn't enable FileVault. - - The system doesn't provide a warning or error if FileVault is already enabled and an old-style payload is installed. In this case, it's assumed that the recovery key has already been escrowed with the server. - - Although the system no longer supports the previous FDE Recovery payload in macOS 10.13 and later, it's still supported in macOS 10.9 through 10.12. Designate that payload by specifying `com.apple.security.FDERecoveryRedirect` as the payload type. diff --git a/mdm/profiles/com.apple.security.FDERecoveryRedirect.yaml b/mdm/profiles/com.apple.security.FDERecoveryRedirect.yaml deleted file mode 100644 index 70bff75..0000000 --- a/mdm/profiles/com.apple.security.FDERecoveryRedirect.yaml +++ /dev/null 
@@ -1,52 +0,0 @@ -title: FDE Recovery Key Redirection -description: The payload that configures FileVault recovery key redirection. -payload: - payloadtype: com.apple.security.FDERecoveryRedirect - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.9' - deprecated: '10.13' - multiple: false - devicechannel: true - userchannel: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: |- - *** This payload will be ignored on macOS 10.13 and later. See "com.apple.security.FDERecoveryKeyEscrow" payload. *** - Old notes: - Once installed, this payload will cause any FDE (Full Disk Encryption) recovery keys to be redirected to the specified URL instead of being sent to Apple. This will require sites to implement their own HTTPS server that will receive the recovery keys via a POST request. Details of the data sent to the server will be provided in a different document. - Notes: - * The payload must exist in a "system" scoped profile. - * It will be an error to install more than one payload of this type per machine. -payloadkeys: -- key: RedirectURL - type: - presence: required - content: The URL to which FDE recovery keys should be sent instead of to Apple. - The URL must begin with https://. -- key: EncryptCertPayloadUUID - type: - presence: required - content: The UUID of a payload within the same profile that contains a certificate - used to encrypt the recovery key when it's sent to the redirected URL. The referenced - payload must be of type \`com.apple.security.pkcs1\`. -notes: -- title: '' - content: |- - Although the previous FDE Recovery payload is no longer supported in macOS 10.13 and later, it's still supported in macOS 10.9 through 10.12. When installed, this payload causes any FDE recovery keys to be redirected to the specified URL instead of being sent to Apple. 
This requires sites to implement their own HTTPS server to receive the recovery keys through a POST request. - - Note these cautions: - - - The payload must exist in a system-scoped profile. - - Installing more than one payload of this type per machine results in an error. diff --git a/mdm/profiles/com.apple.security.acme.yaml b/mdm/profiles/com.apple.security.acme.yaml deleted file mode 100644 index 672beb8..0000000 --- a/mdm/profiles/com.apple.security.acme.yaml +++ /dev/null 
@@ -1,234 +0,0 @@
-title: ACME Certificate
-description: The payload that configures Automated Certificate Management Environment
- (ACME) settings.
-payload:
- payloadtype: com.apple.security.acme
- supportedOS:
- iOS:
- introduced: '16.0'
- multiple: true
- supervised: false
- allowmanualinstall: true
- sharedipad:
- mode: allowed
- devicechannel: true
- userchannel: false
- userenrollment:
- mode: allowed
- macOS:
- introduced: '13.1'
- multiple: true
- devicechannel: true
- userchannel: true
- supervised: false
- requiresdep: false
- userapprovedmdm: false
- allowmanualinstall: true
- userenrollment:
- mode: allowed
- tvOS:
- introduced: '16.0'
- multiple: true
- supervised: false
- allowmanualinstall: true
- visionOS:
- introduced: '1.0'
- multiple: true
- supervised: false
- allowmanualinstall: true
- userenrollment:
- mode: allowed
- watchOS:
- introduced: '9.0'
- multiple: true
- supervised: false
- allowmanualinstall: true
-payloadkeys:
-- key: DirectoryURL
- title: ACME directory URL
- type:
- presence: required
- content: The directory URL of the ACME server. The URL must use the https scheme.
-- key: ClientIdentifier
- title: Client identifier
- type:
- presence: required
- content: A unique string identifying a specific device. The server may use this
- as an anti-replay code to prevent issuing multiple certificates. This identifier
- also indicates to the ACME server that the device has access to a valid client
- identifier issued by the enterprise infrastructure. This can help the ACME server
- determine whether to trust the device. Though this is a relatively weak indication
- because of the risk that an attacker can intercept the client identifier.
-- key: KeySize
- title: Key Size
- type:
- presence: required
- content: The valid values for `KeySize` depend on the values of `KeyType` and `HardwareBound`.
- See those keys for specific requirements.
-- key: KeyType
- title: Key Type
- type:
- presence: required
- rangelist:
- - RSA
- - ECSECPrimeRandom
- content: |-
- The type of key pair to generate. Allowed values:
-
- - `RSA`: Specifies an RSA key pair. RSA key pairs need to have a `KeySize` that's a multiple of 8 in the range of 1024 through 4096 (inclusive), and `HardwareBound` needs to be `false`.
- - `ECSECPrimeRandom`: Specifies a key pair on the P-192, P-256, P-384, or P-521 curves as defined in FIPS Pub 186-4. `KeySize` defines the particular curve, which needs to be `192`, `256`, `384`, or `521`. Hardware bound keys only support values of `256` and `384`.
-
- > Note:
- > The key size is `521`, not `512`, even though the other key sizes are multiples of 64.
-- key: HardwareBound
- title: Hardware Bound
- type:
- presence: required
- content: |-
- If `false`, the private key isn't bound to the device.
-
- If `true`, the private key is bound to the device. The Secure Enclave generates the key pair, and the private key is cryptographically entangled with a system key. This prevents the system from exporting the private key.
-
- If `true`, `KeyType` must be `ECSECPrimeRandom` and `KeySize` must be 256 or 384.
-
- Setting this key to `true` is supported as of macOS 14 on Apple Silicon and Intel devices that have a T2 chip. Older macOS versions or other Mac devices require this key but it must have a value of `false`.
-- key: Subject
- title: Subject
- type:
- presence: required
- content: |-
- The device requests this subject for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues.
-
- The representation of a X.500 name represented as an array of OID and value.
For example, `/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar` corresponds to:
-
- `[ [ ["C", "US"] ], [ ["O", "Apple Inc."] ], ..., [ [ "1.2.5.3", "bar" ] ] ]`
-
- Dotted numbers can represent OIDs , with shortcuts for country (C), locality (L), state (ST), organization (O), organizational unit (OU), and common name (CN).
- subkeys:
- - key: ACMESubjectArrayInnerArray
- title: Array Inside ACME Subject Array
- type:
- subkeys:
- - key: ACMESubjectArrayPair
- title: Subject Array Pair
- type:
- subkeys:
- - key: ACMESubjectArrayPairItem
- title: ACME Subject Array Pair Item
- type:
- repetition:
- min: 2
- max: 2
-- key: SubjectAltName
- title: Subject Alt Name
- type:
- presence: optional
- content: The Subject Alt Name that the device requests for the certificate that
- the ACME server issues. The ACME server may override or ignore this field in the
- certificate it issues.
- subkeys:
- - key: rfc822Name
- title: RFC 822 Name
- type:
- presence: optional
- content: The RFC 822 (email address) string.
- - key: dNSName
- title: DNS Name
- type:
- presence: optional
- content: The DNS name.
- - key: uniformResourceIdentifier
- title: URI
- type:
- presence: optional
- content: The Uniform Resource Identifier.
- - key: ntPrincipalName
- title: NT Principal Name
- type:
- presence: optional
- content: The NT principal name. Use an other name OID set to `1.3.6.1.4.1.311.20.2.3`.
-- key: UsageFlags
- title: Key Usage
- type:
- presence: optional
- content: |-
- This value is a bit field.
-
- - Bit `0x01` indicates digital signature.
- - Bit `0x04` indicates encryption.
-
- The device requests this key for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues.
-- key: ExtendedKeyUsage
- title: Extended Key Usage
- type:
- presence: optional
- content: |-
- The value is an array of strings. Each string is an OID in dotted notation.
For instance, `["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"]` indicates client authentication and email protection.
-
- The device requests this field for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues.
- subkeys:
- - key: OID
- type:
- presence: optional
-- key: Attest
- title: Attest
- supportedOS:
- watchOS:
- introduced: '10.0'
- type:
- presence: optional
- default: false
- content: |-
- If `true`, the device provides attestations that describe the device and the generated key to the ACME server. The server can use the attestations as strong evidence that the key is bound to the device, and that the device has properties listed in the attestation. The server can use that as part of a trust score to decide whether to issue the requested certificate.
-
- When `Attest` is `true`, `HardwareBound` also needs to be `true`.
-
- Setting this key to `true` is supported as of macOS 14. Older macOS versions require this key but it must have a value of `false`. See below for hardware requirements.
-- key: KeyIsExtractable
- supportedOS:
- iOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `true`, the private key of the identity obtained through Automated Certificate
- Management Environment (ACME) needs to be tagged as "non-extractable" in the keychain.
-- key: AllowAllAppsAccess
- title: Allow All Apps Access
- supportedOS:
- iOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: false
- content: If `true`, all apps have access to the private key.
-notes:
-- title: ''
- content: |-
- Use this payload to specify how the device requests a client certificate from an Automated Certificate Management Environment (ACME) server.
Other payloads can reference the resulting client identity by the payload's `PayloadUUID`.
-
- First the device generates an asymmetric key pair based upon the `KeyType`, `KeySize`, and `HardwareBound` fields. Then the device communicates with the ACME server. It requests a new order using the `ClientIdentifier` as the `permanent-identifier`. The ACME server responds with a challenge type of `device-attest-01`. If `Attest` is `true` the device requests an attestation of the key and device properties. Then it replies to the challenge with a WebAuthn attestation statement, and this contains the attestation if the device obtained one. The device submits a certificate signing request matching the key and containing the `ClientIdentifier`, `Subject`, `SubjectAltName`, `UsageFlags`, and `ExtendedKeyUsage` fields. The ACME server issues a certificate, and the device stores the resulting identity.
-
- For details on the content of the attestation provided to the ACME server, see the documentation of the `DevicePropertiesAttestation` key in the `QueryResponses`response. In the attestation certificate the value of the freshness code OID is the SHA-256 hash of the `token` from the `device-attest-01` challenge.
-- title: ACME attestation hardware support
- content: |-
- The following table indicates which System on Chips (SoCs) support ACME attestation.
- If the Attest key is false or ignored, the ACME server does not receive an attestation.
-
- | Attest key support | iPhone, iPad | Mac | Apple TV | Apple Watch | Vision Pro |
- |--------------------|--------------------------------------|----------------|-------------------------|----------------|------------|
- | Must be false | none | T1 and earlier | none | none | none |
- | Ignored | A10x Fusion and earlier | T2 | A10x Fusion and earlier | S3 and earlier | none |
- | Supported | A11 Bionic and later
All M series | Apple Silicon | A12 Bionic and later | S4 and later | All |
diff --git a/mdm/profiles/com.apple.security.certificatepreference.yaml b/mdm/profiles/com.apple.security.certificatepreference.yaml
deleted file mode 100644
index 671c5cc..0000000
--- a/mdm/profiles/com.apple.security.certificatepreference.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-title: Certificate Preference
-description: The payload that configures a certificate preference.
-payload:
- payloadtype: com.apple.security.certificatepreference
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- introduced: '10.12'
- multiple: true
- devicechannel: false
- userchannel: true
- supervised: false
- requiresdep: false
- userapprovedmdm: false
- allowmanualinstall: true
- userenrollment:
- mode: allowed
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- content: Defines a Certificate Preference item in the user's keychain that references
- a certificate payload included in the same profile. Can only appear in a user
- profile (not a device profile). See also "com.apple.security.identitypreference"
- for setting up identity preferences.
-payloadkeys:
-- key: Name
- type:
- presence: required
- content: An email address (in RFC 822 format) or other name for which a preferred
- certificate is requested.
-- key: PayloadCertificateUUID
- type:
- presence: required
- content: The UUID of the certificate payload within the same profile to use for
- the identity credential.
-notes:
-- title: ''
- content: |-
- A `CertificatePreference` payload lets you identify a certificate preference item in the user's keychain that references a certificate payload included in the same profile. It can only appear in a user profile, not a device profile. You can include multiple `CertificatePreference` payloads as needed.
-
- See also `IdentityPreference` for information about setting up identity preferences.
diff --git a/mdm/profiles/com.apple.security.certificaterevocation.yaml b/mdm/profiles/com.apple.security.certificaterevocation.yaml
deleted file mode 100644
index 69a86a6..0000000
--- a/mdm/profiles/com.apple.security.certificaterevocation.yaml
+++ /dev/null
@@ -1,59 +0,0 @@
-title: Certificate Revocation
-description: The payload that configures certificate revocation checking.
-payload:
- payloadtype: com.apple.security.certificaterevocation
- supportedOS:
- iOS:
- introduced: '14.2'
- multiple: true
- supervised: false
- allowmanualinstall: true
- sharedipad:
- mode: allowed
- devicechannel: true
- userchannel: false
- userenrollment:
- mode: allowed
- macOS:
- introduced: n/a
- tvOS:
- introduced: n/a
- visionOS:
- introduced: '1.1'
- multiple: true
- supervised: false
- allowmanualinstall: true
- userenrollment:
- mode: allowed
- watchOS:
- introduced: n/a
- content: Policies that affect system-wide certificate revocation checking.
-payloadkeys:
-- key: EnabledForCerts
- title: Enabled Certs
- type:
- presence: optional
- content: |-
- An array of certificates that the system checks for revocation.
-
- Specifying a certificate authority (CA) enables revocation checking for all certificates chaining up to that CA.
-
- It's not necessary to specify trusted root certificates because they're implicitly specified. See [https://support.apple.com/en-us/HT209143](https://support.apple.com/en-us/HT209143) for the available trusted root certificates for Apple operating systems.
- subkeys:
- - key: SubjectPublicKeyInfoHashDict
- type:
- content: A dictionary of hashed public keys.
- subkeys:
- - key: Algorithm
- type:
- presence: required
- rangelist:
- - sha256
- content: The algorithm must be `sha256`.
- - key: Hash
- type:
- presence: required
- content: |-
- The hash of the DER-encoding of the certificate's `subjectPublicKeyInfo`.
-
- The hash field requires the data (`subjectPublicKeyInfo` hash) in a specific format: a Base64 encoded (binary) SHA-256 hash of the certificate's public key.
diff --git a/mdm/profiles/com.apple.security.certificatetransparency.yaml b/mdm/profiles/com.apple.security.certificatetransparency.yaml
deleted file mode 100644
index 17b5d61..0000000
--- a/mdm/profiles/com.apple.security.certificatetransparency.yaml
+++ /dev/null
@@ -1,84 +0,0 @@
-title: Certificate Transparency
-description: The payload that configures certificate transparency enforcement.
-payload:
- payloadtype: com.apple.security.certificatetransparency
- supportedOS:
- iOS:
- introduced: 12.1.1
- multiple: true
- supervised: false
- allowmanualinstall: true
- sharedipad:
- mode: allowed
- devicechannel: true
- userchannel: false
- userenrollment:
- mode: allowed
- macOS:
- introduced: 10.14.2
- multiple: true
- devicechannel: true
- userchannel: false
- requiresdep: false
- userapprovedmdm: false
- allowmanualinstall: true
- userenrollment:
- mode: allowed
- tvOS:
- introduced: 12.1.1
- multiple: true
- supervised: false
- allowmanualinstall: true
- visionOS:
- introduced: '1.0'
- multiple: true
- supervised: false
- allowmanualinstall: true
- userenrollment:
- mode: allowed
- watchOS:
- introduced: 5.1.1
- multiple: true
- supervised: false
- allowmanualinstall: true
- content: Policies that affect system-wide certificate transparency enforcement.
-payloadkeys:
-- key: DisabledForCerts
- title: Disabled Certs
- type:
- presence: optional
- content: |-
- An array of certificates for which certificate transparency is disabled. One of the following conditions needs to be met to disable certificate transparency enforcement when this policy is set:
-
- - The hash is of the server certificate's `subjectPublicKeyInfo`.
- - The hash is of a `subjectPublicKeyInfo` that appears in a CA certificate in the certificate chain; the CA certificate is constrained through the X.509v3 `nameConstraints` extension. One or more `directoryName` `nameConstraints` are present in the `permittedSubtrees`, and the `directoryName` contains an `organizationName` attribute.
- - The hash is of a `subjectPublicKeyInfo` that appears in a CA certificate in the certificate chain.
The CA certificate has one or more `organizationName` attributes in the certificate `Subject`, and the server's certificate contains the same number of `organizationName` attributes, in the same order, and with byte-for-byte identical values.
- subkeys:
- - key: SubjectPublicKeyInfoHashDict
- type:
- content: A dictionary of hashed public keys.
- subkeys:
- - key: Algorithm
- type:
- presence: required
- rangelist:
- - sha256
- content: The algorithm must be `sha256`.
- - key: Hash
- type:
- presence: required
- content: |-
- The hash of the DER-encoding of the certificate's `subjectPublicKeyInfo`.
-
- The hash field requires the data (`subjectPublicKeyInfo` hash) in a specific format: a Base64 encoded (binary) SHA-256 hash of the certificate's public key.
-- key: DisabledForDomains
- title: Disabled domains
- type:
- presence: optional
- content: An array of strings that represent the domains to exclude from certificate
- transparency enforcement. The system supports using a leading period (`.`) to
- signify subdomains. However, the system doesn't support wildcards. If you include
- a leading period, the domain can't be a top-level domain, such as `.com` and `.co.uk`.
- subkeys:
- - key: domain
- type:
diff --git a/mdm/profiles/com.apple.security.firewall.yaml b/mdm/profiles/com.apple.security.firewall.yaml
deleted file mode 100644
index fe1d045..0000000
--- a/mdm/profiles/com.apple.security.firewall.yaml
+++ /dev/null
@@ -1,113 +0,0 @@
-title: Firewall
-description: The payload that configures the firewall.
-payload:
- payloadtype: com.apple.security.firewall
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- introduced: '10.12'
- multiple: true
- devicechannel: true
- userchannel: false
- requiresdep: false
- userapprovedmdm: false
- allowmanualinstall: true
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- content: |-
- Manages the Application Firewall settings (e.g. Security pref pane -> Firewall).
- Notes:
- * The payload must exist in a "system" scoped profile.
- * If more than one profile contains this payload, the most restrictive union of settings will be used.
-payloadkeys:
-- key: EnableFirewall
- type:
- presence: required
- content: If `true`, the system enables the firewall.
-- key: BlockAllIncoming
- type:
- presence: optional
- content: If `true`, the system enables blocking all incoming connections.
-- key: EnableStealthMode
- type:
- presence: optional
- content: If `true`, the system enables stealth mode.
-- key: Applications
- type:
- presence: optional
- content: The list of apps with connections that the firewall controls.
- subkeys:
- - key: ApplicationsItem
- title: Applications
- type:
- subkeys:
- - key: BundleID
- title: Application Identifier
- type:
- presence: required
- content: The bundle identifier for the app.
- - key: Allowed
- title: Allow connections
- type:
- presence: required
- content: If `true`, the system allows connections for the app.
-- key: EnableLogging
- supportedOS:
- macOS:
- introduced: '12.0'
- deprecated: '15.0'
- removed: '15.0'
- type:
- presence: optional
- content: If `true`, the system enables logging. Available in macOS 12 through macOS
- 14.6.
-- key: LoggingOption
- supportedOS:
- macOS:
- introduced: '12.0'
- deprecated: '15.0'
- removed: '15.0'
- type:
- presence: optional
- rangelist:
- - throttled
- - brief
- - detail
- content: The type of logging. Available in macOS 12 and through macOS 14.6.
-- key: AllowSigned
- supportedOS:
- macOS:
- introduced: '12.3'
- type:
- presence: optional
- default: true
- content: |-
- If `true`, the system allows built-in software to receive incoming connections. Available in macOS 12.3 and later.
-
- > Note:
- > The system ensures that `AllowSigned` always has a value. If missing from the payload, the system sets it to `true`.
-- key: AllowSignedApp
- supportedOS:
- macOS:
- introduced: '12.3'
- type:
- presence: optional
- default: true
- content: |-
- If `true`, the system allows downloaded signed software to receive incoming connections. Available in macOS 12.3 and later.
-
- > Note:
- > The system ensures that `AllowSignedApp` always has a value. If missing from the payload, the system sets it to `true`.
-notes:
-- title: ''
- content: |-
- The payload needs to exist in a system-scoped profile.
-
- If more than one profile contains this payload, the system uses the most restrictive union of settings.
diff --git a/mdm/profiles/com.apple.security.identitypreference.yaml b/mdm/profiles/com.apple.security.identitypreference.yaml
deleted file mode 100644
index c173a19..0000000
--- a/mdm/profiles/com.apple.security.identitypreference.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
-title: Identity Preference
-description: The payload that configures the user's identity on the device.
-payload:
- payloadtype: com.apple.security.identitypreference
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- introduced: '10.12'
- multiple: true
- devicechannel: false
- userchannel: true
- supervised: false
- requiresdep: false
- userapprovedmdm: false
- allowmanualinstall: true
- userenrollment:
- mode: allowed
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- content: Defines an Identity Preference item in the user's keychain that references
- a identity payload included in the same profile. Can only appear in a user profile
- (not a device profile). See also "com.apple.security.certificatepreference" for
- setting up certificate preferences.
-payloadkeys:
-- key: Name
- type:
- presence: required
- content: The email address (in RFC 822 format), DNS host name, or other name that
- uniquely identifies a service requiring this identity.
-- key: PayloadCertificateUUID
- type:
- presence: required
- content: The UUID of the certificate payload within the same profile to use for
- the identity credential.
-notes:
-- title: ''
- content: |-
- This payload specifies an `IdentityPreference` item in the user's keychain that references an identity payload included in the same profile. It can only appear in a user profile, not in a device profile.
-
- You can include multiple `IdentityPreference` payloads as needed.
-
- See also `CertificatePreference` for setting up certificate preferences.
diff --git a/mdm/profiles/com.apple.security.pem.yaml b/mdm/profiles/com.apple.security.pem.yaml
deleted file mode 100644
index 6524b35..0000000
--- a/mdm/profiles/com.apple.security.pem.yaml
+++ /dev/null
@@ -1,55 +0,0 @@
-title: Certificate (PEM)
-description: The payload that configures a PEM-formatted certificate.
-payload:
- payloadtype: com.apple.security.pem
- supportedOS:
- iOS:
- introduced: '4.0'
- multiple: true
- supervised: false
- allowmanualinstall: true
- sharedipad:
- mode: allowed
- devicechannel: true
- userchannel: false
- userenrollment:
- mode: allowed
- macOS:
- introduced: '10.7'
- multiple: true
- devicechannel: true
- userchannel: true
- supervised: false
- requiresdep: false
- userapprovedmdm: false
- allowmanualinstall: true
- userenrollment:
- mode: allowed
- tvOS:
- introduced: '9.0'
- multiple: true
- supervised: false
- allowmanualinstall: true
- visionOS:
- introduced: '1.0'
- multiple: true
- supervised: false
- allowmanualinstall: true
- userenrollment:
- mode: allowed
- watchOS:
- introduced: '3.0'
- multiple: true
- allowmanualinstall: true
- content: PEM-encoded certificate without private key. May contain root certificates.
-payloadkeys:
-- key: PayloadCertificateFileName
- title: Payload Certificate Filename
- type:
- presence: optional
- content: The file name of the enclosed certificate.
-- key: PayloadContent
- title: Payload Certificate Data
- type:
- presence: required
- content: The binary representation of the payload, encoded in Base64.
diff --git a/mdm/profiles/com.apple.security.pkcs1.yaml b/mdm/profiles/com.apple.security.pkcs1.yaml
deleted file mode 100644
index 744aa66..0000000
--- a/mdm/profiles/com.apple.security.pkcs1.yaml
+++ /dev/null
@@ -1,55 +0,0 @@
-title: 'Certificate (PKCS #1)'
-description: 'The payload that configures a PKCS #1-formatted certificate.'
-payload:
- payloadtype: com.apple.security.pkcs1
- supportedOS:
- iOS:
- introduced: '4.0'
- multiple: true
- supervised: false
- allowmanualinstall: true
- sharedipad:
- mode: allowed
- devicechannel: true
- userchannel: false
- userenrollment:
- mode: allowed
- macOS:
- introduced: '10.7'
- multiple: true
- devicechannel: true
- userchannel: true
- supervised: false
- requiresdep: false
- userapprovedmdm: false
- allowmanualinstall: true
- userenrollment:
- mode: allowed
- tvOS:
- introduced: '9.0'
- multiple: true
- supervised: false
- allowmanualinstall: true
- visionOS:
- introduced: '1.0'
- multiple: true
- supervised: false
- allowmanualinstall: true
- userenrollment:
- mode: allowed
- watchOS:
- introduced: '3.0'
- multiple: true
- allowmanualinstall: true
- content: DER-encoded certificate without private key. May contain root certificates.
-payloadkeys:
-- key: PayloadCertificateFileName
- title: Payload Certificate Filename
- type:
- presence: optional
- content: The file name of the enclosed certificate.
-- key: PayloadContent
- title: Payload Certificate Data
- type:
- presence: required
- content: The binary representation of the payload, encoded in Base64.
diff --git a/mdm/profiles/com.apple.security.pkcs12.yaml b/mdm/profiles/com.apple.security.pkcs12.yaml
deleted file mode 100644
index 320b7b4..0000000
--- a/mdm/profiles/com.apple.security.pkcs12.yaml
+++ /dev/null
@@ -1,106 +0,0 @@
-title: 'Certificate (PKCS #12)'
-description: 'The payload that configures a PKCS #12-formatted certificate.'
-payload:
- payloadtype: com.apple.security.pkcs12
- supportedOS:
- iOS:
- introduced: '4.0'
- multiple: true
- supervised: false
- allowmanualinstall: true
- sharedipad:
- mode: allowed
- devicechannel: true
- userchannel: false
- userenrollment:
- mode: allowed
- macOS:
- introduced: '10.7'
- multiple: true
- devicechannel: true
- userchannel: true
- supervised: false
- requiresdep: false
- userapprovedmdm: false
- allowmanualinstall: true
- userenrollment:
- mode: allowed
- tvOS:
- introduced: '9.0'
- multiple: true
- supervised: false
- allowmanualinstall: true
- visionOS:
- introduced: '1.0'
- multiple: true
- supervised: false
- allowmanualinstall: true
- userenrollment:
- mode: allowed
- watchOS:
- introduced: '3.0'
- multiple: true
- allowmanualinstall: true
- content: Password-protected identity certificate. Only one certificate may be included.
-payloadkeys:
-- key: PayloadCertificateFileName
- title: Payload Certificate Filename
- type:
- presence: optional
- content: The file name of the enclosed certificate.
-- key: PayloadContent
- title: Payload Certificate Data
- type:
- presence: required
- content: The binary representation of the payload, encoded in Base64.
-- key: Password
- title: Password
- type:
- presence: optional
- content: The password to the identity.
-- key: AllowAllAppsAccess
- title: Allow All Apps Access
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- introduced: '10.10'
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: false
- content: If `true`, the system allows apps access to the private key. Available
- in macOS 10.10 and later.
-- key: KeyIsExtractable
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- introduced: '10.15'
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- type:
- presence: optional
- default: true
- content: If `false`, the system doesn't tag the private key data as extractable
- in the keychain.
-notes:
-- title: ''
- content: |-
- > Warning:
- > The system obfuscates the profile but doesn't encrypt it, so it's possible to intercept the profile and extract the password and identity.
-
- It's recommended to omit the password in the profile, or do one of the following instead:
-
- - Securely deliver the profile to authorized users only, such as through MDM.
- - Encrypt the profile so that only authorized devices can decrypt it.
- - Use `SCEP` or `ACMECertificate` to provision the identity.
diff --git a/mdm/profiles/com.apple.security.root.yaml b/mdm/profiles/com.apple.security.root.yaml
deleted file mode 100644
index e095bff..0000000
--- a/mdm/profiles/com.apple.security.root.yaml
+++ /dev/null
@@ -1,55 +0,0 @@
-title: Certificate (Root)
-description: The payload that configures a root certificate.
-payload:
- payloadtype: com.apple.security.root
- supportedOS:
- iOS:
- introduced: '4.0'
- multiple: true
- supervised: false
- allowmanualinstall: true
- sharedipad:
- mode: allowed
- devicechannel: true
- userchannel: false
- userenrollment:
- mode: allowed
- macOS:
- introduced: '10.7'
- multiple: true
- devicechannel: true
- userchannel: true
- supervised: false
- requiresdep: false
- userapprovedmdm: false
- allowmanualinstall: true
- userenrollment:
- mode: allowed
- tvOS:
- introduced: '9.0'
- multiple: true
- supervised: false
- allowmanualinstall: true
- visionOS:
- introduced: '1.0'
- multiple: true
- supervised: false
- allowmanualinstall: true
- userenrollment:
- mode: allowed
- watchOS:
- introduced: '3.0'
- multiple: true
- allowmanualinstall: true
- content: Alias for com.apple.security.pkcs1.
-payloadkeys:
-- key: PayloadCertificateFileName
- title: Payload Certificate Filename
- type:
- presence: optional
- content: The file name of the enclosed certificate.
-- key: PayloadContent
- title: Payload Certificate Data
- type:
- presence: required
- content: The binary representation of the payload encoded in base64.
diff --git a/mdm/profiles/com.apple.security.scep.yaml b/mdm/profiles/com.apple.security.scep.yaml
deleted file mode 100644
index fcf973a..0000000
--- a/mdm/profiles/com.apple.security.scep.yaml
+++ /dev/null
@@ -1,206 +0,0 @@
-title: SCEP
-description: The payload that configures Simple Certificate Enrollment Protocol (SCEP)
- settings.
-payload:
- payloadtype: com.apple.security.scep
- supportedOS:
- iOS:
- introduced: '4.0'
- multiple: true
- supervised: false
- allowmanualinstall: true
- sharedipad:
- mode: allowed
- devicechannel: true
- userchannel: false
- userenrollment:
- mode: allowed
- macOS:
- introduced: '10.7'
- multiple: true
- devicechannel: true
- userchannel: true
- supervised: false
- requiresdep: false
- userapprovedmdm: false
- allowmanualinstall: true
- userenrollment:
- mode: allowed
- tvOS:
- introduced: '9.0'
- multiple: true
- supervised: false
- allowmanualinstall: true
- visionOS:
- introduced: '1.0'
- multiple: true
- supervised: false
- allowmanualinstall: true
- userenrollment:
- mode: allowed
- watchOS:
- introduced: '3.0'
- multiple: true
- supervised: false
- allowmanualinstall: true
-payloadkeys:
-- key: PayloadContent
- title: Payload Content
- type:
- presence: required
- content: A dictionary containing the SCEP information.
- subkeys:
- - key: URL
- title: URL
- supportedOS:
- macOS:
- introduced: '10.7'
- type:
- presence: required
- content: The SCEP URL. See Over-the-Air Profile Delivery and Configuration for
- more information about SCEP.
- - key: Name
- title: Name
- type:
- presence: optional
- content: A string that's understood by the SCEP server; for example, a domain
- name like example.org. If a certificate authority has multiple CA certificates,
- this field can be used to distinguish which is required.
- - key: Subject
- title: Subject
- type:
- presence: optional
- content: |-
- The representation of an X.500 name as an array of OID and value.
-
- For example, `/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar` translates to `[ [ ["C", "US"] ], [ ["O", "Apple Inc."] ], …, [ [ "1.2.5.3", "bar" ] ] ]`.
-
- OIDs can be represented as dotted numbers, with shortcuts for country (C), locality (L), state (ST), organization (O), organizational unit (OU), and common name (CN).
- subkeys:
- - key: SCEPSubjectArrayInnerArray
- title: Array Inside SCEP Subject Array
- type:
- subkeys:
- - key: SCEPSubjectArrayPair
- title: Subject Array Pair
- type:
- subkeys:
- - key: SCEPSubjectArrayPairItem
- title: SCEP Subject Array Pair Item
- type:
- repetition:
- min: 2
- max: 2
- - key: Challenge
- title: Challenge
- type:
- presence: optional
- content: A preshared secret.
- - key: Keysize
- title: Key Size
- type:
- presence: optional
- rangelist:
- - 1024
- - 2048
- - 4096
- default: 1024
- content: The key size, in bits.
- - key: Key Type
- title: Key Type
- type:
- presence: optional
- default: RSA
- content: Always `RSA`.
- - key: Key Usage
- title: Key Usage
- supportedOS:
- macOS:
- introduced: '10.11'
- type:
- presence: optional
- default: 0
- content: |-
- A bitmask indicating the use of the key. Possible values:
-
- - `1`: Signing
- - `4`: Encryption
-
- Some certificate authorities, such as Windows CA, support only encryption or signing, but not both at the same time.
- - key: CAFingerprint
- title: Fingerprint
- type:
- presence: optional
- content: The fingerprint of the Certificate Authority certificate.
- - key: Retries
- title: Retries
- supportedOS:
- macOS:
- introduced: '10.10'
- type:
- presence: optional
- default: 3
- content: The number of times the device should retry if the server sends a PENDING
- response.
- - key: RetryDelay
- title: Retry Delay
- supportedOS:
- macOS:
- introduced: '10.10'
- type:
- presence: optional
- default: 10
- content: The number of seconds to wait between subsequent retries. The first retry
- is attempted without this delay.
- - key: SubjectAltName
- title: Subject Alt Name
- type:
- presence: optional
- content: The SCEP payload can specify an optional `SubjectAltName` dictionary
- that provides values required by the CA for issuing a certificate. You can specify
- a single string or an array of strings for each key. The values you specify
- depend on the CA you're using, but might include DNS name, URL, or email values.
- For an example, see Sample Configuration Profile or Over-the-Air Profile Delivery
- and Configuration.
- subkeys:
- - key: rfc822Name
- title: RFC 822 Name
- type:
- presence: optional
- content: The RFC 822 (email address) string.
- - key: dNSName
- title: DNS Name
- type:
- presence: optional
- content: The DNS name.
- - key: uniformResourceIdentifier
- title: URI
- type:
- presence: optional
- content: The Uniform Resource Identifier.
- - key: ntPrincipalName
- title: NT Principal Name
- type:
- presence: optional
- content: The NT principal name. Use an other name OID set to `1.3.6.1.4.1.311.20.2.3`.
- - key: KeyIsExtractable
- supportedOS:
- macOS:
- introduced: 10.13.4
- type:
- presence: optional
- default: true
- content: If `false`, the system disables exporting the private key from the keychain.
- - key: AllowAllAppsAccess
- title: Allow All Apps Access
- supportedOS:
- macOS:
- introduced: '10.10'
- type:
- presence: optional
- default: false
- content: If `true`, all apps have access to the private key.
-notes:
-- title: ''
- content: A SCEP payload automates the request of a client certificate from a SCEP
- server, as described in [Over-the-Air Profile Delivery and Configuration](https://developer.apple.com/library/archive/documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/Introduction/Introduction.html).
diff --git a/mdm/profiles/com.apple.security.smartcard.yaml b/mdm/profiles/com.apple.security.smartcard.yaml
deleted file mode 100644
index 817c55a..0000000
--- a/mdm/profiles/com.apple.security.smartcard.yaml
+++ /dev/null
@@ -1,82 +0,0 @@ -title: SmartCard -description: The payload that configures a smart card. -payload: - payloadtype: com.apple.security.smartcard - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: 10.12.4 - multiple: false - devicechannel: true - userchannel: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: Restrictions and settings for smart card pairing on macOS -payloadkeys: -- key: UserPairing - type: - presence: optional - default: true - content: If `false`, users don't get the pairing dialog, although existing pairings - still work. -- key: allowSmartCard - type: - presence: optional - default: true - content: If `false`, the system disables smart cards for logins, authorizations, - and screen saver unlocking. It is still allowed for other functions, such as signing - emails and accessing the web. A restart is required for a setting change to take - effect. -- key: checkCertificateTrust - type: - presence: optional - rangelist: - - 0 - - 1 - - 2 - - 3 - default: 0 - content: |- - Configures the certificate trust check and has one of the following possible values: - - - `0`: Turns off certificate trust check. - - `1`: Turns on certificate trust check. A standard validity check is performed but doesn't include additional revocation checks. - - `2`: Turns on certificate trust check. A soft revocation check is also performed. Until the certificate is explicitly rejected by CRL/OCSP, it's considered valid. This setting means that unavailable or unreachable CRL/OCSP allow this check to succeed. - - `3`: Turns on certificate trust check. A hard revocation check is also performed. Unless CRL/OCSP explicitly says "This certificate is OK," it's considered invalid. This option is the most secure. 
-- key: oneCardPerUser - type: - presence: optional - default: false - content: If `true`, a user can pair with only one smart card, although existing - pairings are allowed if already set up. -- key: tokenRemovalAction - supportedOS: - macOS: - introduced: 10.13.4 - type: - presence: optional - rangelist: - - 0 - - 1 - default: 0 - content: If `1`, the system enables the screen saver when the smart card is removed. - Available in macOS 10.13.4 and later. -- key: enforceSmartCard - supportedOS: - macOS: - introduced: 10.13.2 - type: - presence: optional - default: false - content: If `true`, a user can only log in or authenticate with a smart card. Available - in macOS 10.13.2 and later. diff --git a/mdm/profiles/com.apple.servicemanagement.yaml b/mdm/profiles/com.apple.servicemanagement.yaml deleted file mode 100644 index 037c905..0000000 --- a/mdm/profiles/com.apple.servicemanagement.yaml +++ /dev/null 
@@ -1,67 +0,0 @@ -title: Service Management - Managed Login Items -description: This payload that configures managed login items, which auto-enables - and auto-allows matched items. -payload: - payloadtype: com.apple.servicemanagement - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '13.0' - multiple: true - devicechannel: true - userchannel: false - requiresdep: false - userapprovedmdm: true - allowmanualinstall: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: This payload defines rules for tagging login items as managed, which will - auto-enable and auto-allow matched items. -payloadkeys: -- key: Rules - title: Rules - type: - presence: required - content: An array of service management rules. - subkeys: - - key: Rule - title: Rule - type: - presence: required - content: A specification for matching one or more login items. - subkeys: - - key: RuleType - title: Rule Type - type: - presence: required - rangelist: - - BundleIdentifier - - BundleIdentifierPrefix - - Label - - LabelPrefix - - TeamIdentifier - content: The type of comparison to make. - - key: RuleValue - title: Rule Value - type: - presence: required - content: The value to compare with each login item's value, to determine if - this rule is a match. - - key: Comment - title: Comment - type: - presence: optional - content: An optional description of the rule. - - key: TeamIdentifier - title: Team Identifier - type: - presence: optional - content: An additional constraint to limit the scope of the rule that the system - tests after matching the `RuleType` and `RuleValue`. diff --git a/mdm/profiles/com.apple.shareddeviceconfiguration.yaml b/mdm/profiles/com.apple.shareddeviceconfiguration.yaml deleted file mode 100644 index 88409d0..0000000 --- a/mdm/profiles/com.apple.shareddeviceconfiguration.yaml +++ /dev/null 
@@ -1,54 +0,0 @@ -title: Lock Screen Message -description: The payload that configures a Lock Screen message. -payload: - payloadtype: com.apple.shareddeviceconfiguration - supportedOS: - iOS: - introduced: '9.3' - multiple: false - supervised: true - allowmanualinstall: true - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: Allows admins to specify optional text displayed on the Login Window and - Lock Screen (i.e. a footnote and Asset Tag Information). -payloadkeys: -- key: AssetTagInformation - title: Asset Tag - type: - presence: optional - content: The asset tag information for the device, displayed in the Login Window - and Lock Screen. -- key: IfLostReturnToMessage - title: If Lost message - supportedOS: - iOS: - introduced: '9.3' - deprecated: 9.3.1 - type: - presence: optional - content: Deprecated. Use `LockScreenFootnote` instead. -- key: LockScreenFootnote - supportedOS: - iOS: - introduced: 9.3.1 - type: - presence: optional - content: The footnote displayed in the Login Window and Lock Screen. -notes: -- title: '' - content: This payload allows administrators to specify optional text displayed in - the Login Window and Lock Screen (for example, an "If Lost, Return To" message - and asset tag information). There can only be one Lock Screen payload. diff --git a/mdm/profiles/com.apple.sso.yaml b/mdm/profiles/com.apple.sso.yaml deleted file mode 100644 index dbcddfc..0000000 --- a/mdm/profiles/com.apple.sso.yaml +++ /dev/null 
@@ -1,80 +0,0 @@ -title: Single Sign-On -description: The payload that configures single sign-on (SSO). -payload: - payloadtype: com.apple.sso - supportedOS: - iOS: - introduced: '7.0' - deprecated: '26.0' - multiple: false - supervised: false - allowmanualinstall: true - sharedipad: - mode: forbidden - userenrollment: - mode: allowed - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a -payloadkeys: -- key: Name - type: - presence: required - content: The human-readable name for the account. -- key: Kerberos - type: - presence: optional - content: The Kerberos dictionary. - subkeys: - - key: PrincipalName - type: - presence: optional - content: The principal name. If not provided, the system prompts the user for - one during profile installation. Required for MDM installation. - - key: PayloadCertificateUUID - supportedOS: - iOS: - introduced: '8.0' - type: - presence: optional - content: The `PayloadUUID` of an identity certificate payload that the system - can use to renew the Kerberos credential without user interaction. Set the payload - type to either `com.apple.security.pkcs12` or `com.apple.security.scep` in the - certificate payload. The configuration file needs to contain both the SSO payload - and the identity certificate payload. - - key: Realm - type: - presence: required - content: The properly capitalized realm name. - - key: URLPrefixMatches - type: - presence: optional - content: |- - The list of URL prefixes to match in order to use this account for Kerberos authentication over HTTP. If this key is missing, the system makes the account eligible to match all `http://` and `https://` URLs. - - Begin the URL matching patterns with either `http://` or `https://`. The system performs a simple string match, so the URL prefix `http://www.apple.com/` doesn't match `http://www.apple.com:80/`. However, if a matching pattern doesn't end in `/`, the system automatically append a `/` to it. 
- subkeys: - - key: URLPrefixMatchesItem - type: - presence: required - content: A URL prefix. - - key: AppIdentifierMatches - type: - presence: optional - content: |- - The list of app identifiers that the system allows to use this login. If this field missing, the system matches all app identifiers with this login. - - Don't set an empty array. The array needs to contain strings that match App Bundle IDs. These strings can be exact matches such as `com.mycompany.myapp`, or they may specify a prefix match on the Bundle ID by using the `*` wildcard character. The wildcard character needs to appear after a period (`.`), and may only appear once, at the end of the string, for example, `com.mycompany.*`. When you provide a wildcard, the system grants access to the account to any app with a Bundle ID that begins with the prefix. - subkeys: - - key: AppIdentifierMatchesItem - type: - presence: required - content: An app identifier. -notes: -- title: '' - content: Deprecated in iOS 26. Use the `ExtensibleSingleSignOn` payload instead. diff --git a/mdm/profiles/com.apple.subscribedcalendar.account.yaml b/mdm/profiles/com.apple.subscribedcalendar.account.yaml deleted file mode 100644 index bfaca24..0000000 --- a/mdm/profiles/com.apple.subscribedcalendar.account.yaml +++ /dev/null 
@@ -1,65 +0,0 @@ -title: Subscribed Calendars -description: The payload that configures subscribed calendars. -payload: - payloadtype: com.apple.subscribedcalendar.account - supportedOS: - iOS: - introduced: '4.0' - multiple: true - supervised: false - allowmanualinstall: true - sharedipad: - mode: allowed - devicechannel: false - userchannel: true - userenrollment: - mode: allowed - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: '1.1' - multiple: true - supervised: false - allowmanualinstall: true - userenrollment: - mode: allowed - watchOS: - introduced: n/a -payloadkeys: -- key: SubCalAccountDescription - title: Description - type: - presence: optional - content: The description of the account. -- key: SubCalAccountHostName - title: URL - type: - presence: required - content: The server's address. -- key: SubCalAccountUsername - title: Username - type: - presence: optional - content: The user's user name. -- key: SubCalAccountPassword - title: Password - type: - presence: optional - content: The user's password. -- key: SubCalAccountUseSSL - title: Use SSL - type: - presence: optional - default: false - content: If `true`, the system enables SSL. -- key: VPNUUID - title: VPNUUID - supportedOS: - iOS: - introduced: '14.0' - type: - presence: optional - content: The VPNUUID of the per-app VPN the account uses for network communication. - Available in iOS 14 and later. diff --git a/mdm/profiles/com.apple.syspolicy.kernel-extension-policy.yaml b/mdm/profiles/com.apple.syspolicy.kernel-extension-policy.yaml deleted file mode 100644 index 029b3da..0000000 --- a/mdm/profiles/com.apple.syspolicy.kernel-extension-policy.yaml +++ /dev/null 
@@ -1,69 +0,0 @@ -title: System Policy - Kernel Extensions -description: The payload that configures the kernel extension policies. -payload: - payloadtype: com.apple.syspolicy.kernel-extension-policy - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: 10.13.2 - multiple: true - devicechannel: true - userchannel: false - requiresdep: false - userapprovedmdm: true - allowmanualinstall: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: Provides a way of enabling a set of team identifiers or specific kernel - extensions for loading without user approval. Also provides a way to block users - from approving additional kernel extensions. Payload must be user-approved only. -payloadkeys: -- key: AllowNonAdminUserApprovals - supportedOS: - macOS: - introduced: '11.0' - type: - presence: optional - default: false - content: |- - If `true`, nonadministrative users can approve additional kernel extensions in the Security & Privacy preferences. - - Available in macOS 11 and later. -- key: AllowUserOverrides - type: - presence: optional - default: false - content: If `true`, users can approve additional kernel extensions that configuration - profiles don't explicitly allow. -- key: AllowedTeamIdentifiers - type: - presence: optional - content: The array of team identifiers that define which validly signed kernel extensions - can load. - subkeys: - - key: AllowedTeamIdentifiersItem - title: Identifier - type: -- key: AllowedKernelExtensions - type: - presence: optional - content: The dictionary that represents a set of kernel extensions that the system - always allows to load on the computer. The dictionary maps team identifiers (keys) - to arrays of bundle identifiers. - subkeys: - - key: ANY - type: - presence: optional - content: The kernel extension data. - subkeys: - - key: AllowedKernelExtensionsItems - type: - presence: required - content: Kernel extension data. 
diff --git a/mdm/profiles/com.apple.system-extension-policy.yaml b/mdm/profiles/com.apple.system-extension-policy.yaml deleted file mode 100644 index 323f12f..0000000 --- a/mdm/profiles/com.apple.system-extension-policy.yaml +++ /dev/null 
@@ -1,163 +0,0 @@ -title: System Extensions -description: The payload that configures system extensions. -payload: - payloadtype: com.apple.system-extension-policy - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.15' - multiple: true - devicechannel: true - userchannel: false - requiresdep: false - userapprovedmdm: true - allowmanualinstall: false - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: Provides a way of enabling a set of team identifiers or specific system - extensions for loading without user approval. Also provides a way to block users - from approving additional system extensions. Payload must be user-approved only. - Starting in macOS 11.3, installing or removing this payload can change the state - of system extensions on the machine. If a system extension has been activated - by its containing application but is still in a pending state, installing a payload - which specifies that extension is Allowed will complete the activation process. - If a system extension is active, removing a payload which specified that extension - was Allowed will deactivate the extension. -payloadkeys: -- key: AllowUserOverrides - type: - presence: optional - default: true - content: If `false`, restricts users from approving additional system extensions - that configuration profiles don't explicitly allow. -- key: AllowedTeamIdentifiers - type: - presence: optional - content: |- - An array of team identifiers that defines valid, signed system extensions that are allowable to load. Approved system extensions are those signed with any of the specified team identifiers. - - To avoid requiring an administrator to authorize the operation, you can activate system extensions that this key specifies using `OSSystemExtensionActivationRequest API`. - - It's an error for the same team identifier to appear in both this array and as a key in the `AllowedSystemExtensions` dictionary. 
- subkeys: - - key: AllowedTeamIdentifiersItem - title: Identifier - type: -- key: AllowedSystemExtensionTypes - type: - presence: optional - content: |- - A dictionary that maps a team identifier to an array of strings, where each string is a type of system extension that you can install for that team identifier. The allowed extension types are `DriverExtension`, `NetworkExtension`, and `EndpointSecurityExtension`. - - If there's no entry for a specified team identifier in the dictionary, the system allows all extension types. - subkeys: - - key: ANY - type: - presence: optional - content: The mapping of team identifier to an array of strings, where each string - is a type of system extension that may be installed for that team identifier. - subkeys: - - key: AllowedSystemExtensionTypesItems - type: - presence: required - content: Permitted System Extension Type -- key: AllowedSystemExtensions - type: - presence: optional - content: |- - A dictionary of approved system extensions on the computer. The dictionary maps the team identifiers (keys) to arrays of bundle identifiers, where the bundle identifier defines the system extension to install. - - To avoid requiring an administrator to authorize the operation, you can activate system extensions that this key specifies using `OSSystemExtensionActivationRequest API`. - - It's an error for the same team identifier to appear in both the `AllowedTeamIdentifiers` array and as a key in this dictionary. - subkeys: - - key: ANY - type: - presence: optional - content: The mapping of team identifiers to arrays of bundle identifiers, where - the bundle identifier is that of the system extension to be installed. 
- subkeys: - - key: AllowedSystemExtensionsItems - type: - presence: required - content: Allowed system extension bundle ID -- key: RemovableSystemExtensions - supportedOS: - macOS: - introduced: '12.0' - type: - presence: optional - content: |- - A dictionary of system extensions that are allowed to remove themselves from the machine. The dictionary maps team identifiers (keys) to arrays of bundle identifiers, where the bundle identifier defines the system extension. An application using the `OSSystemExtensionDeactivationRequest` API can deactivate the specified system extensions without requiring an administrator to authorize the operation. - - Available in macOS 12 and later. - subkeys: - - key: ANY - type: - presence: optional - content: The dictionary maps team identifiers (keys) to arrays of bundle identifiers, - where the bundle identifier defines the system extension. - subkeys: - - key: RemovableSystemExtensionsItems - type: - presence: required - content: Removed system extension bundle ID -- key: NonRemovableSystemExtensions - supportedOS: - macOS: - introduced: '15.0' - type: - presence: optional - content: A dictionary of system extensions on the computer. The dictionary maps - the team identifiers (keys) to arrays of bundle identifiers, where the bundle - identifier defines the system extension which can't be disabled or uninstalled - when SIP is enabled. It's an error for the same mapping to appear in the dictionary - values corresponding to `RemovableSystemExtensions` and `NonRemovableSystemExtensions` - keys. - subkeys: - - key: ANY - type: - presence: optional - content: System extension bundle identifiers - subkeys: - - key: NonRemovableSystemExtensionsItems - type: - presence: required - content: Non Removable system extension bundle ID -- key: NonRemovableFromUISystemExtensions - supportedOS: - macOS: - introduced: '15.0' - type: - presence: optional - content: A dictionary of system extensions on the computer. 
The dictionary maps - the team identifiers (keys) to arrays of bundle identifiers, where the bundle - identifier defines the system extension which can't be disabled or uninstalled - from System Settings or Finder. The set of system extensions between `RemovableSystemExtensions` - and `NonRemovableFromUISystemExtensions` can to overlap. - subkeys: - - key: ANY - type: - presence: optional - content: System extension bundle identifiers - subkeys: - - key: NonRemovableFromUISystemExtensionsItems - type: - presence: required - content: Non Removable from UI system extension bundle ID -notes: -- title: '' - content: |- - When there are multiple installed profiles, the keys combine as follows: - - - `AllowUserOverrides` is `false` if any profile sets it to `false`. - - All the other values combine together. - - Beginning in macOS 11.3, installing or removing this payload can change the state of system extensions on the computer. If a containing application activates a system extension, and the system extension is in a pending state, installing a payload that allows the extension completes the activation process. If a system extension is active, removing a payload that allows the extension deactivates that extension. diff --git a/mdm/profiles/com.apple.system.logging.yaml b/mdm/profiles/com.apple.system.logging.yaml deleted file mode 100644 index a1346ae..0000000 --- a/mdm/profiles/com.apple.system.logging.yaml +++ /dev/null 
@@ -1,58 +0,0 @@ -title: System Logging -description: The payload that configures system logging. -payload: - payloadtype: com.apple.system.logging - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.12' - multiple: true - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a -payloadkeys: -- key: Processes - supportedOS: - macOS: - introduced: n/a - type: - presence: optional - content: Not to be used. - subkeytype: Item - subkeys: &id001 - - key: ANY - type: - presence: optional - content: TBD -- key: Subsystems - supportedOS: - macOS: - introduced: n/a - type: - presence: optional - content: A dictionary enabling the logging level for subsystems. See `Customizing - Logging Behavior While Debugging` for more details about the format of the dictionary. - subkeytype: Item - subkeys: *id001 -- key: System - supportedOS: - macOS: - introduced: n/a - type: - presence: optional - content: This dictionary has one key, `Enable-Private-Data`. Setting that value - to `true` enables private data logging for the entire system. - subkeytype: Item - subkeys: *id001 diff --git a/mdm/profiles/com.apple.systemmigration.yaml b/mdm/profiles/com.apple.systemmigration.yaml deleted file mode 100644 index 518b994..0000000 --- a/mdm/profiles/com.apple.systemmigration.yaml +++ /dev/null 
@@ -1,63 +0,0 @@ -title: System Migration -description: The payload that configures system migration. -payload: - payloadtype: com.apple.systemmigration - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: 10.12.4 - multiple: false - devicechannel: true - userchannel: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: Provides a way of customizing items migrated during System Migration. -payloadkeys: -- key: CustomBehavior - type: - presence: optional - content: The list of custom behavior dictionaries. - subkeys: - - key: CustomBehaviorItem - type: - content: The custom behavior dictionary. - subkeys: - - key: Context - type: - presence: required - content: The context that custom paths apply to. - - key: Paths - type: - presence: required - content: The list of custom behavior path dictionaries. - subkeys: - - key: PathsItem - type: - content: The custom behavior path dictionary. - subkeys: - - key: SourcePath - type: - presence: required - content: The path to the migrating file or directory on the source system. - - key: SourcePathInUserHome - type: - presence: required - content: If `true`, the source path is located within a user home directory. - - key: TargetPath - type: - presence: required - content: The path to the destination file or directory on the target system. - - key: TargetPathInUserHome - type: - presence: required - content: If `true`, the target path is located within a user home directory. diff --git a/mdm/profiles/com.apple.systempolicy.control.yaml b/mdm/profiles/com.apple.systempolicy.control.yaml deleted file mode 100644 index ed6d973..0000000 --- a/mdm/profiles/com.apple.systempolicy.control.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -title: System Policy Control -description: The payload that configures the system policy for assessments. -payload: - payloadtype: com.apple.systempolicy.control - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.8' - multiple: true - devicechannel: true - userchannel: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: Provides a way of enabling System Policy assessment processing. This corresponds - to the Gatekeeper UI in the Security pref pane. -payloadkeys: -- key: EnableAssessment - type: - presence: optional - content: If `true`, enables Gatekeeper. If `false`, disables Gatekeeper. -- key: AllowIdentifiedDevelopers - type: - presence: optional - content: |- - If `true`, enables Gatekeeper's "Mac App Store and identified developers" option. - - If `false`, enables Gatekeeper's "Mac App Store" option. - - If the value of `EnableAssessment` isn't set to `true`, this key has no effect. -- key: EnableXProtectMalwareUpload - supportedOS: - macOS: - introduced: '15.0' - type: - presence: optional - content: If `false`, prevents Gatekeeper from prompting the user to upload blocked - malware to Apple for purposes of improving malware detection. diff --git a/mdm/profiles/com.apple.systempolicy.managed.yaml b/mdm/profiles/com.apple.systempolicy.managed.yaml deleted file mode 100644 index 298eb31..0000000 --- a/mdm/profiles/com.apple.systempolicy.managed.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -title: System Policy Managed -description: The payload that configures the Finder's contextual menu to bypass the - system policy. -payload: - payloadtype: com.apple.systempolicy.managed - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.8' - multiple: true - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: Provides a way of disabling the Finder's contextual menu that allows bypass - of System Policy restrictions. -payloadkeys: -- key: DisableOverride - type: - presence: optional - default: false - content: If `true`, disables the Finder's contextual menu item. diff --git a/mdm/profiles/com.apple.systempolicy.rule.yaml b/mdm/profiles/com.apple.systempolicy.rule.yaml deleted file mode 100644 index b9e2984..0000000 --- a/mdm/profiles/com.apple.systempolicy.rule.yaml +++ /dev/null 
@@ -1,65 +0,0 @@ -title: System Policy Rule -description: The payload that configures the system policy. -payload: - payloadtype: com.apple.systempolicy.rule - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.8' - multiple: true - devicechannel: true - userchannel: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: This payload allows control over Gatekeeper's system policy rules. The - keys and functionality are tightly related to the spctl command line tool. For - more information, see the manual page for spctl. -payloadkeys: -- key: Requirement - type: - presence: optional - content: The policy requirement. This key must follow the syntax described in [Code - Signing Requirement Language](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/RequirementLang/RequirementLang.html#//apple_ref/doc/uid/TP40005929-CH5). -- key: Comment - type: - presence: optional - content: This string appears in the System Policy UI. If it's missing, `PayloadDisplayName` - or `PayloadDescription` is entered into this field before the rule is added to - the System Policy database. -- key: Priority - type: - presence: optional - content: The rule's priority. -- key: Expiration - type: - presence: optional - content: The expiration date for rules being processed. -- key: OperationType - type: - presence: optional - rangelist: - - operation:execute - - operation:install - - operation:lsopen - default: operation:execute - content: The type of operation. -- key: LeafCertificate - type: - presence: optional - content: The single leaf certificate for the app that is in the allow list. -notes: -- title: '' - content: |- - This payload allows control over Gatekeeper's system policy rules. The keys and functionality are tightly related to the `spctl` command line tool. 
For more information, see the manual page for `spctl`. - - This payload can only exist in a device profile. If the payload is present in a user profile, an error occurs during installation and the profile installation fails. diff --git a/mdm/profiles/com.apple.systempreferences.yaml b/mdm/profiles/com.apple.systempreferences.yaml deleted file mode 100644 index 601a6ba..0000000 --- a/mdm/profiles/com.apple.systempreferences.yaml +++ /dev/null 
@@ -1,153 +0,0 @@ -title: System Preferences -description: The payload that configures the preference panes. -payload: - payloadtype: com.apple.systempreferences - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.7' - deprecated: '13.0' - multiple: false - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: |- - Hide and show individual System Preferences panes. - The following preference pane items are no longer supported on macOS 10.14: - • com.apple.preferences.appstore - The following preference pane items are no longer supported on macOS 10.15: - • com.apple.preference.ink - • com.apple.preferences.icloud - • com.apple.preferences.parentalcontrols - This payload is deprecated as of macOS 13. When new restrictions become available to control functionality exposed through System Settings, those restrictions should be used instead of disabling the entire preference pane. This allows for user transparency even when the user's control has been disabled by a restriction. - macOS 13 introduces a new DisabledSystemSettings key for controlling macOS 13 and newer System Settings extensions. However, note that System Settings extensions within the Privacy & Security section cannot be disabled. If DisabledSystemSettings is not provided, the system will attempt to honor the EnabledPreferencePanes and DisabledPreferencePanes by mapping the old preference pane value to one or more new settings extension values whose content was wholly contained in the old preference pane value. -payloadkeys: -- key: EnabledPreferencePanes - type: - presence: optional - content: The list of enabled System Preferences panes. 
- subkeys: &id001 - - key: PreferencePanes - type: - presence: optional - rangelist: - - com.apple.ClassroomSettings - - com.apple.Localization - - com.apple.preference.datetime - - com.apple.preference.desktopscreeneffect - - com.apple.preference.digihub.discs - - com.apple.preference.displays - - com.apple.preference.dock - - com.apple.preference.energysaver - - com.apple.preference.expose - - com.apple.preference.general - - com.apple.preference.ink - - com.apple.preference.keyboard - - com.apple.preference.mouse - - com.apple.preference.network - - com.apple.preference.notifications - - com.apple.preference.printfax - - com.apple.preference.screentime - - com.apple.preference.security - - com.apple.preference.sidecar - - com.apple.preference.sound - - com.apple.preference.speech - - com.apple.preference.spotlight - - com.apple.preference.startupdisk - - com.apple.preference.trackpad - - com.apple.preference.universalaccess - - com.apple.preferences.AppleIDPrefPane - - com.apple.preferences.appstore - - com.apple.preferences.Bluetooth - - com.apple.preferences.configurationprofiles - - com.apple.preferences.extensions - - com.apple.preferences.FamilySharingPrefPane - - com.apple.preferences.icloud - - com.apple.preferences.internetaccounts - - com.apple.preferences.parentalcontrols - - com.apple.preferences.password - - com.apple.preferences.sharing - - com.apple.preferences.softwareupdate - - com.apple.preferences.users - - com.apple.preferences.wallet - - com.apple.prefpanel.fibrechannel - - com.apple.prefs.backup - - com.apple.Xsan -- key: DisabledPreferencePanes - type: - presence: optional - content: The list of disabled System Preferences panes. - subkeys: *id001 -- key: DisabledSystemSettings - supportedOS: - macOS: - introduced: '13.0' - type: - presence: optional - content: |- - The list of disabled System Settings extensions. All other items will be enabled. 
When `DisabledSystemSettings` is specified, the device ignores `DisabledPreferencePanes` and `EnabledPreferencePanes`. - - > Note: - > A given System Settings extension can supply more than one section in System Settings; disabling such an extension disables all sections it supplies. - subkeys: - - key: SettingsExtensions - type: - presence: optional - rangelist: - - com.apple.Accessibility-Settings.extension - - com.apple.AirDrop-Handoff-Settings.extension - - com.apple.Battery-Settings.extension - - com.apple.BluetoothSettings - - com.apple.CD-DVD-Settings.extension - - com.apple.ClassKit-Settings.extension - - com.apple.Classroom-Settings.extension - - com.apple.ControlCenter-Settings.extension - - com.apple.Date-Time-Settings.extension - - com.apple.Desktop-Settings.extension - - com.apple.Displays-Settings.extension - - com.apple.ExtensionsPreferences - - com.apple.Family-Settings.extension - - com.apple.Focus-Settings.extension - - com.apple.Game-Center-Settings.extension - - com.apple.Game-Controller-Settings.extension - - com.apple.HeadphoneSettings - - com.apple.Internet-Accounts-Settings.extension - - com.apple.Keyboard-Settings.extension - - com.apple.Localization-Settings.extension - - com.apple.Lock-Screen-Settings.extension - - com.apple.LoginItems-Settings.extension - - com.apple.Mouse-Settings.extension - - com.apple.Network-Settings.extension - - com.apple.NetworkExtensionSettingsUI.NESettingsUIExtension - - com.apple.Notifications-Settings.extension - - com.apple.Passwords-Settings.extension - - com.apple.Print-Scan-Settings.extension - - com.apple.Screen-Time-Settings.extension - - com.apple.ScreenSaver-Settings.extension - - com.apple.Sharing-Settings.extension - - com.apple.Siri-Settings.extension - - com.apple.Software-Update-Settings.extension - - com.apple.Sound-Settings.extension - - com.apple.Startup-Disk-Settings.extension - - com.apple.Time-Machine-Settings.extension - - com.apple.Touch-ID-Settings.extension - - 
com.apple.Trackpad-Settings.extension - - com.apple.Transfer-Reset-Settings.extension - - com.apple.Users-Groups-Settings.extension - - com.apple.WalletSettingsExtension - - com.apple.Wallpaper-Settings.extension - - com.apple.settings.Storage - - com.apple.systempreferences.AppleIDSettings - - com.apple.wifi-settings-extension diff --git a/mdm/profiles/com.apple.systemuiserver.yaml b/mdm/profiles/com.apple.systemuiserver.yaml deleted file mode 100644 index 3974d8d..0000000 --- a/mdm/profiles/com.apple.systemuiserver.yaml +++ /dev/null 
@@ -1,135 +0,0 @@ -title: 'Media Management: Allowed Media' -description: The payload that configures media management. -payload: - payloadtype: com.apple.systemuiserver - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.7' - deprecated: '11.0' - multiple: false - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a -payloadkeys: -- key: logout-eject - type: - presence: optional - content: The media type dictionary that defines volumes to eject when the user logs - out. - subkeytype: MediaItems - subkeys: &id002 - - key: all-media - type: - presence: optional - content: Unused; set to an empty string. - - key: cd - type: - presence: optional - content: A media action string or an array of media action strings. - subkeytype: ActionStringItem - subkeys: &id001 - - key: ActionStringItem - type: - presence: optional - rangelist: - - authenticate - - read-only - - deny - - eject - content: |- - One of the following values: - * authenticate - User will be authenticated before media is mounted - * read-only - The media will be mounted read-only. Not valid for unmount-controls. - * deny - The media will not be mounted. - * eject - The media will not be mounted and it will be ejected if possible. Note that some volumes are not defined as ejectable, so using the deny key may be the best solution. Not valid for unmount-controls. - - key: dvd - type: - presence: optional - content: A media action string or an array of media action strings. - subkeytype: ActionStringItem - subkeys: *id001 - - key: bd - type: - presence: optional - content: A media action string or an array of media action strings. - subkeytype: ActionStringItem - subkeys: *id001 - - key: blankcd - type: - presence: optional - content: A media action string or an array of media action strings. 
- subkeytype: ActionStringItem - subkeys: *id001 - - key: blankdvd - type: - presence: optional - content: A media action string or an array of media action strings. - subkeytype: ActionStringItem - subkeys: *id001 - - key: blankbd - type: - presence: optional - content: A media action string or an array of media action strings. - subkeytype: ActionStringItem - subkeys: *id001 - - key: dvdram - type: - presence: optional - content: A media action string or an array of media action strings. - subkeytype: ActionStringItem - subkeys: *id001 - - key: disk-image - type: - presence: optional - content: A media action string or an array of media action strings. - subkeytype: ActionStringItem - subkeys: *id001 - - key: harddisk-internal - type: - presence: optional - content: A media action string or an array of media action strings. - subkeytype: ActionStringItem - subkeys: *id001 - - key: harddisk-external - type: - presence: optional - content: |- - A string or an array of media action strings. Internally installed SD cards and USB flash drives are included in the hard disk-external category. - - This key is the default for media types that don't fall into other categories. - subkeytype: ActionStringItem - subkeys: *id001 - - key: networkdisk - type: - presence: optional - content: A media action string or an array of media action strings. - subkeytype: ActionStringItem - subkeys: *id001 -- key: mount-controls - type: - presence: optional - content: The media type dictionary that controls volume mounting. - subkeytype: MediaItems - subkeys: *id002 -- key: unmount-controls - type: - presence: optional - content: The media type dictionary that controls volume unmounting. - subkeytype: MediaItems - subkeys: *id002 -notes: -- title: '' - content: This payload is deprecated as of macOS 11. diff --git a/mdm/profiles/com.apple.thirdactiveethernet.managed.yaml b/mdm/profiles/com.apple.thirdactiveethernet.managed.yaml deleted file mode 100644 index 49eee58..0000000 
--- a/mdm/profiles/com.apple.thirdactiveethernet.managed.yaml +++ /dev/null @@ -1,41 +0,0 @@ -title: '802.1X: Third Active Ethernet' -description: The payload that configures the third wired, active Ethernet interface. -payload: - payloadtype: com.apple.thirdactiveethernet.managed - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.7' - multiple: false - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: allowed - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a -payloadkeys: -- key: ANY - type: - presence: optional - content: Keys relevant to 802.1x configuration. User enrollment payloads do not - support the various proxy keys including ProxyType, ProxyServer, ProxyServerPort, - ProxyUsername, ProxyPassword,, ProxyPACURL and ProxyPACFallbackAllowed. -notes: -- title: '' - content: |- - This payload's contents contain these profile-specific keys: - - - Interface (String): This payload uses the value `ThirdActiveEthernet`. - - EAPClientConfiguration (`EAPClientConfiguration`): The dictionary that defines the enterprise profile for the network. - - SetupModes (String): The type of connection mode, which is either "System" or "Loginwindow." "System" is the default. - - Payloads with `active` in their name apply to Ethernet interfaces that are working at the time of profile installation. If there's no active Ethernet interface working, this payload configures the interface with the highest service-order priority. diff --git a/mdm/profiles/com.apple.thirdethernet.managed.yaml b/mdm/profiles/com.apple.thirdethernet.managed.yaml deleted file mode 100644 index ea4c4c4..0000000 --- a/mdm/profiles/com.apple.thirdethernet.managed.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -title: '802.1X: Third Ethernet' -description: The payload that configures the third wired Ethernet interface. -payload: - payloadtype: com.apple.thirdethernet.managed - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.7' - multiple: false - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: allowed - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a -payloadkeys: -- key: ANY - type: - presence: optional - content: Keys relevant to 802.1x configuration. User enrollment payloads do not - support the various proxy keys including ProxyType, ProxyServer, ProxyServerPort, - ProxyUsername, ProxyPassword,, ProxyPACURL and ProxyPACFallbackAllowed. -notes: -- title: '' - content: |- - This payload's contents contain these profile-specific keys: - - - Interface (String): This payload uses the value `ThirdEthernet`. - - EAPClientConfiguration (`EAPClientConfiguration`): The dictionary that defines the enterprise profile for the network. - - SetupModes (String): The type of connection mode, which is either "System" or "Loginwindow." "System" is the default. - - This payload applies to Ethernet interfaces according to service order, regardless of whether the interface is working. diff --git a/mdm/profiles/com.apple.tvremote.yaml b/mdm/profiles/com.apple.tvremote.yaml deleted file mode 100644 index 0ed2cd3..0000000 --- a/mdm/profiles/com.apple.tvremote.yaml +++ /dev/null 
@@ -1,70 +0,0 @@ -title: TV Remote -description: The payload that configures the Apple TV remote. -payload: - payloadtype: com.apple.tvremote - supportedOS: - iOS: - introduced: '11.3' - multiple: false - supervised: true - allowmanualinstall: true - sharedipad: - mode: allowed - devicechannel: true - userchannel: true - userenrollment: - mode: forbidden - macOS: - introduced: n/a - tvOS: - introduced: '11.3' - multiple: false - supervised: true - allowmanualinstall: true - visionOS: - introduced: n/a - watchOS: - introduced: n/a -payloadkeys: -- key: AllowedRemotes - supportedOS: - iOS: - introduced: n/a - type: - presence: optional - content: The array of valid devices that Apple TV can connect to. - subkeys: - - key: AllowedRemotesItem - type: - content: The array of valid devices that Apple TV can connect to. - subkeys: - - key: RemoteDeviceID - type: - presence: required - content: The MAC address of a permitted iOS device that can control this Apple - TV. Use the format `xx:xx:xx:xx:xx:xx`, which isn't case-sensitive. -- key: AllowedTVs - supportedOS: - tvOS: - introduced: n/a - type: - presence: optional - content: The array of valid Apple TV identifiers that the remote can connect to. - subkeys: - - key: AllowedTVsItem - type: - content: The array of valid Apple TV identifiers that the remote can connect to. - subkeys: - - key: TVDeviceID - type: - presence: required - content: The MAC address of an Apple TV device that the system permits this - iOS device to control. Use the format `xx:xx:xx:xx:xx:xx`, which isn't case-sensitive. - - key: TVDeviceName - supportedOS: - iOS: - introduced: '15.0' - type: - presence: optional - content: The name of an Apple TV device that the system permits this iOS device - to control. diff --git a/mdm/profiles/com.apple.universalaccess.yaml b/mdm/profiles/com.apple.universalaccess.yaml deleted file mode 100644 index fcf40e5..0000000 --- a/mdm/profiles/com.apple.universalaccess.yaml +++ /dev/null 
@@ -1,147 +0,0 @@ -title: Accessibility -description: The payload that configures the accessibility features of the device. -payload: - payloadtype: com.apple.universalaccess - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.9' - multiple: false - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a -payloadkeys: -- key: closeViewFarPoint - type: - presence: optional - content: The minimum zoom level in the Zoom options. -- key: closeViewHotkeysEnabled - type: - presence: optional - default: false - content: If `true`, enables "Use keyboard shortcuts" in the Zoom options. -- key: closeViewNearPoint - type: - presence: optional - content: The maximum zoom level in the Zoom options. -- key: closeViewScrollWheelToggle - type: - presence: optional - default: false - content: If `true`, enables "Use scroll gesture" in the Zoom options. -- key: closeViewShowPreview - supportedOS: - macOS: - introduced: '10.9' - deprecated: '10.15' - type: - presence: optional - default: false - content: If `true`, enables "Show preview rectangle" in the Zoom options. Only available - in macOS 10.15 and earlier. -- key: closeViewSmoothImages - type: - presence: optional - default: false - content: If `true`, enables "Smooth images" in the Zoom options. -- key: contrast - type: - presence: optional - range: - min: 0.0 - max: 1.0 - content: The contrast value in the Display options. -- key: flashScreen - type: - presence: optional - default: false - content: If `true`, enables "Flash the screen" in the Audio options. -- key: grayscale - supportedOS: - macOS: - deprecated: '11.0' - type: - presence: optional - default: false - content: |- - If `true`, enables "Use grayscale" in the Display options. - - This option is deprecated in macOS 11. 
-- key: mouseDriver - type: - presence: optional - default: false - content: If `true`, enables Mouse Keys in the Mouse & Trackpad options. -- key: mouseDriverCursorSize - type: - presence: optional - content: The size of the cursor. -- key: mouseDriverIgnoreTrackpad - type: - presence: optional - default: false - content: If `true`, ignores the built-in trackpad. -- key: mouseDriverInitialDelay - type: - presence: optional - content: The initial delay before moving the mouse with Mouse Keys. -- key: mouseDriverMaxSpeed - type: - presence: optional - content: The maximum speed for the cursor when using Mouse Keys. -- key: slowKey - type: - presence: optional - default: false - content: If `true`, enables "Slow Keys" in the Keyboard options. -- key: slowKeyBeepOn - type: - presence: optional - default: false - content: If `true`, enables "click key sounds" for Slow Keys. -- key: slowKeyDelay - type: - presence: optional - content: The acceptance delay, in milliseconds, for Slow Keys. -- key: stereoAsMono - type: - presence: optional - default: false - content: If `true`, plays stereo audio as mono. -- key: stickyKey - type: - presence: optional - default: false - content: If `true`, enables Sticky Keys in the Keyboard options. -- key: stickyKeyBeepOnModifier - type: - presence: optional - default: false - content: If `true`, enables the beep when a modifier key is set for Sticky Keys. -- key: stickyKeyShowWindow - type: - presence: optional - default: false - content: If `true`, enables "Display pressed keys on screen" for Sticky Keys. -- key: voiceOverOnOffKey - type: - presence: optional - default: false - content: If `true`, enables Voice Over. -- key: whiteOnBlack - type: - presence: optional - default: false - content: If `true`, enables Invert Colors in Display Accommodations. diff --git a/mdm/profiles/com.apple.vpn.managed.applayer.yaml b/mdm/profiles/com.apple.vpn.managed.applayer.yaml deleted file mode 100644 index 4ad0f76..0000000 
--- a/mdm/profiles/com.apple.vpn.managed.applayer.yaml +++ /dev/null 
@@ -1,209 +0,0 @@ -title: App-Layer VPN -description: The payload that configures a per-app VPN. -payload: - payloadtype: com.apple.vpn.managed.applayer - supportedOS: - iOS: - introduced: '7.0' - multiple: true - supervised: false - allowmanualinstall: true - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: allowed - macOS: - introduced: '10.9' - multiple: true - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: allowed - tvOS: - introduced: n/a - visionOS: - introduced: '1.1' - multiple: true - supervised: false - allowmanualinstall: true - userenrollment: - mode: allowed - watchOS: - introduced: '10.0' - multiple: true - supervised: true - allowmanualinstall: false - content: The fields in this payload are the same as the VPN payload, with the addition - of the fields shown below. On watchOS, only the IKEv2 VPN type is supported. -payloadkeys: -- key: VPNUUID - type: - presence: required - content: A globally unique identifier for this VPN configuration. -- key: CellularSliceUUID - title: Cellular Slice UUID - supportedOS: - iOS: - introduced: '18.0' - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: n/a - type: - presence: optional - content: A string representing the data network name (DNN) or app category identifying - a Cellular Slice. The device forces the VPN tunnel to use the specified Cellular - Slice. -- key: SafariDomains - supportedOS: - watchOS: - introduced: n/a - type: - presence: optional - content: An array with entries that must each specify a domain that triggers the - VPN connection in Safari. Each entry is in the format `www.apple.com`. - subkeys: - - key: SafariDomainsItem - type: - presence: required - content: A domain. 
-- key: MailDomains - supportedOS: - iOS: - introduced: '13.0' - deprecated: '13.4' - macOS: - introduced: '10.15' - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: |- - An array with entries that must each specify a domain that triggers this VPN connection in Mail. Each entry is in the format `www.apple.com`. - - This property is deprecated in iOS 13.4 and later; use the `VPNUUID` property of the `Mail` or `ExchangeActiveSync` payload instead. - subkeys: - - key: MailDomainsItem - type: - presence: required - content: A domain. -- key: CalendarDomains - supportedOS: - iOS: - introduced: '13.0' - deprecated: '13.4' - macOS: - introduced: '10.15' - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: |- - An array with entries that must each specify a domain that triggers this VPN connection in Calendar. Each entry is in the format `www.apple.com`. - - This property is deprecated in iOS 13.4 and later; use the `VPNUUID` property of the `CalDAV` payload instead. - subkeys: - - key: CalendarDomainsItem - type: - presence: required - content: A domain. -- key: ContactsDomains - supportedOS: - iOS: - introduced: '13.0' - deprecated: '13.4' - macOS: - introduced: '10.15' - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: |- - An array with entries that must each specify a domain that triggers this VPN connection in Contacts. Each entry is in the format `www.apple.com`. - - This property is deprecated in iOS 13.4 and later; use the `VPNUUID` property of the `CardDAV` payload instead. - subkeys: - - key: ContactsDomainsItem - type: - presence: required - content: A domain. -- key: AssociatedDomains - supportedOS: - iOS: - introduced: '14.0' - macOS: - introduced: '11.0' - type: - presence: optional - content: |- - An array with entries that must each specify a domain that triggers this VPN. 
The domains must also be part of the `apple-app-site-association` file, as described in `Supporting associated domains`. - - Available in iOS 14 and later, and macOS 11 and later. - subkeys: - - key: AssociatedDomainsItem - type: - presence: required - content: A domain. -- key: ExcludedDomains - supportedOS: - iOS: - introduced: '14.0' - macOS: - introduced: '11.0' - type: - presence: optional - content: |- - An array with entries that each specify a domain that doesn't trigger this VPN for connections to the domain. - - Available in iOS 14 and later, and macOS 11 and later. - subkeys: - - key: ExcludedDomainsItem - type: - presence: required - content: A domain. -- key: OnDemandMatchAppEnabled - type: - presence: optional - content: If `true`, automatically connects the VPN when associated apps for this - per-app VPN service initiate network communication. Otherwise, the user must initiate - the connection manually before those apps can initiate network communication. - If this key isn't present, the value of the `OnDemandEnabled` key determines the - status of per-app VPN On Demand. -- key: SMBDomains - supportedOS: - iOS: - introduced: '13.0' - macOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: |- - An array of SMB domains that's accessible through this VPN connection. - - Available in iOS 13 and later. - subkeys: - - key: SMBDomainsItem - type: - presence: required - content: An SMB domain. -notes: -- title: '' - content: This profile defines per-app VPN behavior and applies only to VPN services - of type `VPN`, `IPsec`, and `IKEv2`. All the properties of VPN apply to the top - level of this profile as well. diff --git a/mdm/profiles/com.apple.vpn.managed.appmapping.yaml b/mdm/profiles/com.apple.vpn.managed.appmapping.yaml deleted file mode 100644 index 1bbf67b..0000000 --- a/mdm/profiles/com.apple.vpn.managed.appmapping.yaml +++ /dev/null 
@@ -1,108 +0,0 @@ -title: App-to-App-Layer VPN Mapping -description: The payload that configures per-app VPN settings. -payload: - payloadtype: com.apple.vpn.managed.appmapping - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.9' - multiple: false - devicechannel: true - userchannel: true - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: allowed - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - content: This payload is only valid on macOS. -payloadkeys: -- key: AppLayerVPNMapping - type: - presence: required - content: The array of VPN mapping dictionaries. - subkeys: - - key: AppLayerVPNMappingItem - type: - content: A dictionary defining a per-app VPN relationship. - subkeys: - - key: Identifier - type: - presence: required - content: The bundle identifier of the app using the per-app VPN. - - key: VPNUUID - type: - presence: required - content: The identifier of the per-app VPN payload, which defines the per-app - VPN that the app uses. See the `VPNUUID` key of the `AppLayerVPN` payload. - - key: DesignatedRequirement - supportedOS: - macOS: - introduced: '10.10' - type: - presence: required - content: The code signature designated requirement of the app using the per-app - VPN. - - key: SigningIdentifier - supportedOS: - macOS: - introduced: '10.10' - type: - presence: required - content: The code signature signing identifier of the app using the per-app - VPN. - - key: Path - supportedOS: - macOS: - introduced: '10.15' - type: - presence: optional - content: The file-system path of the executable using the per-app VPN. - - key: MatchTools - supportedOS: - macOS: - introduced: 10.15.4 - type: - presence: optional - content: |- - An array of dictionaries. Each dictionary specifies a per-app VPN rule. Use this property to restrict this per-app VPN rule to only match the app's spawned _helper tool_ network traffic. 
- - For example, to match network traffic that the `curl` command generates when run from the Terminal.app, create an app mapping payload for Terminal.app and set the payload's `MatchTools` key to an array that contains a dictionary that matches the `curl` command-line tool. - - If you don't specify the `MatchTools` key, this per-app VPN rule matches all network traffic that the matching app and its spawned helper tools generate. - subkeys: - - key: MatchToolsItem - type: - content: Specifies a per-app VPN rule to match network traffic that the app's - spawned command-line tool generates. - subkeys: - - key: DesignatedRequirement - supportedOS: - macOS: - introduced: 10.15.4 - type: - presence: required - content: The code signature designated requirement of the command-line tool - using the per-app VPN. - - key: SigningIdentifier - supportedOS: - macOS: - introduced: 10.15.4 - type: - presence: required - content: The code signature signing identifier of the command-line tool - using the per-app VPN. - - key: Path - supportedOS: - macOS: - introduced: 10.15.4 - type: - presence: optional - content: The file-system path of the command-line tool using the per-app - VPN. diff --git a/mdm/profiles/com.apple.vpn.managed.yaml b/mdm/profiles/com.apple.vpn.managed.yaml deleted file mode 100644 index cb6b294..0000000 --- a/mdm/profiles/com.apple.vpn.managed.yaml +++ /dev/null 
@@ -1,2025 +0,0 @@
-title: VPN -description: The payload that configures a VPN. -payload: - payloadtype: com.apple.vpn.managed - supportedOS: - iOS: - introduced: '4.0' - multiple: true - supervised: false - allowmanualinstall: true - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: forbidden - macOS: - introduced: '10.7' - multiple: true - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: '17.0' - multiple: true - supervised: false - allowmanualinstall: true - visionOS: - introduced: '1.0' - multiple: true - supervised: false - allowmanualinstall: true - userenrollment: - mode: forbidden - watchOS: - introduced: n/a -payloadkeys: -- key: VPNType - title: Type - type: - presence: required - rangelist: - - VPN - - L2TP - - IPSec - - IKEv2 - - AlwaysOn - - TransparentProxy - content: |- - The type of the VPN, which defines which settings are appropriate for this VPN payload. - - If the type is `VPN` or `TransparentProxy`, then the system requires a value for `VPNSubType`. - - `TransparentProxy` is only available in macOS. `L2TP` and `IPSec` aren't available in tvOS. `AlwaysOn` is only available on iOS and Apple Watch pairing isn't supported with `AlwaysOn`. For a previously paired Apple Watch, all phone-watch communications cease when `AlwaysOn` is enabled. Not available in watchOS. -- key: VPNSubType - title: VPN Subtype - type: - presence: optional - content: |- - An identifier for a vendor-specified configuration dictionary when the value for `VPNType` is `VPN`. - - If `VPNType` is `VPN`, the system requires this field. If the configuration targets a VPN solution that uses a VPN plugin, then this field contains the bundle identifier of the plugin. 
Here are some examples: - - - Cisco AnyConnect: `com.cisco.anyconnect.applevpn.plugin` - - Juniper SSL: `net.juniper.sslvpn` - - F5 SSL: `com.f5.F5-Edge-Client.vpnplugin` - - SonicWALL Mobile Connect: `com.sonicwall.SonicWALL-SSLVPN.vpnplugin` - - ``Aruba VIA: `com.arubanetworks.aruba-via.vpnplugin` - - If the configuration targets a VPN solution that uses a network extension provider, then this field contains the bundle identifier of the app that contains the provider. Contact the VPN solution vendor for the value of the identifier. - - If `VPNType` is `IKEv2`, then the `VPNSubType` field is optional and reserved for future use. If it's specified, it needs to contain an empty string. - - Not available in watchOS. -- key: UserDefinedName - title: User Defined Name - type: - presence: required - content: The description of the VPN connection that the system displays on the device. - Not available in watchOS. -- key: VendorConfig - title: Vendor Configuration Dictionary - type: - presence: optional - content: The vendor-specific configuration dictionary, which the system reads only - when `VPNSubType` has a value. Not available in watchOS. - subkeys: - - key: Realm - title: Realm - type: - presence: optional - content: The Kerberos realm name, which needs to be properly capitalized. Valid - only for Juniper SSL and Pulse Secure. Not available in watchOS. - - key: Role - title: Role - type: - presence: optional - content: The role to select when connecting to the server. Valid only for Juniper - SSL and Pulse Secure. Not available in watchOS. - - key: Group - title: Group - type: - presence: optional - content: The group to connect to on the head end. Valid for Cisco AnyConnect and - Cisco Legacy AnyConnect. Not available in watchOS. - - key: LoginGroupOrDomain - title: Login Group or Domain - type: - presence: optional - content: The login group or domain. Valid only for SonicWALL Mobile Connect. Not - available in watchOS. 
-- key: VPN - title: VPN - type: - presence: optional - content: The dictionary to use when `VPNType` is `VPN`. - subkeys: - - key: AuthName - title: Account Username - type: - presence: optional - content: The VPN account username. - - key: AuthPassword - title: Account Password - type: - presence: optional - content: The VPN account password. Only use this if `AuthenticationMethod` is - set to `Password`. - - key: RemoteAddress - title: RemoteAddress - type: - presence: required - content: The IP address or hostname of the VPN server. - - key: AuthenticationMethod - title: Authentication Method - type: - presence: optional - rangelist: - - Password - - Certificate - - Password+Certificate - default: Password - content: The authentication method to use. - - key: PayloadCertificateUUID - title: Certificate UUID - type: - presence: optional - content: The UUID of the certificate payload within the same profile to use for - account credentials. - - key: ProviderBundleIdentifier - title: Provider Bundle Identifier - type: - presence: optional - content: The bundle identifier for the VPN provider. Not available in watchOS. - - key: ProviderDesignatedRequirement - title: Provider Designated Requirement - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.15' - visionOS: - introduced: n/a - type: - presence: optional - content: If the VPN provider is implemented as a system extension, this field - is required. Not available in watchOS. - - key: DisconnectOnIdle - title: Enable Disconnect on Idle - type: - presence: optional - rangelist: - - 0 - - 1 - default: 0 - content: If `1`, disconnects after an on-demand connection idles. - - key: DisconnectOnIdleTimer - title: Disconnect on Idle time - type: - presence: optional - content: The length of time to wait, in seconds, before disconnecting an on-demand - connection. In watchOS, the maximum allowed value is `15`. 
- - key: ProviderType - type: - presence: optional - rangelist: - - packet-tunnel - - app-proxy - default: packet-tunnel - content: The type of VPN service. If the value is `app-proxy`, the service tunnels - traffic at the app level. If the value is `packet-tunnel`, the service tunnels - traffic at the IP layer. Not available in watchOS. - - key: IncludeAllNetworks - title: Include All Networks - supportedOS: - iOS: - introduced: '14.0' - macOS: - introduced: '10.15' - tvOS: - introduced: n/a - type: - presence: optional - rangelist: - - 0 - - 1 - default: 0 - content: |- - If `1``, routes all traffic through the VPN, with some exclusions. Several of the exclusions can be controlled with the `ExcludeLocalNetworks`, `ExcludeCellularServices`, `ExcludeAPNs` and `ExcludeDeviceCommunication` properties. The following traffic is always excluded from the tunnel: - - - Traffic necessary for connecting and maintaining the device's network connection, such as DHCP. - - Traffic necessary for connecting to captive networks. - - Certain cellular services traffic that is not routable over the internet and is instead directly routed to the cellular network. See the ExcludeCellularServices property for more details. - - Network communication with a companion device such as a watchOS device. - - Not available in watchOS. - - key: EnforceRoutes - title: Enforce Routes - supportedOS: - iOS: - introduced: '14.2' - macOS: - introduced: '11.0' - type: - presence: optional - rangelist: - - 0 - - 1 - default: 0 - content: |- - If `1`, all the VPN's non-default routes take precedence over any locally defined routes. - - If `IncludeAllNetworks` is `1`, the system ignores the value of `EnforceRoutes`. - - Available in iOS 14.2 and later, and macOS 11 and later. Not available in watchOS. 
- - key: ExcludeLocalNetworks - title: Exclude Local Networks - supportedOS: - iOS: - introduced: '14.2' - macOS: - introduced: '10.15' - tvOS: - introduced: n/a - type: - presence: optional - rangelist: - - 0 - - 1 - content: If `1` and `IncludeAllNetworks` is `1`, routes all local network traffic - outside the VPN. Not available in watchOS. - - key: ExcludeCellularServices - title: Exclude Cellular Services - supportedOS: - iOS: - introduced: '16.4' - macOS: - introduced: '13.3' - tvOS: - introduced: n/a - type: - presence: optional - rangelist: - - 0 - - 1 - default: 1 - content: If `1` and `IncludeAllNetworks` is `1`, then the system excludes internet-routable - network traffic for cellular services (VoLTE, Wi-Fi Calling, IMS, MMS, Visual - Voicemail, etc.) from the tunnel. Note that some cellular carriers route cellular - services traffic directly to the carrier network, bypassing the internet. Such - cellular services traffic is always excluded from the tunnel. Not available - in watchOS. - - key: ExcludeAPNs - title: Exclude APNs - supportedOS: - iOS: - introduced: '16.4' - macOS: - introduced: '13.3' - tvOS: - introduced: n/a - type: - presence: optional - rangelist: - - 0 - - 1 - default: 1 - content: If `1` and `IncludeAllNetworks` is `1`, then the system excludes the - network traffic for the Apple Push Notification service (APNs) from the tunnel. - Not available in watchOS. - - key: ExcludeDeviceCommunication - title: Exclude Device Communication - supportedOS: - iOS: - introduced: '17.4' - macOS: - introduced: '14.4' - tvOS: - introduced: n/a - visionOS: - introduced: '1.1' - type: - presence: optional - rangelist: - - 0 - - 1 - default: 1 - content: If set to `1` and `IncludeAllNetworks` is set to `1`, the device excludes - network traffic used for communicating with devices connected via USB or Wi-Fi - from the tunnel. 
- - key: OnDemandEnabled - title: Enable VPN On Demand - type: - presence: optional - rangelist: - - 0 - - 1 - default: 0 - content: If `1`, enables VPN On Demand. - - key: OnDemandUserOverrideDisabled - title: Prevent users from toggling VPN On Demand - supportedOS: - iOS: - introduced: '14.0' - macOS: - introduced: n/a - type: - presence: optional - rangelist: - - 0 - - 1 - default: 0 - content: If `1`, the Connect On Demand toggle in Settings is disabled for this - configuration. Available in iOS 14 and later. Not available in watchOS. - - key: OnDemandMatchDomainsAlways - title: On Demand Match Domains Always - supportedOS: - iOS: - deprecated: '7.0' - type: - presence: optional - content: |- - A list of domain names. The system treats associated domain names as though they're associated with the `OnDemandMatchDomainsOnRetry` key. This behavior can be overridden by `OnDemandRules`. - - In iOS 7 and later, this key is deprecated (but still supported) in favor of `EvaluateConnection` actions in the `OnDemandRules` dictionaries. - - Not available in watchOS. - subkeytype: MatchDomainAlwaysElement - subkeys: &id001 - - key: MatchDomainAlwaysElement - title: Match Domain Always Element - type: - - key: OnDemandMatchDomainsNever - title: On Demand Match Domains Never - supportedOS: - iOS: - deprecated: '7.0' - type: - presence: optional - content: |- - A list of domain names. If the host name ends with one of these domain names, the system doesn't start the VPN automatically. The system uses this value to exclude a subdomain within an included domain. - - In iOS 7 and later, this key is deprecated (but still supported) in favor of `EvaluateConnection` actions in the `OnDemandRules` dictionaries. - - Not available in watchOS. 
- subkeytype: MatchDomainNeverElement - subkeys: &id002 - - key: MatchDomainNeverElement - title: Match Domain Never Element - type: - - key: OnDemandMatchDomainsOnRetry - title: On Demand Match Domains On Retry - supportedOS: - iOS: - deprecated: '7.0' - type: - presence: optional - content: |- - A list of domain names. If the host name ends with one of these domain names and a DNS query for that domain name fails, the system starts the VPN automatically. - - In iOS 7 and later, this key is deprecated (but still supported) in favor of `EvaluateConnection` actions in the `OnDemandRules` dictionaries. - - Not available in watchOS. - subkeytype: MatchDomainOnRetryElement - subkeys: &id003 - - key: MatchDomainOnRetryElement - title: Match Domain On Retry Element - type: - - key: OnDemandRules - title: On Demand Rules - type: - presence: optional - content: An array of dictionaries defining On Demand Rules. - subkeytype: OnDemandRulesElement - subkeys: &id004 - - key: OnDemandRulesElement - title: On Demand Rules Element - type: - subkeys: - - key: Action - title: On Demand Action - type: - presence: required - rangelist: - - Allow - - Connect - - Disconnect - - EvaluateConnection - - Ignore - content: |- - The action to take if this dictionary matches the current network. Possible values are: - - `Allow`: Deprecated. Allow VPN On Demand to connect if triggered. - - `Connect`: Unconditionally initiate a VPN connection on the next network attempt. - - `Disconnect`: Tear down the VPN connection and don't reconnect on demand as long as this dictionary matches. - - `EvaluateConnection`: Evaluate the ActionParameters array for each connection attempt. - - `Ignore`: Leave any existing VPN connection up, but don't reconnect on demand as long as this dictionary matches. - Only the `Disconnect` action is available on watchOS 10 and later. 
- - key: ActionParameters - title: Action Parameters - type: - presence: optional - content: An array of dictionaries that provides rules similar to the `OnDemandRules` - dictionary, but evaluated on each connection instead of when the network - changes. This value is only for use with dictionaries in which the `Action` - value is `EvaluateConnection`. The system evaluates these dictionaries in - order and the first dictionary that matches determines the behavior. Not - available in watchOS. - subkeys: - - key: ActionParameter - title: Action Parameter - type: - presence: optional - content: |- - A dictionary that provides rules similar to the OnDemandRules dictionary, but evaluated on each connection instead of when the network changes. These dictionaries are evaluated in order, and the behavior is determined by the first dictionary that matches. - The keys allowed in each dictionary are described below. Note: This array is used only for dictionaries in which EvaluateConnection is the Action value. - subkeys: - - key: Domains - title: Domains - type: - presence: required - content: The domains to apply this evaluation. - subkeys: - - key: DomainsElement - title: Domains Element - type: - - key: DomainAction - title: Domain Action - type: - presence: required - rangelist: - - ConnectIfNeeded - - NeverConnect - content: |- - Defines the VPN behavior for the specified domains. Allowed values are: - * 'ConnectIfNeeded': The specified domains should trigger a VPN connection attempt if domain name resolution fails, such as when the DNS server indicates that it can't resolve the domain, responds with a redirection to a different server, or fails to respond (timeout). - * 'NeverConnect': The specified domains should never trigger a VPN connection attempt. - - key: RequiredDNSServers - title: Required DNS Servers - type: - presence: optional - content: |- - An array of IP addresses of DNS servers to use for resolving the specified domains. 
These servers don't need to be part of the device's current network configuration. If these DNS servers aren't reachable, the system establishes a VPN connection. These DNS servers need to be either internal DNS servers or trusted external DNS servers. - This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'. - subkeys: - - key: RequiredDNSServersElement - title: Required DNS Servers Element - type: - - key: RequiredURLStringProbe - title: Required URL String Probe - type: - presence: optional - content: |- - An HTTP or HTTPS (preferred) URL to probe, using a GET request. If the URL's hostname can't be resolved, if the server is unreachable, or if the server doesn't respond with a 200 HTTP status code, a VPN connection is established in response. - This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'. - - key: DNSDomainMatch - title: DNS Domain Match - type: - presence: optional - content: |- - An array of domain names. This rule matches if any of the domain names in the specified list matches any domain in the device's search domains list. - The system supports a wildcard (`*`) prefix. For example, `*.example.com` matches against either `mydomain.example.com` or `yourdomain.example.com`. - subkeys: - - key: DNSDomainMatchElement - title: DNS Domain Match Element - type: - - key: DNSServerAddressMatch - title: DNS Server Address Match - type: - presence: optional - content: |- - An array of IP addresses. This rule matches if any of the network's specified DNS servers match any entry in the array. - The system supports matching with a single wildcard. For example, `17.*` matches any DNS server in the `17.0.0.0/8` subnet. - subkeys: - - key: DNSServerAddressMatchElement - title: DNS Server Address Match Element - type: - - key: InterfaceTypeMatch - title: Interface Type Match - type: - presence: optional - rangelist: - - Ethernet - - WiFi - - Cellular - content: An interface type. 
If specified, this rule matches only if the primary - network interface hardware matches the specified type. - - key: SSIDMatch - title: SSID Match - type: - presence: optional - content: |- - An array of SSIDs to match against the current network. If the network isn't a Wi-Fi network or if the SSID doesn't appear in this array, the match fails. - Omit this key and the corresponding array to match against any SSID. - subkeys: - - key: SSIDMatchElement - title: SSID Match Element - type: - - key: URLStringProbe - title: URL String Probe - type: - presence: optional - content: A URL to probe. This rule matches when this URL is successfully fetched - (returns a `200` HTTP status code) without redirection. Not available in - watchOS. -- key: IPv4 - title: IPv4 Settings - supportedOS: - tvOS: - introduced: n/a - type: - presence: optional - content: The dictionary that contains IPv4 settings. Not available in watchOS. - subkeys: - - key: OverridePrimary - title: Override Primary Connection - type: - presence: optional - rangelist: - - 0 - - 1 - default: 0 - content: If `1`, the system sends all network traffic over VPN. Only applies to - Cisco IPsec and L2TP VPN types. -- key: PPP - title: PPP - supportedOS: - tvOS: - introduced: n/a - type: - presence: optional - content: The dictionary to use when `VPNType` is `L2TP` or `PTPP`. Not available - in watchOS. - subkeys: - - key: AuthName - title: Account Username - type: - presence: optional - content: The VPN account user name. This key is for use with L2TP and PPTP networks. - - key: AuthPassword - title: Account Password - type: - presence: optional - content: If `TokenCard` is `1`, use this password for authentication. This key - is for use with L2TP and PPTP networks. - - key: TokenCard - title: Use Token Card - type: - presence: optional - rangelist: - - 0 - - 1 - default: 0 - content: If `1`, uses a token card such as an RSA SecurID card for connecting. - This key is for use with L2TP networks. 
- - key: CommRemoteAddress - title: Remote Address - type: - presence: optional - content: The IP address or host name of VPN server. This key is for use with L2TP - and PPTP networks. - - key: AuthEAPPlugins - title: EAP Plugins - type: - presence: optional - content: 'An array of authentication plugins. For use of RSA SecurID, this array - should only have one value: `EAP-RSA`. This key is for use with L2TP and PPTP - networks.' - subkeys: - - key: EAPPluginElement - title: EAP Plugin - type: - rangelist: - - EAP-RSA - - EAP-TLS - - EAP-KRB - repetition: - min: 1 - max: 1 - - key: AuthProtocol - title: Protocol - type: - presence: optional - content: An array of authentication protocols. For use of RSA SecurID, this array - should have one value, `EAP`. This key is for use with L2TP and PPTP networks. - subkeys: - - key: AuthProtocolElement - title: Auth Protocol - type: - rangelist: - - EAP - repetition: - min: 1 - max: 1 - - key: CCPMPPE40Enabled - title: Enable CCPMPPE40 - type: - presence: optional - rangelist: - - 0 - - 1 - content: If `1` and `CCPEnabled` is also `1`, enables CCPMPPE128 encryption. - - key: CCPMPPE128Enabled - title: Enable CCPMPPE128 - type: - presence: optional - rangelist: - - 0 - - 1 - content: If `1` and `CCPEnabled` is also `1`, enables CCPMPPE40 encryption. - - key: CCPEnabled - title: Enable CCP - type: - presence: optional - rangelist: - - 0 - - 1 - content: If `1`, enables encryption on the connection. This key is for use with - PPTP networks. - - key: DisconnectOnIdle - title: Enable Disconnect on Idle - type: - presence: optional - rangelist: - - 0 - - 1 - default: 0 - content: If `1`, disconnects after an on demand connection idles. 
- - key: DisconnectOnIdleTimer - title: Disconnect on Idle time - type: - presence: optional - content: The length of time to wait before disconnecting an on demand connection -- key: IPSec - title: IPSec Settings - supportedOS: - tvOS: - introduced: n/a - type: - presence: optional - content: The dictionary that contains IPSec settings. Not available in watchOS. - subkeys: - - key: RemoteAddress - title: Remote Address - type: - presence: optional - content: The IP address or host name of the VPN server. - - key: AuthenticationMethod - title: Authentication Method - type: - presence: optional - rangelist: - - SharedSecret - - Certificate - default: SharedSecret - content: The authentication method for L2TP and Cisco IPSec. - - key: XAuthName - title: Username - type: - presence: optional - content: The user name for the VPN account for Cisco IPSec. - - key: XAuthPassword - title: Password - type: - presence: optional - content: The VPN account password for Cisco IPSec. - - key: XAuthEnabled - title: XAUTH Enabled - type: - presence: optional - rangelist: - - 0 - - 1 - content: If `1`, enables Xauth for Cisco IPSec VPNs. - - key: XAuthPasswordEncryption - title: XAUTH Password Encryption - type: - presence: optional - rangelist: - - Prompt - content: A string that either has the value "Prompt" or isn't present. - - key: LocalIdentifier - title: Local Identifier - type: - presence: optional - content: |- - The name of the group. For hybrid authentication, the string needs to end with "hybrid". - - Present only for Cisco IPSec if `AuthenticationMethod` is `SharedSecret`. - - key: LocalIdentifierType - title: Local Identifier Type - type: - presence: optional - rangelist: - - KeyID - default: KeyID - content: Present only if `AuthenticationMethod` is `SharedSecret`. The value is - `KeyID`. The system uses this value for L2TP and Cisco IPSec VPNs. 
- - key: SharedSecret - title: Shared Secret - type: - presence: optional - content: |- - The shared secret for this VPN account. - - Only use this with L2TP and Cisco IPSec VPNs and if the `AuthenticationMethod` key is to `SharedSecret`. - - key: PayloadCertificateUUID - title: Certificate UUID - type: - presence: optional - content: |- - The UUID of the certificate payload within the same profile to use for the account credentials. - - Only use this with Cisco IPSec VPNs and if the `AuthenticationMethod` key is to `Certificate`. - - key: PromptForVPNPIN - title: Prompt for PIN - type: - presence: optional - default: false - content: If `true`, prompts for a PIN when connecting to Cisco IPSec VPNs. - - key: DisconnectOnIdle - title: Enable Disconnect on Idle - type: - presence: optional - rangelist: - - 0 - - 1 - default: 0 - content: If `1`, disconnect after an on-demand connection idles. - - key: DisconnectOnIdleTimer - title: Disconnect on Idle time - type: - presence: optional - content: The length of time to wait before disconnecting an on-demand connection. - - key: OnDemandEnabled - title: Enable VPN On Demand - type: - presence: optional - rangelist: - - 0 - - 1 - default: 0 - content: If `1`, enables bringing the VPN connection up on demand. - - key: OnDemandMatchDomainsAlways - title: On Demand Match Domains Always - supportedOS: - iOS: - deprecated: '7.0' - type: - presence: optional - content: Deprecated. A list of domain names. In iOS 7 and later, if this key is - present, the system treats associated domain names as though they're associated - with the `OnDemandMatchDomainsOnRetry` key. This behavior can be overridden - by `OnDemandRules`. - subkeytype: MatchDomainAlwaysElement - subkeys: *id001 - - key: OnDemandMatchDomainsNever - title: On Demand Match Domains Never - supportedOS: - iOS: - deprecated: '7.0' - type: - presence: optional - content: Deprecated. A list of domain names. 
In iOS 7 and later, this key is deprecated - (but still supported) in favor of `EvaluateConnection` actions in the `OnDemandRules` - dictionaries. - subkeytype: MatchDomainNeverElement - subkeys: *id002 - - key: OnDemandMatchDomainsOnRetry - title: On Demand Match Domains On Retry - supportedOS: - iOS: - deprecated: '7.0' - type: - presence: optional - content: Deprecated. A list of domain names. In iOS 7 and later, this field is - deprecated (but still supported) in favor of `EvaluateConnection` actions in - the `OnDemandRules` dictionaries. - subkeytype: MatchDomainOnRetryElement - subkeys: *id003 - - key: OnDemandRules - title: On Demand Rules - type: - presence: optional - content: The on-demand rules dictionary. - subkeytype: OnDemandRulesElement - subkeys: *id004 -- key: IKEv2 - title: IKEv2 - supportedOS: - watchOS: - introduced: '10.0' - type: - presence: optional - content: The dictionary to use when `VPNType` is `IKEv2`. - subkeys: - - key: RemoteAddress - title: RemoteAddress - type: - presence: required - content: The IP address or host name of the VPN server. - - key: LocalIdentifier - title: LocalIdentifier - type: - presence: required - content: Identifier of the IKEv2 client. - - key: RemoteIdentifier - title: RemoteIdentifier - type: - presence: required - content: The remote identifier. - - key: AuthenticationMethod - title: AuthenticationMethod - type: - presence: required - rangelist: - - None - - SharedSecret - - Certificate - content: |- - The type of authentication method for the VPN. - - To enable EAP-only authentication, set this to `None` and `ExtendedAuthEnabled` to `1`. If this is `None` and the `ExtendedAuthEnabled` key isn't set, the authentication configuration defaults to `SharedSecret`. 
- - key: CertificateType - title: Certificate Type - type: - presence: optional - rangelist: - - RSA - - ECDSA256 - - ECDSA384 - - ECDSA521 - - RSA-PSS - default: RSA - content: The type of `PayloadCertificateUUID` to use for IKEv2 machine authentication. - If this key is included, the system requires a value for `ServerCertificateIssuerCommonName`. - - key: PayloadCertificateUUID - title: PayloadCertificateUUID - type: - presence: optional - content: The UUID of the certificate payload within the same profile to use as - the account credential. If the value of `AuthenticationMethod` is `Certificate`, - the system sends this certificate out for IKEv2 machine authentication. If extended - authentication (EAP) is used, the system sends this certificate out for EAP-TLS - authentication. - - key: Password - title: Account Password - type: - presence: optional - content: The password to use for the account credentials. Only used if `AuthenticationMethod` - is `Password`. - - key: ProviderBundleIdentifier - title: Provider Bundle Identifier - type: - presence: optional - content: If the VPNSubType field contains the bundle identifier of an app that - contains multiple VPN providers of the same type (app-proxy or packet-tunnel), - then the system uses this field to choose which provider to use for this configuration. - If the VPN provider is implemented as a System Extension, then this field is - required. - - key: ProviderDesignatedRequirement - title: Provider Designated Requirement - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.15' - visionOS: - introduced: n/a - type: - presence: optional - content: If the VPN provider is implemented as a System Extension, then this field - is required. Available in macOS 10.15 and later, tvOS 17 and later, and watchOS - 10 and later. - - key: SharedSecret - title: SharedSecret - type: - presence: optional - content: If `AuthenticationMethod` is `SharedSecret`, this value is used for IKE - authentication. 
- - key: ExtendedAuthEnabled - title: ExtendedAuthEnabled - type: - presence: optional - rangelist: - - 0 - - 1 - default: 0 - content: If `1`, enables EAP-only authentication. - - key: AuthName - title: AuthName - type: - presence: optional - content: The user name to use for authentication. - - key: AuthPassword - title: AuthPassword - type: - presence: optional - content: The password to use for authentication. - - key: OnDemandEnabled - title: Enable VPN On Demand - type: - presence: optional - rangelist: - - 0 - - 1 - default: 0 - content: If `1`, enables VPN up on demand. - - key: OnDemandUserOverrideDisabled - title: Prevent users from toggling VPN On Demand - supportedOS: - iOS: - introduced: '14.0' - macOS: - introduced: n/a - type: - presence: optional - rangelist: - - 0 - - 1 - default: 0 - content: If `1`, the system disables the Connect On Demand toggle in Settings - for this configuration. - - key: OnDemandRules - title: On Demand Rules - type: - presence: optional - content: A list of rules that determine when and how to use an OnDemand VPN. - subkeytype: OnDemandRulesElement - subkeys: *id004 - - key: DeadPeerDetectionRate - title: Dead Peer Detection Rate - supportedOS: - watchOS: - introduced: n/a - type: - presence: optional - rangelist: - - None - - Low - - Medium - - High - default: Medium - content: |- - One of the following: - - - `None`: No keepalive. - - `Low`: Send keepalive every 30 minutes. - - `Medium`: Send keepalive every 10 minutes. - - `High`: Send keepalive every 1 minute. - - Not available in watchOS. - - key: ServerCertificateIssuerCommonName - title: ServerCertificateIssuerCommonName - type: - presence: optional - content: Common Name of the server certificate issuer. If set, this field causes - IKE to send a certificate request based on this certificate issuer to the server. - This key is required if the `CertificateType` key is included and the `ExtendedAuthEnabled` - key is `1`. 
- - key: ServerCertificateCommonName - title: ServerCertificateCommonName - type: - presence: optional - content: The common name of the server certificate. The system uses this name - to validate the certificate sent by the IKE server. If not set, the system uses - the remote identifier to validate the certificate. - - key: TLSMinimumVersion - title: TLS Minimum Version - supportedOS: - iOS: - introduced: '11.0' - macOS: - introduced: '10.13' - type: - presence: optional - rangelist: - - '1.0' - - '1.1' - - '1.2' - default: '1.0' - content: The minimum TLS version to use with EAP-TLS authentication. - - key: TLSMaximumVersion - title: TLS Maximum Version - supportedOS: - iOS: - introduced: '11.0' - macOS: - introduced: '10.13' - type: - presence: optional - rangelist: - - '1.0' - - '1.1' - - '1.2' - default: '1.2' - content: The maximum TLS version to use with EAP-TLS authentication. - - key: UseConfigurationAttributeInternalIPSubnet - title: Use IPv4 / IPv6 Internal Subnet Attributes - supportedOS: - iOS: - introduced: '9.0' - type: - presence: optional - rangelist: - - 0 - - 1 - default: 0 - content: If `1`, negotiations should use IKEv2 Configuration Attribute `INTERNAL_IP4_SUBNET` - and `INTERNAL_IP6_SUBNET`. - - key: DisableMOBIKE - title: Disable Mobility and Multihoming - supportedOS: - iOS: - introduced: '9.0' - type: - presence: optional - rangelist: - - 0 - - 1 - default: 0 - content: If `1`, the system disables MOBIKE. - - key: DisableRedirect - title: Disable Redirect - supportedOS: - iOS: - introduced: '9.0' - type: - presence: optional - rangelist: - - 0 - - 1 - default: 0 - content: If `1`, the system disables IKEv2 redirect. If not set, the system redirects - an IKEv2 connection when it receives a redirect request from the server. 
- - key: DisconnectOnIdle - title: Enable Disconnect on Idle - type: - presence: optional - rangelist: - - 0 - - 1 - default: 0 - content: If `1`, the VPN disconnects automatically after a period defined by `DisconnectOnIdleTimer`. - - key: DisconnectOnIdleTimer - title: Disconnect on Idle time - type: - presence: optional - content: Only used if `DisconnectOnIdle` is `1`. The number of seconds before - the VPN disconnects. On watchOS, maximum allowed value is 15 seconds - - key: NATKeepAliveOffloadEnable - title: NAT Keep Alive Offload Enable - supportedOS: - iOS: - introduced: '9.0' - type: - presence: optional - rangelist: - - 0 - - 1 - default: 1 - content: |- - If `1`, enables NAT keepalive offload for Always On VPN IKEv2 connections. The device sends keepalive packets to maintain NAT mappings for IKEv2 connections that have a NAT on the path. It sends keepalive packets at regular intervals when the device is awake. If `NATKeepAliveOffloadEnable` is `1`, the system offloads keepalive packets to hardware while the device is asleep. - - NAT keepalive offload has an impact on the battery life due to the extra workload during sleep. The default interval for the keepalive offload packets is 20 seconds over Wi-Fi and 110 seconds over Cellular interface. The default NAT keepalive works well on networks with small NAT mapping timeouts but imposes a potential battery impact. If a network has larger NAT mapping timeouts, larger keepalive intervals may be safely used to minimize battery impact. Modify the keepalive interval through the `NATKeepAliveInterval` key. - - key: NATKeepAliveInterval - title: NAT Keepalive Interval - supportedOS: - iOS: - introduced: '9.0' - type: - presence: optional - default: 20 - content: The NAT Keepalive interval for Always On VPN IKEv2 connections. This - value controls the interval that the device sends keepalive offload packets. - The minimum value is 20 seconds. 
If no key is specified, the default is 20 seconds - over Wi-Fi and 110 seconds over a cellular interface. - - key: EnablePFS - title: Enable perfect forward secrecy - supportedOS: - iOS: - introduced: '9.0' - type: - presence: optional - rangelist: - - 0 - - 1 - default: 0 - content: If `1`, enables Perfect Forward Secrecy (PFS) for IKEv2 Connections. - - key: EnableCertificateRevocationCheck - title: Enable certificate revocation check - supportedOS: - iOS: - introduced: '9.0' - type: - presence: optional - rangelist: - - 0 - - 1 - default: 0 - content: If `1`, the system performs a certificate revocation check for IKEv2 - connections. This is a best-effort revocation check and server response timeouts - won't cause it to fail. - - key: EnableFallback - title: Enable fallback - supportedOS: - iOS: - introduced: '13.0' - macOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - rangelist: - - 0 - - 1 - default: 0 - content: |- - If `1`, the system enables a tunnel over cellular data to carry traffic that's eligible for Wi-Fi Assist and also requires VPN. - - Enabling fallback requires that the server support multiple tunnels for a single user. - - This field is available in iOS 13 and later, and tvOS 17 and later. Not available in watchOS. - - key: MTU - title: Maximum Transmission Unit - supportedOS: - iOS: - introduced: '14.0' - macOS: - introduced: '11.0' - type: - presence: optional - range: - min: 1280 - max: 1400 - default: 1280 - content: The Maximum Transmission Unit (MTU) specifies the maximum size in bytes - of each packet that the system sends over the IKEv2 VPN interface. Available - in iOS 14 and later, and macOS 11 and later. - - key: ProviderType - type: - presence: optional - rangelist: - - packet-tunnel - - app-proxy - default: packet-tunnel - content: If the value of this key is `app-proxy`, the VPN service tunnels traffic - at the application layer. 
If the value of this key is `packet-tunnel`, the VPN - service tunnels traffic at the IP layer. - - key: IncludeAllNetworks - title: Include All Networks - supportedOS: - iOS: - introduced: '14.0' - macOS: - introduced: '10.15' - tvOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - rangelist: - - 0 - - 1 - default: 0 - content: |- - If `1`, then the system routes all network traffic through the VPN, with some controllable exclusions, such as `ExcludeLocalNetworks`, `ExcludeCellularServices`, and `ExcludeAPNs` properties. The system always excludes the following traffic from the tunnel: - - - Traffic necessary for connecting and maintaining the device's network connection, such as DHCP. - - Traffic necessary for connecting to captive networks. - - Certain cellular services traffic that's not routable over the internet and is instead directly routed to the cellular network. See the `ExcludeCellularServices` field for more information. - - Network communication with a companion device such as a watchOS device. - - key: EnforceRoutes - title: Enforce Routes - supportedOS: - iOS: - introduced: '14.2' - macOS: - introduced: '11.0' - watchOS: - introduced: n/a - type: - presence: optional - rangelist: - - 0 - - 1 - default: 0 - content: If `1`, all the VPN's non-default routes take precedence over any locally-defined - routes. If `IncludeAllNetworks` is `1`, the system ignores `EnforceRoutes`. - - key: ExcludeLocalNetworks - title: Exclude Local Networks - supportedOS: - iOS: - introduced: '14.2' - macOS: - introduced: '10.15' - tvOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - rangelist: - - 0 - - 1 - content: If `1` and either `IncludeAllNetworks` or `EnforceRoutes` are `1`, then - the system routes local network traffic outside of the VPN. The default for - this value is `0` on macOS and `1` on iOS. 
- - key: ExcludeCellularServices - title: Exclude Cellular Services - supportedOS: - iOS: - introduced: '16.4' - macOS: - introduced: '13.3' - tvOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - rangelist: - - 0 - - 1 - default: 1 - content: If `1` and `IncludeAllNetworks` is `1`, the system excludes internet-routable - network traffic for cellular services (VoLTE, Wi-Fi Calling, IMS, MMS, Visual - Voicemail, etc.) from the tunnel. Note that some cellular carriers route cellular - services traffic directly to the carrier network, bypassing the internet. Such - cellular services traffic is always excluded from the tunnel. - - key: ExcludeAPNs - title: Exclude APNs - supportedOS: - iOS: - introduced: '16.4' - macOS: - introduced: '13.3' - tvOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - rangelist: - - 0 - - 1 - default: 1 - content: If `1` and `IncludeAllNetworks` is `1`, the system excludes network traffic - for the Apple Push Notification service (APNs) from the tunnel. - - key: ExcludeDeviceCommunication - title: Exclude Device Communication - supportedOS: - iOS: - introduced: '17.4' - macOS: - introduced: '14.4' - tvOS: - introduced: n/a - visionOS: - introduced: '1.1' - watchOS: - introduced: n/a - type: - presence: optional - rangelist: - - 0 - - 1 - default: 1 - content: If set to `1` and `IncludeAllNetworks` is set to `1`, the device excludes - network traffic used for communicating with devices connected via USB or Wi-Fi - from the tunnel. - - key: PPK - title: Post-quantum Pre-shared Key - supportedOS: - iOS: - introduced: '18.0' - macOS: - introduced: '15.0' - tvOS: - introduced: '18.0' - visionOS: - introduced: '2.0' - watchOS: - introduced: '11.0' - type: - presence: optional - content: The Post-quantum Pre-shared key (PPK) the device uses for this VPN. This - key is is used with VPN servers that support RFC 8784. If this key is present - `PPKIdentifier` must also be present. 
- - key: PPKIdentifier - title: Post-quantum Pre-shared Key Identifier - supportedOS: - iOS: - introduced: '18.0' - macOS: - introduced: '15.0' - tvOS: - introduced: '18.0' - visionOS: - introduced: '2.0' - watchOS: - introduced: '11.0' - type: - presence: optional - content: The identifier for the Post-quantum Pre-shared key (PPK) the device uses - for this VPN. This key is is used with VPN servers that support RFC 8784. If - this key is present `PPK` must also be present. - - key: PPKMandatory - title: Post-quantum Pre-shared Key Mandatory - supportedOS: - iOS: - introduced: '18.0' - macOS: - introduced: '15.0' - tvOS: - introduced: '18.0' - visionOS: - introduced: '2.0' - watchOS: - introduced: '11.0' - type: - presence: optional - rangelist: - - 0 - - 1 - default: 1 - content: If set to `1`, the VPN doesn't establish a connection if the server doesn't - support RFC 8784 or doesn't accept the PPK identifier specified in `PPKIdentifier`. - The device ignores this key if `PPK` and `PPKIdentifier` are not present. - - key: AllowPostQuantumKeyExchangeFallback - title: Allow Post-quantum Key Exchange Fallback - supportedOS: - iOS: - introduced: '26.0' - macOS: - introduced: '26.0' - tvOS: - introduced: '26.0' - visionOS: - introduced: '26.0' - watchOS: - introduced: '26.0' - type: - presence: optional - rangelist: - - 0 - - 1 - default: 0 - content: If set to `0`, the VPN doesn't establish a connection if the server does - not support or doesn't allow post-quantum key exchanges. Thd device ignores - this key if `PostQuantumKeyExchangeMethods` is not present in `IKESecurityAssociationParameters` - or `ChildSecurityAssociationParameters`. 
- - key: EnforceStrictAlgorithmSelection - title: Enforce Strict Algorithm Selection - supportedOS: - iOS: - introduced: '18.5' - macOS: - introduced: '15.5' - tvOS: - introduced: '18.5' - visionOS: - introduced: '2.5' - watchOS: - introduced: '11.5' - type: - presence: optional - rangelist: - - 0 - - 1 - default: 0 - content: If set to `1`, the device doesn't allow DES, 3DES, and Diffie-Hellman - groups less than 14. Also the device requires the encryption algorithm specified - for the IKE SA to be at least as cryptographically strong as the algorithm specified - for the child SA. The device rejects this profile payload if these requirements - are not met. - - key: IKESecurityAssociationParameters - title: IKESecurityAssociationParameters - type: - presence: optional - content: These parameters apply to Child Security Association unless `ChildSecurityAssociationParameters` - is specified. - subkeytype: SecurityAssociationParameters - subkeys: &id005 - - key: EncryptionAlgorithm - title: EncryptionAlgorithm - type: - presence: optional - rangelist: - - DES - - 3DES - - AES-128 - - AES-256 - - AES-128-GCM - - AES-256-GCM - - ChaCha20Poly1305 - default: AES-256 - content: |- - The encryption algorithm. - - In watchOS and tvOS, the default value is `AES-256-GCM`. - `DES` and `3DES` are available only in iOS, macOS, and visionOS prior to iOS 26, macOS 26, and visionOS 26. - - key: IntegrityAlgorithm - title: IntegrityAlgorithm - type: - presence: optional - rangelist: - - SHA1-96 - - SHA1-160 - - SHA2-256 - - SHA2-384 - - SHA2-512 - default: SHA2-256 - content: |- - The integrity algorithm. - - `SHA1-96` and `SHA1-160` are available only in iOS, macOS, and visionOS prior to iOS 26, macOS 26, and visionOS 26. - - key: DiffieHellmanGroup - title: DiffieHellmanGroup - type: - presence: optional - rangelist: - - 1 - - 2 - - 5 - - 14 - - 15 - - 16 - - 17 - - 18 - - 19 - - 20 - - 21 - - 31 - - 32 - default: 14 - content: |- - The Diffie-Hellman group. 
- - For `AlwaysOn` VPN in iOS 14.2 and later, the minimum allowed value is `14`. - - `1`, `2`, and `5` are available only in iOS, macOS, and visionOS prior to iOS 26, macOS 26, and visionOS 26. - - key: PostQuantumKeyExchangeMethods - title: Post-quantum Key Exchange Methods - supportedOS: - iOS: - introduced: '26.0' - macOS: - introduced: '26.0' - tvOS: - introduced: '16.0' - visionOS: - introduced: '26.0' - watchOS: - introduced: '26.0' - type: - presence: optional - content: An array of strings representing postquantum key exchange methods the - device uses during SA establishment and rekey. You can specify up to seven - items, which correspond to ADDKE1 - ADDKE7 from RFC 9370. - subkeys: - - key: PostQuantumKeyExchangeMethod - title: Post-quantum Key Exchange Method - type: - rangelist: - - 0 - - 36 - - 37 - - key: LifeTimeInMinutes - title: LifeTimeInMinutes - type: - presence: optional - range: - min: 10 - max: 1440 - default: 1440 - content: The SA lifetime (rekey interval) in minutes. - - key: ChildSecurityAssociationParameters - title: ChildSecurityAssociationParameters - type: - presence: optional - content: The `ChildSecurityAssociationParameters` dictionaries. - subkeytype: SecurityAssociationParameters - subkeys: *id005 -- key: DNS - title: DNS - supportedOS: - watchOS: - introduced: '10.0' - type: - presence: optional - content: A dictionary to use for all VPN types. - subkeys: - - key: DNSProtocol - title: DNS Protocol - supportedOS: - iOS: - introduced: '14.0' - macOS: - introduced: '11.0' - type: - presence: required - rangelist: - - Cleartext - - HTTPS - - TLS - content: The transport protocol to communicate with the DNS server. - - key: ServerURL - title: Server URL - supportedOS: - iOS: - introduced: '14.0' - macOS: - introduced: '11.0' - type: - presence: optional - content: The URI template of a DNS-over-HTTPS server, as defined in RFC 8484, - which needs to use the `https://` scheme. 
The system uses the hostname or address - in the URL to validate the server certificate. If `ServerAddresses` isn't specified, - the system uses the hostname or address in the URL to determine the server addresses. - This key is required if the `DNSProtocol` is `HTTPS`. - - key: ServerName - title: Server Name - supportedOS: - iOS: - introduced: '14.0' - macOS: - introduced: '11.0' - type: - presence: optional - content: The hostname of a DNS-over-TLS server to validate the server certificate, - as defined in RFC 7858. If `ServerAddresses` isn't specified, the system uses - the hostname to determine the server addresses. This key is required if the - `DNSProtocol` is `TLS`. - - key: ServerAddresses - title: DNS Server Addresses - supportedOS: - iOS: - introduced: '10.0' - macOS: - introduced: '10.12' - type: - presence: required - content: The array of DNS server IP address strings. These IP addresses can be - a mixture of IPv4 and IPv6 addresses. - subkeys: - - key: ServerAddressesElement - title: Server Address Element - type: - - key: SearchDomains - title: DNS Search Domains - supportedOS: - iOS: - introduced: '10.0' - macOS: - introduced: '10.12' - type: - presence: optional - content: The list of domain strings used to fully qualify single-label host names. - subkeys: - - key: SearchDomainsElement - title: Search Domains Element - type: - - key: DomainName - title: Domain Name - supportedOS: - iOS: - introduced: '10.0' - macOS: - introduced: '10.12' - type: - presence: optional - content: The primary domain of the tunnel. - - key: SupplementalMatchDomains - title: Supplemental Match Domains - supportedOS: - iOS: - introduced: '10.0' - macOS: - introduced: '10.12' - type: - presence: optional - content: |- - The list of domain strings used to determine which DNS queries use the DNS resolver settings in `ServerAddresses`. The system uses this key to create a split DNS configuration where it resolves only hosts in certain domains using the tunnel's DNS resolver. 
The system uses the default resolver for hosts that aren't in one of the domains in this list. - - If `SupplementalMatchDomains` contains the empty string it becomes the default domain. - - Split-tunnel configurations can direct all DNS queries to the VPN DNS servers before the primary DNS servers. If the VPN tunnel becomes the network's default route, the servers listed in `ServerAddresses` become the default resolver and the system ignores the `SupplementalMatchDomains` list. - subkeys: &id006 - - key: SupplementalMatchDomainsElement - title: Supplemental Match Domains Element - type: - - key: SupplementalMatchDomainsNoSearch - title: Supplemental Match Domains No Search - supportedOS: - iOS: - introduced: '10.0' - macOS: - introduced: '10.12' - type: - presence: optional - rangelist: - - 0 - - 1 - default: 0 - content: If `0`, append the domains in the `SupplementalMatchDomains` list to - the resolver's list of search domains. - - key: PayloadCertificateUUID - title: DNS Certificate UUID - supportedOS: - iOS: - introduced: '16.0' - macOS: - introduced: '13.0' - type: - presence: optional - format: ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$ - content: That UUID that points to an identity certificate payload. The system - uses this identity to authenticate the user to the DNS resolver. -- key: Proxies - title: Proxies - supportedOS: - watchOS: - introduced: '10.0' - type: - presence: optional - content: The dictionary to use to configure `Proxies` for use with `VPN`. - subkeys: - - key: ProxyAutoConfigEnable - title: Proxy AutoConfig Enable - type: - presence: optional - rangelist: - - 0 - - 1 - content: If `true`, enables automatic proxy configuration. - - key: ProxyAutoDiscoveryEnable - title: Proxy Auto Discovery Enable - type: - presence: optional - rangelist: - - 0 - - 1 - default: 1 - content: If `true`, enables proxy auto discovery. 
- - key: ProxyAutoConfigURLString - title: Proxy Server URL - type: - presence: optional - content: The URL to the location of the proxy auto-configuration file. Used only - when `ProxyAutoConfigEnable` is `true`. - - key: SupplementalMatchDomains - title: Supplemental Match Domains - type: - presence: optional - content: An array of domains that defines which hosts use proxy settings for hosts. - subkeys: *id006 - - key: HTTPEnable - title: Enable HTTP - type: - presence: optional - rangelist: - - 0 - - 1 - default: 0 - content: If `1`, enables proxy for HTTP traffic. - - key: HTTPProxy - title: HTTP Proxy - type: - presence: optional - content: The host name of the HTTP proxy. - - key: HTTPPort - title: HTTP Port - type: - presence: optional - range: - min: 0 - max: 65535 - content: The port number of the HTTP proxy. This field is required if `HTTPProxy` - is specified. - - key: HTTPProxyUsername - title: HTTP ProxyUsername - type: - presence: optional - content: The user name used for authentication. - - key: HTTPProxyPassword - title: HTTP ProxyPassword - type: - presence: optional - content: The password used for authentication. - - key: HTTPSEnable - title: Enable HTTPS - type: - presence: optional - rangelist: - - 0 - - 1 - default: 0 - content: If `true`, enables proxy for HTTPS traffic. - - key: HTTPSProxy - title: HTTPS Proxy - type: - presence: optional - content: The host name of the HTTPS proxy. - - key: HTTPSPort - title: HTTPS Port - type: - presence: optional - range: - min: 0 - max: 65535 - content: The port number of the HTTPS proxy. This field is required if `HTTPSProxy` - is specified. -- key: AlwaysOn - title: AlwaysOn - supportedOS: - iOS: - introduced: '8.0' - macOS: - introduced: n/a - tvOS: - introduced: n/a - type: - presence: optional - content: The dictionary to use when `VPNType` is `AlwaysOn`. Not available in tvOS - or watchOS. 
- subkeys: - - key: UIToggleEnabled - title: UI Toggle Enabled - type: - presence: optional - rangelist: - - 0 - - 1 - default: 0 - content: If `1`, allows the user to disable the VPN configuration. - - key: TunnelConfigurations - title: TunnelConfigurations - type: - presence: required - content: An array that contains an arbitrary number of tunnel configurations. - subkeys: - - key: TunnelConfigurationElement - title: A TunnelConfiguration Element - type: - subkeys: - - key: ProtocolType - title: Protocol Type - type: - presence: required - rangelist: - - IKEv2 - content: The type of connection, which needs to be `IKEv2`. - - key: Interfaces - title: Interfaces - type: - presence: optional - content: The interfaces to apply this configuration to. - subkeys: - - key: InterfacesElement - title: Interfaces Element - type: - rangelist: - - Cellular - - WiFi - - key: ServiceExceptions - title: ServiceExceptions - type: - presence: optional - content: An array that contains an arbitrary number of service exceptions. - subkeys: - - key: ServiceExceptionElement - title: A ServiceException Element - type: - subkeys: - - key: ServiceName - title: Service Name - type: - presence: required - rangelist: - - VoiceMail - - AirPrint - - CellularServices - - DeviceCommunication - content: |- - The name of a service that's exempt from Always On VPN. - - `CellularServices` is available in iOS 11.3 and later; it exempts `VoLTE`, `IMS` and `MMS`. WiFiCalling is exempted in iOS 13.4 and later. - - `DeviceCommunication` is available in iOS 17.4 and later; it exempts network traffic used for communicating with devices connected via USB or Wi-Fi. - - key: Action - title: Action - type: - presence: required - rangelist: - - Allow - - Drop - content: The action to take with network connections from the named service. 
- - key: ApplicationExceptions - title: ApplicationExceptions - supportedOS: - iOS: - introduced: '13.6' - type: - presence: optional - content: An array that contains an arbitrary number of apps whose connections - occur outside the VPN. - subkeys: - - key: ApplicationExceptionElement - title: A ApplicationException Element - type: - subkeys: - - key: BundleIdentifier - title: Bundle Identifier - type: - presence: required - content: The app's bundle identifier. - - key: LimitToProtocols - title: LimitToProtocols - type: - presence: optional - content: Limit the exception to only the specified list of protocols, with - support for `UDP` only. - subkeys: - - key: LimitToProtocolElement - title: LimitToProtocol Element - type: - rangelist: - - UDP - - key: AllowCaptiveWebSheet - title: Allow Captive Web Sheet - type: - presence: optional - rangelist: - - 0 - - 1 - default: 0 - content: If `1`, allows traffic from Captive Web Sheet outside the VPN tunnel. - - key: AllowAllCaptiveNetworkPlugins - title: Allow All Captive Network Plugins - type: - presence: optional - rangelist: - - 0 - - 1 - default: 0 - content: If `1`, allows traffic from all captive networking apps outside the VPN - tunnel to perform captive network handling. - - key: AllowedCaptiveNetworkPlugins - title: AllowedCaptiveNetworkPlugins - type: - presence: optional - content: The array of captive networking apps whose traffic is allowed outside - the VPN tunnel, to perform captive network handling. Used only when `AllowAllCaptiveNetworkPlugins` - is `false`. - subkeys: - - key: AllowedCaptiveNetworkPluginElement - title: An AllowedCaptiveNetworkPlugin Element - type: - subkeys: - - key: BundleIdentifier - title: Bundle Identifier - type: - presence: required - content: The bundle identifier for the app that's allowed on the captive network. 
-- key: TransparentProxy - title: TransparentProxy - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '14.0' - tvOS: - introduced: n/a - visionOS: - introduced: n/a - type: - presence: optional - content: The dictionary to use when `VPNType` is `TransparentProxy`. Available in - macOS 14 and later. - subkeys: - - key: AuthenticationMethod - title: Authentication Method - type: - presence: optional - rangelist: - - Password - - Certificate - - Password+Certificate - default: Password - content: |- - The type of authentication method to use: `Password`, `Certificate`, or `Password+Certificate`. - - Available in macOS 14 and later. - - key: DisconnectOnIdle - title: Enable Disconnect on Idle - type: - presence: optional - rangelist: - - 0 - - 1 - default: 0 - content: |- - If `1`, the VPN disconnects automatically disconnect after a period defined by `DisconnectOnIdleTimer`. - - Available in macOS 14 and later. - - key: DisconnectOnIdleTimer - title: Disconnect on Idle time - type: - presence: optional - content: |- - The number of seconds before the VPN disconnects. This value is only used if `DisconnectOnIdle` is `1`. - - Available in macOS 14 and later. - - key: EnforceRoutes - title: Enforce Routes - type: - presence: optional - rangelist: - - 0 - - 1 - default: 0 - content: |- - If `1`, then all the VPN's non-default routes take precedence over any locally-defined routes. If `IncludeAllNetworks` is `1`, the system ignores the value of `EnforceRoutes`. - - Available in macOS 14 and later. - - key: OnDemandEnabled - title: Enable VPN On Demand - type: - presence: optional - rangelist: - - 0 - - 1 - default: 0 - content: |- - If `1`, the system brings up the VPN on demand. - - Available in macOS 14 and later. - - key: OnDemandRules - title: On Demand Rules - type: - presence: optional - content: |- - Determines when and how the system uses an OnDemand VPN. - - Available in macOS 14 and later. 
- subkeytype: OnDemandRulesElement - subkeys: *id004 - - key: PayloadCertificateUUID - title: PayloadCertificateUUID - type: - presence: optional - content: |- - The UUID of the identity certificate as the account credential. If `AuthenticationMethod` is `Certificate`, and extended authentication (EAP) isn't used, this certificate is sent out for IKE client authentication. If extended authentication is used, this certificate can be used for EAP-TLS. - - Available in macOS 14 and later. - - key: Password - title: Account Password - type: - presence: optional - content: |- - The password to use for the account credentials. Only used if `AuthenticationMethod` is `Password`. - - Available in macOS 14 and later. - - key: ProviderBundleIdentifier - title: Provider Bundle Identifier - type: - presence: optional - content: |- - If the VPNSubType field contains the bundle identifier of an app that contains multiple VPN providers of the same type (app-proxy or packet-tunnel), then the system uses this field to choose which provider to use for this configuration. If the VPN provider is implemented as a System Extension, then this field is required. - - Available in macOS 14 and later. - - key: ProviderDesignatedRequirement - title: Provider Designated Requirement - type: - presence: optional - content: |- - If the VPN provider is implemented as a System Extension, then this field is required. - - Available in macOS 14 and later. - - key: ProviderType - type: - presence: optional - rangelist: - - packet-tunnel - - app-proxy - default: packet-tunnel - content: |- - If the value of this key is `app-proxy`, the VPN service tunnels traffic at the application layer. If the value of this key is `packet-tunnel`, the VPN service tunnels traffic at the IP layer. - - Available in macOS 14 and later. - - key: Order - title: Order - type: - presence: optional - content: |- - A positive integer. - - Available in macOS 14 and later. 
diff --git a/mdm/profiles/com.apple.webClip.managed.yaml b/mdm/profiles/com.apple.webClip.managed.yaml
deleted file mode 100644
index 813a3c8..0000000
--- a/mdm/profiles/com.apple.webClip.managed.yaml
+++ /dev/null
@@ -1,120 +0,0 @@ -title: Web Clip -description: The profile that configures web clips on the device. -payload: - payloadtype: com.apple.webClip.managed - supportedOS: - iOS: - introduced: '4.0' - multiple: true - supervised: false - allowmanualinstall: true - sharedipad: - mode: allowed - devicechannel: false - userchannel: true - userenrollment: - mode: allowed - macOS: - introduced: '10.7' - multiple: true - devicechannel: false - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: allowed - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a -payloadkeys: -- key: Precomposed - title: Precomposed Icon - supportedOS: - macOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system prevents SpringBoard from adding shine to the icon. -- key: FullScreen - title: Full Screen - supportedOS: - macOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system launches the web clip as a full-screen web app. -- key: URL - title: URL - type: - subtype: - presence: required - content: The URL of the web clip. -- key: Icon - title: Icon - type: - presence: optional - content: The PNG icon to show on the Home Screen. If not set, the system displays - a white square. For best results, provide a square image that's no larger than - 400 x 400 pixels and less than 1 MB when uncompressed. The graphics file is automatically - scaled and cropped to fit, if necessary, and converted to PNG format. Web clip - icons are 144 x 144 pixels for iPad devices with a Retina display, and 114 x 114 - pixels for iPhone devices. To prevent the device from adding a shine to the image, - set `Precomposed` to `true`. -- key: IsRemovable - title: Removable - supportedOS: - macOS: - introduced: n/a - type: - presence: optional - default: true - content: If `true`, the system enables removing the web clip. 
-- key: Label - title: Label - type: - presence: required - content: The name of the web clip that the system displays on the Home Screen. -- key: IgnoreManifestScope - title: Ignore Web Clip manifest scope - supportedOS: - iOS: - introduced: '14.0' - macOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, a full screen web clip can navigate to an external web site - without showing Safari UI. Otherwise, Safari UI appears when navigating away from - the web clip's URL. This key has no effect when `FullScreen` is `false`. Available - in iOS 14 and later. -- key: TargetApplicationBundleIdentifier - title: Target Application Bundle Identifier - supportedOS: - iOS: - introduced: '14.0' - allowmanualinstall: false - macOS: - introduced: n/a - type: - presence: optional - content: The application bundle identifier of the application that opens the URL. - To use this property, install the profile through MDM. Available in iOS 14 and - later. -notes: -- title: '' - content: |- - Use this payload to add web clips to the Home Screen of the user's iOS device or to the Dock on a Mac. Web clips provide fast access to favorite webpages. - - For iOS devices, if you prevent the user from removing the web clip, the only way to remove it is to remove the configuration profile that installed it. Also, for iOS devices it must have a display name and an icon URL for the payload to be valid. - - A full-screen web clip on iOS devices opens the URL as a web app without a browser; there's no URL, search bar, or bookmarks. - - For Shared iPad devices, the system supports this payload on the user channel only. diff --git a/mdm/profiles/com.apple.webcontent-filter.yaml b/mdm/profiles/com.apple.webcontent-filter.yaml deleted file mode 100644 index 1337b00..0000000 --- a/mdm/profiles/com.apple.webcontent-filter.yaml +++ /dev/null 
@@ -1,471 +0,0 @@ -title: Web Content Filter -description: The payload that configures web content filters. -payload: - payloadtype: com.apple.webcontent-filter - supportedOS: - iOS: - introduced: '7.0' - multiple: true - supervised: false - allowmanualinstall: true - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: allowed - macOS: - introduced: '10.15' - multiple: true - devicechannel: true - userchannel: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - introduced: '1.1' - multiple: true - supervised: false - allowmanualinstall: true - userenrollment: - mode: allowed - watchOS: - introduced: n/a - content: As of iOS 16.0 and visionOS 1.1, this can be installed on unsupervised - devices and user enrollments if ContentFilterUUID is specified. Previously it - could only be installed on supervised devices. -payloadkeys: -- key: FilterType - title: FilterType - supportedOS: - iOS: - introduced: '8.0' - type: - presence: optional - rangelist: - - BuiltIn - - Plugin - default: BuiltIn - content: The type of filter, built-in or plug-in. In macOS, the system only supports - the plug-in value. -- key: SafariHistoryRetentionEnabled - title: SafariHistoryRetentionEnabled - supportedOS: - iOS: - introduced: '26.0' - supervised: true - userenrollment: - mode: forbidden - macOS: - introduced: '26.0' - visionOS: - introduced: '26.0' - supervised: true - userenrollment: - mode: forbidden - type: - presence: optional - default: true - content: If `true`, this payload enforces a policy which requires retention of browsing - history. This causes Safari to disable clearing of browsing history, and prevents - the use of private browsing mode because that mode doesn't keep browsing history. 
-- key: AutoFilterEnabled - title: Web filter enabled - supportedOS: - macOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system enables automatic filtering. Use when `FilterType` - is `BuiltIn`. -- key: PermittedURLs - title: PermittedURLs - supportedOS: - macOS: - introduced: n/a - type: - presence: optional - content: An array or URLs that are accessible whether or not the automatic filter - allows access. Use when `FilterType` is `BuiltIn`. Requires that `AutoFilterEnabled` - is `true`. - subkeys: - - key: PermittedURLItems - title: Permitted url items - type: -- key: BlacklistedURLs - title: BlacklistedURLs - supportedOS: - iOS: - deprecated: '14.5' - macOS: - introduced: n/a - visionOS: - introduced: n/a - type: - presence: optional - content: Use `DenyListURLs` instead. - subkeys: - - key: BlacklistedURLItems - title: Blacklisted url items - type: -- key: DenyListURLs - title: DenyListURLs - supportedOS: - iOS: - introduced: '14.5' - macOS: - introduced: n/a - type: - presence: optional - content: An array of URLs that are inaccessible. Use when `FilterType` is `BuiltIn`. - Limit the number of these URLs to no more than 500. - subkeys: - - key: DenyListURLItems - title: Denylisted url items - type: -- key: HideDenyListURLs - title: HideDenyListURLs - supportedOS: - iOS: - introduced: '18.0' - macOS: - introduced: n/a - visionOS: - introduced: '2.0' - type: - presence: optional - default: false - content: If `true`, the device hides the `DenyListURLs` item in the profiles that - display in Settings > General > VPN & Device Management. -- key: WhitelistedBookmarks - title: White list - supportedOS: - iOS: - deprecated: '14.5' - macOS: - introduced: n/a - visionOS: - introduced: n/a - type: - presence: optional - content: Use `AllowListBookmarks` instead. 
- subkeys: - - key: WhitelistedBookmarksItem - title: Identifier - type: - subkeys: - - key: URL - title: URL - type: - presence: required - content: The URL of the bookmark in the allow list. - - key: Title - title: Title - type: - presence: required - content: The title of the bookmark. -- key: AllowListBookmarks - title: Allow list - supportedOS: - iOS: - introduced: '14.5' - macOS: - introduced: n/a - type: - presence: optional - content: An array of dictionaries that define the pages that the user can bookmark - or visit. Use when `FilterType` is `BuiltIn`. - subkeys: - - key: AllowListBookmarksItem - title: Identifier - type: - subkeys: - - key: URL - title: URL - type: - presence: required - content: The URL of the bookmark in the allow list. - - key: Title - title: Title - type: - presence: required - content: The title of the bookmark. -- key: UserDefinedName - title: UserDefinedName - type: - presence: optional - content: The display name for this filtering configuration. Required when `FilterType` - is `Plugin`. -- key: PluginBundleID - title: PluginBundleID - type: - presence: optional - content: The bundle ID of the plug-in that provides filtering service. Required - when `FilterType` is `Plugin`. Otherwise, it ignores this value. Consult your - filtering solution vendor to determine what to specify for this value. Required - when `FilterType` is `Plugin`. -- key: ServerAddress - title: ServerAddress - type: - presence: optional - content: The server address, which may be the IP address, hostname, or URL. Use - when `FilterType` is `Plugin`. -- key: UserName - title: Username - type: - presence: optional - content: The user name for the service. Use when `FilterType` is `Plugin`. -- key: Password - title: Password - type: - presence: optional - content: The password for the service. Use when `FilterType` is `Plugin`. 
-- key: PayloadCertificateUUID - title: Certificate UUID - type: - presence: optional - format: ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$ - content: The UUID of the certificate payload within the same profile that the system - uses to authenticate the user. Use when `FilterType` is `Plugin`. -- key: Organization - title: Organization - type: - presence: optional - content: The organization string to pass to the third-party plug-in. Use when `FilterType` - is `Plugin`. -- key: VendorConfig - type: - presence: optional - content: The custom dictionary that the filtering service plug-in needs. Use when - `FilterType` is `Plugin`. - subkeys: - - key: ANY - type: - presence: required - content: The custom key/value pairs for the filtering service. -- key: FilterBrowsers - title: FilterBrowsers - supportedOS: - macOS: - introduced: n/a - type: - presence: optional - default: false - content: |- - If `true`, the system enables filtering WebKit traffic. Use when `FilterType` is `Plugin`. - - > Note: - > At least one of `FilterBrowsers` or `FilterSockets` needs to be `true`. -- key: FilterSockets - title: FilterSockets - type: - presence: optional - default: false - content: |- - If `true`, enables the filtering of socket traffic. Use when `FilterType` is `Plugin`. - - > Note: - > At least one of `FilterBrowsers` or `FilterSockets` needs to be `true`. -- key: FilterDataProviderDesignatedRequirement - title: Filter Data Provider Designated Requirement - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.15' - visionOS: - introduced: n/a - type: - presence: optional - content: The designated requirement string that the system embeds in the code signature - of the filter data provider system extension. This string identifies the filter - data provider when the filter starts running. Required if `FilterSockets` is `true`. 
-- key: FilterDataProviderBundleIdentifier - title: Filter Data Provider Bundle Identifier - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.15' - visionOS: - introduced: n/a - type: - presence: optional - content: The bundle identifier string of the filter data provider system extension. - This string identifies the filter data provider when the filter starts running. - Required if `FilterSockets` is `true`. -- key: FilterPackets - title: Filter Network Packets - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.15' - visionOS: - introduced: n/a - type: - presence: optional - default: false - content: |- - If `true` and `FilterType` is `Plugin`, the system enables filtering network packets. Use when `FilterType` is `Plugin`. - - > Note: - > At least one of `FilterPackets` or `FilterSockets` needs to be `true`. -- key: FilterPacketProviderDesignatedRequirement - title: Filter Packet Provider Designated Requirement - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.15' - visionOS: - introduced: n/a - type: - presence: optional - content: The designated requirement string that the system embeds in the code signature - of the filter packet provider system extension. This string identifies the filter - packet provider when the filter starts running. Required if `FilterPackets` is - `true`. -- key: FilterPacketProviderBundleIdentifier - title: Filter Packet Provider Bundle Identifier - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.15' - visionOS: - introduced: n/a - type: - presence: optional - content: The bundle identifier string of the filter packet provider system extension. - This string identifies the filter packet provider when the filter starts running. - Required if `FilterPackets` is `true`. 
-- key: FilterGrade - title: Filter Grade - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.15' - visionOS: - introduced: n/a - type: - presence: optional - rangelist: - - firewall - - inspector - default: firewall - content: The system uses this value to derive the relative order of content filters. - Filters with a grade of `firewall` see network traffic before filters with a grade - of `inspector`. However, the system doesn't define the order of filters within - a grade. -- key: ContentFilterUUID - title: Content Filter UUID - supportedOS: - iOS: - introduced: '16.0' - macOS: - introduced: n/a - type: - presence: optional - content: A globally unique identifier for this content filter configuration. The - content filter processes network traffic for managed apps with the same `ContentFilterUUID` - in their app attributes. Use when `FilterType` is `Plugin`.This key must be present - for unsupervised devices and user enrollment. -- key: FilterURLs - title: FilterURLs - supportedOS: - iOS: - introduced: '26.0' - macOS: - introduced: '26.0' - visionOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system filters URL requests. Use when `FilterType` is `Plugin`. - Available in iOS 26 and macOS 26, and later. -- key: URLFilterParameters - supportedOS: - iOS: - introduced: '26.0' - macOS: - introduced: '26.0' - visionOS: - introduced: n/a - type: - presence: optional - content: A dictionary containing URL filter parameters. Required when `FilterURLs` - is `true`. Available in iOS 26 and macOS 26 and later. - subkeys: - - key: URLFilterControlProviderDesignatedRequirement - title: URL Filter Control Provider Designated Requirement - type: - presence: optional - content: The designated requirement string in the code signature of the URL filter - control provider app extension. The system uses this string to identify the - URL filter control provider when the filter starts running. Required in macOS. 
- - key: URLFilterControlProviderBundleIdentifier - title: URL Filter Control Provider Bundle Identifier - type: - presence: required - content: The bundle identifier string of the URL filter control provider app extension. - The system uses this string to identify the URL filter control provider when - the filter starts running. - - key: PIRServerURL - title: Private Information Retrieval server URL - type: - presence: required - content: The URL containing the domain name of the private information retrieval - server. - - key: PIRPrivacyPassIssuerURL - title: Privacy Pass Issuer URL - type: - presence: required - content: The URL containing the domain name of Privacy Pass Issuer. - - key: PIRAuthenticationToken - title: Authentication Token - type: - presence: required - content: The per-user authentication token string, which is an HTTP bearer token - for the person using your app. The system uses this token to attest that it - is a valid user when requesting anonymous authentication tokens for PIR exchanges. - - key: URLFilterFailClosed - title: URLFilterFailClosed - type: - presence: optional - default: false - content: If `true`, the system blocks URLs if the filter is enabled, but it fails - to make any filtering decision; for example, if there's a communication failure - with the PIR server. If `false`, the system allows URLs if the filter is enabled, - but it fails to make any filtering decision. - - key: URLPrefilterFetchFrequency - title: URLPrefilterFetchFrequency - type: - presence: optional - range: - min: 2700 - default: 86400 - content: The time interval in seconds that the system uses to periodically run - the `NEURLFilterControlProvider` app extension. The default value is 86400 seconds - (1 day). The minimum allowed value is 2700 seconds (45 minutes). The system - allows `NEURLFilterControlProvider` implementations to download prefilter Bloom - filter data onto the device periodically at the specified interval. 
Implementations - need to allow for a slight difference between the scheduled time and the actual - runtime of the task, due to the scheduling mechanism on the system. -notes: -- title: '' - content: |- - The system matches URLs using string-based matching. A URL matches an allow list, deny list, or permitted list pattern if the exact characters of the pattern appear as a substring of the URL requested in the web browser. For example, if the system doesn't allow `test.com/a`, it blocks `test.com/a`, `test.com/apple`, and `test.com/a/b`. - - The system matches list entries that terminate with a `/` character explicitly; if the system blocks or allows `test.com/a/`, it blocks or allows `test.com/a` and `test.com/a/b`. - - Matching discards a `www` subdomain prefix if present, so if the system doesn't allow `www.test.com`, it also blocks `m.test.com`. - - All filtering options are active simultaneously. The system only permits URLs and sites that pass all rules. diff --git a/mdm/profiles/com.apple.wifi.managed.yaml b/mdm/profiles/com.apple.wifi.managed.yaml deleted file mode 100644 index 432e002..0000000 --- a/mdm/profiles/com.apple.wifi.managed.yaml +++ /dev/null 
@@ -1,711 +0,0 @@ -title: Wi-Fi -description: The payload that configures Wi-Fi settings. -payload: - payloadtype: com.apple.wifi.managed - supportedOS: - iOS: - introduced: '4.0' - multiple: true - supervised: false - allowmanualinstall: true - sharedipad: - mode: allowed - devicechannel: true - userchannel: false - userenrollment: - mode: allowed - macOS: - introduced: '10.7' - multiple: true - devicechannel: true - userchannel: true - supervised: false - requiresdep: false - userapprovedmdm: false - allowmanualinstall: true - userenrollment: - mode: allowed - tvOS: - introduced: '9.0' - multiple: true - supervised: false - allowmanualinstall: true - visionOS: - introduced: '1.0' - multiple: true - supervised: false - allowmanualinstall: true - userenrollment: - mode: allowed - watchOS: - introduced: '3.2' - multiple: true - allowmanualinstall: true -payloadkeys: -- key: AutoJoin - title: Auto Join - supportedOS: - iOS: - introduced: '5.0' - type: - presence: optional - default: true - content: |- - If `true`, the device joins the network automatically. - - If `false`, the user must tap the network name to join it. -- key: SSID_STR - title: SSID - supportedOS: - iOS: - introduced: '7.0' - type: - presence: optional - content: The SSID of the Wi-Fi network to use. In iOS 7.0 and later, the SSID is - optional if a value exists for `DomainName` value. -- key: HIDDEN_NETWORK - title: Hidden - type: - presence: optional - default: false - content: If `true`, defines this network as hidden. -- key: ProxyType - title: Proxy Type - supportedOS: - iOS: - userenrollment: - mode: forbidden - visionOS: - userenrollment: - mode: forbidden - type: - presence: optional - rangelist: - - None - - Manual - - Auto - default: None - content: The proxy type, if any, to use. If you choose the manual proxy type, you - need the proxy server address, including its port and optionally a user name and - password into the proxy server. 
If you choose the auto proxy type, you can enter - a proxy autoconfiguration (PAC) URL. -- key: EncryptionType - title: Encryption Type - type: - presence: optional - rangelist: - - WEP - - WPA - - WPA2 - - WPA3 - - Any - - None - default: Any - content: |- - The encryption type for the network. - - If set to anything except `None`, the payload may contain the following three keys: `Password`, `PayloadCertificateUUID`, or `EAPClientConfiguration`. - - As of iOS 16, tvOS 16, watchOS 9, and macOS 13: - - - `WPA` allows joining WPA or WPA2 networks - - `WPA2` allows joining WPA2 or WPA3 networks - - `WPA3` allows joining WPA3 networks only - - `Any` allows joining WPA, WPA2, WPA3, and WEP networks - - Prior to iOS 16, tvOS 16, and watchOS 9, specifying `WPA`, `WPA2`, and `WPA3` were equivalent and would allow joining any WPA network. - - Prior to macOS 13, the encryption type, if specified explicitly, needed to match the encryption type of the network exactly. -- key: Password - title: Password - type: - presence: optional - content: The password for the access point. -- key: PayloadCertificateUUID - title: Certificate UUID - type: - presence: optional - format: ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$ - content: The UUID of the certificate payload within the same profile to use for - the client credential. -- key: EAPClientConfiguration - title: EAP Client Configuration - type: - presence: optional - content: The enterprise network configuration. - subkeys: - - key: AcceptEAPTypes - title: Accept EAP Types - type: - presence: required - content: |- - The EAP types that the system accepts. 
Allowed values: - - - `13`: EAP-TLS - - `17`: LEAP - - `18`: EAP-SIM - - `21`: EAP-TTLS - - `23`: EAP-AKA - - `25`: PEAPv0/v1 - - `43`: EAP-FAST - - For EAP-TLS authentication without a network payload, install the necessary identity certificates and have your users select EAP-TLS mode in the 802.1X credentials dialog that appears when they connect to the network. For other EAP types, a network payload is necessary and must specify the correct settings for the network. - subkeys: - - key: EAPType - title: EAP Type - type: - rangelist: - - 13 - - 17 - - 18 - - 21 - - 23 - - 25 - - 43 - - key: UserName - title: Username - type: - presence: optional - content: The user name for the account. If you don't specify a value, the system - prompts the user during login. - - key: UserPassword - title: Password - type: - presence: optional - content: The user's password. If you don't specify a value, the system prompts - the user during login. - - key: PayloadCertificateAnchorUUID - title: Certificate Anchor UUID - type: - presence: optional - content: An array of the UUID of each certificate payload in the same profile - to trust for authentication. Use this key to prevent the device from asking - the user whether to trust the listed certificates. Dynamic trust (the certificate - dialogue) is in a disabled state if you specify this property without also enabling - 'TLSAllowTrustExceptions'. - subkeys: - - key: CertificateAnchorUUID - title: Individual Certificate Anchor UUID - type: - format: ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$ - - key: TLSTrustedCertificates - title: TLS Trusted Certificates - type: - presence: optional - content: An array of trusted certificates. Each entry in the array must contain - certificate data that represents an anchor certificate used for verifying the - server certificate. - subkeys: - - key: TLSTrustedCertificatesItem - type: - presence: required - content: A certificate identifier. 
- - key: TLSTrustedServerNames - title: TLS Trusted Server Names - type: - presence: optional - content: |- - The list of accepted server certificate common names. If a server presents a certificate that isn't in this list, the system doesn't trust it. - If you specify this property, the system disables dynamic trust (the certificate dialog) unless you also specify 'TLSAllowTrustExceptions' with the value 'true'. - If necessary, use wildcards to specify the name, such as 'wpa.*.example.com'. - subkeys: - - key: TLSTrustedServerName - title: Individual Trusted TLS Server Name - type: - - key: TLSAllowTrustExceptions - title: Allow Trust Exceptions - supportedOS: - iOS: - removed: '8.0' - visionOS: - introduced: n/a - type: - presence: optional - default: true - content: |- - If 'true', allows a dynamic trust decision by the user. The dynamic trust is the certificate dialogue that appears when the system doesn't trust a certificate. - If 'false', the authentication fails if the system doesn't already trust the certificate. - As of iOS 8, Apple no longer supports this key. - - key: TLSCertificateIsRequired - supportedOS: - iOS: - introduced: '7.0' - type: - presence: optional - default: false - content: |- - If 'true', allows for two-factor authentication for EAP-TTLS, PEAP, or EAP-FAST. If 'false', allows for zero-factor authentication for EAP-TLS. - If you don't specify a value, the default is 'true' for EAP-TLS, and 'false' for other EAP types. - - key: TTLSInnerAuthentication - title: TTLS Inner Authentication - type: - presence: optional - rangelist: - - PAP - - EAP - - CHAP - - MSCHAP - - MSCHAPv2 - default: MSCHAPv2 - content: The inner authentication that the TTLS module uses. - - key: TLSMinimumVersion - supportedOS: - iOS: - introduced: '11.0' - macOS: - introduced: '10.13' - tvOS: - introduced: '11.0' - type: - presence: optional - rangelist: - - '1.0' - - '1.1' - - '1.2' - - '1.3' - default: '1.0' - content: The minimum TLS version for EAP authentication. 
- - key: TLSMaximumVersion - supportedOS: - iOS: - introduced: '11.0' - macOS: - introduced: '10.13' - tvOS: - introduced: '11.0' - type: - presence: optional - rangelist: - - '1.0' - - '1.1' - - '1.2' - - '1.3' - default: '1.2' - content: The maximum TLS version for EAP authentication. - - key: OuterIdentity - title: Outer Identity - type: - presence: optional - content: |- - A name that hides the user's true name. The user's actual name appears only inside the encrypted tunnel. For example, you might set this to anonymous or anon, or anon@mycompany.net. It can increase security because an attacker can't see the authenticating user's name in the clear. - This key is only relevant to TTLS, PEAP, and EAP-FAST. - This field is required if 'TLSMinimumVersion' is '1.3'. - - key: EAPFASTUsePAC - title: Use PAC - type: - presence: optional - default: false - content: If 'true', the device uses an existing PAC if it's present. Otherwise, - the server must present its identity using a certificate. - - key: EAPFASTProvisionPAC - title: Provision PAC - type: - presence: optional - default: false - content: |- - If 'true', allows PAC provisioning. - - This value is only applicable if 'EAPFASTUsePAC' is 'true'. This value must be 'true' for EAP-FAST PAC usage to succeed because there's no other way to provision a PAC. - - key: EAPFASTProvisionPACAnonymously - title: Provision PAC Anonymously - type: - presence: optional - default: false - content: If 'true', provisions the device anonymously. Note that there are known - machine-in-the-middle attacks for anonymous provisioning. - - key: EAPSIMNumberOfRANDs - title: Allow Two RANDs - supportedOS: - iOS: - introduced: '8.0' - type: - presence: optional - rangelist: - - 2 - - 3 - default: 3 - content: |- - The minimum number of RAND values to accept from the server. - For use with EAP-SIM only. 
- - key: SystemModeCredentialsSource - type: - presence: optional - content: |- - Set this string to 'ActiveDirectory' to use the AD computer name and password credentials. - If using this property, you can't use 'SystemModeUseOpenDirectoryCredentials'. - - key: SystemModeUseOpenDirectoryCredentials - type: - presence: optional - default: false - content: |- - If 'true', the system mode connection tries to use the Open Directory credentials. - If using this property, you can't use 'SystemModeCredentialsSource'. - - key: OneTimeUserPassword - title: Per-Connection Password - supportedOS: - iOS: - introduced: '8.0' - macOS: - introduced: '10.8' - tvOS: - introduced: '9.0' - type: - presence: optional - default: false - content: If 'true', the user receives a prompt for a password each time they connect - to the network. -- key: DisplayedOperatorName - title: Displayed Operator Name - supportedOS: - iOS: - introduced: '7.0' - macOS: - introduced: '10.9' - type: - presence: optional - content: The operator name to display when connected to this network. Used only - with Wi-Fi Hotspot 2.0 access points. -- key: DomainName - title: Domain Name - supportedOS: - iOS: - introduced: '7.0' - macOS: - introduced: '10.9' - type: - presence: optional - content: The primary domain of the tunnel. -- key: RoamingConsortiumOIs - title: Roaming OIs - supportedOS: - iOS: - introduced: '7.0' - macOS: - introduced: '10.9' - type: - presence: optional - content: An array of Roaming Consortium Organization Identifiers used for Wi-Fi - Hotspot 2.0 negotiation. - subkeys: - - key: RoamingConsortiumOI - type: - format: ^([0-9A-Za-z]{6})|([0-9A-Za-z]{9})$ -- key: ServiceProviderRoamingEnabled - title: Roaming Enable - supportedOS: - iOS: - introduced: '7.0' - macOS: - introduced: '10.9' - type: - presence: optional - default: false - content: If `true`, allows connection to roaming service providers. 
-- key: IsHotspot - title: Is Hotspot - supportedOS: - iOS: - introduced: '7.0' - macOS: - introduced: '10.9' - type: - presence: optional - default: false - content: If `true`, the device treats the network as a hotspot. -- key: HESSID - supportedOS: - iOS: - introduced: '7.0' - type: - presence: optional - content: The HESSID used for Wi-Fi Hotspot 2.0 negotiation. -- key: NAIRealmNames - title: Realm Names - supportedOS: - iOS: - introduced: '7.0' - macOS: - introduced: '10.9' - type: - presence: optional - content: An array of Network Access Identifier Realm names used for Wi-Fi Hotspot - 2.0 negotiation. - subkeys: - - key: NAIRealmName - type: -- key: MCCAndMNCs - title: MCC/MNCs - supportedOS: - iOS: - introduced: '7.0' - macOS: - introduced: n/a - type: - presence: optional - content: An array of Mobile Country Code/Mobile Network Code (MCC/MNC) pairs used - for Wi-Fi Hotspot 2.0 negotiation. Each string must contain exactly six digits. - subkeys: - - key: MCCAndMNC - type: - format: ^[0-9]{6}$ -- key: CaptiveBypass - title: Disable Captive Network Detection - supportedOS: - iOS: - introduced: '10.0' - macOS: - introduced: n/a - type: - presence: optional - default: false - content: If `true`, the system bypasses Captive Network detection when the device - connects to the network. -- key: QoSMarkingPolicy - title: QoS Marking Policy - supportedOS: - iOS: - introduced: '10.0' - macOS: - introduced: '10.13' - type: - presence: optional - content: A dictionary that contains the list of apps that the system allows to benefit - from L2 and L3 marking. When this dictionary isn't present, the system allows - all apps to use L2 and L3 marking when the Wi-Fi network supports Cisco QoS fast - lane. 
- subkeys: - - key: QoSMarkingAllowListAppIdentifiers - title: Allowlisted App Identifiers - supportedOS: - iOS: - introduced: '14.5' - macOS: - introduced: '14.0' - type: - presence: optional - content: An array of app bundle identifiers that defines the allow list for L2 - and L3 marking for traffic that goes to the Wi-Fi network. If the array isn't - present, but the `QoSMarkingPolicy` key is present — even empty — no apps can - use L2 and L3 marking. - subkeys: &id001 - - key: appBundleID - title: Allowlisted App - type: - - key: QoSMarkingWhitelistedAppIdentifiers - title: Whitelisted App Identifiers - supportedOS: - iOS: - deprecated: '14.5' - macOS: - deprecated: '14.0' - visionOS: - introduced: n/a - type: - presence: optional - content: Use `QoSMarkingAllowListAppIdentifiers` instead. - subkeys: *id001 - - key: QoSMarkingAppleAudioVideoCalls - title: QoS marking for audio or video calls - type: - presence: optional - default: true - content: If `true`, adds audio and video traffic of built-in audio or video services, - such as FaceTime and Wi-Fi Calling, to the allow list for L2 and L3 marking - for traffic that goes to the Wi-Fi network. - - key: QoSMarkingEnabled - title: Allow QoS marking - type: - presence: optional - default: true - content: |- - If `true`, disables L3 marking and only uses L2 marking for traffic that goes to the Wi-Fi network. - - - - If `false`, the system behaves as if Wi-Fi doesn't have an association with a Cisco QoS fast lane network. -- key: SetupModes - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '10.7' - tvOS: - introduced: n/a - visionOS: - introduced: n/a - watchOS: - introduced: n/a - type: - presence: optional - content: An array of strings that contain the type of connection mode to attach. - subkeys: - - key: SetupModesItem - type: - presence: required - rangelist: - - System - - Loginwindow - content: A type of connection mode. 
-- key: EnableIPv6 - type: - presence: optional - default: true - content: If `true`, enables IPv6 on this interface. -- key: TLSCertificateRequired - title: Certificate Required - type: - presence: optional - default: false - content: If `true`, allows for two-factor authentication for EAP-TTLS, PEAP, or - EAP-FAST. If `false`, allows for zero-factor authentication for EAP-TLS. -- key: ProxyServer - title: Proxy Server - supportedOS: - iOS: - userenrollment: - mode: forbidden - macOS: - userenrollment: - mode: forbidden - visionOS: - userenrollment: - mode: forbidden - type: - presence: optional - content: The proxy server's network address. -- key: ProxyServerPort - title: Proxy Server Port - supportedOS: - iOS: - userenrollment: - mode: forbidden - macOS: - userenrollment: - mode: forbidden - visionOS: - userenrollment: - mode: forbidden - type: - presence: optional - range: - min: 0 - max: 65535 - content: The proxy server's port number. -- key: ProxyUsername - title: Proxy Username - supportedOS: - iOS: - userenrollment: - mode: forbidden - macOS: - userenrollment: - mode: forbidden - visionOS: - userenrollment: - mode: forbidden - type: - presence: optional - content: The user name used to authenticate to the proxy server. -- key: ProxyPassword - title: Proxy Password - supportedOS: - iOS: - userenrollment: - mode: forbidden - visionOS: - userenrollment: - mode: forbidden - type: - presence: optional - content: The password used to authenticate to the proxy server. -- key: ProxyPACURL - title: Proxy PAC URL - supportedOS: - iOS: - userenrollment: - mode: forbidden - macOS: - userenrollment: - mode: forbidden - visionOS: - userenrollment: - mode: forbidden - type: - presence: optional - content: The URL of the PAC file that defines the proxy configuration. 
-- key: ProxyPACFallbackAllowed - title: Proxy PAC Fallback Allowed - supportedOS: - iOS: - userenrollment: - mode: forbidden - macOS: - userenrollment: - mode: forbidden - visionOS: - userenrollment: - mode: forbidden - type: - presence: optional - default: false - content: If `true`, allows connecting directly to the destination if the PAC file - is unreachable. -- key: DisableAssociationMACRandomization - title: Disable MAC address randomization during association - supportedOS: - iOS: - introduced: '14.0' - userenrollment: - mode: forbidden - macOS: - introduced: '15.0' - userenrollment: - mode: forbidden - tvOS: - introduced: n/a - visionOS: - userenrollment: - mode: forbidden - watchOS: - introduced: '7.0' - type: - presence: optional - default: false - content: |- - If `true,` disables MAC address randomization for a Wi-Fi network while associated with that network. This feature also shows a privacy warning in Settings indicating that the network has reduced privacy protections. - - If `false`, then the system enables MAC address randomization on iOS, watchOS, and visionOS. - - This value is only locked when MDM installs the profile. If the profile is manually installed, the system sets the value but the user can change it. -- key: AllowJoinBeforeFirstUnlock - title: Allow Join Before First Unlock - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: n/a - tvOS: - introduced: n/a - visionOS: - introduced: '26.0' - supervised: true - userenrollment: - mode: forbidden - watchOS: - introduced: n/a - type: - presence: optional - default: false - content: |- - If `true`, the device makes this network available for joining before the device is unlocked for the first time following a reboot, on a device configured for return to service. Any network credentials are placed into Class D storage within the keychain, and information about the network is stored on disk in Class D. 
- - There are several restrictions on the use of this flag: - - - This property is only available in the return to service mode. - - Only one network can be designated as available before first unlock. - - `EAPClientConfiguration` must not be present. - - If `IsHotspot` is present, it must be set to `false`. - - `QoSMarkingPolicy` must not be present. - - If `ProxyType` is present, it must be set to `None`. - - The device fails to install the profile payload if any of these conditions are not met. diff --git a/mdm/profiles/com.apple.xsan.preferences.yaml b/mdm/profiles/com.apple.xsan.preferences.yaml deleted file mode 100644 index 6ef0c5e..0000000 --- a/mdm/profiles/com.apple.xsan.preferences.yaml +++ /dev/null 
@@ -1,84 +0,0 @@
-title: Xsan Preferences
-description: The payload that configures the Xsan preferences that define the volumes
- that automatically mount at startup.
-payload:
- payloadtype: com.apple.xsan.preferences
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- introduced: '10.11'
- multiple: true
- devicechannel: true
- userchannel: false
- requiresdep: false
- userapprovedmdm: false
- allowmanualinstall: true
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- content: The Xsan preferences payload can be used to configure which volumes automatically
- mount at startup. For StorNext volumes this payload also determines whether the
- mount uses Fibre Channel or Distributed LAN Client (DLC).
-payloadkeys:
-- key: onlyMount
- type:
- presence: optional
- content: An array of Xsan or StorNext volume names. The Xsan client attempts to
- automatically mount these volumes at startup. The system administrator can mount
- additional volumes manually by using the `xsanctl(8)` mount command.
- subkeys:
- - key: onlyMountItem
- type:
- presence: required
- content: A volume name.
-- key: denyMount
- type:
- presence: optional
- content: An array of Xsan or StorNext volume names. If no `onlyMount` array is present,
- the Xsan client automatically attempts to mount all SAN volumes except the volumes
- in this array. The system administrator can mount those volumes manually by using
- the `xsanctl(8)` mount command.
- subkeys:
- - key: denyMountItem
- type:
- presence: required
- content: A volume name.
-- key: denyDLC
- type:
- presence: optional
- content: An array of StorNext volume names. If the Xsan client is attempting to
- mount a volume named in this array, the client only mounts the volume if its logical
- units (LUNs) are available through Fibre Channel. It doesn't attempt to mount
- the volume using Distributed LAN Client (DLC).
- subkeys:
- - key: denyDLCItem
- type:
- presence: required
- content: A volume name.
-- key: preferDLC
- type:
- presence: optional
- content: An array of StorNext volume names. If the Xsan client is attempting to
- mount a volume named in this array, the Xsan client attempts to mount the volume
- using DLC. If DLC isn't available, the client attempts to mount the volume if
- its LUNs are available through Fibre Channel. The volume name must not also appear
- in `denyDLC`.
- subkeys:
- - key: preferDLCItem
- type:
- presence: required
- content: A volume name.
-- key: useDLC
- type:
- presence: optional
- default: false
- content: If `true`, use the DLC for all volumes.
-notes:
-- title: ''
- content: For more information, see [https://support.apple.com/en-us/HT205333](https://support.apple.com/en-us/HT205333).
diff --git a/mdm/profiles/com.apple.xsan.yaml b/mdm/profiles/com.apple.xsan.yaml
deleted file mode 100644
index 8954f4c..0000000
--- a/mdm/profiles/com.apple.xsan.yaml
+++ /dev/null
@@ -1,77 +0,0 @@
-title: Xsan
-description: The payload that configures an Xsan client system.
-payload:
- payloadtype: com.apple.xsan
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- introduced: '10.10'
- multiple: false
- devicechannel: true
- userchannel: false
- requiresdep: false
- userapprovedmdm: false
- allowmanualinstall: true
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- content: Sets up Xsan clients and controls certain Xsan volume mount behaviors.
- The payload should include either sanConfigURLs or fsnameservers, but not both.
-payloadkeys:
-- key: sanName
- type:
- presence: required
- content: The name of the SAN. This key is required for all Xsan SANs. The name must
- exactly match the name of the SAN defined in the metadata server.
-- key: sanConfigURLs
- type:
- presence: optional
- content: |-
- An array of LDAP URLs where Xsan systems can obtain SAN configuration updates. There should be one entry for each Xsan MDC.
-
- This key is required for all Xsan SANs.
-
- Example URL: `ldaps://mdc1.example.com:389`.
- subkeys:
- - key: sanConfigURLsItem
- type:
- presence: required
- content: A URL.
-- key: fsnameservers
- type:
- presence: optional
- content: |-
- An array of storage area network (SAN) File System Name Server coordinators. The list should contain the same addresses in the same order as the metadata controller (MDC) `/Library/Preferences/Xsan/fsnameservers` file.
-
- This key is required for StorNext SANs.
- subkeys:
- - key: fsnameserversItem
- type:
- presence: required
- content: A name server.
-- key: sanAuthMethod
- type:
- presence: optional
- rangelist:
- - auth_secret
- content: |-
- The authentication method for the SAN. This key is required for all Xsan SANs. It's optional for StorNext SANs but should be set if the StorNext SAN uses an `auth_secret` file.
-
-
-
- Only one value is accepted: `auth_secret`
-- key: sharedSecret
- type:
- presence: required
- content: The shared secret used for Xsan network authentication. This key is required
- when the `sanAuthMethod` key is present. The value should equal the content of
- the MDC's `/Library/Preferences/Xsan/.auth_secret` file.
-notes:
-- title: ''
- content: For more information, see [https://support.apple.com/en-us/HT205333](https://support.apple.com/en-us/HT205333).
diff --git a/mdm/profiles/loginwindow.yaml b/mdm/profiles/loginwindow.yaml
deleted file mode 100644
index 65838db..0000000
--- a/mdm/profiles/loginwindow.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: 'Login Window: Login Items'
-description: The payload that configures login behavior.
-payload:
- payloadtype: loginwindow
- supportedOS:
- iOS:
- introduced: n/a
- macOS:
- introduced: '10.7'
- multiple: false
- devicechannel: true
- userchannel: false
- requiresdep: false
- userapprovedmdm: false
- allowmanualinstall: true
- userenrollment:
- mode: forbidden
- tvOS:
- introduced: n/a
- visionOS:
- introduced: n/a
- watchOS:
- introduced: n/a
- content: This payload handles login items management.
-payloadkeys:
-- key: DisableLoginItemsSuppression
- supportedOS:
- macOS:
- introduced: all
- type:
- presence: optional
- default: false
- content: If `true`, the system prevents the user from disabling login item launches
- by using the Shift key.