├── .github └── PULL_REQUEST_TEMPLATE.md ├── .gitignore ├── LICENSE.txt ├── README.md ├── declarative ├── declarations │ ├── activations │ │ └── simple.yaml │ ├── assets │ │ ├── credential.acme.yaml │ │ ├── credential.certificate.yaml │ │ ├── credential.identity.yaml │ │ ├── credential.scep.yaml │ │ ├── credential.userpassword.yaml │ │ ├── credentials │ │ │ ├── acme.yaml │ │ │ ├── identity.yaml │ │ │ ├── scep.yaml │ │ │ └── usernameandpassword.yaml │ │ ├── data.yaml │ │ └── useridentity.yaml │ ├── configurations │ │ ├── account.caldav.yaml │ │ ├── account.carddav.yaml │ │ ├── account.exchange.yaml │ │ ├── account.google.yaml │ │ ├── account.ldap.yaml │ │ ├── account.mail.yaml │ │ ├── account.subscribed-calendar.yaml │ │ ├── app.managed.yaml │ │ ├── diskmanagement.settings.yaml │ │ ├── legacy.interactive.yaml │ │ ├── legacy.yaml │ │ ├── management.status-subscriptions.yaml │ │ ├── management.test.yaml │ │ ├── math.settings.yaml │ │ ├── passcode.settings.yaml │ │ ├── safari.extensions.settings.yaml │ │ ├── screensharing.connection.group.yaml │ │ ├── screensharing.connection.yaml │ │ ├── screensharing.host.settings.yaml │ │ ├── security.certificate.yaml │ │ ├── security.identity.yaml │ │ ├── security.passkey.attestation.yaml │ │ ├── services.background-tasks.yaml │ │ ├── services.configuration-files.yaml │ │ ├── softwareupdate.enforcement.specific.yaml │ │ ├── softwareupdate.settings.yaml │ │ └── watch.enrollment.yaml │ ├── declarationbase.yaml │ └── management │ │ ├── organization-info.yaml │ │ ├── properties.yaml │ │ └── server-capabilities.yaml ├── protocol │ ├── declarationitemsresponse.yaml │ ├── statusreport.yaml │ └── tokensresponse.yaml └── status │ ├── account.list.caldav.yaml │ ├── account.list.carddav.yaml │ ├── account.list.exchange.yaml │ ├── account.list.google.yaml │ ├── account.list.ldap.yaml │ ├── account.list.mail.incoming.yaml │ ├── account.list.mail.outgoing.yaml │ ├── account.list.subscribed-calendar.yaml │ ├── app.managed.list.yaml │ ├── 
device.identifier.serial-number.yaml │ ├── device.identifier.udid.yaml │ ├── device.model.family.yaml │ ├── device.model.identifier.yaml │ ├── device.model.marketing-name.yaml │ ├── device.model.number.yaml │ ├── device.operating-system.build-version.yaml │ ├── device.operating-system.family.yaml │ ├── device.operating-system.marketing-name.yaml │ ├── device.operating-system.supplemental.build-version.yaml │ ├── device.operating-system.supplemental.extra-version.yaml │ ├── device.operating-system.version.yaml │ ├── device.power.battery-health.yaml │ ├── diskmanagement.filevault.enabled.yaml │ ├── management.client-capabilities.yaml │ ├── management.declarations.yaml │ ├── mdm.app.yaml │ ├── passcode.is-compliant.yaml │ ├── passcode.is-present.yaml │ ├── screensharing.connection.group.unresolved-connection.yaml │ ├── security.certificate.list.yaml │ ├── services.background-task.yaml │ ├── softwareupdate.beta-enrollment.yaml │ ├── softwareupdate.device-id.yaml │ ├── softwareupdate.failure-reason.yaml │ ├── softwareupdate.install-reason.yaml │ ├── softwareupdate.install-state.yaml │ ├── softwareupdate.pending-version.yaml │ ├── statusreason.yaml │ ├── test.array-value.yaml │ ├── test.boolean-value.yaml │ ├── test.dictionary-value.yaml │ ├── test.error-value.yaml │ ├── test.integer-value.yaml │ ├── test.real-value.yaml │ └── test.string-value.yaml ├── docs ├── errata.md ├── schema.md └── schema.yaml ├── mdm ├── checkin │ ├── authenticate.yaml │ ├── checkout.yaml │ ├── declarativemanagement.yaml │ ├── getbootstraptoken.yaml │ ├── gettoken.yaml │ ├── setbootstraptoken.yaml │ ├── tokenupdate.yaml │ └── userauthenticate.yaml ├── commands │ ├── account.configuration.yaml │ ├── application.extensions.listactive.yaml │ ├── application.extensions.mappings.yaml │ ├── application.install.enterprise.yaml │ ├── application.install.yaml │ ├── application.installed.list.yaml │ ├── application.invitetoprogram.yaml │ ├── application.managed.list.yaml │ ├── 
application.redemptioncode.yaml │ ├── application.remove.yaml │ ├── application.validate.yaml │ ├── certificate.list.yaml │ ├── declarativemanagement.yaml │ ├── device.activationlock.bypasscode.yaml │ ├── device.activationlock.clearbypasscode.yaml │ ├── device.configured.yaml │ ├── device.erase.yaml │ ├── device.esim.yaml │ ├── device.lock.yaml │ ├── device.lostmode.disable.yaml │ ├── device.lostmode.enable.yaml │ ├── device.lostmode.location.yaml │ ├── device.lostmode.playsound.yaml │ ├── device.restart.yaml │ ├── device.restrictions.clearpassword.yaml │ ├── device.restrictions.list.yaml │ ├── device.shutdown.yaml │ ├── information.contentcaching.yaml │ ├── information.device.yaml │ ├── information.security.yaml │ ├── lom.devicerequest.yaml │ ├── lom.setuprequest.yaml │ ├── managed.application.attributes.yaml │ ├── managed.application.configuration.yaml │ ├── managed.application.feedback.yaml │ ├── media.install.yaml │ ├── media.managed.list.yaml │ ├── media.remove.yaml │ ├── mirroring.request.yaml │ ├── mirroring.stop.yaml │ ├── passcode.clear.yaml │ ├── passcode.firmware.set.yaml │ ├── passcode.firmware.verify.yaml │ ├── passcode.recovery.set.yaml │ ├── passcode.recovery.verify.yaml │ ├── passcode.unlocktoken.yaml │ ├── profile.install.yaml │ ├── profile.list.yaml │ ├── profile.provisioning.install.yaml │ ├── profile.provisioning.list.yaml │ ├── profile.provisioning.remove.yaml │ ├── profile.remove.yaml │ ├── remotedesktop.disable.yaml │ ├── remotedesktop.enable.yaml │ ├── rotate.file.vault.key.yaml │ ├── set.auto.admin.password.yaml │ ├── settings.yaml │ ├── system.update.available.yaml │ ├── system.update.scan.yaml │ ├── system.update.schedule.yaml │ ├── system.update.status.yaml │ ├── user.configured.yaml │ ├── user.delete.yaml │ ├── user.list.yaml │ ├── user.logout.yaml │ └── user.unlock.yaml ├── errors │ ├── softwareupdate.required.yaml │ ├── unrecognized.device.yaml │ ├── watch.pairing.token.missing.yaml │ └── well-known.failed.yaml └── profiles │ ├── 
CommonPayloadKeys.yaml │ ├── GlobalPreferences.yaml │ ├── TopLevel.yaml │ ├── com.apple.ADCertificate.managed.yaml │ ├── com.apple.AIM.account.yaml │ ├── com.apple.AssetCache.managed.yaml │ ├── com.apple.Dictionary.yaml │ ├── com.apple.DirectoryService.managed.yaml │ ├── com.apple.DiscRecording.yaml │ ├── com.apple.MCX(Accounts).yaml │ ├── com.apple.MCX(EnergySaver).yaml │ ├── com.apple.MCX(FileVault2).yaml │ ├── com.apple.MCX(Mobililty).yaml │ ├── com.apple.MCX(TimeServer).yaml │ ├── com.apple.MCX(WiFi).yaml │ ├── com.apple.MCX.FileVault2.yaml │ ├── com.apple.MCX.TimeMachine.yaml │ ├── com.apple.ManagedClient.preferences.yaml │ ├── com.apple.NSExtension.yaml │ ├── com.apple.SetupAssistant.managed.yaml │ ├── com.apple.ShareKitHelper.yaml │ ├── com.apple.SoftwareUpdate.yaml │ ├── com.apple.SystemConfiguration.yaml │ ├── com.apple.TCC.configuration-profile-policy.yaml │ ├── com.apple.airplay.security.yaml │ ├── com.apple.airplay.yaml │ ├── com.apple.airprint.yaml │ ├── com.apple.apn.managed.yaml │ ├── com.apple.app.lock.yaml │ ├── com.apple.applicationaccess.new.yaml │ ├── com.apple.applicationaccess.yaml │ ├── com.apple.appstore.yaml │ ├── com.apple.asam.yaml │ ├── com.apple.associated-domains.yaml │ ├── com.apple.caldav.account.yaml │ ├── com.apple.carddav.account.yaml │ ├── com.apple.cellular.yaml │ ├── com.apple.cellularprivatenetwork.managed.yaml │ ├── com.apple.conferenceroomdisplay.yaml │ ├── com.apple.configurationprofile.identification.yaml │ ├── com.apple.dashboard.yaml │ ├── com.apple.declarations.yaml │ ├── com.apple.desktop.yaml │ ├── com.apple.dnsProxy.managed.yaml │ ├── com.apple.dnsSettings.managed.yaml │ ├── com.apple.dock.yaml │ ├── com.apple.domains.yaml │ ├── com.apple.eas.account.yaml │ ├── com.apple.education.yaml │ ├── com.apple.ews.account.yaml │ ├── com.apple.extensiblesso(kerberos).yaml │ ├── com.apple.extensiblesso.yaml │ ├── com.apple.familycontrols.contentfilter.yaml │ ├── com.apple.familycontrols.timelimits.v2.yaml │ ├── 
com.apple.fileproviderd.yaml │ ├── com.apple.finder.yaml │ ├── com.apple.firstactiveethernet.managed.yaml │ ├── com.apple.firstethernet.managed.yaml │ ├── com.apple.font.yaml │ ├── com.apple.gamed.yaml │ ├── com.apple.globalethernet.managed.yaml │ ├── com.apple.google-oauth.yaml │ ├── com.apple.homescreenlayout.yaml │ ├── com.apple.ironwood.support.yaml │ ├── com.apple.jabber.account.yaml │ ├── com.apple.ldap.account.yaml │ ├── com.apple.loginitems.managed.yaml │ ├── com.apple.loginwindow.yaml │ ├── com.apple.lom.yaml │ ├── com.apple.mail.managed.yaml │ ├── com.apple.mcxMenuExtras.yaml │ ├── com.apple.mcxloginscripts.yaml │ ├── com.apple.mcxprinting.yaml │ ├── com.apple.mdm.yaml │ ├── com.apple.mobiledevice.passwordpolicy.yaml │ ├── com.apple.networkusagerules.yaml │ ├── com.apple.notificationsettings.yaml │ ├── com.apple.osxserver.account.yaml │ ├── com.apple.preference.security.yaml │ ├── com.apple.preferences.users.yaml │ ├── com.apple.profileRemovalPassword.yaml │ ├── com.apple.proxy.http.global.yaml │ ├── com.apple.relay.managed.yaml │ ├── com.apple.screensaver.user.yaml │ ├── com.apple.screensaver.yaml │ ├── com.apple.secondactiveethernet.managed.yaml │ ├── com.apple.secondethernet.managed.yaml │ ├── com.apple.security.FDERecoveryKeyEscrow.yaml │ ├── com.apple.security.FDERecoveryRedirect.yaml │ ├── com.apple.security.acme.yaml │ ├── com.apple.security.certificatepreference.yaml │ ├── com.apple.security.certificaterevocation.yaml │ ├── com.apple.security.certificatetransparency.yaml │ ├── com.apple.security.firewall.yaml │ ├── com.apple.security.identitypreference.yaml │ ├── com.apple.security.pem.yaml │ ├── com.apple.security.pkcs1.yaml │ ├── com.apple.security.pkcs12.yaml │ ├── com.apple.security.root.yaml │ ├── com.apple.security.scep.yaml │ ├── com.apple.security.smartcard.yaml │ ├── com.apple.security.wapi-identity.yaml │ ├── com.apple.servicemanagement.yaml │ ├── com.apple.shareddeviceconfiguration.yaml │ ├── com.apple.sso.yaml │ ├── 
com.apple.subscribedcalendar.account.yaml │ ├── com.apple.syspolicy.kernel-extension-policy.yaml │ ├── com.apple.system-extension-policy.yaml │ ├── com.apple.system.logging.yaml │ ├── com.apple.systemmigration.yaml │ ├── com.apple.systempolicy.control.yaml │ ├── com.apple.systempolicy.managed.yaml │ ├── com.apple.systempolicy.rule.yaml │ ├── com.apple.systempreferences.yaml │ ├── com.apple.systemuiserver.yaml │ ├── com.apple.thirdactiveethernet.managed.yaml │ ├── com.apple.thirdethernet.managed.yaml │ ├── com.apple.tvremote.yaml │ ├── com.apple.universalaccess.yaml │ ├── com.apple.vpn.managed.applayer.yaml │ ├── com.apple.vpn.managed.appmapping.yaml │ ├── com.apple.vpn.managed.yaml │ ├── com.apple.webClip.managed.yaml │ ├── com.apple.webcontent-filter.yaml │ ├── com.apple.wifi.managed.yaml │ ├── com.apple.xsan.preferences.yaml │ ├── com.apple.xsan.yaml │ └── loginwindow.yaml └── other ├── esso.yaml ├── machineinfo.yaml ├── manifesturl.yaml ├── passwordhash.yaml └── skipkeys.yaml /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | This repository does not accept pull requests. 2 | 3 | All feedback on the data in this repository should be made using the `Feedback Assistant` app or website (https://feedbackassistant.apple.com). Select feedback for `Enterprise & Education`, and choose the `Mobile Device Management (MDM)` area. 4 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/apple/device-management/7d4ba1a2bde50a4053fa5a5e0ed6c17388d82ab2/.gitignore -------------------------------------------------------------------------------- /LICENSE.txt: -------------------------------------------------------------------------------- 1 | Copyright © 2022-2025 Apple Inc. 
2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a 4 | copy of this software and associated documentation files (the 5 | "Software"), to deal in the Software without restriction, including 6 | without limitation the rights to use, copy, modify, merge, publish, 7 | distribute, sublicense, and/or sell copies of the Software, and to 8 | permit persons to whom the Software is furnished to do so, subject to 9 | the following conditions: 10 | 11 | The above copyright notice and this permission notice shall be included 12 | in all copies or substantial portions of the Software. 13 | 14 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 15 | OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 16 | MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 17 | IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY 18 | CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, 19 | TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE 20 | SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 21 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Device Management Client Schema 2 | 3 | This repository contains Apple's Device Management Client schema data for the MDM (Mobile Device Management) protocol, and the Declarative Device Management feature. 
4 | 5 | ## OS Versions 6 | 7 | This release corresponds to the following OS versions 8 | 9 | | OS | Version | 10 | |----------|---------| 11 | | iOS | 18.4 | 12 | | macOS | 15.4 | 13 | | tvOS | 18.4 | 14 | | visionOS | 2.4 | 15 | | watchOS | 11.4 | 16 | 17 | ## Important Release Notes 18 | 19 | ### Declarative device management related status 20 | 21 | Declarative device management configuration schema now includes a `related-status-items` key to show the relationship between status items and configurations. 22 | 23 | ## What's Available 24 | 25 | The following schema items are available: 26 | 27 | * MDM commands - `mdm/commands` 28 | * MDM check-in requests - `mdm/checkin` 29 | * MDM profiles - `mdm/profiles` 30 | * MDM errors - `mdm/errors` 31 | 32 | * Declarative device management declarations - `declarative/declarations` 33 | * Declarative device management status items - `declarative/status` 34 | * Declarative device management protocol - `declarative/protocol` 35 | 36 | * Other device management data formats 37 | 38 | ## YAML Schema Definition 39 | 40 | See [YAML Schema](docs/schema.md). 41 | 42 | ## Providing Feedback 43 | 44 | All feedback on the data in this repository should be made using the `Feedback Assistant` app or website (https://feedbackassistant.apple.com). Select feedback for `Enterprise & Education`, and choose the `Mobile Device Management (MDM)` area. 45 | 46 | We will NOT be accepting pull requests on this repository - please use `Feedback Assistant` for all requests. 47 | -------------------------------------------------------------------------------- /declarative/declarations/activations/simple.yaml: -------------------------------------------------------------------------------- 1 | title: Activation:Simple 2 | description: An activation used to install a set of configurations. 
3 | payload: 4 | declarationtype: com.apple.activation.simple 5 | supportedOS: 6 | iOS: 7 | introduced: '15.0' 8 | macOS: 9 | introduced: '13.0' 10 | tvOS: 11 | introduced: '16.0' 12 | visionOS: 13 | introduced: '1.1' 14 | watchOS: 15 | introduced: '10.0' 16 | payloadkeys: 17 | - key: StandardConfigurations 18 | type: 19 | presence: required 20 | content: An array of strings that specify the identifiers of configurations to install. 21 | A failure to install one of the configurations doesn't prevent other configurations 22 | from installing. 23 | subkeys: 24 | - key: StandardConfigurationsItems 25 | type: 26 | - key: Predicate 27 | type: 28 | presence: optional 29 | content: A predicate format string as Apple's Predicate Programming 30 | describes. The activation only installs when the predicate evaluates to 'true' 31 | or isn't present. 32 | -------------------------------------------------------------------------------- /declarative/declarations/assets/credentials/identity.yaml: -------------------------------------------------------------------------------- 1 | title: Identity Credential 2 | description: 'Data for a PKCS #12 password-protected identity.' 3 | payload: 4 | credentialtype: com.apple.credential.identity 5 | supportedOS: 6 | iOS: 7 | introduced: '17.0' 8 | macOS: 9 | introduced: '14.0' 10 | tvOS: 11 | introduced: '17.0' 12 | visionOS: 13 | introduced: '1.1' 14 | watchOS: 15 | introduced: '10.0' 16 | payloadkeys: 17 | - key: Password 18 | type: 19 | presence: required 20 | content: 'The password required to decrypt the PKCS #12 identity data.' 21 | - key: Identity 22 | type: 23 | presence: required 24 | content: 'The PKCS #12 identity data.' 
25 | -------------------------------------------------------------------------------- /declarative/declarations/assets/credentials/usernameandpassword.yaml: -------------------------------------------------------------------------------- 1 | title: User Name and Password Credential 2 | description: Data describing a credential representing a user name and password. 3 | payload: 4 | credentialtype: com.apple.credential.usernameandpassword 5 | supportedOS: 6 | iOS: 7 | introduced: '15.0' 8 | macOS: 9 | introduced: '13.0' 10 | tvOS: 11 | introduced: '16.0' 12 | visionOS: 13 | introduced: '1.1' 14 | watchOS: 15 | introduced: '10.0' 16 | payloadkeys: 17 | - key: UserName 18 | type: 19 | presence: required 20 | content: The user name for this credential. 21 | - key: Password 22 | type: 23 | presence: optional 24 | content: The password for this credential. 25 | -------------------------------------------------------------------------------- /declarative/declarations/assets/data.yaml: -------------------------------------------------------------------------------- 1 | title: Asset:Data 2 | description: A reference to arbitrary data with a specific media type. 3 | payload: 4 | declarationtype: com.apple.asset.data 5 | supportedOS: 6 | iOS: 7 | introduced: '17.0' 8 | macOS: 9 | introduced: '14.0' 10 | tvOS: 11 | introduced: '17.0' 12 | visionOS: 13 | introduced: '1.1' 14 | watchOS: 15 | introduced: '10.0' 16 | payloadkeys: 17 | - key: Reference 18 | type: 19 | presence: required 20 | content: The external reference. 21 | subkeys: 22 | - key: DataURL 23 | type: 24 | presence: required 25 | content: The URL that hosts the credential data. The URL must start with 'https://'. 26 | - key: ContentType 27 | type: 28 | presence: optional 29 | content: The media type that describes the data. 30 | - key: Size 31 | type: 32 | presence: optional 33 | content: The size of the data at the 'DataURL'. Use this value to verify that 34 | the returned data is the expected data. 
Use this value to detect when the data 35 | changes. 36 | - key: Hash-SHA-256 37 | type: 38 | presence: optional 39 | content: |- 40 | A SHA-256 hash of the data at the 'DataURL'. Use this value to verify that the returned data is the expected data. Use this value to detect when the data changes. 41 | If 'Size' is '0', clients need to ignore this value or set it to an empty string. 42 | - key: Authentication 43 | type: 44 | presence: optional 45 | content: The server authentication details. 46 | subkeys: 47 | - key: Type 48 | type: 49 | presence: required 50 | rangelist: 51 | - MDM 52 | - None 53 | content: |- 54 | Type of authentication: 55 | * MDM - a request using MDM semantics (includes the device identity certificate, and any user authentication). Equivalent to an MDM request made to the CheckInURL or ServerURL. This option can only be used when using declarative device management. 56 | * None - a standard GET request is carried out. 57 | -------------------------------------------------------------------------------- /declarative/declarations/assets/useridentity.yaml: -------------------------------------------------------------------------------- 1 | title: Asset:User Identity 2 | description: User identity data. 3 | payload: 4 | declarationtype: com.apple.asset.useridentity 5 | supportedOS: 6 | iOS: 7 | introduced: '15.0' 8 | macOS: 9 | introduced: '13.0' 10 | tvOS: 11 | introduced: '16.0' 12 | visionOS: 13 | introduced: '1.1' 14 | watchOS: 15 | introduced: '10.0' 16 | payloadkeys: 17 | - key: FullName 18 | title: Full Name 19 | type: 20 | presence: optional 21 | content: The user's full name. 22 | - key: EmailAddress 23 | title: Email Address 24 | type: 25 | presence: optional 26 | content: The email address of the user. 
27 | -------------------------------------------------------------------------------- /declarative/declarations/configurations/account.google.yaml: -------------------------------------------------------------------------------- 1 | title: Account:Google 2 | description: Use this configuration to define settings for access to Google services. 3 | payload: 4 | declarationtype: com.apple.configuration.account.google 5 | supportedOS: 6 | iOS: 7 | introduced: '15.0' 8 | allowed-enrollments: 9 | - supervised 10 | - device 11 | - user 12 | - local 13 | allowed-scopes: 14 | - system 15 | sharedipad: 16 | allowed-scopes: 17 | - user 18 | macOS: 19 | introduced: '13.0' 20 | allowed-enrollments: 21 | - supervised 22 | - user 23 | - local 24 | allowed-scopes: 25 | - user 26 | tvOS: 27 | introduced: n/a 28 | visionOS: 29 | introduced: '1.1' 30 | allowed-enrollments: 31 | - supervised 32 | - device 33 | - user 34 | - local 35 | allowed-scopes: 36 | - system 37 | watchOS: 38 | introduced: n/a 39 | apply: multiple 40 | content: A Google configuration defines a Google account for a user. The user will 41 | be prompted to enter their credentials shortly after the configuration successfully 42 | installs. 43 | payloadkeys: 44 | - key: VisibleName 45 | title: Account Name 46 | type: 47 | presence: optional 48 | content: The name that apps show to the user for this Google account. If not present, 49 | the system generates a suitable default. 50 | - key: UserIdentityAssetReference 51 | title: User Identity Asset Reference 52 | type: 53 | assettypes: 54 | - com.apple.asset.useridentity 55 | presence: required 56 | content: The identifier of an asset declaration that contains the user identity 57 | for this Google account. Set the corresponding asset type to 'UserIdentity' and 58 | ensure that it contains an 'EmailAddress' key that specifies the full Google email 59 | address for the account. 
60 | related-status-items: 61 | - status-items: 62 | - account.list.google 63 | note: Each configuration will have a corresponding status item. 64 | -------------------------------------------------------------------------------- /declarative/declarations/configurations/diskmanagement.settings.yaml: -------------------------------------------------------------------------------- 1 | title: Disk Management:Settings 2 | description: Use this configuration to install disk management settings on the device. 3 | payload: 4 | declarationtype: com.apple.configuration.diskmanagement.settings 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '15.0' 10 | allowed-enrollments: 11 | - supervised 12 | - local 13 | allowed-scopes: 14 | - system 15 | tvOS: 16 | introduced: n/a 17 | visionOS: 18 | introduced: n/a 19 | watchOS: 20 | introduced: n/a 21 | apply: combined 22 | payloadkeys: 23 | - key: Restrictions 24 | type: 25 | presence: optional 26 | content: The restrictions for the disk. 27 | subkeys: 28 | - key: ExternalStorage 29 | title: External Storage 30 | type: 31 | presence: optional 32 | rangelist: 33 | - Allowed 34 | - ReadOnly 35 | - Disallowed 36 | combinetype: enum-last 37 | content: |- 38 | Specifies the mount policy for external storage: 39 | * 'Allowed': the system can mount external storage that is read-write or read-only. 40 | * 'ReadOnly': the system can only mount read-only external storage. Note that external storage that is read-write will not be mounted read-only. 41 | * 'Disallowed': The system can't mount any external storage. 42 | - key: NetworkStorage 43 | title: Network Storage 44 | type: 45 | presence: optional 46 | rangelist: 47 | - Allowed 48 | - ReadOnly 49 | - Disallowed 50 | combinetype: enum-last 51 | content: |- 52 | Specifies the mount policy for network storage: 53 | * 'Allowed': the system can mount network storage that is read-write or read-only. 54 | * 'ReadOnly': the system can only mount read-only network storage. 
Note that network storage that is read-write will not be mounted read-only. 55 | * 'Disallowed': The system can't mount any network storage. 56 | -------------------------------------------------------------------------------- /declarative/declarations/configurations/legacy.interactive.yaml: -------------------------------------------------------------------------------- 1 | title: Legacy Interactive Profile 2 | description: Specifies an MDMv1 profile to present to the user who may choose to download 3 | and install it 4 | payload: 5 | declarationtype: com.apple.configuration.legacy.interactive 6 | supportedOS: 7 | iOS: 8 | introduced: '15.0' 9 | allowed-enrollments: 10 | - supervised 11 | - device 12 | - user 13 | allowed-scopes: 14 | - system 15 | sharedipad: 16 | allowed-scopes: [] 17 | macOS: 18 | introduced: '13.0' 19 | allowed-enrollments: 20 | - supervised 21 | - user 22 | allowed-scopes: 23 | - system 24 | - user 25 | tvOS: 26 | introduced: '16.0' 27 | allowed-enrollments: 28 | - supervised 29 | - device 30 | allowed-scopes: 31 | - system 32 | visionOS: 33 | introduced: '1.1' 34 | allowed-enrollments: 35 | - supervised 36 | - device 37 | - user 38 | allowed-scopes: 39 | - system 40 | watchOS: 41 | introduced: n/a 42 | apply: multiple 43 | payloadkeys: 44 | - key: ProfileURL 45 | title: Profile's URL. 46 | type: 47 | presence: required 48 | content: |- 49 | The URL of the profile to download and install, which needs to start with 'https://', and must be hosted by the MDM server. 50 | If a user enrollment triggers this configuration, the system silently ignores any MDM 1 payloads in macOS where the User Enrollment Mode setting is 'forbidden'. In iOS, the system rejects the entire profile. 51 | - key: VisibleName 52 | title: Configuration Visible Name 53 | type: 54 | presence: required 55 | content: The visible name of the configuration. This name needs to indicate the 56 | nature of the profile. 
57 | -------------------------------------------------------------------------------- /declarative/declarations/configurations/legacy.yaml: -------------------------------------------------------------------------------- 1 | title: Legacy Profile 2 | description: Specifies an MDMv1 profile to download and install 3 | payload: 4 | declarationtype: com.apple.configuration.legacy 5 | supportedOS: 6 | iOS: 7 | introduced: '15.0' 8 | allowed-enrollments: 9 | - supervised 10 | - device 11 | - user 12 | - local 13 | allowed-scopes: 14 | - system 15 | sharedipad: 16 | allowed-scopes: 17 | - system 18 | - user 19 | macOS: 20 | introduced: '13.0' 21 | allowed-enrollments: 22 | - supervised 23 | - user 24 | - local 25 | allowed-scopes: 26 | - system 27 | - user 28 | tvOS: 29 | introduced: '16.0' 30 | allowed-enrollments: 31 | - supervised 32 | - device 33 | - local 34 | allowed-scopes: 35 | - system 36 | visionOS: 37 | introduced: '1.1' 38 | allowed-enrollments: 39 | - supervised 40 | - device 41 | - user 42 | - local 43 | allowed-scopes: 44 | - system 45 | watchOS: 46 | introduced: '10.0' 47 | allowed-enrollments: 48 | - supervised 49 | - local 50 | allowed-scopes: 51 | - system 52 | apply: multiple 53 | payloadkeys: 54 | - key: ProfileURL 55 | title: Profile's URL. 56 | type: 57 | presence: required 58 | content: |- 59 | The URL of the profile to download and install, which needs to start with 'https://', and must be hosted by the MDM server. 60 | If a user enrollment triggers this configuration, the system silently ignores any MDM 1 payloads in macOS where the User Enrollment Mode setting is 'forbidden'. In iOS and tvOS, the system rejects the entire profile. 
61 | -------------------------------------------------------------------------------- /declarative/declarations/configurations/management.status-subscriptions.yaml: -------------------------------------------------------------------------------- 1 | title: Management:Status Subscriptions 2 | description: Use this configuration to define the status subscriptions that cause 3 | status to be reported by the client. 4 | payload: 5 | declarationtype: com.apple.configuration.management.status-subscriptions 6 | supportedOS: 7 | iOS: 8 | introduced: '15.0' 9 | allowed-enrollments: 10 | - supervised 11 | - device 12 | - user 13 | allowed-scopes: 14 | - system 15 | sharedipad: 16 | allowed-scopes: 17 | - system 18 | - user 19 | macOS: 20 | introduced: '13.0' 21 | allowed-enrollments: 22 | - supervised 23 | - user 24 | allowed-scopes: 25 | - system 26 | - user 27 | tvOS: 28 | introduced: '16.0' 29 | allowed-enrollments: 30 | - supervised 31 | - device 32 | allowed-scopes: 33 | - system 34 | visionOS: 35 | introduced: '1.1' 36 | allowed-enrollments: 37 | - supervised 38 | - device 39 | - user 40 | allowed-scopes: 41 | - system 42 | watchOS: 43 | introduced: '10.0' 44 | allowed-enrollments: 45 | - supervised 46 | allowed-scopes: 47 | - system 48 | apply: combined 49 | payloadkeys: 50 | - key: StatusItems 51 | title: Status Items 52 | type: 53 | presence: required 54 | combinetype: set-union 55 | content: An array of status items that the device notifies subscribers about. 56 | subkeys: 57 | - key: StatusItem 58 | type: 59 | subkeys: 60 | - key: Name 61 | type: 62 | presence: required 63 | content: The name of the status item to send to subscribers. 
64 | -------------------------------------------------------------------------------- /declarative/declarations/configurations/screensharing.connection.group.yaml: -------------------------------------------------------------------------------- 1 | title: Screen Sharing:Connection Group 2 | description: Use this configuration to define a group of Screen Sharing connections. 3 | payload: 4 | declarationtype: com.apple.configuration.screensharing.connection.group 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '14.0' 10 | allowed-enrollments: 11 | - supervised 12 | - user 13 | - local 14 | allowed-scopes: 15 | - system 16 | - user 17 | tvOS: 18 | introduced: n/a 19 | visionOS: 20 | introduced: n/a 21 | watchOS: 22 | introduced: n/a 23 | apply: multiple 24 | payloadkeys: 25 | - key: ConnectionGroupUUID 26 | title: Unique Identifier 27 | type: 28 | presence: required 29 | content: A string which uniquely identifies this connection group. 30 | - key: GroupName 31 | title: Group Name 32 | type: 33 | presence: required 34 | content: The name of the Connection Group. 35 | - key: Members 36 | title: Group Members 37 | type: 38 | presence: required 39 | content: |- 40 | Array of ConnectionUUIDs (matching a connection declared in a 41 | com.apple.configuration.screensharing.connection configuration) of the Connections 42 | that should be members of this group. 43 | subkeys: 44 | - key: ConnectionUUID 45 | type: 46 | related-status-items: 47 | - status-items: 48 | - screensharing.connection.group.unresolved-connection 49 | note: Any unresolved connection groups in the configuration will appear in the corresponding 50 | status item. 
51 | -------------------------------------------------------------------------------- /declarative/declarations/configurations/security.certificate.yaml: -------------------------------------------------------------------------------- 1 | title: Security:Certificate 2 | description: Use this configuration to add a certificate to the device. 3 | payload: 4 | declarationtype: com.apple.configuration.security.certificate 5 | supportedOS: 6 | iOS: 7 | introduced: '17.0' 8 | allowed-enrollments: 9 | - supervised 10 | - device 11 | - user 12 | - local 13 | allowed-scopes: 14 | - system 15 | sharedipad: 16 | allowed-scopes: 17 | - system 18 | - user 19 | macOS: 20 | introduced: '14.0' 21 | allowed-enrollments: 22 | - supervised 23 | - user 24 | - local 25 | allowed-scopes: 26 | - system 27 | - user 28 | tvOS: 29 | introduced: '17.0' 30 | allowed-enrollments: 31 | - supervised 32 | - device 33 | - local 34 | allowed-scopes: 35 | - system 36 | visionOS: 37 | introduced: '1.1' 38 | allowed-enrollments: 39 | - supervised 40 | - device 41 | - user 42 | - local 43 | allowed-scopes: 44 | - system 45 | watchOS: 46 | introduced: '10.0' 47 | allowed-enrollments: 48 | - supervised 49 | - local 50 | allowed-scopes: 51 | - system 52 | apply: multiple 53 | payloadkeys: 54 | - key: CredentialAssetReference 55 | title: Credential asset reference 56 | type: 57 | assettypes: 58 | - com.apple.asset.credential.certificate 59 | presence: required 60 | content: The identifier of an asset declaration that contains the certificate to 61 | install. 62 | related-status-items: 63 | - status-items: 64 | - security.certificate.list 65 | note: Each configuration will have a corresponding status item. 
66 | -------------------------------------------------------------------------------- /declarative/declarations/configurations/security.passkey.attestation.yaml: -------------------------------------------------------------------------------- 1 | title: Security:Passkey:Attestation 2 | description: Configures the device to allow WebAuthn enterprise attestation for certain 3 | passkeys. 4 | payload: 5 | declarationtype: com.apple.configuration.security.passkey.attestation 6 | supportedOS: 7 | iOS: 8 | introduced: '17.0' 9 | allowed-enrollments: 10 | - supervised 11 | - device 12 | allowed-scopes: 13 | - system 14 | sharedipad: 15 | allowed-scopes: [] 16 | macOS: 17 | introduced: '14.0' 18 | allowed-enrollments: 19 | - supervised 20 | allowed-scopes: 21 | - user 22 | tvOS: 23 | introduced: n/a 24 | visionOS: 25 | introduced: n/a 26 | watchOS: 27 | introduced: n/a 28 | apply: multiple 29 | payloadkeys: 30 | - key: AttestationIdentityAssetReference 31 | title: Attestation identity asset reference 32 | type: 33 | assettypes: 34 | - com.apple.asset.credential.identity 35 | - com.apple.asset.credential.scep 36 | - com.apple.asset.credential.acme 37 | presence: required 38 | content: The identifier of an asset declaration that contains the identity to install 39 | and use for passkey attestation. 40 | - key: AttestationIdentityKeyIsExtractable 41 | title: Attestation identity key is extractable 42 | supportedOS: 43 | iOS: 44 | introduced: n/a 45 | type: 46 | presence: optional 47 | default: true 48 | content: If 'true', the private key for the attestation identity is extractable 49 | in the keychain. This key applies only to macOS. Because the default is 'true', the attestation private key can be exported from the keychain unless the server explicitly sets this key to 'false'. 50 | - key: RelyingParties 51 | title: Relying parties 52 | type: 53 | presence: required 54 | content: An array of the relying parties to allow enterprise attestation. 
55 | subkeys: 56 | - key: RelyingParty 57 | title: Relying party 58 | type: 59 | -------------------------------------------------------------------------------- /declarative/declarations/configurations/services.configuration-files.yaml: -------------------------------------------------------------------------------- 1 | title: Services Configuration Files 2 | description: Specifies managed configuration files for services 3 | payload: 4 | declarationtype: com.apple.configuration.services.configuration-files 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '14.0' 10 | allowed-enrollments: 11 | - supervised 12 | allowed-scopes: 13 | - system 14 | tvOS: 15 | introduced: n/a 16 | visionOS: 17 | introduced: n/a 18 | watchOS: 19 | introduced: n/a 20 | apply: multiple 21 | payloadkeys: 22 | - key: ServiceType 23 | title: Service Type 24 | type: 25 | presence: required 26 | content: |- 27 | The identifier of the system service with managed configuration files. Use a reverse DNS style for this identifier. However, the system reserves 'com.apple.' prefix for built-in services. The available built-in services are: 28 | * 'com.apple.sshd' configures sshd 29 | * 'com.apple.sudo' configures sudo 30 | * 'com.apple.pam' configures PAM 31 | * 'com.apple.cups' configures CUPS 32 | * 'com.apple.apache.httpd' configures Apache httpd 33 | * 'com.apple.bash' configures bash 34 | * 'com.apple.zsh' configures zsh 35 | - key: DataAssetReference 36 | title: Data Asset Reference 37 | type: 38 | assettypes: 39 | - com.apple.asset.data 40 | asset-content-types: 41 | - application/zip 42 | presence: required 43 | content: |- 44 | The identifier of an asset declaration that contains a reference to the files to use for system service configuration. 
Ensure that the corresponding asset: 45 | 46 | * Is of type 'com.apple.asset.data' 47 | * Is a zip archive of an entire directory 48 | * Has a 'Reference' key that includes the 'ContentType' and 'Hash-SHA-256' keys; the system requires both, and the SHA-256 hash is what lets the device verify the integrity of the archive it downloads 49 | 50 | The system expands the zip archive and stores the data in a well-known location for the service. 51 | -------------------------------------------------------------------------------- /declarative/declarations/configurations/watch.enrollment.yaml: -------------------------------------------------------------------------------- 1 | title: Watch:Enrollment 2 | description: Specifies an MDMv1 Apple Watch enrollment profile 3 | payload: 4 | declarationtype: com.apple.configuration.watch.enrollment 5 | supportedOS: 6 | iOS: 7 | introduced: '17.0' 8 | allowed-enrollments: 9 | - supervised 10 | allowed-scopes: 11 | - system 12 | sharedipad: 13 | allowed-scopes: [] 14 | macOS: 15 | introduced: n/a 16 | tvOS: 17 | introduced: n/a 18 | visionOS: 19 | introduced: n/a 20 | watchOS: 21 | introduced: n/a 22 | apply: single 23 | payloadkeys: 24 | - key: EnrollmentProfileURL 25 | title: Watch Enrollment Profile's URL. 26 | type: 27 | presence: required 28 | content: The URL of the profile that the Apple Watch downloads and installs if the 29 | user opts in to management during the pairing process. The URL must use the 30 | 'https://' scheme. Successful enrollment requires that the pairing iPhone is supervised 31 | and the profile contains an MDM payload. Apple Watch attempts to install each 32 | payload that the profile contains. 33 | - key: AnchorCertificateAssetReferences 34 | title: Anchor Certificate Asset References. 35 | type: 36 | assettypes: 37 | - com.apple.asset.credential.certificate 38 | presence: optional 39 | content: |- 40 | An array of identifiers of asset declarations that contain anchor certificates to use to evaluate the trust of the enrollment profile server. 
Set the type of the corresponding assets to 'com.apple.asset.credential.certificate'. 41 | These certificates are pinned, meaning that the server specified by the 'EnrollmentProfileURL' must use a certificate that chains to one of the certs in this array. 42 | If it chains to one of the built-in trusted root certificates but not one of the 'AnchorCertificateAssetReferences' certs, the connection will fail. 43 | subkeys: 44 | - key: AnchorCertificateAssetReferenceItem 45 | type: 46 | content: Specifies the identifier of an asset declaration containing the anchor 47 | certificate to be used. 48 | -------------------------------------------------------------------------------- /declarative/declarations/management/organization-info.yaml: -------------------------------------------------------------------------------- 1 | title: Management:Organization Information 2 | description: Use this declaration to tell the client about the server's organization 3 | information. 4 | payload: 5 | declarationtype: com.apple.management.organization-info 6 | supportedOS: 7 | iOS: 8 | introduced: '15.0' 9 | macOS: 10 | introduced: '13.0' 11 | tvOS: 12 | introduced: '16.0' 13 | visionOS: 14 | introduced: '1.1' 15 | watchOS: 16 | introduced: '10.0' 17 | payloadkeys: 18 | - key: Name 19 | title: Organization Name 20 | type: 21 | presence: required 22 | content: The name of the organization. 23 | - key: Email 24 | title: Organization Email Address 25 | type: 26 | presence: optional 27 | content: The email address of the contact person for the organization. 28 | - key: URL 29 | title: Organization URL 30 | type: 31 | presence: optional 32 | content: The website of the organization to contact for support. 33 | - key: Proof 34 | title: Organization Identity 35 | type: 36 | presence: optional 37 | content: The additional properties that verify the identity and authenticity of 38 | the organization. 
39 | subkeys: 40 | - key: IdentityToken 41 | title: Organization Identity Token 42 | type: 43 | presence: optional 44 | content: A token that verifies the identity of the organization when using this 45 | service. 46 | -------------------------------------------------------------------------------- /declarative/declarations/management/properties.yaml: -------------------------------------------------------------------------------- 1 | title: Management:Properties 2 | description: Use this declaration to set properties on the device. 3 | payload: 4 | declarationtype: com.apple.management.properties 5 | supportedOS: 6 | iOS: 7 | introduced: '16.0' 8 | macOS: 9 | introduced: '13.0' 10 | tvOS: 11 | introduced: '16.0' 12 | visionOS: 13 | introduced: '1.1' 14 | watchOS: 15 | introduced: '10.0' 16 | payloadkeys: 17 | - key: ANY 18 | title: Property 19 | type: 20 | presence: optional 21 | content: Each entry represents a property key/value. 22 | -------------------------------------------------------------------------------- /declarative/declarations/management/server-capabilities.yaml: -------------------------------------------------------------------------------- 1 | title: Management:Server Capabilities 2 | description: Use this declaration to tell the client about the server's capabilities. 3 | payload: 4 | declarationtype: com.apple.management.server-capabilities 5 | supportedOS: 6 | iOS: 7 | introduced: '15.0' 8 | macOS: 9 | introduced: '13.0' 10 | tvOS: 11 | introduced: '16.0' 12 | visionOS: 13 | introduced: '1.1' 14 | watchOS: 15 | introduced: '10.0' 16 | payloadkeys: 17 | - key: Version 18 | title: Protocol Version 19 | type: 20 | presence: required 21 | content: The server's protocol version. 22 | - key: SupportedFeatures 23 | title: Supported Features 24 | type: 25 | presence: required 26 | content: |- 27 | A dictionary that contains the server's optional protocol features. 
28 | Each dictionary item uses the key name to represent a feature, and the value to hold the feature's associated parameters. This protocol reserves keys with a prefix of 'com.apple.', which appear as subkeys in this dictionary. 29 | subkeys: 30 | - key: ANY 31 | type: 32 | presence: optional 33 | content: Additional keys may be present. 34 | -------------------------------------------------------------------------------- /declarative/protocol/tokensresponse.yaml: -------------------------------------------------------------------------------- 1 | title: Tokens Response 2 | description: The server's synchronization tokens. 3 | payload: 4 | requesttype: TokensResponse 5 | supportedOS: 6 | iOS: 7 | introduced: '15.0' 8 | macOS: 9 | introduced: '13.0' 10 | tvOS: 11 | introduced: '16.0' 12 | visionOS: 13 | introduced: '1.1' 14 | watchOS: 15 | introduced: '10.0' 16 | payloadkeys: 17 | - key: SyncTokens 18 | title: Synchronization Tokens 19 | type: 20 | presence: required 21 | content: A dictionary of synchronization tokens that describes the state of different 22 | types of data on the server. The client uses these tokens to determine which endpoints 23 | it needs to use to fetch new or updated data on the server. 24 | subkeytype: SynchronizationTokens 25 | -------------------------------------------------------------------------------- /declarative/status/device.identifier.serial-number.yaml: -------------------------------------------------------------------------------- 1 | title: Status Device Serial Number 2 | description: The device's serial number. 
3 | payload: 4 | statusitemtype: device.identifier.serial-number 5 | supportedOS: 6 | iOS: 7 | introduced: '16.0' 8 | allowed-enrollments: 9 | - supervised 10 | - device 11 | - local 12 | allowed-scopes: 13 | - system 14 | sharedipad: 15 | allowed-scopes: 16 | - system 17 | - user 18 | macOS: 19 | introduced: '13.0' 20 | allowed-enrollments: 21 | - supervised 22 | - local 23 | allowed-scopes: 24 | - system 25 | - user 26 | tvOS: 27 | introduced: '16.0' 28 | allowed-enrollments: 29 | - supervised 30 | - device 31 | - local 32 | allowed-scopes: 33 | - system 34 | visionOS: 35 | introduced: '1.1' 36 | allowed-enrollments: 37 | - supervised 38 | - device 39 | - local 40 | allowed-scopes: 41 | - system 42 | watchOS: 43 | introduced: '10.0' 44 | allowed-enrollments: 45 | - supervised 46 | - local 47 | allowed-scopes: 48 | - system 49 | payloadkeys: 50 | - key: device.identifier.serial-number 51 | title: Status item value. 52 | type: 53 | presence: required 54 | content: The device's serial number. 55 | -------------------------------------------------------------------------------- /declarative/status/device.identifier.udid.yaml: -------------------------------------------------------------------------------- 1 | title: Status Device UDID 2 | description: The device's UDID. 
3 | payload: 4 | statusitemtype: device.identifier.udid 5 | supportedOS: 6 | iOS: 7 | introduced: '16.0' 8 | allowed-enrollments: 9 | - supervised 10 | - device 11 | - local 12 | allowed-scopes: 13 | - system 14 | sharedipad: 15 | allowed-scopes: 16 | - system 17 | - user 18 | macOS: 19 | introduced: '13.0' 20 | allowed-enrollments: 21 | - supervised 22 | - local 23 | allowed-scopes: 24 | - system 25 | - user 26 | tvOS: 27 | introduced: '16.0' 28 | allowed-enrollments: 29 | - supervised 30 | - device 31 | - local 32 | allowed-scopes: 33 | - system 34 | visionOS: 35 | introduced: '1.1' 36 | allowed-enrollments: 37 | - supervised 38 | - device 39 | - local 40 | allowed-scopes: 41 | - system 42 | watchOS: 43 | introduced: '10.0' 44 | allowed-enrollments: 45 | - supervised 46 | - local 47 | allowed-scopes: 48 | - system 49 | payloadkeys: 50 | - key: device.identifier.udid 51 | title: Status item value. 52 | type: 53 | presence: required 54 | content: The device's UDID. This value is always available on the device channel. 55 | This value is only available on user channels whose organization matches that 56 | of the device channel. 57 | -------------------------------------------------------------------------------- /declarative/status/device.model.family.yaml: -------------------------------------------------------------------------------- 1 | title: Status Device Model Family 2 | description: The device's hardware family. 
3 | payload: 4 | statusitemtype: device.model.family 5 | supportedOS: 6 | iOS: 7 | introduced: '15.0' 8 | allowed-enrollments: 9 | - supervised 10 | - device 11 | - user 12 | - local 13 | allowed-scopes: 14 | - system 15 | sharedipad: 16 | allowed-scopes: 17 | - system 18 | - user 19 | macOS: 20 | introduced: '13.0' 21 | allowed-enrollments: 22 | - supervised 23 | - user 24 | - local 25 | allowed-scopes: 26 | - system 27 | - user 28 | tvOS: 29 | introduced: '16.0' 30 | allowed-enrollments: 31 | - supervised 32 | - device 33 | - local 34 | allowed-scopes: 35 | - system 36 | visionOS: 37 | introduced: '1.1' 38 | allowed-enrollments: 39 | - supervised 40 | - device 41 | - user 42 | - local 43 | allowed-scopes: 44 | - system 45 | watchOS: 46 | introduced: '10.0' 47 | allowed-enrollments: 48 | - supervised 49 | - local 50 | allowed-scopes: 51 | - system 52 | payloadkeys: 53 | - key: device.model.family 54 | title: Status item value. 55 | type: 56 | presence: required 57 | content: The hardware family of the device, such as 'Mac', 'iPhone', or 'iPad'. 58 | -------------------------------------------------------------------------------- /declarative/status/device.model.identifier.yaml: -------------------------------------------------------------------------------- 1 | title: Status Device Model Identifier 2 | description: The device's hardware identifier. 
3 | payload: 4 | statusitemtype: device.model.identifier 5 | supportedOS: 6 | iOS: 7 | introduced: '15.0' 8 | allowed-enrollments: 9 | - supervised 10 | - device 11 | - user 12 | - local 13 | allowed-scopes: 14 | - system 15 | sharedipad: 16 | allowed-scopes: 17 | - system 18 | - user 19 | macOS: 20 | introduced: '13.0' 21 | allowed-enrollments: 22 | - supervised 23 | - user 24 | - local 25 | allowed-scopes: 26 | - system 27 | - user 28 | tvOS: 29 | introduced: '16.0' 30 | allowed-enrollments: 31 | - supervised 32 | - device 33 | - local 34 | allowed-scopes: 35 | - system 36 | visionOS: 37 | introduced: '1.1' 38 | allowed-enrollments: 39 | - supervised 40 | - device 41 | - user 42 | - local 43 | allowed-scopes: 44 | - system 45 | watchOS: 46 | introduced: '10.0' 47 | allowed-enrollments: 48 | - supervised 49 | - local 50 | allowed-scopes: 51 | - system 52 | payloadkeys: 53 | - key: device.model.identifier 54 | title: Status item value. 55 | type: 56 | presence: required 57 | content: A two-part string that specifies the device's model. The first part specifies 58 | device's model family, and the second part specifies the model's version. The 59 | model's version is a comma-separated number where the first part of the number 60 | is the version, and the second part is a variant, such as 'MacBookPro15,1' or 61 | 'iPhone13,2'. 62 | -------------------------------------------------------------------------------- /declarative/status/device.model.marketing-name.yaml: -------------------------------------------------------------------------------- 1 | title: Status Device Model Marketing Name 2 | description: The device's hardware marketing name. 
3 | payload: 4 | statusitemtype: device.model.marketing-name 5 | supportedOS: 6 | iOS: 7 | introduced: '15.0' 8 | allowed-enrollments: 9 | - supervised 10 | - device 11 | - user 12 | - local 13 | allowed-scopes: 14 | - system 15 | sharedipad: 16 | allowed-scopes: 17 | - system 18 | - user 19 | macOS: 20 | introduced: '13.0' 21 | allowed-enrollments: 22 | - supervised 23 | - user 24 | - local 25 | allowed-scopes: 26 | - system 27 | - user 28 | tvOS: 29 | introduced: '16.0' 30 | allowed-enrollments: 31 | - supervised 32 | - device 33 | - local 34 | allowed-scopes: 35 | - system 36 | visionOS: 37 | introduced: '1.1' 38 | allowed-enrollments: 39 | - supervised 40 | - device 41 | - user 42 | - local 43 | allowed-scopes: 44 | - system 45 | watchOS: 46 | introduced: '10.0' 47 | allowed-enrollments: 48 | - supervised 49 | - local 50 | allowed-scopes: 51 | - system 52 | payloadkeys: 53 | - key: device.model.marketing-name 54 | title: Status item value. 55 | type: 56 | presence: required 57 | content: The device's marketing name, such as 'iPhone 12'. This value may not always 58 | be available. 59 | -------------------------------------------------------------------------------- /declarative/status/device.model.number.yaml: -------------------------------------------------------------------------------- 1 | title: Status Device Model Number 2 | description: The device's hardware number. 
3 | payload: 4 | statusitemtype: device.model.number 5 | supportedOS: 6 | iOS: 7 | introduced: '17.0' 8 | allowed-enrollments: 9 | - supervised 10 | - device 11 | - user 12 | - local 13 | allowed-scopes: 14 | - system 15 | sharedipad: 16 | allowed-scopes: 17 | - system 18 | - user 19 | macOS: 20 | introduced: '14.0' 21 | allowed-enrollments: 22 | - supervised 23 | - user 24 | - local 25 | allowed-scopes: 26 | - system 27 | - user 28 | tvOS: 29 | introduced: '17.0' 30 | allowed-enrollments: 31 | - supervised 32 | - device 33 | - local 34 | allowed-scopes: 35 | - system 36 | visionOS: 37 | introduced: '1.1' 38 | allowed-enrollments: 39 | - supervised 40 | - device 41 | - user 42 | - local 43 | allowed-scopes: 44 | - system 45 | watchOS: 46 | introduced: '10.0' 47 | allowed-enrollments: 48 | - supervised 49 | - local 50 | allowed-scopes: 51 | - system 52 | payloadkeys: 53 | - key: device.model.number 54 | title: Status item value. 55 | type: 56 | presence: required 57 | content: The device's model number. 58 | -------------------------------------------------------------------------------- /declarative/status/device.operating-system.build-version.yaml: -------------------------------------------------------------------------------- 1 | title: Status Device Operating System Build Version 2 | description: The device's operating system build version. 
3 | payload: 4 | statusitemtype: device.operating-system.build-version 5 | supportedOS: 6 | iOS: 7 | introduced: '15.0' 8 | allowed-enrollments: 9 | - supervised 10 | - device 11 | - user 12 | - local 13 | allowed-scopes: 14 | - system 15 | sharedipad: 16 | allowed-scopes: 17 | - system 18 | - user 19 | macOS: 20 | introduced: '13.0' 21 | allowed-enrollments: 22 | - supervised 23 | - user 24 | - local 25 | allowed-scopes: 26 | - system 27 | - user 28 | tvOS: 29 | introduced: '16.0' 30 | allowed-enrollments: 31 | - supervised 32 | - device 33 | - local 34 | allowed-scopes: 35 | - system 36 | visionOS: 37 | introduced: '1.1' 38 | allowed-enrollments: 39 | - supervised 40 | - device 41 | - user 42 | - local 43 | allowed-scopes: 44 | - system 45 | watchOS: 46 | introduced: '10.0' 47 | allowed-enrollments: 48 | - supervised 49 | - local 50 | allowed-scopes: 51 | - system 52 | payloadkeys: 53 | - key: device.operating-system.build-version 54 | title: Status item value. 55 | type: 56 | presence: required 57 | content: The operating system's build version on the device, such as '18F132'. 58 | -------------------------------------------------------------------------------- /declarative/status/device.operating-system.family.yaml: -------------------------------------------------------------------------------- 1 | title: Status Device Operating System Family 2 | description: The device's operating system family. 
3 | payload: 4 | statusitemtype: device.operating-system.family 5 | supportedOS: 6 | iOS: 7 | introduced: '15.0' 8 | allowed-enrollments: 9 | - supervised 10 | - device 11 | - user 12 | - local 13 | allowed-scopes: 14 | - system 15 | sharedipad: 16 | allowed-scopes: 17 | - system 18 | - user 19 | macOS: 20 | introduced: '13.0' 21 | allowed-enrollments: 22 | - supervised 23 | - user 24 | - local 25 | allowed-scopes: 26 | - system 27 | - user 28 | tvOS: 29 | introduced: '16.0' 30 | allowed-enrollments: 31 | - supervised 32 | - device 33 | - local 34 | allowed-scopes: 35 | - system 36 | visionOS: 37 | introduced: '1.1' 38 | allowed-enrollments: 39 | - supervised 40 | - device 41 | - user 42 | - local 43 | allowed-scopes: 44 | - system 45 | watchOS: 46 | introduced: '10.0' 47 | allowed-enrollments: 48 | - supervised 49 | - local 50 | allowed-scopes: 51 | - system 52 | payloadkeys: 53 | - key: device.operating-system.family 54 | title: Status item value. 55 | type: 56 | presence: required 57 | content: The operating system family in use on the device, such as 'macOS' or 'iOS'. 58 | -------------------------------------------------------------------------------- /declarative/status/device.operating-system.marketing-name.yaml: -------------------------------------------------------------------------------- 1 | title: Status Device Operating System Marketing Name 2 | description: The device's operating system marketing name. 
3 | payload: 4 | statusitemtype: device.operating-system.marketing-name 5 | supportedOS: 6 | iOS: 7 | introduced: '15.0' 8 | allowed-enrollments: 9 | - supervised 10 | - device 11 | - user 12 | - local 13 | allowed-scopes: 14 | - system 15 | sharedipad: 16 | allowed-scopes: 17 | - system 18 | - user 19 | macOS: 20 | introduced: '13.0' 21 | allowed-enrollments: 22 | - supervised 23 | - user 24 | - local 25 | allowed-scopes: 26 | - system 27 | - user 28 | tvOS: 29 | introduced: '16.0' 30 | allowed-enrollments: 31 | - supervised 32 | - device 33 | - local 34 | allowed-scopes: 35 | - system 36 | visionOS: 37 | introduced: '1.1' 38 | allowed-enrollments: 39 | - supervised 40 | - device 41 | - user 42 | - local 43 | allowed-scopes: 44 | - system 45 | watchOS: 46 | introduced: '10.0' 47 | allowed-enrollments: 48 | - supervised 49 | - local 50 | allowed-scopes: 51 | - system 52 | payloadkeys: 53 | - key: device.operating-system.marketing-name 54 | title: Status item value. 55 | type: 56 | presence: required 57 | content: The operating system's marketing name in use on the device, such as 'Catalina'. 58 | -------------------------------------------------------------------------------- /declarative/status/device.operating-system.supplemental.build-version.yaml: -------------------------------------------------------------------------------- 1 | title: Status Device Operating System Supplemental Build Version 2 | description: The device's operating system supplemental build version. 
3 | payload: 4 | statusitemtype: device.operating-system.supplemental.build-version 5 | supportedOS: 6 | iOS: 7 | introduced: '16.1' 8 | allowed-enrollments: 9 | - supervised 10 | - device 11 | - user 12 | - local 13 | allowed-scopes: 14 | - system 15 | sharedipad: 16 | allowed-scopes: 17 | - system 18 | - user 19 | macOS: 20 | introduced: '13.0' 21 | allowed-enrollments: 22 | - supervised 23 | - user 24 | - local 25 | allowed-scopes: 26 | - system 27 | - user 28 | tvOS: 29 | introduced: '16.1' 30 | allowed-enrollments: 31 | - supervised 32 | - device 33 | - local 34 | allowed-scopes: 35 | - system 36 | visionOS: 37 | introduced: '1.1' 38 | allowed-enrollments: 39 | - supervised 40 | - device 41 | - user 42 | - local 43 | allowed-scopes: 44 | - system 45 | watchOS: 46 | introduced: '10.0' 47 | allowed-enrollments: 48 | - supervised 49 | - local 50 | allowed-scopes: 51 | - system 52 | payloadkeys: 53 | - key: device.operating-system.supplemental.build-version 54 | title: Status item value. 55 | type: 56 | presence: required 57 | content: The operating system's build and rapid security response versions in use 58 | on the device, for example, '20A123a' or '20B27c'. 59 | -------------------------------------------------------------------------------- /declarative/status/device.operating-system.supplemental.extra-version.yaml: -------------------------------------------------------------------------------- 1 | title: Status Device Operating System Supplemental Extra Version 2 | description: The device's operating system rapid security response version. 
3 | payload: 4 | statusitemtype: device.operating-system.supplemental.extra-version 5 | supportedOS: 6 | iOS: 7 | introduced: '16.1' 8 | allowed-enrollments: 9 | - supervised 10 | - device 11 | - user 12 | - local 13 | allowed-scopes: 14 | - system 15 | sharedipad: 16 | allowed-scopes: 17 | - system 18 | - user 19 | macOS: 20 | introduced: '13.0' 21 | allowed-enrollments: 22 | - supervised 23 | - user 24 | - local 25 | allowed-scopes: 26 | - system 27 | - user 28 | tvOS: 29 | introduced: '16.1' 30 | allowed-enrollments: 31 | - supervised 32 | - device 33 | - local 34 | allowed-scopes: 35 | - system 36 | visionOS: 37 | introduced: '1.1' 38 | allowed-enrollments: 39 | - supervised 40 | - device 41 | - user 42 | - local 43 | allowed-scopes: 44 | - system 45 | watchOS: 46 | introduced: '10.0' 47 | allowed-enrollments: 48 | - supervised 49 | - local 50 | allowed-scopes: 51 | - system 52 | payloadkeys: 53 | - key: device.operating-system.supplemental.extra-version 54 | title: Status item value. 55 | type: 56 | presence: required 57 | content: The operating system's rapid security response version in use on the device, 58 | for example, 'a'. 59 | -------------------------------------------------------------------------------- /declarative/status/device.operating-system.version.yaml: -------------------------------------------------------------------------------- 1 | title: Status Device Operating System Version 2 | description: The device's operating system version. 
3 | payload: 4 | statusitemtype: device.operating-system.version 5 | supportedOS: 6 | iOS: 7 | introduced: '15.0' 8 | allowed-enrollments: 9 | - supervised 10 | - device 11 | - user 12 | - local 13 | allowed-scopes: 14 | - system 15 | sharedipad: 16 | allowed-scopes: 17 | - system 18 | - user 19 | macOS: 20 | introduced: '13.0' 21 | allowed-enrollments: 22 | - supervised 23 | - user 24 | - local 25 | allowed-scopes: 26 | - system 27 | - user 28 | tvOS: 29 | introduced: '16.0' 30 | allowed-enrollments: 31 | - supervised 32 | - device 33 | - local 34 | allowed-scopes: 35 | - system 36 | visionOS: 37 | introduced: '1.1' 38 | allowed-enrollments: 39 | - supervised 40 | - device 41 | - user 42 | - local 43 | allowed-scopes: 44 | - system 45 | watchOS: 46 | introduced: '10.0' 47 | allowed-enrollments: 48 | - supervised 49 | - local 50 | allowed-scopes: 51 | - system 52 | payloadkeys: 53 | - key: device.operating-system.version 54 | title: Status item value. 55 | type: 56 | presence: required 57 | content: The operating system's version in use on the device, such as '15.0'. 58 | -------------------------------------------------------------------------------- /declarative/status/device.power.battery-health.yaml: -------------------------------------------------------------------------------- 1 | title: Status Device Battery Health 2 | description: The health of the battery. 3 | payload: 4 | statusitemtype: device.power.battery-health 5 | supportedOS: 6 | iOS: 7 | introduced: '17.0' 8 | allowed-enrollments: 9 | - supervised 10 | - device 11 | - local 12 | allowed-scopes: 13 | - system 14 | sharedipad: 15 | allowed-scopes: 16 | - system 17 | macOS: 18 | introduced: '14.4' 19 | allowed-enrollments: 20 | - supervised 21 | - local 22 | allowed-scopes: 23 | - system 24 | tvOS: 25 | introduced: n/a 26 | visionOS: 27 | introduced: n/a 28 | watchOS: 29 | introduced: n/a 30 | payloadkeys: 31 | - key: device.power.battery-health 32 | title: Status item value. 
33 | type: 34 | presence: required 35 | rangelist: 36 | - non-genuine 37 | - normal 38 | - service-recommended 39 | - unknown 40 | - unsupported 41 | content: |- 42 | The battery health status, which has the following values: 43 | 44 | * 'non-genuine': The battery isn't a genuine Apple battery. 45 | * 'normal': The battery is operating normally. 46 | * 'service-recommended': The system recommends battery service. 47 | * 'unknown': The system couldn't determine battery health information. 48 | * 'unsupported': The device doesn't support battery health reporting. 49 | 50 | Available in iOS 17 and later on iPhone, iPadOS 18.4 and later on supported iPad models, and macOS 14.4 and later on Apple silicon Mac computers. 51 | -------------------------------------------------------------------------------- /declarative/status/diskmanagement.filevault.enabled.yaml: -------------------------------------------------------------------------------- 1 | title: Status Disk Management File Vault Enabled 2 | description: The enabled status of the File Vault. 3 | payload: 4 | statusitemtype: diskmanagement.filevault.enabled 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '14.0' 10 | allowed-enrollments: 11 | - supervised 12 | - local 13 | allowed-scopes: 14 | - system 15 | tvOS: 16 | introduced: n/a 17 | visionOS: 18 | introduced: n/a 19 | watchOS: 20 | introduced: n/a 21 | payloadkeys: 22 | - key: diskmanagement.filevault.enabled 23 | title: Status item value. 24 | type: 25 | presence: required 26 | content: A Boolean value that specifies the File Vault enabled status on the device. 27 | -------------------------------------------------------------------------------- /declarative/status/passcode.is-compliant.yaml: -------------------------------------------------------------------------------- 1 | title: Status Passcode Compliance 2 | description: The state of passcode compliance. 
3 | payload: 4 | statusitemtype: passcode.is-compliant 5 | supportedOS: 6 | iOS: 7 | introduced: '16.0' 8 | allowed-enrollments: 9 | - supervised 10 | - device 11 | - user 12 | - local 13 | allowed-scopes: 14 | - system 15 | sharedipad: 16 | allowed-scopes: 17 | - system 18 | - user 19 | macOS: 20 | introduced: n/a 21 | tvOS: 22 | introduced: n/a 23 | visionOS: 24 | introduced: '1.1' 25 | allowed-enrollments: 26 | - supervised 27 | - device 28 | - user 29 | - local 30 | allowed-scopes: 31 | - system 32 | watchOS: 33 | introduced: '10.0' 34 | allowed-enrollments: 35 | - supervised 36 | - local 37 | allowed-scopes: 38 | - system 39 | payloadkeys: 40 | - key: passcode.is-compliant 41 | title: Status item value. 42 | type: 43 | presence: required 44 | content: If 'true', the passcode is in compliance with all passcode policies set 45 | on the device. If 'false', the passcode isn't in compliance with one or more passcode 46 | policies set on the device. When there are no passcode policies on the device, 47 | this value is 'true'. A value of 'true' therefore doesn't by itself show that a passcode exists; use the 'passcode.is-present' status item to check for that. 48 | -------------------------------------------------------------------------------- /declarative/status/passcode.is-present.yaml: -------------------------------------------------------------------------------- 1 | title: Status Passcode Is Present 2 | description: Whether a passcode is present or not. 
3 | payload: 4 | statusitemtype: passcode.is-present 5 | supportedOS: 6 | iOS: 7 | introduced: '16.0' 8 | allowed-enrollments: 9 | - supervised 10 | - device 11 | - user 12 | - local 13 | allowed-scopes: 14 | - system 15 | sharedipad: 16 | allowed-scopes: 17 | - system 18 | - user 19 | macOS: 20 | introduced: n/a 21 | tvOS: 22 | introduced: n/a 23 | visionOS: 24 | introduced: '1.1' 25 | allowed-enrollments: 26 | - supervised 27 | - device 28 | - user 29 | - local 30 | allowed-scopes: 31 | - system 32 | watchOS: 33 | introduced: '10.0' 34 | allowed-enrollments: 35 | - supervised 36 | - local 37 | allowed-scopes: 38 | - system 39 | payloadkeys: 40 | - key: passcode.is-present 41 | title: Status item value. 42 | type: 43 | presence: required 44 | content: If 'true', a passcode is present on the device. If 'false', a passcode 45 | isn't present on the device. When a passcode is present, the specific attributes 46 | of the passcode, such as length or number of complex characters, aren't reported. 47 | Instead, use the 'passcode.is-compliant' status item to verify that the passcode 48 | complies with all passcode policies set on the device. 49 | -------------------------------------------------------------------------------- /declarative/status/softwareupdate.beta-enrollment.yaml: -------------------------------------------------------------------------------- 1 | title: Status Software Update Beta Enrollment 2 | description: The device's enrolled beta program. 
3 | payload: 4 | statusitemtype: softwareupdate.beta-enrollment 5 | supportedOS: 6 | iOS: 7 | introduced: '18.0' 8 | allowed-enrollments: 9 | - supervised 10 | - device 11 | allowed-scopes: 12 | - system 13 | sharedipad: 14 | allowed-scopes: 15 | - system 16 | macOS: 17 | introduced: '15.0' 18 | allowed-enrollments: 19 | - supervised 20 | allowed-scopes: 21 | - system 22 | tvOS: 23 | introduced: n/a 24 | visionOS: 25 | introduced: n/a 26 | watchOS: 27 | introduced: n/a 28 | payloadkeys: 29 | - key: softwareupdate.beta-enrollment 30 | title: The device's enrolled beta program. 31 | type: 32 | presence: required 33 | content: The device's enrolled beta program name, or an empty string if there's 34 | no enrolled beta program. 35 | -------------------------------------------------------------------------------- /declarative/status/softwareupdate.device-id.yaml: -------------------------------------------------------------------------------- 1 | title: Status Software Update Device ID 2 | description: The device's software update device ID. 3 | payload: 4 | statusitemtype: softwareupdate.device-id 5 | supportedOS: 6 | iOS: 7 | introduced: '18.0' 8 | allowed-enrollments: 9 | - supervised 10 | - device 11 | allowed-scopes: 12 | - system 13 | sharedipad: 14 | allowed-scopes: 15 | - system 16 | macOS: 17 | introduced: '15.0' 18 | allowed-enrollments: 19 | - supervised 20 | allowed-scopes: 21 | - system 22 | tvOS: 23 | introduced: '18.4' 24 | allowed-enrollments: 25 | - supervised 26 | - device 27 | allowed-scopes: 28 | - system 29 | visionOS: 30 | introduced: n/a 31 | watchOS: 32 | introduced: n/a 33 | payloadkeys: 34 | - key: softwareupdate.device-id 35 | title: The device's software update device ID. 36 | type: 37 | presence: required 38 | content: The device identifier to use when looking up available software updates 39 | via 'https://gdmf.apple.com/v2/pmv'. 
40 | -------------------------------------------------------------------------------- /declarative/status/softwareupdate.failure-reason.yaml: -------------------------------------------------------------------------------- 1 | title: Status Software Update Failure Reason 2 | description: The software update failure reason state. 3 | payload: 4 | statusitemtype: softwareupdate.failure-reason 5 | supportedOS: 6 | iOS: 7 | introduced: '17.0' 8 | allowed-enrollments: 9 | - supervised 10 | - device 11 | allowed-scopes: 12 | - system 13 | sharedipad: 14 | allowed-scopes: 15 | - system 16 | macOS: 17 | introduced: '14.0' 18 | allowed-enrollments: 19 | - supervised 20 | allowed-scopes: 21 | - system 22 | tvOS: 23 | introduced: '18.4' 24 | allowed-enrollments: 25 | - supervised 26 | - device 27 | allowed-scopes: 28 | - system 29 | visionOS: 30 | introduced: n/a 31 | watchOS: 32 | introduced: n/a 33 | payloadkeys: 34 | - key: softwareupdate.failure-reason 35 | title: The software update failure reason state. 36 | type: 37 | presence: required 38 | content: Details about a software update failure. 39 | subkeytype: Dictionary 40 | subkeys: 41 | - key: count 42 | title: The software update failure count. 43 | type: 44 | presence: required 45 | content: The number of times the current software update failed. If there are 46 | no failures, or no pending software update, this is '0'. 47 | - key: reason 48 | title: The reason for the software update failure. 49 | type: 50 | presence: optional 51 | content: If present, this describes the reason for the last software update failure. 52 | This key isn't present if there are no failures or no pending software update. 53 | - key: timestamp 54 | title: The timestamp of the software update failure. 55 | type: 56 | presence: optional 57 | content: If present, this is the RFC 3339 timestamp of the last software update 58 | failure. This key isn't present if there are no failures or no pending software 59 | update. 
60 | -------------------------------------------------------------------------------- /declarative/status/softwareupdate.install-state.yaml: -------------------------------------------------------------------------------- 1 | title: Status Software Update Install State 2 | description: The software update install state. 3 | payload: 4 | statusitemtype: softwareupdate.install-state 5 | supportedOS: 6 | iOS: 7 | introduced: '17.0' 8 | allowed-enrollments: 9 | - supervised 10 | - device 11 | allowed-scopes: 12 | - system 13 | sharedipad: 14 | allowed-scopes: 15 | - system 16 | macOS: 17 | introduced: '14.0' 18 | allowed-enrollments: 19 | - supervised 20 | allowed-scopes: 21 | - system 22 | tvOS: 23 | introduced: '18.4' 24 | allowed-enrollments: 25 | - supervised 26 | - device 27 | allowed-scopes: 28 | - system 29 | visionOS: 30 | introduced: n/a 31 | watchOS: 32 | introduced: n/a 33 | payloadkeys: 34 | - key: softwareupdate.install-state 35 | title: The software update install state. 36 | type: 37 | presence: required 38 | rangelist: 39 | - none 40 | - downloading 41 | - prepared 42 | - installing 43 | - failed 44 | content: |- 45 | The software update install status, which has the following values: 46 | 47 | * 'none': There's no software update pending, and any previous software update succeeded. 48 | * 'waiting': A software update is waiting to start. Note that this value isn't listed in the 'rangelist' above; a server that validates reported values against the 'rangelist' should also accept 'waiting' rather than treating it as an error. 49 | * 'downloading': The system is downloading data for a software update. 50 | * 'prepared': The system prepared the software update and it's ready for installation. 51 | * 'installing': The system is installing the software update. 52 | * 'failed': The software update failed. 53 | -------------------------------------------------------------------------------- /declarative/status/softwareupdate.pending-version.yaml: -------------------------------------------------------------------------------- 1 | title: Status Software Update Pending Version 2 | description: The pending software update version. 
3 | payload: 4 | statusitemtype: softwareupdate.pending-version 5 | supportedOS: 6 | iOS: 7 | introduced: '17.0' 8 | allowed-enrollments: 9 | - supervised 10 | - device 11 | allowed-scopes: 12 | - system 13 | sharedipad: 14 | allowed-scopes: 15 | - system 16 | macOS: 17 | introduced: '14.0' 18 | allowed-enrollments: 19 | - supervised 20 | allowed-scopes: 21 | - system 22 | tvOS: 23 | introduced: '18.4' 24 | allowed-enrollments: 25 | - supervised 26 | - device 27 | allowed-scopes: 28 | - system 29 | visionOS: 30 | introduced: n/a 31 | watchOS: 32 | introduced: n/a 33 | payloadkeys: 34 | - key: softwareupdate.pending-version 35 | title: Pending software update version. 36 | type: 37 | presence: required 38 | content: A dictionary that contains the build and OS versions of the software update 39 | that's pending on the device. 40 | subkeytype: Dictionary 41 | subkeys: 42 | - key: os-version 43 | title: The OS version 44 | type: 45 | presence: required 46 | content: The OS version of the pending software update, including any rapid security 47 | response version. This string is empty if no update is pending. 48 | - key: build-version 49 | title: The build version 50 | type: 51 | presence: required 52 | content: The build version of the pending software update, including any rapid 53 | security response version. This string is empty if no update is pending. 54 | - key: target-local-date-time 55 | title: The target local date-time 56 | type: 57 | presence: optional 58 | content: The local date time value for when the pending software update will be 59 | installed. This key is only present when the pending software update is being 60 | enforced. 61 | -------------------------------------------------------------------------------- /declarative/status/statusreason.yaml: -------------------------------------------------------------------------------- 1 | title: Status Reason 2 | description: Information about a status error. 
3 | payload: 4 | declarationtype: status-reason 5 | supportedOS: 6 | iOS: 7 | introduced: '15.0' 8 | macOS: 9 | introduced: '13.0' 10 | tvOS: 11 | introduced: '16.0' 12 | visionOS: 13 | introduced: '1.1' 14 | watchOS: 15 | introduced: '10.0' 16 | payloadkeys: 17 | - key: code 18 | title: Error Code 19 | type: 20 | presence: required 21 | content: The error code for this error. 22 | - key: description 23 | title: Error Description 24 | type: 25 | presence: optional 26 | content: A description of this error. 27 | - key: details 28 | title: Error Details 29 | type: 30 | presence: optional 31 | content: An arbitrary object containing details specific to this error. Because its structure isn't fixed, a server should parse this value defensively, without assuming particular keys or value types, and shouldn't render it unescaped in a UI. 32 | -------------------------------------------------------------------------------- /declarative/status/test.array-value.yaml: -------------------------------------------------------------------------------- 1 | title: Status Test Array Value 2 | description: A test status item array. 3 | payload: 4 | statusitemtype: test.array-value 5 | supportedOS: 6 | iOS: 7 | introduced: '16.0' 8 | allowed-enrollments: 9 | - supervised 10 | - device 11 | - user 12 | - local 13 | allowed-scopes: 14 | - system 15 | sharedipad: 16 | allowed-scopes: 17 | - system 18 | - user 19 | macOS: 20 | introduced: '13.0' 21 | allowed-enrollments: 22 | - supervised 23 | - user 24 | - local 25 | allowed-scopes: 26 | - system 27 | - user 28 | tvOS: 29 | introduced: '16.0' 30 | allowed-enrollments: 31 | - supervised 32 | - device 33 | - local 34 | allowed-scopes: 35 | - system 36 | visionOS: 37 | introduced: '1.1' 38 | allowed-enrollments: 39 | - supervised 40 | - device 41 | - user 42 | - local 43 | allowed-scopes: 44 | - system 45 | watchOS: 46 | introduced: '10.0' 47 | allowed-enrollments: 48 | - supervised 49 | - local 50 | allowed-scopes: 51 | - system 52 | payloadkeys: 53 | - key: test.array-value 54 | title: Status item value. 55 | type: 56 | presence: required 57 | content: The test status item array value. 
58 | subkeytype: Array 59 | subkeys: 60 | - key: status_value 61 | type: 62 | subkeys: 63 | - key: key1 64 | title: First Key Value 65 | type: 66 | presence: required 67 | content: The value of the first sub-key. 68 | - key: key2 69 | title: Second Key Value 70 | type: 71 | presence: optional 72 | content: The value of the second sub-key. 73 | -------------------------------------------------------------------------------- /declarative/status/test.boolean-value.yaml: -------------------------------------------------------------------------------- 1 | title: Status Test Boolean Value 2 | description: A test status item boolean. 3 | payload: 4 | statusitemtype: test.boolean-value 5 | supportedOS: 6 | iOS: 7 | introduced: '16.0' 8 | allowed-enrollments: 9 | - supervised 10 | - device 11 | - user 12 | - local 13 | allowed-scopes: 14 | - system 15 | sharedipad: 16 | allowed-scopes: 17 | - system 18 | - user 19 | macOS: 20 | introduced: '13.0' 21 | allowed-enrollments: 22 | - supervised 23 | - user 24 | - local 25 | allowed-scopes: 26 | - system 27 | - user 28 | tvOS: 29 | introduced: '16.0' 30 | allowed-enrollments: 31 | - supervised 32 | - device 33 | - local 34 | allowed-scopes: 35 | - system 36 | visionOS: 37 | introduced: '1.1' 38 | allowed-enrollments: 39 | - supervised 40 | - device 41 | - user 42 | - local 43 | allowed-scopes: 44 | - system 45 | watchOS: 46 | introduced: '10.0' 47 | allowed-enrollments: 48 | - supervised 49 | - local 50 | allowed-scopes: 51 | - system 52 | payloadkeys: 53 | - key: test.boolean-value 54 | title: Status item value. 55 | type: 56 | presence: required 57 | content: The test status Boolean value. 58 | -------------------------------------------------------------------------------- /declarative/status/test.dictionary-value.yaml: -------------------------------------------------------------------------------- 1 | title: Status Test Dictionary Value 2 | description: A test status item dictionary. 
3 | payload: 4 | statusitemtype: test.dictionary-value 5 | supportedOS: 6 | iOS: 7 | introduced: '16.0' 8 | allowed-enrollments: 9 | - supervised 10 | - device 11 | - user 12 | - local 13 | allowed-scopes: 14 | - system 15 | sharedipad: 16 | allowed-scopes: 17 | - system 18 | - user 19 | macOS: 20 | introduced: '13.0' 21 | allowed-enrollments: 22 | - supervised 23 | - user 24 | - local 25 | allowed-scopes: 26 | - system 27 | - user 28 | tvOS: 29 | introduced: '16.0' 30 | allowed-enrollments: 31 | - supervised 32 | - device 33 | - local 34 | allowed-scopes: 35 | - system 36 | visionOS: 37 | introduced: '1.1' 38 | allowed-enrollments: 39 | - supervised 40 | - device 41 | - user 42 | - local 43 | allowed-scopes: 44 | - system 45 | watchOS: 46 | introduced: '10.0' 47 | allowed-enrollments: 48 | - supervised 49 | - local 50 | allowed-scopes: 51 | - system 52 | payloadkeys: 53 | - key: test.dictionary-value 54 | title: Status item value. 55 | type: 56 | presence: required 57 | content: The test status dictionary value. 58 | subkeytype: Dictionary 59 | subkeys: 60 | - key: key1 61 | title: First Key Value 62 | type: 63 | presence: required 64 | content: The value of the first sub-key. 65 | - key: key2 66 | title: Second Key Value 67 | type: 68 | presence: optional 69 | content: The value of the second sub-key. 70 | -------------------------------------------------------------------------------- /declarative/status/test.error-value.yaml: -------------------------------------------------------------------------------- 1 | title: Status Test Error Value 2 | description: A test status item for errors. 
3 | payload: 4 | statusitemtype: test.error-value 5 | supportedOS: 6 | iOS: 7 | introduced: '16.0' 8 | allowed-enrollments: 9 | - supervised 10 | - device 11 | - user 12 | - local 13 | allowed-scopes: 14 | - system 15 | sharedipad: 16 | allowed-scopes: 17 | - system 18 | - user 19 | macOS: 20 | introduced: '13.0' 21 | allowed-enrollments: 22 | - supervised 23 | - user 24 | - local 25 | allowed-scopes: 26 | - system 27 | - user 28 | tvOS: 29 | introduced: '16.0' 30 | allowed-enrollments: 31 | - supervised 32 | - device 33 | - local 34 | allowed-scopes: 35 | - system 36 | visionOS: 37 | introduced: '1.1' 38 | allowed-enrollments: 39 | - supervised 40 | - device 41 | - user 42 | - local 43 | allowed-scopes: 44 | - system 45 | watchOS: 46 | introduced: '10.0' 47 | allowed-enrollments: 48 | - supervised 49 | - local 50 | allowed-scopes: 51 | - system 52 | payloadkeys: 53 | - key: test.error-value 54 | title: Status item value. 55 | type: 56 | presence: required 57 | content: The test status error value. 58 | -------------------------------------------------------------------------------- /declarative/status/test.integer-value.yaml: -------------------------------------------------------------------------------- 1 | title: Status Test Integer Value 2 | description: A test status item integer. 
3 | payload: 4 | statusitemtype: test.integer-value 5 | supportedOS: 6 | iOS: 7 | introduced: '16.0' 8 | allowed-enrollments: 9 | - supervised 10 | - device 11 | - user 12 | - local 13 | allowed-scopes: 14 | - system 15 | sharedipad: 16 | allowed-scopes: 17 | - system 18 | - user 19 | macOS: 20 | introduced: '13.0' 21 | allowed-enrollments: 22 | - supervised 23 | - user 24 | - local 25 | allowed-scopes: 26 | - system 27 | - user 28 | tvOS: 29 | introduced: '16.0' 30 | allowed-enrollments: 31 | - supervised 32 | - device 33 | - local 34 | allowed-scopes: 35 | - system 36 | visionOS: 37 | introduced: '1.1' 38 | allowed-enrollments: 39 | - supervised 40 | - device 41 | - user 42 | - local 43 | allowed-scopes: 44 | - system 45 | watchOS: 46 | introduced: '10.0' 47 | allowed-enrollments: 48 | - supervised 49 | - local 50 | allowed-scopes: 51 | - system 52 | payloadkeys: 53 | - key: test.integer-value 54 | title: Status item value. 55 | type: 56 | presence: required 57 | content: The test status integer value. 58 | -------------------------------------------------------------------------------- /declarative/status/test.real-value.yaml: -------------------------------------------------------------------------------- 1 | title: Status Test Real Value 2 | description: A test status item real. 
3 | payload: 4 | statusitemtype: test.real-value 5 | supportedOS: 6 | iOS: 7 | introduced: '16.0' 8 | allowed-enrollments: 9 | - supervised 10 | - device 11 | - user 12 | - local 13 | allowed-scopes: 14 | - system 15 | sharedipad: 16 | allowed-scopes: 17 | - system 18 | - user 19 | macOS: 20 | introduced: '13.0' 21 | allowed-enrollments: 22 | - supervised 23 | - user 24 | - local 25 | allowed-scopes: 26 | - system 27 | - user 28 | tvOS: 29 | introduced: '16.0' 30 | allowed-enrollments: 31 | - supervised 32 | - device 33 | - local 34 | allowed-scopes: 35 | - system 36 | visionOS: 37 | introduced: '1.1' 38 | allowed-enrollments: 39 | - supervised 40 | - device 41 | - user 42 | - local 43 | allowed-scopes: 44 | - system 45 | watchOS: 46 | introduced: '10.0' 47 | allowed-enrollments: 48 | - supervised 49 | - local 50 | allowed-scopes: 51 | - system 52 | payloadkeys: 53 | - key: test.real-value 54 | title: Status item value. 55 | type: 56 | presence: required 57 | content: The test status real value. 58 | -------------------------------------------------------------------------------- /declarative/status/test.string-value.yaml: -------------------------------------------------------------------------------- 1 | title: Status Test String Value 2 | description: A test status item string. 
3 | payload: 4 | statusitemtype: test.string-value 5 | supportedOS: 6 | iOS: 7 | introduced: '16.0' 8 | allowed-enrollments: 9 | - supervised 10 | - device 11 | - user 12 | - local 13 | allowed-scopes: 14 | - system 15 | sharedipad: 16 | allowed-scopes: 17 | - system 18 | - user 19 | macOS: 20 | introduced: '13.0' 21 | allowed-enrollments: 22 | - supervised 23 | - user 24 | - local 25 | allowed-scopes: 26 | - system 27 | - user 28 | tvOS: 29 | introduced: '16.0' 30 | allowed-enrollments: 31 | - supervised 32 | - device 33 | - local 34 | allowed-scopes: 35 | - system 36 | visionOS: 37 | introduced: '1.1' 38 | allowed-enrollments: 39 | - supervised 40 | - device 41 | - user 42 | - local 43 | allowed-scopes: 44 | - system 45 | watchOS: 46 | introduced: '10.0' 47 | allowed-enrollments: 48 | - supervised 49 | - local 50 | allowed-scopes: 51 | - system 52 | payloadkeys: 53 | - key: test.string-value 54 | title: Status item value. 55 | type: 56 | presence: required 57 | content: The test status string value. 58 | -------------------------------------------------------------------------------- /mdm/checkin/checkout.yaml: -------------------------------------------------------------------------------- 1 | title: Check Out 2 | description: Check-in protocol check out request keys. 
3 | payload: 4 | requesttype: CheckOut 5 | supportedOS: 6 | iOS: 7 | introduced: '4.0' 8 | supervised: false 9 | requiresdep: false 10 | sharedipad: 11 | mode: allowed 12 | devicechannel: true 13 | userchannel: false 14 | userenrollment: 15 | mode: allowed 16 | macOS: 17 | introduced: '10.7' 18 | devicechannel: true 19 | userchannel: false 20 | supervised: false 21 | requiresdep: false 22 | userenrollment: 23 | mode: allowed 24 | tvOS: 25 | introduced: '10.2' 26 | supervised: false 27 | visionOS: 28 | introduced: '1.1' 29 | supervised: false 30 | requiresdep: false 31 | userenrollment: 32 | mode: allowed 33 | watchOS: 34 | introduced: '10.0' 35 | supervised: false 36 | content: Check-in protocol check out request and response. 37 | payloadkeys: 38 | - key: MessageType 39 | type: 40 | presence: required 41 | rangelist: 42 | - CheckOut 43 | content: The message type, which must have a value of 'CheckOut'. 44 | - key: Topic 45 | type: 46 | presence: required 47 | content: The topic to which the device subscribed. 48 | - key: UDID 49 | supportedOS: 50 | iOS: 51 | userenrollment: 52 | mode: forbidden 53 | visionOS: 54 | userenrollment: 55 | mode: forbidden 56 | type: 57 | presence: required 58 | content: The device's UDID (Unique Device ID). 59 | - key: EnrollmentID 60 | supportedOS: 61 | iOS: 62 | introduced: '13.0' 63 | userenrollment: 64 | mode: required 65 | macOS: 66 | introduced: '10.15' 67 | userenrollment: 68 | mode: required 69 | tvOS: 70 | introduced: n/a 71 | visionOS: 72 | userenrollment: 73 | mode: required 74 | watchOS: 75 | introduced: n/a 76 | type: 77 | presence: required 78 | content: The per-enrollment identifier for the device. Available in macOS 10.15 79 | and iOS 13.0 and later. 
80 | -------------------------------------------------------------------------------- /mdm/checkin/getbootstraptoken.yaml: -------------------------------------------------------------------------------- 1 | title: Get Bootstrap Token 2 | description: Check-in protocol get bootstrap token data. 3 | payload: 4 | requesttype: GetBootstrapToken 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '10.15' 10 | devicechannel: true 11 | userchannel: false 12 | supervised: true 13 | requiresdep: false 14 | userenrollment: 15 | mode: forbidden 16 | tvOS: 17 | introduced: n/a 18 | visionOS: 19 | introduced: n/a 20 | watchOS: 21 | introduced: n/a 22 | content: Check-in protocol get bootstrap token data request and response. 23 | payloadkeys: 24 | - key: MessageType 25 | type: 26 | presence: required 27 | rangelist: 28 | - GetBootstrapToken 29 | content: The message type, which must have a value of 'GetBootstrapToken'. 30 | - key: AwaitingConfiguration 31 | type: 32 | presence: optional 33 | default: false 34 | content: If 'true', the device is awaiting a DeviceConfigured MDM command before 35 | proceeding through Setup Assistant. 36 | responsekeys: 37 | - key: BootstrapToken 38 | type: 39 | presence: optional 40 | content: The current bootstrap token data for the device, as previously stored by the server via 'SetBootstrapToken'. Treat this value as sensitive: store it securely and return it only over the authenticated device channel in response to this check-in request. 41 | -------------------------------------------------------------------------------- /mdm/checkin/setbootstraptoken.yaml: -------------------------------------------------------------------------------- 1 | title: Set Bootstrap Token 2 | description: Check-in protocol set bootstrap token data. 
3 | payload: 4 | requesttype: SetBootstrapToken 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '10.15' 10 | devicechannel: true 11 | userchannel: false 12 | supervised: true 13 | requiresdep: false 14 | userenrollment: 15 | mode: forbidden 16 | tvOS: 17 | introduced: n/a 18 | visionOS: 19 | introduced: n/a 20 | watchOS: 21 | introduced: n/a 22 | content: Check-in protocol set bootstrap token data request and response. 23 | payloadkeys: 24 | - key: MessageType 25 | type: 26 | presence: required 27 | rangelist: 28 | - SetBootstrapToken 29 | content: The message type, which must have a value of 'SetBootstrapToken'. 30 | - key: BootstrapToken 31 | type: 32 | presence: optional 33 | content: The device's bootstrap token data. If this field is missing or zero length, 34 | the server should remove the stored bootstrap token for this device. Treat the token as sensitive and store it securely. 35 | - key: AwaitingConfiguration 36 | type: 37 | presence: optional 38 | default: false 39 | content: If 'true', the device is awaiting a DeviceConfigured MDM command before 40 | proceeding through Setup Assistant. 41 | -------------------------------------------------------------------------------- /mdm/checkin/userauthenticate.yaml: -------------------------------------------------------------------------------- 1 | title: UserAuthenticate 2 | description: Authenticate network or mobile users with MDM. 3 | payload: 4 | requesttype: UserAuthenticate 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '10.7' 10 | devicechannel: false 11 | userchannel: true 12 | supervised: false 13 | requiresdep: false 14 | userenrollment: 15 | mode: forbidden 16 | tvOS: 17 | introduced: n/a 18 | visionOS: 19 | introduced: n/a 20 | watchOS: 21 | introduced: n/a 22 | content: Authenticate network or mobile users with MDM. 23 | payloadkeys: 24 | - key: MessageType 25 | type: 26 | presence: required 27 | rangelist: 28 | - UserAuthenticate 29 | content: The message type, which must have a value of 'UserAuthenticate'. 
30 | - key: UDID 31 | type: 32 | presence: required 33 | content: The device's UDID (Unique Device ID). 34 | - key: UserID 35 | type: 36 | presence: required 37 | content: Local mobile user's GUID or network user's GUID from an Open Directory 38 | record. 39 | - key: DigestResponse 40 | type: 41 | presence: required 42 | content: A string provided by the client on the second UserAuthenticate request, after 43 | receiving 'DigestChallenge' from the server in response to the first UserAuthenticate request. The server should verify this response against the challenge it issued before treating the user as authenticated. 44 | -------------------------------------------------------------------------------- /mdm/commands/application.extensions.mappings.yaml: -------------------------------------------------------------------------------- 1 | title: NSExtension Mappings Command 2 | description: This command returns information about installed extensions for a user. 3 | payload: 4 | requesttype: NSExtensionMappings 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '10.13' 10 | accessrights: QueryInstalledApps 11 | devicechannel: false 12 | userchannel: true 13 | supervised: false 14 | requiresdep: false 15 | userenrollment: 16 | mode: forbidden 17 | tvOS: 18 | introduced: n/a 19 | visionOS: 20 | introduced: n/a 21 | watchOS: 22 | introduced: n/a 23 | content: |- 24 | This command returns information about installed extensions for a user. 25 | The purpose of this command is to allow the server to build a mapping of 26 | extension identifiers to extension points to provide a UI for generating 27 | "com.apple.NSExtension" payloads. 28 | Requires the "Query Installed Apps" right; supported on the user channel only. 29 | responsekeys: 30 | - key: Extensions 31 | type: 32 | presence: required 33 | content: An array of dictionaries that contains information about extensions on 34 | the device. 35 | subkeys: 36 | - key: ExtensionsItem 37 | type: 38 | subkeys: 39 | - key: Identifier 40 | type: 41 | presence: required 42 | content: The identifier of the extension. 
43 | - key: ExtensionPoint 44 | type: 45 | presence: required 46 | content: The NSExtensionPointIdentifier for the extension. 47 | - key: DisplayName 48 | type: 49 | presence: required 50 | content: The display name of the extension. 51 | -------------------------------------------------------------------------------- /mdm/commands/application.invitetoprogram.yaml: -------------------------------------------------------------------------------- 1 | title: Invite To Program Command 2 | description: This command allows a server to invite a user to join a program. 3 | payload: 4 | requesttype: InviteToProgram 5 | supportedOS: 6 | iOS: 7 | introduced: '7.0' 8 | accessrights: AllowAppInstallation 9 | supervised: false 10 | requiresdep: false 11 | sharedipad: 12 | mode: allowed 13 | devicechannel: false 14 | userchannel: true 15 | userenrollment: 16 | mode: forbidden 17 | macOS: 18 | introduced: '10.9' 19 | accessrights: None 20 | devicechannel: false 21 | userchannel: true 22 | supervised: false 23 | requiresdep: false 24 | userenrollment: 25 | mode: forbidden 26 | tvOS: 27 | introduced: n/a 28 | visionOS: 29 | introduced: n/a 30 | watchOS: 31 | introduced: n/a 32 | content: This command allows a server to invite a user to join a program. This command 33 | issues the invitation, but does not allow the server to monitor whether the user 34 | has joined the program. This command is supported in the user channel. This command 35 | will yield a NotNow status until the user exits Setup Assistant. This command 36 | does not work with Account Driven Device Enrollment. 37 | payloadkeys: 38 | - key: ProgramID 39 | type: 40 | presence: required 41 | rangelist: 42 | - com.apple.cloudvpp 43 | content: The program's identifier, which can only be 'com.apple.cloudvpp'. 44 | - key: InvitationURL 45 | type: 46 | presence: required 47 | content: The Volume Purchase Program (VPP) invitation URL. 
48 | responsekeys: 49 | - key: InvitationResult 50 | type: 51 | presence: required 52 | rangelist: 53 | - Acknowledged 54 | - InvalidProgramID 55 | - InvalidInvitationURL 56 | content: The result of the command. 57 | -------------------------------------------------------------------------------- /mdm/commands/application.redemptioncode.yaml: -------------------------------------------------------------------------------- 1 | title: Apply Redemption Code Command 2 | description: If a redemption code is needed during app installation, the server can 3 | use this command to complete the app installation. 4 | payload: 5 | requesttype: ApplyRedemptionCode 6 | supportedOS: 7 | iOS: 8 | introduced: '5.0' 9 | accessrights: AllowAppInstallation 10 | supervised: false 11 | requiresdep: false 12 | sharedipad: 13 | mode: forbidden 14 | userenrollment: 15 | mode: forbidden 16 | macOS: 17 | introduced: n/a 18 | tvOS: 19 | introduced: n/a 20 | visionOS: 21 | introduced: n/a 22 | watchOS: 23 | introduced: n/a 24 | content: If a redemption code is needed during app installation, the server can 25 | use this command to complete the app installation. 26 | payloadkeys: 27 | - key: Identifier 28 | type: 29 | presence: required 30 | content: The bundle identifier of the app. 31 | - key: RedemptionCode 32 | type: 33 | presence: required 34 | content: The redemption code that applies to the app pending installation. 35 | -------------------------------------------------------------------------------- /mdm/commands/application.remove.yaml: -------------------------------------------------------------------------------- 1 | title: Remove Application Command 2 | description: This command allows a server to remove a managed app. 
3 | payload: 4 | requesttype: RemoveApplication 5 | supportedOS: 6 | iOS: 7 | introduced: '5.0' 8 | accessrights: AllowAppInstallation 9 | supervised: false 10 | requiresdep: false 11 | sharedipad: 12 | mode: allowed 13 | devicechannel: true 14 | userchannel: false 15 | userenrollment: 16 | mode: allowed 17 | macOS: 18 | introduced: '11.0' 19 | accessrights: AllowAppInstallation 20 | devicechannel: true 21 | userchannel: false 22 | supervised: false 23 | requiresdep: false 24 | userenrollment: 25 | mode: forbidden 26 | tvOS: 27 | introduced: '10.2' 28 | accessrights: AllowAppInstallation 29 | supervised: false 30 | visionOS: 31 | introduced: '1.1' 32 | accessrights: AllowAppInstallation 33 | supervised: false 34 | requiresdep: false 35 | userenrollment: 36 | mode: allowed 37 | watchOS: 38 | introduced: '10.0' 39 | accessrights: AllowAppInstallation 40 | supervised: false 41 | content: This command allows a server to remove a managed app. This command will 42 | fail for apps that are managed by Declarative Device Management. 43 | payloadkeys: 44 | - key: Identifier 45 | type: 46 | presence: required 47 | content: |- 48 | The bundle identifier of the managed app. 49 | For a watchOS app, the identifier needs to be the watch's bundle identifier, which differs from the main bundle identifier for the iPhone to which the watch is paired. Obtain the watch's bundle identifier for an app with a watch bundle from the 'watchBundleId' key that's part of the Content Metadata query. For more information on this query, see Getting App and Book Information (Legacy). 50 | -------------------------------------------------------------------------------- /mdm/commands/application.validate.yaml: -------------------------------------------------------------------------------- 1 | title: Validate Applications Command 2 | description: This command allows the server to force validation of the free developer 3 | and universal provisioning profiles associated with an enterprise app. 
4 | payload: 5 | requesttype: ValidateApplications 6 | supportedOS: 7 | iOS: 8 | introduced: '9.2' 9 | accessrights: AllowAppInstallation 10 | supervised: false 11 | requiresdep: false 12 | sharedipad: 13 | mode: allowed 14 | devicechannel: true 15 | userchannel: false 16 | userenrollment: 17 | mode: allowed 18 | macOS: 19 | introduced: n/a 20 | tvOS: 21 | introduced: '10.2' 22 | accessrights: AllowAppInstallation 23 | supervised: false 24 | visionOS: 25 | introduced: '1.1' 26 | accessrights: AllowAppInstallation 27 | supervised: false 28 | requiresdep: false 29 | userenrollment: 30 | mode: allowed 31 | watchOS: 32 | introduced: n/a 33 | content: This command allows the server to force validation of the free developer and universal provisioning profiles associated with an enterprise app. 34 | payloadkeys: 35 | - key: Identifiers 36 | type: 37 | presence: optional 38 | content: The bundle identifiers of the enterprise apps to include for validation 39 | of associated provisioning profiles, if you choose to provide them. Otherwise, 40 | validation occurs for the provisioning profiles for the installed managed apps. 41 | subkeys: 42 | - key: IdentifiersItem 43 | type: 44 | -------------------------------------------------------------------------------- /mdm/commands/declarativemanagement.yaml: -------------------------------------------------------------------------------- 1 | title: Declarative Management Command 2 | description: This command allows the server to turn on the Declarative Management 3 | engine on the device (the first time it is used), or to trigger a Declarative Management 4 | synchronization operation. 
5 | payload: 6 | requesttype: DeclarativeManagement 7 | supportedOS: 8 | iOS: 9 | introduced: '15.0' 10 | supervised: false 11 | requiresdep: false 12 | sharedipad: 13 | mode: allowed 14 | devicechannel: true 15 | userchannel: true 16 | userenrollment: 17 | mode: allowed 18 | macOS: 19 | introduced: '13.0' 20 | devicechannel: true 21 | userchannel: true 22 | supervised: false 23 | requiresdep: false 24 | userenrollment: 25 | mode: allowed 26 | tvOS: 27 | introduced: '16.0' 28 | supervised: false 29 | requiresdep: false 30 | visionOS: 31 | introduced: '1.1' 32 | supervised: false 33 | requiresdep: false 34 | userenrollment: 35 | mode: allowed 36 | watchOS: 37 | introduced: '10.0' 38 | supervised: false 39 | content: This command allows the server to turn on the Declarative Management engine 40 | on the device (the first time it is used), or to trigger a Declarative Management 41 | synchronization operation. 42 | payloadkeys: 43 | - key: Data 44 | type: 45 | presence: optional 46 | content: The base64-encoded Declarative Management JSON request using a TokensResponse. 47 | -------------------------------------------------------------------------------- /mdm/commands/device.activationlock.bypasscode.yaml: -------------------------------------------------------------------------------- 1 | title: Activation Lock Bypass Code Command 2 | description: Retrieves the Activation Lock bypass code from the device. 
3 | payload: 4 | requesttype: ActivationLockBypassCode 5 | supportedOS: 6 | iOS: 7 | introduced: '7.1' 8 | accessrights: None 9 | supervised: true 10 | requiresdep: false 11 | sharedipad: 12 | mode: forbidden 13 | userenrollment: 14 | mode: forbidden 15 | macOS: 16 | introduced: '10.15' 17 | accessrights: None 18 | devicechannel: true 19 | userchannel: false 20 | supervised: true 21 | requiresdep: false 22 | userenrollment: 23 | mode: forbidden 24 | tvOS: 25 | introduced: n/a 26 | visionOS: 27 | introduced: '2.0' 28 | accessrights: None 29 | supervised: true 30 | requiresdep: false 31 | userenrollment: 32 | mode: forbidden 33 | watchOS: 34 | introduced: n/a 35 | content: Retrieves the Activation Lock bypass code from the device. This bypass 36 | code is only available for 15 days after supervision. 37 | responsekeys: 38 | - key: ActivationLockBypassCode 39 | type: 40 | presence: required 41 | content: The Activation Lock bypass code if it's available. 42 | -------------------------------------------------------------------------------- /mdm/commands/device.activationlock.clearbypasscode.yaml: -------------------------------------------------------------------------------- 1 | title: Clear Activation Lock Bypass Code Command 2 | description: Clears the Activation Lock bypass code from the device. 
3 | payload: 4 | requesttype: ClearActivationLockBypassCode 5 | supportedOS: 6 | iOS: 7 | introduced: '7.1' 8 | accessrights: None 9 | supervised: true 10 | requiresdep: false 11 | sharedipad: 12 | mode: forbidden 13 | userenrollment: 14 | mode: forbidden 15 | macOS: 16 | introduced: '10.15' 17 | accessrights: None 18 | devicechannel: true 19 | userchannel: false 20 | supervised: true 21 | requiresdep: false 22 | userenrollment: 23 | mode: forbidden 24 | tvOS: 25 | introduced: n/a 26 | visionOS: 27 | introduced: '2.0' 28 | accessrights: None 29 | supervised: true 30 | requiresdep: false 31 | userenrollment: 32 | mode: forbidden 33 | watchOS: 34 | introduced: n/a 35 | content: Clears the Activation Lock bypass code from the device. 36 | -------------------------------------------------------------------------------- /mdm/commands/device.configured.yaml: -------------------------------------------------------------------------------- 1 | title: Device Configured Command 2 | description: Informs the device that it can continue past DEP enrollment. Only works 3 | on devices in DEP that have their cloud configuration set to await configuration. 4 | payload: 5 | requesttype: DeviceConfigured 6 | supportedOS: 7 | iOS: 8 | introduced: '9.0' 9 | accessrights: None 10 | supervised: true 11 | requiresdep: true 12 | sharedipad: 13 | mode: allowed 14 | devicechannel: true 15 | userchannel: false 16 | userenrollment: 17 | mode: forbidden 18 | macOS: 19 | introduced: '10.11' 20 | accessrights: None 21 | devicechannel: true 22 | userchannel: false 23 | supervised: false 24 | requiresdep: true 25 | userenrollment: 26 | mode: forbidden 27 | tvOS: 28 | introduced: '10.2' 29 | accessrights: None 30 | supervised: true 31 | visionOS: 32 | introduced: '2.0' 33 | accessrights: None 34 | supervised: true 35 | requiresdep: true 36 | userenrollment: 37 | mode: forbidden 38 | watchOS: 39 | introduced: n/a 40 | content: Informs the device that it can continue past DEP enrollment. 
Only works 41 | on devices in DEP that have their cloud configuration set to await configuration. 42 | -------------------------------------------------------------------------------- /mdm/commands/device.esim.yaml: -------------------------------------------------------------------------------- 1 | title: Refresh Cellular Plans Command 2 | description: Instructs the device to query for active cellular plan eSIM "profiles" 3 | at the designated carrier eSIM server URL. 4 | payload: 5 | requesttype: RefreshCellularPlans 6 | supportedOS: 7 | iOS: 8 | introduced: '13.0' 9 | accessrights: None 10 | supervised: false 11 | requiresdep: false 12 | sharedipad: 13 | mode: allowed 14 | devicechannel: true 15 | userchannel: false 16 | userenrollment: 17 | mode: forbidden 18 | macOS: 19 | introduced: n/a 20 | tvOS: 21 | introduced: n/a 22 | visionOS: 23 | introduced: n/a 24 | watchOS: 25 | introduced: n/a 26 | content: |- 27 | Instructs the device to query for active cellular plan eSIM "profiles" (not a profile in the MDM sense) 28 | at the designated carrier eSIM server URL. This command is only supported on cellular devices, and only 29 | a subset of those devices support eSIM configuration management. (Need details from CoreTelephony.) 30 | payloadkeys: 31 | - key: eSIMServerURL 32 | type: 33 | presence: required 34 | content: The carrier's eSIM server URL to query. Obtain this URL from each carrier 35 | separately. 36 | -------------------------------------------------------------------------------- /mdm/commands/device.lostmode.disable.yaml: -------------------------------------------------------------------------------- 1 | title: Disable Lost Mode Command 2 | description: This command allows the server to take the device out of MDM lost mode. 
3 | payload: 4 | requesttype: DisableLostMode 5 | supportedOS: 6 | iOS: 7 | introduced: '9.3' 8 | accessrights: None 9 | supervised: true 10 | requiresdep: false 11 | sharedipad: 12 | mode: allowed 13 | devicechannel: true 14 | userchannel: false 15 | userenrollment: 16 | mode: forbidden 17 | macOS: 18 | introduced: n/a 19 | tvOS: 20 | introduced: n/a 21 | visionOS: 22 | introduced: n/a 23 | watchOS: 24 | introduced: n/a 25 | content: This command allows the server to take the device out of MDM lost mode. 26 | -------------------------------------------------------------------------------- /mdm/commands/device.lostmode.enable.yaml: -------------------------------------------------------------------------------- 1 | title: Enable Lost Mode Command 2 | description: This command allows the server to put the device in MDM lost mode, with 3 | a message, phone number, and footnote text. A message or phone number must be provided. 4 | payload: 5 | requesttype: EnableLostMode 6 | supportedOS: 7 | iOS: 8 | introduced: '9.3' 9 | accessrights: None 10 | supervised: true 11 | requiresdep: false 12 | sharedipad: 13 | mode: allowed 14 | devicechannel: true 15 | userchannel: false 16 | userenrollment: 17 | mode: forbidden 18 | macOS: 19 | introduced: n/a 20 | tvOS: 21 | introduced: n/a 22 | visionOS: 23 | introduced: n/a 24 | watchOS: 25 | introduced: n/a 26 | content: This command allows the server to put the device in MDM lost mode, with 27 | a message, phone number, and footnote text. A message or phone number must be 28 | provided. 29 | payloadkeys: 30 | - key: Message 31 | type: 32 | presence: optional 33 | content: If present, display this text on the Lock screen. You must provide this 34 | value if you don't provide a value for 'PhoneNumber'. 35 | - key: PhoneNumber 36 | type: 37 | presence: optional 38 | content: If present, display this phone number on the Lock screen. You must provide 39 | this value if you don't provide a value for 'Message'. 
40 | - key: Footnote 41 | type: 42 | presence: optional 43 | content: If present, display this text in place of Slide to Unlock. 44 | -------------------------------------------------------------------------------- /mdm/commands/device.lostmode.playsound.yaml: -------------------------------------------------------------------------------- 1 | title: Play Lost Mode Sound Command 2 | description: This command allows the server to tell the device to play a sound if 3 | it is in MDM Lost Mode. The sound will play until the device is either removed from 4 | Lost Mode or a user disables the sound from the device. 5 | payload: 6 | requesttype: PlayLostModeSound 7 | supportedOS: 8 | iOS: 9 | introduced: '10.3' 10 | accessrights: None 11 | supervised: true 12 | requiresdep: false 13 | sharedipad: 14 | mode: allowed 15 | devicechannel: true 16 | userchannel: false 17 | userenrollment: 18 | mode: forbidden 19 | macOS: 20 | introduced: n/a 21 | tvOS: 22 | introduced: n/a 23 | visionOS: 24 | introduced: n/a 25 | watchOS: 26 | introduced: n/a 27 | content: This command allows the server to tell the device to play a sound if it 28 | is in MDM Lost Mode. The sound will play until the device is either removed from 29 | Lost Mode or a user disables the sound from the device. 30 | -------------------------------------------------------------------------------- /mdm/commands/device.restrictions.clearpassword.yaml: -------------------------------------------------------------------------------- 1 | title: Clear Restrictions Password Command 2 | description: This command clears the restrictions passcode, either disabling parental 3 | controls or allowing you to edit them. 
4 | payload: 5 | requesttype: ClearRestrictionsPassword 6 | supportedOS: 7 | iOS: 8 | introduced: '8.0' 9 | accessrights: None 10 | supervised: true 11 | requiresdep: false 12 | sharedipad: 13 | mode: forbidden 14 | userenrollment: 15 | mode: forbidden 16 | macOS: 17 | introduced: n/a 18 | tvOS: 19 | introduced: n/a 20 | visionOS: 21 | introduced: n/a 22 | watchOS: 23 | introduced: n/a 24 | -------------------------------------------------------------------------------- /mdm/commands/device.shutdown.yaml: -------------------------------------------------------------------------------- 1 | title: Shut Down Device Command 2 | description: This command requires the Device Lock access right. The device will shut 3 | down immediately. 4 | payload: 5 | requesttype: ShutDownDevice 6 | supportedOS: 7 | iOS: 8 | introduced: '10.3' 9 | accessrights: AllowPasscodeRemovalAndLock 10 | supervised: true 11 | requiresdep: false 12 | sharedipad: 13 | mode: allowed 14 | devicechannel: true 15 | userchannel: false 16 | userenrollment: 17 | mode: forbidden 18 | macOS: 19 | introduced: '10.13' 20 | accessrights: AllowPasscodeRemovalAndLock 21 | devicechannel: true 22 | userchannel: false 23 | supervised: false 24 | requiresdep: false 25 | userenrollment: 26 | mode: forbidden 27 | tvOS: 28 | introduced: n/a 29 | visionOS: 30 | introduced: n/a 31 | watchOS: 32 | introduced: n/a 33 | content: This command requires the Device Lock access right. The device will shut 34 | down immediately. 35 | -------------------------------------------------------------------------------- /mdm/commands/lom.setuprequest.yaml: -------------------------------------------------------------------------------- 1 | title: LOM Setup Request Command 2 | description: Queries the device for LOM setup information such as IP addresses, protocol 3 | version, etc. 
4 | payload: 5 | requesttype: LOMSetupRequest 6 | supportedOS: 7 | iOS: 8 | introduced: n/a 9 | macOS: 10 | introduced: '11.0' 11 | accessrights: DeviceLockAndRemovePasscode 12 | devicechannel: true 13 | userchannel: false 14 | supervised: false 15 | requiresdep: false 16 | userenrollment: 17 | mode: forbidden 18 | tvOS: 19 | introduced: n/a 20 | visionOS: 21 | introduced: n/a 22 | watchOS: 23 | introduced: n/a 24 | content: Queries the device for LOM setup information such as IP addresses, protocol 25 | version, etc. The MDM server must send this command prior to sending the LOMDeviceRequest 26 | command. 27 | responsekeys: 28 | - key: PrimaryIPv6AddressList 29 | type: 30 | presence: required 31 | content: An array that contains the IPv6 addresses for primary LOM-compatible Ethernet 32 | interfaces for the device. 33 | subkeys: 34 | - key: PrimaryIPv6AddressListItem 35 | type: 36 | presence: required 37 | - key: SecondaryIPv6AddressList 38 | type: 39 | presence: required 40 | content: An array that contains the IPv6 addresses for secondary LOM-compatible 41 | Ethernet interfaces for the device. 42 | subkeys: 43 | - key: SecondaryIPv6AddressListItem 44 | type: 45 | presence: required 46 | - key: LOMProtocolVersion 47 | type: 48 | presence: required 49 | content: The LOM protocol version that the device supports. 50 | -------------------------------------------------------------------------------- /mdm/commands/media.remove.yaml: -------------------------------------------------------------------------------- 1 | title: Remove Media Command 2 | description: This command allows an MDM server to remove managed media. This command 3 | returns Acknowledged even if the item is not found. 
4 | payload: 5 | requesttype: RemoveMedia 6 | supportedOS: 7 | iOS: 8 | introduced: '8.0' 9 | accessrights: AllowAppInstallation 10 | supervised: false 11 | requiresdep: false 12 | sharedipad: 13 | mode: allowed 14 | devicechannel: true 15 | userchannel: false 16 | userenrollment: 17 | mode: allowed 18 | macOS: 19 | introduced: n/a 20 | tvOS: 21 | introduced: n/a 22 | visionOS: 23 | introduced: n/a 24 | watchOS: 25 | introduced: n/a 26 | content: This command allows an MDM server to remove managed media. This command 27 | returns Acknowledged even if the item is not found. 28 | payloadkeys: 29 | - key: MediaType 30 | type: 31 | presence: required 32 | rangelist: 33 | - Book 34 | content: The media type, which can only be 'Book'. 35 | - key: iTunesStoreID 36 | type: 37 | presence: optional 38 | content: The book's iTunes Store identifier. 39 | - key: PersistentID 40 | type: 41 | presence: optional 42 | content: The book's persistent identifier in reverse-DNS form; for example, 'com.acme.manuals.training'. 43 | -------------------------------------------------------------------------------- /mdm/commands/mirroring.stop.yaml: -------------------------------------------------------------------------------- 1 | title: Stop Mirroring Command 2 | description: This command stops AirPlay mirroring. 3 | payload: 4 | requesttype: StopMirroring 5 | supportedOS: 6 | iOS: 7 | introduced: '7.0' 8 | accessrights: None 9 | supervised: true 10 | requiresdep: false 11 | sharedipad: 12 | mode: allowed 13 | devicechannel: true 14 | userchannel: false 15 | userenrollment: 16 | mode: forbidden 17 | macOS: 18 | introduced: '10.10' 19 | accessrights: None 20 | devicechannel: true 21 | userchannel: false 22 | supervised: false 23 | requiresdep: false 24 | userenrollment: 25 | mode: forbidden 26 | tvOS: 27 | introduced: n/a 28 | visionOS: 29 | introduced: n/a 30 | watchOS: 31 | introduced: n/a 32 | content: This command stops AirPlay mirroring. 
33 | -------------------------------------------------------------------------------- /mdm/commands/passcode.clear.yaml: -------------------------------------------------------------------------------- 1 | title: Clear Passcode Command 2 | description: This command allows the server to clear the passcode on the device. This 3 | command requires the Device Lock and Passcode Removal right. 4 | payload: 5 | requesttype: ClearPasscode 6 | supportedOS: 7 | iOS: 8 | introduced: '4.0' 9 | accessrights: AllowPasscodeRemovalAndLock 10 | supervised: false 11 | requiresdep: false 12 | sharedipad: 13 | mode: forbidden 14 | userenrollment: 15 | mode: forbidden 16 | macOS: 17 | introduced: n/a 18 | tvOS: 19 | introduced: n/a 20 | visionOS: 21 | introduced: '1.1' 22 | accessrights: AllowPasscodeRemovalAndLock 23 | supervised: false 24 | requiresdep: false 25 | userenrollment: 26 | mode: forbidden 27 | watchOS: 28 | introduced: '10.0' 29 | accessrights: AllowPasscodeRemovalAndLock 30 | supervised: false 31 | content: This command allows the server to clear the passcode on the device. This 32 | command requires the Device Lock and Passcode Removal right. 33 | payloadkeys: 34 | - key: UnlockToken 35 | type: 36 | presence: required 37 | content: The unlock token value that the device provides in its 'TokenUpdateMessage' 38 | check-in message. 39 | -------------------------------------------------------------------------------- /mdm/commands/passcode.firmware.set.yaml: -------------------------------------------------------------------------------- 1 | title: Set Firmware Password Command 2 | description: Changes or clears the firmware password for the device. 
3 | payload: 4 | requesttype: SetFirmwarePassword 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '10.13' 10 | accessrights: DeviceLockAndRemovePasscode 11 | devicechannel: true 12 | userchannel: false 13 | supervised: false 14 | requiresdep: false 15 | userenrollment: 16 | mode: forbidden 17 | tvOS: 18 | introduced: n/a 19 | visionOS: 20 | introduced: n/a 21 | watchOS: 22 | introduced: n/a 23 | content: Changes or clears the firmware password for the device. Requires the "Device 24 | lock and passcode removal" right. This command is not available on Apple silicon 25 | devices. 26 | payloadkeys: 27 | - key: CurrentPassword 28 | type: 29 | presence: optional 30 | content: The current password, which you must set if the device has a firmware password. 31 | - key: NewPassword 32 | type: 33 | presence: required 34 | content: The new firmware password. Set to an empty string to clear the password. 35 | The characters in this value must consist of low-ASCII, printable characters ('0x20' 36 | through '0x7E') to ensure that all characters are enterable on the EFI login screen. 37 | - key: AllowOroms 38 | type: 39 | presence: optional 40 | default: false 41 | content: If 'true', enables option ROMs. 42 | responsekeys: 43 | - key: SetFirmwarePassword 44 | type: 45 | presence: required 46 | content: Command result. 47 | subkeys: 48 | - key: PasswordChanged 49 | type: 50 | presence: required 51 | content: If 'true', the password change succeeded. 52 | -------------------------------------------------------------------------------- /mdm/commands/passcode.firmware.verify.yaml: -------------------------------------------------------------------------------- 1 | title: Verify Firmware Password Command 2 | description: Verifies the device's firmware password. 
3 | payload: 4 | requesttype: VerifyFirmwarePassword 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '10.13' 10 | accessrights: None 11 | devicechannel: true 12 | userchannel: false 13 | supervised: false 14 | requiresdep: false 15 | userenrollment: 16 | mode: forbidden 17 | tvOS: 18 | introduced: n/a 19 | visionOS: 20 | introduced: n/a 21 | watchOS: 22 | introduced: n/a 23 | content: Verifies the device's firmware password. This command is not available 24 | on Apple silicon devices. 25 | payloadkeys: 26 | - key: Password 27 | type: 28 | presence: required 29 | content: The password to verify. 30 | responsekeys: 31 | - key: VerifyFirmwarePassword 32 | type: 33 | presence: required 34 | content: Command result. 35 | subkeys: 36 | - key: PasswordVerified 37 | type: 38 | presence: required 39 | content: If 'true', the provided password matched the firmware password set for 40 | the device. 41 | -------------------------------------------------------------------------------- /mdm/commands/passcode.recovery.set.yaml: -------------------------------------------------------------------------------- 1 | title: Set Recovery Lock Command 2 | description: Sets or clears the recovery lock password (Apple Silicon devices only). 3 | payload: 4 | requesttype: SetRecoveryLock 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '11.5' 10 | accessrights: DeviceLockAndRemovePasscode 11 | devicechannel: true 12 | userchannel: false 13 | supervised: false 14 | requiresdep: false 15 | userenrollment: 16 | mode: forbidden 17 | tvOS: 18 | introduced: n/a 19 | visionOS: 20 | introduced: n/a 21 | watchOS: 22 | introduced: n/a 23 | content: Sets or clears the recovery lock password (Apple Silicon devices only). 24 | Requires the "Device lock and passcode removal" right. 
25 | payloadkeys: 26 | - key: CurrentPassword 27 | type: 28 | presence: optional 29 | content: If the device has a Recovery Lock password set, the system requires the 30 | current password. 31 | - key: NewPassword 32 | type: 33 | presence: required 34 | content: The new password for Recovery Lock. Set as an empty string to clear the 35 | Recovery Lock password. 36 | -------------------------------------------------------------------------------- /mdm/commands/passcode.recovery.verify.yaml: -------------------------------------------------------------------------------- 1 | title: Verify Recovery Lock Command 2 | description: Verifies the device's recovery lock password (Apple Silicon devices only). 3 | payload: 4 | requesttype: VerifyRecoveryLock 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '11.5' 10 | accessrights: DeviceLockAndRemovePasscode 11 | devicechannel: true 12 | userchannel: false 13 | supervised: false 14 | requiresdep: false 15 | userenrollment: 16 | mode: forbidden 17 | tvOS: 18 | introduced: n/a 19 | visionOS: 20 | introduced: n/a 21 | watchOS: 22 | introduced: n/a 23 | content: Verifies the device's recovery lock password (Apple Silicon devices only). 24 | payloadkeys: 25 | - key: Password 26 | type: 27 | presence: required 28 | content: The password to verify. 29 | responsekeys: 30 | - key: PasswordVerified 31 | type: 32 | presence: required 33 | content: If 'true', the device verified the password. 34 | -------------------------------------------------------------------------------- /mdm/commands/passcode.unlocktoken.yaml: -------------------------------------------------------------------------------- 1 | title: Request Unlock Token Command 2 | description: This command requests an UnlockToken from the device. 
3 | payload: 4 | requesttype: RequestUnlockToken 5 | supportedOS: 6 | iOS: 7 | introduced: '5.0' 8 | deprecated: 6.1.6 9 | accessrights: None 10 | supervised: true 11 | requiresdep: false 12 | sharedipad: 13 | mode: forbidden 14 | userenrollment: 15 | mode: forbidden 16 | macOS: 17 | introduced: n/a 18 | tvOS: 19 | introduced: n/a 20 | visionOS: 21 | introduced: n/a 22 | watchOS: 23 | introduced: n/a 24 | content: This command requests an UnlockToken from the device. Pass this token to 25 | the ClearPasscode command to unlock the device. 26 | responsekeys: 27 | - key: UnlockToken 28 | type: 29 | presence: required 30 | content: The unlock token. Erasing the user partition invalidates this token. 31 | -------------------------------------------------------------------------------- /mdm/commands/profile.install.yaml: -------------------------------------------------------------------------------- 1 | title: Install Profile Command 2 | description: This command allows the host to install a configuration profile. The 3 | profile may be encrypted using any installed identity certificate. The profile may 4 | also be signed. This command requires the Profile Installation and Removal right. 5 | It's supported in the user channel. 
6 | payload: 7 | requesttype: InstallProfile 8 | supportedOS: 9 | iOS: 10 | introduced: '4.0' 11 | accessrights: AllowInstallationRemoval 12 | supervised: false 13 | requiresdep: false 14 | sharedipad: 15 | mode: allowed 16 | devicechannel: true 17 | userchannel: true 18 | userenrollment: 19 | mode: allowed 20 | macOS: 21 | introduced: '10.7' 22 | accessrights: AllowInstallationRemoval 23 | devicechannel: true 24 | userchannel: true 25 | supervised: false 26 | requiresdep: false 27 | userenrollment: 28 | mode: allowed 29 | tvOS: 30 | introduced: '9.0' 31 | accessrights: AllowInstallationRemoval 32 | supervised: false 33 | visionOS: 34 | introduced: '1.1' 35 | accessrights: AllowInstallationRemoval 36 | supervised: false 37 | requiresdep: false 38 | userenrollment: 39 | mode: allowed 40 | watchOS: 41 | introduced: '10.0' 42 | accessrights: AllowInstallationRemoval 43 | supervised: false 44 | content: This command allows the host to install a configuration profile. The profile 45 | may be encrypted using any installed identity certificate. The profile may also 46 | be signed. This command requires the Profile Installation and Removal right. It's 47 | supported in the user channel. 48 | payloadkeys: 49 | - key: Payload 50 | type: 51 | presence: required 52 | content: The profile to install, which you can encrypt using any identity certificate 53 | installed on the device. You can also sign the profile. 54 | -------------------------------------------------------------------------------- /mdm/commands/profile.provisioning.install.yaml: -------------------------------------------------------------------------------- 1 | title: Install Provisioning Profile Command 2 | description: This command allows the server to install a provisioning profile. No 3 | error occurs if the provisioning profile is already installed. This command requires 4 | the Provisioning Profile Installation and Removal right. 
On macOS, this command 5 | is for iOS and iPadOS style provisioning profiles only. 6 | payload: 7 | requesttype: InstallProvisioningProfile 8 | supportedOS: 9 | iOS: 10 | introduced: '4.0' 11 | accessrights: AllowProvisioningInstallationRemoval 12 | supervised: false 13 | requiresdep: false 14 | sharedipad: 15 | mode: allowed 16 | devicechannel: true 17 | userchannel: false 18 | userenrollment: 19 | mode: allowed 20 | macOS: 21 | introduced: '11.0' 22 | accessrights: None 23 | devicechannel: true 24 | userchannel: false 25 | supervised: false 26 | requiresdep: false 27 | userenrollment: 28 | mode: allowed 29 | tvOS: 30 | introduced: '10.2' 31 | accessrights: AllowProvisioningInstallationRemoval 32 | supervised: false 33 | visionOS: 34 | introduced: '1.1' 35 | accessrights: AllowProvisioningInstallationRemoval 36 | supervised: false 37 | requiresdep: false 38 | userenrollment: 39 | mode: allowed 40 | watchOS: 41 | introduced: '10.0' 42 | accessrights: AllowProvisioningInstallationRemoval 43 | supervised: false 44 | content: This command allows the server to install a provisioning profile. No error 45 | occurs if the provisioning profile is already installed. This command requires 46 | the Provisioning Profile Installation and Removal right. On macOS, this command 47 | is for iOS and iPadOS style provisioning profiles only. 48 | payloadkeys: 49 | - key: ProvisioningProfile 50 | type: 51 | presence: required 52 | content: The provisioning profile. 53 | -------------------------------------------------------------------------------- /mdm/commands/profile.provisioning.remove.yaml: -------------------------------------------------------------------------------- 1 | title: Remove Provisioning Profile Command 2 | description: This command allows the server to remove a provisioning profile. This 3 | command requires the Provisioning Profile Installation and Removal right. On macOS, 4 | this command is for iOS and iPadOS style provisioning profiles only. 
5 | payload: 6 | requesttype: RemoveProvisioningProfile 7 | supportedOS: 8 | iOS: 9 | introduced: '4.0' 10 | accessrights: AllowProvisioningInstallationRemoval 11 | supervised: false 12 | requiresdep: false 13 | sharedipad: 14 | mode: allowed 15 | devicechannel: true 16 | userchannel: false 17 | userenrollment: 18 | mode: allowed 19 | macOS: 20 | introduced: '11.0' 21 | accessrights: None 22 | devicechannel: true 23 | userchannel: false 24 | supervised: false 25 | requiresdep: false 26 | userenrollment: 27 | mode: allowed 28 | tvOS: 29 | introduced: '10.2' 30 | accessrights: AllowProvisioningInstallationRemoval 31 | supervised: false 32 | visionOS: 33 | introduced: '1.1' 34 | accessrights: AllowProvisioningInstallationRemoval 35 | supervised: false 36 | requiresdep: false 37 | userenrollment: 38 | mode: allowed 39 | watchOS: 40 | introduced: '10.0' 41 | accessrights: AllowProvisioningInstallationRemoval 42 | supervised: false 43 | content: This command allows the server to remove a provisioning profile. This command 44 | requires the Provisioning Profile Installation and Removal right. On macOS, this 45 | command is for iOS and iPadOS style provisioning profiles only. 46 | payloadkeys: 47 | - key: UUID 48 | type: 49 | presence: required 50 | content: The unique identifier of the provisioning profile to remove. 51 | -------------------------------------------------------------------------------- /mdm/commands/profile.remove.yaml: -------------------------------------------------------------------------------- 1 | title: Remove Profile Command 2 | description: This command allows the server to remove a profile. This command requires 3 | the Profile Installation and Removal Right. It's supported in the user channel. 
4 | payload: 5 | requesttype: RemoveProfile 6 | supportedOS: 7 | iOS: 8 | introduced: '4.0' 9 | accessrights: AllowInstallationRemoval 10 | supervised: false 11 | requiresdep: false 12 | sharedipad: 13 | mode: allowed 14 | devicechannel: true 15 | userchannel: true 16 | userenrollment: 17 | mode: allowed 18 | macOS: 19 | introduced: '10.7' 20 | accessrights: AllowInstallationRemoval 21 | devicechannel: true 22 | userchannel: true 23 | supervised: false 24 | requiresdep: false 25 | userenrollment: 26 | mode: allowed 27 | tvOS: 28 | introduced: '9.0' 29 | accessrights: AllowInstallationRemoval 30 | supervised: false 31 | visionOS: 32 | introduced: '1.1' 33 | accessrights: AllowInstallationRemoval 34 | supervised: false 35 | requiresdep: false 36 | userenrollment: 37 | mode: allowed 38 | watchOS: 39 | introduced: '10.0' 40 | accessrights: AllowInstallationRemoval 41 | supervised: false 42 | content: This command allows the server to remove a profile. This command requires 43 | the Profile Installation and Removal Right. It's supported in the user channel. 44 | payloadkeys: 45 | - key: Identifier 46 | type: 47 | presence: required 48 | content: The identifier of the profile to remove. 49 | -------------------------------------------------------------------------------- /mdm/commands/remotedesktop.disable.yaml: -------------------------------------------------------------------------------- 1 | title: Disable Remote Desktop Command 2 | description: Disable Remote Desktop on the device. 3 | payload: 4 | requesttype: DisableRemoteDesktop 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: 10.14.4 10 | devicechannel: true 11 | userchannel: false 12 | supervised: true 13 | requiresdep: false 14 | userenrollment: 15 | mode: forbidden 16 | tvOS: 17 | introduced: n/a 18 | visionOS: 19 | introduced: n/a 20 | watchOS: 21 | introduced: n/a 22 | content: Disable Remote Desktop. 
23 | -------------------------------------------------------------------------------- /mdm/commands/remotedesktop.enable.yaml: -------------------------------------------------------------------------------- 1 | title: Enable Remote Desktop Command 2 | description: Enable Remote Desktop on the device. 3 | payload: 4 | requesttype: EnableRemoteDesktop 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: 10.14.4 10 | devicechannel: true 11 | userchannel: false 12 | supervised: true 13 | requiresdep: false 14 | userenrollment: 15 | mode: forbidden 16 | tvOS: 17 | introduced: n/a 18 | visionOS: 19 | introduced: n/a 20 | watchOS: 21 | introduced: n/a 22 | content: Enable Remote Desktop. 23 | -------------------------------------------------------------------------------- /mdm/commands/set.auto.admin.password.yaml: -------------------------------------------------------------------------------- 1 | title: Set Auto Admin Password Command 2 | description: Allows changing the password of a local admin account that was created 3 | by Setup Assistant during DEP enrollment via the AccountConfiguration command. 4 | payload: 5 | requesttype: SetAutoAdminPassword 6 | supportedOS: 7 | iOS: 8 | introduced: n/a 9 | macOS: 10 | introduced: '10.11' 11 | accessrights: None 12 | devicechannel: true 13 | userchannel: false 14 | supervised: false 15 | requiresdep: true 16 | userenrollment: 17 | mode: forbidden 18 | tvOS: 19 | introduced: n/a 20 | visionOS: 21 | introduced: n/a 22 | watchOS: 23 | introduced: n/a 24 | content: Allows changing the password of a local admin account that was created 25 | by Setup Assistant during DEP enrollment via the AccountConfiguration command. 26 | payloadkeys: 27 | - key: GUID 28 | type: 29 | presence: required 30 | content: The unique identifier of the local administrator account. 
If this value 31 | doesn't match the GUID of an administrator account that MDM created during Device 32 | Enrollment Program (DEP) enrollment, the command returns an error. 33 | - key: passwordHash 34 | type: 35 | presence: required 36 | content: |- 37 | The precreated salted SHA-512 PBKDF2 password hash for the account. 38 | Create this hash on the server using the CommonCrypto libraries, or equivalent, as a salted SHA-512 PBKDF2 dictionary that contains these elements: 39 | * 'entropy': The derived key from the password hash; for example, from 'CCKeyDerivationPBKDF()' 40 | * 'salt': The 32-byte randomized salt; for example, from 'CCRandomCopyBytes()' 41 | * 'iterations:' The number of iterations; for example, from 'CCCalibratePBKDF()' using a minimum hash time of 100 milliseconds, or if unknown, a number in the range of 20,000 to 40,000 iterations 42 | Place the dictionary that contains these elements into an outer dictionary with the key 'SALTED-SHA512-PBKDF2'. Convert this dictionary to binary data before setting it as the value for 'passwordHash'. 43 | -------------------------------------------------------------------------------- /mdm/commands/system.update.scan.yaml: -------------------------------------------------------------------------------- 1 | title: Schedule OS Update Scan Command 2 | description: Requests that the device perform a background scan for OS updates. 3 | payload: 4 | requesttype: ScheduleOSUpdateScan 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '10.11' 10 | accessrights: None 11 | devicechannel: true 12 | userchannel: false 13 | supervised: true 14 | requiresdep: false 15 | userenrollment: 16 | mode: forbidden 17 | tvOS: 18 | introduced: n/a 19 | visionOS: 20 | introduced: n/a 21 | watchOS: 22 | introduced: n/a 23 | content: Requests that the device perform a background scan for OS updates. 
24 | payloadkeys: 25 | - key: Force 26 | type: 27 | presence: optional 28 | default: false 29 | content: If 'true', force a scan to start immediately. Otherwise, the scan starts 30 | at a system-determined time. 31 | responsekeys: 32 | - key: ScanInitiated 33 | type: 34 | presence: required 35 | content: If 'true', the scan started successfully. 36 | -------------------------------------------------------------------------------- /mdm/commands/user.configured.yaml: -------------------------------------------------------------------------------- 1 | title: User Configured Command 2 | description: Informs the device that it can continue past Setup Assistant and finish 3 | login. Only works on Shared iPads that have the AwaitUserConfiguration feature enabled. 4 | payload: 5 | requesttype: UserConfigured 6 | supportedOS: 7 | iOS: 8 | introduced: '17.0' 9 | accessrights: None 10 | supervised: true 11 | requiresdep: true 12 | sharedipad: 13 | mode: allowed 14 | devicechannel: false 15 | userchannel: true 16 | userenrollment: 17 | mode: forbidden 18 | macOS: 19 | introduced: n/a 20 | tvOS: 21 | introduced: n/a 22 | visionOS: 23 | introduced: n/a 24 | watchOS: 25 | introduced: n/a 26 | content: Informs the device that it can continue past Setup Assistant and finish 27 | login. Only works on Shared iPads that have the AwaitUserConfiguration feature 28 | enabled. 29 | -------------------------------------------------------------------------------- /mdm/commands/user.delete.yaml: -------------------------------------------------------------------------------- 1 | title: Delete User Command 2 | description: This command allows the server to delete a user that has an active account 3 | on the device. 
4 | payload: 5 | requesttype: DeleteUser 6 | supportedOS: 7 | iOS: 8 | introduced: '9.3' 9 | accessrights: None 10 | supervised: false 11 | requiresdep: false 12 | sharedipad: 13 | mode: required 14 | devicechannel: true 15 | userchannel: false 16 | userenrollment: 17 | mode: forbidden 18 | macOS: 19 | introduced: '10.13' 20 | accessrights: None 21 | devicechannel: true 22 | userchannel: false 23 | supervised: true 24 | requiresdep: false 25 | userenrollment: 26 | mode: forbidden 27 | tvOS: 28 | introduced: n/a 29 | visionOS: 30 | introduced: n/a 31 | watchOS: 32 | introduced: n/a 33 | content: This command allows the server to delete a user that has an active account 34 | on the device. 35 | payloadkeys: 36 | - key: UserName 37 | type: 38 | presence: optional 39 | content: The user name of the account to delete. This key is required when the value 40 | for 'DeleteAllUsers' is absent or 'false'. 41 | - key: ForceDeletion 42 | supportedOS: 43 | macOS: 44 | introduced: n/a 45 | type: 46 | presence: optional 47 | default: false 48 | content: If 'true', the system deletes the account even if the user has data that's 49 | pending sync to the cloud. This value is available on iOS 9.3 and later. 50 | - key: DeleteAllUsers 51 | supportedOS: 52 | iOS: 53 | introduced: '14.0' 54 | macOS: 55 | introduced: n/a 56 | type: 57 | presence: optional 58 | default: false 59 | content: If 'true', the system attempts to delete all users from the device. If 60 | 'ForceDeletion' is 'false', the system generates an error instead and doesn't 61 | delete users who have data that's pending sync. This value is available in iOS 62 | 14 and later. 63 | -------------------------------------------------------------------------------- /mdm/commands/user.logout.yaml: -------------------------------------------------------------------------------- 1 | title: Log Out User Command 2 | description: This command allows the server to force the current user to logout. 
3 | payload: 4 | requesttype: LogOutUser 5 | supportedOS: 6 | iOS: 7 | introduced: '9.3' 8 | accessrights: None 9 | supervised: false 10 | requiresdep: false 11 | sharedipad: 12 | mode: required 13 | devicechannel: true 14 | userchannel: false 15 | userenrollment: 16 | mode: forbidden 17 | macOS: 18 | introduced: n/a 19 | tvOS: 20 | introduced: n/a 21 | visionOS: 22 | introduced: n/a 23 | watchOS: 24 | introduced: n/a 25 | content: This command allows the server to force the current user to logout. 26 | -------------------------------------------------------------------------------- /mdm/commands/user.unlock.yaml: -------------------------------------------------------------------------------- 1 | title: Unlock User Account Command 2 | description: This command allows the server to unlock a local user account. 3 | payload: 4 | requesttype: UnlockUserAccount 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '10.13' 10 | accessrights: DeviceLockAndRemovePasscode 11 | devicechannel: true 12 | userchannel: false 13 | supervised: false 14 | requiresdep: false 15 | userenrollment: 16 | mode: forbidden 17 | tvOS: 18 | introduced: n/a 19 | visionOS: 20 | introduced: n/a 21 | watchOS: 22 | introduced: n/a 23 | content: This command allows the server to unlock a local user account that has 24 | been locked due to too many failed password attempts. Requires "Device lock and 25 | passcode removal right". 26 | payloadkeys: 27 | - key: UserName 28 | type: 29 | presence: required 30 | content: The user name of the local account, which can be any local account on the 31 | system, not just a managed user account. 32 | -------------------------------------------------------------------------------- /mdm/errors/unrecognized.device.yaml: -------------------------------------------------------------------------------- 1 | title: Error Unrecognized Device 2 | description: Error response for unrecognized device. 
3 | payload: 4 | supportedOS: 5 | iOS: 6 | introduced: '17.0' 7 | macOS: 8 | introduced: '14.0' 9 | tvOS: 10 | introduced: '17.0' 11 | visionOS: 12 | introduced: '1.1' 13 | watchOS: 14 | introduced: '10.0' 15 | content: |- 16 | The schema for a JSON or property list XML document returned in an MDM server's 403 response body. The 17 | response headers must include a "Content-Type" header indicating whether JSON or XML is being returned. 18 | 19 | This response is returned when a server does not recognize the device making the MDM request, and 20 | causes the device to unenroll with the MDM server. This error should be used in place of the server 21 | returning a 401 response to trigger an unenroll. 22 | payloadkeys: 23 | - key: code 24 | type: 25 | presence: required 26 | rangelist: 27 | - com.apple.unrecognized.device 28 | content: Indicates that the device is not recognized by the server, causing the 29 | device to unenroll from MDM. 30 | - key: description 31 | type: 32 | presence: optional 33 | content: The description of the error. This will only be used by the client for 34 | logging purposes and will not be displayed to the user. 35 | - key: message 36 | type: 37 | presence: optional 38 | content: A description of the error suitable for displaying to the user. If needed, 39 | the client will make a best-effort attempt to display the message, but may not 40 | be able to, due to local conditions. 41 | -------------------------------------------------------------------------------- /mdm/errors/watch.pairing.token.missing.yaml: -------------------------------------------------------------------------------- 1 | title: Error Code Pairing Token Missing 2 | description: Error response for missing pairing token. 
3 | payload: 4 | supportedOS: 5 | iOS: 6 | introduced: n/a 7 | macOS: 8 | introduced: n/a 9 | tvOS: 10 | introduced: n/a 11 | visionOS: 12 | introduced: n/a 13 | watchOS: 14 | introduced: '10.0' 15 | content: |- 16 | The schema for a JSON or property list XML document returned in an MDM server's 403 response body. The response headers 17 | must include a "Content-Type" header indicating whether JSON or XML is being returned. 18 | 19 | This response is returned when an Apple Watch is attempting to enroll in MDM and the watch did not include a pairing token 20 | in the machine info request sent to the server to initiate enrollment. After receiving this response, the watch will fetch 21 | a pairing token from the phone's MDM server via a request to the phone. The watch will then repeat the enrollment request 22 | with the pairing token included. 23 | payloadkeys: 24 | - key: code 25 | type: 26 | presence: required 27 | rangelist: 28 | - com.apple.watch.pairing.token.missing 29 | content: Indicates that the pairing token required to enroll a watch is missing. 30 | - key: description 31 | type: 32 | presence: optional 33 | content: The description of the error. This will only be used by the client for 34 | logging purposes and will not be displayed to the user. 35 | - key: message 36 | type: 37 | presence: optional 38 | content: A description of the error suitable for displaying to the user. If needed, 39 | the client will make a best-effort attempt to display the message, but may not 40 | be able to, due to local conditions. 41 | - key: details 42 | type: 43 | presence: required 44 | content: A dictionary of additional data specific to the error code. 45 | subkeys: 46 | - key: security-token 47 | type: 48 | presence: required 49 | content: The security token to pass to the phone's MDM server to use to form the 50 | pairing token. This should be a randomly generated UUID string. 
51 | -------------------------------------------------------------------------------- /mdm/errors/well-known.failed.yaml: -------------------------------------------------------------------------------- 1 | title: Error Well-known Failed 2 | description: Error response for well-known failed 3 | payload: 4 | supportedOS: 5 | iOS: 6 | introduced: '17.5' 7 | macOS: 8 | introduced: '14.5' 9 | tvOS: 10 | introduced: n/a 11 | visionOS: 12 | introduced: '1.2' 13 | watchOS: 14 | introduced: n/a 15 | content: |- 16 | The schema for a JSON or property list XML document returned in an MDM server's 403 response body. The 17 | response headers must include a "Content-Type" header indicating whether JSON or XML is being returned. 18 | 19 | This response is returned when a device is doing well-known resource service discovery for account driven 20 | enrollments, and the server rejects the request. 21 | payloadkeys: 22 | - key: code 23 | type: 24 | presence: required 25 | rangelist: 26 | - com.apple.well-known.failed 27 | content: Indicates that the well-known request has failed. 28 | - key: description 29 | type: 30 | presence: optional 31 | content: The description of the error. This will only be used by the client for 32 | logging purposes and will not be displayed to the user. 33 | - key: message 34 | type: 35 | presence: optional 36 | content: A description of the error suitable for displaying to the user. If needed, 37 | the client will make a best-effort attempt to display the message, but may not 38 | be able to, due to local conditions. 
39 | -------------------------------------------------------------------------------- /mdm/profiles/GlobalPreferences.yaml: -------------------------------------------------------------------------------- 1 | title: Global Preferences 2 | description: '' 3 | payload: 4 | payloadtype: .GlobalPreferences 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '10.7' 10 | multiple: false 11 | devicechannel: true 12 | userchannel: true 13 | supervised: false 14 | requiresdep: false 15 | userapprovedmdm: false 16 | allowmanualinstall: true 17 | userenrollment: 18 | mode: forbidden 19 | tvOS: 20 | introduced: n/a 21 | visionOS: 22 | introduced: n/a 23 | watchOS: 24 | introduced: n/a 25 | content: Global preferences on macOS 26 | payloadkeys: 27 | - key: MultipleSessionEnabled 28 | type: 29 | presence: optional 30 | default: true 31 | content: If 'false', disables fast user switching. 32 | - key: com.apple.autologout.AutoLogOutDelay 33 | type: 34 | presence: optional 35 | content: The 'autologout' delay, in seconds. A value of '0' means 'autologout' is 36 | off. In some cases, this delay may be restricted to values between 5 minutes and 37 | 24 hours. 38 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.AIM.account.yaml: -------------------------------------------------------------------------------- 1 | title: AIM Account 2 | description: Use this section to define settings for configuration access to AIM servers. 
3 | payload: 4 | payloadtype: com.apple.AIM.account 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '10.7' 10 | deprecated: '10.13' 11 | removed: '10.14' 12 | multiple: true 13 | devicechannel: false 14 | userchannel: true 15 | supervised: false 16 | requiresdep: false 17 | userapprovedmdm: false 18 | allowmanualinstall: true 19 | userenrollment: 20 | mode: forbidden 21 | tvOS: 22 | introduced: n/a 23 | visionOS: 24 | introduced: n/a 25 | watchOS: 26 | introduced: n/a 27 | content: An AIM payload creates an AIM account on the device. 28 | payloadkeys: 29 | - key: AIMAccountDescription 30 | title: Account Description 31 | type: 32 | presence: optional 33 | content: The description of the account. 34 | - key: AIMHostName 35 | title: Account Hostname 36 | type: 37 | presence: required 38 | rangelist: 39 | - slogin.oscar.aol.com 40 | content: The server address. 41 | - key: AIMUserName 42 | title: Account Username 43 | type: 44 | presence: optional 45 | content: The user's login name. 46 | - key: AIMPassword 47 | title: Account Password 48 | type: 49 | presence: optional 50 | content: The user's password. 51 | - key: AIMUseSSL 52 | title: Use SSL 53 | type: 54 | presence: optional 55 | default: true 56 | content: If 'true', enables SSL. 57 | - key: AIMPort 58 | title: Port Number 59 | type: 60 | presence: optional 61 | range: 62 | min: 0 63 | max: 65535 64 | default: 5190 65 | content: The connection port for the server. 66 | - key: AIMAuthentication 67 | title: AIM Authentication 68 | type: 69 | presence: required 70 | rangelist: 71 | - AIMAuthPassword 72 | content: The authentication method for the account. 
73 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.Dictionary.yaml: -------------------------------------------------------------------------------- 1 | title: 'Parental Controls: Dictionary' 2 | description: '' 3 | payload: 4 | payloadtype: com.apple.Dictionary 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '10.7' 10 | multiple: false 11 | devicechannel: true 12 | userchannel: true 13 | supervised: false 14 | requiresdep: false 15 | userapprovedmdm: false 16 | allowmanualinstall: true 17 | userenrollment: 18 | mode: forbidden 19 | tvOS: 20 | introduced: n/a 21 | visionOS: 22 | introduced: n/a 23 | watchOS: 24 | introduced: n/a 25 | content: Parental controls dictionary restrictions. 26 | payloadkeys: 27 | - key: parentalControl 28 | type: 29 | presence: required 30 | content: If 'true', enables parental controls dictionary restrictions. 31 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.DiscRecording.yaml: -------------------------------------------------------------------------------- 1 | title: 'Media Management: Disc Burning' 2 | description: '' 3 | payload: 4 | payloadtype: com.apple.DiscRecording 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '10.7' 10 | multiple: false 11 | devicechannel: true 12 | userchannel: true 13 | supervised: false 14 | requiresdep: false 15 | userapprovedmdm: false 16 | allowmanualinstall: true 17 | userenrollment: 18 | mode: forbidden 19 | tvOS: 20 | introduced: n/a 21 | visionOS: 22 | introduced: n/a 23 | watchOS: 24 | introduced: n/a 25 | payloadkeys: 26 | - key: BurnSupport 27 | type: 28 | presence: required 29 | rangelist: 30 | - 'off' 31 | - authenticate 32 | - 'on' 33 | content: |- 34 | Configure disc-burn. Allowed values: 35 | 36 | * 'off': The system disables disc burning. 37 | * 'on': The system allows normal default operation. 
Setting this key to 'on' doesn't enable disc burn support if other mechanisms or preferences disabled it. Needs to be enabled with the Finder profile. 38 | * 'authenticate': The system requires authentication. 39 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.MCX(Accounts).yaml: -------------------------------------------------------------------------------- 1 | title: Accounts 2 | description: '' 3 | payload: 4 | payloadtype: com.apple.MCX 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '10.7' 10 | multiple: true 11 | devicechannel: true 12 | userchannel: false 13 | requiresdep: false 14 | userapprovedmdm: false 15 | allowmanualinstall: true 16 | userenrollment: 17 | mode: forbidden 18 | tvOS: 19 | introduced: n/a 20 | visionOS: 21 | introduced: n/a 22 | watchOS: 23 | introduced: n/a 24 | payloadkeys: 25 | - key: EnableGuestAccount 26 | supportedOS: 27 | macOS: 28 | introduced: '10.7' 29 | type: 30 | presence: optional 31 | default: false 32 | content: If 'true', the system enables the guest account. 33 | - key: DisableGuestAccount 34 | supportedOS: 35 | macOS: 36 | introduced: '10.7' 37 | type: 38 | presence: optional 39 | default: false 40 | content: If 'true', the system disables the guest account. This property has no 41 | effect if 'EnableGuestAccount' is 'true'. 
42 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.MCX(FileVault2).yaml: -------------------------------------------------------------------------------- 1 | title: FDE FileVault Options 2 | description: '' 3 | payload: 4 | payloadtype: com.apple.MCX 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '10.7' 10 | multiple: false 11 | devicechannel: true 12 | userchannel: false 13 | requiresdep: false 14 | userapprovedmdm: false 15 | allowmanualinstall: true 16 | userenrollment: 17 | mode: forbidden 18 | tvOS: 19 | introduced: n/a 20 | visionOS: 21 | introduced: n/a 22 | watchOS: 23 | introduced: n/a 24 | content: The FileVault accounts payload sets up options for enabling FileVault. 25 | payloadkeys: 26 | - key: dontAllowFDEDisable 27 | type: 28 | presence: optional 29 | default: false 30 | content: If 'true', the system won't disable FileVault. 31 | - key: dontAllowFDEEnable 32 | type: 33 | presence: optional 34 | default: false 35 | content: If 'true', the system won't enable FileVault. 36 | - key: DestroyFVKeyOnStandby 37 | supportedOS: 38 | macOS: 39 | introduced: '10.9' 40 | type: 41 | presence: optional 42 | default: false 43 | content: If 'true', the system won't store th FileVault key across restarts. 
44 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.MCX(TimeServer).yaml: -------------------------------------------------------------------------------- 1 | title: Time Server 2 | description: '' 3 | payload: 4 | payloadtype: com.apple.MCX 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: 10.12.4 10 | multiple: false 11 | devicechannel: true 12 | userchannel: false 13 | requiresdep: false 14 | userapprovedmdm: false 15 | allowmanualinstall: true 16 | userenrollment: 17 | mode: forbidden 18 | tvOS: 19 | introduced: n/a 20 | visionOS: 21 | introduced: n/a 22 | watchOS: 23 | introduced: n/a 24 | content: Settings for time zone and server. If multiple profiles with this payload 25 | are sent, the device's time server will be set to the value in the last payload 26 | installed. Removing the payload will not change the settings back to the prior 27 | settings. 28 | payloadkeys: 29 | - key: timeServer 30 | type: 31 | presence: optional 32 | content: The NTP server to connect to. As of macOS 10.13 only one time server is 33 | supported. 34 | - key: timeZone 35 | type: 36 | presence: optional 37 | content: The time zone path location string in '/usr/share/zoneinfo/'; for example, 38 | 'America/Denver' or 'Zulu'. 
39 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.MCX(WiFi).yaml: -------------------------------------------------------------------------------- 1 | title: Wi-Fi Managed Settings 2 | description: '' 3 | payload: 4 | payloadtype: com.apple.MCX 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '10.9' 10 | multiple: true 11 | devicechannel: true 12 | userchannel: false 13 | requiresdep: false 14 | userapprovedmdm: false 15 | allowmanualinstall: true 16 | userenrollment: 17 | mode: forbidden 18 | tvOS: 19 | introduced: n/a 20 | visionOS: 21 | introduced: n/a 22 | watchOS: 23 | introduced: n/a 24 | payloadkeys: 25 | - key: RequireAdminForIBSS 26 | supportedOS: 27 | macOS: 28 | introduced: '10.9' 29 | type: 30 | presence: optional 31 | default: false 32 | content: If 'true', requires administrator authorization to enable IBSS. 33 | - key: RequireAdminForAirPortNetworkChange 34 | supportedOS: 35 | macOS: 36 | introduced: '10.9' 37 | type: 38 | presence: optional 39 | default: false 40 | content: If 'true', requires administrator authorization for network changes. 41 | - key: RequireAdminToTurnAirPortOnOff 42 | supportedOS: 43 | macOS: 44 | introduced: '10.9' 45 | type: 46 | presence: optional 47 | default: false 48 | content: If 'true', requires administrator authorization to turn Wi-Fi on or off. 
49 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.MCX.TimeMachine.yaml: -------------------------------------------------------------------------------- 1 | title: Time Machine 2 | payload: 3 | payloadtype: com.apple.MCX.TimeMachine 4 | supportedOS: 5 | iOS: 6 | introduced: n/a 7 | macOS: 8 | introduced: '10.7' 9 | multiple: false 10 | devicechannel: true 11 | userchannel: false 12 | requiresdep: false 13 | userapprovedmdm: false 14 | allowmanualinstall: true 15 | userenrollment: 16 | mode: forbidden 17 | tvOS: 18 | introduced: n/a 19 | visionOS: 20 | introduced: n/a 21 | watchOS: 22 | introduced: n/a 23 | payloadkeys: 24 | - key: AutoBackup 25 | type: 26 | presence: optional 27 | default: true 28 | content: If 'true', performs automatic backups at regular intervals. 29 | - key: BackupAllVolumes 30 | type: 31 | presence: optional 32 | default: false 33 | content: If 'true', backs up only the startup volume by default. 34 | - key: BackupDestURL 35 | type: 36 | presence: required 37 | content: The URL of the backup destination. 38 | - key: BackupSizeMB 39 | type: 40 | presence: optional 41 | default: 0 42 | content: The backup size limit, in megabytes. Set to 0 for unlimited. 43 | - key: BackupSkipSys 44 | type: 45 | presence: optional 46 | default: false 47 | content: If 'true', skips system files and folders by default. 48 | - key: MobileBackups 49 | type: 50 | presence: optional 51 | default: true 52 | content: If 'true', create local backup snapshots when not connected to the network. 53 | - key: BasePaths 54 | type: 55 | presence: optional 56 | content: The list of paths to back up besides the startup volume. 57 | subkeys: 58 | - key: BasePathItem 59 | type: 60 | presence: required 61 | - key: SkipPaths 62 | type: 63 | presence: optional 64 | content: The path to skip from start volume. 
65 | subkeys: 66 | - key: SkipPathItem 67 | type: 68 | presence: required 69 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.ManagedClient.preferences.yaml: -------------------------------------------------------------------------------- 1 | title: Managed Preferences 2 | description: '' 3 | payload: 4 | payloadtype: com.apple.ManagedClient.preferences 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '10.7' 10 | multiple: true 11 | devicechannel: true 12 | userchannel: true 13 | supervised: false 14 | requiresdep: false 15 | userapprovedmdm: false 16 | allowmanualinstall: true 17 | userenrollment: 18 | mode: forbidden 19 | tvOS: 20 | introduced: n/a 21 | visionOS: 22 | introduced: n/a 23 | watchOS: 24 | introduced: n/a 25 | payloadkeys: 26 | - key: PayloadContent 27 | type: 28 | presence: required 29 | content: Dictionary containing app preference domains. The key names correspond 30 | to application preference domain identifiers (e.g., 'com.example.my-app'), or 31 | the string '.GlobalPreferences' for the global domain. The values specify the 32 | corresponding forced and set-once preferences. 33 | subkeys: 34 | - key: ANY 35 | type: 36 | presence: required 37 | content: The dictionary containing app preference domains. 38 | subkeytype: PreferenceDomain 39 | subkeys: 40 | - key: Forced 41 | type: 42 | presence: optional 43 | content: The dictionary of forced settings. 44 | subkeys: &id001 45 | - key: Settings 46 | type: 47 | presence: required 48 | subkeys: 49 | - key: mcx_preference_settings 50 | type: 51 | presence: required 52 | content: The dictionary of settings. 53 | subkeys: 54 | - key: ANY 55 | type: 56 | presence: optional 57 | content: The setting/value pairs. 58 | - key: Set-Once 59 | type: 60 | presence: optional 61 | content: The dictionary of one-time settings. 
62 | subkeys: *id001 63 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.NSExtension.yaml: -------------------------------------------------------------------------------- 1 | title: NSExtension Management 2 | description: '' 3 | payload: 4 | payloadtype: com.apple.NSExtension 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '10.13' 10 | multiple: true 11 | devicechannel: true 12 | userchannel: true 13 | supervised: false 14 | requiresdep: false 15 | userapprovedmdm: false 16 | allowmanualinstall: true 17 | userenrollment: 18 | mode: forbidden 19 | tvOS: 20 | introduced: n/a 21 | visionOS: 22 | introduced: n/a 23 | watchOS: 24 | introduced: n/a 25 | content: Specifies which NSExtension extensions are to be allowed or disallowed 26 | on a system. Extensions can be managed by bundleID allow/deny lists and "extension 27 | points". 28 | payloadkeys: 29 | - key: AllowedExtensions 30 | type: 31 | presence: optional 32 | content: An array of bundle identifiers for allowed extensions. 33 | subkeys: 34 | - key: AllowedExtensionsItem 35 | type: 36 | presence: required 37 | content: An extension identifier. 38 | - key: DeniedExtensions 39 | type: 40 | presence: optional 41 | content: An array of bundle identifiers for extensions that the system doesn't allow 42 | to run. 43 | subkeys: 44 | - key: DeniedExtensionsItem 45 | type: 46 | presence: required 47 | content: An extension identifier. 48 | - key: DeniedExtensionPoints 49 | type: 50 | presence: optional 51 | content: An array of extension points for extensions that the system doesn't allow 52 | to run. 53 | subkeys: 54 | - key: DeniedExtensionPointsItem 55 | type: 56 | presence: required 57 | content: An extension identifier. 
58 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.ShareKitHelper.yaml: -------------------------------------------------------------------------------- 1 | title: ShareKit 2 | description: '' 3 | payload: 4 | payloadtype: com.apple.ShareKitHelper 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '10.9' 10 | deprecated: '10.12' 11 | multiple: false 12 | devicechannel: true 13 | userchannel: true 14 | supervised: false 15 | requiresdep: false 16 | userapprovedmdm: false 17 | allowmanualinstall: true 18 | userenrollment: 19 | mode: forbidden 20 | tvOS: 21 | introduced: n/a 22 | visionOS: 23 | introduced: n/a 24 | watchOS: 25 | introduced: n/a 26 | content: macOS only. Specifies which ShareKit plugin can be accessed on client. 27 | Both allow and disallow lists can be specified. 28 | payloadkeys: 29 | - key: SHKAllowedShareServices 30 | type: 31 | presence: optional 32 | content: The list of plugin IDs that show up in the user's Share menu. If this array 33 | exists, only these items are permitted. 34 | subkeys: 35 | - key: SHKAllowedShareServicesItem 36 | type: 37 | presence: required 38 | content: A plugin ID. 39 | - key: SHKDeniedShareServices 40 | type: 41 | presence: optional 42 | content: The list of plugin IDs that won't show up in the user's Share menu. This 43 | key is used only if there is no 'SHKAllowedShareServices' key. 44 | subkeys: 45 | - key: SHKDeniedShareServicesItem 46 | type: 47 | presence: required 48 | content: A plugin ID. 
49 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.airplay.security.yaml: -------------------------------------------------------------------------------- 1 | title: AirPlay Security 2 | description: AirPlay Security settings 3 | payload: 4 | payloadtype: com.apple.airplay.security 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: n/a 10 | tvOS: 11 | introduced: '11.0' 12 | multiple: false 13 | supervised: false 14 | allowmanualinstall: true 15 | visionOS: 16 | introduced: n/a 17 | watchOS: 18 | introduced: n/a 19 | content: Manages the AirPlay Security settings on Apple TV (Settings > AirPlay > 20 | Security). Use this payload to lock Apple TV to a particular style of AirPlay 21 | security. The setting can enable/disable an on-screen passcode, or require a specific 22 | password phrase. 23 | payloadkeys: 24 | - key: SecurityType 25 | title: Security Type 26 | type: 27 | presence: required 28 | rangelist: 29 | - PASSCODE_ONCE 30 | - PASSCODE_ALWAYS 31 | - PASSWORD 32 | content: |- 33 | The security policy for AirPlay. Allowed values: 34 | 35 | * 'PASSCODE_ONCE': Requires an onscreen passcode on first connection from a device. Subsequent connections from the same device aren't prompted. 36 | * 'PASSCODE_ALWAYS': Requires an onscreen passcode for every AirPlay connection. After an AirPlay connection ends, the system allows reconnecting within 30 seconds without a password. 37 | * 'PASSWORD': Requires the passphrase set for 'Password'. 38 | 39 | 'NONE' was deprecated in tvOS 11.3. Existing profiles that use 'NONE' get the 'PASSWORD_ONCE' behavior. 40 | - key: AccessType 41 | title: Access Type 42 | type: 43 | presence: required 44 | rangelist: 45 | - ANY 46 | - WIFI_ONLY 47 | content: |- 48 | The access policy for AirPlay. 49 | 'ANY' allows connections from both Ethernet/WiFi and Apple Wireless Direct Link. 
50 | 'WIFI_ONLY' allows connections only from devices on the same Ethernet/WiFi network as Apple TV. 51 | - key: Password 52 | title: Password 53 | type: 54 | presence: optional 55 | content: The AirPlay password; required if 'SecurityType' is 'PASSWORD'. 56 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.appstore.yaml: -------------------------------------------------------------------------------- 1 | title: App Store 2 | description: '' 3 | payload: 4 | payloadtype: com.apple.appstore 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '10.9' 10 | multiple: false 11 | devicechannel: true 12 | userchannel: true 13 | supervised: false 14 | requiresdep: false 15 | userapprovedmdm: false 16 | allowmanualinstall: true 17 | userenrollment: 18 | mode: forbidden 19 | tvOS: 20 | introduced: n/a 21 | visionOS: 22 | introduced: n/a 23 | watchOS: 24 | introduced: n/a 25 | content: Use this payload to set restrictions used by the Mac App Store. 26 | payloadkeys: 27 | - key: restrict-store-require-admin-to-install 28 | supportedOS: 29 | macOS: 30 | introduced: '10.9' 31 | deprecated: '10.14' 32 | type: 33 | presence: optional 34 | default: false 35 | content: If 'true', the system restricts app installations to admin users only. 36 | Deprecated in macOS 10.14. Use the 'com.apple.SoftwareUpdate' payload key 'restrict-software-update-require-admin-to-install' 37 | instead. 38 | - key: restrict-store-softwareupdate-only 39 | supportedOS: 40 | macOS: 41 | introduced: '10.10' 42 | type: 43 | presence: optional 44 | default: false 45 | content: If 'true', the system prevents App Store from launching. Available in macOS 46 | 10.14 and later. Restricts installations to software updates only in macOS 10.10 47 | through 10.13. 
48 | - key: restrict-store-disable-app-adoption 49 | supportedOS: 50 | macOS: 51 | introduced: '10.10' 52 | type: 53 | presence: optional 54 | default: false 55 | content: If 'true', the system disables app adoption by users. Available in macOS 56 | 10.10 and later. 57 | - key: DisableSoftwareUpdateNotifications 58 | supportedOS: 59 | macOS: 60 | introduced: '10.10' 61 | type: 62 | presence: optional 63 | default: false 64 | content: If 'true', the system disables software update notifications. Available 65 | in macOS 10.10 and later. 66 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.asam.yaml: -------------------------------------------------------------------------------- 1 | title: Autonomous Single App Mode 2 | description: '' 3 | payload: 4 | payloadtype: com.apple.asam 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: 10.13.4 10 | multiple: false 11 | devicechannel: true 12 | userchannel: false 13 | requiresdep: false 14 | userapprovedmdm: true 15 | allowmanualinstall: false 16 | userenrollment: 17 | mode: forbidden 18 | tvOS: 19 | introduced: n/a 20 | visionOS: 21 | introduced: n/a 22 | watchOS: 23 | introduced: n/a 24 | payloadkeys: 25 | - key: AllowedApplications 26 | supportedOS: 27 | macOS: 28 | introduced: 10.13.4 29 | type: 30 | presence: required 31 | content: An array of dictionaries that specifies the apps that the system grants 32 | access to the Accessibility APIs. 33 | subkeys: 34 | - key: AllowedApplicationsItem 35 | type: 36 | subkeys: 37 | - key: BundleIdentifier 38 | supportedOS: 39 | macOS: 40 | introduced: 10.13.4 41 | type: 42 | presence: required 43 | content: The unique bundle identifier. If two dictionaries contain the same 44 | 'BundleIdentifier' value but a different 'TeamIdentifier' value, this will 45 | be considered an error and the profile won't be installed. 
46 | - key: TeamIdentifier 47 | supportedOS: 48 | macOS: 49 | introduced: 10.13.4 50 | type: 51 | presence: required 52 | content: The developer's team identifier that the system used when it signed 53 | the app. 54 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.conferenceroomdisplay.yaml: -------------------------------------------------------------------------------- 1 | title: Conference Room Display 2 | description: Use this section to place an Apple TV device into Conference Room Display 3 | mode. 4 | payload: 5 | payloadtype: com.apple.conferenceroomdisplay 6 | supportedOS: 7 | iOS: 8 | introduced: n/a 9 | macOS: 10 | introduced: n/a 11 | tvOS: 12 | introduced: '10.2' 13 | multiple: false 14 | supervised: true 15 | allowmanualinstall: true 16 | visionOS: 17 | introduced: n/a 18 | watchOS: 19 | introduced: n/a 20 | content: Configures an Apple TV to enter Conference Room Display mode, and restrictions 21 | exit from that mode 22 | payloadkeys: 23 | - key: Message 24 | title: Custom message 25 | type: 26 | presence: optional 27 | content: The custom message displayed on the screen in Conference Room Display mode. 
28 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.dashboard.yaml: -------------------------------------------------------------------------------- 1 | title: 'Parental Controls: Dashboard Widget Restrictions' 2 | description: '' 3 | payload: 4 | payloadtype: com.apple.dashboard 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '10.7' 10 | deprecated: '10.15' 11 | removed: '10.15' 12 | multiple: false 13 | devicechannel: true 14 | userchannel: true 15 | supervised: false 16 | requiresdep: false 17 | userapprovedmdm: false 18 | allowmanualinstall: true 19 | userenrollment: 20 | mode: forbidden 21 | tvOS: 22 | introduced: n/a 23 | visionOS: 24 | introduced: n/a 25 | watchOS: 26 | introduced: n/a 27 | content: Widget restrictions. 28 | payloadkeys: 29 | - key: whiteListEnabled 30 | type: 31 | presence: required 32 | content: If 'true', enables the widget allow list. 33 | - key: WhiteList 34 | type: 35 | presence: required 36 | content: An array of widget item dictionaries that are allowed. 37 | subkeys: 38 | - key: WhiteListItem 39 | type: 40 | subkeys: 41 | - key: Type 42 | type: 43 | presence: required 44 | content: The type of allow list item. Set to 'bundleID' to use a widget's bundle 45 | ID as its main ID. 46 | - key: ID 47 | type: 48 | presence: required 49 | content: The bundle ID of a widget. 
50 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.declarations.yaml: -------------------------------------------------------------------------------- 1 | title: Declarations 2 | description: Declarations 3 | payload: 4 | payloadtype: com.apple.declarations 5 | supportedOS: 6 | iOS: 7 | introduced: '17.0' 8 | multiple: true 9 | supervised: false 10 | allowmanualinstall: true 11 | sharedipad: 12 | mode: forbidden 13 | userenrollment: 14 | mode: forbidden 15 | macOS: 16 | introduced: '14.0' 17 | multiple: true 18 | devicechannel: true 19 | userchannel: true 20 | supervised: false 21 | requiresdep: false 22 | userapprovedmdm: false 23 | allowmanualinstall: true 24 | userenrollment: 25 | mode: forbidden 26 | tvOS: 27 | introduced: '17.0' 28 | multiple: true 29 | supervised: false 30 | allowmanualinstall: true 31 | visionOS: 32 | introduced: '1.0' 33 | multiple: true 34 | supervised: false 35 | allowmanualinstall: true 36 | userenrollment: 37 | mode: forbidden 38 | watchOS: 39 | introduced: '10.0' 40 | multiple: true 41 | supervised: false 42 | allowmanualinstall: true 43 | content: This profile applies a set of declarations to the device via the Settings 44 | app. This allows manual installations of declarations in cases where an MDM enrollment 45 | is not present. This profile can only be manually installed, and cannot be installed 46 | via an MDM server. 47 | payloadkeys: 48 | - key: Declarations 49 | title: Declarations 50 | type: 51 | presence: required 52 | content: The set of declarations to apply. The items in this array are Base64-encoded 53 | data representations of the declaration JSON data. 
54 | subkeys: 55 | - key: DeclarationsItem 56 | title: Declarations Content Item 57 | type: 58 | presence: required 59 | content: An item in the declarations list 60 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.desktop.yaml: -------------------------------------------------------------------------------- 1 | title: Desktop 2 | description: '' 3 | payload: 4 | payloadtype: com.apple.desktop 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '10.10' 10 | multiple: false 11 | devicechannel: true 12 | userchannel: true 13 | supervised: false 14 | requiresdep: false 15 | userapprovedmdm: false 16 | allowmanualinstall: true 17 | userenrollment: 18 | mode: forbidden 19 | tvOS: 20 | introduced: n/a 21 | visionOS: 22 | introduced: n/a 23 | watchOS: 24 | introduced: n/a 25 | payloadkeys: 26 | - key: locked 27 | supportedOS: 28 | macOS: 29 | deprecated: '10.13' 30 | type: 31 | presence: optional 32 | default: false 33 | content: If 'true', locks the desktop picture. Replaced with allowWallpaperModification 34 | in macOS 10.13. 35 | - key: override-picture-path 36 | type: 37 | presence: optional 38 | content: The path to the desktop picture. If set, this picture is always locked. 
39 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.firstactiveethernet.managed.yaml: -------------------------------------------------------------------------------- 1 | title: '802.1X: First Active Ethernet' 2 | description: '' 3 | payload: 4 | payloadtype: com.apple.firstactiveethernet.managed 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '10.7' 10 | multiple: false 11 | devicechannel: true 12 | userchannel: true 13 | supervised: false 14 | requiresdep: false 15 | userapprovedmdm: false 16 | allowmanualinstall: true 17 | userenrollment: 18 | mode: allowed 19 | tvOS: 20 | introduced: n/a 21 | visionOS: 22 | introduced: n/a 23 | watchOS: 24 | introduced: n/a 25 | payloadkeys: 26 | - key: ANY 27 | type: 28 | presence: optional 29 | content: Keys relevant to 802.1x configuration. User enrollment payloads do not 30 | support the various proxy keys including ProxyType, ProxyServer, ProxyServerPort, 31 | ProxyUsername, ProxyPassword,, ProxyPACURL and ProxyPACFallbackAllowed. 32 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.firstethernet.managed.yaml: -------------------------------------------------------------------------------- 1 | title: '802.1X: First Ethernet' 2 | description: '' 3 | payload: 4 | payloadtype: com.apple.firstethernet.managed 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '10.7' 10 | multiple: false 11 | devicechannel: true 12 | userchannel: true 13 | supervised: false 14 | requiresdep: false 15 | userapprovedmdm: false 16 | allowmanualinstall: true 17 | userenrollment: 18 | mode: allowed 19 | tvOS: 20 | introduced: n/a 21 | visionOS: 22 | introduced: n/a 23 | watchOS: 24 | introduced: n/a 25 | payloadkeys: 26 | - key: ANY 27 | type: 28 | presence: optional 29 | content: Keys relevant to 802.1x configuration. 
User enrollment payloads don't 30 | support the various proxy keys, including 'ProxyType', 'ProxyServer', 'ProxyServerPort', 31 | 'ProxyUsername', 'ProxyPassword', 'ProxyPACURL' and 'ProxyPACFallbackAllowed'.
56 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.globalethernet.managed.yaml: -------------------------------------------------------------------------------- 1 | title: '802.1X: Global Ethernet' 2 | description: '' 3 | payload: 4 | payloadtype: com.apple.globalethernet.managed 5 | supportedOS: 6 | iOS: 7 | introduced: '17.0' 8 | multiple: false 9 | supervised: false 10 | allowmanualinstall: true 11 | sharedipad: 12 | mode: allowed 13 | devicechannel: true 14 | userchannel: true 15 | userenrollment: 16 | mode: allowed 17 | macOS: 18 | introduced: '10.13' 19 | multiple: false 20 | devicechannel: true 21 | userchannel: true 22 | supervised: false 23 | requiresdep: false 24 | userapprovedmdm: false 25 | allowmanualinstall: true 26 | userenrollment: 27 | mode: allowed 28 | tvOS: 29 | introduced: '17.0' 30 | multiple: false 31 | supervised: false 32 | allowmanualinstall: true 33 | visionOS: 34 | introduced: n/a 35 | watchOS: 36 | introduced: n/a 37 | payloadkeys: 38 | - key: ANY 39 | type: 40 | presence: optional 41 | content: Keys relevant to 802.1X configuration. User enrollment payloads don't support 42 | the various proxy keys, including 'ProxyType', 'ProxyServer', 'ProxyServerPort', 43 | 'ProxyUsername', 'ProxyPassword', 'ProxyPACURL' and 'ProxyPACFallbackAllowed'. 
44 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.ironwood.support.yaml: -------------------------------------------------------------------------------- 1 | title: 'Parental Control: Dictation and Profanity' 2 | description: Parental controls for restricting Siri, Dictation and Profanity 3 | payload: 4 | payloadtype: com.apple.ironwood.support 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '10.9' 10 | deprecated: '10.13' 11 | multiple: false 12 | devicechannel: true 13 | userchannel: true 14 | supervised: false 15 | requiresdep: false 16 | userapprovedmdm: false 17 | allowmanualinstall: true 18 | userenrollment: 19 | mode: forbidden 20 | tvOS: 21 | introduced: n/a 22 | visionOS: 23 | introduced: n/a 24 | watchOS: 25 | introduced: n/a 26 | payloadkeys: 27 | - key: Profanity Allowed 28 | type: 29 | presence: optional 30 | default: true 31 | content: If 'false', suppresses profanity. Use 'forceAssistantProfanityFilter' in 32 | Restrictions instead. 33 | - key: Ironwood Allowed 34 | type: 35 | presence: optional 36 | default: true 37 | content: If 'false', disables dictation. Use 'allowDictation' in Restrictions instead. 38 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.jabber.account.yaml: -------------------------------------------------------------------------------- 1 | title: Jabber Account 2 | description: Use this section to define settings for configuration access to Jabber 3 | servers. 
4 | payload: 5 | payloadtype: com.apple.jabber.account 6 | supportedOS: 7 | iOS: 8 | introduced: n/a 9 | macOS: 10 | introduced: '10.7' 11 | deprecated: '10.14' 12 | removed: '10.14' 13 | multiple: true 14 | devicechannel: false 15 | userchannel: true 16 | supervised: false 17 | requiresdep: false 18 | userapprovedmdm: false 19 | allowmanualinstall: true 20 | userenrollment: 21 | mode: forbidden 22 | tvOS: 23 | introduced: n/a 24 | visionOS: 25 | introduced: n/a 26 | watchOS: 27 | introduced: n/a 28 | content: A Jabber payload creates a Jabber account on the device. 29 | payloadkeys: 30 | - key: JabberAccountDescription 31 | title: Account Description 32 | type: 33 | presence: optional 34 | content: The description of the account. 35 | - key: JabberHostName 36 | title: Account Hostname 37 | type: 38 | presence: required 39 | content: The server's address. 40 | - key: JabberUserName 41 | title: Account Username 42 | type: 43 | presence: optional 44 | content: The user's user name. 45 | - key: JabberPassword 46 | title: Account Password 47 | type: 48 | presence: optional 49 | content: The user's password. 50 | - key: JabberUseSSL 51 | title: Use SSL 52 | type: 53 | presence: optional 54 | default: false 55 | content: If 'true', enables SSL. 56 | - key: JabberPort 57 | title: Port Number 58 | type: 59 | presence: optional 60 | range: 61 | min: 0 62 | max: 65535 63 | default: 5222 64 | content: The server's port. 65 | - key: JabberAuthentication 66 | title: Jabber Authentication 67 | type: 68 | presence: required 69 | rangelist: 70 | - JabberAuthPassword 71 | content: The authentication method for the account. 
72 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.loginitems.managed.yaml: -------------------------------------------------------------------------------- 1 | title: 'Login Items: Managed Items' 2 | description: '' 3 | payload: 4 | payloadtype: com.apple.loginitems.managed 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '10.13' 10 | multiple: true 11 | devicechannel: true 12 | userchannel: true 13 | supervised: false 14 | requiresdep: false 15 | userapprovedmdm: false 16 | allowmanualinstall: true 17 | userenrollment: 18 | mode: allowed 19 | tvOS: 20 | introduced: n/a 21 | visionOS: 22 | introduced: n/a 23 | watchOS: 24 | introduced: n/a 25 | content: This payload handles login items usage on macOS. 26 | payloadkeys: 27 | - key: AutoLaunchedApplicationDictionary-managed 28 | type: 29 | presence: required 30 | content: An array of login item dictionaries. 31 | subkeys: 32 | - key: LoginItem 33 | type: 34 | presence: required 35 | content: A login item. 36 | subkeys: 37 | - key: Path 38 | type: 39 | presence: required 40 | content: The URL or path string to the item's location. 41 | - key: Hide 42 | type: 43 | presence: optional 44 | default: false 45 | content: If 'true', the system hides this item in the Users & Groups login items 46 | list. 
47 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.mcxloginscripts.yaml: -------------------------------------------------------------------------------- 1 | title: 'Login Window: Scripts' 2 | description: '' 3 | payload: 4 | payloadtype: com.apple.mcxloginscripts 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '10.7' 10 | multiple: false 11 | devicechannel: true 12 | userchannel: false 13 | requiresdep: false 14 | userapprovedmdm: false 15 | allowmanualinstall: true 16 | userenrollment: 17 | mode: forbidden 18 | tvOS: 19 | introduced: n/a 20 | visionOS: 21 | introduced: n/a 22 | watchOS: 23 | introduced: n/a 24 | content: Login and logout managed script handling 25 | payloadkeys: 26 | - key: loginscripts 27 | type: 28 | presence: optional 29 | content: An array of one or more dictionaries of scripts to run at user login time. 30 | subkeytype: ScriptsItems 31 | subkeys: &id001 32 | - key: ScriptsItems 33 | type: 34 | subkeys: 35 | - key: filename 36 | type: 37 | presence: required 38 | content: The filename for display purposes. 39 | - key: filedata 40 | type: 41 | presence: required 42 | content: The UTF-8 encoded data object representing the executable script. 43 | - key: logoutscripts 44 | type: 45 | presence: optional 46 | content: An array of one or more dictionaries of scripts to run at user logout time. 47 | subkeytype: ScriptsItems 48 | subkeys: *id001 49 | - key: skipLoginHook 50 | type: 51 | presence: optional 52 | default: false 53 | content: If 'true', the system doesn't execute the login scripts during login. 54 | - key: skipLogoutHook 55 | type: 56 | presence: optional 57 | default: false 58 | content: If 'true', the system doesn't execute the logout scripts during logout. 
59 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.osxserver.account.yaml: -------------------------------------------------------------------------------- 1 | title: macOS Server Account 2 | description: Use this section to define a macOS Server account 3 | payload: 4 | payloadtype: com.apple.osxserver.account 5 | supportedOS: 6 | iOS: 7 | introduced: '9.0' 8 | deprecated: '12.0' 9 | removed: '12.0' 10 | multiple: true 11 | supervised: false 12 | allowmanualinstall: true 13 | sharedipad: 14 | mode: forbidden 15 | userenrollment: 16 | mode: forbidden 17 | macOS: 18 | introduced: n/a 19 | tvOS: 20 | introduced: n/a 21 | visionOS: 22 | introduced: n/a 23 | watchOS: 24 | introduced: n/a 25 | payloadkeys: 26 | - key: HostName 27 | title: Account Hostname 28 | type: 29 | presence: required 30 | content: The server's address. 31 | - key: UserName 32 | title: Account Username 33 | type: 34 | presence: required 35 | content: The user's user name. 36 | - key: Password 37 | title: Account Password 38 | type: 39 | presence: optional 40 | content: The user's password. 41 | - key: AccountDescription 42 | title: Account Description 43 | type: 44 | presence: optional 45 | content: The description of the account. 46 | - key: ConfiguredAccounts 47 | title: Configured Accounts 48 | type: 49 | presence: required 50 | content: Array of dictionaries containing configured account types and relevant 51 | settings 52 | subkeys: 53 | - key: ConfiguredAccountsItem 54 | title: Configured Account 55 | type: 56 | subkeys: 57 | - key: Type 58 | title: Account Type 59 | type: 60 | presence: required 61 | rangelist: 62 | - com.apple.osxserver.documents 63 | content: com.apple.osxserver.documents (the Documents account type). 64 | - key: Port 65 | title: Port Number 66 | type: 67 | presence: optional 68 | content: Designates the port number to use when contacting the server. If no 69 | port number is specified, the default port is used. 
70 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.preference.security.yaml: -------------------------------------------------------------------------------- 1 | title: Security Preferences 2 | payload: 3 | payloadtype: com.apple.preference.security 4 | supportedOS: 5 | iOS: 6 | introduced: n/a 7 | macOS: 8 | introduced: '10.10' 9 | multiple: false 10 | devicechannel: true 11 | userchannel: true 12 | supervised: false 13 | requiresdep: false 14 | userapprovedmdm: false 15 | allowmanualinstall: true 16 | userenrollment: 17 | mode: forbidden 18 | tvOS: 19 | introduced: n/a 20 | visionOS: 21 | introduced: n/a 22 | watchOS: 23 | introduced: n/a 24 | payloadkeys: 25 | - key: dontAllowPasswordResetUI 26 | type: 27 | presence: optional 28 | default: false 29 | content: If 'true', disables user changes to the password. 30 | - key: dontAllowLockMessageUI 31 | type: 32 | presence: optional 33 | default: false 34 | content: If 'true', disables user changes to the lock message. 35 | - key: dontAllowFireWallUI 36 | type: 37 | presence: optional 38 | default: false 39 | content: If 'true', disables user changes to the firewall settings. 
40 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.preferences.users.yaml: -------------------------------------------------------------------------------- 1 | title: User Preferences 2 | payload: 3 | payloadtype: com.apple.preference.users 4 | supportedOS: 5 | iOS: 6 | introduced: n/a 7 | macOS: 8 | introduced: '10.12' 9 | multiple: false 10 | devicechannel: true 11 | userchannel: true 12 | supervised: false 13 | requiresdep: false 14 | userapprovedmdm: false 15 | allowmanualinstall: true 16 | userenrollment: 17 | mode: allowed 18 | tvOS: 19 | introduced: n/a 20 | visionOS: 21 | introduced: n/a 22 | watchOS: 23 | introduced: n/a 24 | payloadkeys: 25 | - key: DisableUsingiCloudPassword 26 | type: 27 | presence: optional 28 | default: false 29 | content: If 'true', disables the iCloud password for local accounts. 30 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.profileRemovalPassword.yaml: -------------------------------------------------------------------------------- 1 | title: Profile Removal Password 2 | description: Use this section to define settings for profile removal 3 | payload: 4 | payloadtype: com.apple.profileRemovalPassword 5 | supportedOS: 6 | iOS: 7 | introduced: '4.0' 8 | multiple: false 9 | supervised: true 10 | allowmanualinstall: true 11 | sharedipad: 12 | mode: forbidden 13 | userenrollment: 14 | mode: forbidden 15 | macOS: 16 | introduced: '10.7' 17 | multiple: false 18 | devicechannel: true 19 | userchannel: true 20 | supervised: false 21 | requiresdep: false 22 | userapprovedmdm: false 23 | allowmanualinstall: true 24 | userenrollment: 25 | mode: forbidden 26 | tvOS: 27 | introduced: '9.0' 28 | multiple: false 29 | supervised: true 30 | allowmanualinstall: true 31 | visionOS: 32 | introduced: n/a 33 | watchOS: 34 | introduced: n/a 35 | payloadkeys: 36 | - key: RemovalPassword 37 | title: Removal Password 38 | type: 39 | 
presence: optional 40 | content: The password to allow removing the profile. 41 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.screensaver.user.yaml: -------------------------------------------------------------------------------- 1 | title: Screensaver User 2 | description: '' 3 | payload: 4 | payloadtype: com.apple.screensaver.user 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '10.11' 10 | multiple: false 11 | devicechannel: false 12 | userchannel: true 13 | supervised: false 14 | requiresdep: false 15 | userapprovedmdm: false 16 | allowmanualinstall: true 17 | userenrollment: 18 | mode: forbidden 19 | tvOS: 20 | introduced: n/a 21 | visionOS: 22 | introduced: n/a 23 | watchOS: 24 | introduced: n/a 25 | content: Specifies *user* screensaver settings. (Settings for loginwindow screensaver 26 | use a different payload) 27 | payloadkeys: 28 | - key: moduleName 29 | type: 30 | presence: required 31 | content: The name of the screen saver module. 32 | - key: modulePath 33 | type: 34 | presence: optional 35 | content: A full path to the screen-saver module to use. 36 | - key: idleTime 37 | type: 38 | presence: optional 39 | content: The number of seconds of inactivity before the screen saver activates ('0' 40 | = Never activate). 
41 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.screensaver.yaml: -------------------------------------------------------------------------------- 1 | title: Screensaver 2 | description: '' 3 | payload: 4 | payloadtype: com.apple.screensaver 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '10.11' 10 | multiple: false 11 | devicechannel: true 12 | userchannel: false 13 | requiresdep: false 14 | userapprovedmdm: false 15 | allowmanualinstall: true 16 | userenrollment: 17 | mode: forbidden 18 | tvOS: 19 | introduced: n/a 20 | visionOS: 21 | introduced: n/a 22 | watchOS: 23 | introduced: n/a 24 | content: Specifies grace period for screensaver locking 25 | payloadkeys: 26 | - key: askForPassword 27 | supportedOS: 28 | macOS: 29 | introduced: '10.13' 30 | type: 31 | presence: optional 32 | default: false 33 | content: If 'true', the user is prompted for a password when the screen saver is 34 | unlocked or stopped. When you use this prompt, you must also provide 'askForPasswordDelay'. 35 | Available in macOS 10.13 and later. 36 | - key: askForPasswordDelay 37 | supportedOS: 38 | macOS: 39 | introduced: '10.13' 40 | type: 41 | presence: optional 42 | content: The number of seconds to delay before the password will be required to 43 | unlock or stop the screen saver (the grace period). A value of '2147483647' (for 44 | example, '0x7FFFFFFF') disables this requirement. To use this option, you must 45 | set 'askForPassword' to 'true'. Available in macOS 10.13 and later. 46 | - key: loginWindowIdleTime 47 | type: 48 | presence: optional 49 | content: The number of seconds of inactivity before the screen saver activates (0 50 | = Never activate). 51 | - key: loginWindowModulePath 52 | type: 53 | presence: optional 54 | content: The full path to the screen-saver module to use. 55 | - key: moduleName 56 | type: 57 | presence: required 58 | content: The name of the screen saver module. 
59 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.secondactiveethernet.managed.yaml: -------------------------------------------------------------------------------- 1 | title: '802.1X: Second Active Ethernet' 2 | description: '' 3 | payload: 4 | payloadtype: com.apple.secondactiveethernet.managed 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '10.7' 10 | multiple: false 11 | devicechannel: true 12 | userchannel: true 13 | supervised: false 14 | requiresdep: false 15 | userapprovedmdm: false 16 | allowmanualinstall: true 17 | userenrollment: 18 | mode: allowed 19 | tvOS: 20 | introduced: n/a 21 | visionOS: 22 | introduced: n/a 23 | watchOS: 24 | introduced: n/a 25 | payloadkeys: 26 | - key: ANY 27 | type: 28 | presence: optional 29 | content: Keys relevant to 802.1x configuration. User enrollment payloads do not 30 | support the various proxy keys including ProxyType, ProxyServer, ProxyServerPort, 31 | ProxyUsername, ProxyPassword,, ProxyPACURL and ProxyPACFallbackAllowed. 32 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.secondethernet.managed.yaml: -------------------------------------------------------------------------------- 1 | title: '802.1X: Second Ethernet' 2 | description: '' 3 | payload: 4 | payloadtype: com.apple.secondethernet.managed 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '10.7' 10 | multiple: false 11 | devicechannel: true 12 | userchannel: true 13 | supervised: false 14 | requiresdep: false 15 | userapprovedmdm: false 16 | allowmanualinstall: true 17 | userenrollment: 18 | mode: allowed 19 | tvOS: 20 | introduced: n/a 21 | visionOS: 22 | introduced: n/a 23 | watchOS: 24 | introduced: n/a 25 | payloadkeys: 26 | - key: ANY 27 | type: 28 | presence: optional 29 | content: Keys relevant to 802.1x configuration. 
User enrollment payloads do not 30 | support the various proxy keys including ProxyType, ProxyServer, ProxyServerPort, 31 | ProxyUsername, ProxyPassword, ProxyPACURL and ProxyPACFallbackAllowed. 32 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.security.FDERecoveryRedirect.yaml: -------------------------------------------------------------------------------- 1 | title: FDE Recovery Key Redirection 2 | description: '' 3 | payload: 4 | payloadtype: com.apple.security.FDERecoveryRedirect 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '10.9' 10 | deprecated: '10.13' 11 | multiple: false 12 | devicechannel: true 13 | userchannel: false 14 | requiresdep: false 15 | userapprovedmdm: false 16 | allowmanualinstall: true 17 | userenrollment: 18 | mode: forbidden 19 | tvOS: 20 | introduced: n/a 21 | visionOS: 22 | introduced: n/a 23 | watchOS: 24 | introduced: n/a 25 | content: |- 26 | *** This payload will be ignored on macOS 10.13 and later. See "com.apple.security.FDERecoveryKeyEscrow" payload. *** 27 | Old notes: 28 | Once installed, this payload will cause any FDE (Full Disk Encryption) recovery keys to be redirected to the specified URL instead of being sent to Apple. This will require sites to implement their own HTTPS server that will receive the recovery keys via a POST request. Details of the data sent to the server will be provided in a different document. 29 | Notes: 30 | * The payload must exist in a "system" scoped profile. 31 | * It will be an error to install more than one payload of this type per machine. 32 | payloadkeys: 33 | - key: RedirectURL 34 | type: 35 | presence: required 36 | content: The URL to which FDE recovery keys should be sent instead of to Apple. 37 | The URL must begin with https://, so recovery keys are only ever posted over TLS. 
38 | - key: EncryptCertPayloadUUID 39 | type: 40 | presence: required 41 | content: The UUID of a payload within the same profile that contains a certificate 42 | used to encrypt the recovery key when it's sent to the redirected URL. The referenced 43 | payload must be of type `com.apple.security.pkcs1`. 44 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.security.certificatepreference.yaml: -------------------------------------------------------------------------------- 1 | title: Certificate Preference 2 | description: '' 3 | payload: 4 | payloadtype: com.apple.security.certificatepreference 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '10.12' 10 | multiple: true 11 | devicechannel: false 12 | userchannel: true 13 | supervised: false 14 | requiresdep: false 15 | userapprovedmdm: false 16 | allowmanualinstall: true 17 | userenrollment: 18 | mode: allowed 19 | tvOS: 20 | introduced: n/a 21 | visionOS: 22 | introduced: n/a 23 | watchOS: 24 | introduced: n/a 25 | content: Defines a Certificate Preference item in the user's keychain that references 26 | a certificate payload included in the same profile. Can only appear in a user 27 | profile (not a device profile). See also "com.apple.security.identitypreference" 28 | for setting up identity preferences. 29 | payloadkeys: 30 | - key: Name 31 | type: 32 | presence: required 33 | content: An email address (in RFC 822 format) or other name for which a preferred 34 | certificate is requested. 35 | - key: PayloadCertificateUUID 36 | type: 37 | presence: required 38 | content: The UUID of the certificate payload within the same profile to use for 39 | the identity credential. 
40 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.security.certificaterevocation.yaml: -------------------------------------------------------------------------------- 1 | title: Certificate Revocation 2 | description: Use this section to define settings for certificate revocation. 3 | payload: 4 | payloadtype: com.apple.security.certificaterevocation 5 | supportedOS: 6 | iOS: 7 | introduced: '14.2' 8 | multiple: true 9 | supervised: false 10 | allowmanualinstall: true 11 | sharedipad: 12 | mode: allowed 13 | devicechannel: true 14 | userchannel: false 15 | userenrollment: 16 | mode: allowed 17 | macOS: 18 | introduced: n/a 19 | tvOS: 20 | introduced: n/a 21 | visionOS: 22 | introduced: '1.1' 23 | multiple: true 24 | supervised: false 25 | allowmanualinstall: true 26 | userenrollment: 27 | mode: allowed 28 | watchOS: 29 | introduced: n/a 30 | content: Policies that affect system-wide certificate revocation checking. 31 | payloadkeys: 32 | - key: EnabledForCerts 33 | title: Enabled Certs 34 | type: 35 | presence: optional 36 | content: |- 37 | An array of certificates that the system checks for revocation. 38 | Specifying a certificate authority (CA) enables revocation checking for all certificates chaining up to that CA. 39 | It's not necessary to specify trusted root certificates because they're implicitly specified. See Apple's published list of trusted root certificates for its operating systems. 40 | subkeys: 41 | - key: SubjectPublicKeyInfoHashDict 42 | type: 43 | subkeys: 44 | - key: Algorithm 45 | type: 46 | presence: required 47 | rangelist: 48 | - sha256 49 | content: The algorithm must be 'sha256'. 50 | - key: Hash 51 | type: 52 | presence: required 53 | content: |- 54 | The hash of the DER-encoding of the certificate's 'subjectPublicKeyInfo'. 55 | The hash must be supplied in a specific format: the Base64 encoding of the raw (binary) SHA-256 digest of the DER-encoded 'subjectPublicKeyInfo', not a hex-encoded string. 
56 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.security.identitypreference.yaml: -------------------------------------------------------------------------------- 1 | title: Identity Preference 2 | description: '' 3 | payload: 4 | payloadtype: com.apple.security.identitypreference 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '10.12' 10 | multiple: true 11 | devicechannel: false 12 | userchannel: true 13 | supervised: false 14 | requiresdep: false 15 | userapprovedmdm: false 16 | allowmanualinstall: true 17 | userenrollment: 18 | mode: allowed 19 | tvOS: 20 | introduced: n/a 21 | visionOS: 22 | introduced: n/a 23 | watchOS: 24 | introduced: n/a 25 | content: Defines an Identity Preference item in the user's keychain that references 26 | an identity payload included in the same profile. Can only appear in a user profile 27 | (not a device profile). See also "com.apple.security.certificatepreference" for 28 | setting up certificate preferences. 29 | payloadkeys: 30 | - key: Name 31 | type: 32 | presence: required 33 | content: The email address (in RFC 822 format), DNS host name, or other name that 34 | uniquely identifies a service requiring this identity. 35 | - key: PayloadCertificateUUID 36 | type: 37 | presence: required 38 | content: The UUID of the certificate payload within the same profile to use for 39 | the identity credential. 40 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.security.pem.yaml: -------------------------------------------------------------------------------- 1 | title: Certificate (PEM) 2 | description: Use this section to define settings for a PEM certificate. 
3 | payload: 4 | payloadtype: com.apple.security.pem 5 | supportedOS: 6 | iOS: 7 | introduced: '4.0' 8 | multiple: true 9 | supervised: false 10 | allowmanualinstall: true 11 | sharedipad: 12 | mode: allowed 13 | devicechannel: true 14 | userchannel: false 15 | userenrollment: 16 | mode: allowed 17 | macOS: 18 | introduced: '10.7' 19 | multiple: true 20 | devicechannel: true 21 | userchannel: true 22 | supervised: false 23 | requiresdep: false 24 | userapprovedmdm: false 25 | allowmanualinstall: true 26 | userenrollment: 27 | mode: allowed 28 | tvOS: 29 | introduced: '9.0' 30 | multiple: true 31 | supervised: false 32 | allowmanualinstall: true 33 | visionOS: 34 | introduced: '1.0' 35 | multiple: true 36 | supervised: false 37 | allowmanualinstall: true 38 | userenrollment: 39 | mode: allowed 40 | watchOS: 41 | introduced: '3.0' 42 | multiple: true 43 | allowmanualinstall: true 44 | content: PEM-encoded certificate without private key. May contain root certificates. 45 | payloadkeys: 46 | - key: PayloadCertificateFileName 47 | title: Payload Certificate Filename 48 | type: 49 | presence: optional 50 | content: The file name of the enclosed certificate. 51 | - key: PayloadContent 52 | title: Payload Certificate Data 53 | type: 54 | presence: required 55 | content: The binary representation of the payload, encoded in Base64. 56 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.security.pkcs1.yaml: -------------------------------------------------------------------------------- 1 | title: 'Certificate (PKCS #1)' 2 | description: Use this section to define settings for a pkcs1 certificate. 
3 | payload: 4 | payloadtype: com.apple.security.pkcs1 5 | supportedOS: 6 | iOS: 7 | introduced: '4.0' 8 | multiple: true 9 | supervised: false 10 | allowmanualinstall: true 11 | sharedipad: 12 | mode: allowed 13 | devicechannel: true 14 | userchannel: false 15 | userenrollment: 16 | mode: allowed 17 | macOS: 18 | introduced: '10.7' 19 | multiple: true 20 | devicechannel: true 21 | userchannel: true 22 | supervised: false 23 | requiresdep: false 24 | userapprovedmdm: false 25 | allowmanualinstall: true 26 | userenrollment: 27 | mode: allowed 28 | tvOS: 29 | introduced: '9.0' 30 | multiple: true 31 | supervised: false 32 | allowmanualinstall: true 33 | visionOS: 34 | introduced: '1.0' 35 | multiple: true 36 | supervised: false 37 | allowmanualinstall: true 38 | userenrollment: 39 | mode: allowed 40 | watchOS: 41 | introduced: '3.0' 42 | multiple: true 43 | allowmanualinstall: true 44 | content: DER-encoded certificate without private key. May contain root certificates. 45 | payloadkeys: 46 | - key: PayloadCertificateFileName 47 | title: Payload Certificate Filename 48 | type: 49 | presence: optional 50 | content: The file name of the enclosed certificate. 51 | - key: PayloadContent 52 | title: Payload Certificate Data 53 | type: 54 | presence: required 55 | content: The binary representation of the payload, encoded in Base64. 56 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.security.root.yaml: -------------------------------------------------------------------------------- 1 | title: Certificate (Root) 2 | description: Use this section to define settings for a root certificate. 
3 | payload: 4 | payloadtype: com.apple.security.root 5 | supportedOS: 6 | iOS: 7 | introduced: '4.0' 8 | multiple: true 9 | supervised: false 10 | allowmanualinstall: true 11 | sharedipad: 12 | mode: allowed 13 | devicechannel: true 14 | userchannel: false 15 | userenrollment: 16 | mode: allowed 17 | macOS: 18 | introduced: '10.7' 19 | multiple: true 20 | devicechannel: true 21 | userchannel: true 22 | supervised: false 23 | requiresdep: false 24 | userapprovedmdm: false 25 | allowmanualinstall: true 26 | userenrollment: 27 | mode: allowed 28 | tvOS: 29 | introduced: '9.0' 30 | multiple: true 31 | supervised: false 32 | allowmanualinstall: true 33 | visionOS: 34 | introduced: '1.0' 35 | multiple: true 36 | supervised: false 37 | allowmanualinstall: true 38 | userenrollment: 39 | mode: allowed 40 | watchOS: 41 | introduced: '3.0' 42 | multiple: true 43 | allowmanualinstall: true 44 | content: Alias for com.apple.security.pkcs1. 45 | payloadkeys: 46 | - key: PayloadCertificateFileName 47 | title: Payload Certificate Filename 48 | type: 49 | presence: optional 50 | content: The file name of the enclosed certificate. 51 | - key: PayloadContent 52 | title: Payload Certificate Data 53 | type: 54 | presence: required 55 | content: The binary representation of the payload encoded in base64. 56 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.security.wapi-identity.yaml: -------------------------------------------------------------------------------- 1 | title: WAPI Identity Certificate 2 | description: '' 3 | payload: 4 | payloadtype: com.apple.security.wapi-identity 5 | payloadkeys: 6 | - key: PEMData 7 | type: 8 | presence: required 9 | content: Certificate data in PEM format. 
10 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.shareddeviceconfiguration.yaml: -------------------------------------------------------------------------------- 1 | title: Lock Screen Message 2 | description: Use this section to define text displayed by shared devices in the login 3 | window and lock screen. 4 | payload: 5 | payloadtype: com.apple.shareddeviceconfiguration 6 | supportedOS: 7 | iOS: 8 | introduced: '9.3' 9 | multiple: false 10 | supervised: true 11 | allowmanualinstall: true 12 | sharedipad: 13 | mode: allowed 14 | devicechannel: true 15 | userchannel: false 16 | userenrollment: 17 | mode: forbidden 18 | macOS: 19 | introduced: n/a 20 | tvOS: 21 | introduced: n/a 22 | visionOS: 23 | introduced: n/a 24 | watchOS: 25 | introduced: n/a 26 | content: Allows admins to specify optional text displayed on the login window and 27 | lock screen (i.e. a footnote and Asset Tag Information). 28 | payloadkeys: 29 | - key: AssetTagInformation 30 | title: Asset Tag 31 | type: 32 | presence: optional 33 | content: The asset tag information for the device, displayed in the login window 34 | and Lock screen. 35 | - key: IfLostReturnToMessage 36 | title: If Lost message 37 | supportedOS: 38 | iOS: 39 | introduced: '9.3' 40 | deprecated: 9.3.1 41 | type: 42 | presence: optional 43 | content: Deprecated. Use 'LockScreenFootnote' instead. 44 | - key: LockScreenFootnote 45 | supportedOS: 46 | iOS: 47 | introduced: 9.3.1 48 | type: 49 | presence: optional 50 | content: The footnote displayed in the login window and Lock screen. 51 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.subscribedcalendar.account.yaml: -------------------------------------------------------------------------------- 1 | title: Subscribed Calendars 2 | description: Use this section to define settings for subscribed calendar account. 
3 | payload: 4 | payloadtype: com.apple.subscribedcalendar.account 5 | supportedOS: 6 | iOS: 7 | introduced: '4.0' 8 | multiple: true 9 | supervised: false 10 | allowmanualinstall: true 11 | sharedipad: 12 | mode: allowed 13 | devicechannel: false 14 | userchannel: true 15 | userenrollment: 16 | mode: allowed 17 | macOS: 18 | introduced: n/a 19 | tvOS: 20 | introduced: n/a 21 | visionOS: 22 | introduced: '1.1' 23 | multiple: true 24 | supervised: false 25 | allowmanualinstall: true 26 | userenrollment: 27 | mode: allowed 28 | watchOS: 29 | introduced: n/a 30 | payloadkeys: 31 | - key: SubCalAccountDescription 32 | title: Description 33 | type: 34 | presence: optional 35 | content: The description of the account. 36 | - key: SubCalAccountHostName 37 | title: URL 38 | type: 39 | presence: required 40 | content: The server's address. 41 | - key: SubCalAccountUsername 42 | title: Username 43 | type: 44 | presence: optional 45 | content: The user's user name. 46 | - key: SubCalAccountPassword 47 | title: Password 48 | type: 49 | presence: optional 50 | content: The user's password. If supplied, it is embedded in the profile, so deliver the profile only over a protected channel. 51 | - key: SubCalAccountUseSSL 52 | title: Use SSL 53 | type: 54 | presence: optional 55 | default: false 56 | content: If 'true', the system enables SSL. This defaults to 'false'; set it to 'true' whenever a username and password are configured, otherwise the credentials are sent to the server in clear text. 57 | - key: VPNUUID 58 | title: VPNUUID 59 | supportedOS: 60 | iOS: 61 | introduced: '14.0' 62 | type: 63 | presence: optional 64 | content: The VPNUUID of the per-app VPN the account uses for network communication. 65 | Available in iOS 14 and later. 
66 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.system.logging.yaml: -------------------------------------------------------------------------------- 1 | title: System Logging 2 | description: '' 3 | payload: 4 | payloadtype: com.apple.system.logging 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '10.12' 10 | multiple: true 11 | devicechannel: true 12 | userchannel: true 13 | supervised: false 14 | requiresdep: false 15 | userapprovedmdm: false 16 | allowmanualinstall: true 17 | userenrollment: 18 | mode: forbidden 19 | tvOS: 20 | introduced: n/a 21 | visionOS: 22 | introduced: n/a 23 | watchOS: 24 | introduced: n/a 25 | payloadkeys: 26 | - key: Processes 27 | supportedOS: 28 | macOS: 29 | introduced: n/a 30 | type: 31 | presence: optional 32 | content: Not to be used. 33 | subkeytype: Item 34 | subkeys: &id001 35 | - key: ANY 36 | type: 37 | presence: optional 38 | content: TBD 39 | - key: Subsystems 40 | supportedOS: 41 | macOS: 42 | introduced: n/a 43 | type: 44 | presence: optional 45 | content: A dictionary setting the logging level for subsystems. See 'Customizing 46 | Logging Behavior While Debugging' for more details about the format of the dictionary. 47 | subkeytype: Item 48 | subkeys: *id001 49 | - key: System 50 | supportedOS: 51 | macOS: 52 | introduced: n/a 53 | type: 54 | presence: optional 55 | content: This dictionary has one key, 'Enable-Private-Data'. Setting that value 56 | to 'true' enables private data logging for the entire system, so values the unified log would otherwise redact are written in clear; enable it only while debugging and remove the payload afterwards. 
57 | subkeytype: Item 58 | subkeys: *id001 59 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.systemmigration.yaml: -------------------------------------------------------------------------------- 1 | title: System Migration 2 | description: '' 3 | payload: 4 | payloadtype: com.apple.systemmigration 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: 10.12.4 10 | multiple: false 11 | devicechannel: true 12 | userchannel: false 13 | requiresdep: false 14 | userapprovedmdm: false 15 | allowmanualinstall: true 16 | userenrollment: 17 | mode: forbidden 18 | tvOS: 19 | introduced: n/a 20 | visionOS: 21 | introduced: n/a 22 | watchOS: 23 | introduced: n/a 24 | content: Provides a way of customizing items migrated during System Migration. 25 | payloadkeys: 26 | - key: CustomBehavior 27 | type: 28 | presence: optional 29 | content: The list of custom behavior dictionaries. 30 | subkeys: 31 | - key: CustomBehaviorItem 32 | type: 33 | subkeys: 34 | - key: Context 35 | type: 36 | presence: required 37 | content: The context that custom paths apply to. 38 | - key: Paths 39 | type: 40 | presence: required 41 | content: The list of custom behavior path dictionaries. 42 | subkeys: 43 | - key: PathsItem 44 | type: 45 | subkeys: 46 | - key: SourcePath 47 | type: 48 | presence: required 49 | content: The path to the migrating file or directory on the source system. 50 | - key: SourcePathInUserHome 51 | type: 52 | presence: required 53 | content: If 'true', the source path is located within a user home directory. 54 | - key: TargetPath 55 | type: 56 | presence: required 57 | content: The path to the destination file or directory on the target system. 58 | - key: TargetPathInUserHome 59 | type: 60 | presence: required 61 | content: If 'true', the target path is located within a user home directory. 
62 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.systempolicy.control.yaml: -------------------------------------------------------------------------------- 1 | title: System Policy Control 2 | description: '' 3 | payload: 4 | payloadtype: com.apple.systempolicy.control 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '10.8' 10 | multiple: true 11 | devicechannel: true 12 | userchannel: false 13 | requiresdep: false 14 | userapprovedmdm: false 15 | allowmanualinstall: true 16 | userenrollment: 17 | mode: forbidden 18 | tvOS: 19 | introduced: n/a 20 | visionOS: 21 | introduced: n/a 22 | watchOS: 23 | introduced: n/a 24 | content: Provides a way of enabling System Policy assessment processing. This corresponds 25 | to the Gatekeeper UI in the Security pref pane. 26 | payloadkeys: 27 | - key: EnableAssessment 28 | type: 29 | presence: optional 30 | content: If 'true', enables Gatekeeper. If 'false', disables Gatekeeper. 31 | - key: AllowIdentifiedDevelopers 32 | type: 33 | presence: optional 34 | content: |- 35 | If 'true', enables Gatekeeper's “Mac App Store and identified developers” option. 36 | If 'false', enables Gatekeeper's “Mac App Store” option. 37 | If the value of 'EnableAssessment' isn't set to 'true', this key has no effect. 38 | - key: EnableXProtectMalwareUpload 39 | supportedOS: 40 | macOS: 41 | introduced: '15.0' 42 | type: 43 | presence: optional 44 | content: If 'false', prevents Gatekeeper from prompting the user to upload blocked 45 | malware to Apple for purposes of improving malware detection. 
46 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.systempolicy.managed.yaml: -------------------------------------------------------------------------------- 1 | title: System Policy Managed 2 | description: '' 3 | payload: 4 | payloadtype: com.apple.systempolicy.managed 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '10.8' 10 | multiple: true 11 | devicechannel: true 12 | userchannel: true 13 | supervised: false 14 | requiresdep: false 15 | userapprovedmdm: false 16 | allowmanualinstall: true 17 | userenrollment: 18 | mode: forbidden 19 | tvOS: 20 | introduced: n/a 21 | visionOS: 22 | introduced: n/a 23 | watchOS: 24 | introduced: n/a 25 | content: Provides a way of disabling the Finder's contextual menu that allows bypass 26 | of System Policy restrictions. 27 | payloadkeys: 28 | - key: DisableOverride 29 | type: 30 | presence: optional 31 | default: false 32 | content: If 'true', disables the Finder's contextual menu item that lets a user override System Policy (Gatekeeper) and open a blocked app. Defaults to 'false', so the override remains available unless this key is set. 33 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.systempolicy.rule.yaml: -------------------------------------------------------------------------------- 1 | title: System Policy Rule 2 | description: '' 3 | payload: 4 | payloadtype: com.apple.systempolicy.rule 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '10.8' 10 | multiple: true 11 | devicechannel: true 12 | userchannel: false 13 | requiresdep: false 14 | userapprovedmdm: false 15 | allowmanualinstall: true 16 | userenrollment: 17 | mode: forbidden 18 | tvOS: 19 | introduced: n/a 20 | visionOS: 21 | introduced: n/a 22 | watchOS: 23 | introduced: n/a 24 | content: This payload allows control over Gatekeeper's system policy rules. The 25 | keys and functionality are tightly related to the spctl command line tool. For 26 | more information, see the manual page for spctl. 
27 | payloadkeys: 28 | - key: Requirement 29 | type: 30 | presence: optional 31 | content: The policy requirement. This key must follow the syntax described in the Code 32 | Signing Requirement Language. Keep the requirement as specific as possible, since a broad requirement applies the rule to every binary that matches it. 33 | - key: Comment 34 | type: 35 | presence: optional 36 | content: This string appears in the System Policy UI. If it's missing, 'PayloadDisplayName' 37 | or 'PayloadDescription' is entered into this field before the rule is added to 38 | the System Policy database. 39 | - key: Priority 40 | type: 41 | presence: optional 42 | content: The rule's priority. 43 | - key: Expiration 44 | type: 45 | presence: optional 46 | content: The date after which the rule expires and is no longer applied. 47 | - key: OperationType 48 | type: 49 | presence: optional 50 | rangelist: 51 | - operation:execute 52 | - operation:install 53 | - operation:lsopen 54 | default: operation:execute 55 | content: The type of operation the rule governs: executing, installing, or opening via Launch Services ('lsopen'). 56 | - key: LeafCertificate 57 | type: 58 | presence: optional 59 | content: The single leaf certificate for the app that is in the allow list. 60 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.thirdactiveethernet.managed.yaml: -------------------------------------------------------------------------------- 1 | title: '802.1X: Third Active Ethernet' 2 | description: '' 3 | payload: 4 | payloadtype: com.apple.thirdactiveethernet.managed 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '10.7' 10 | multiple: false 11 | devicechannel: true 12 | userchannel: true 13 | supervised: false 14 | requiresdep: false 15 | userapprovedmdm: false 16 | allowmanualinstall: true 17 | userenrollment: 18 | mode: allowed 19 | tvOS: 20 | introduced: n/a 21 | visionOS: 22 | introduced: n/a 23 | watchOS: 24 | introduced: n/a 25 | payloadkeys: 26 | - key: ANY 27 | type: 28 | presence: optional 29 | content: Keys relevant to 802.1X configuration. 
User enrollment payloads do not 30 | support the various proxy keys including ProxyType, ProxyServer, ProxyServerPort, 31 | ProxyUsername, ProxyPassword, ProxyPACURL and ProxyPACFallbackAllowed. 32 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.thirdethernet.managed.yaml: -------------------------------------------------------------------------------- 1 | title: '802.1X: Third Ethernet' 2 | description: '' 3 | payload: 4 | payloadtype: com.apple.thirdethernet.managed 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '10.7' 10 | multiple: false 11 | devicechannel: true 12 | userchannel: true 13 | supervised: false 14 | requiresdep: false 15 | userapprovedmdm: false 16 | allowmanualinstall: true 17 | userenrollment: 18 | mode: allowed 19 | tvOS: 20 | introduced: n/a 21 | visionOS: 22 | introduced: n/a 23 | watchOS: 24 | introduced: n/a 25 | payloadkeys: 26 | - key: ANY 27 | type: 28 | presence: optional 29 | content: Keys relevant to 802.1X configuration. User enrollment payloads do not 30 | support the various proxy keys including ProxyType, ProxyServer, ProxyServerPort, 31 | ProxyUsername, ProxyPassword, ProxyPACURL and ProxyPACFallbackAllowed. 
32 | -------------------------------------------------------------------------------- /mdm/profiles/com.apple.tvremote.yaml: -------------------------------------------------------------------------------- 1 | title: TV Remote 2 | description: '' 3 | payload: 4 | payloadtype: com.apple.tvremote 5 | supportedOS: 6 | iOS: 7 | introduced: '11.3' 8 | multiple: false 9 | supervised: true 10 | allowmanualinstall: true 11 | sharedipad: 12 | mode: allowed 13 | devicechannel: true 14 | userchannel: true 15 | userenrollment: 16 | mode: forbidden 17 | macOS: 18 | introduced: n/a 19 | tvOS: 20 | introduced: '11.3' 21 | multiple: false 22 | supervised: true 23 | allowmanualinstall: true 24 | visionOS: 25 | introduced: n/a 26 | watchOS: 27 | introduced: n/a 28 | payloadkeys: 29 | - key: AllowedRemotes 30 | supportedOS: 31 | iOS: 32 | introduced: n/a 33 | type: 34 | presence: optional 35 | content: The array of valid devices that Apple TV can connect to. 36 | subkeys: 37 | - key: AllowedRemotesItem 38 | type: 39 | subkeys: 40 | - key: RemoteDeviceID 41 | type: 42 | presence: required 43 | content: The MAC address of a permitted iOS device that can control this Apple 44 | TV. Use the format 'xx:xx:xx:xx:xx:xx', which isn't case-sensitive. 45 | - key: AllowedTVs 46 | supportedOS: 47 | tvOS: 48 | introduced: n/a 49 | type: 50 | presence: optional 51 | content: The array of valid Apple TV identifiers that the remote can connect to. 52 | subkeys: 53 | - key: AllowedTVsItem 54 | type: 55 | subkeys: 56 | - key: TVDeviceID 57 | type: 58 | presence: required 59 | content: The MAC address of an Apple TV device that the system permits this 60 | iOS device to control. Use the format 'xx:xx:xx:xx:xx:xx', which isn't case-sensitive. 61 | - key: TVDeviceName 62 | supportedOS: 63 | iOS: 64 | introduced: '15.0' 65 | type: 66 | presence: optional 67 | content: The name of an Apple TV device that the system permits this iOS device 68 | to control. 
69 | -------------------------------------------------------------------------------- /mdm/profiles/loginwindow.yaml: -------------------------------------------------------------------------------- 1 | title: 'Login Window: Login Items' 2 | description: '' 3 | payload: 4 | payloadtype: loginwindow 5 | supportedOS: 6 | iOS: 7 | introduced: n/a 8 | macOS: 9 | introduced: '10.7' 10 | multiple: false 11 | devicechannel: true 12 | userchannel: false 13 | requiresdep: false 14 | userapprovedmdm: false 15 | allowmanualinstall: true 16 | userenrollment: 17 | mode: forbidden 18 | tvOS: 19 | introduced: n/a 20 | visionOS: 21 | introduced: n/a 22 | watchOS: 23 | introduced: n/a 24 | content: This payload handles login items management. 25 | payloadkeys: 26 | - key: DisableLoginItemsSuppression 27 | supportedOS: 28 | macOS: 29 | introduced: all 30 | type: 31 | presence: optional 32 | default: false 33 | content: If 'true', the system prevents the user from disabling login item launches 34 | by using the Shift key. 
35 | -------------------------------------------------------------------------------- /other/passwordhash.yaml: -------------------------------------------------------------------------------- 1 | title: passwordHash 2 | description: The passwordHash object used in the AccountConfiguration and SetAutoAdminPassword 3 | commands. 4 | payload: 5 | payloadtype: passwordHash 6 | supportedOS: 7 | iOS: 8 | introduced: n/a 9 | macOS: 10 | introduced: '10.11' 11 | userenrollment: 12 | mode: allowed 13 | tvOS: 14 | introduced: n/a 15 | visionOS: 16 | introduced: n/a 17 | watchOS: 18 | introduced: n/a 19 | payloadkeys: 20 | - key: SALTED-SHA512-PBKDF2 21 | title: SALTED-SHA512-PBKDF2 22 | type: 23 | presence: required 24 | content: A dictionary containing the entropy (derived key), iteration count and salt. Treat it as sensitive data: a salted PBKDF2 hash can still be attacked offline by guessing passwords. 25 | subkeys: 26 | - key: entropy 27 | title: Entropy 28 | type: 29 | presence: required 30 | content: The key derived from the password by PBKDF2 (for example, from CCKeyDerivationPBKDF()) using the 'salt' and 'iterations' values in this dictionary. 31 | - key: iterations 32 | title: Iterations 33 | type: 34 | presence: required 35 | content: The number of iterations; for example, from CCCalibratePBKDF() using 36 | a minimum hash time of 100 milliseconds, or if unknown, a number in the range 37 | of 20,000 to 40,000 iterations. 38 | - key: salt 39 | title: Salt 40 | type: 41 | presence: required 42 | content: The 32-byte randomized salt; for example, from CCRandomCopyBytes(). Use a fresh, cryptographically random salt for every hash. 43 | --------------------------------------------------------------------------------