Configuration Profile Reference
Developer
Contents
Configuration Profile Keys (page 5)
Payload Dictionary Keys Common to All Payloads (page 7)
Payload-Specific Property Keys (page 7)
  Active Directory Certificate Profile Payload (page 8)
  AirPlay Payload (page 9)
  AirPlay Security Payload (page 10)
  AirPrint Payload (page 11)
  App Lock Payload (page 12)
  App Store Payload (page 14)
  Autonomous Single App Mode (page 15)
  CalDAV Payload (page 16)
  Calendar Subscription Payload (page 16)
  CardDAV Payload (page 17)
  Cellular Payload (page 18)
  Certificate Payload (page 19)
  Certificate Preference Payload (page 20)
  Certificate Transparency Payload (page 21)
  Conference Room Display Payload (page 22)
  Content Caching Payload (page 23)
  Desktop Payload (page 27)
  DNS Proxy Payload (page 27)
  Dock Payload (page 27)
  Education Configuration Payload (page 29)
  Email Payload (page 33)
  802.1x Ethernet Payload (page 36)
  Exchange Payload (page 37)
  FileVault 2 (page 41)
  FDE Recovery Key Escrow Payload (page 42)
  FileVault Client Request (page 43)
  FileVault Server Response (page 44)
  Firewall Payload (page 44)
  Font Payload (page 45)
  Global HTTP Proxy Payload (page 45)
  Global Preferences Payload (page 46)
  Google Account Payload (page 46)
  Home Screen Layout Payload (page 48)
  Identification Payload (page 49)
  Identity Preference Payload (page 49)
  Kernel Extension Policy (page 50)
2019-05-03 | Copyright © 2019 Apple Inc. All Rights Reserved.
  LDAP Payload (page 51)
  Login Items Payload (page 52)
  Loginwindow Payload (page 52)
  Media Management (page 54)
  Mobile Accounts Payload (page 56)
  Network Usage Rules Payload (page 56)
  Notifications Payload (page 57)
  NSExtension Management (page 58)
  Parental Controls Payload (page 58)
  Passcode Policy Payload (page 63)
  Privacy Preferences Policy Control Payload (page 64)
  Profile Removal Password Payload (page 66)
  Restrictions Payload (page 67)
  SCEP Payload (page 80)
  Screensaver (page 82)
  Setup Assistant (page 83)
  Shared Device Configuration Payload (page 83)
  ShareKit Payload (page 84)
  Single Sign-On Account Payload (page 85)
  Smart Card Settings Payload (page 86)
  Software Update (page 87)
  System Migration Payload (page 87)
  System Policy Control Payload (page 88)
  System Policy Rule Payload (page 88)
  System Policy Managed Payload (page 90)
  TV Remote Payload (page 90)
  Time Server Payload (page 91)
  VPN Payload (page 92)
  Per-App VPN Payload (page 104)
  App-to-Per-App VPN Mapping (page 105)
  Web Clip Payload (page 105)
  Web Content Filter Payload (page 106)
  Wi-Fi Payload (page 108)
Domains Payload (page 115)
  Unmarked Email Domains (page 115)
  Managed Safari Web Domains (page 115)
Active Directory Payload (page 117)
Encrypted Profiles (page 119)
Signing a Profile (page 119)
Sample Configuration Profile (page 119)
Revision History (page 121)
Note
This document was previously titled iPhone Configuration Profile Reference. It now supports both iOS and
macOS.
A configuration profile is an XML file that allows you to distribute configuration information. If you need to configure a large number of devices or to provide lots of custom email settings, network settings, or certificates to a large number of devices, configuration profiles are an easy way to do it.

A configuration profile contains a number of settings that you can specify, including:

- Restrictions on device features
- Wi-Fi settings
- VPN settings
- Email server settings
- Exchange settings
- LDAP directory service settings
- CalDAV calendar service settings
- Web clips
- Credentials and keys

Note
OS X versions 10.10 and later honor a true value of the PayloadRemovalDisallowed key to prevent manual removal of profiles installed through an MDM server. Such profiles cannot be removed using the Profiles preference pane, nor the profiles command line tool even when run as root. Only the MDM server can remove such profiles. Profiles installed manually, with PayloadRemovalDisallowed set to true, can be removed manually, but only by using administrative authority.

Configuration profiles are written in property list format, with Data values stored in Base64 encoding. The .plist format can be read and written by any XML library.

There are five ways to deploy configuration profiles:

- Using Apple Configurator 2, available in the App Store
- In an email message
- On a web page
- Using over-the-air configuration as described in Over-the-Air Profile Delivery and Configuration
- Over the air using a Mobile Device Management Server
Note
Profile installation fails when the device is locked with a passcode.

Both iOS and macOS support using encryption to protect the contents of profiles. Profiles can also be signed to guarantee data integrity. To learn about encrypted profile delivery, read Over-the-Air Profile Delivery and Configuration.

Devices can be supervised when preparing them for deployment with Apple Configurator 2 (iOS 5 or later) or by using the Device Enrollment Program (iOS 7 or later). For information about Apple Configurator, go to the Mac App Store description at Apple Configurator 2.

For general information about the Device Enrollment Program, visit Apple's Corporate-owned deployments made simple or IT in Education. For details, go to Apple Deployment Programs Help.

When a device is supervised, you can use configuration profiles to control many of its settings. This document describes the available keys in a profile and provides examples of the resulting XML payloads.

Note
Before you get started working with configuration profiles, you should create a skeleton profile. This provides a useful starting point that you can then modify as desired.

Configuration Profile Keys

At the top level, a profile property list contains the following keys:

PayloadContent (Array)
    Optional. Array of payload dictionaries. Not present if IsEncrypted is true.

PayloadDescription (String)
    Optional. A description of the profile, shown on the Detail screen for the profile. This should be descriptive enough to help the user decide whether to install the profile.

PayloadDisplayName (String)
    Optional. A human-readable name for the profile. This value is displayed on the Detail screen. It does not have to be unique.

PayloadExpirationDate (Date)
    Optional. A date on which a profile is considered to have expired and can be updated over the air. This key is only used if the profile is delivered via over-the-air profile delivery.

PayloadIdentifier (String)
    A reverse-DNS style identifier (com.example.myprofile, for example) that identifies the profile. This string is used to determine whether a new profile should replace an existing one or should be added.

PayloadOrganization (String)
    Optional. A human-readable string containing the name of the organization that provided the profile.
PayloadUUID (String)
    A globally unique identifier for the profile. The actual content is unimportant, but it must be globally unique. In macOS, you can use uuidgen to generate reasonable UUIDs.

PayloadRemovalDisallowed (Boolean)
    Optional. Supervised only. If present and set to true, the user cannot delete the profile (unless the profile has a removal password and the user provides it).

PayloadType (String)
    The only supported value is Configuration.

PayloadVersion (Integer)
    The version number of the profile format. This describes the version of the configuration profile as a whole, not of the individual profiles within it. Currently, this value should be 1.

PayloadScope (String)
    Optional. Determines if the profile should be installed for the system or the user. In many cases, it determines the location of the certificate items, such as keychains. Though it is not possible to declare different payload scopes, payloads, like VPN, may automatically install their items in both scopes if needed. Legal values are System and User, with User as the default value.
    Availability: Available in macOS 10.7 and later.

RemovalDate (Date)
    Optional. The date on which the profile will be automatically removed.

DurationUntilRemoval (Float)
    Optional. Number of seconds until the profile is automatically removed. If the RemovalDate key is present, whichever field yields the earliest date will be used.

ConsentText (Dictionary)
    Optional. A dictionary containing these keys and values:
    - For each language in which a consent or license agreement is available, a key consisting of the IETF BCP 47 identifier for that language (for example, en or jp) and a value consisting of the agreement localized to that language. The agreement is displayed in a dialog to which the user must agree before installing the profile.
    - The optional key default with its value consisting of the unlocalized agreement (usually in en).
    The system chooses a localized version in the order of preference specified by the user (macOS) or based on the user's current language setting (iOS). If no exact match is found, the default localization is used. If there is no default localization, the en localization is used. If there is no en localization, then the first available localization is used.
    You should provide a default value if possible. No warning will be displayed if the user's locale does not match any localization in the ConsentText dictionary.
Note
Profile payload dictionary keys that are prefixed with "Payload" are reserved key names and must never be treated as managed preferences. Any other key in the payload dictionary may be considered a managed preference for that preference domain.

Keys in the payload dictionary are described in detail in the next section.

Payload Dictionary Keys Common to All Payloads

The following keys are common to all payloads:

PayloadType (String)
    The payload type. The payload types are described in Payload-Specific Property Keys.

PayloadVersion (Integer)
    The version number of the individual payload. A profile can consist of payloads with different version numbers. For example, changes to the VPN software in iOS might introduce a new payload version to support additional features, but Mail payload versions would not necessarily change in the same release.

PayloadIdentifier (String)
    A reverse-DNS-style identifier for the specific payload. It is usually the same identifier as the root-level PayloadIdentifier value with an additional component appended.

PayloadUUID (String)
    A globally unique identifier for the payload. The actual content is unimportant, but it must be globally unique. In macOS, you can use uuidgen to generate reasonable UUIDs.

PayloadDisplayName (String)
    A human-readable name for the profile payload. This name is displayed on the Detail screen. It does not have to be unique.

PayloadDescription (String)
    Optional. A human-readable description of this payload. This description is shown on the Detail screen.

PayloadOrganization (String)
    Optional. A human-readable string containing the name of the organization that provided the profile. The payload organization for a payload need not match the payload organization in the enclosing profile.
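The following is an added example, not Apple's code and not part of this reference, that puts the top-level profile keys and the common payload keys described above into working form. It builds a skeleton profile with Python's plistlib, checks the required keys and the uniqueness rules from the two key tables, computes the effective removal date when both RemovalDate and DurationUntilRemoval are present (the earliest wins), and resolves a ConsentText dictionary in the fallback order the table gives: the user's preferred languages, then default, then en, then the first localization present. The com.example identifiers, the AirPrint sample payload and CHECK_TIME are constructed for the example.

```python
import plistlib
import uuid
from datetime import datetime, timedelta

TOP_LEVEL_REQUIRED = ("PayloadType", "PayloadVersion", "PayloadIdentifier", "PayloadUUID")
PAYLOAD_REQUIRED = ("PayloadType", "PayloadVersion", "PayloadIdentifier", "PayloadUUID")
CHECK_TIME = datetime(2019, 5, 3)   # constructed "now" for the removal-date check


def make_payload(payload_type, profile_identifier, suffix, version=1, **keys):
    """One payload dictionary carrying the keys common to all payloads. The payload
    identifier is the profile identifier with an extra component appended."""
    payload = {
        "PayloadType": payload_type,
        "PayloadVersion": version,
        "PayloadIdentifier": f"{profile_identifier}.{suffix}",
        "PayloadUUID": str(uuid.uuid4()).upper(),   # same role as uuidgen on macOS
        "PayloadDisplayName": keys.pop("PayloadDisplayName", payload_type),
    }
    payload.update(keys)
    return payload


def make_profile(identifier, payloads, **optional):
    """Top-level profile dictionary: PayloadType is always Configuration, version 1."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadContent": list(payloads),
    }
    profile.update(optional)
    return profile


def validate_profile(profile):
    """Return the problems found against the key tables; [] means none."""
    problems = []
    for key in TOP_LEVEL_REQUIRED:
        if key not in profile:
            problems.append(f"missing top-level key {key}")
    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be Configuration")
    if profile.get("PayloadVersion") != 1:
        problems.append("top-level PayloadVersion should currently be 1")
    if profile.get("PayloadScope", "User") not in ("System", "User"):
        problems.append("PayloadScope must be System or User")
    seen = {profile.get("PayloadUUID")}
    for idx, payload in enumerate(profile.get("PayloadContent", [])):
        for key in PAYLOAD_REQUIRED:
            if key not in payload:
                problems.append(f"payload {idx}: missing {key}")
        if "PayloadUUID" in payload:
            if payload["PayloadUUID"] in seen:
                problems.append(f"payload {idx}: PayloadUUID is not unique within the profile")
            seen.add(payload["PayloadUUID"])
    return problems


def effective_removal_date(profile, now):
    """Earliest of RemovalDate and now + DurationUntilRemoval; None if neither is set."""
    candidates = []
    if "RemovalDate" in profile:
        candidates.append(profile["RemovalDate"])
    if "DurationUntilRemoval" in profile:
        candidates.append(now + timedelta(seconds=profile["DurationUntilRemoval"]))
    return min(candidates) if candidates else None


def resolve_consent_text(consent_text, preferred_languages):
    """Agreement shown before install: first hit in the user's language preference
    order, then the default key, then en, then the first localization present."""
    for lang in preferred_languages:
        if lang in consent_text:
            return consent_text[lang]
    for fallback in ("default", "en"):
        if fallback in consent_text:
            return consent_text[fallback]
    return next(iter(consent_text.values()), None)


def to_xml(profile):
    """Serialize to the XML property list format; Data values become base64."""
    return plistlib.dumps(profile).decode()


def from_xml(text):
    return plistlib.loads(text.encode())


if __name__ == "__main__":
    # Constructed sample: one AirPrint payload under a com.example identifier.
    printer = make_payload("com.apple.airprint", "com.example.profile", "airprint",
                           AirPrint=[{"IPAddress": "192.0.2.10", "ResourcePath": "ipp/print"}])
    profile = make_profile("com.example.profile", [printer],
                           PayloadDisplayName="Example profile",
                           ConsentText={"default": "Terms", "fr": "Conditions"},
                           DurationUntilRemoval=86400.0)
    assert validate_profile(profile) == []
    print(to_xml(profile))
```

The uniqueness check is deliberately scoped to the profile in hand: the tables require globally unique UUIDs, which no local check can prove, but a UUID reused inside one profile is always wrong and is the mistake copy-pasted payload dictionaries most often carry.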
Payload-Specific Property Keys

In addition to the standard payload keys (described in Payload Dictionary Keys Common to All Payloads), each payload type contains keys that are specific to that payload type. The sections that follow describe those payload-specific keys.
Active Directory Certificate Profile Payload

The Active Directory Certificate Profile payload is designated by specifying com.apple.ADCertificate.managed as the PayloadType value.

You can request a certificate from a Microsoft Certificate Authority (CA) using DCE/RPC and the Active Directory Certificate profile payload instructions detailed at https://support.apple.com/kb/HT5357.

This payload includes the following unique keys:

AllowAllAppsAccess (Boolean)
    If true, apps have access to the private key.

CertServer (String)
    Fully qualified hostname of the Active Directory issuing CA.

CertTemplate (String)
    Template Name as it appears in the General tab of the template's object in the Certificate Templates' Microsoft Management Console snap-in component.

CertificateAcquisitionMechanism (String)
    Most commonly RPC. If using 'Web enrollment,' HTTP.

CertificateAuthority (String)
    Name of the CA. This value is determined from the Common Name (CN) of the Active Directory entry: CN=<your CA name>,CN='Certification Authorities',CN='Public Key Services',CN='Services',or CN='Configuration',<your base Domain Name>.

CertificateRenewalTimeInterval (Integer)
    Number of days in advance of certificate expiration that the notification center will notify the user.

Description (String)
    User-friendly description of the certification identity.

KeyIsExtractable (Boolean)
    If true, the private key can be exported.

PromptForCredentials (Boolean)
    This key applies only to user certificates where Manual Download is the chosen method of profile delivery. If true, the user will be prompted for credentials when the profile is installed. Omit this key for computer certificates.

Keysize (Integer)
    Optional; defaults to 2048. The RSA key size for the Certificate Signing Request (CSR).
    Availability: Available in macOS 10.11 and later.

EnableAutoRenewal (Boolean)
    Optional. If set to true, the certificate obtained with this payload will attempt auto-renewal. Only applies to device Active Directory certificate payloads.
    Availability: Available in macOS 10.13.4 and later.
AirPlay Payload

The AirPlay payload is designated by specifying com.apple.airplay as the PayloadType value.

This payload is supported on iOS 7.0 and later and on macOS 10.10 and later.

Whitelist (Array of Dictionaries)
    Optional. Supervised only (ignored otherwise). If present, only AirPlay destinations present in this list are available to the device. The dictionary format is described below.

Passwords (Array of Dictionaries)
    Optional. If present, sets passwords for known AirPlay destinations. The dictionary format is described below.

Each entry in the Whitelist array is a dictionary that can contain the following fields:

DeviceID (String)
    The Device ID of the AirPlay destination, in the format xx:xx:xx:xx:xx:xx. This field is not case sensitive.

Each entry in the Passwords array is a dictionary that contains the following fields:

DeviceName (String)
    The name of the AirPlay destination (used on iOS).

DeviceID (String)
    The Device ID of the AirPlay destination (used on macOS).

Password (String)
    The password for the AirPlay destination.
AirPlay Security Payload

The AirPlay Security payload locks the Apple TV to a particular style of AirPlay Security. The AirPlay Security payload is designated by specifying com.apple.airplay.security as the PayloadType value.

This payload is supported on tvOS 11.0 and later.

In addition to the settings common to all payloads, this payload defines the following keys:

SecurityType (String)
    Required. Must be one of the defined values: PASSCODE_ONCE, PASSCODE_ALWAYS, or PASSWORD.
    PASSCODE_ONCE will require an on-screen passcode to be entered on the first connection from a device. Subsequent connections from the same device will not be prompted.
    PASSCODE_ALWAYS will require an on-screen passcode to be entered upon every AirPlay connection.
    PASSWORD will require a passphrase to be entered as specified in the Password key. The Password key is required if this SecurityType is selected.
    NONE was deprecated in tvOS 11.3. Existing profiles using NONE will get the PASSWORD_ONCE behavior.

AccessType (String)
    Required. Must be one of the defined values: ANY or WIFI_ONLY.
    ANY allows connections from both Ethernet/WiFi and AWDL.
    WIFI_ONLY allows connections only from devices on the same Ethernet/WiFi network as the Apple TV.

Password (String)
    Optional. The AirPlay password. Required if SecurityType is PASSWORD.
AirPrint Payload

The AirPrint payload adds AirPrint printers to the user's AirPrint printer list. This makes it easier to support environments where the printers and the devices are on different subnets. An AirPrint payload is designated by specifying com.apple.airprint as the PayloadType value.

This payload is supported on iOS 7.0 and later and on macOS 10.10 and later.

AirPrint (Array of Dictionaries)
    An array of AirPrint printers that should always be shown.

Each dictionary in the AirPrint array must contain the following keys and values:

IPAddress (String)
    The IP Address of the AirPrint destination.

ResourcePath (String)
    The Resource Path associated with the printer. This corresponds to the rp parameter of the _ipps.tcp Bonjour record. For example:
    printers/Canon_MG5300_series
    printers/Xerox_Phaser_7600
    ipp/print
    Epson_IPP_Printer

Port (Integer)
    Listening port of the AirPrint destination. If this key is not specified AirPrint will use the default port.
    Availability: Available only in iOS 11.0 and later.

ForceTLS (Boolean)
    If true AirPrint connections are secured by Transport Layer Security (TLS). Default is false.
    Availability: Available only in iOS 11.0 and later.
App Lock Payload

The App Lock payload is designated by specifying com.apple.app.lock as the PayloadType value. Only one of this payload type can be installed at any time. This payload can be installed only on a Supervised device.

By installing an app lock payload, the device is locked to a single application until the payload is removed. The home button is disabled, and the device returns to the specified application automatically upon wake or reboot.

Note
You can't update any app while the device is locked in Single App Mode. You need to exit Single App Mode long enough to update apps as needed. During that time you should restrict the visible apps as much as possible, except for Settings and Phone and any other apps that cannot be blacklisted.

This payload is supported only in iOS 6.0 and later.

The payload contains the following key:

App (Dictionary)
    A dictionary containing information about the app.

The App dictionary, in turn, contains the following keys:

Identifier (String)
    The bundle identifier of the application.

Options (Dictionary)
    Optional. Described below.
    Availability: Available only in iOS 7.0 and later.

UserEnabledOptions (Dictionary)
    Optional. Described below.
    Availability: Available only in iOS 7.0 and later.

The Options dictionary, if present, can contain the following keys (in iOS 7.0 and later):

DisableTouch (Boolean)
    Optional. If true, the touch screen is disabled. Default is false. Also available in tvOS 10.2 and later to lock the touchpad on the remote.

DisableDeviceRotation (Boolean)
    Optional. If true, device rotation sensing is disabled. Default is false.

DisableVolumeButtons (Boolean)
    Optional. If true, the volume buttons are disabled. Default is false.

DisableRingerSwitch (Boolean)
    Optional. If true, the ringer switch is disabled. Default is false. When disabled, the ringer behavior depends on what position the switch was in when it was first disabled.

DisableSleepWakeButton (Boolean)
    Optional. If true, the sleep/wake button is disabled. Default is false.
DisableAutoLock (Boolean)
    Optional. If true, the device will not automatically go to sleep after an idle period. Also available in tvOS 10.2 and later.

EnableVoiceOver (Boolean)
    Optional. If true, VoiceOver is turned on. Default is false. Also available in tvOS 10.2 and later.

EnableZoom (Boolean)
    Optional. If true, Zoom is turned on. Default is false. Also available in tvOS 10.2 and later.

EnableInvertColors (Boolean)
    Optional. If true, Invert Colors is turned on. Default is false. Also available in tvOS 10.2 and later.

EnableAssistiveTouch (Boolean)
    Optional. If true, AssistiveTouch is turned on. Default is false.

EnableSpeakSelection (Boolean)
    Optional. If true, Speak Selection is turned on. Default is false.

EnableMonoAudio (Boolean)
    Optional. If true, Mono Audio is turned on. Default is false.

The UserEnabledOptions dictionary, if present, can contain the following keys (in iOS 7.0 and later):

VoiceOver (Boolean)
    Optional. If true, allow VoiceOver adjustment. Default is false. Also available in tvOS 10.2 and later.

Zoom (Boolean)
    Optional. If true, allow Zoom adjustment. Default is false. Also available in tvOS 10.2 and later.

InvertColors (Boolean)
    Optional. If true, allow Invert Colors adjustment. Default is false. Also available in tvOS 10.2 and later.

AssistiveTouch (Boolean)
    Optional. If true, allow AssistiveTouch adjustment. Default is false.
App Store Payload

The App Store payload is designated by specifying com.apple.appstore as the PayloadType value.

It establishes macOS App Store restrictions and is supported on the User channel.

The payload contains the following keys:

restrict-store-require-admin-to-install (Boolean)
    Optional. Restrict app installations to admin users. Available on macOS 10.9 and later.

restrict-store-softwareupdate-only (Boolean)
    Optional. Restrict app installations to software updates only. Available on macOS 10.10 and later.

restrict-store-disable-app-adoption (Boolean)
    Optional. Disable App Adoption by users. Available on macOS 10.10 and later.

DisableSoftwareUpdateNotifications (Boolean)
    Optional. Disable software update notifications. Available on macOS 10.10 and later.
Autonomous Single App Mode

The payload is designated by specifying com.apple.asam as the PayloadType.

This payload grants Autonomous Single App Mode capabilities for specific applications. Available in macOS 10.13.4 and later.

It must be installed as a device profile. Only one payload of this type can be installed on a system. This payload can only be installed via a "user approved" MDM server.

Note
Applications listed in this payload will have low-level access to the system, including, but not limited to, key logging and user interface manipulation outside of the application's context.

In addition to the settings common to all payloads, this payload defines the following key:

AllowedApplications (Array)
    Array of dictionaries that specify applications that are to be granted access to Assessment APIs.

Each dictionary in the AllowedApplications array consists of:

BundleIdentifier (String)
    The application's bundle identifier. BundleIdentifier must be unique. If two dictionaries contain the same BundleIdentifier but different TeamIdentifiers, this will be considered a hard error and the payload will not be installed.

TeamIdentifier (String)
    The developer's team identifier used to sign the application.

To be granted access, applications must be signed with the specified bundle identifier and team identifier using an Apple-issued production developer certificate. Applications must specify the com.apple.developer.assessment entitlement with a value of true.
CalDAV Payload

The payload is designated by specifying com.apple.caldav.account as the PayloadType.

This payload configures a CalDAV account.

In addition to the settings common to all payloads, this payload defines the following keys:

CalDAVAccountDescription (String)
    Optional. The description of the account.

CalDAVHostName (String)
    The server address. In macOS, this key is required.

CalDAVUsername (String)
    The user's login name. In macOS, this key is required.

CalDAVPassword (String)
    Optional. The user's password.

CalDAVUseSSL (Boolean)
    Whether or not to use SSL. In macOS, this key is optional.

CalDAVPort (Integer)
    Optional. The port on which to connect to the server.

CalDAVPrincipalURL (String)
    Optional. The base URL to the user's calendar. In macOS this URL is required if the user doesn't provide a password, because auto-discovery of the service will fail and the account won't be created.

Calendar Subscription Payload

The calendar subscription payload is designated by specifying com.apple.subscribedcalendar.account as the PayloadType value.

A calendar subscription payload adds a subscribed calendar to the user's calendars list.

The calendar subscription payload is not supported in macOS.

In addition to the settings common to all payloads, this payload defines the following keys:

SubCalAccountDescription (String)
    Optional. Description of the account.

SubCalAccountHostName (String)
    The server address.

SubCalAccountUsername (String)
    The user's login name.

SubCalAccountPassword (String)
    The user's password.

SubCalAccountUseSSL (Boolean)
    Whether or not to use SSL.
CardDAV Payload

The CardDAV payload is designated by specifying com.apple.carddav.account as the PayloadType value.

As of macOS v10.8 and later, this payload type supports obtaining CardDAVUsername and CardDAVPassword from an Identification Payload, if present.

In addition to the settings common to all payloads, this payload defines the following keys:

CardDAVAccountDescription (String)
    Optional. The description of the account.

CardDAVHostName (String)
    The server address.

CardDAVUsername (String)
    The user's login name.

CardDAVPassword (String)
    Optional. The user's password.

CardDAVUseSSL (Boolean)
    Optional. Whether or not to use SSL.

CardDAVPort (Integer)
    Optional. The port on which to connect to the server.

CardDAVPrincipalURL (String)
    Optional. Not supported on macOS. The base URL to the user's address book.
Cellular Payload

The cellular payload is designated by specifying com.apple.cellular as the PayloadType value.

A cellular payload configures cellular network settings for the user-selected data SIM on the device. It is supported on iOS 7 and later and is not supported on macOS.

Cellular payloads have two important installation requirements:

- No more than one cellular payload can be installed at any time.
- A cellular payload cannot be installed if an APN payload is already installed.

This payload replaces the com.apple.managedCarrier payload, which is supported, but deprecated.

In addition to the settings common to all payloads, this payload defines the following keys:

AttachAPN (Dictionary)
    Optional. An AttachAPN configuration dictionary, described below.

APNs (Array)
    Optional. An array of APN dictionaries, described below. Only the first entry is currently used.

The AttachAPN dictionary contains the following keys:

Name (String)
    Required. The Access Point Name.

AuthenticationType (String)
    Optional. Must contain either CHAP or PAP. Defaults to PAP.

Username (String)
    Optional. A user name used for authentication.

Password (String)
    Optional. A password used for authentication.

Each APN dictionary contains the following keys:

Name (String)
    Required. The Access Point Name.

AuthenticationType (String)
    Optional. Must contain either CHAP or PAP. Defaults to PAP.

Username (String)
    Optional. A user name used for authentication.

Password (String)
    Optional. A password used for authentication.

ProxyServer (String)
    Optional. The proxy server's network address.

ProxyPort (Integer)
    Optional. The proxy server's port.

DefaultProtocolMask (Integer)
    Deprecated. Default Internet Protocol versions. Set to the same value as AllowedProtocolMask. Possible values are: 1 = IPv4, 2 = IPv6, and 3 = Both.
    Availability: Available in iOS 10.3 and later.

AllowedProtocolMask (Integer)
    Optional. Supported Internet Protocol versions. Possible values are: 1 = IPv4, 2 = IPv6, and 3 = Both.
    Availability: Available in iOS 10.3 and later.
AllowedProtocolMaskInRoaming (Integer)
    Optional. Supported Internet Protocol versions while roaming. Possible values are: 1 = IPv4, 2 = IPv6, and 3 = Both.
    Availability: Available in iOS 10.3 and later.

AllowedProtocolMaskInDomesticRoaming (Integer)
    Optional. Supported Internet Protocol versions while domestic roaming. Possible values are: 1 = IPv4, 2 = IPv6, and 3 = Both.
    Availability: Available in iOS 10.3 and later.
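An added example, not from the reference, that turns the AirPlay, AirPlay Security, App Lock and Cellular key tables above into a schema check a practitioner can run over a PayloadContent array before signing and distributing a profile: the DeviceID format, the defined SecurityType and AccessType values, the rule that PASSWORD requires the Password key, the documented Options and UserEnabledOptions keys (Boolean only), the CHAP/PAP and 1/2/3 protocol-mask values, and the one-at-a-time rule for App Lock and cellular payloads. The key sets and enum values are transcribed from the tables; the function names and the sample dictionaries in the test are constructed for the example.

```python
import re

# An AirPlay Whitelist DeviceID has the form xx:xx:xx:xx:xx:xx and is not case sensitive.
DEVICE_ID_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Documented keys of the App Lock Options and UserEnabledOptions dictionaries.
APPLOCK_OPTIONS = {
    "DisableTouch", "DisableDeviceRotation", "DisableVolumeButtons",
    "DisableRingerSwitch", "DisableSleepWakeButton", "DisableAutoLock",
    "EnableVoiceOver", "EnableZoom", "EnableInvertColors",
    "EnableAssistiveTouch", "EnableSpeakSelection", "EnableMonoAudio",
}
APPLOCK_USER_OPTIONS = {"VoiceOver", "Zoom", "InvertColors", "AssistiveTouch"}
PROTOCOL_MASK_VALUES = (1, 2, 3)   # 1 = IPv4, 2 = IPv6, 3 = Both


def check_airplay(p):
    errors = []
    for entry in p.get("Whitelist", []):
        if not DEVICE_ID_RE.match(str(entry.get("DeviceID", ""))):
            errors.append(f"Whitelist DeviceID {entry.get('DeviceID')!r} is not xx:xx:xx:xx:xx:xx")
    for entry in p.get("Passwords", []):
        if "Password" not in entry or not any(k in entry for k in ("DeviceName", "DeviceID")):
            errors.append("Passwords entry needs Password plus DeviceName (iOS) or DeviceID (macOS)")
    return errors


def check_airplay_security(p):
    errors = []
    security = p.get("SecurityType")
    if security not in ("PASSCODE_ONCE", "PASSCODE_ALWAYS", "PASSWORD"):
        errors.append(f"SecurityType {security!r} is not a defined value")
    if security == "PASSWORD" and not p.get("Password"):
        errors.append("SecurityType PASSWORD requires the Password key")
    if p.get("AccessType") not in ("ANY", "WIFI_ONLY"):
        errors.append("AccessType must be ANY or WIFI_ONLY")
    return errors


def check_app_lock(p):
    errors = []
    app = p.get("App")
    if not isinstance(app, dict) or not app.get("Identifier"):
        return ["App dictionary with a bundle Identifier is required"]
    for name, allowed in (("Options", APPLOCK_OPTIONS), ("UserEnabledOptions", APPLOCK_USER_OPTIONS)):
        for key, value in app.get(name, {}).items():
            if key not in allowed:
                errors.append(f"{name}.{key} is not a documented key")
            elif not isinstance(value, bool):
                errors.append(f"{name}.{key} must be a Boolean")
    return errors


def check_apn(label, apn, protocol_masks):
    errors = []
    if not apn.get("Name"):
        errors.append(f"{label}: Name is required")
    if apn.get("AuthenticationType", "PAP") not in ("CHAP", "PAP"):
        errors.append(f"{label}: AuthenticationType must be CHAP or PAP")
    if protocol_masks:   # the mask keys are documented on APNs entries, not on AttachAPN
        for key in ("AllowedProtocolMask", "AllowedProtocolMaskInRoaming",
                    "AllowedProtocolMaskInDomesticRoaming"):
            if key in apn and apn[key] not in PROTOCOL_MASK_VALUES:
                errors.append(f"{label}: {key} must be 1 (IPv4), 2 (IPv6) or 3 (Both)")
    return errors


def check_cellular(p):
    errors = []
    if "AttachAPN" in p:
        errors += check_apn("AttachAPN", p["AttachAPN"], protocol_masks=False)
    for i, apn in enumerate(p.get("APNs", [])):
        errors += check_apn(f"APNs[{i}]", apn, protocol_masks=True)
    return errors


CHECKS = {
    "com.apple.airplay": check_airplay,
    "com.apple.airplay.security": check_airplay_security,
    "com.apple.app.lock": check_app_lock,
    "com.apple.cellular": check_cellular,
}
SINGLETON_TYPES = ("com.apple.app.lock", "com.apple.cellular")


def validate_payloads(payloads):
    """Run the per-type checks over a PayloadContent array and return
    (payload index, message) pairs; [] means no documented rule was broken."""
    errors = []
    for idx, p in enumerate(payloads):
        check = CHECKS.get(p.get("PayloadType"))
        if check:
            errors += [(idx, msg) for msg in check(p)]
    # Only one App Lock and one cellular payload may be installed at a time,
    # so two of either in one profile can never both apply.
    for ptype in SINGLETON_TYPES:
        if sum(p.get("PayloadType") == ptype for p in payloads) > 1:
            errors.append((-1, f"more than one {ptype} payload in this profile"))
    return errors
```

Payload types without an entry in CHECKS pass through untouched, so the table is safe to extend one payload section at a time; a rejected profile lists every violation rather than stopping at the first, which is what you want when the output feeds a CI gate.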
Certificate Payload

The PayloadType of a certificate payload must be one of the following:

com.apple.security.root
    Container format: PKCS#1 (.cer). Alias for com.apple.security.pkcs1.

com.apple.security.pkcs1
    Container format: PKCS#1 (.cer). DER-encoded certificate without private key. May contain root certificates.

com.apple.security.pem
    Container format: PKCS#1 (.cer). PEM-encoded certificate without private key. May contain root certificates.

com.apple.security.pkcs12
    Container format: PKCS#12 (.p12). Password-protected identity certificate. Only one certificate may be included.

In addition to the settings common to all payloads, all Certificate payloads define the following keys:

PayloadCertificateFileName (String)
    Optional. The file name of the enclosed certificate.

PayloadContent (Data)
    Mandatory. The base64 representation of the payload with a line length of 52.

Password (String)
    Optional. For PKCS#12 certificates, contains the password to the identity.

AllowAllAppsAccess (Boolean)
    Optional. For PKCS#12 certificates, if true, all apps have access to the private key. Default is false.
    Availability: Available in macOS 10.10 and later.

Note
Because the password string is stored in the clear in the profile, it is recommended that the profile be encrypted for the device.
Certificate Preference Payload
Certificate Preference payloads are designated by specifying com.apple.security.certificatepreference as the PayloadType value. See also Identity Preference Payload for setting up identity preferences.
A Certificate Preference payload lets you identify a Certificate Preference item in the user's keychain that references a certificate payload included in the same profile. It can only appear in a user profile, not a device profile. You can include multiple Certificate Preference payloads as needed.
Available in macOS 10.12 and later.
In addition to the settings common to all payloads, this payload defines the following keys:
Key | Type | Value
Name | String | Required. An email address (RFC 822) or other name for which a preferred certificate is requested.
PayloadCertificateUUID | String | The UUID of another payload within the same profile that installed the certificate; for example, a 'com.apple.security.root' payload.
Certificate Transparency Payload
Certificate Transparency payloads are designated by specifying com.apple.security.certificatetransparency as the PayloadType value.
A Certificate Transparency payload controls Certificate Transparency enforcement. It can only appear in a device profile, not a user profile. You can include multiple Certificate Transparency payloads as needed.
This payload does not require MDM or DEP enrollment.
Available in iOS 12.1.1, macOS 10.14.2, tvOS 12.1.1, and watchOS 5.1.1 and later.
In addition to the settings common to all payloads, this payload defines the following keys:
Key | Type | Value
DisabledForDomains | Array of Strings | Optional. List of domains where certificate transparency is disabled. A leading period can be used to match subdomains, but a domain matching rule must not match all domains within a top level domain (".example.com" and ".example.co.uk" are allowed while ".com" and ".co.uk" are not allowed).
DisabledForCerts | Array of Dictionaries | Optional. A list of hashed subjectPublicKeyInfo dictionaries defining the certificates where certificate transparency is disabled. For certificate transparency enforcement to be disabled, one of the following conditions must be met:
- The hash is of the server certificate's subjectPublicKeyInfo.
- The hash is of a subjectPublicKeyInfo that appears in a CA certificate in the certificate chain, that CA certificate is constrained via the X.509v3 nameConstraints extension, one or more directoryName nameConstraints are present in the permittedSubtrees, and the directoryName contains an organizationName attribute.
- The hash is of a subjectPublicKeyInfo that appears in a CA certificate in the certificate chain, the CA certificate has one or more organizationName attributes in the certificate Subject, and the server's certificate contains the same number of organizationName attributes, in the same order, and with byte-for-byte identical values.
The hashed subjectPublicKeyInfo dictionary contains the following keys:
Key | Type | Value
Algorithm | String | Required. Currently, must be sha256.
Hash | Data | Required. Created by applying the specified hash algorithm to the DER-encoding of the certificate's subjectPublicKeyInfo.
To generate the data specified by the Hash key in the subjectPublicKeyInfo dictionary, use this command for a PEM encoded certificate:
openssl x509 -pubkey -in example_certificate.pem -inform pem | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
If your certificate is DER encoded, use this command:
openssl x509 -pubkey -in example_certificate.der -inform der | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
If your certificate does not have a .pem or .der extension, use the file command to identify its encoding type.
$ file example_certificate.crt
example_certificate.crt: PEM certificate
$ file example_certificate.cer
example_certificate.cer: data
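As an added example (not Apple's code and not part of this reference), the following Python script does what the openssl pipeline above does, without openssl: it locates the DER-encoded subjectPublicKeyInfo inside a certificate (PEM or DER, so the .crt case is covered as well), hashes it with SHA-256, and wraps the result in a DisabledForCerts dictionary and a complete Certificate Transparency payload. It also rejects a DisabledForDomains rule that would cover an entire top-level domain, in the single-label case only. The certificate it runs on is constructed inside the script and is not a real signed certificate; the PayloadIdentifier and display name are assumed values.

```python
import base64
import hashlib
import plistlib
import uuid

# ---- minimal DER walking: just enough to find subjectPublicKeyInfo in a certificate ----

def _read_tlv(buf, pos):
    """Parse the DER tag and length at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def extract_spki_der(cert_der):
    """Return the DER bytes of subjectPublicKeyInfo, the exact input to the sha256 hash.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, pos, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (PEM input? pass it through load_certificate_der)")
    tag, pos, tbs_end = _read_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, end = _read_tlv(cert_der, pos)
    if tag == 0xA0:                       # explicit [0] version is optional (absent in v1 certs)
        pos = end
    for _ in range(5):                    # serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(cert_der, pos)
    tag, _, spki_end = _read_tlv(cert_der, pos)
    if tag != 0x30 or spki_end > tbs_end:
        raise ValueError("subjectPublicKeyInfo not found")
    return cert_der[pos:spki_end]

def load_certificate_der(data):
    """Accept DER or PEM bytes, mirroring the page's two openssl invocations."""
    if data.lstrip().startswith(b"-----BEGIN"):
        head, tail = b"-----BEGIN CERTIFICATE-----", b"-----END CERTIFICATE-----"
        body = data[data.index(head) + len(head):data.index(tail)]
        return base64.b64decode(b"".join(body.split()))
    return data

def spki_hash_entry(cert_bytes):
    """Build one DisabledForCerts dictionary: {Algorithm: sha256, Hash: <Data>}."""
    spki = extract_spki_der(load_certificate_der(cert_bytes))
    return {"Algorithm": "sha256", "Hash": hashlib.sha256(spki).digest()}

def validate_domain_rule(rule):
    """Reject a DisabledForDomains rule that would cover a whole top-level domain.
    Only the single-label case (".com") is caught; multi-label public suffixes such as
    ".co.uk" need a public-suffix list, which this example deliberately does not carry."""
    if rule.startswith("."):
        labels = rule[1:].split(".")
        if len(labels) < 2 or not all(labels):
            raise ValueError(f"{rule!r} would disable CT for an entire top-level domain")
    return rule

def build_ct_payload(cert_blobs, disabled_domains=()):
    """Assemble a com.apple.security.certificatetransparency payload dictionary."""
    return {
        "PayloadType": "com.apple.security.certificatetransparency",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.ct-exemptions",        # assumed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Certificate Transparency exemptions",
        "DisabledForDomains": [validate_domain_rule(d) for d in disabled_domains],
        "DisabledForCerts": [spki_hash_entry(c) for c in cert_blobs],
    }

# ---- constructed sample certificate: structurally valid DER, NOT a real signed certificate ----

def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _name(cn):
    # Name ::= SEQUENCE OF SET OF { OID 2.5.4.3 (commonName), UTF8String }
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0C, cn))))

_SIG_ALG = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))  # sha256WithRSA
SAMPLE_SPKI_DER = _tlv(0x30,
    _tlv(0x30, _tlv(0x06, bytes.fromhex("2a8648ce3d0201")) + _tlv(0x06, bytes.fromhex("2a8648ce3d030107")))
    + _tlv(0x03, b"\x00\x04" + b"\x11" * 64))          # ecPublicKey / P-256 with a placeholder point
_TBS = _tlv(0x30,
    _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _SIG_ALG
    + _name(b"Constructed Example CA")
    + _tlv(0x30, _tlv(0x17, b"190101000000Z") + _tlv(0x17, b"290101000000Z"))
    + _name(b"www.example.com") + SAMPLE_SPKI_DER)
SAMPLE_CERT_DER = _tlv(0x30, _TBS + _SIG_ALG + _tlv(0x03, b"\x00" + b"\x22" * 32))
SAMPLE_CERT_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_CERT_DER)
                   + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    entry = spki_hash_entry(SAMPLE_CERT_PEM)
    print(base64.b64encode(entry["Hash"]).decode())   # the string the openssl pipeline would print
    print(plistlib.dumps(build_ct_payload([SAMPLE_CERT_DER], [".example.com"])).decode())
```

For a real certificate, the base64 line printed here and the one printed by the openssl pipeline are identical, because both hash the same DER bytes of subjectPublicKeyInfo rather than the whole certificate. plistlib writes the Hash as a data element, which is what the Data type in the table above requires; do not store the base64 text as a String.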
Conference Room Display Payload
The Conference Room Display payload is designated by specifying com.apple.conferenceroomdisplay as the PayloadType.
It configures an Apple TV to enter Conference Room Display mode and restricts exit from that mode. It is supported on supervised devices running tvOS 10.2 or later.
In addition to the settings common to all payloads, this payload defines the following key:
Key | Type | Value
Message | String | Optional. A custom message displayed on the screen in Conference Room Display mode.
Note
When Conference Room Display mode and Single App mode are both enabled, Conference Room Display mode is active and the user can't access the app.
Content Caching Payload
The Content Caching payload is designated by specifying com.apple.AssetCache.managed as the PayloadType.
It configures the Content Caching service.
In addition to the settings common to all payloads, this payload defines the following keys:
Key | Type | Value
AllowPersonalCaching | Boolean | Optional. If set to true, caches the user's iCloud data. Clients may take some time (hours, days) to react to changes to this setting; it does not have an immediate effect. Default is true. At least one of the AllowPersonalCaching or AllowSharedCaching keys must be true. Availability: Available in macOS 10.13.4 and later.
AllowSharedCaching | Boolean | Optional. If set to true, caches non-iCloud content, such as apps and software updates. Clients may take some time (hours, days) to react to changes to this setting; it does not have an immediate effect. Default is true. At least one of the AllowPersonalCaching or AllowSharedCaching keys must be true. Availability: Available in macOS 10.13.4 and later.
AutoActivation | Boolean | Optional. If set to true, automatically activate the Content Cache when possible and prevent disabling of the Content Cache. Default is false. Availability: Available in macOS 10.13.4 and later.
CacheLimit | Integer | Optional. Defines the maximum number of bytes of disk space that will be used for the Content Cache. A CacheLimit of 0 means unlimited disk space. Default is 0. Availability: Available in macOS 10.13.4 and later.
DataPath | String | Optional. The path to the directory used to store Cached Content. Changing this setting manually does not automatically move cached content from the old to the new location. To move content automatically, use the Sharing preference's Content Caching pane. The value must be, or end with, /Library/Application Support/Apple/AssetCache/Data. A directory (and its intermediates) will be created for the given DataPath if it does not already exist. The directory will be owned by _assetcache:_assetcache and have mode 0750. Its immediate parent directory (.../Library/Application Support/Apple/AssetCache) will be owned by _assetcache:_assetcache and have mode 0755. Default is /Library/Application Support/Apple/AssetCache/Data. Availability: Available in macOS 10.13.4 and later.
DenyTetheredCaching | Boolean | Optional. If set to true, tethered caching is disabled. Default is false. Availability: Available in macOS 10.13.4 and later.
ListenRanges | Array of Dictionaries | Optional. Array of dictionaries describing a range of client IP addresses to serve. Availability: Available in macOS 10.13.4 and later.
ListenRangesOnly | Boolean | Optional. If set to true, the Content Cache provides content only to clients in the ranges specified by the ListenRanges key. To use the ListenRangesOnly key, the ListenRanges key must also be specified. Default is false. Availability: Available in macOS 10.13.4 and later.
ListenWithPeersAndParents | Boolean | Optional. If set to true, the Content Cache provides content to the clients in the union of the ListenRanges, PeerListenRanges and Parents ranges. Default is true. Availability: Available in macOS 10.13.4 and later.
LocalSubnetsOnly | Boolean | Optional. If set to true, the Content Cache offers content to clients only on the same immediate local network as the Content Cache. No content would be offered to clients on other networks reachable by the Content Cache. Default is true. If LocalSubnetsOnly is set to true, ListenRanges will be ignored. Availability: Available in macOS 10.13.4 and later.
LogClientIdentity | Boolean | Optional. If set to true, the Content Cache will log the IP address and port number of the clients that request content. Default is false. Availability: Available in macOS 10.13.4 and later.
Parents | Array of Strings | Optional. Array of the local IP addresses of other Content Caches that this cache should download from or upload to, instead of downloading from or uploading to Apple directly. Invalid addresses and addresses of computers that are not Content Caches are ignored. Parent caches that become unavailable are skipped. If all parent Content Caches become unavailable, the Content Cache will download from or upload to Apple directly until a parent Content Cache becomes available again. Availability: Available in macOS 10.13.4 and later.
ParentSelectionPolicy | String | Optional. The policy to use when choosing among more than one configured parent Content Cache. With every policy, parent caches that are temporarily unavailable are skipped.
- first-available: Always use the first parent in the Parents list that is available. This is useful for designating permanent primary, secondary, and subsequent parents.
- url-path-hash: Hash the path part of the requested URL so that the same parent is always used for the same URL. This is useful for maximizing the size of the combined caches of the parents.
- random: Choose a parent at random. This is useful for load balancing.
- round-robin: Rotate through the parents in order. This is useful for load balancing.
- sticky-available: Starting with the first parent in the Parents list, always use the first parent that is available. Use that parent until it becomes unavailable, then advance to the next one. This is useful for designating floating primary, secondary, and subsequent parents.
Default is round-robin. Availability: Available in macOS 10.13.4 and later.
PeerFilterRanges | Array of Dictionaries | Optional. Array of dictionaries describing a range of peer IP addresses that the Content Cache will use to filter its list of peers to query for content. The Content Cache only queries peers that are in the PeerFilterRanges. When PeerFilterRanges is an empty array the Content Cache will not query any peers. Availability: Available in macOS 10.13.4 and later.
PeerListenRanges | Array of Dictionaries | Optional. Array of dictionaries describing a range of peer IP addresses the Content Cache will respond to peer cache queries from. When PeerListenRanges is an empty array, the Content Cache will respond with an error to all cache queries. Availability: Available in macOS 10.13.4 and later.
PeerLocalSubnetsOnly | Boolean | Optional. If set to true, the Content Cache will only peer with other Content Caches on the same immediate local network, rather than with Content Caches that use the same public IP address as the device. When PeerLocalSubnetsOnly is true, it overrides the configuration of PeerFilterRanges and PeerListenRanges. If the network changes, the local network peering restrictions update appropriately. If set to false, the Content Cache defers to PeerFilterRanges and PeerListenRanges for configuring the peering restrictions. Default is true. Availability: Available in macOS 10.13.4 and later.
Port | Integer | Optional. The TCP port number on which the Content Cache accepts requests for uploads or downloads. Port set to 0 picks a random, available port. Default is 0. Availability: Available in macOS 10.13.4 and later.
PublicRanges | Array of Dictionaries | Optional. Array of dictionaries describing a range of public IP addresses that the cloud servers should use for matching clients to Content Caches. Availability: Available in macOS 10.13.4 and later.
The dictionary used to define ranges used by the Content Cache uses the following keys:
Key | Type | Value
type | String | Optional. The IP address type (IPv4 or IPv6). Default is IPv4.
first | String | Required. First IP address in the range.
last | String | Required. Last IP address in the range.
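Added example, not part of this reference: a Python validator for the Content Caching keys above. It parses the range dictionaries with the standard ipaddress module, rejects a range whose type and addresses disagree or whose first address is above its last, and checks the cross-key rules the table states only in prose (both caching keys false, ListenRangesOnly without ListenRanges, ListenRanges silently ignored while LocalSubnetsOnly keeps its default of true, the DataPath suffix, and the Port range). The two payloads are constructed here to put a mis-configured payload beside a corrected one; their PayloadIdentifier and PayloadUUID values are made up.

```python
import ipaddress
import plistlib

RANGE_KEYS = ("ListenRanges", "PeerFilterRanges", "PeerListenRanges", "PublicRanges")
DATA_PATH_SUFFIX = "/Library/Application Support/Apple/AssetCache/Data"

def parse_range(d):
    """Turn one range dictionary (type/first/last) into a pair of ip_address objects.
    Rejects an unknown type, addresses of the wrong family, and first > last."""
    kind = d.get("type", "IPv4")                           # page: default is IPv4
    if kind not in ("IPv4", "IPv6"):
        raise ValueError(f"unknown range type {kind!r}")
    first, last = ipaddress.ip_address(d["first"]), ipaddress.ip_address(d["last"])
    want = 4 if kind == "IPv4" else 6
    if first.version != want or last.version != want:
        raise ValueError(f"{d['first']}-{d['last']} does not match type {kind}")
    if first > last:
        raise ValueError(f"{d['first']}-{d['last']} has first > last")
    return first, last

def in_ranges(ip, ranges):
    """True if ip falls inside any of the given range dictionaries."""
    addr = ipaddress.ip_address(ip)
    return any(f.version == addr.version and f <= addr <= l for f, l in map(parse_range, ranges))

def validate_content_caching(payload):
    """Return a list of problems; an empty list means the payload is self-consistent."""
    problems = []
    if not (payload.get("AllowPersonalCaching", True) or payload.get("AllowSharedCaching", True)):
        problems.append("at least one of AllowPersonalCaching or AllowSharedCaching must be true")
    if payload.get("ListenRangesOnly", False) and "ListenRanges" not in payload:
        problems.append("ListenRangesOnly requires ListenRanges to be specified")
    if payload.get("LocalSubnetsOnly", True) and "ListenRanges" in payload:
        problems.append("ListenRanges is ignored while LocalSubnetsOnly is true (its default)")
    path = payload.get("DataPath")
    if path is not None and not path.endswith(DATA_PATH_SUFFIX):
        problems.append(f"DataPath must be, or end with, {DATA_PATH_SUFFIX}")
    port = payload.get("Port", 0)
    if isinstance(port, bool) or not isinstance(port, int) or not 0 <= port <= 65535:
        problems.append("Port must be an integer from 0 (random) to 65535")
    for key in RANGE_KEYS:
        for d in payload.get(key, []):
            try:
                parse_range(d)
            except (KeyError, ValueError) as exc:
                problems.append(f"{key}: {exc}")
    return problems

# Constructed: a payload with three mistakes the prose rules above forbid.
BAD_PAYLOAD = {
    "PayloadType": "com.apple.AssetCache.managed",
    "AllowPersonalCaching": False,
    "AllowSharedCaching": False,                          # both false: nothing can be cached
    "ListenRangesOnly": True,                             # but no ListenRanges key
    "PeerFilterRanges": [{"first": "10.0.1.255", "last": "10.0.1.0"}],   # reversed range
}

# Constructed: the corrected payload, serving one IPv4 and one IPv6 client range only.
GOOD_PAYLOAD = {
    "PayloadType": "com.apple.AssetCache.managed",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.assetcache",                  # assumed identifier
    "PayloadUUID": "0C8D0A4E-3B8E-4D0B-9B3D-2C8B1B1C0001",           # made-up UUID
    "AllowSharedCaching": True,
    "AllowPersonalCaching": False,
    "LocalSubnetsOnly": False,                            # otherwise ListenRanges is ignored
    "ListenRangesOnly": True,
    "ListenRanges": [
        {"type": "IPv4", "first": "10.0.1.0", "last": "10.0.1.255"},
        {"type": "IPv6", "first": "fd00::", "last": "fd00::ffff"},
    ],
    "LogClientIdentity": True,                            # keep a record of who pulled content
    "Port": 0,
    "DataPath": "/Volumes/Cache/Library/Application Support/Apple/AssetCache/Data",
}

if __name__ == "__main__":
    for name, p in (("bad", BAD_PAYLOAD), ("good", GOOD_PAYLOAD)):
        print(name, validate_content_caching(p) or "ok")
    print(plistlib.dumps(GOOD_PAYLOAD).decode())
```

The LocalSubnetsOnly check is the one that catches the most common mistake in practice: the key defaults to true, so a ListenRanges array added without also setting LocalSubnetsOnly to false changes nothing on the cache.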
Desktop Payload
The Desktop payload is designated by specifying com.apple.desktop as the PayloadType.
This payload sets up macOS Desktop settings and restrictions. It is supported on the user channel and on macOS 10.10 and later.
In addition to the settings common to all payloads, this payload defines the following keys:
Key | Type | Value
locked | Boolean | Optional. If true, the desktop picture is locked. Default is false.
override-picture-path | String | Optional. If supplied, it sets the path to the desktop picture.
DNS Proxy Payload
The DNS Proxy payload is designated by specifying com.apple.dnsProxy.managed as the PayloadType. This payload can be installed only on a Supervised device.
This payload sets up iOS DNS Proxy settings. It is supported on iOS 11 and later.
In addition to the settings common to all payloads, this payload defines the following keys:
Key | Type | Value
AppBundleIdentifier | String | Required. Bundle identifier of the app containing the DNS proxy network extension.
ProviderBundleIdentifier | String | Optional. Bundle identifier of the DNS proxy network extension to use. Useful for apps that contain more than one DNS proxy extension.
ProviderConfiguration | Dictionary | Optional. Dictionary of vendor-specific configuration items.
Dock Payload
The Dock payload is designated by specifying com.apple.dock as the PayloadType.
The Dock payload is supported on the user channel and, except for AllowDockFixupOverride, on all versions of macOS. The key AllowDockFixupOverride is supported on macOS 10.12 and later.
In addition to the settings common to all payloads, this payload defines the following keys:
Key | Type | Value
orientation | String | Optional. Orientation of the dock. Values may be bottom, left, or right.
position-immutable | Boolean | Optional. If true, the position is locked.
autohide | Boolean | Optional. If true, automatically hide and show the dock.
autohide-immutable | Boolean | Optional. If true, the Automatically Hide checkbox is disabled.
minimize-to-application | Boolean | Optional. If true, enable the minimize-to-application feature.
magnification | Boolean | Optional. If true, magnification is active.
magnify-immutable | Boolean | Optional. If true, the magnification checkbox is disabled.
largesize | Integer | Optional. The size of the largest magnification. Values must be in range 16 to 128.
magsize-immutable | Boolean | Optional. If true, the magnify slider is disabled.
show-process-indicators | Boolean | Optional. If true, show the process indicator.
launchanim | Boolean | Optional. If true, animate opening applications.
launchanim-immutable | Boolean | Optional. If true, the Animate Opening Applications checkbox is disabled.
mineffect | String | Optional. Set minimize effect. Values may be genie or scale.
mineffect-immutable | Boolean | Optional. If true, the Minimize Using popup is disabled.
tilesize | Integer | Optional. The tile size. Values must be in range 16 to 128.
size-immutable | Boolean | Optional. If true, the size slider will be disabled.
MCXDockSpecialFolders | Array of Strings | Optional. One or more special folders that may be created at user login time and placed in the dock. Values may be AddDockMCXMyApplicationsFolder, AddDockMCXDocumentsFolder, AddDockMCXSharedFolder, or AddDockMCXOriginalNetworkHomeFolder. The "My Applications" item is only used for Simple Finder environments. The "Original Network Home" item is only used for mobile account users.
AllowDockFixupOverride | Boolean | Optional. If true, use the file in /Library/Preferences/com.apple.dockfixup.plist when a new user or migrated user logs in. The format of this file currently has no documentation. This option has no effect for existing users.
static-only | Boolean | Optional. If true, the device will use the static-apps and static-others dictionaries for the dock and ignore any items in the persistent-apps and persistent-others dictionaries. If false, the contents will be merged with the static items listed first.
static-others | Array of Dictionaries | Optional. Dock items in the Documents side that cannot be removed from the dock.
static-apps | Array of Dictionaries | Optional. Dock items in the Applications side that cannot be removed from the dock.
contents-immutable | Boolean | Optional. If true, the user cannot remove any item from or add any item to the dock.
The static-others and static-apps dictionaries define the following keys:
Key | Type | Value
tile-data | Dictionary | Required. Information about a dock item.
tile-type | String | Required. The type of the tile. Values may be file-tile, directory-tile, or url-tile. If you are unsure whether the file item is a file or a directory, set this key to file-tile.
The tile-data dictionary defines the following keys:
Key | Type | Value
label | String | Required. Label of a dock item.
url | String | Optional. For URL tiles, the URL string.
file-type | Integer | Required. The type of the tile expressed as a number. 3 = directory, 0 = URL, 1 = file.
Education Configuration Payload
The Education Configuration Payload is designated by specifying com.apple.education as the PayloadType value. It can contain only one payload.
The Education Configuration Payload defines the users, groups, and departments within an educational organization.
It is supported on iOS 9.3 and later. On iOS, it must be supervised and sent over the device channel.
It is supported on macOS 10.14 and later. On macOS, it must be sent over the user channel. Student payloads are only supported on macOS 10.14.4 and later.
In addition to the settings common to all payloads, this payload defines the following keys:
Key | Type | Value
OrganizationUUID | String | Required. The organization's UUID identifier. This can be any valid UUID. All teacher and student devices that need to communicate with one another must have the same OrganizationUUID, particularly if they originated from different Device Enrollment Programs.
OrganizationName | String | Required. The organization's display name. This name will be shown in the iOS login screen.
PayloadCertificateUUID | String | Required. The UUID of an identity certificate payload that will be used to perform client authentication with other devices.
LeaderPayloadCertificateAnchorUUID | Array | Optional. An array of UUIDs referring to certificate payloads that will be used to authorize leader peer certificate identities. This array must contain all certificates needed to validate the entire chain of trust. Leader certificates must have the common name prefix leader (case insensitive) and have a .cer type.
MemberPayloadCertificateAnchorUUID | Array | Optional. An array of UUIDs referring to certificate payloads that will be used to authorize group member peer certificate identities. This array must contain all certificates needed to validate the entire chain of trust. Member certificates must have the common name prefix member (case insensitive) and have a .cer type.
ResourcePayloadCertificateUUID | String | Optional. The UUID of an identity certificate payload that will be used to perform client authentication when fetching additional resources, such as student images. If not specified the MDM client identity will be used.
UserIdentifier | String | Optional. A unique string that identifies the user of this device within the organization.
Departments | Array | Optional. Shared: An array of dictionaries that define departments that are shown in the iOS login window.
Groups | Array | Required. Shared: An array of dictionaries that define groups that the user can select in the login window. Leader: An array of dictionaries that define the groups that the user can control. Member: An array of dictionaries that define the groups of which the user is a member.
Users | Array | Required. Shared: An array of dictionaries that define the users that are shown in the iOS login window. Leader: An array of dictionaries that define users that are members of the leader's groups. Member: An array of dictionaries that must contain the definition of the user specified in the UserIdentifier key. With one-to-one member devices, this key should include only the device user and the leader but not other class members.
DeviceGroups | Array | Optional. Leader: An array of dictionaries that define the device groups to which the leader can assign devices. This key is not included in member payloads.
ScreenObservationPermissionModificationAllowed | Boolean | Optional. If set to true, students enrolled in managed classes can modify their teacher's permissions for screen observation on this device. Defaults to false.
The Departments key must contain an array of dictionaries with the following key-value pairs:
Key | Type | Value
Name | String | Required. The display name of the department.
GroupBeaconIDs | Array | Required. The group beacon identifiers that are members of this department.
The Groups key must contain an array of dictionaries with the following key-value pairs:
Key | Type | Value
BeaconID | Integer | Required. The unsigned 16 bit integer specifying this group's unique beacon ID.
Name | String | Required. The display name of the group.
Description | String | Optional. Description of the group.
ImageURL | String | Deprecated in iOS 9.3.1 and later. URL of an image for the group.
ConfigurationSource | String | Optional. The source that provided this group; e.g. iTunes U, SIS, or MDM.
LeaderIdentifiers | Array | Optional. The user identifiers that are leaders of this group.
MemberIdentifiers | Array | Required. The strings that refer to entries in the Users array that are members of the group.
DeviceGroupIdentifiers | Array | Required. The identifier strings that refer to entries in the DeviceGroups array that are device groups to which the teacher can assign users from this class.
The Users key must contain an array of dictionaries with the following key-value pairs:
Key | Type | Value
Identifier | String | Required. The string that uniquely identifies a user in the organization.
Name | String | Required. The string displayed as the name of the user.
GivenName | String | Optional. The string displayed as the given name of the user.
FamilyName | String | Optional. The string displayed as the family name of the user.
PhoneticGivenName | String | Optional. The string that represents the user's phonetic given name. It will be used to sort users in the Classroom app and the Shared iPad Login Screen.
PhoneticFamilyName | String | Optional. The string that represents the user's phonetic family name. It will be used to sort users in the Classroom app and the Shared iPad Login Screen.
ImageURL | String | Optional. A string containing a URL pointing to an image of the user. This image will be displayed in the iOS login screen and in the Classroom app. The recommended resolution is 256 x 256 pixels (512 x 512 pixels on a 2x device). The recommended formats are JPEG, PNG, and TIFF. The ResourcePayloadCertificateUUID identity certificate or the MDM client identity will be used to perform authentication when fetching the image.
FullScreenImageURL | String | Deprecated in iOS 9.3.1 and later. URL pointing to an image of the user. The ResourcePayloadCertificateUUID identity certificate or the MDM client identity will be used to perform authentication when fetching the specified resource.
AppleID | String | Optional. The Managed Apple ID for this user.
PasscodeType | String | Optional. The passcode UI to show when the user is at the login window; possible values are complex, four, or six.
The DeviceGroups key must contain an array of dictionaries with the following key-value pairs:
Key | Type | Content
Identifier | String | Required. The string that uniquely identifies the device group in the organization.
Name | String | Required. The string displayed as the name of the device group, which must be unique in the organization.
SerialNumbers | Array | Required. The strings containing the serial numbers of the devices in the group.
Notes:
- All identities must be configured as both SSL clients and servers.
- Leader certificates must have the common name prefix leader (case insensitive).
- Member certificates must have the common name prefix member (case insensitive).
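Added example (not Apple's code): a Python check of the references between the Groups, Users, DeviceGroups and Departments arrays described above. Nothing in the payload format itself stops a group from naming a user or device group that the payload never defines, or a department from naming a beacon that no group carries, so those links are verified here before the profile is pushed. The check also enforces the unsigned 16-bit BeaconID range and the member-payload rules (the UserIdentifier user must be defined in Users; DeviceGroups is not included). The three payloads are constructed for the example; identifiers, UUIDs and serial numbers are made up.

```python
import plistlib

def validate_education_payload(payload, role):
    """Cross-check the references inside a com.apple.education payload.

    role is "shared", "leader" or "member", matching the page's three readings of the
    Groups, Users and DeviceGroups keys. Returns a list of problems (empty means consistent).
    """
    problems = []
    users = {u.get("Identifier") for u in payload.get("Users", [])}
    device_groups = [g.get("Identifier") for g in payload.get("DeviceGroups", [])]
    beacons = {}                                       # BeaconID -> group name
    for g in payload.get("Groups", []):
        name, bid = g.get("Name"), g.get("BeaconID")
        if isinstance(bid, bool) or not isinstance(bid, int) or not 0 <= bid <= 0xFFFF:
            problems.append(f"group {name!r}: BeaconID must be an unsigned 16-bit integer")
        elif bid in beacons:
            problems.append(f"group {name!r}: BeaconID {bid} is already used by {beacons[bid]!r}")
        else:
            beacons[bid] = name
        for uid in g.get("MemberIdentifiers", []) + g.get("LeaderIdentifiers", []):
            if uid not in users:
                problems.append(f"group {name!r}: {uid!r} does not refer to an entry in Users")
        for dg in g.get("DeviceGroupIdentifiers", []):
            if dg not in device_groups:
                problems.append(f"group {name!r}: device group {dg!r} is not in DeviceGroups")
    for d in payload.get("Departments", []):
        for bid in d.get("GroupBeaconIDs", []):
            if bid not in beacons:
                problems.append(f"department {d.get('Name')!r}: beacon {bid} matches no group")
    if role == "member":
        if payload.get("UserIdentifier") not in users:
            problems.append("member payload: the UserIdentifier user must be defined in Users")
        if "DeviceGroups" in payload:
            problems.append("member payload: DeviceGroups is not included in member payloads")
    if len(device_groups) != len(set(device_groups)):
        problems.append("DeviceGroups: Identifier values must be unique in the organization")
    return problems

# ---- constructed sample payloads (all identifiers, UUIDs and serial numbers are made up) ----
_TEACHER = {"Identifier": "t-100", "Name": "Ana Rivera", "GivenName": "Ana", "FamilyName": "Rivera"}
_ALICE = {"Identifier": "s-201", "Name": "Alice Chen", "PasscodeType": "four"}
_BOB = {"Identifier": "s-202", "Name": "Bob Okafor", "PasscodeType": "four"}
_COMMON = {
    "PayloadType": "com.apple.education",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.education",                         # assumed identifier
    "PayloadUUID": "7A0B3C1D-2E4F-4A6B-8C9D-0E1F2A3B4C5D",
    "OrganizationUUID": "D8F7A2B1-6C3E-4F5A-9B8C-1D2E3F4A5B6C",
    "OrganizationName": "Example Academy",
    "PayloadCertificateUUID": "1C2D3E4F-5A6B-4C7D-8E9F-0A1B2C3D4E5F",   # identity payload in the same profile
}
# Leader (teacher) payload: full class roster plus the device group the teacher may assign to.
LEADER_PAYLOAD = dict(_COMMON, UserIdentifier="t-100",
    Users=[_TEACHER, _ALICE, _BOB],
    Groups=[{"BeaconID": 1, "Name": "Biology 101", "LeaderIdentifiers": ["t-100"],
             "MemberIdentifiers": ["s-201", "s-202"], "DeviceGroupIdentifiers": ["lab-ipads"]}],
    DeviceGroups=[{"Identifier": "lab-ipads", "Name": "Lab iPads", "SerialNumbers": ["SERIAL0001", "SERIAL0002"]}],
    Departments=[{"Name": "Science", "GroupBeaconIDs": [1]}])
# Member (one-to-one student) payload: only the device user and the leader, no DeviceGroups.
MEMBER_PAYLOAD = dict(_COMMON, UserIdentifier="s-201",
    Users=[_ALICE, _TEACHER],
    Groups=[{"BeaconID": 1, "Name": "Biology 101", "LeaderIdentifiers": ["t-100"],
             "MemberIdentifiers": ["s-201"], "DeviceGroupIdentifiers": []}])
# Broken leader payload: out-of-range beacon, a member the payload never defines, and a
# department that therefore points at a beacon no valid group carries.
BROKEN_PAYLOAD = dict(LEADER_PAYLOAD,
    Groups=[{"BeaconID": 70000, "Name": "Chemistry", "LeaderIdentifiers": ["t-100"],
             "MemberIdentifiers": ["s-201", "s-999"], "DeviceGroupIdentifiers": ["lab-ipads"]}])

if __name__ == "__main__":
    for name, p, role in (("leader", LEADER_PAYLOAD, "leader"), ("member", MEMBER_PAYLOAD, "member"),
                          ("broken", BROKEN_PAYLOAD, "leader")):
        print(name, validate_education_payload(p, role) or "ok")
    print(plistlib.dumps(MEMBER_PAYLOAD).decode())
```

Run the check on the decoded plist rather than on the Python source of the payload, as the last assertion in the test does, so that it also catches a BeaconID that was accidentally serialised as a string or a real.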
Email Payload
The email payload is designated by specifying com.apple.mail.managed as the PayloadType value.
An email payload creates an email account on the device.
In addition to the settings common to all payloads, this payload defines the following keys:
Key | Type | Value
EmailAccountDescription | String | Optional. A user-visible description of the email account, shown in the Mail and Settings applications.
EmailAccountName | String | Optional. The full user name for the account. This is the user name in sent messages, etc.
EmailAccountType | String | Allowed values are EmailTypePOP and EmailTypeIMAP. Defines the protocol to be used for that account.
EmailAddress | String | Designates the full email address for the account. If not present in the payload, the device prompts for this string during profile installation.
IncomingMailServerAuthentication | String | Designates the authentication scheme for incoming mail. Allowed values are EmailAuthPassword, EmailAuthCRAMMD5, EmailAuthNTLM, EmailAuthHTTPMD5, and EmailAuthNone.
IncomingMailServerHostName | String | Designates the incoming mail server host name (or IP address).
IncomingMailServerIMAPPathPrefix | String | Optional. The path prefix for the IMAP mail server.
IncomingMailServerPortNumber | Integer | Optional. Designates the incoming mail server port number. If no port number is specified, the default port for a given protocol is used.
IncomingMailServerUseSSL | Boolean | Optional. Default false. Designates whether the incoming mail server uses SSL for authentication.
IncomingMailServerUsername | String | Designates the user name for the email account, usually the same as the email address up to the @ character. If not present in the payload, and the account is set up to require authentication for incoming email, the device will prompt for this string during profile installation.
IncomingPassword | String | Optional. Password for the Incoming Mail Server. Use only with encrypted profiles.
OutgoingPassword | String | Optional. Password for the Outgoing Mail Server. Use only with encrypted profiles.
OutgoingPasswordSameAsIncomingPassword | Boolean | Optional. If set, the user will be prompted for the password only once and it will be used for both outgoing and incoming mail.
OutgoingMailServerAuthentication | String | Designates the authentication scheme for outgoing mail. Allowed values are EmailAuthPassword, EmailAuthCRAMMD5, EmailAuthNTLM, EmailAuthHTTPMD5, and EmailAuthNone.
OutgoingMailServerHostName | String | Designates the outgoing mail server host name (or IP address).
OutgoingMailServerPortNumber | Integer | Optional. Designates the outgoing mail server port number. If no port number is specified, ports 25, 587 and 465 are used, in this order.
OutgoingMailServerUseSSL | Boolean | Optional. Default false. Designates whether the outgoing mail server uses SSL for authentication.
OutgoingMailServerUsername | String | Designates the user name for the email account, usually the same as the email address up to the @ character. If not present in the payload, and the account is set up to require authentication for outgoing email, the device prompts for this string during profile installation.
PreventMove | Boolean | Optional. Default false. If true, messages may not be moved out of this email account into another account. Also prevents forwarding or replying from a different account than the message was originated from. Availability: Available only in iOS 5.0 and later.
PreventAppSheet | Boolean | Optional. Default false. If true, this account is not available for sending mail in any app other than the Apple Mail app. Availability: Available only in iOS 5.0 and later.
SMIMEEnabled | Boolean | Optional. Default false. If true, this account supports S/MIME. As of iOS 10.0, this key is ignored. Availability: Available only in iOS 5.0 through iOS 9.3.3.
SMIMESigningEnabled | Boolean | Optional. Default true. If set to true, S/MIME signing is enabled for this account. Availability: Available only in iOS 10.3 and later.
SMIMESigningCertificateUUID | String | Optional. The PayloadUUID of the identity certificate used to sign messages sent from this account. Availability: Available only in iOS 5.0 and later.
SMIMEEncryptionEnabled | Boolean | Optional. Default false. If set to true, S/MIME encryption is on by default for this account. Availability: Available only in iOS 10.3 and later. As of iOS 12.0, this key is deprecated. It is recommended to use SMIMEEncryptByDefault instead.
SMIMEEncryptionCertificateUUID | String | Optional. The PayloadUUID of the identity certificate used to decrypt messages sent to this account. The public certificate is attached to outgoing mail to allow encrypted mail to be sent to this user. When the user sends encrypted mail, the public certificate is used to encrypt the copy of the mail in their Sent mailbox. Availability: Available only in iOS 5.0 and later.
SMIMEEnablePerMessageSwitch | Boolean | Optional. Default false. If set to true, displays the per-message encryption switch in the Mail Compose UI. Availability: Available only in iOS 8.0 and later. As of iOS 12.0, this key is deprecated. It is recommended to use SMIMEEnableEncryptionPerMessageSwitch instead.
disableMailRecentsSyncing | Boolean | If true, this account is excluded from address Recents syncing. This defaults to false. Availability: Available only in iOS 6.0 and later.
allowMailDrop | Boolean | Optional. If true, this account is allowed to use Mail Drop. The default is false. Availability: Available in iOS 9.2 and macOS 10.12 and later.
SMIMESigningUserOverrideable | Boolean | Optional. Default false. If set to true, the user can toggle S/MIME signing on or off in Settings. Availability: Available only in iOS 12.0 and later.
SMIMESigningCertificateUUIDUserOverrideable | Boolean | Optional. Default false. If set to true, the user can select the signing identity. Availability: Available only in iOS 12.0 and later.
SMIMEEncryptByDefault | Boolean | Optional. Default false. If set to true, S/MIME encryption is enabled by default. If SMIMEEnableEncryptionPerMessageSwitch is false, this default cannot be changed by the user. Availability: Available only in iOS 12.0 and later.
SMIMEEncryptByDefaultUserOverrideable | Boolean | Optional. Default false. If set to true, the user can toggle the encryption by default setting. Availability: Available only in iOS 12.0 and later.
SMIMEEncryptionCertificateUUIDUserOverrideable | Boolean | Optional. Default false. If set to true, the user can select the S/MIME encryption identity and encryption is enabled. Availability: Available only in iOS 12.0 and later.
SMIMEEnableEncryptionPerMessageSwitch | Boolean | Optional. Default false. If set to true, display the per-message encryption switch in the Mail Compose UI. Availability: Available only in iOS 12.0 and later.
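The Certificate payload note, the IncomingPassword and OutgoingPassword rows above, and the Exchange payload's Password and CertificatePassword keys all carry the same warning: the secret sits in the clear unless the profile is encrypted for the device. Added example, not part of this reference: a Python lint that walks every payload in a decoded profile, reports any of those keys that holds a value, and also flags two settings this reference itself calls out, a Password alongside OAuth and AllowAllAppsAccess on a PKCS#12 identity. An encrypted profile is recognised by its top-level EncryptedPayloadContent key and skipped, since its payloads cannot be inspected without the device's key. The profile it runs on is constructed inline; its identifiers are made up, and the com.apple.cellular payload type used for the nested APN dictionaries is assumed.

```python
import plistlib

# Keys this reference marks "use only with encrypted profiles" or "stored in the clear".
SECRET_KEYS = {"Password", "IncomingPassword", "OutgoingPassword", "CertificatePassword"}

def _walk(obj, path=()):
    """Yield (path, value) for every scalar in a nested plist structure."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _walk(v, path + (k,))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _walk(v, path + (str(i),))
    else:
        yield path, obj

def lint_profile(profile):
    """Return (severity, message) findings for a decoded profile dictionary."""
    findings = []
    if "EncryptedPayloadContent" in profile:      # encrypted for the device: nothing to inspect
        return findings
    for n, payload in enumerate(profile.get("PayloadContent", [])):
        ptype = payload.get("PayloadType", "?")
        where = f"payload[{n}] {ptype}"
        # Recurse so that secrets in nested dictionaries (e.g. APN entries) are found too.
        for path, value in _walk(payload):
            if path[-1] in SECRET_KEYS and value not in (None, "", b""):
                findings.append(("error", f"{where}: {'/'.join(path)} is in the clear; encrypt the profile for the device"))
        if payload.get("OAuth") and payload.get("Password"):
            findings.append(("warning", f"{where}: OAuth is enabled, so Password should not be specified"))
        if ptype == "com.apple.security.pkcs12" and payload.get("AllowAllAppsAccess"):
            findings.append(("warning", f"{where}: AllowAllAppsAccess gives every app access to the private key"))
    return findings

def lint_profile_bytes(data):
    """Lint a .mobileconfig read from disk (XML or binary plist)."""
    return lint_profile(plistlib.loads(data))

# ---- constructed sample profiles (identifiers and secrets are made up) ----
SAMPLE_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.lint-demo",
    "PayloadUUID": "3F1E2D3C-4B5A-4698-8776-655443322110",
    "PayloadContent": [
        {"PayloadType": "com.apple.security.pkcs12", "PayloadVersion": 1,
         "PayloadIdentifier": "com.example.identity", "PayloadUUID": "A1B2C3D4-E5F6-4071-8293-A4B5C6D7E8F9",
         "PayloadContent": b"not a real PKCS#12 blob", "Password": "p12-secret", "AllowAllAppsAccess": True},
        {"PayloadType": "com.apple.mail.managed", "PayloadVersion": 1,
         "PayloadIdentifier": "com.example.mail", "PayloadUUID": "B2C3D4E5-F607-4182-93A4-B5C6D7E8F901",
         "EmailAccountType": "EmailTypeIMAP", "IncomingMailServerHostName": "imap.example.com",
         "IncomingMailServerUseSSL": True, "IncomingPassword": "mail-secret"},
        {"PayloadType": "com.apple.eas.account", "PayloadVersion": 1,
         "PayloadIdentifier": "com.example.exchange", "PayloadUUID": "C3D4E5F6-0718-4293-A4B5-C6D7E8F90112",
         "Host": "mail.example.com", "UserName": "alice", "OAuth": True, "Password": "should-not-be-here"},
        {"PayloadType": "com.apple.cellular", "PayloadVersion": 1,                 # assumed payload type
         "PayloadIdentifier": "com.example.cellular", "PayloadUUID": "D4E5F607-1829-43A4-B5C6-D7E8F9011223",
         "APNs": [{"Name": "internet", "AuthenticationType": "CHAP", "Username": "apn", "Password": "apn-secret"}]},
    ],
}
ENCRYPTED_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.encrypted",
    "PayloadUUID": "E5F60718-293A-44B5-86D7-E8F901122334",
    "EncryptedPayloadContent": b"\x30\x82\x01\x00 constructed placeholder, not real CMS",
}

if __name__ == "__main__":
    for severity, message in lint_profile(SAMPLE_PROFILE):
        print(f"{severity:7} {message}")
    print("encrypted:", lint_profile(ENCRYPTED_PROFILE) or "nothing to inspect")
```

Run it against every profile before it leaves the MDM build pipeline: the lint cannot tell whether the device will in fact receive an encrypted copy, so a clean result means only that no secret is exposed in the file that was checked.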
802.1x Ethernet Payload
The 802.1x Ethernet payload is designated by specifying one of the following as the PayloadType value:
- com.apple.firstactiveethernet.managed [default]
- com.apple.firstethernet.managed
- com.apple.secondactiveethernet.managed
- com.apple.secondethernet.managed
- com.apple.thirdactiveethernet.managed
- com.apple.thirdethernet.managed
- com.apple.globalethernet.managed
In addition to the settings common to all payloads, this payload defines the following keys:
Key | Type | Value
Interface | String | The com.apple.globalethernet.managed payload uses the value AnyEthernet. The values for the other payloads are derived from their name; for example the com.apple.firstethernet.managed value would be FirstEthernet.
Payloads with "active" in their name apply to Ethernet interfaces that are working at the time of profile installation. If there is no active Ethernet interface working, the com.apple.firstactiveethernet.managed payload will configure the interface with the highest service order priority.
Payloads without "active" in the name apply to Ethernet interfaces according to service order regardless of whether the interface is working or not.
There is currently no support for a BSD level specifier.
To specify an enterprise profile for a given 802.1x network, include the EAPClientConfiguration key in the payload, as described in EAP Client Configuration Dictionary.
Exchange Payload
In iOS, the Exchange payload is designated by specifying com.apple.eas.account as the PayloadType value. This payload configures an Exchange ActiveSync Contacts account on the device. Mail and Calendar are not configured using this payload on iOS.
In macOS, the Exchange payload is designated by specifying com.apple.ews.account as the PayloadType value. This payload will configure an Exchange Web Services account for Contacts, Mail, Notes, Reminders, and Calendar.
In addition to the settings common to all payloads, this payload defines the following keys:
Key | Type | Value
Available in both iOS and macOS
EmailAddress | String | Specifies the full email address for the account. If not present in the payload, the device prompts for this string during profile installation. In macOS, this key is required.
Host | String | Specifies the Exchange server host name (or IP address). In macOS 10.11 and later, this key is optional.
SSL | Boolean | Optional. Default YES. Specifies whether the Exchange server uses SSL for authentication.
UserName | String | This string specifies the user name for this Exchange account. Required in macOS or non-interactive installations (like MDM on iOS).
Password | String | Optional. The password of the account. Use only with encrypted profiles.
OAuth | Boolean | Optional. Specifies whether the connection should use OAuth for authentication. If enabled, a password should not be specified. This defaults to false. Availability: Available only in iOS 12.0 and macOS 10.14 and later.
Available in iOS only
Certificate | NSData blob | Optional. For accounts that allow authentication via certificate, a .p12 identity certificate in NSData blob format.
CertificateName | String | Optional. Specifies the name or description of the certificate.
CertificatePassword | Data | Optional. The password necessary for the p12 identity certificate. Used with mandatory encryption of profiles.
PreventMove | Boolean | Optional. Default false. If set to true, messages may not be moved out of this email account into another account. Also prevents forwarding or replying from a different account than the message was originated from. Availability: Available in iOS 5.0 and later.
2019-05-03 |Copyright© 2019AppleInc. AllRightsReserved.
37
Key Type Value
PreventAppSheet Boolean Optional. Defaultfalse. Ifsettotrue,thisaccountwill
notbeavailableforsendingmailinanyappotherthanthe
AppleMailapp.
Availability: AvailableiniOS5.0andlater.
PayloadCertificateUUID String UUIDofthecertificatepayloadtousefortheidentity
credential.Ifthisfieldispresent,theCertificate field
isnotused.
Availability: AvailableiniOS5.0andlater.
SMIMEEnabled Boolean Optional. Defaultfalse. Iftrue,thisaccountsupports
S/MIME.
AsofiOS10.0,thiskeyisignored.
Availability: AvailableonlyiniOS5.0through9.3.3.
SMIMESigningEnabled Boolean Optional. Defaulttrue. Ifsettotrue,S/MIMEsigningis
enabledforthisaccount.
Availability: AvailableonlyiniOS10.3andlater.
SMIMESigningCertificateUUID String Optional. ThePayloadUUID oftheidentitycertificate
usedtosignmessagessentfromthisaccount.
Availability: AvailableonlyiniOS5.0andlater.
SMIMEEncryptionEnabled Boolean Optional. Defaultfalse. Ifsettotrue,S/MIME
encryptionisonbydefaultforthisaccount.
Availability: AvailableonlyiniOS10.3andlater. AsofiOS
12.0,thiskeyisdeprecated.Itisrecommendedtouse
SMIMEEncryptByDefault instead.
SMIMEEncryption
CertificateUUID
String Optional. ThePayloadUUID oftheidentitycertificate
usedtodecryptmessagessenttothisaccount. The
publiccertificateisattachedtooutgoingmailtoallow
encryptedmailtobesenttothisuser. Whentheuser
sendsencryptedmail,thepubliccertificateisusedto
encryptthecopyofthemailintheirSentmailbox.
Availability: AvailableonlyiniOS5.0andlater.
SMIMEEnablePerMessageSwitch Boolean Optional. Defaultfalse. Ifsettotrue,displaysthe
per-messageencryptionswitchintheMailComposeUI.
Availability: AvailableonlyiniOS8.0andlater. AsofiOS
12.0,thiskeyisdeprecated.Itisrecommendedtouse
SMIMEEnableEncryptionPerMessageSwitch
instead.
SMIMESigningUserOverrideable Boolean Optional. Defaultfalse. Ifsettotrue,theusercan
toggleS/MIMEsigningonoroffinSettings.
Availability: AvailableonlyiniOS12.0andlater.
SMIMESigningCertificateUUID
UserOverrideable
Boolean Optional. Defaultfalse. Ifsettotrue,theusercan
selectthesigningidentity.
Availability: AvailableonlyiniOS12.0andlater.
2019-05-03 |Copyright© 2019AppleInc. AllRightsReserved.
38
Key Type Value
SMIMEEncryptByDefault Boolean Optional. Defaultfalse. Ifsettotrue,S/MIME
encryptionisenabledbydefault.If
SMIMEEnableEncryptionPerMessageSwitch is
false,thisdefaultcannotbechangedbytheuser.
Availability: AvailableonlyiniOS12.0andlater.
SMIMEEncryptByDefaultUser
Overrideable
Boolean Optional. Defaultfalse. Ifsettotrue,theusercan
toggletheencryptionbydefaultsetting.
Availability: AvailableonlyiniOS12.0andlater.
SMIMEEncryptionCertificate
UUIDUserOverrideable
Boolean Optional. Defaultfalse. Ifsettotrue,theusercan
selecttheS/MIMEencryptionidentityandencryptionis
enabled.
Availability: AvailableonlyiniOS12.0andlater.
SMIMEEnableEncryptionPer
MessageSwitch
Boolean Optional. Defaultfalse. Ifsettotrue,displaysthe
per-messageencryptionswitchintheMailComposeUI.
Availability: AvailableonlyiniOS12.0andlater.
allowMailDrop Boolean Optional. Iftrue,thisaccountisallowedtouseMailDrop.
Thedefaultisfalse.
Availability: AvailableonlyinmacOS10.12andlater.
disableMailRecentsSyncing Boolean Iftrue,thisaccountisexcludedfromaddressRecents
syncing. Thisdefaultstofalse.
Availability: AvailableonlyiniOS6.0andlater.
MailNumberOfPastDaysToSync Integer Thenumberofdayssincesynchronization.
CommunicationServiceRules Dictionary Optional. Thecommunicationservicehandlerrulesfor
thisaccount. TheCommunicationServiceRules
dictionarycurrentlycontainsonlya
DefaultServiceHandlers key;itsvalueisadictionary
whichcontainsanAudioCall keywhosevalueisastring
containingthebundleidentifierforthedefaultapplication
thathandlesaudiocallsmadetocontactsfromthis
account.
AvailableinmacOSOnly
Path String Optional.
Port Integer Optional.
ExternalHost String Optional.
ExternalSSL Boolean Optional.
ExternalPath String Optional.
ExternalPort Integer Optional.
OAuthSignInURL String Optional. SpecifiestheURLtoloadintoawebviewfor
authenticationviaOAuthwhenauto-discoveryisnotused.
RequiresaHost value.
Availability: AvailableonlyinmacOS10.14andlater.
2019-05-03 |Copyright© 2019AppleInc. AllRightsReserved.
39
Note
AswithVPNandWi-Ficonfigurations,itispossibletoassociateanSCEPcredentialwithanExchangeconfigu-
rationviathePayloadCertificateUUID key.
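The following Python is an added example, not code from Apple's reference: it builds an iOS Exchange payload with plistlib and lints it against the constraints stated in the table above (Password belongs only in an encrypted profile, OAuth and Password are mutually exclusive, Certificate is ignored when PayloadCertificateUUID is present, SMIMEEnabled is ignored as of iOS 10.0, and the two keys deprecated in iOS 12.0 have named replacements). The PayloadIdentifier values, the display names and the sample account details are assumptions made for the example.

```python
import plistlib
import uuid

# Keys this reference marks as deprecated as of iOS 12.0, mapped to their replacements.
DEPRECATED_SMIME_KEYS = {
    "SMIMEEncryptionEnabled": "SMIMEEncryptByDefault",
    "SMIMEEnablePerMessageSwitch": "SMIMEEnableEncryptionPerMessageSwitch",
}


def build_exchange_payload(email, host, user_name, **extra):
    """Return an iOS Exchange (com.apple.eas.account) payload dictionary.

    The PayloadIdentifier naming scheme is an assumption for this example; extra
    keyword arguments are copied in verbatim so callers can add S/MIME keys.
    """
    payload = {
        "PayloadType": "com.apple.eas.account",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.exchange." + user_name,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Exchange ActiveSync",
        "EmailAddress": email,
        "Host": host,
        "UserName": user_name,
        "SSL": True,  # the documented default, made explicit so the lint can see it
    }
    payload.update(extra)
    return payload


def lint_exchange_payload(payload, profile_encrypted):
    """Return a list of findings; an empty list means the documented rules are respected."""
    findings = []
    if "Password" in payload and not profile_encrypted:
        findings.append("Password is present but the profile is not encrypted")
    if payload.get("OAuth") and "Password" in payload:
        findings.append("OAuth is enabled, so Password should not be specified")
    if payload.get("SSL", True) is False:
        findings.append("SSL is disabled for the Exchange connection")
    if "Certificate" in payload and "PayloadCertificateUUID" in payload:
        findings.append("Certificate is ignored because PayloadCertificateUUID is present")
    if "SMIMEEnabled" in payload:
        findings.append("SMIMEEnabled is ignored as of iOS 10.0")
    for old_key, new_key in DEPRECATED_SMIME_KEYS.items():
        if old_key in payload:
            findings.append(f"{old_key} is deprecated as of iOS 12.0; use {new_key}")
    return findings


def profile_xml(payloads):
    """Wrap payload dictionaries in a top-level profile and serialize it as an XML plist."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.exchange",  # assumed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Exchange with S/MIME",
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile)


def parse_profile(xml_bytes):
    """Read an XML plist back into a dictionary (used to check the round trip)."""
    return plistlib.loads(xml_bytes)


if __name__ == "__main__":
    account = build_exchange_payload(
        "jdoe@example.com", "mail.example.com", "jdoe",
        OAuth=True, SMIMESigningEnabled=True, SMIMEEncryptByDefault=True,
    )
    print(lint_exchange_payload(account, profile_encrypted=False))  # []
    print(profile_xml([account]).decode())
```

Run the lint before signing and distributing a profile; it is cheap, and the Password and SSL findings are the ones that matter most in an unencrypted profile that travels through an MDM channel.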
FileVault 2
In macOS 10.9, you can use FileVault 2 to perform full XTS-AES 128 encryption on the contents of a volume. FileVault 2 payloads are designated by specifying com.apple.MCX.FileVault2 as the PayloadType value. Removal of the FileVault payload does not disable FileVault.
Key | Type | Value
Enable | String | Set to 'On' to enable FileVault. Set to 'Off' to disable FileVault. This value is required.
Defer | Boolean | Set to true to defer enabling FileVault until the designated user logs out. For details, see fdesetup(8). The person enabling FileVault must be either a local user or a mobile account user.
UserEntersMissingInfo | Boolean | Set to true for manual profile installs to prompt for missing user name or password fields.
UseRecoveryKey | Boolean | Set to true to create a personal recovery key. Defaults to true.
ShowRecoveryKey | Boolean | Set to false to not display the personal recovery key to the user after FileVault is enabled. Defaults to true.
OutputPath | String | Path to the location where the recovery key and computer information plist will be stored.
Certificate | Data | DER-encoded certificate data if an institutional recovery key will be added.
PayloadCertificateUUID | String | UUID of the payload containing the asymmetric recovery key certificate payload.
Username | String | User name of the Open Directory user that will be added to FileVault.
Password | String | User password of the Open Directory user that will be added to FileVault. Use the UserEntersMissingInfo key if you want to prompt for this information.
UseKeychain | Boolean | If set to true and no certificate information is provided in this payload, the keychain already created at /Library/Keychains/FileVaultMaster.keychain will be used when the institutional recovery key is added.
DeferForceAtUserLoginMaxBypassAttempts | Integer | When using the Defer option you can optionally set this key to the maximum number of times the user can bypass enabling FileVault before it will require that it be enabled before the user can log in. If set to 0, it will always prompt to enable FileVault until it is enabled, though it will allow you to bypass enabling it. Setting this key to -1 will disable this feature. Availability: Available in macOS 10.10 and later.
DeferDontAskAtUserLogout | Boolean | When using the Defer option, set this key to true to not request enabling FileVault at user logout time. Availability: Available in macOS 10.10 and later.
A personal recovery user will normally be created unless the UseRecoveryKey key value is false. An institutional recovery key will be created only if either there is certificate data available in the Certificate key value, a specific certificate payload is referenced, or the UseKeychain key value is set to true and a valid FileVaultMaster.keychain file was created. In all cases, the certificate information must be set up properly for FileVault or it will be ignored and no institutional recovery key will be set up.
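As an added example that is not part of Apple's reference, the Python below builds a deferred FileVault 2 payload and encodes the rules stated in the table and the paragraph above: the Enable value set, the Defer-only keys, the personal and institutional recovery key conditions, and the bypass-attempt counter. The PayloadIdentifier, the placeholder certificate UUID and the treatment of an absent DeferForceAtUserLoginMaxBypassAttempts key as -1 are assumptions made for the example; the reference gives no default for that key.

```python
import plistlib
import uuid

MASTER_KEYCHAIN = "/Library/Keychains/FileVaultMaster.keychain"  # path named in the table


def build_filevault_payload(max_bypass_attempts=3, recovery_cert_uuid=None, use_keychain=False):
    """Return a com.apple.MCX.FileVault2 payload that defers enablement to the next logout.

    PayloadIdentifier is an assumed value. ShowRecoveryKey is false so the personal
    recovery key is kept for escrow rather than displayed on screen.
    """
    payload = {
        "PayloadType": "com.apple.MCX.FileVault2",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.filevault2",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "FileVault 2",
        "Enable": "On",
        "Defer": True,
        "UseRecoveryKey": True,
        "ShowRecoveryKey": False,
        "DeferForceAtUserLoginMaxBypassAttempts": max_bypass_attempts,
    }
    if recovery_cert_uuid is not None:
        payload["PayloadCertificateUUID"] = recovery_cert_uuid
    if use_keychain:
        payload["UseKeychain"] = True
    return payload


def validate_filevault_payload(payload):
    """Check the value constraints stated in the table; return a list of problems."""
    problems = []
    if payload.get("Enable") not in ("On", "Off"):
        problems.append("Enable is required and must be 'On' or 'Off'")
    for key in ("DeferForceAtUserLoginMaxBypassAttempts", "DeferDontAskAtUserLogout"):
        if key in payload and not payload.get("Defer"):
            problems.append(f"{key} is only meaningful together with Defer")
    attempts = payload.get("DeferForceAtUserLoginMaxBypassAttempts")
    if attempts is not None and (not isinstance(attempts, int) or attempts < -1):
        problems.append("DeferForceAtUserLoginMaxBypassAttempts must be an integer >= -1")
    if "Password" in payload and "Username" not in payload:
        problems.append("Password given without Username")
    return problems


def personal_recovery_key_created(payload):
    """A personal recovery key is created unless UseRecoveryKey is explicitly false."""
    return payload.get("UseRecoveryKey", True) is not False


def institutional_recovery_key_created(payload, master_keychain_present):
    """The rule from the paragraph above: certificate data, a referenced certificate
    payload, or UseKeychain together with an existing FileVaultMaster.keychain."""
    return (
        "Certificate" in payload
        or "PayloadCertificateUUID" in payload
        or (bool(payload.get("UseKeychain")) and master_keychain_present)
    )


def bypass_still_allowed(payload, bypass_count):
    """Whether a user who has skipped enablement bypass_count times may skip again at login.

    0 prompts every time but always allows a bypass; -1 disables the forcing feature.
    An absent key is treated like -1 here (assumption; the reference states no default).
    """
    limit = payload.get("DeferForceAtUserLoginMaxBypassAttempts", -1)
    if limit in (0, -1):
        return True
    return bypass_count < limit


def payload_xml(payload):
    """Serialize one payload as an XML plist fragment for inspection."""
    return plistlib.dumps(payload)


if __name__ == "__main__":
    fv = build_filevault_payload(max_bypass_attempts=2, recovery_cert_uuid="PLACEHOLDER-CERT-UUID")
    print(validate_filevault_payload(fv))  # []
    print(payload_xml(fv).decode())
```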
FDERecoveryKeyEscrow Payload
FileVault Full Disk Encryption (FDE) recovery keys are, by default, sent to Apple if the user requests it. Starting with macOS 10.13, recovery key escrow payloads are designated by specifying com.apple.security.FDERecoveryKeyEscrow as the PayloadType value. Only one payload of this type is allowed per system.
If FileVault is enabled after this payload is installed on the system, the FileVault PRK will be encrypted with the specified certificate, wrapped with a CMS envelope and stored at /var/db/FileVaultPRK.dat. The encrypted data will be made available to the MDM server as part of the SecurityInfo command. Alternatively, if a site uses its own administration software, it can extract the PRK from the foregoing location at any time. Because the PRK is encrypted using the certificate provided in the profile, only the author of the profile can extract the data.
Note these cautions:
- The payload must exist in a system-scoped profile.
- Installing more than one payload of this type per machine will cause an error.
- The previous payload (com.apple.security.FDERecoveryRedirect) is no longer supported. It can still be installed, but it will be ignored. This lets servers send out the same profile to old and new clients.
- If only an old-style redirection payload is installed at the time FileVault is turned on (by means of the Security Preferences pane), an error will be displayed and FileVault will not be enabled.
- No warning or error will be provided if FileVault is already enabled and an old-style payload is installed. In this case, it's assumed that the recovery key has already been escrowed with the server.
This payload contains these keys:
Key | Type | Value
Location | String | Required. A short description of the location where the recovery key will be escrowed. This text will be inserted into the message the user sees when enabling FileVault.
EncryptCertPayloadUUID | String | Required. The UUID of a payload within the same profile that contains the certificate that will be used to encrypt the recovery key. The referenced payload must be of type com.apple.security.pkcs1.
DeviceKey | String | Optional. An optional string that will be included in help text if the user appears to have forgotten the password. Can be used by a site admin to look up the escrowed key for the particular machine. Replaces the RecordNumber key used in the previous escrow mechanism. If missing, the device serial number will be used instead.
Although the previous FDERecovery payload is no longer supported on macOS 10.13 and later, it is still supported on macOS 10.9 through 10.12. This payload is designated by specifying com.apple.security.FDERecoveryRedirect as the PayloadType.
Once installed, this payload will cause any FDE (Full Disk Encryption) recovery keys to be redirected to the specified URL instead of being sent to Apple. This will require sites to implement their own HTTPS server that will receive the recovery keys via a POST request.
Note these cautions:
- The payload must exist in a system-scoped profile.
- Installing more than one payload of this type per machine will cause an error.
This payload contains these keys:
Key | Type | Value
RedirectURL | String | Required. The URL to which FDE recovery keys should be sent instead of Apple. Must begin with https://.
EncryptCertPayloadUUID | String | Required. The UUID of a payload within the same profile that contains a certificate that will be used to encrypt the recovery key when it is sent to the redirected URL. The referenced payload must be of type com.apple.security.pkcs1.
FileVault Client Request
The client issues an HTTPS POST request to the server with XML data containing the following:
Key | Type | Value
VersionNumber | String | Currently set to '1.0'.
SerialNumber | String | The serial number of the client computer. The server must include this value in its response back to the client (see below).
RecoveryKeyCMS64 | String | The recovery key encrypted using the encryption certificate provided in the configuration profile (referenced by the EncryptCertPayloadUUID key). The encrypted payload contains only the recovery key string without any XML wrapper. The encrypted data is wrapped in a CMS envelope and is then Base-64 encoded.
These tags are enclosed within a parent FDECaptureRequest tag. An example of an XML message body is:
<FDECaptureRequest>
<VersionNumber>1.0</VersionNumber>
<SerialNumber>A02FE08UCC8X</SerialNumber>
<RecoveryKeyCMS64>MIAGCSqGSIb3DQEHA ... AAAAAAAAA==</RecoveryKeyCMS64>
</FDECaptureRequest>
FileVault Server Response
Upon receiving the client's request, the server must respond to the client with XML data containing:
Key | Type | Value
SerialNumber | String | The serial number of the client computer. This value must be the same as the one sent in the request.
RecordNumber | String | This value must be nonempty but otherwise is up to the site to define it. This value will be displayed to the user along with the serial number on the EFI login screen when the user is asked to enter the recovery key. As an example, this could be a value to assist the site administrator in locating or verifying the user's recovery key in a database.
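The request/response exchange described in the two tables above, as an added example that is not code from Apple's reference: a server-side handler that validates an FDECaptureRequest body, stores the Base-64 CMS blob under the client's serial number, and answers with the serial number echoed back plus a site-defined RecordNumber. The sample request is constructed (its serial number is the one from the example body above; its CMS value is a placeholder blob, not a real CMS envelope), the "FV-nnnnnn" record-number scheme is invented for the example, and the name of the response's enclosing element is not given in this reference, so FDECaptureResponse is a placeholder.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample request (placeholder CMS blob, not a real CMS envelope).
SAMPLE_CMS64 = base64.b64encode(b"placeholder CMS envelope").decode()
SAMPLE_REQUEST = (
    "<FDECaptureRequest>"
    "<VersionNumber>1.0</VersionNumber>"
    "<SerialNumber>A02FE08UCC8X</SerialNumber>"
    f"<RecoveryKeyCMS64>{SAMPLE_CMS64}</RecoveryKeyCMS64>"
    "</FDECaptureRequest>"
).encode()


def validate_redirect_url(url):
    """RedirectURL must begin with https://; recovery keys never travel over plain HTTP."""
    return isinstance(url, str) and url.startswith("https://")


def parse_capture_request(body):
    """Parse and validate an FDECaptureRequest body; raise ValueError on anything malformed.

    The body arrives from the network, so a production server should use defusedxml
    (or an equivalently hardened parser) instead of the stdlib parser used here.
    """
    root = ET.fromstring(body)
    if root.tag != "FDECaptureRequest":
        raise ValueError("root element must be FDECaptureRequest")
    fields = {}
    for name in ("VersionNumber", "SerialNumber", "RecoveryKeyCMS64"):
        element = root.find(name)
        if element is None or not (element.text or "").strip():
            raise ValueError(f"missing or empty {name}")
        fields[name] = element.text.strip()
    if fields["VersionNumber"] != "1.0":
        raise ValueError("unsupported VersionNumber")
    # The value must be valid Base-64. Without the escrow certificate's private key the
    # server can do no more than store the decoded CMS envelope.
    fields["RecoveryKeyCMS"] = base64.b64decode(fields["RecoveryKeyCMS64"], validate=True)
    return fields


def is_valid_capture_request(body):
    """Boolean wrapper around parse_capture_request for callers that only need a verdict."""
    try:
        parse_capture_request(body)
    except (ValueError, ET.ParseError):
        return False
    return True


def build_capture_response(serial_number, record_number):
    """Build the server response. FDECaptureResponse is a placeholder element name
    chosen for this example; the reference does not name the enclosing element."""
    if not record_number:
        raise ValueError("RecordNumber must be non-empty")
    root = ET.Element("FDECaptureResponse")
    ET.SubElement(root, "SerialNumber").text = serial_number  # echoed back unchanged
    ET.SubElement(root, "RecordNumber").text = record_number
    return ET.tostring(root)


def response_field(body, name):
    """Read one child element's text from a response body (used to check the round trip)."""
    element = ET.fromstring(body).find(name)
    return None if element is None else element.text


def handle_escrow(body, store):
    """Store the encrypted key under the serial number and answer with a site-defined record number."""
    request = parse_capture_request(body)
    record_number = f"FV-{len(store) + 1:06d}"  # invented numbering scheme for the example
    store[request["SerialNumber"]] = (record_number, request["RecoveryKeyCMS"])
    return build_capture_response(request["SerialNumber"], record_number)


if __name__ == "__main__":
    escrow_store = {}
    print(handle_escrow(SAMPLE_REQUEST, escrow_store).decode())
```

The RecordNumber is shown to the user on the EFI screen, so keep it free of anything sensitive; it only has to let the help desk find the escrowed key.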
Firewall Payload
Available in macOS 10.12 and later. A Firewall payload manages the Application Firewall settings accessible in the Security Preferences pane. Note these restrictions:
- The payload must exist in a system-scoped profile.
- If more than one profile contains this payload, the most restrictive union of settings will be used.
- The "Automatically allow signed downloaded software" and "Automatically allow built-in software" options are not supported, but both will be forced ON when this payload is present.
This payload is designated by specifying com.apple.security.firewall as the PayloadType value.
The Firewall payload contains the following keys:
Key | Type | Value
EnableFirewall | Boolean | Required. Whether the firewall should be enabled or not.
BlockAllIncoming | Boolean | Optional. Corresponds to the "Block all incoming connections" option.
EnableStealthMode | Boolean | Optional. Corresponds to "Enable stealth mode".
Applications | Array of Dictionaries | Optional. The list of applications. Each dictionary contains these keys: BundleID (string): identifies the application; Allowed (Boolean): specifies whether or not incoming connections are allowed.
Font Payload
A Font payload lets you add an additional font to an iOS device. Font payloads are designated by specifying com.apple.font as the PayloadType value. You can include multiple Font payloads, as needed.
A Font payload contains the following keys:
Key | Type | Value
Name | String | Optional. The user-visible name for the font. This field is replaced by the actual name of the font after installation.
Font | Data | The contents of the font file.
Each payload must contain exactly one font file in TrueType (.ttf) or OpenType (.otf) format. Collection formats (.ttc or .otc) are not supported.
Note
Fonts are identified by their embedded PostScript names. Two fonts with the same PostScript name are considered to be the same font even if their contents differ. Installing two different fonts with the same PostScript name is not supported, and the resulting behavior is undefined.
Global HTTP Proxy Payload
The Global HTTP Proxy payload is designated by specifying com.apple.proxy.http.global as the PayloadType.
This payload allows you to specify global HTTP proxy settings.
There can only be one of this payload at any time. This payload can only be installed on a supervised device.
In addition to the settings common to all payloads, this payload defines the following keys:
Key | Type | Value
ProxyType | String | If you choose manual proxy type, you need the proxy server address including its port and optionally a user name and password into the proxy server. If you choose auto proxy type, you can enter a proxy autoconfiguration (PAC) URL.
ProxyServer | String | The proxy server's network address.
ProxyServerPort | Integer | The proxy server's port.
ProxyUsername | String | Optional. The user name used to authenticate to the proxy server.
ProxyPassword | String | Optional. The password used to authenticate to the proxy server.
ProxyPACURL | String | Optional. The URL of the PAC file that defines the proxy configuration.
ProxyPACFallbackAllowed | Boolean | Optional. If false, prevents the device from connecting directly to the destination if the PAC file is unreachable. Default is false. Availability: Available in iOS 7 and later.
ProxyCaptiveLoginAllowed | Boolean | Optional. If true, allows the device to bypass the proxy server to display the login page for captive networks. Default is false. Availability: Available in iOS 7 and later.
If the ProxyType field is set to Auto and no ProxyPACURL value is specified, the device uses the web proxy autodiscovery protocol (WPAD) to discover proxies.
Global Preferences Payload
The Global Preferences payload is designated by specifying .GlobalPreferences as the PayloadType value.
In addition to the settings common to all payloads, this payload defines the following keys:
Key | Type | Value
MultipleSessionEnabled | Boolean | Optional. If set to false, fast user switching is disabled. Defaults to true.
com.apple.autologout.AutoLogOutDelay | Double | Optional. The auto logout delay (in seconds). A value of zero means auto-logout is off. In some cases, this value may be restricted to values between 5 minutes and 24 hours.
Google Account Payload
The Google account payload is designated by specifying com.apple.google-oauth as the PayloadType value. You can install multiple Google payloads.
Each Google payload sets up a Google email address as well as any other Google services the user enables after authentication. Google accounts must be installed via MDM or by Apple Configurator 2 (if the device is supervised). The payload never contains credentials; the user will be prompted to enter credentials shortly after the payload has been successfully installed.
In addition to the settings common to all payloads, this payload defines the following keys:
Key | Type | Value
AccountDescription | String | Optional. A user-visible description of the Google account, shown in the Mail and Settings apps. Availability: Available in iOS 9.3 and later.
AccountName | String | Optional. The user's full name for the Google account. This name will appear in sent messages. Availability: Available in iOS 9.3 and later.
EmailAddress | String | Required. The full Google email address for the account. Availability: Available in iOS 9.3 and later.
CommunicationServiceRules | Dictionary | Optional. The communication service handler rules for this account. The CommunicationServiceRules dictionary currently contains only a DefaultServiceHandlers key; its value is a dictionary which contains an AudioCall key whose value is a string containing the bundle identifier for the default application that handles audio calls made to contacts from this account. Availability: Available in iOS 10 and later.
Home Screen Layout Payload
The Home Screen Layout Payload is designated by specifying com.apple.homescreenlayout as the PayloadType value. It can contain only one payload, which must be supervised. It is supported on the User Channel.
This payload defines a layout of apps, folders, and web clips for the Home screen. It is supported on iOS 9.3 and later.
Note
If a home screen layout puts more than six items in the iPad dock, the location of the seventh and succeeding items may be undefined but they will not be omitted.
In addition to the settings common to all payloads, this payload defines the following keys:
Key | Type | Value
Dock | Array | Optional. An array of dictionaries, each of which must conform to the icon dictionary format. If it is not present, the user's dock will be empty.
Pages | Array | Required. An array of arrays of dictionaries, each of which must conform to the icon dictionary format.
Icon format dictionaries are defined as follows:
Key | Type | Value
Type | String | Required. Must be one of the following: Application, Folder, WebClip.
DisplayName | String | Optional. Human-readable string to be shown to the user. Valid only if Folder type.
BundleID | String | Required if Application type. The bundle identifier of the app.
Pages | Array | Optional. An array of arrays of dictionaries, each of which must conform to the icon dictionary format. Valid only if Folder type.
URL | String | Required if WebClip type. URL of the WebClip being referenced. If more than one WebClip exists with the same URL, the behavior is undefined. Availability: Available in iOS 11.3 and later.
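A validator for the layout and icon dictionary rules above, added here as an example and not taken from Apple's reference: it checks the required keys per icon type, rejects Folder-only keys on other types, recurses into folder pages, flags duplicate WebClip URLs (undefined behavior per the table) and warns when an iPad dock holds more than six items. The sample layouts and their bundle identifiers and URLs are constructed for the example.

```python
ICON_TYPES = ("Application", "Folder", "WebClip")
IPAD_DOCK_LIMIT = 6  # beyond this, the note above says placement is undefined


def validate_icon(icon, where):
    """Validate one icon dictionary, recursing into folder pages; return a list of problems."""
    problems = []
    icon_type = icon.get("Type")
    if icon_type not in ICON_TYPES:
        return [f"{where}: Type must be one of {', '.join(ICON_TYPES)}"]
    if icon_type == "Application" and not icon.get("BundleID"):
        problems.append(f"{where}: BundleID is required for Application icons")
    if icon_type == "WebClip" and not icon.get("URL"):
        problems.append(f"{where}: URL is required for WebClip icons")
    if icon_type != "Folder":
        for key in ("DisplayName", "Pages"):
            if key in icon:
                problems.append(f"{where}: {key} is valid only for Folder icons")
    else:
        for page_index, page in enumerate(icon.get("Pages", [])):
            for item_index, child in enumerate(page):
                problems += validate_icon(child, f"{where}.Pages[{page_index}][{item_index}]")
    return problems


def iter_icons(payload):
    """Yield every icon dictionary in the layout, including those nested inside folders."""
    pending = list(payload.get("Dock", []))
    for page in payload.get("Pages", []):
        pending.extend(page)
    while pending:
        icon = pending.pop()
        yield icon
        if icon.get("Type") == "Folder":
            for page in icon.get("Pages", []):
                pending.extend(page)


def validate_layout(payload, ipad=False):
    """Validate a com.apple.homescreenlayout payload; an empty list means no problems."""
    problems = []
    if "Pages" not in payload:
        problems.append("Pages is required")
    dock = payload.get("Dock", [])
    if ipad and len(dock) > IPAD_DOCK_LIMIT:
        problems.append(f"Dock: more than {IPAD_DOCK_LIMIT} items; placement of the rest is undefined on iPad")
    for index, icon in enumerate(dock):
        problems += validate_icon(icon, f"Dock[{index}]")
    for page_index, page in enumerate(payload.get("Pages", [])):
        for index, icon in enumerate(page):
            problems += validate_icon(icon, f"Pages[{page_index}][{index}]")
    seen, duplicates = set(), set()
    for icon in iter_icons(payload):
        if icon.get("Type") == "WebClip" and icon.get("URL"):
            (duplicates if icon["URL"] in seen else seen).add(icon["URL"])
    for url in sorted(duplicates):
        problems.append(f"WebClip URL {url} appears more than once; behavior is undefined")
    return problems


if __name__ == "__main__":
    # Constructed layout: one app in the dock, one folder holding a web clip.
    layout = {
        "Dock": [{"Type": "Application", "BundleID": "com.apple.mobilesafari"}],
        "Pages": [[{"Type": "Folder", "DisplayName": "Work",
                    "Pages": [[{"Type": "WebClip", "URL": "https://intranet.example.com"}]]}]],
    }
    print(validate_layout(layout))  # []
```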
Identification Payload
The Identification payload is designated by specifying com.apple.configurationprofile.identification as the PayloadType value.
This payload allows you to save names of the account user and prompt text. If left blank, the user has to provide this information when he or she installs the profile.
The Identification payload is not supported in iOS.
In addition to the settings common to all payloads, this payload defines the following keys:
Key | Type | Value
FullName | String | The full name of the designated accounts.
EmailAddress | String | The address for the accounts.
UserName | String | The UNIX user name for the accounts.
Password | String | You can provide the password or choose to have the user provide it when he or she installs the profile.
Prompt | String | Custom instruction for the user, if needed.
Identity Preference Payload
Available in macOS 10.12 and later. An Identity Preference payload lets you identify an Identity Preference item in the user's keychain that references an identity payload included in the same profile. It can only appear in a user profile, not a device profile. See also Certificate Preference Payload for setting up certificate preferences.
You can include multiple Identity Preference payloads as needed. Identity Preference payloads are designated by specifying com.apple.security.identitypreference as the PayloadType value.
An Identity Preference payload contains the following keys:
Key | Type | Value
Name | String | Required. An email address (RFC 822), DNS host name, or other name that uniquely identifies a service requiring this identity.
PayloadCertificateUUID | String | The UUID of another payload within the same profile that installed the identity; for example, a 'com.apple.security.pkcs12' or 'com.apple.security.scep' payload.
Kernel Extension Policy
The Kernel Extension Policy payload is designated by specifying com.apple.syspolicy.kernel-extension-policy as the PayloadType value. It is supported on macOS 10.13.2 and later.
This profile must be delivered via a user approved MDM server.
In addition to the settings common to all payloads, this payload defines the following keys:
Key | Type | Value
AllowUserOverrides | Boolean | If set to true, users can approve additional kernel extensions not explicitly allowed by configuration profiles.
AllowedTeamIdentifiers | Array of Strings | An array of team identifiers that define which validly signed kernel extensions will be allowed to load.
AllowedKernelExtensions | Dictionary | A dictionary representing a set of kernel extensions that will always be allowed to load on the machine. The dictionary maps team identifiers (keys) to arrays of bundle identifiers.
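The decision the three keys above express, written out as an added Python example (not Apple's code): a policy builder, a function that answers whether a given kext loads without user interaction under the policy, and a review helper that flags the settings which widen what can load. The "allowed", "user-approval" and "blocked" labels are this example's own vocabulary, the PayloadIdentifier is assumed, and the team identifiers and bundle identifiers in the sample are placeholders.

```python
import uuid


def build_kext_policy_payload(allowed_team_ids, allowed_kexts, allow_user_overrides=False):
    """Return a com.apple.syspolicy.kernel-extension-policy payload (PayloadIdentifier assumed)."""
    return {
        "PayloadType": "com.apple.syspolicy.kernel-extension-policy",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.kext-policy",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Kernel Extension Policy",
        "AllowUserOverrides": allow_user_overrides,
        "AllowedTeamIdentifiers": list(allowed_team_ids),
        "AllowedKernelExtensions": {team: list(ids) for team, ids in allowed_kexts.items()},
    }


def kext_allowed_by_policy(policy, team_id, bundle_id, validly_signed=True):
    """Whether the policy itself permits the kext, without any user approval.

    Team allow-listing covers only validly signed extensions; the per-bundle
    dictionary always allows the listed bundle identifiers for that team.
    """
    if validly_signed and team_id in policy.get("AllowedTeamIdentifiers", []):
        return True
    return bundle_id in policy.get("AllowedKernelExtensions", {}).get(team_id, [])


def kext_decision(policy, team_id, bundle_id, validly_signed=True):
    """'allowed' when the policy permits the kext, 'user-approval' when a user may
    still approve it because AllowUserOverrides is true, 'blocked' otherwise."""
    if kext_allowed_by_policy(policy, team_id, bundle_id, validly_signed):
        return "allowed"
    return "user-approval" if policy.get("AllowUserOverrides") else "blocked"


def policy_findings(policy):
    """Flag settings that let more load than a per-bundle allow list would."""
    findings = []
    if policy.get("AllowUserOverrides"):
        findings.append("AllowUserOverrides lets users approve kexts outside the allow list")
    for team in policy.get("AllowedTeamIdentifiers", []):
        if team in policy.get("AllowedKernelExtensions", {}):
            findings.append(f"team {team} is allowed wholesale; its AllowedKernelExtensions entry is redundant")
    return findings


if __name__ == "__main__":
    # Placeholder team identifiers and bundle identifiers, constructed for the example.
    policy = build_kext_policy_payload(
        allowed_team_ids=["PLACEHOLDERTEAM1"],
        allowed_kexts={"PLACEHOLDERTEAM2": ["com.example.vpnkext"]},
    )
    print(kext_decision(policy, "PLACEHOLDERTEAM2", "com.example.vpnkext"))  # allowed
    print(kext_decision(policy, "PLACEHOLDERTEAM2", "com.example.other"))    # blocked
```

Listing individual bundle identifiers under AllowedKernelExtensions is the narrower choice; a team identifier in AllowedTeamIdentifiers admits every validly signed kext that team ever ships.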
LDAP Payload
The LDAP payload is designated by specifying com.apple.ldap.account as the PayloadType value.
An LDAP payload provides information about an LDAP server to use, including account information if required, and a set of LDAP search policies to use when querying that LDAP server.
In addition to the settings common to all payloads, this payload defines the following keys:
Key | Type | Value
LDAPAccountDescription | String | Optional. Description of the account.
LDAPAccountHostName | String | The host.
LDAPAccountUseSSL | Boolean | Whether or not to use SSL.
LDAPAccountUserName | String | Optional. The user name.
LDAPAccountPassword | String | Optional. Use only with encrypted profiles.
LDAPSearchSettings | Dictionary | Top level container object. Can have many of these for one account. Should have at least one for the account to be useful. Each LDAPSearchSettings object represents a node in the LDAP tree to start searching from, and tells what scope to search in (the node, the node plus one level of children, or the node plus all levels of children).
LDAPSearchSettingDescription | String | Optional. Description of this search setting.
LDAPSearchSettingSearchBase | String | Conceptually, the path to the node where a search should start. For example: ou=people,o=example corp
LDAPSearchSettingScope | String | Defines what recursion to use in the search. Can be one of the following 3 values: LDAPSearchSettingScopeBase: just the immediate node pointed to by SearchBase; LDAPSearchSettingScopeOneLevel: the node plus its immediate children; LDAPSearchSettingScopeSubtree: the node plus all children, regardless of depth.
Login Items Payload
The Login Items payload is designated by specifying com.apple.loginitems.managed as the PayloadType value.
This payload handles login items on macOS. In versions previous to macOS 10.13, this information was in the loginwindow domain.
In addition to the settings common to all payloads, this payload defines this key:
Key | Type | Value
AutoLaunchedApplicationDictionary-managed | Array | An array of Login Item dictionaries.
The Login Item dictionary contains:
Key | Type | Value
path | String | A URL or path string to the item's location.
hide | Boolean | Optional. If set to true, the item will not show up in the "Users & Groups" login items list.
Loginwindow Payload
The Loginwindow payload is designated by specifying com.apple.loginwindow as the PayloadType value.
This payload creates managed preferences on all versions of macOS for system and device profiles. Multiple Loginwindow payloads may be installed together.
In addition to the settings common to all payloads, this payload defines these keys:
Key | Type | Value
SHOWFULLNAME | Boolean | Optional. Set to true to show the name and password dialog. Set to false to display a list of users.
HideLocalUsers | Boolean | Optional. When showing a user list, set to true to show only network and system users.
IncludeNetworkUser | Boolean | Optional. When showing a user list, set to true to show network users.
HideAdminUsers | Boolean | Optional. When showing a user list, set to false to hide the administrator users.
SHOWOTHERUSERS_MANAGED | Boolean | Optional. When showing a list of users, set to true to display "Other..." users.
AdminHostInfo | String | Optional. If this key is included in the payload, its value will be displayed as additional computer information on the login window. Before macOS 10.10, this string could contain only particular information (HostName, SystemVersion, or IPAddress). After macOS 10.10, setting this key to any value will allow the user to click the "time" area of the menu bar to toggle through various computer information values.
AllowList | Array of Strings | Optional. User or group GUIDs of users that are allowed to login. An asterisk '*' string specifies all users or groups.
DenyList | Array of Strings | Optional. User or group GUIDs of users that cannot login. This list takes priority over the list in the AllowList key.
HideMobileAccounts | Boolean | Optional. If set to true, mobile account users will not be visible in a user list. In some cases mobile users will show up as network users.
ShutDownDisabled | Boolean | Optional. If set to true, the Shut Down button item will be hidden.
RestartDisabled | Boolean | Optional. If set to true, the Restart item will be hidden.
SleepDisabled | Boolean | Optional. If set to true, the Sleep button item will be hidden.
DisableConsoleAccess | Boolean | Optional. If set to true, the Other user will disregard use of the '>console' special user name.
LoginwindowText | String | Optional. Text to display in the login window.
ShutDownDisabledWhileLoggedIn | Boolean | Optional. If set to true, the Shut Down menu item will be disabled when the user is logged in.
RestartDisabledWhileLoggedIn | Boolean | Optional. If set to true, the Restart menu item will be disabled when the user is logged in.
PowerOffDisabledWhileLoggedIn | Boolean | Optional. If set to true, the Power Off menu item will be disabled when the user is logged in.
LogOutDisabledWhileLoggedIn | Boolean | Optional. If set to true, this will disable the Log Out menu item when the user is logged in. Availability: Available in macOS 10.13 and later.
DisableScreenLockImmediate | Boolean | Optional. If set to true, the immediate Screen Lock functions will be disabled. Availability: Available in macOS 10.13 and later.
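The AllowList/DenyList precedence from the table above, as an added Python example rather than code from Apple's reference: DenyList wins over AllowList, and '*' in AllowList admits everyone. Two points are this example's assumptions, not statements of the reference: an absent or empty AllowList is treated as "no restriction", and the wildcard is only honoured in AllowList, where the reference documents it. The GUIDs are constructed placeholders.

```python
def login_permitted(payload, user_guid, group_guids=()):
    """Apply the AllowList/DenyList keys of a com.apple.loginwindow payload to one user.

    A user is matched by their own GUID or by the GUID of any group they belong to.
    """
    principals = {user_guid, *group_guids}
    deny = set(payload.get("DenyList", []))
    if principals & deny:          # DenyList takes priority over AllowList
        return False
    allow = set(payload.get("AllowList", []))
    if not allow or "*" in allow:  # absent/empty AllowList treated as unrestricted (assumption)
        return True
    return bool(principals & allow)


def allowlist_findings(payload):
    """Point out list combinations that are probably not what the operator intended."""
    findings = []
    allow = set(payload.get("AllowList", []))
    deny = set(payload.get("DenyList", []))
    if "*" in allow and not deny:
        findings.append("AllowList is '*' with no DenyList: every user or group may log in")
    for guid in sorted(allow & deny):
        findings.append(f"{guid} is in both lists; DenyList wins, so it cannot log in")
    return findings


if __name__ == "__main__":
    # Constructed placeholder GUIDs.
    policy = {"AllowList": ["GUID-STAFF"], "DenyList": ["GUID-CONTRACTORS"]}
    print(login_permitted(policy, "GUID-USER-1", ["GUID-STAFF"]))                      # True
    print(login_permitted(policy, "GUID-USER-2", ["GUID-STAFF", "GUID-CONTRACTORS"]))  # False
```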
An older, separate, Loginwindow payload also exists and is designated by specifying loginwindow as the PayloadType value.
In addition to the settings common to all payloads, this payload defines these keys:
Key | Type | Value
DisableLoginItemsSuppression | Boolean | Optional. If set to true, the user is prevented from disabling login item launching using the Shift key.
Media Management
The profile configuration keys for media management are of two kinds: those that restrict disc burning and those that restrict media mounting and ejection. All keys are available on all versions of macOS and are supported on the user channel.
Disc Burning Payloads
Disc burning restrictions require both Disc Burning and Finder payloads.
The Disc Burning payload is designated by specifying com.apple.DiscRecording as the PayloadType value.
In addition to the settings common to all payloads, this payload defines this key:
Key | Type | Value
BurnSupport | String | Required. Set to off to disable disc burning. Set to on for normal default operation. Set to authenticate to require authentication. Setting this key to on will not enable disc burn support if it has already been disabled by other mechanisms or preferences.
The Finder payload is designated by specifying com.apple.finder as the PayloadType value.
In addition to the settings common to all payloads, this payload defines this key:
Key | Type | Value
ProhibitBurn | Boolean | Required. Set to false to enable the Finder's burn support. Set to true to disable the Finder's burn support.
Allowed Media Payload
The Allowed Media payload is designated by specifying com.apple.systemuiserver as the PayloadType value.
This payload defines these keys:
Key | Type | Value
logout-eject | Dictionary | Optional. Media type dictionary to define volumes to eject when the user logs out.
mount-controls | Dictionary | Optional. Media type dictionary to control volume mounting.
unmount-controls | Dictionary | Optional. Media type dictionary to control volume unmounting.
The Media type dictionaries can contain the following keys. Not all dictionaries use all keys. Values for media action strings are given in the next table.
Key (media type) | Type | Value
all-media | String | Optional. Unused; set to empty string.
cd | String or Array of Strings | Optional. Media action string(s).
dvd | String or Array of Strings | Optional. Media action string(s).
bd | String or Array of Strings | Optional. Media action string(s).
blankcd | String or Array of Strings | Optional. Media action string(s).
blankdvd | String or Array of Strings | Optional. Media action string(s).
blankbd | String or Array of Strings | Optional. Media action string(s).
dvdram | String or Array of Strings | Optional. Media action string(s).
disk-image | String or Array of Strings | Optional. Media action string(s).
harddisk-internal | String or Array of Strings | Optional. Media action string(s).
networkdisk | String or Array of Strings | Optional. Media action string(s).
harddisk-external | String or Array of Strings | Optional. Media action string(s). Internally installed SD-Cards and USB flash drives are included in the harddisk-external category. This key is the default for media types that don't fall into other categories.
Media action strings are described below. You can combine some strings in arrays to create custom actions.
Key | Type | Value
authenticate | Boolean | Optional. The user will be authenticated before the media is mounted.
read-only | Boolean | Optional. The media will be mounted as read-only; this action cannot be combined with unmount controls.
deny | Boolean | Optional. The media will not be mounted.
eject | Boolean | Optional. The media will not be mounted and it will be ejected if possible. Note that some volumes are not defined as ejectable, so using the deny key may be the best solution. This action cannot be combined with unmount controls.
Mobile Accounts Payload
The Mobile Accounts payload is designated by specifying com.apple.MCX as the PayloadType value.
This payload controls the authentication UI during mobile account creation. It must be installed as a device profile.
In addition to the settings common to all payloads, this payload defines this key:
Key | Type | Value
cachedaccounts.askForSecureTokenAuthBypass | Boolean | If set to true, the authentication UI is not displayed when a mobile account is created. Suppressing the UI may prevent mobile accounts from being able to unlock a FileVault volume. Default is false. Availability: Available in macOS 10.13.5 and later.
Network Usage Rules Payload
The Network Usage Rules payload is designated by specifying com.apple.networkusagerules as the PayloadType value.
Network Usage Rules allow enterprises to specify how managed apps use networks, such as cellular data networks. These rules only apply to managed apps.
In addition to the settings common to all payloads, this payload defines this key:
Key | Type | Value
ApplicationRules | Array of Dictionaries | Required.
Each entry in the ApplicationRules array must be a dictionary containing these keys:
Key | Type | Value
AppIdentifierMatches | Array | Optional. A list of managed app identifiers, as strings, that must follow the associated rules. If this key is missing, the rules will apply to all managed apps on the device. Each string in the AppIdentifierMatches array may either be an exact app identifier match, e.g. com.mycompany.myapp, or it may specify a prefix match for the Bundle ID by using the * wildcard character. The wildcard character, if used, must appear after a period character (.), and may only appear once, at the end of the string, e.g. com.mycompany.*.
AllowRoamingCellularData | Boolean | Optional. Default true. If set to false, matching managed apps will not be allowed to use cellular data when roaming.
AllowCellularData | Boolean | Optional. Default true. If set to false, matching managed apps will not be allowed to use cellular data at any time.
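The wildcard rules for AppIdentifierMatches and the effect of the two Allow keys, written out as an added Python example (not Apple's code): a pattern validator that enforces "one *, at the end, after a period", a matcher that distinguishes exact from prefix matches, a payload check, and a function that resolves the cellular policy for one app. When several rules match the same app this example combines them with AND (the most restrictive setting wins); the reference states no precedence, so that is an assumption. The sample rules and bundle identifiers are constructed.

```python
def validate_app_identifier_pattern(pattern):
    """Return None if the pattern obeys the documented wildcard rules, else a reason string."""
    if not isinstance(pattern, str) or not pattern:
        return "pattern must be a non-empty string"
    stars = pattern.count("*")
    if stars == 0:
        return None  # plain exact-match identifier
    if stars > 1:
        return "the * wildcard may appear only once"
    if not pattern.endswith("*"):
        return "the * wildcard must be the last character"
    if not pattern.endswith(".*"):
        return "the * wildcard must follow a period"
    return None


def identifier_matches(pattern, bundle_id):
    """Exact match, or prefix match for a 'prefix.*' pattern.

    The prefix keeps its trailing period, so com.mycompany.* matches
    com.mycompany.myapp but not com.mycompanyx.app.
    """
    if pattern.endswith(".*"):
        return bundle_id.startswith(pattern[:-1])
    return pattern == bundle_id


def validate_rules(payload):
    """Check a com.apple.networkusagerules payload; an empty list means no problems."""
    rules = payload.get("ApplicationRules")
    if not isinstance(rules, list):
        return ["ApplicationRules is required and must be an array"]
    problems = []
    for index, rule in enumerate(rules):
        for pattern in rule.get("AppIdentifierMatches", []):
            reason = validate_app_identifier_pattern(pattern)
            if reason:
                problems.append(f"ApplicationRules[{index}]: {pattern!r}: {reason}")
    return problems


def cellular_policy_for(payload, bundle_id):
    """Return (allow_cellular, allow_roaming) for one managed app.

    A rule without AppIdentifierMatches applies to every managed app. Several
    matching rules are combined with AND here (assumption: most restrictive wins).
    """
    allow_cellular = allow_roaming = True
    for rule in payload.get("ApplicationRules", []):
        patterns = rule.get("AppIdentifierMatches")
        if patterns is None or any(identifier_matches(p, bundle_id) for p in patterns):
            allow_cellular = allow_cellular and rule.get("AllowCellularData", True)
            allow_roaming = allow_roaming and rule.get("AllowRoamingCellularData", True)
    return allow_cellular, allow_roaming


if __name__ == "__main__":
    # Constructed rules: no roaming for any managed app, no cellular at all for the video apps.
    rules_payload = {"ApplicationRules": [
        {"AllowRoamingCellularData": False},
        {"AppIdentifierMatches": ["com.mycompany.video.*"], "AllowCellularData": False},
    ]}
    print(validate_rules(rules_payload))                                 # []
    print(cellular_policy_for(rules_payload, "com.mycompany.video.player"))  # (False, False)
```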
Notifications Payload
The Notifications Payload is designated by specifying com.apple.notificationsettings as the PayloadType value. It can contain only one payload, which must be installed on supervised devices. It is supported on the User Channel.
This payload specifies the restriction enforced notification settings for apps, using their bundle identifiers. It is supported on iOS 9.3 and later. In addition to the settings common to all payloads, this payload defines the following key:
Key | Type | Value
NotificationSettings | Array | Required. An array of dictionaries, each of which specifies notification settings for one bundle identifier.
Each entry in the NotificationSettings field contains the following dictionary:
Key | Type | Value
BundleIdentifier | String | Required. Bundle identifier of the app to which to apply these notification settings.
NotificationsEnabled | Boolean | Optional. Whether notifications are allowed for this app. Default is true.
ShowInNotificationCenter | Boolean | Optional. Whether notifications can be shown in notification center. Default is true.
ShowInLockScreen | Boolean | Optional. Whether notifications can be shown in the lock screen. Default is true.
AlertType | Integer | Optional. The type of alert for notifications for this app: 0: None; 1: Banner (default); 2: Modal Alert.
BadgesEnabled | Boolean | Optional. Whether badges are allowed for this app. Default is true.
SoundsEnabled | Boolean | Optional. Whether sounds are allowed for this app. Default is true.
ShowInCarPlay | Boolean | Optional. Whether notifications can be shown in CarPlay. Default is true. Availability: Available in iOS 12 and later.
GroupingType | Integer | Optional. The type of grouping for notifications for this app: 0: Automatic (group notifications into app-specified groups; default); 1: By app (group notifications into one group); 2: Off (do not group notifications). Availability: Available in iOS 12 and later.
CriticalAlertEnabled | Boolean | Optional. Whether an app can mark a notification as a critical notification that will ignore Do Not Disturb and ringer settings. Default is false. Availability: Available in iOS 12 and later.
NSExtension Management
The NSExtension payload is designated by specifying com.apple.NSExtension as the PayloadType.
This payload specifies which NSExtensions are allowed or disallowed on a system. Extensions can be managed by bundle ID in whitelists and blacklists, or by a blacklist of extension points.
It is supported on macOS 10.13 and later.
In addition to the settings common to all payloads, this payload defines these keys:
Key | Type | Value
AllowedExtensions | Array | Optional. Array of extension identifiers for extensions that are allowed to run on the system.
DeniedExtensions | Array | Optional. Array of extension identifiers for extensions that are not allowed to run on the system.
DeniedExtensionPoints | Array | Optional. Array of NSExtension extension points for extensions that are not allowed to run on the system.
If an array element within DeniedExtensionPoints is "AllPublicExtensionPoints", DeniedExtensionPoints will be filled with a list of extension points that the client considers to be "public". These are the extension points referenced in developer documentation and supported by the Xcode programming environment.
Expansion of AllPublicExtensionPoints happens at evaluation time. The list of extension points may change from release to release.
This feature is intended as a way to specify "Start with no extensions belonging to any public extension points enabled, but then allow only extensions A, B, C to run". Specifying AllPublicExtensionPoints will disallow both Apple and third-party extensions within the "public" extension points but will still allow extensions belonging to system-critical extension points to execute.
Parental Controls Payload
Parental Control on macOS consists of many different payloads which are set individually depending on the type of control required. Parental control payloads are supported on the user channel. Each payload and its respective keys are described in the sections below.
Parental Control Web Content Filter Payload
The Parental Control Web Content Filter payload is designated by specifying com.apple.familycontrols.contentfilter as the PayloadType value.
In addition to the settings common to all payloads, this payload defines these keys:
Key | Type | Value
restrictWeb | Boolean | Required. Set to true to enable Web content filters.
useContentFilter | Boolean | Optional. Set to true to try to automatically filter content.
whiteListEnabled | Boolean | Optional. Set to true to use the filterWhiteList and filterBlackList lists.
siteWhiteList | Array of Dictionaries | Required if whiteListEnabled is true. If specified, this key contains an array of dictionaries (see below) that define additional allowed sites besides those in the automated list of allowed and unallowed sites, including disallowed adult sites.
filterWhiteList | Array of URL Strings | Optional. If specified and restrictWeb is true, an array of URLs designating the only allowed Web sites.
filterBlackList | Array of URL Strings | Optional. If specified and restrictWeb is true, an array of URLs of Web sites never to be allowed.
Each siteWhiteList dictionary contains these keys:
Key | Type | Value
address | String | Required. Site prefix, including the http(s) scheme.
pageTitle | String | Optional. Site page title.
Parental Control Time Limits Payload
The Parental Control Time Limits payload is designated by specifying com.apple.familycontrols.timelimits.v2 as the PayloadType value.
It consists of a dictionary containing a master enabled flag plus a dictionary of time limit specification keys.
In addition to the settings common to all payloads, this payload defines these keys:
Key | Type | Value
familyControlsEnabled | Boolean | Required. Set to true to use time limits.
time-limits | Dictionary | Required if familyControlsEnabled is true. Time limits settings.
Each time-limits dictionary contains these keys:
Key | Type | Value
weekday-allowance | Dictionary | Optional. Weekday allowance settings.
weekday-curfew | Dictionary | Optional. Weekday curfew settings.
weekend-allowance | Dictionary | Optional. Weekend allowance settings.
weekend-curfew | Dictionary | Optional. Weekend curfew settings.
Each allowance or curfew dictionary contains these keys:
Key | Type | Value
enabled | Boolean | Required. Set to true to enable these settings.
rangeType | Integer | Required. Type of day range: 0 = weekday, 1 = weekend.
start | String | Optional. Curfew start time in the format %d:%d:%d.
end | String | Optional. Curfew end time in the format %d:%d:%d.
secondsPerDay | Integer | Optional. Seconds for that day for allowance.
Parental Control Application Access Payload
The Parental Control Application Access payload is designated by specifying com.apple.applicationaccess.new as the PayloadType value.
It enables application access restrictions on macOS.
To determine if an application can be launched, these rules are evaluated:
1. Certain system applications and utilities are always allowed to run.
2. The whiteList is searched to see if a matching entry is found by bundle ID. If a match is found, the appID and detachedSignature (if present) are used to verify the signature of the application being launched. If the signature is valid and matches the designated requirement (in the appID key), the application is allowed to launch.
3. If the path to the binary being launched matches (or is in a subdirectory of) a path in pathBlackList, the binary is denied.
4. If the path to the binary being launched matches (or is in a subdirectory of) a path in pathWhiteList, the binary is allowed to launch.
5. The binary is denied permission to launch.
In addition to the settings common to all payloads, this payload defines these keys:
Key | Type | Value
familyControlsEnabled | Boolean | Required. Set to true to enable application access restrictions.
whiteList | Array of Dictionaries | Optional. A list of code signatures for applications that are allowed to run.
pathBlackList | Array of Strings | Optional. Paths to disallowed applications.
pathWhiteList | Array of Strings | Optional. Paths to allowed applications.
Each whiteList dictionary contains these keys:
Key | Type | Value
bundleID | String | Required. Bundle ID of the application.
appID | Data | Required. The designated requirement describing the code signature of this executable. This value is obtained from the Security.framework using SecCodeCopyDesignatedRequirement.
detachedSignature | Data | Optional. Can be used to provide the required signature for an unsigned binary. Generate an ad-hoc signature of the unsigned binary and store the signature here.
disabled | Boolean | Optional. Specifies whether this application information is to be included in the whiteList or not. Set to true to keep the application off the whiteList. It could still be allowed to launch via pathWhiteList, although this behavior is discouraged. Default is false.
subApps | Array of Dictionaries | Optional. For applications that include nested helper applications, describes the signatures of embedded applications. The dictionary format is the same as for the whiteList key.
displayName | String | Optional. Display name.
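The five launch rules above, evaluated in the stated order, as an added Python example (not Apple's code). Real signature verification against the appID designated requirement needs Security.framework, so the check is injected as a callable; the paths, bundle IDs, requirement bytes and sample_signature_ok below are constructed stand-ins.

```python
"""Launch decision for the Parental Control Application Access payload
(com.apple.applicationaccess.new), following the five rules in the order the
reference lists them.

Added example, not Apple's code. Verifying a binary against its designated
requirement (appID) needs Security.framework, so the check is injected as a
callable; sample_signature_ok is a constructed stand-in for illustration only.
"""
from pathlib import PurePosixPath
from typing import Callable, Iterable, Optional, Tuple

SignatureCheck = Callable[[str, bytes, Optional[bytes]], bool]


def path_under(path: str, root: str) -> bool:
    """True when path equals root or lies in a subdirectory of root (rules 3 and 4)."""
    p, r = PurePosixPath(path), PurePosixPath(root)
    return p == r or r in p.parents


def launch_allowed(payload: dict, bundle_id: str, binary_path: str,
                   signature_ok: SignatureCheck,
                   always_allowed: Iterable[str] = ()) -> Tuple[bool, str]:
    """Return (decision, rule that produced it).

    always_allowed stands for the system applications of rule 1, which the
    reference does not enumerate (placeholder). With familyControlsEnabled false
    the payload imposes no restriction (this example's reading).
    """
    if not payload.get("familyControlsEnabled", False):
        return True, "restrictions disabled"
    # 1. Certain system applications and utilities are always allowed to run.
    if binary_path in set(always_allowed):
        return True, "rule 1: always-allowed system application"
    # 2. whiteList entry found by bundleID; allow only if the signature verifies
    #    against appID (and detachedSignature, if present). Disabled entries are
    #    not on the list. A failed verification falls through to the path rules.
    for entry in payload.get("whiteList", []):
        if entry.get("disabled", False) or entry.get("bundleID") != bundle_id:
            continue
        if signature_ok(binary_path, entry["appID"], entry.get("detachedSignature")):
            return True, "rule 2: whiteList signature verified"
    # 3. Path in (or under) pathBlackList: denied, checked before the path whitelist.
    if any(path_under(binary_path, p) for p in payload.get("pathBlackList", [])):
        return False, "rule 3: pathBlackList"
    # 4. Path in (or under) pathWhiteList: allowed.
    if any(path_under(binary_path, p) for p in payload.get("pathWhiteList", [])):
        return True, "rule 4: pathWhiteList"
    # 5. Anything else is denied.
    return False, "rule 5: default deny"


# Constructed sample data. Real appID values are designated-requirement blobs from
# SecCodeCopyDesignatedRequirement; these byte strings only stand in for them.
APPROVED = "/Applications/Approved.app/Contents/MacOS/Approved"
APPROVED_REQ = b'identifier "com.example.approved" and anchor apple generic'
KNOWN_GOOD = {APPROVED: APPROVED_REQ}   # constructed: what "verifies" on this machine


def sample_signature_ok(path: str, app_id: bytes, detached: Optional[bytes]) -> bool:
    """Constructed stand-in for a real code-signature check."""
    return KNOWN_GOOD.get(path) == app_id


SAMPLE_PAYLOAD = {
    "PayloadType": "com.apple.applicationaccess.new",
    "familyControlsEnabled": True,
    "whiteList": [
        {"bundleID": "com.example.approved", "appID": APPROVED_REQ},
        {"bundleID": "com.example.retired", "appID": b"placeholder", "disabled": True},
    ],
    "pathBlackList": ["/Applications/Games"],
    "pathWhiteList": ["/Applications"],
}


def decide(bundle_id: str, binary_path: str) -> Tuple[bool, str]:
    """Evaluate the constructed sample payload for one launch."""
    return launch_allowed(SAMPLE_PAYLOAD, bundle_id, binary_path, sample_signature_ok)


if __name__ == "__main__":
    print(decide("com.example.approved", APPROVED))
    # Same bundle ID, but the binary does not verify: falls through to the path rules.
    print(decide("com.example.approved", "/Users/Shared/Approved"))
    print(decide("com.example.game", "/Applications/Games/Chess.app/Contents/MacOS/Chess"))
```

The retired entry shows the caveat in the disabled row: it is off the whiteList, yet a copy under /Applications still launches through pathWhiteList.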
Parental Control Dashboard Payload
The Parental Control Dashboard payload is designated by specifying com.apple.dashboard as the PayloadType value.
It is used to define a whitelist of Dashboard widgets.
In addition to the settings common to all payloads, this payload defines these keys:
Key | Type | Value
whiteListEnabled | Boolean | Required. Set to true to enable the widget whitelist items.
whiteList | Array of Dictionaries | Required. List that defines Dashboard widgets.
Each widget whiteList dictionary contains these keys:
Key | Type | Value
Type | String | Required. Set to bundleID to use a widget's bundle ID as its ID.
ID | String | Required. The bundle ID of a widget.
Parental Control Dictionary Payload
The Parental Control Dictionary payload is designated by specifying com.apple.Dictionary as the PayloadType value.
It enables the restrictions defined in the device's Parental Controls Dictionary.
In addition to the settings common to all payloads, this payload defines this key:
Key | Type | Value
parentalControl | Boolean | Required. Set to true to enable parental controls dictionary restrictions.
Parental Control Dictation and Profanity Payload
The Parental Control Dictation and Profanity payload is designated by specifying com.apple.ironwood.support as the PayloadType value.
It disables dictation and suppresses profanity on the device.
In addition to the settings common to all payloads, this payload defines these keys:
Key | Type | Value
IronwoodAllowed | Boolean | Optional. Set to false to disable dictation.
ProfanityAllowed | Boolean | Optional. Set to false to suppress profanity.
Parental Control Game Center Payload
The Parental Control Game Center payload is designated by specifying com.apple.gamed as the PayloadType value.
It restricts Game Center options on the device.
In addition to the settings common to all payloads, this payload defines these keys:
Key | Type | Value
GKFeatureGameCenterAllowed | Boolean | Optional. Set to false to disable Game Center.
GKFeatureAccountModificationAllowed | Boolean | Optional. Set to false to disable account modifications.
GKFeatureAddingGameCenterFriendsAllowed | Boolean | Optional. Set to false to disable adding Game Center friends.
GKFeatureMultiplayerGamingAllowed | Boolean | Optional. Set to false to disable multiplayer gaming.
Additional Parental Controls
Additional parental control functions can be found in the following payloads:
System Policy Control Payload
Email Payload
Media Management
App Store Payload
Dock Payload
Passcode Policy Payload
The Passcode Policy payload is designated by specifying com.apple.mobiledevice.passwordpolicy as the PayloadType value.
The presence of this payload type prompts an iOS or macOS device to present the user with a passcode entry mechanism. The complexity of the passcode can be customized with this payload.
In addition to the settings common to all payloads, this payload defines the following keys:
Key | Type | Value
allowSimple | Boolean | Optional. Default true. Determines whether a simple passcode is allowed. A simple passcode is defined as containing repeated characters, or increasing/decreasing characters (such as 123 or CBA). Setting this value to false is synonymous to setting minComplexChars to 1.
forcePIN | Boolean | Optional. Default NO. Determines whether the user is forced to set a PIN. Simply setting this value (and not others) forces the user to enter a passcode, without imposing a length or quality.
maxFailedAttempts | Integer | Optional. Default 11. Allowed range [2...11]. Specifies the number of allowed failed attempts to enter the passcode at the device's lock screen. After six failed attempts, there is a time delay imposed before a passcode can be entered again. The delay increases with each attempt. On macOS, set minutesUntilFailedLoginReset to define a delay before the next passcode can be entered. Once this number is exceeded, on macOS the device is locked and on iOS the device is wiped.
minutesUntilFailedLoginReset | Integer | Optional. On macOS, this can be set to the number of minutes before the login will be reset after maxFailedAttempts unsuccessful attempts have been reached. This key requires setting maxFailedAttempts. Availability: Available in macOS 10.10 and later.
maxInactivity | Integer | Optional. Default Infinity. Specifies the maximum number of minutes for which the device can be idle (without being unlocked by the user) before it gets locked by the system. Once this limit is reached, the device is locked and the passcode must be entered. The user can edit this setting, but the value cannot exceed the maxInactivity value. In macOS, this will be translated to screensaver settings.
maxPINAgeInDays | Integer | Optional. Default Infinity. Specifies the number of days for which the passcode can remain unchanged. After this number of days, the user is forced to change the passcode before the device is unlocked.
minComplexChars | Integer | Optional. Default 0. Specifies the minimum number of complex characters that a passcode must contain. A "complex" character is a character other than a number or a letter, such as &%$#.
minLength | Integer | Optional. Default 0. Specifies the minimum overall length of the passcode. This parameter is independent of the also optional minComplexChars argument.
requireAlphanumeric | Boolean | Optional. Specifies whether the user must also enter alphabetic characters ("abcd") along with numbers, or if numbers only are sufficient. Default is false.
pinHistory | Integer | Optional. When the user changes the passcode, it has to be unique within the last N entries in the history. Minimum value is 1, maximum value is 50.
maxGracePeriod | Integer | Optional. The maximum grace period, in minutes, to unlock without entering a passcode. Default is 0, that is, no grace period, which requires entering a passcode immediately. In macOS, this will be translated to screensaver settings.
allowFingerprintModification | Boolean | Optional. Supervised only. Not supported on macOS. Allows the user to modify Touch ID. Default is false.
changeAtNextAuth | Boolean | Optional. On macOS, setting this to true will cause a password reset to occur the next time the user tries to authenticate. If this key is set in a device profile, the setting takes effect for all users, and admin authentications may fail until the admin user password is also reset. Availability: Available in macOS 10.13 and later.
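The passcode definitions in this table (simple passcode, complex character, the allowSimple/minComplexChars equivalence, the maxFailedAttempts and pinHistory ranges) turned into a checker, as an added Python example that is not Apple's implementation. The sample policy and candidate passcodes are constructed, and the device's exact enforcement may differ in details.

```python
"""Passcode Policy (com.apple.mobiledevice.passwordpolicy): check a payload's own
constraints and test a candidate passcode against it.

Added example, not Apple's implementation. It encodes the reference's definitions
(simple = repeated or sequential characters; complex = neither letter nor digit;
allowSimple=false behaves like minComplexChars of at least 1). On-device
enforcement may differ in details (assumption).
"""
from typing import List


def is_simple(passcode: str) -> bool:
    """Repeated characters (1111, aaaa) or a strictly increasing/decreasing run of
    adjacent code points (123, CBA), the reference's two examples."""
    if len(passcode) < 2:
        return True
    if len(set(passcode)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(passcode, passcode[1:])}
    return steps == {1} or steps == {-1}


def complex_count(passcode: str) -> int:
    """Characters other than letters or digits, e.g. & % $ #."""
    return sum(1 for c in passcode if not c.isalnum())


def validate_policy(policy: dict) -> List[str]:
    """Range and dependency constraints the reference states for the payload."""
    issues = []
    attempts = policy.get("maxFailedAttempts")
    if attempts is not None and not 2 <= attempts <= 11:
        issues.append("maxFailedAttempts must be within [2...11]")
    if "minutesUntilFailedLoginReset" in policy and attempts is None:
        issues.append("minutesUntilFailedLoginReset requires maxFailedAttempts")
    history = policy.get("pinHistory")
    if history is not None and not 1 <= history <= 50:
        issues.append("pinHistory must be within [1...50]")
    return issues


def check_passcode(policy: dict, passcode: str) -> List[str]:
    """Return every way the passcode violates the policy (empty = compliant)."""
    problems = []
    min_length = policy.get("minLength", 0)
    if len(passcode) < min_length:
        problems.append(f"shorter than minLength={min_length}")
    min_complex = policy.get("minComplexChars", 0)
    if not policy.get("allowSimple", True):
        min_complex = max(min_complex, 1)          # allowSimple=false ~ minComplexChars=1
        if is_simple(passcode):
            problems.append("simple passcode (repeated or sequential characters)")
    if complex_count(passcode) < min_complex:
        problems.append(f"fewer than minComplexChars={min_complex} non-alphanumeric characters")
    if policy.get("requireAlphanumeric", False):
        if not (any(c.isalpha() for c in passcode) and any(c.isdigit() for c in passcode)):
            problems.append("requireAlphanumeric: needs both letters and digits")
    return problems


# Constructed sample policy for a managed device.
SAMPLE_POLICY = {
    "PayloadType": "com.apple.mobiledevice.passwordpolicy",
    "forcePIN": True,
    "allowSimple": False,
    "minLength": 8,
    "minComplexChars": 1,
    "requireAlphanumeric": True,
    "maxFailedAttempts": 6,
    "maxInactivity": 5,
    "maxPINAgeInDays": 90,
    "pinHistory": 5,
}


if __name__ == "__main__":
    print("policy issues:", validate_policy(SAMPLE_POLICY))
    for candidate in ("12345678", "aaaaaaaa", "Tr0ub4dor&3"):
        print(candidate, check_passcode(SAMPLE_POLICY, candidate))
```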
Privacy Preferences Policy Control Payload
The Privacy Preferences payload is designated by specifying com.apple.TCC.configuration-profile-policy as the PayloadType value.
It controls the settings that are displayed in the "Privacy" tab of the "Security & Privacy" pane in System Preferences.
This profile must be delivered via a user-approved MDM server in a device profile.
Availability: Available in macOS 10.14 and later.
In addition to the settings common to all payloads, this payload defines this key:
Key | Type | Value
Services | Dictionary | Keys are limited to the privacy service names listed below. Each key is an array of dictionaries describing the app or process to which access is given. In the case of conflicting specifications, the most restrictive setting (deny) will be used.
Privacy Service Dictionary Keys
Key | Type | Value
AddressBook | Array of Identity Dictionaries | Optional. Contact information managed by Contacts.app.
Calendar | Array of Identity Dictionaries | Optional. Calendar information managed by Calendar.app.
Reminders | Array of Identity Dictionaries | Optional. Reminders information managed by Reminders.app.
Photos | Array of Identity Dictionaries | Optional. Pictures managed by Photos.app in ~/Pictures/.photoslibrary.
Camera | Array of Identity Dictionaries | Optional. A system camera. Access to the camera cannot be given in a profile; it can only be denied.
Microphone | Array of Identity Dictionaries | Optional. A system microphone. Access to the microphone cannot be given in a profile; it can only be denied.
Accessibility | Array of Identity Dictionaries | Optional. Control the application via the Accessibility subsystem.
PostEvent | Array of Identity Dictionaries | Optional. Allows the application to use CoreGraphics APIs to send CGEvents to the system event stream.
SystemPolicyAllFiles | Array of Identity Dictionaries | Optional. Allows the application access to all protected files, including system administration files.
SystemPolicySysAdminFiles | Array of Identity Dictionaries | Optional. Allows the application access to some files used in system administration.
AppleEvents | Array of Identity Dictionaries | Optional. Allows the application to send a restricted AppleEvent to another process.
Identity Dictionary Keys
Key | Type | Value
Identifier | String | The bundle ID or installation path of the binary.
IdentifierType | String | The type of Identifier value. Must be either bundleID or path. Application bundles should be identified by bundleID. Non-bundled binaries must be identified by installation path. Helper tools embedded within an application bundle will automatically inherit the permissions of their enclosing app bundle.
CodeRequirement | String | Obtained via the command codesign --display -r -.
StaticCode | Boolean | Optional. If set to true, statically validate the code requirement. Used only if the process invalidates its dynamic code signature. Defaults to false.
Allowed | Boolean | If set to true, access is granted. Otherwise the process does not have access. The user is not prompted and cannot change this value.
AEReceiverIdentifier | String | Optional. The identifier of the process receiving an AppleEvent sent by the Identifier process. Required for the AppleEvents service; not valid for other services.
AEReceiverIdentifierType | String | Optional. The type of AEReceiverIdentifier value. Must be either bundleID or path. Required for the AppleEvents service; not valid for other services.
AEReceiverCodeRequirement | String | Optional. Code requirement for the receiving binary. Required for the AppleEvents service; not valid for other services.
Comment | String | Not used.
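A validator for the Services dictionary that applies the constraints in the two tables above (valid service names, bundleID/path identifier types, Camera and Microphone as deny-only, AEReceiver* keys only and always for AppleEvents) and resolves conflicting entries the way the Services row says TCC does, with deny winning. This is an added Python example, not Apple's tooling; the identifiers, UUID and CodeRequirement strings are constructed samples, and real requirements come from codesign --display -r -.

```python
"""Privacy Preferences Policy Control (com.apple.TCC.configuration-profile-policy):
validate the Services dictionary against the reference's rules and resolve
conflicting entries the way the reference says TCC does (deny wins).

Added example, not Apple's tooling. Identifiers and CodeRequirement strings below
are constructed samples; real requirements come from `codesign --display -r -`.
"""
import plistlib
from typing import Dict, List, Tuple

SERVICES = {
    "AddressBook", "Calendar", "Reminders", "Photos", "Camera", "Microphone",
    "Accessibility", "PostEvent", "SystemPolicyAllFiles", "SystemPolicySysAdminFiles",
    "AppleEvents",
}
DENY_ONLY = {"Camera", "Microphone"}     # reference: a profile can only deny these
AE_KEYS = ("AEReceiverIdentifier", "AEReceiverIdentifierType", "AEReceiverCodeRequirement")


def validate_services(services: dict) -> List[str]:
    """Structural checks drawn from the service and identity dictionary tables."""
    errors = []
    for service, entries in services.items():
        if service not in SERVICES:
            errors.append(f"{service}: not a recognised privacy service")
            continue
        for index, entry in enumerate(entries):
            where = f"{service}[{index}]"
            if entry.get("IdentifierType") not in ("bundleID", "path"):
                errors.append(f"{where}: IdentifierType must be bundleID or path")
            if not entry.get("Identifier") or not entry.get("CodeRequirement"):
                errors.append(f"{where}: Identifier and CodeRequirement are required")
            if service in DENY_ONLY and entry.get("Allowed", False):
                errors.append(f"{where}: {service} access cannot be granted by profile, only denied")
            present = [k for k in AE_KEYS if k in entry]
            if service == "AppleEvents" and len(present) != len(AE_KEYS):
                errors.append(f"{where}: AppleEvents entries require all AEReceiver* keys")
            if service != "AppleEvents" and present:
                errors.append(f"{where}: AEReceiver* keys are valid only for AppleEvents")
            if entry.get("AEReceiverIdentifierType", "bundleID") not in ("bundleID", "path"):
                errors.append(f"{where}: AEReceiverIdentifierType must be bundleID or path")
    return errors


Subject = Tuple[str, ...]


def effective_decisions(services: dict) -> Dict[Tuple[str, Subject], bool]:
    """Map (service, subject) to the access TCC would apply. A missing Allowed key
    means no access, and any deny for the same subject overrides an allow."""
    decisions: Dict[Tuple[str, Subject], bool] = {}
    for service, entries in services.items():
        for entry in entries:
            subject: Subject = (entry["IdentifierType"], entry["Identifier"])
            if service == "AppleEvents":
                subject += (entry["AEReceiverIdentifierType"], entry["AEReceiverIdentifier"])
            key = (service, subject)
            decisions[key] = decisions.get(key, True) and bool(entry.get("Allowed", False))
    return decisions


def build_payload(services: dict) -> bytes:
    """Serialise a validated payload as it would appear inside a .mobileconfig."""
    problems = validate_services(services)
    if problems:
        raise ValueError("; ".join(problems))
    return plistlib.dumps({
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.pppc",                   # constructed sample
        "PayloadUUID": "8B5E0C7A-0000-4000-8000-000000000001",     # constructed sample
        "Services": services,
    })


# Constructed sample: one agent appears twice under Accessibility with conflicting values.
AGENT_REQ = 'identifier "com.example.agent" and anchor apple generic'   # constructed
SAMPLE_SERVICES = {
    "Accessibility": [
        {"Identifier": "com.example.agent", "IdentifierType": "bundleID",
         "CodeRequirement": AGENT_REQ, "Allowed": True},
        {"Identifier": "com.example.agent", "IdentifierType": "bundleID",
         "CodeRequirement": AGENT_REQ, "Allowed": False},
    ],
    "Camera": [
        {"Identifier": "/usr/local/bin/kiosk", "IdentifierType": "path",
         "CodeRequirement": 'identifier "kiosk"', "Allowed": False},
    ],
    "AppleEvents": [
        {"Identifier": "com.example.agent", "IdentifierType": "bundleID",
         "CodeRequirement": AGENT_REQ, "Allowed": True,
         "AEReceiverIdentifier": "com.apple.systemevents", "AEReceiverIdentifierType": "bundleID",
         "AEReceiverCodeRequirement": 'identifier "com.apple.systemevents"'},   # constructed
    ],
}

if __name__ == "__main__":
    for key, allowed in effective_decisions(SAMPLE_SERVICES).items():
        print(key, "allow" if allowed else "deny")
    print(build_payload(SAMPLE_SERVICES).decode())
```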
Profile Removal Password Payload
The Removal Password payload is designated by specifying com.apple.profileRemovalPassword as the PayloadType value.
A password removal policy payload provides a password to allow users to remove a locked configuration profile from the device. If this payload is present and has a password value set, the device asks for the password when the user taps a profile's Remove button. This payload is encrypted with the rest of the profile.
Key | Type | Value
RemovalPassword | String | Optional. Supervised only. Specifies the removal password for the profile.
Restrictions Payload
The Restrictions payload is designated by specifying com.apple.applicationaccess as the PayloadType value.
A Restrictions payload allows the administrator to restrict the user from doing certain things with the device, such as using the camera.
Note
You can specify additional restrictions, including maximum allowed content ratings, by creating a profile using Apple Configurator 2 or Profile Manager.
The Restrictions payload is supported in iOS; some keys are also supported in macOS, as noted below.
In addition to the settings common to all payloads, this payload defines the following keys:
Key | Type | Value
allowAccountModification | Boolean | Optional. Supervised only. If set to false, account modification is disabled. Availability: Available only in iOS 7.0 and later.
allowAddingGameCenterFriends | Boolean | Optional. When false, prohibits adding friends to Game Center. This key is deprecated on unsupervised devices.
allowAirDrop | Boolean | Optional. Supervised only. If set to false, AirDrop is disabled. Availability: Available only in iOS 7.0 and later.
allowAppCellularDataModification | Boolean | Optional. Supervised only. If set to false, changes to cellular data usage for apps are disabled. Availability: Available only in iOS 7.0 and later.
allowAppInstallation | Boolean | Optional. Supervised only. When false, the App Store is disabled and its icon is removed from the Home screen. Users are unable to install or update their applications. This key is deprecated on unsupervised devices. In iOS 10 and later, MDM commands can override this restriction.
allowAppRemoval | Boolean | Optional. When false, disables removal of apps from the iOS device. This key is deprecated on unsupervised devices.
allowAssistant | Boolean | Optional. When false, disables Siri. Defaults to true.
allowAssistantUserGeneratedContent | Boolean | Optional. Supervised only. When false, prevents Siri from querying user-generated content from the web. Availability: Available in iOS 7 and later.
allowAssistantWhileLocked | Boolean | Optional. When false, the user is unable to use Siri when the device is locked. Defaults to true. This restriction is ignored if the device does not have a passcode set. Availability: Available only in iOS 5.1 and later.
allowBookstore | Boolean | Optional. Supervised only. If set to false, Apple Books will be disabled. This will default to true. Availability: Available in iOS 6.0 and later.
allowBookstoreErotica | Boolean | Optional. Supervised only prior to iOS 6.1. If set to false, the user will not be able to download media from Apple Books that has been tagged as erotica. This will default to true. Availability: Available in iOS and in tvOS 11.3 and later.
allowCamera | Boolean | Optional. When false, the camera is completely disabled and its icon is removed from the Home screen. Users are unable to take photographs. Availability: Available in iOS and in macOS 10.11 and later.
allowChat | Boolean | Optional. When false, disables the use of iMessage with supervised devices. If the device supports text messaging, the user can still send and receive text messages. Availability: Available in iOS 6.0 and later.
allowCloudBackup | Boolean | Optional. When false, disables backing up the device to iCloud. Availability: Available in iOS 5.0 and later.
allowCloudBookmarks | Boolean | Optional. When false, disallows macOS iCloud Bookmark sync. Availability: Available in macOS 10.12 and later.
allowCloudMail | Boolean | Optional. When false, disallows macOS Mail iCloud services. Availability: Available in macOS 10.12 and later.
allowCloudCalendar | Boolean | Optional. When false, disallows macOS iCloud Calendar services. Availability: Available in macOS 10.12 and later.
allowCloudReminders | Boolean | Optional. When false, disallows iCloud Reminder services. Availability: Available in macOS 10.12 and later.
allowCloudAddressBook | Boolean | Optional. When false, disallows macOS iCloud Address Book services. Availability: Available in macOS 10.12 and later.
allowCloudNotes | Boolean | Optional. When false, disallows macOS iCloud Notes services. Availability: Available in macOS 10.12 and later.
allowCloudDocumentSync | Boolean | Optional. When false, disables document and key-value syncing to iCloud. This key is deprecated on unsupervised devices. Availability: Available in iOS 5.0 and later and in macOS 10.11 and later.
allowCloudKeychainSync | Boolean | Optional. When false, disables iCloud keychain synchronization. Default is true. Availability: Available in iOS 7.0 and later and macOS 10.12 and later.
allowContentCaching | Boolean | Optional. When false, this disallows content caching. Defaults to true. Availability: Available only in macOS 10.13 and later.
allowDiagnosticSubmission | Boolean | Optional. When false, this prevents the device from automatically submitting diagnostic reports to Apple. Defaults to true. Availability: Available only in iOS 6.0 and later.
allowExplicitContent | Boolean | Optional. When false, explicit music or video content purchased from the iTunes Store is hidden. Explicit content is marked as such by content providers, such as record labels, when sold through the iTunes Store. This key is deprecated on unsupervised devices. Availability: Available in iOS and in tvOS 11.3 and later.
allowFindMyFriendsModification | Boolean | Optional. Supervised only. If set to false, changes to Find My Friends are disabled. Availability: Available only in iOS 7.0 and later.
allowFingerprintForUnlock | Boolean | Optional. If false, prevents Touch ID from unlocking a device. Availability: Available in iOS 7 and later and in macOS 10.12.4 and later.
allowGameCenter | Boolean | Optional. Supervised only. When false, Game Center is disabled and its icon is removed from the Home screen. Default is true. Availability: Available only in iOS 6.0 and later.
allowGlobalBackgroundFetchWhenRoaming | Boolean | Optional. When false, disables global background fetch activity when an iOS phone is roaming.
allowInAppPurchases | Boolean | Optional. When false, prohibits in-app purchasing.
allowLockScreenControlCenter | Boolean | Optional. If false, prevents Control Center from appearing on the Lock screen. Availability: Available in iOS 7 and later.
allowHostPairing | Boolean | Supervised only. If set to false, host pairing is disabled with the exception of the supervision host. If no supervision host certificate has been configured, all pairing is disabled. Host pairing lets the administrator control which devices an iOS 7 device can pair with. Availability: Available only in iOS 7.0 and later.
allowLockScreenNotificationsView | Boolean | Optional. If set to false, the Notifications history view on the lock screen is disabled and users can't view past notifications. However, when the device is locked, the user will still be able to view notifications when they arrive. Availability: Available only in iOS 7.0 and later.
allowLockScreenTodayView | Boolean | Optional. If set to false, the Today view in Notification Center on the lock screen is disabled. Availability: Available only in iOS 7.0 and later.
allowMultiplayerGaming | Boolean | Optional. When false, prohibits multiplayer gaming. This key is deprecated on unsupervised devices.
allowOpenFromManagedToUnmanaged | Boolean | Optional. If false, documents in managed apps and accounts only open in other managed apps and accounts. Default is true. Availability: Available only in iOS 7.0 and later.
allowOpenFromUnmanagedToManaged | Boolean | Optional. If set to false, documents in unmanaged apps and accounts will only open in other unmanaged apps and accounts. Default is true. Availability: Available only in iOS 7.0 and later.
allowOTAPKIUpdates | Boolean | Optional. If false, over-the-air PKI updates are disabled. Setting this restriction to false does not disable CRL and OCSP checks. Default is true. Availability: Available only in iOS 7.0 and later.
allowPassbookWhileLocked | Boolean | Optional. If set to false, Passbook notifications will not be shown on the lock screen. This will default to true. Availability: Available in iOS 6.0 and later.
allowPhotoStream | Boolean | Optional. When false, disables Photo Stream. Availability: Available in iOS 5.0 and later.
allowSafari | Boolean | Optional. When false, the Safari web browser application is disabled and its icon removed from the Home screen. This also prevents users from opening web clips. This key is deprecated on unsupervised devices.
safariAllowAutoFill | Boolean | Optional. When false, Safari auto-fill is disabled. Defaults to true.
safariForceFraudWarning | Boolean | Optional. When true, Safari fraud warning is enabled. Defaults to false. Availability: Available in iOS 4.0 and later.
safariAllowJavaScript | Boolean | Optional. When false, Safari will not execute JavaScript. Defaults to true. Availability: Available in iOS 4.0 and later.
safariAllowPopups | Boolean | Optional. When false, Safari will not allow pop-up tabs. Defaults to true. Availability: Available in iOS 4.0 and later.
safariAcceptCookies | Real | Optional. Determines conditions under which the device will accept cookies. The user-facing settings changed in iOS 11, though the possible values remain the same:
    0: Prevent Cross-Site Tracking and Block All Cookies are enabled and the user can't disable either setting.
    1 or 1.5: Prevent Cross-Site Tracking is enabled and the user can't disable it. Block All Cookies is not enabled, though the user can enable it.
    2: Prevent Cross-Site Tracking is enabled and Block All Cookies is not enabled. The user can toggle either setting. (Default)
    These are the allowed values and settings in iOS 10 and earlier:
    0: Never
    1: Allow from current website only
    1.5: Allow from websites visited (Available in iOS 8.0 and later); enter <real>1.5</real>
    2: Always (Default)
    In iOS 10 and earlier, users can always pick an option that is more restrictive than the payload policy, but not a less restrictive policy. For example, with a payload value of 1.5, a user could switch to Never, but not Always Allow.
    Availability: Available in iOS 4.0 and later.
allowSharedStream | Boolean | Optional. If set to false, Shared Photo Stream will be disabled. This will default to true. Availability: Available in iOS 6.0 and later.
allowUIConfigurationProfileInstallation | Boolean | Optional. Supervised only. If set to false, the user is prohibited from installing configuration profiles and certificates interactively. This will default to true. Availability: Available in iOS 6.0 and later.
allowUntrustedTLSPrompt | Boolean | Optional. When false, automatically rejects untrusted HTTPS certificates without prompting the user. Availability: Available in iOS 5.0 and later.
allowVideoConferencing | Boolean | Optional. When false, disables video conferencing. This key is deprecated on unsupervised devices.
allowVoiceDialing | Boolean | Optional. When false, disables voice dialing if the device is locked with a passcode. Default is true.
allowYouTube | Boolean | Optional. When false, the YouTube application is disabled and its icon is removed from the Home screen. This key is ignored in iOS 6 and later because the YouTube app is not provided.
allowiTunes | Boolean | Optional. When false, the iTunes Music Store is disabled and its icon is removed from the Home screen. Users cannot preview, purchase, or download content. This key is deprecated on unsupervised devices.
allowiTunesFileSharing | Boolean | Optional. When false, iTunes application file sharing services are disabled. Availability: Available in macOS 10.13 and later.
autonomousSingleAppModePermittedAppIDs | Array of Strings | Optional. Supervised only. If present, allows apps identified by the bundle IDs listed in the array to autonomously enter Single App Mode. Availability: Available only in iOS 7.0 and later.
forceAssistantProfanityFilter | Boolean | Optional. Supervised only. When true, forces the use of the profanity filter assistant.
forceEncryptedBackup | Boolean | Optional. When true, encrypts all backups.
forceITunesStorePasswordEntry | Boolean | Optional. When true, forces the user to enter their iTunes password for each transaction. Availability: Available in iOS 5.0 and later.
forceLimitAdTracking | Boolean | Optional. If true, limits ad tracking. Default is false. Availability: Available only in iOS 7.0 and later.
forceAirPlayOutgoingRequestsPairingPassword | Boolean | Optional. If set to true, forces all devices receiving AirPlay requests from this device to use a pairing password. Default is false. Availability: Available only in iOS 7.1 and later.
forceAirPlayIncomingRequestsPairingPassword | Boolean | Optional. If set to true, forces all devices sending AirPlay requests to this device to use a pairing password. Default is false. Availability: Available only in Apple TV 6.1 to tvOS 10.1. This is not supported as of tvOS 10.2. It is recommended to use the AirPlay Security Payload.
allowManagedAppsCloudSync | Boolean | Optional. If set to false, prevents managed applications from using iCloud sync.
allowEraseContentAndSettings | Boolean | Supervised only. If set to false, disables the "Erase All Content And Settings" option in the Reset UI.
allowSpotlightInternetResults | Boolean | Supervised only. If set to false, Spotlight will not return Internet search results. Availability: Available in iOS and in macOS 10.11 and later.
allowEnablingRestrictions | Boolean | Supervised only. If set to false, disables the "Enable Restrictions" option in the Restrictions UI in Settings. Default is true. On iOS 12 or later, if set to false, disables the "Enable Screen Time" option in the Screen Time UI in Settings and disables Screen Time if already enabled. Availability: Available in iOS 8.0 and later.
allowActivityContinuation | Boolean | If set to false, Activity Continuation will be disabled. Defaults to true.
allowEnterpriseBookBackup | Boolean | If set to false, Enterprise books will not be backed up. Defaults to true.
allowEnterpriseBookMetadataSync | Boolean | If set to false, Enterprise books notes and highlights will not be synced. Defaults to true.
allowPodcasts | Boolean | Supervised only. If set to false, disables podcasts. Defaults to true. Availability: Available in iOS 8.0 and later.
allowDefinitionLookup | Boolean | Supervised only. If set to false, disables definition lookup. Defaults to true. Availability: Available in iOS 8.1.3 and later and in macOS 10.11.2 and later.
allowPredictiveKeyboard | Boolean | Supervised only. If set to false, disables predictive keyboards. Defaults to true. Availability: Available in iOS 8.1.3 and later.
allowAutoCorrection | Boolean | Supervised only. If set to false, disables keyboard auto-correction. Defaults to true. Availability: Available in iOS 8.1.3 and later.
allowSpellCheck | Boolean | Supervised only. If set to false, disables keyboard spell-check. Defaults to true. Availability: Available in iOS 8.1.3 and later.
forceWatchWristDetection | Boolean | If set to true, a paired Apple Watch will be forced to use Wrist Detection. Defaults to false. Availability: Available in iOS 8.2 and later.
allowMusicService | Boolean | Supervised only. If set to false, Music service is disabled and the Music app reverts to classic mode. Defaults to true. Availability: Available in iOS 9.3 and later and macOS 10.12 and later.
allowCloudPhotoLibrary | Boolean | If set to false, disables iCloud Photo Library. Any photos not fully downloaded from iCloud Photo Library to the device will be removed from local storage. Availability: Available in iOS 9.0 and later and in macOS 10.12 and later.
allowNews | Boolean | Supervised only. If set to false, disables News. Defaults to true. Availability: Available in iOS 9.0 and later.
forceAirDropUnmanaged | Boolean | Optional. If set to true, causes AirDrop to be considered an unmanaged drop target. Defaults to false. Availability: Available in iOS 9.0 and later.
allowUIAppInstallation | Boolean | Supervised only. When false, the App Store is disabled and its icon is removed from the Home screen. However, users may continue to use Host apps (iTunes, Configurator) to install or update their apps. Defaults to true. In iOS 10 and later, MDM commands can override this restriction. Availability: Available in iOS 9.0 and later.
allowScreenShot (Boolean)
    Optional. If set to false, users can't save a screenshot of the display and are prevented from capturing a screen recording; it also prevents the Classroom app from observing remote screens. Defaults to true.
    Availability: Updated in iOS 9.0 to include screen recordings. Available in macOS 10.14.4 and later.

allowKeyboardShortcuts (Boolean)
    Supervised only. If set to false, keyboard shortcuts cannot be used. Defaults to true.
    Availability: Available in iOS 9.0 and later.

allowPairedWatch (Boolean)
    Supervised only. If set to false, disables pairing with an Apple Watch. Any currently paired Apple Watch is unpaired and erased. Defaults to true.
    Availability: Available in iOS 9.0 and later.

allowPasscodeModification (Boolean)
    Supervised only. If set to false, prevents the device passcode from being added, changed, or removed. Defaults to true. This restriction is ignored by shared iPads.
    Availability: Available in iOS 9.0 and later.

allowDeviceNameModification (Boolean)
    Supervised only. If set to false, prevents the device name from being changed. Defaults to true.
    Availability: Available in iOS 9.0 and tvOS 11.0 and later.

allowWallpaperModification (Boolean)
    Supervised only. If set to false, prevents the wallpaper from being changed. Defaults to true.
    Availability: Available in iOS 9.0 and later.

allowAutomaticAppDownloads (Boolean)
    Supervised only. If set to false, prevents automatic downloading of apps purchased on other devices. Does not affect updates to existing apps. Defaults to true.
    Availability: Available in iOS 9.0 and later.

allowEnterpriseAppTrust (Boolean)
    If set to false, removes the Trust Enterprise Developer button in Settings > General > Profiles & Device Management, preventing apps from being provisioned by universal provisioning profiles. This restriction applies to free developer accounts, but it does not apply to enterprise app developers who are trusted because their apps were pushed via MDM, nor does it revoke previously granted trust. Defaults to true.
    Availability: Available in iOS 9.0 and later.

allowRadioService (Boolean)
    Supervised only. If set to false, Apple Music Radio is disabled. Defaults to true.
    Availability: Available in iOS 9.3 and later.

blacklistedAppBundleIDs (Array of Strings)
    Supervised only. If present, prevents the bundle IDs listed in the array from being shown or launched. Include the value com.apple.webapp to blacklist all web clips.
    Availability: Available in iOS 9.3 and later.
whitelistedAppBundleIDs (Array of Strings)
    Supervised only. If present, allows only the bundle IDs listed in the array to be shown or launched. Include the value com.apple.webapp to whitelist all web clips.
    Availability: Available in iOS 9.3 and later.

allowNotificationsModification (Boolean)
    Supervised only. If set to false, notification settings cannot be modified. Defaults to true.
    Availability: Available in iOS 9.3 and later.

allowRemoteScreenObservation (Boolean)
    If set to false, remote screen observation by the Classroom app is disabled. Defaults to true.
    This key should be nested beneath allowScreenShot as a sub-restriction. If allowScreenShot is set to false, it also prevents the Classroom app from observing remote screens.
    Availability: Available in iOS 9.3 and macOS 10.14.4 and later.

allowDiagnosticSubmissionModification (Boolean)
    Supervised only. If set to false, the diagnostic submission and app analytics settings in the Diagnostics & Usage pane in Settings cannot be modified. Defaults to true.
    Availability: Available in iOS 9.3.2 and later.

allowBluetoothModification (Boolean)
    Supervised only. If set to false, prevents modification of Bluetooth settings. Defaults to true.
    Availability: Available in iOS 10.0 and later.

allowAutoUnlock (Boolean)
    If set to false, disallows macOS Auto Unlock. Defaults to true.
    Availability: Available only in macOS 10.12 and later.

allowCloudDesktopAndDocuments (Boolean)
    If set to false, disallows macOS cloud desktop and document services. Defaults to true.
    Availability: Available only in macOS 10.12.4 and later.

allowDictation (Boolean)
    Supervised only. If set to false, disallows dictation input. Defaults to true.
    Availability: Available only in iOS 10.3 and later.

allowRemoteAppPairing (Boolean)
    If set to false, the Apple TV cannot be paired for use with the Remote app or Control Center widget. Defaults to true.
    Availability: Available in tvOS 10.2 and later.

forceWiFiWhitelisting (Boolean)
    Optional. Supervised only. If set to true, the device can join Wi-Fi networks only if they were set up through a configuration profile. Defaults to false.
    Availability: Available only in iOS 10.3 and later.

forceUnpromptedManagedClassroomScreenObservation (Boolean)
    Deprecated in iOS 11. Use forceClassroomUnpromptedScreenObservation instead.

allowAirPrint (Boolean)
    Supervised only. If set to false, disallows AirPrint. Defaults to true.
    Availability: Available in iOS 11.0 and later.

allowAirPrintCredentialsStorage (Boolean)
    Supervised only. If set to false, disallows keychain storage of the username and password for AirPrint. Defaults to true.
    Availability: Available in iOS 11.0 and later.
forceAirPrintTrustedTLSRequirement (Boolean)
    Supervised only. If set to true, requires trusted certificates for TLS printing communication. Defaults to false.
    Availability: Available in iOS 11.0 and later.

allowAirPrintiBeaconDiscovery (Boolean)
    Supervised only. If set to false, disables iBeacon discovery of AirPrint printers. This prevents spurious AirPrint Bluetooth beacons from phishing for network traffic. Defaults to true.
    Availability: Available in iOS 11.0 and later.

allowCellularPlanModification (Boolean)
    Supervised only. If set to false, users can't change any settings related to their cellular plan. Defaults to true.
    Availability: Available in iOS 11.0 and later.

allowProximitySetupToNewDevice (Boolean)
    Supervised only. If set to false, disables the prompt to set up new devices that are nearby. Defaults to true.
    Availability: Available only in iOS 11.0 and later.

allowSystemAppRemoval (Boolean)
    Supervised only. If set to false, disables the removal of system apps from the device. Defaults to true.
    Availability: Available only in iOS 11.0 and later.

allowVPNCreation (Boolean)
    Supervised only. If set to false, disallows the creation of VPN configurations. Defaults to true.
    Availability: Available only in iOS 11.0 and later.

allowUSBRestrictedMode (Boolean)
    Supervised only. If set to false, the device will always be able to connect to USB accessories while locked. Defaults to true.
    Availability: Available only in iOS 11.4.1 and later.

forceDelayedSoftwareUpdates (Boolean)
    Supervised only. If set to true, delays user visibility of Software Updates. Defaults to false.
    On macOS, seed build updates will be allowed without delay.
    Availability: Available in iOS 11.3 and macOS 10.13 and tvOS 12.2 and later.

enforcedSoftwareUpdateDelay (Integer)
    Supervised only. This restriction allows the admin to set how many days a software update on the device will be delayed. With this restriction in place, the user will not see a software update until the specified number of days after the software update release date.
    The maximum is 90 days and the default value is 30.
    Availability: Available in iOS 11.3 and macOS 10.13.4 and tvOS 12.2 and later.

forceAuthenticationBeforeAutoFill (Boolean)
    Optional. Supervised only. If set to true, the user will have to authenticate before passwords or credit card information can be autofilled in Safari and apps. If this restriction is not enforced, the user can toggle this feature in Settings.
    Only supported on devices with Face ID or Touch ID.
    Defaults to true.
    Availability: Available only in iOS 11.0 and later.
forceClassroomAutomaticallyJoinClasses (Boolean)
    Optional. Supervised only. If set to true, automatically gives permission to the teacher's requests without prompting the student. Defaults to false.
    Availability: Available only in iOS 11.0 and macOS 10.14.4 and later.

forceClassroomRequestPermissionToLeaveClasses (Boolean)
    Optional. Supervised only. If set to true, a student enrolled in an unmanaged course via Classroom will request permission from the teacher when attempting to leave the course. Defaults to false.
    Availability: Available only in iOS 11.3 and macOS 10.14.4 and later.

forceClassroomUnpromptedAppAndDeviceLock (Boolean)
    Optional. Supervised only. If set to true, allows the teacher to lock apps or the device without prompting the student. Defaults to false.
    Availability: Available only in iOS 11.0 and macOS 10.14.4 and later.

forceClassroomUnpromptedScreenObservation (Boolean)
    Optional. Supervised only. If set to true, and ScreenObservationPermissionModificationAllowed is also true in the Education payload, a student enrolled in a managed course via the Classroom app will automatically give permission to that course's teacher's requests to observe the student's screen without prompting the student. Defaults to false.
    Availability: Available only in iOS 11.0 and macOS 10.14.4 and later.

ratingRegion (String)
    This 2-letter key is used by profile tools to display the proper ratings for a given region. It is not recognized or reported by the client.
    Possible values:
        au: Australia
        ca: Canada
        fr: France
        de: Germany
        ie: Ireland
        jp: Japan
        nz: New Zealand
        gb: United Kingdom
        us: United States
    Availability: Available in iOS and tvOS 11.3 and later.
ratingMovies (Integer)
    This value defines the maximum level of movie content that is allowed on the device.
    Possible values (with the US description of the rating level):
        1000: All
        500: NC-17
        400: R
        300: PG-13
        200: PG
        100: G
        0: None
    Availability: Available only in iOS and tvOS 11.3 and later.

ratingTVShows (Integer)
    This value defines the maximum level of TV content that is allowed on the device.
    Possible values (with the US description of the rating level):
        1000: All
        600: TV-MA
        500: TV-14
        400: TV-PG
        300: TV-G
        200: TV-Y7
        100: TV-Y
        0: None
    Availability: Available only in iOS and tvOS 11.3 and later.

ratingApps (Integer)
    This value defines the maximum level of app content that is allowed on the device.
    Possible values (with the US description of the rating level):
        1000: All
        600: 17+
        300: 12+
        200: 9+
        100: 4+
        0: None
    Availability: Available only in iOS 5 and tvOS 11.3 and later.

forceAutomaticDateAndTime (Boolean)
    Optional. Supervised only. If set to true, the Date & Time "Set Automatically" feature is turned on and can't be turned off by the user. Defaults to false.
    Note: The device's time zone will only be updated when the device can determine its location (cellular connection, or Wi-Fi with location services enabled).
    Availability: Available only in iOS 12.0 and tvOS 12.2 and later.
allowPasswordAutoFill (Boolean)
    Optional. Supervised only. If set to false, users will not be able to use the AutoFill Passwords feature on iOS and will not be prompted to use a saved password in Safari or in apps. If set to false, Automatic Strong Passwords will also be disabled and strong passwords will not be suggested to users. Defaults to true.
    Availability: Available only in iOS 12.0 and macOS 10.14 and later.

allowPasswordProximityRequests (Boolean)
    Optional. Supervised only. If set to false, a user's device will not request passwords from nearby devices. Defaults to true.
    Availability: Available only in iOS 12.0, macOS 10.14, and tvOS 12.0 and later.

allowPasswordSharing (Boolean)
    Optional. Supervised only. If set to false, users cannot share their passwords with the AirDrop Passwords feature. Defaults to true.
    Availability: Available only in iOS 12.0 and macOS 10.14 and later.

allowManagedToWriteUnmanagedContacts (Boolean)
    Optional. If set to true, managed apps can write contacts to unmanaged contacts accounts. Defaults to false.
    If allowOpenFromManagedToUnmanaged is true, this restriction has no effect.
    A payload that sets this to true must be installed via MDM.
    Availability: Available only in iOS 12.0 and later.

allowUnmanagedToReadManagedContacts (Boolean)
    Optional. If set to true, unmanaged apps can read from managed contacts accounts. Defaults to false.
    If allowOpenFromManagedToUnmanaged is true, this restriction has no effect.
    A payload that sets this to true must be installed via MDM.
    Availability: Available only in iOS 12.0 and later.

allowESIMModification (Boolean)
    Optional. Supervised only. If set to false, the user may not remove or add a cellular plan to the eSIM on the device. Defaults to true.
    Availability: Available only in iOS 12.1 and later.

allowPersonalHotspotModification (Boolean)
    Optional. Supervised only. If set to false, the user may not modify the personal hotspot setting. Defaults to true.
    Availability: Available only in iOS 12.2 and later.
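The key table above is long enough that a reviewer rarely reads a Restrictions payload end to end; the following audit, an added example that is not Apple's code, encodes a few of the table's own statements as checks: which keys are "Supervised only" (and so do nothing on an unsupervised device), which of a handful of security-relevant keys are sitting at their permissive value, the 90-day maximum of enforcedSoftwareUpdateDelay, and the two contacts keys that have no effect while allowOpenFromManagedToUnmanaged is true. The PayloadType string com.apple.applicationaccess is the Restrictions payload type; it is not stated in this excerpt. The sample profile is constructed.

```python
"""Audit a Restrictions payload against the statements in the key table.

Added example, not Apple's code. The sample profile below is constructed.
"""
import plistlib

RESTRICTIONS_TYPE = "com.apple.applicationaccess"   # not stated in this excerpt

# Keys the table marks "Supervised only": silently ignored on unsupervised devices.
SUPERVISED_ONLY = {
    "allowEnablingRestrictions", "allowPodcasts", "allowDefinitionLookup",
    "allowPredictiveKeyboard", "allowAutoCorrection", "allowSpellCheck",
    "allowMusicService", "allowNews", "allowUIAppInstallation",
    "allowKeyboardShortcuts", "allowPairedWatch", "allowPasscodeModification",
    "allowDeviceNameModification", "allowWallpaperModification",
    "allowAutomaticAppDownloads", "allowRadioService",
    "blacklistedAppBundleIDs", "whitelistedAppBundleIDs",
    "allowNotificationsModification", "allowDiagnosticSubmissionModification",
    "allowBluetoothModification", "allowDictation", "forceWiFiWhitelisting",
    "allowAirPrint", "allowAirPrintCredentialsStorage",
    "forceAirPrintTrustedTLSRequirement", "allowAirPrintiBeaconDiscovery",
    "allowCellularPlanModification", "allowProximitySetupToNewDevice",
    "allowSystemAppRemoval", "allowVPNCreation", "allowUSBRestrictedMode",
    "forceDelayedSoftwareUpdates", "enforcedSoftwareUpdateDelay",
    "forceAuthenticationBeforeAutoFill", "forceClassroomAutomaticallyJoinClasses",
    "forceClassroomRequestPermissionToLeaveClasses",
    "forceClassroomUnpromptedAppAndDeviceLock",
    "forceClassroomUnpromptedScreenObservation", "forceAutomaticDateAndTime",
    "allowPasswordAutoFill", "allowPasswordProximityRequests",
    "allowPasswordSharing", "allowESIMModification",
    "allowPersonalHotspotModification",
}

# (key, documented default, permissive value, finding text)
PERMISSIVE = [
    ("allowUSBRestrictedMode", True, False,
     "device can always connect to USB accessories while locked"),
    ("allowEnterpriseAppTrust", True, True,
     "Trust Enterprise Developer button stays available in Settings"),
    ("allowVPNCreation", True, True, "users can create their own VPN configurations"),
    ("allowPasscodeModification", True, True,
     "the device passcode can be added, changed or removed by the user"),
    ("forceAirPrintTrustedTLSRequirement", False, False,
     "AirPrint TLS does not require trusted certificates"),
    ("forceWiFiWhitelisting", False, False,
     "device may join Wi-Fi networks not set up through a profile"),
]


def audit_restrictions(payload, supervised=True):
    """Return (key, message) findings for one Restrictions payload dictionary."""
    findings = []
    for key, default, permissive, text in PERMISSIVE:
        if payload.get(key, default) == permissive:
            how = "explicitly set" if key in payload else "left at default"
            findings.append((key, f"{text} ({how})"))
    if not supervised:
        for key in sorted(SUPERVISED_ONLY.intersection(payload)):
            findings.append((key, "supervised-only key; ignored on an unsupervised device"))
    delay = payload.get("enforcedSoftwareUpdateDelay")
    if delay is not None and delay > 90:
        findings.append(("enforcedSoftwareUpdateDelay",
                         f"{delay} exceeds the documented 90-day maximum"))
    if payload.get("allowOpenFromManagedToUnmanaged") is True:
        for key in ("allowManagedToWriteUnmanagedContacts",
                    "allowUnmanagedToReadManagedContacts"):
            if key in payload:
                findings.append((key, "has no effect while allowOpenFromManagedToUnmanaged is true"))
    return findings


def restrictions_payloads(profile_bytes):
    """Parse a .mobileconfig and return its Restrictions payload dictionaries."""
    profile = plistlib.loads(profile_bytes)
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == RESTRICTIONS_TYPE]


# Constructed sample: a lockdown profile with a few gaps left in on purpose.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.restrictions",
    "PayloadUUID": "6E1F7C2A-0000-4000-8000-000000000001",
    "PayloadContent": [{
        "PayloadType": RESTRICTIONS_TYPE, "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.restrictions.1",
        "PayloadUUID": "6E1F7C2A-0000-4000-8000-000000000002",
        "allowUSBRestrictedMode": False,               # weak: USB while locked
        "allowVPNCreation": False,
        "forceAirPrintTrustedTLSRequirement": True,
        "enforcedSoftwareUpdateDelay": 120,            # over the 90-day maximum
        "allowOpenFromManagedToUnmanaged": True,
        "allowUnmanagedToReadManagedContacts": True,   # no effect given the line above
    }],
})

if __name__ == "__main__":
    for payload in restrictions_payloads(SAMPLE_PROFILE):
        for key, message in audit_restrictions(payload, supervised=False):
            print(f"{key}: {message}")
```

Run it against a real profile by replacing SAMPLE_PROFILE with the bytes of an exported .mobileconfig; pass supervised=False for a fleet that is not supervised to see which of the restrictions you are counting on will never apply.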
SCEP Payload
The SCEP (Simple Certificate Enrollment Protocol) payload is designated by specifying com.apple.security.scep as the PayloadType value.
An SCEP payload automates the request of a client certificate from an SCEP server, as described in Over-the-Air Profile Delivery and Configuration.
In addition to the settings common to all payloads, this payload defines the following keys:

URL (String)
    The SCEP URL. See Over-the-Air Profile Delivery and Configuration for more information about SCEP.

Name (String)
    Optional. Any string that is understood by the SCEP server. For example, it could be a domain name like example.org. If a certificate authority has multiple CA certificates, this field can be used to distinguish which is required.

Subject (Array)
    Optional. The representation of an X.500 name as an array of OID and value pairs. For example, /C=US/O=Apple Inc./CN=foo/1.2.5.3=bar would translate to:
        [ [ ["C", "US"] ], [ ["O", "Apple Inc."] ], ..., [ ["1.2.5.3", "bar"] ] ]
    OIDs can be represented as dotted numbers, with shortcuts for country (C), locality (L), state (ST), organization (O), organizational unit (OU), and common name (CN).

Challenge (String)
    Optional. A pre-shared secret.

Keysize (Integer)
    Optional. The key size in bits, either 1024 or 2048.

KeyType (String)
    Optional. Currently always "RSA".

KeyUsage (Integer)
    Optional. A bitmask indicating the use of the key. 1 is signing, 4 is encryption, 5 is both signing and encryption. Some certificate authorities, such as Windows CA, support only encryption or signing, but not both at the same time.
    Availability: Available only in iOS 4 and later.

Retries (Integer)
    Optional. The number of times the device should retry if the server sends a PENDING response. Defaults to 3.

RetryDelay (Integer)
    Optional. The number of seconds to wait between subsequent retries. The first retry is attempted without this delay. Defaults to 10.

CAFingerprint (Data)
    Optional. The fingerprint of the Certificate Authority certificate.

AllowAllAppsAccess (Boolean)
    Optional. If true, all apps have access to the private key. Default is false.

KeyIsExtractable (Boolean)
    Optional. If false, the private key cannot be exported from the keychain. Default is true.

SubjectAltName Dictionary Keys
The SCEP payload can specify an optional SubjectAltName dictionary that provides values required by the CA for issuing a certificate. You can specify a single string or an array of strings for each key.
The values you specify depend on the CA you're using, but might include DNS name, URL, or email values. For an example, see Sample Configuration Profile or read Over-the-Air Profile Delivery and Configuration.

GetCACaps Dictionary Keys
If you add a dictionary with the key GetCACaps, the device uses the strings you provide as the authoritative source of information about the capabilities of your CA. Otherwise, the device queries the CA for GetCACaps and uses the answer it gets in response. If the CA doesn't respond, the device defaults to GET 3DES and SHA-1 requests. For more information, read Over-the-Air Profile Delivery and Configuration. This feature is not supported in macOS.
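Two of the SCEP defaults above are the permissive ones (KeyIsExtractable defaults to true, and AllowAllAppsAccess is easy to flip on while debugging), and the Subject array format is easy to get wrong by hand. The following is an added example, not Apple's code or a tool the page describes: it converts a slash-delimited distinguished name into the nested array the Subject key expects, builds an SCEP payload with the hardening applied, and flags the settings a reviewer would reject. The URL, challenge, identifiers and fingerprint bytes are constructed. The SCEP keys are placed inside the payload's PayloadContent dictionary, which is where shipping profiles carry them; this excerpt does not show that nesting.

```python
"""SCEP payload builder and reviewer checks.

Added example, not Apple's code. Key names, types and defaults come from the
SCEP key table; everything else (URL, challenge, identifiers, fingerprint) is
constructed.
"""
import plistlib
import uuid


def parse_subject(dn):
    """"/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar" -> [[["C","US"]], [["O","Apple Inc."]], ...]

    Each RDN becomes a one-element array holding an [oid, value] pair, which is
    the Subject format described in the table. Values containing "/" are not
    supported by this simple splitter.
    """
    subject = []
    for rdn in filter(None, dn.split("/")):
        oid, sep, value = rdn.partition("=")
        if not (sep and oid and value):
            raise ValueError(f"malformed RDN {rdn!r}")
        subject.append([[oid, value]])
    return subject


def scep_payload(url, subject_dn, challenge, ca_fingerprint=None, san=None):
    """Return an SCEP payload dictionary with the non-default hardening applied."""
    content = {
        "URL": url,
        "Subject": parse_subject(subject_dn),
        "Challenge": challenge,        # pre-shared secret: treat the profile as sensitive
        "Keysize": 2048,               # the table allows 1024 or 2048
        "KeyType": "RSA",
        "KeyUsage": 5,                 # 1 = signing, 4 = encryption, 5 = both
        "KeyIsExtractable": False,     # documented default is true
        "AllowAllAppsAccess": False,   # documented default, set explicitly
        "Retries": 3,
        "RetryDelay": 10,
    }
    if ca_fingerprint is not None:
        content["CAFingerprint"] = ca_fingerprint   # Data: fingerprint of the CA certificate
    if san:
        content["SubjectAltName"] = san   # key names depend on the CA (see dictionary keys above)
    return {
        "PayloadType": "com.apple.security.scep",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.scep",     # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "SCEP enrollment",
        "PayloadContent": content,
    }


def weak_settings(content):
    """Flag SCEP content a security reviewer would push back on."""
    issues = []
    if content.get("KeyIsExtractable", True):   # absent means the documented default, true
        issues.append("KeyIsExtractable is true: private key can be exported from the keychain")
    if content.get("AllowAllAppsAccess", False):
        issues.append("AllowAllAppsAccess is true: every app can use the private key")
    if content.get("Keysize") == 1024:
        issues.append("Keysize is 1024: use 2048")
    if "CAFingerprint" not in content:
        issues.append("CAFingerprint missing: the CA certificate returned by the server is not pinned")
    return issues


def write_mobileconfig(path, payload):
    """Wrap one payload in a top-level profile and write it as an XML plist."""
    profile = {
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.scep.profile",   # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadContent": [payload],
    }
    with open(path, "wb") as fh:
        plistlib.dump(profile, fh)


if __name__ == "__main__":
    payload = scep_payload("https://scep.example.org/cgi-bin/pkiclient.exe",   # constructed
                           "/C=US/O=Example/CN=device01", "one-time-challenge",
                           ca_fingerprint=b"\x01" * 20)                         # placeholder bytes
    print(weak_settings(payload["PayloadContent"]) or "no findings")
    write_mobileconfig("scep.mobileconfig", payload)
```

The Challenge value travels in the profile in clear text, so a profile built this way should be delivered over a channel that already authenticates the device (MDM or an OTA enrollment flow), not mailed around.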
Screensaver
Screensaver payloads are designated by specifying com.apple.screensaver as the PayloadType.
The device-level screensaver payload can be used to customize the screensaver and enable or disable the screen lock password function.
The Screensaver payload defines the following keys:

askForPassword (Boolean)
    Optional. If true, the user will be prompted for a password when the screensaver is unlocked or stopped. When using this prompt, askForPasswordDelay must also be provided.
    Availability: Available in macOS 10.13 and later.

askForPasswordDelay (Integer)
    Optional. Number of seconds to delay before the password will be required to unlock or stop the screensaver (the "grace period"). A value of 2147483647 (0x7FFFFFFF) can be used to disable this requirement, and on 10.13 the payload is one of the only ways of disabling the feature. Note that askForPassword must be set to true to use this option.
    Availability: Available in macOS 10.13 and later.

loginWindowModulePath (String)
    Optional. A full path to the screensaver module to be used.
    Availability: Available in macOS 10.11 and later.

loginWindowIdleTime (Integer)
    Optional. Number of seconds of inactivity before the screensaver activates (0 = never activate).
    Availability: Available in macOS 10.11 and later.

User-level screensaver payloads are designated by specifying com.apple.screensaver.user as the PayloadType.
The user-level screensaver settings are specific to a user, instead of the device.
The Screensaver User payload defines the following keys:

modulePath (String)
    Optional. A full path to the screensaver module to be used.
    Availability: Available in macOS 10.11 and later.

idleTime (Integer)
    Optional. Number of seconds of inactivity before the screensaver activates (0 = never activate).
    Availability: Available in macOS 10.11 and later.
Setup Assistant
The Setup Assistant payload is designated by specifying com.apple.SetupAssistant.managed as the PayloadType.
On macOS, this payload specifies Setup Assistant options for either the system or particular users.
In addition to the settings common to all payloads, this payload defines the following keys:

SkipCloudSetup (Boolean)
    Optional. If true, skip the Apple ID setup window.
    Availability: Available in macOS 10.12 and later.

SkipSiriSetup (Boolean)
    Optional. If true, skip the Siri setup window.
    Availability: Available in macOS 10.12 and later.

SkipPrivacySetup (Boolean)
    Optional. If true, skip the Privacy consent window.
    Availability: Available in macOS 10.13.4 and later.

SkipiCloudStorageSetup (Boolean)
    Optional. If true, skip the iCloud Storage window.
    Availability: Available in macOS 10.13.4 and later.

SkipTrueTone (Boolean)
    Optional. If true, skip the True Tone Display window.
    Availability: Available in macOS 10.13.6 and later.

SkipAppearance (Boolean)
    Optional. If true, skip the Choose Your Look window.
    Availability: Available in macOS 10.14 and later.

Shared Device Configuration Payload
The Shared Device Configuration payload is designated by specifying com.apple.shareddeviceconfiguration as the PayloadType. It can contain only one payload, which must be supervised. It is not supported on the User Channel.
The Shared Device Configuration payload allows admins to specify optional text displayed on the login window and lock screen (i.e. an "If Lost, Return To" message and Asset Tag Information). It is supported on iOS 9.3 and later.
In addition to the settings common to all payloads, this payload defines the following keys:

AssetTagInformation (String)
    Optional. Asset tag information for the device, displayed on the login window and lock screen.

LockScreenFootnote (String)
    Optional. A footnote displayed on the login window and lock screen.
    Available in iOS 9.3.1 and later.

IfLostReturnToMessage (String)
    Deprecated. Use LockScreenFootnote instead.
ShareKit Payload
macOS 10.9 or later only. The ShareKit payload is designated by specifying com.apple.ShareKitHelper as the PayloadType. It can contain only one payload. It is supported on the User Channel.
The ShareKit payload specifies which ShareKit plugins can be accessed on the client. Both allow and disallow lists can be specified.
This payload is deprecated as of macOS 10.12. For clients running macOS 10.13 or later, use the NSExtension payload instead. If a profile contains both an NSExtension payload and a ShareKit payload, the ShareKit payload will be ignored.
In addition to the settings common to all payloads, this payload defines the following keys:

SHKAllowedShareServices (Array of Strings)
    Optional. List of plugin IDs that will show up in the user's Share menu. If this array exists, then only these items will be permitted.

SHKDeniedShareServices (Array of Strings)
    Optional. List of plugin IDs that will not show up in the user's Share menu. This key is used only if there is no SHKAllowedShareServices key.

The following plugin IDs are supported by this payload:
    com.apple.share.AirDrop: AirDrop
    com.apple.share.Facebook: Facebook
    com.apple.share.Twitter: Twitter
    com.apple.share.Mail: Mail
    com.apple.share.Messages: Messages
    com.apple.share.Video: Video Services
    com.apple.share.addtoiphoto: Photos
    com.apple.share.addtoaperture: Aperture
    com.apple.share.readlater: Reading List
    com.apple.share.SinaWeibo: Sina Weibo
    com.apple.Notes.SharingExtension: Notes
    com.apple.reminders.RemindersShareExtension: Reminders
    com.apple.share.LinkedIn.post: LinkedIn
Single Sign-On Account Payload
The Single Sign-On Account payload is designated by specifying com.apple.sso as the PayloadType.
This payload is supported only in iOS 7.0 and later.
In addition to the settings common to all payloads, this payload defines the following keys:

Name (String)
    Human-readable name for the account.

Kerberos (Dictionary)
    Kerberos-related information, described below.

The Kerberos dictionary can contain the following keys:

PrincipalName (String)
    Optional. The Kerberos principal name. If not provided, the user is prompted for one during profile installation.
    This field must be provided for MDM installation.

PayloadCertificateUUID (String)
    Optional. The PayloadUUID of an identity certificate payload that can be used to renew the Kerberos credential without user interaction. The certificate payload must have either the com.apple.security.pkcs12 or com.apple.security.scep payload type. Both the Single Sign-On payload and the identity certificate payload must be included in the same configuration profile.

Realm (String)
    The Kerberos realm name. This value should be properly capitalized.

URLPrefixMatches (Array of Strings)
    List of URL prefixes that must be matched to use this account for Kerberos authentication over HTTP. Note that the URL postfixes must match as well.

AppIdentifierMatches (Array of Strings)
    Optional. List of app identifiers that are allowed to use this login. If this field is missing, this login matches all app identifiers.
    This array, if present, may not be empty.

Each entry in the URLPrefixMatches array must contain a URL prefix. Only URLs that begin with one of the strings in this account are allowed to access the Kerberos ticket. URL matching patterns must include the scheme, for example http://www.example.com/. If a matching pattern does not end in /, a / is appended to it.
The URL matching patterns must begin with either http:// or https://. A simple string match is performed, so the URL prefix http://www.example.com/ does not match http://www.example.com:80/. With iOS 9.0 or later, however, a single wildcard * may be used to specify all matching values. For example, http://*.example.com/ will match both http://store.example.com/ and http://www.example.com.
The patterns http://.com and https://.com match all HTTP and HTTPS URLs, respectively.
The AppIdentifierMatches array must contain strings that match app bundle IDs. These strings may be exact matches (com.mycompany.myapp, for example) or may specify a prefix match on the bundle ID by using the * wildcard character. The wildcard character must appear after a period character (.), and may appear only once, at the end of the string (com.mycompany.*, for example). When a wildcard is included, any app whose bundle ID begins with the prefix is granted access to the account.
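The matching rules above decide which hosts and which apps get handed a Kerberos ticket, so it is worth seeing them as code. The following is an added example, not Apple's implementation, that applies the documented rules for URLPrefixMatches (mandatory scheme, trailing slash appended, plain string prefix match so a port suffix does not match, one wildcard) and AppIdentifierMatches (exact ID or a single trailing ".*"). Two readings are mine and marked in the code: a URL with no path is matched as if it ended in "/", and the wildcard stands for characters other than "/", so that http://*.example.com/ cannot be satisfied by a query string on some other host. All sample patterns, URLs and the Kerberos dictionary are constructed.

```python
"""URL prefix and app identifier matching for the Single Sign-On Account payload.

Added example, not Apple's implementation. Sample data is constructed.
"""
import re


def normalize_prefix(pattern):
    """Documented rules: scheme is mandatory, a missing trailing "/" is appended."""
    if not pattern.startswith(("http://", "https://")):
        raise ValueError(f"URL prefix must begin with http:// or https://: {pattern!r}")
    if pattern.count("*") > 1:
        raise ValueError(f"at most one wildcard is allowed: {pattern!r}")
    return pattern if pattern.endswith("/") else pattern + "/"


def url_matches(pattern, url):
    """Simple string prefix match with no host or port canonicalisation, so
    http://www.example.com/ does not match http://www.example.com:80/."""
    prefix = normalize_prefix(pattern)
    scheme, sep, rest = url.partition("://")
    # Assumption: a bare host is matched as the browser sends it, with a "/" path.
    target = url + "/" if sep and "/" not in rest else url
    if "*" not in prefix:
        return target.startswith(prefix)
    # Assumption: the wildcard matches any run of characters except "/", so it
    # cannot reach past the host into the path or query string.
    regex = "^" + re.escape(prefix).replace(r"\*", "[^/]*")
    return re.match(regex, target) is not None


def app_matches(pattern, bundle_id):
    """Exact bundle ID, or a prefix ending in ".*" (the only wildcard form allowed)."""
    if "*" not in pattern:
        return bundle_id == pattern
    if pattern.count("*") != 1 or not pattern.endswith(".*"):
        raise ValueError(f"wildcard must appear once, at the end, after a period: {pattern!r}")
    # Keep the trailing "." in the prefix so com.mycompany.* does not cover com.mycompanyx.*.
    return bundle_id.startswith(pattern[:-1])


def account_applies(kerberos, url, bundle_id):
    """Would this Kerberos account be offered for a request from bundle_id to url?"""
    if not any(url_matches(p, url) for p in kerberos["URLPrefixMatches"]):
        return False
    apps = kerberos.get("AppIdentifierMatches")
    if apps is None:            # absent: matches all app identifiers
        return True
    if not apps:                # present but empty is invalid per the payload text
        raise ValueError("AppIdentifierMatches may not be empty")
    return any(app_matches(p, bundle_id) for p in apps)


# Constructed Kerberos dictionary in the shape of the payload's Kerberos key.
SAMPLE_KERBEROS = {
    "PrincipalName": "user@EXAMPLE.COM",
    "Realm": "EXAMPLE.COM",
    "URLPrefixMatches": ["https://*.example.com/", "http://intranet.example.com"],
    "AppIdentifierMatches": ["com.apple.mobilesafari", "com.mycompany.*"],
}

if __name__ == "__main__":
    for url in ("https://wiki.example.com/page", "http://www.example.com/",
                "https://evil.example.net/?u=.example.com/"):
        print(url, account_applies(SAMPLE_KERBEROS, url, "com.mycompany.wiki"))
```

The port case is the one that bites in practice: a pattern written for http://intranet.example.com/ silently stops working when the service moves to an explicit port, and the fix is another pattern, not a looser wildcard.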
SmartCard Settings Payload
The SmartCard Settings payload is designated by specifying com.apple.security.smartcard as the PayloadType.
This payload controls restrictions and settings for SmartCard pairing on macOS v10.12.4 and later.
In addition to the settings common to all payloads, this payload defines the following keys:

UserPairing (Boolean)
    Optional. If false, users will not get the pairing dialog, although existing pairings will still work. Default is true.

allowSmartCard (Boolean)
    Optional. If false, the SmartCard is disabled for logins, authorizations, and screensaver unlocking. It is still allowed for other functions, such as signing emails and web access. A restart is required for a change of setting to take effect. Default is true.

checkCertificateTrust (Integer)
    Optional. Valid values are 0-3:
        0: certificate trust check is turned off.
        1: certificate trust check is turned on. A standard validity check is performed, but this does not include additional revocation checks.
        2: certificate trust check is turned on, plus a soft revocation check is performed. Until the certificate is explicitly rejected by CRL/OCSP, it is considered valid. This implies that an unavailable or unreachable CRL/OCSP allows this check to succeed.
        3: certificate trust check is turned on, plus a hard revocation check is performed. Unless CRL/OCSP explicitly says "this certificate is OK", the certificate is considered invalid. This is the most secure option.
    Default is 0.

oneCardPerUser (Boolean)
    Optional. If true, a user can pair with only one SmartCard, although existing pairings will be allowed if already set up. Default is false.

enforceSmartCard (Boolean)
    Optional. If true, a user can only log in or authenticate with a SmartCard. Default is false.

tokenRemovalAction (Integer)
    Optional. If 1, when the SmartCard is removed, the screensaver will be enabled. Default is 0.
    Availability: Available in macOS 10.13.4 and later.
Software Update
The Software Update payload is designated by specifying com.apple.SoftwareUpdate as the PayloadType.
In addition to the settings common to all payloads, this payload defines the following keys:

CatalogURL (String)
    Optional. The URL of the software update catalog.

AllowPreReleaseInstallation (Boolean)
    Optional. If true, prerelease software can be installed on this computer. Default is true.

restrict-software-update-require-admin-to-install (Boolean)
    Optional. If true, restricts app installations to admin users. This key has the same function as the key restrict-store-require-admin-to-install in the com.apple.appstore payload.
    Availability: Available in macOS 10.14 and later.

System Migration Payload
The System Migration payload is designated by specifying com.apple.systemmigration as the PayloadType.
System migration occurs when items are transferred to a macOS device from a Windows device by reading source and destination path pairs from plist files. This payload provides a way to customize those transfers.
This payload must be single and exist only in a device profile. If the payload is present in a user profile, an error will be generated during installation and the profile will fail to install.
This payload is supported only on macOS 10.12.4 and later.
In addition to the settings common to all payloads, this payload defines the following key:

CustomBehavior (Array of Dictionaries)
    Optional. Specifies custom behavior for the context designated in each dictionary.

Each dictionary in the CustomBehavior array contains these keys:

Context (String)
    Required. The context to which custom paths apply.

Paths (Array of Dictionaries)
    Required. The custom paths to be migrated from a source system to a target system.

Each dictionary in the Paths array contains these keys:

SourcePath (String)
    Required. The path to the migrating file or directory on the source system.

SourcePathInUserHome (Boolean)
    Required. If true, the source path is located within a user home directory.

TargetPath (String)
    Required. The path to the destination file or directory on the target system.

TargetPathInUserHome (Boolean)
    Required. If true, the target path is located within a user home directory.
System Policy Control Payload
The System Policy Control payload is designated by specifying com.apple.systempolicy.control as the PayloadType.
This payload allows control over configuring the "Allowed applications downloaded from:" option in the "General" tab of "Security & Privacy" in System Preferences.
This payload must only exist in a device profile. If the payload is present in a user profile, an error will be generated during installation and the profile will fail to install.
This payload is supported only on macOS v10.8 and later.
In addition to the settings common to all payloads, this payload defines the following keys:

EnableAssessment (Boolean)
    Optional. If the key is present and has a value of YES, Gatekeeper is enabled. If the key is present and has a value of NO, Gatekeeper is disabled.

AllowIdentifiedDevelopers (Boolean)
    Optional. If the key is present and has a value of YES, Gatekeeper's "Mac App Store and identified developers" option is chosen. If the key is present and has a value of NO, Gatekeeper's "Mac App Store" option is chosen.
    If EnableAssessment is not true, this key has no effect.

System Policy Rule Payload
The System Policy Rule payload is designated by specifying com.apple.systempolicy.rule as the PayloadType. This is one of three payloads that allow control of various Gatekeeper settings.
This payload allows control over Gatekeeper's system policy rules. The keys and functionality are tightly related to the spctl command line tool. You should read the manual page for spctl.
This payload must only exist in a device profile. If the payload is present in a user profile, an error will be generated during installation and the profile will fail to install.
This payload is supported only on macOS v10.8 and later.
In addition to the settings common to all payloads, this payload defines the following keys:

Requirement (String)
    The policy requirement. This key must follow the syntax described in Code Signing Requirement Language.

Comment (String)
    Optional. This string will appear in the System Policy UI. If it is missing, PayloadDisplayName or PayloadDescription will be put into this field before the rule is added to the System Policy database.

Expiration (Date)
    Optional. An expiration date for the rule(s) being processed.

OperationType (String)
    Optional. One of operation:execute, operation:install, or operation:lsopen. This will default to operation:execute.

The client has no way to display information about what certificate is being accepted by the signing requirement if the Requirement key is specified as:
    certificate leaf = H"7696f2cbf7f7d43fceb879f52f3cdc8fadfccbd4"
You can embed the certificate within the payload itself, allowing the Profiles preference pane and System Profiler report to display information about the certificate(s) being used. To do so, specify the Requirement key using a payload variable of the form $HASHCERT_xx$, where "xx" is the name of an additional key within the same payload that contains the certificate data in DER format.
For example, if you specify:
    <key>Requirement</key>
    <string>certificate leaf = $HASHCERT_Cert1Data$</string>
and then provide:
    <key>Cert1Data</key>
    <data>
    MIIFTDCCBDSgAwIBAgIHBHXzxGzq8DANBgkqhkiG9w0BAQUFADCByjELMAkGA1UEBhMC
    ...
    z1I6yBET5qaGhpWexEp3baLbXLcrtgufmDSUtUnImavGyw==
    </data>
the client will get the value of the Cert1Data key, perform a SHA-1 hash on it, and use the resulting requirement string of:
    certificate leaf = H"7696f2cbf7f7d43fceb879f52f3cdc8fadfccbd4"
If you want, you may reference multiple $HASHCERT_xx$ variables within the requirement string.
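The $HASHCERT_xx$ substitution above is simple enough to reproduce offline, which is useful when you want to confirm before deployment which H"..." hash a rule will end up pinning. The following is an added example, not Apple's code: it loads a System Policy Rule payload, replaces every $HASHCERT_xx$ with the SHA-1 of the referenced <data> key exactly as the text describes, and fills in the Comment default. The payload is constructed and its "certificate" bytes are a three-byte placeholder, not real DER, so the digest shown is SHA-1 of the string "abc".

```python
"""Expand $HASHCERT_xx$ references in a System Policy Rule payload.

Added example, not Apple's code. The payload below is constructed; Cert1Data
holds placeholder bytes (base64 "YWJj" is "abc"), not a real DER certificate.
"""
import hashlib
import plistlib
import re

HASHCERT_RE = re.compile(r"\$HASHCERT_([A-Za-z0-9_]+)\$")


def expand_hashcert(payload):
    """Return Requirement with each $HASHCERT_xx$ replaced by H"<sha1(payload[xx])>".

    Raises KeyError if a referenced key is absent from the payload and
    TypeError if it is not a <data> value, both of which would make the rule
    unusable on the device.
    """
    def repl(match):
        key = match.group(1)
        der = payload[key]
        if not isinstance(der, bytes):
            raise TypeError(f"{key} must be a <data> value holding the DER certificate")
        return 'H"%s"' % hashlib.sha1(der).hexdigest()
    return HASHCERT_RE.sub(repl, payload["Requirement"])


def rendered_rule(payload):
    """The rule as the device would add it: expanded requirement, default
    operation type, and the documented Comment fallback."""
    return {
        "Requirement": expand_hashcert(payload),
        "OperationType": payload.get("OperationType", "operation:execute"),
        "Comment": (payload.get("Comment") or payload.get("PayloadDisplayName")
                    or payload.get("PayloadDescription")),
        "Expiration": payload.get("Expiration"),
    }


# Constructed payload in the shape shown in the text.
SAMPLE_PAYLOAD_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>com.apple.systempolicy.rule</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.syspolicy.rule</string>
  <key>PayloadUUID</key><string>3F2504E0-4F89-11D3-9A0C-0305E82C3301</string>
  <key>PayloadDisplayName</key><string>Allow internal build tools</string>
  <key>OperationType</key><string>operation:execute</string>
  <key>Requirement</key><string>certificate leaf = $HASHCERT_Cert1Data$</string>
  <key>Cert1Data</key><data>YWJj</data>
</dict>
</plist>
"""

if __name__ == "__main__":
    payload = plistlib.loads(SAMPLE_PAYLOAD_XML)
    for field, value in rendered_rule(payload).items():
        print(f"{field}: {value}")
```

Check the expanded string against `spctl --assess` output or the certificate you meant to pin before the profile ships; a stale Cert1Data silently pins the wrong certificate, and a rule that pins only a leaf has to be reissued whenever that leaf is renewed.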
SystemPolicyManagedPayload
The System Policy Managed payload is designated by specifying com.apple.systempolicy.managed as the
PayloadType. ThisisoneofthreepayloadsthatallowscontrolofvariousGateKeepersettings.
ThispayloadallowscontroltodisabletheFinderʼscontextualmenuthatallowsbypassofSystemPolicyrestrictions.
ThispayloadissupportedonlyonmacOSv10.8andlater.
Inadditiontothesettingscommontoallpayloads,thispayloaddefinesthefollowingkeys:
Key Type Value
DisableOverride Boolean Optional. IfYES,theFinderʼscontextualmenuitemwillbedisabled.
TV Remote Payload
The TV Remote payload is designated by specifying com.apple.tvremote as the PayloadType value. This payload is supported only on supervised devices.
This payload allows restricting the connections from the Apple TV Remote app to an Apple TV and restricting the available Apple TV devices in the Apple TV Remote app.
To lock specific Apple TVs to specific devices running the Apple TV Remote app, both the Apple TVs and the remote devices can be specified in the same payload.
In addition to the settings common to all payload types, the TV Remote payload defines the following keys:

AllowedRemotes (Array of Dictionaries)
    If present, the Apple TV will only connect with the Apple TV Remote app from the devices specified. If not present, or the list is empty, any device will be allowed to connect.
    Availability: Available in tvOS 11.3 and later.

AllowedTVs (Array of Dictionaries)
    If present, the Apple TV Remote app will only connect to the specified Apple TVs. If not present, or the list is empty, the device will be able to connect to any Apple TV.
    Availability: Available in iOS 11.3 and later.

Each entry in the AllowedRemotes array is a dictionary that can contain the following key:

RemoteDeviceID (String)
    The MAC address of a permitted iOS device that can control this Apple TV. Use the format "xx:xx:xx:xx:xx:xx". The field is not case sensitive.
    Availability: Available in tvOS 11.3 and later.

Each entry in the AllowedTVs array is a dictionary that can contain the following key:

TVDeviceID (String)
    The MAC address of an Apple TV device that this iOS device is permitted to control. Use the format "xx:xx:xx:xx:xx:xx". The field is not case sensitive.
    Availability: Available in iOS 11.3 and later.

Note
A MAC address is an identifier, not a credential, and can be spoofed. Treat these lists as a way to limit which devices are offered a connection, not as authentication of the device at the other end.
Time Server Payload
The Time Server payload is designated by specifying com.apple.MCX as the PayloadType value.
This payload allows devices to connect to custom time servers.
In addition to the settings common to all payload types, the Time Server payload defines the following keys:

timeServer (String)
    The NTP server to connect to.
    Availability: Available in macOS 10.12.4 and later.

timeZone (String)
    Time zone path location string in /usr/share/zoneinfo/. For example, America/Denver or "Zulu".
    Availability: Available in macOS 10.12.4 and later.
VPN Payload
The VPN payload is used for traditional system-wide VPNs based on L2TP, PPTP, and IPSec. This payload should not be confused with the Per-App VPN, described in Per-App VPN Payload.
The VPN payload is designated by specifying com.apple.vpn.managed as the PayloadType value. In addition to the settings common to all payload types, the VPN payload defines the following keys:

UserDefinedName (String)
    Optional. Description of the VPN connection displayed on the device.

VPNType (String)
    Determines the settings available in the payload for this type of VPN connection. It can have one of the following values:
    L2TP
    PPTP
    IPSec (Cisco)
    IKEv2 (see IKEv2 Dictionary Keys)
    AlwaysOn (see AlwaysOn Dictionary Keys)
    VPN (the solution uses a VPN plugin or a NetworkExtension, so the VPNSubType key is required; see below)

VPNSubType (String)
    Optional. If VPNType is VPN, this field is required. If the configuration is targeted at a VPN solution that uses a VPN plugin, then this field contains the bundle identifier of the plugin. Here are some examples:
    Cisco AnyConnect: com.cisco.anyconnect.applevpn.plugin
    Juniper SSL: net.juniper.sslvpn
    F5 SSL: com.f5.F5-Edge-Client.vpnplugin
    SonicWALL Mobile Connect: com.sonicwall.SonicWALL-SSLVPN.vpnplugin
    Aruba VIA: com.arubanetworks.aruba-via.vpnplugin
    If the configuration is targeted at a VPN solution that uses a NetworkExtension provider, then this field contains the bundle identifier of the app that contains the provider. Contact the VPN solution vendor for the value of the identifier.
    If VPNType is IKEv2, then the VPNSubType field is optional and is reserved for future use. If it is specified, it must contain the empty string.

ProviderBundleIdentifier (String)
    Optional. If the VPNSubType field contains the bundle identifier of an app that contains multiple VPN providers of the same type (app-proxy or packet-tunnel), then this field is used to specify which provider to use for this configuration.
If VPNType is VPN, IPSec, or IKEv2, the following keys may be defined in the corresponding VPN, IPSec, or IKEv2 dictionaries to configure VPN On Demand:

OnDemandEnabled (Integer)
    1 if the VPN connection should be brought up on demand, else 0.

OnDemandMatchDomainsAlways (Array of Strings)
    Deprecated. A list of domain names. In versions of iOS prior to iOS 7, if the hostname ends with one of these domain names, the VPN is started automatically.
    In iOS 7 and later, if this key is present, the associated domain names are treated as though they were associated with the OnDemandMatchDomainsOnRetry key.
    This behavior can be overridden by OnDemandRules.

OnDemandMatchDomainsNever (Array of Strings)
    Deprecated. A list of domain names. If the hostname ends with one of these domain names, the VPN is not started automatically. This might be used to exclude a subdomain within an included domain.
    This behavior can be overridden by OnDemandRules.
    In iOS 7 and later, this key is deprecated (but still supported) in favor of EvaluateConnection actions in the OnDemandRules dictionaries.

OnDemandMatchDomainsOnRetry (Array of Strings)
    Deprecated. A list of domain names. If the hostname ends with one of these domain names and a DNS query for that domain name fails, the VPN is started automatically.
    This behavior can be overridden by OnDemandRules.
    In iOS 7 and later, this key is deprecated (but still supported) in favor of EvaluateConnection actions in the OnDemandRules dictionaries.

OnDemandRules (Array of Dictionaries)
    Determines when and how an on-demand VPN should be used. See OnDemandRules Dictionary Keys for details.

If VPNType is not AlwaysOn, the following key may be defined:

VendorConfig (Dictionary)
    A dictionary for configuration information specific to a given third-party VPN solution.

There are two possible dictionaries present at the top level, under the keys "PPP" and "IPSec". The keys inside these two dictionaries are described below, along with the VPNType value under which the keys are used.
PPP Dictionary Keys
The following elements are for VPN payloads of type PPP.

AuthName (String)
    The VPN account user name. Used for L2TP and PPTP.

AuthPassword (String)
    Optional. Only visible if TokenCard is false. Used for L2TP and PPTP.

TokenCard (Boolean)
    Whether to use a token card such as an RSA SecurID card for connecting. Used for L2TP.

CommRemoteAddress (String)
    IP address or host name of the VPN server. Used for L2TP and PPTP.

AuthEAPPlugins (Array)
    Only present if RSA SecurID is being used, in which case it has one entry, a string with value "EAP-RSA". Used for L2TP and PPTP.

AuthProtocol (Array)
    Only present if RSA SecurID is being used, in which case it has one entry, a string with value "EAP". Used for L2TP and PPTP.

CCPMPPE40Enabled (Boolean)
    See the discussion under CCPEnabled. Used for PPTP.

CCPMPPE128Enabled (Boolean)
    See the discussion under CCPEnabled. Used for PPTP.

CCPEnabled (Boolean)
    Enables encryption on the connection. If this key and CCPMPPE40Enabled are true, it represents the automatic encryption level; if this key and CCPMPPE128Enabled are true, it represents the maximum encryption level. If no encryption is used, then none of the CCP keys are true. Used for PPTP.

Note
PPTP's MS-CHAPv2 authentication and MPPE (RC4) encryption are considered cryptographically broken; where the server supports it, deploy IKEv2 with certificate authentication instead and keep PPTP payloads only for legacy compatibility.
IPv4 Dictionary Keys
The following element is for VPN payloads of type L2TP or PPTP.

OverridePrimary (Integer)
    Specifies whether to send all traffic through the VPN interface. If 1, all network traffic is sent over the VPN. Defaults to 0.
IPSec Dictionary Keys
The following elements are for VPN payloads of type IPSec.

RemoteAddress (String)
    IP address or host name of the VPN server. Used for Cisco IPSec.

AuthenticationMethod (String)
    Either SharedSecret or Certificate. Used for L2TP and Cisco IPSec.

XAuthEnabled (Integer)
    1 if Xauth is on, 0 if it is off. Used for Cisco IPSec.

XAuthName (String)
    User name for the VPN account. Used for Cisco IPSec.

XAuthPassword (String)
    Required for VPN account user authentication. Used for Cisco IPSec.

LocalIdentifier (String)
    Present only if AuthenticationMethod is SharedSecret. The name of the group to use. If Hybrid Authentication is used, the string must end with [hybrid]. Used for Cisco IPSec.

LocalIdentifierType (String)
    Present only if AuthenticationMethod is SharedSecret. The value is KeyID. Used for L2TP and Cisco IPSec.

SharedSecret (Data)
    The shared secret for this VPN account. Only present if AuthenticationMethod is SharedSecret. Used for L2TP and Cisco IPSec.

PayloadCertificateUUID (String)
    The UUID of the certificate to use for the account credentials. Only present if AuthenticationMethod is Certificate. Used for Cisco IPSec.

PromptForVPNPIN (Boolean)
    Tells whether to prompt for a PIN when connecting. Used for Cisco IPSec.
OnDemandRules Dictionary Keys
The OnDemandRules key in a VPN payload is associated with an array of dictionaries that define the network match criteria that identify a particular network location.
In typical use, VPN On Demand matches the dictionaries in the OnDemandRules array against properties of your current network connection to determine whether domain-based rules should be used in determining whether to connect, then handles the connection as follows:
- If domain-based matching is enabled for a matching OnDemandRules dictionary, then for each dictionary in that dictionary's EvaluateConnection array, VPN On Demand compares the requested domain against the domains listed in the Domains array.
- If domain-based matching is not enabled, the specified behavior (usually Connect, Disconnect, or Ignore) is used if the dictionary otherwise matches.

Note
For backwards compatibility, VPN On Demand also allows you to specify the Allow action, in which case the domains to match are determined by arrays in the VPN payload itself (OnDemandMatchDomainsAlways, OnDemandMatchDomainsOnRetry, and OnDemandMatchDomainsNever). However, this is deprecated in iOS 7.

Whenever a network change is detected, the VPN On Demand service compares the newly connected network against the match network criteria specified in each dictionary (in order) to determine whether VPN On Demand should be allowed or not on the newly joined network. The matching criteria can include any of the following:
- DNS domain or DNS server settings (with wildcard matching)
- SSID
- Interface type
- Reachable server detection

Dictionaries are checked sequentially, beginning with the first dictionary in the array. A dictionary matches the current network only if all of the specified policies in that dictionary match. You should always set a default behavior for unknown networks by specifying an action with no matching criteria as the last dictionary in the array.
If a dictionary matches the current network, a server probe is sent if a URL is specified in the profile. VPN then acts according to the policy defined in the dictionary (for example, allow VPN On Demand, ignore VPN On Demand, connect, or disconnect).

Note
Be sure to set a catch-all value. If you do not, the current default behavior is to allow the connection to occur, but this behavior is not guaranteed.
The OnDemandRules dictionaries can contain one or more of the following keys:

Action (String)
    The action to take if this dictionary matches the current network. Possible values are:
    Allow: Deprecated. Allow VPN On Demand to connect if triggered.
    Connect: Unconditionally initiate a VPN connection on the next network attempt.
    Disconnect: Tear down the VPN connection and do not reconnect on demand as long as this dictionary matches.
    EvaluateConnection: Evaluate the ActionParameters array for each connection attempt.
    Ignore: Leave any existing VPN connection up, but do not reconnect on demand as long as this dictionary matches.

ActionParameters (Array of Dictionaries)
    An array of dictionaries that provide rules similar to the OnDemandRules dictionary, but evaluated on each connection instead of when the network changes. These dictionaries are evaluated in order, and the behavior is determined by the first dictionary that matches. The keys allowed in each dictionary are described in Keys in the ActionParameters dictionary.
    Note: This array is used only for dictionaries in which EvaluateConnection is the Action value.

DNSDomainMatch (Array of Strings)
    An array of domain names. This rule matches if any of the domain names in the specified list matches any domain in the device's search domains list.
    A wildcard '*' prefix is supported. For example, *.example.com matches against either mydomain.example.com or yourdomain.example.com.

DNSServerAddressMatch (Array of Strings)
    An array of IP addresses. This rule matches if any of the network's specified DNS servers match any entry in the array.
    Matching with a single wildcard is supported. For example, 17.* matches any DNS server in the class A 17 subnet.

InterfaceTypeMatch (String)
    An interface type. If specified, this rule matches only if the primary network interface hardware matches the specified type. Supported values are Ethernet, WiFi, and Cellular.

SSIDMatch (Array of Strings)
    An array of SSIDs to match against the current network. If the network is not a Wi-Fi network or if the SSID does not appear in this array, the match fails.
    Omit this key and the corresponding array to match against any SSID.

URLStringProbe (String)
    A URL to probe. If this URL is successfully fetched (returning a 200 HTTP status code) without redirection, this rule matches.

Note
SSID, search domains and DNS server addresses are all asserted by the network you join, so a hostile network can present the same values as a trusted one. If a rule disconnects or ignores the VPN on a "trusted" network, pair the SSID and DNS criteria with a URLStringProbe served over HTTPS from a host that is reachable only on that network; a probe that must return 200 without redirection is far harder to satisfy from outside than the advertised network settings are.
The keys allowed in each ActionParameters dictionary are:

Domains (Array of Strings)
    Required. The domains for which this evaluation applies.

DomainAction (String)
    Required. Defines the VPN behavior for the specified domains. Allowed values are:
    ConnectIfNeeded: The specified domains should trigger a VPN connection attempt if domain name resolution fails, such as when the DNS server indicates that it cannot resolve the domain, responds with a redirection to a different server, or fails to respond (timeout).
    NeverConnect: The specified domains will not trigger a VPN connection nor be accessible through an existing VPN connection.

RequiredDNSServers (Array of Strings)
    Optional. An array of IP addresses of DNS servers to be used for resolving the specified domains. These servers need not be part of the device's current network configuration. If these DNS servers are not reachable, a VPN connection is established in response. These DNS servers should be either internal DNS servers or trusted external DNS servers.
    Note: This key is valid only if the value of DomainAction is ConnectIfNeeded.

RequiredURLStringProbe (String)
    Optional. An HTTP or HTTPS (preferred) URL to probe, using a GET request. If no HTTP response code is received from the server, a VPN connection is established in response.
    Note: This key is valid only if the value of DomainAction is ConnectIfNeeded.
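The two-stage evaluation described above (network-change matching over the OnDemandRules array, then per-connection evaluation of ActionParameters), as an added example that is not code from the reference or from Apple. The rule set, the network snapshots and the field names of those snapshots are constructed for the example; the probe URL is hypothetical and the HTTP GET is replaced by a callable so the code runs offline.

```python
from typing import Callable

# Match-criteria keys an OnDemandRules dictionary may carry. A dictionary with
# none of them is the catch-all the reference says to put last.
MATCH_KEYS = ("InterfaceTypeMatch", "SSIDMatch", "DNSDomainMatch",
              "DNSServerAddressMatch", "URLStringProbe")

# Constructed snapshots of what the device observes after a network change.
# The field names are this example's own, not profile keys.
CORP_WIFI = {"interface": "WiFi", "ssid": "CorpNet",
             "search_domains": ["eng.example.com", "example.com"],
             "dns_servers": ["10.1.2.53", "10.1.3.53"]}
CELLULAR = {"interface": "Cellular", "ssid": None,
            "search_domains": [], "dns_servers": ["198.51.100.53"]}

# Constructed rule set: disconnect when demonstrably on the corporate Wi-Fi,
# always connect on cellular, otherwise decide per destination domain.
RULES = [
    {"InterfaceTypeMatch": "WiFi", "SSIDMatch": ["CorpNet"],
     "DNSDomainMatch": ["*.example.com"], "DNSServerAddressMatch": ["10.1.*"],
     "URLStringProbe": "https://probe.corp.example.com/ok",   # hypothetical probe URL
     "Action": "Disconnect"},
    {"InterfaceTypeMatch": "Cellular", "Action": "Connect"},
    {"Action": "EvaluateConnection", "ActionParameters": [           # catch-all
        {"Domains": ["internal.example.com"], "DomainAction": "ConnectIfNeeded",
         "RequiredDNSServers": ["10.1.2.53"]},
        {"Domains": ["public.example.com"], "DomainAction": "NeverConnect"}]},
]


def domain_pattern_matches(pattern: str, domain: str) -> bool:
    """DNSDomainMatch: exact match, or a leading '*' wildcard on the label prefix."""
    pattern, domain = pattern.lower(), domain.lower()
    if pattern.startswith("*"):
        return domain.endswith(pattern[1:])
    return pattern == domain


def server_pattern_matches(pattern: str, addr: str) -> bool:
    """DNSServerAddressMatch: a single '*' wildcard is supported."""
    if pattern.count("*") > 1:
        raise ValueError("only a single wildcard is supported")
    if "*" in pattern:
        head, tail = pattern.split("*")
        return addr.startswith(head) and addr.endswith(tail)
    return pattern == addr


def rule_matches(rule: dict, net: dict, probe: Callable[[str], bool]) -> bool:
    """A dictionary matches only if every criterion it specifies matches."""
    if "InterfaceTypeMatch" in rule and rule["InterfaceTypeMatch"] != net["interface"]:
        return False
    if "SSIDMatch" in rule and (net["interface"] != "WiFi" or net["ssid"] not in rule["SSIDMatch"]):
        return False
    if "DNSDomainMatch" in rule and not any(
            domain_pattern_matches(p, d) for p in rule["DNSDomainMatch"] for d in net["search_domains"]):
        return False
    if "DNSServerAddressMatch" in rule and not any(
            server_pattern_matches(p, s) for p in rule["DNSServerAddressMatch"] for s in net["dns_servers"]):
        return False
    # probe() stands in for the GET and must report a 200 without redirection.
    # It is the one criterion a network cannot satisfy merely by advertising
    # the right SSID and DNS settings, provided the URL is HTTPS.
    if "URLStringProbe" in rule and not probe(rule["URLStringProbe"]):
        return False
    return True


def select_rule(rules: list, net: dict, probe: Callable[[str], bool]):
    """Dictionaries are checked in order; the first match wins. None: nothing matched."""
    for rule in rules:
        if rule_matches(rule, net, probe):
            return rule
    return None


def has_catch_all(rules: list) -> bool:
    """True if the last dictionary carries no match criteria (the recommended default)."""
    return bool(rules) and not any(k in rules[-1] for k in MATCH_KEYS)


def host_in_domain(host: str, domain: str) -> bool:
    host, domain = host.lower().rstrip("."), domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def decide_for_host(rule: dict, host: str, resolvable: bool) -> str:
    """Per-connection outcome under the selected rule. For EvaluateConnection the
    first ActionParameters entry whose Domains cover the host decides; `resolvable`
    stands for whether DNS resolution of the host succeeded."""
    action = rule["Action"]
    if action in ("Connect", "Disconnect", "Ignore"):
        return action.lower()
    if action == "Allow":
        return "allow"   # deprecated since iOS 7: domains come from OnDemandMatchDomains*
    if action != "EvaluateConnection":
        raise ValueError(f"unknown Action {action!r}")
    for params in rule.get("ActionParameters", []):
        if any(host_in_domain(host, d) for d in params["Domains"]):
            if params["DomainAction"] == "NeverConnect":
                return "never"
            return "connect" if not resolvable else "none"   # ConnectIfNeeded
    return "none"
```

With a probe that fails, the first rule does not match even on a network that advertises the CorpNet SSID and corporate DNS settings, and evaluation falls through to the catch-all; that is the behaviour you want on a spoofed network.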
IKEv2 Dictionary Keys
If VPNType is IKEv2, the following keys may be provided in a dictionary:

RemoteAddress (String)
    Required. IP address or host name of the VPN server.

LocalIdentifier (String)
    Required. Identifier of the IKEv2 client in one of the following formats: FQDN, UserFQDN, Address, ASN1DN.

RemoteIdentifier (String)
    Required. Remote identifier in one of the following formats: FQDN, UserFQDN, Address, ASN1DN.

AuthenticationMethod (String)
    Required. One of the following: SharedSecret, Certificate, None.
    To enable EAP-only authentication, the authentication method should be set to None and the ExtendedAuthEnabled key should be set to 1. If this key is set to None and the ExtendedAuthEnabled key is not set, the authentication configuration defaults to SharedSecret.

PayloadCertificateUUID (String)
    Optional. The UUID of the identity certificate used as the account credential. If the value of AuthenticationMethod is Certificate, this certificate is sent out for IKEv2 machine authentication. If extended authentication (EAP) is used, it is sent out for EAP-TLS authentication.

CertificateType (String)
    Optional. This key specifies the type of PayloadCertificateUUID used for IKEv2 machine authentication. Its value is one of the following: RSA (Default), ECDSA256, ECDSA384, ECDSA521.
    If this key is included, the ServerCertificateIssuerCommonName key is required.

SharedSecret (String)
    Optional. If AuthenticationMethod is SharedSecret, this value is used for IKE authentication.

ExtendedAuthEnabled (Integer)
    Optional. Set to 1 to enable EAP-only authentication (see AuthenticationMethod, above). Defaults to 0.

AuthName (String)
    Optional. User name used for authentication.

AuthPassword (String)
    Optional. Password used for authentication.
DeadPeerDetectionRate (String)
    Optional. One of the following:
    None (disable)
    Low (keepalive sent every 30 minutes)
    Medium (keepalive sent every 10 minutes)
    High (keepalive sent every 1 minute)
    Defaults to Medium.

ServerCertificateIssuerCommonName (String)
    Optional. Common Name of the server certificate issuer. If set, this field will cause IKE to send a certificate request based on this certificate issuer to the server.
    This key is required if both the CertificateType key is included and the ExtendedAuthEnabled key is set to 1.

ServerCertificateCommonName (String)
    Optional. Common Name of the server certificate. This name is used to validate the certificate sent by the IKE server. If not set, the RemoteIdentifier will be used to validate the certificate.

TLSMinimumVersion (String)
    Optional. The minimum TLS version to be used with EAP-TLS authentication. Value may be 1.0, 1.1, or 1.2. If no value is specified, the default minimum is 1.0.
    Availability: Available in iOS 11.0 and macOS 10.13 and later.

TLSMaximumVersion (String)
    Optional. The maximum TLS version to be used with EAP-TLS authentication. Value may be 1.0, 1.1, or 1.2. If no value is specified, the default maximum is 1.2.
    Availability: Available in iOS 11.0 and macOS 10.13 and later.

NATKeepAliveOffloadEnable (Integer)
    Optional. Set to 1 to enable or 0 to disable NAT keepalive offload for Always On VPN IKEv2 connections. Keepalive packets are sent by the device to maintain NAT mappings for IKEv2 connections that have a NAT on the path. Keepalive packets are sent at a regular interval when the device is awake. If NATKeepAliveOffloadEnable is set to 1, keepalive packets will be offloaded to hardware while the device is asleep. NAT keepalive offload has an impact on battery life since extra workload is added during sleep. The default interval for the keepalive offload packets is 20 seconds over Wi-Fi and 110 seconds over a cellular interface. The default NAT keepalive works well on networks with small NAT mapping timeouts but imposes a potential battery impact. If a network is known to have larger NAT mapping timeouts, larger keepalive intervals may be safely used to minimize battery impact. The keepalive interval can be modified by setting the NATKeepAliveInterval key. The default value for NATKeepAliveOffloadEnable is 1.

NATKeepAliveInterval (Integer)
    Optional. NAT keepalive interval for Always On VPN IKEv2 connections. This value controls the interval at which keepalive offload packets are sent by the device. The minimum value is 20 seconds. If no key is specified, the default is 20 seconds over Wi-Fi and 110 seconds over a cellular interface.
UseConfigurationAttributeInternalIPSubnet (Integer)
    Optional. If set to 1, negotiations should use the IKEv2 Configuration Attributes INTERNAL_IP4_SUBNET and INTERNAL_IP6_SUBNET. Defaults to 0.
    Availability: Available in iOS 9.0 and later.

DisableMOBIKE (Integer)
    Optional. If set to 1, disables MOBIKE. Defaults to 0.
    Availability: Available in iOS 9.0 and later.

DisableRedirect (Integer)
    Optional. If set to 1, disables IKEv2 redirect. If not set, the IKEv2 connection would be redirected if a redirect request is received from the server. Defaults to 0.
    Availability: Available in iOS 9.0 and later.

EnablePFS (Integer)
    Optional. Set to 1 to enable Perfect Forward Secrecy (PFS) for IKEv2 connections. Default is 0.
    Availability: Available in iOS 9.0 and later.

EnableCertificateRevocationCheck (Integer)
    Optional. Set to 1 to enable a certificate revocation check for IKEv2 connections. This is a best-effort revocation check; server response timeouts will not cause it to fail.
    Availability: Available in iOS 9.0 and later.

IKESecurityAssociationParameters (Dictionary)
    Optional. See the table below. Applies to the child Security Association unless ChildSecurityAssociationParameters is specified.

ChildSecurityAssociationParameters (Dictionary)
    Optional. See the table below.

The IKESecurityAssociationParameters and ChildSecurityAssociationParameters dictionaries may contain the following keys:

EncryptionAlgorithm (String)
    Optional. One of:
    DES
    3DES
    AES-128
    AES-256 (Default)
    AES-128-GCM (16-octet ICV)
    AES-256-GCM (16-octet ICV)

IntegrityAlgorithm (String)
    Optional. One of:
    SHA1-96
    SHA1-160
    SHA2-256 (Default)
    SHA2-384
    SHA2-512

DiffieHellmanGroup (Integer)
    Optional. One of: 1, 2, 5, 14 (Default), 15, 16, 17, 18, 19, 20, or 21.

LifeTimeInMinutes (Integer)
    Optional. SA lifetime (rekey interval) in minutes. Valid values are 10 through 1440. Defaults to 1440 minutes.

Note
DES, 3DES, the SHA1-* integrity algorithms and Diffie-Hellman groups 1, 2 and 5 are accepted for compatibility with older servers only. For a new deployment use an AES-GCM suite, SHA2-256 or stronger, group 14 or higher (19, 20 and 21 are the elliptic-curve groups), and set EnablePFS to 1, since it defaults to 0. The revocation check is best effort and, as stated above, does not fail closed on a timeout; it is not a substitute for short certificate lifetimes.
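An added example (not code from the reference or from Apple) that builds a certificate-authenticated IKEv2 VPN payload and lints it against the constraints stated in the VPN Payload and IKEv2 Dictionary Keys sections: VPNSubType presence rules, the required IKEv2 keys, the None/ExtendedAuthEnabled fallback, CertificateType requiring ServerCertificateIssuerCommonName, TLS version ordering and the SA parameter ranges. The placement of the IKEv2 dictionary under the top-level key IKEv2 follows the reference's wording. The payload identifier, display name, issuer CN and identity UUID are constructed; the "weak algorithm" and "PPTP" findings are this example's assessments, not rules the reference states.

```python
import plistlib
import uuid

ALLOWED_DH = {1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21}
WEAK_DH = {1, 2, 5}                 # editor's assessment, not a rule from the reference
WEAK_ENCRYPTION = {"DES", "3DES"}   # same
TLS_VERSIONS = ("1.0", "1.1", "1.2")


def lint_sa(sa: dict) -> list:
    """Check an IKESecurityAssociationParameters / ChildSecurityAssociationParameters dict."""
    out = []
    enc = sa.get("EncryptionAlgorithm", "AES-256")
    if enc in WEAK_ENCRYPTION:
        out.append(f"weak EncryptionAlgorithm {enc}")
    integ = sa.get("IntegrityAlgorithm", "SHA2-256")
    if integ.startswith("SHA1"):
        out.append(f"weak IntegrityAlgorithm {integ}")
    dh = sa.get("DiffieHellmanGroup", 14)
    if dh not in ALLOWED_DH:
        out.append(f"invalid DiffieHellmanGroup {dh}")
    elif dh in WEAK_DH:
        out.append(f"weak DiffieHellmanGroup {dh}")
    life = sa.get("LifeTimeInMinutes", 1440)
    if not 10 <= life <= 1440:
        out.append(f"LifeTimeInMinutes {life} outside 10..1440")
    return out


def lint_vpn_payload(p: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    vpn_type = p.get("VPNType")
    if vpn_type == "VPN" and not p.get("VPNSubType"):
        findings.append("VPNSubType is required when VPNType is VPN")
    if vpn_type == "IKEv2" and p.get("VPNSubType", "") != "":
        findings.append("VPNSubType must be the empty string when VPNType is IKEv2")
    if vpn_type == "PPTP":
        findings.append("PPTP: MS-CHAPv2/MPPE are considered broken (editor's assessment); use IKEv2")
    if vpn_type != "IKEv2":
        return findings
    ike = p.get("IKEv2")
    if not isinstance(ike, dict):
        return findings + ["IKEv2 dictionary is missing"]
    for key in ("RemoteAddress", "LocalIdentifier", "RemoteIdentifier", "AuthenticationMethod"):
        if key not in ike:
            findings.append(f"IKEv2.{key} is required")
    if ike.get("AuthenticationMethod") == "None" and ike.get("ExtendedAuthEnabled") != 1:
        findings.append("AuthenticationMethod None without ExtendedAuthEnabled=1 falls back to SharedSecret")
    if ike.get("AuthenticationMethod") == "SharedSecret" and not ike.get("SharedSecret"):
        findings.append("SharedSecret is empty")
    # The reference states this in two forms; the stricter one (any CertificateType) is applied.
    if "CertificateType" in ike and "ServerCertificateIssuerCommonName" not in ike:
        findings.append("ServerCertificateIssuerCommonName is required when CertificateType is set")
    lo, hi = ike.get("TLSMinimumVersion", "1.0"), ike.get("TLSMaximumVersion", "1.2")
    if lo not in TLS_VERSIONS or hi not in TLS_VERSIONS:
        findings.append("TLSMinimumVersion/TLSMaximumVersion must be 1.0, 1.1 or 1.2")
    elif TLS_VERSIONS.index(lo) > TLS_VERSIONS.index(hi):
        findings.append("TLSMinimumVersion is higher than TLSMaximumVersion")
    if ike.get("EnablePFS") != 1:
        findings.append("EnablePFS defaults to 0; set it to 1 for forward secrecy")
    if ike.get("EnableCertificateRevocationCheck") != 1:
        findings.append("EnableCertificateRevocationCheck is off (and best-effort even when on)")
    for name in ("IKESecurityAssociationParameters", "ChildSecurityAssociationParameters"):
        findings += [f"{name}: {f}" for f in lint_sa(ike.get(name, {}))]
    return findings


def ikev2_payload(remote: str, local_id: str, identity_uuid: str, sa: dict) -> dict:
    """Certificate-authenticated IKEv2 payload; identifier, names and issuer CN are constructed."""
    return {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.ikev2",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Example Corp IKEv2",
        "UserDefinedName": "Example Corp IKEv2",
        "VPNType": "IKEv2",
        "IKEv2": {
            "RemoteAddress": remote, "RemoteIdentifier": remote,
            "LocalIdentifier": local_id,
            "AuthenticationMethod": "Certificate",
            "PayloadCertificateUUID": identity_uuid,
            "CertificateType": "ECDSA256",
            "ServerCertificateIssuerCommonName": "Example Corp VPN Issuing CA",
            "EnablePFS": 1, "EnableCertificateRevocationCheck": 1,
            "IKESecurityAssociationParameters": dict(sa),
            "ChildSecurityAssociationParameters": dict(sa),
        },
    }


STRONG_SA = {"EncryptionAlgorithm": "AES-256-GCM", "IntegrityAlgorithm": "SHA2-384",
             "DiffieHellmanGroup": 20, "LifeTimeInMinutes": 480}
LEGACY_SA = {"EncryptionAlgorithm": "3DES", "IntegrityAlgorithm": "SHA1-96",
             "DiffieHellmanGroup": 2}


def to_plist(payload: dict) -> bytes:
    return plistlib.dumps(payload, fmt=plistlib.FMT_XML)


def from_plist(data: bytes) -> dict:
    return plistlib.loads(data)
```

Run the linter over every VPN payload before it reaches the MDM: a payload that silently falls back to SharedSecret, or that negotiates 3DES with group 2 because the defaults were left alone on the server side, is exactly the kind of issue that is invisible in a profile editor.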
DNS Dictionary Keys
If VPNType is IKEv2, the following DNS keys may be provided:

ServerAddresses (Array of Strings)
    Required. An array of DNS server IP address strings. These IP addresses can be a mixture of IPv4 and IPv6 addresses.
    Availability: Available in iOS 10.0 and later and macOS 10.12 and later.

SearchDomains (Array of Strings)
    Optional. A list of domain strings used to fully qualify single-label host names.
    Availability: Available in iOS 10.0 and later and macOS 10.12 and later.

DomainName (String)
    Optional. The primary domain of the tunnel.
    Availability: Available in iOS 10.0 and later and macOS 10.12 and later.

SupplementalMatchDomains (Array of Strings)
    Optional. A list of domain strings used to determine which DNS queries will use the DNS resolver settings contained in ServerAddresses. This key is used to create a split DNS configuration where only hosts in certain domains are resolved using the tunnel's DNS resolver. Hosts not in one of the domains in this list are resolved using the system's default resolver.
    If SupplementalMatchDomains contains the empty string it becomes the default domain. This is how a split-tunnel configuration can direct all DNS queries first to the VPN DNS servers before the primary DNS servers. If the VPN tunnel becomes the network's default route, the servers listed in ServerAddresses become the default resolver and the SupplementalMatchDomains list is ignored.
    Availability: Available in iOS 10.0 and later and macOS 10.12 and later.

SupplementalMatchDomainsNoSearch (Integer)
    Optional. Whether (0) or not (1) the domains in the SupplementalMatchDomains list should be appended to the resolver's list of search domains. Default is 0.
    Availability: Available in iOS 10.0 and later and macOS 10.12 and later.
Proxies Dictionary Keys
The Proxies dictionary may contain the following keys:

ProxyAutoConfigEnable (Integer)
    Optional. Set to 1 to enable automatic proxy configuration. Defaults to 0.

ProxyAutoConfigURLString (String)
    Optional. URL to the location of the proxy auto-configuration file. Used only when ProxyAutoConfigEnable is 1.

SupplementalMatchDomains (Array of Strings)
    Optional. If set, then only connections to hosts within one or more of the specified domains will use the proxy settings.

If ProxyAutoConfigEnable is 0, the dictionary may also contain the following keys:

HTTPEnable (Integer)
    Optional. Set to 1 to enable the proxy for HTTP traffic. Defaults to 0.

HTTPProxy (String)
    Optional. The host name of the HTTP proxy.

HTTPPort (Integer)
    Optional. The port number of the HTTP proxy. This field is required if HTTPProxy is specified.

HTTPProxyUsername (String)
    Optional. The user name used for authentication.

HTTPProxyPassword (String)
    Optional. The password used for authentication.

HTTPSEnable (Integer)
    Optional. Set to 1 to enable the proxy for HTTPS traffic. Defaults to 0.

HTTPSProxy (String)
    Optional. The host name of the HTTPS proxy.

HTTPSPort (Integer)
    Optional. The port number of the HTTPS proxy. This field is required if HTTPSProxy is specified.
AlwaysOn Dictionary Keys
If VPNType is AlwaysOn, the following keys may be provided in a dictionary:

UIToggleEnabled (Integer)
    Optional. If set to 1, allows the user to disable this VPN configuration. Defaults to 0.

TunnelConfigurations (Array of Dictionaries)
    Required. See below.

ServiceExceptions (Array of Dictionaries)
    Optional. See below.

AllowCaptiveWebSheet (Integer)
    Optional. Set to 1 to allow traffic from the Captive Web Sheet outside the VPN tunnel. Defaults to 0.

AllowAllCaptiveNetworkPlugins (Integer)
    Optional. Set to 1 to allow traffic from all Captive Networking apps outside the VPN tunnel to perform captive network handling. Defaults to 0.

AllowedCaptiveNetworkPlugins (Array of Dictionaries)
    Optional. Array of Captive Networking apps whose traffic will be allowed outside the VPN tunnel to perform captive network handling. Used only when AllowAllCaptiveNetworkPlugins is 0.
    Each dictionary in the AllowedCaptiveNetworkPlugins array must contain a BundleIdentifier key of type String, the value of which is the app's bundle identifier.
    Captive Networking apps may require additional entitlements to operate in a captive environment.

Each dictionary in a TunnelConfigurations array may contain the following keys:

ProtocolType (String)
    Must be IKEv2.

Interfaces (Array of Strings)
    Optional. Specify the interfaces to which this configuration applies. Valid values are Cellular and WiFi. Defaults to Cellular, WiFi.

In addition, all keys defined for the IKEv2 dictionary, such as RemoteAddress and LocalIdentifier, may be present in a TunnelConfigurations dictionary.

Each dictionary in a ServiceExceptions array may contain the following keys:

ServiceName (String)
    Required. The name of a system service which is exempt from Always On VPN. Must be one of:
    VoiceMail
    AirPrint
    CellularServices (Available in iOS 11.3 and later.)

Action (String)
    Required. One of the following:
    Allow
    Drop
Per-App VPN Payload
The Per-App VPN payload is used for configuring add-on VPN software, and it works only on VPN services of type 'VPN'. It should not be confused with the standard VPN payload, described in VPN Payload.
This payload is supported only in iOS 7.0 and later and macOS v10.9 and later.
The Per-App VPN payload is designated by specifying com.apple.vpn.managed.applayer as the PayloadType value.
The Per-App VPN payload supports all of the keys described in VPN Payload plus the following additional keys:

VPNUUID (String)
    A globally-unique identifier for this VPN configuration. This identifier is used to configure apps so that they use the Per-App VPN service for all of their network communication. See App-to-Per-App VPN Mapping.

SafariDomains (Array)
    This optional key is a special case of App-to-Per-App VPN Mapping. It sets up the app mapping for Safari (WebKit) with a specific identifier and a designated requirement.
    The array contains strings, each of which is a domain that should trigger this VPN connection in Safari. The rule matching behavior is as follows:
    - Before being matched against a host, all leading and trailing dots are stripped from the domain string. For example, if the domain string is ".com" the domain string used to match is "com".
    - Each label in the domain string must match an entire label in the host string. For example, a domain of "example.com" matches "www.example.com", but not "foo.badexample.com".
    - Domain strings with only one label must match the entire host string. For example, a domain of "com" matches "com", not "www.example.com".

OnDemandMatchAppEnabled (Boolean)
    If true, the Per-App VPN connection starts automatically when apps linked to this Per-App VPN service initiate network communication.
    If false, the Per-App VPN connection must be started manually by the user before apps linked to this Per-App VPN service can initiate network communication.
    If this key is not present, the value of the OnDemandEnabled key is used to determine the status of Per-App VPN On Demand.

ProviderType (String)
    Optional. Either packet-tunnel or app-proxy. The default is app-proxy. If the value of this key is app-proxy, then the VPN service will tunnel traffic at the application layer. If the value of this key is packet-tunnel, then the VPN service will tunnel traffic at the IP layer.
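The SafariDomains matching rules above, as an added example that is not code from the reference or from Apple. It implements the three rules literally (dot stripping, whole-label matching, single-label exact match) so that a naive suffix comparison, which would route foo.badexample.com into a tunnel meant for example.com, is visibly avoided. The SAFARI_DOMAINS array is constructed; treating an exact host match (example.com itself) as matching is an assumption of the example, since the reference's examples only show hosts below the domain.

```python
def domain_labels(domain: str) -> list:
    """Strip leading and trailing dots, then split into labels (compared case-insensitively)."""
    core = domain.strip(".").lower()
    return core.split(".") if core else []


def safari_domain_matches(domain: str, host: str) -> bool:
    """True if `host` should be routed into the Per-App VPN for the SafariDomains entry `domain`."""
    labels = domain_labels(domain)
    host_labels = host.rstrip(".").lower().split(".")
    if not labels:
        return False
    if len(labels) == 1:
        # a single-label domain must match the whole host string
        return host_labels == labels
    # each label of the domain must match an entire label of the host, so the
    # comparison is on the trailing labels, not on a character suffix. Assumption:
    # a host equal to the domain itself also matches.
    return len(host_labels) >= len(labels) and host_labels[-len(labels):] == labels


def routed_to_vpn(safari_domains: list, host: str) -> bool:
    """Apply every SafariDomains entry; any match routes the request into the tunnel."""
    return any(safari_domain_matches(d, host) for d in safari_domains)


# Constructed SafariDomains array for the example.
SAFARI_DOMAINS = [".intranet.example.com.", "example.net"]
```
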
App-to-Per-App VPN Mapping
The App-to-Per-App mapping payload is designated by specifying com.apple.vpn.managed.appmapping as the PayloadType value.
This payload is supported only in macOS 10.9 and later. It is not supported in iOS.

AppLayerVPNMapping (Array of Dictionaries)
    An array of mapping dictionaries.

Each dictionary in the array must contain the following keys:

Identifier (String)
    Required. The app's bundle ID.

VPNUUID (String)
    Required. The VPNUUID of the Per-App VPN defined in a Per-App VPN payload.

DesignatedRequirement (String)
    Required. The code signature designated requirement of the app that will use the per-app VPN.

SigningIdentifier (String)
    Required. The code signature signing identifier of the app that will use the per-app VPN.

The DesignatedRequirement, not the bundle ID alone, is what binds the tunnel to a particular signed binary: any app can claim an Identifier, so a requirement that pins the signing certificate or Team ID is what keeps an unrelated app with the same bundle ID from being routed into the VPN.
Web Clip Payload
The Web Clip payload is designated by specifying com.apple.webClip.managed as the PayloadType value.
A Web Clip payload provides a web clipping on the user's home screen as though the user had saved a bookmark to the home screen.
In addition to the settings common to all payloads, this payload defines the following keys:

URL (String)
    The URL that the Web Clip should open when clicked. The URL must begin with HTTP or HTTPS or it won't work.

Label (String)
    The name of the Web Clip as displayed on the Home screen.

Icon (Data)
    Optional. A PNG icon to be shown on the Home screen. Should be 59 x 60 pixels in size. If not specified, a white square will be shown.

IsRemovable (Boolean)
    Optional. If false, the web clip is not removable. Defaults to true. Not available in macOS.
Web Content Filter Payload
The Web Content Filter payload allows you to whitelist and blacklist specific web URLs. This payload is supported only on supervised devices.
Web content filtering is designated by specifying com.apple.webcontent-filter as the PayloadType value and adding a FilterType string with one of these values:
BuiltIn (Default)
Plugin
On macOS, FilterType must be Plugin.
If FilterType is BuiltIn, this payload defines the following keys in addition to the settings common to all payloads:

AutoFilterEnabled (Boolean)
    Optional. If true, automatic filtering is enabled. This function evaluates each web page as it is loaded and attempts to identify and block content not suitable for children. The search algorithm is complex and may vary from release to release, but it is basically looking for adult language, i.e. swearing and sexually explicit language. The default value is false.

PermittedURLs (Array of Strings)
    Optional. Used only when AutoFilterEnabled is true. Otherwise, this field is ignored.
    Each entry contains a URL that is accessible whether the automatic filter allows access or not.

WhitelistedBookmarks (Array of Dictionaries)
    Optional. If present, these URLs are added to the browser's bookmarks, and the user is not allowed to visit any sites other than these. The number of these URLs should be limited to about 500.

BlacklistedURLs (Array of Strings)
    Optional. Access to the specified URLs is blocked. The number of these URLs should be limited to about 500.

Each entry in the WhitelistedBookmarks field contains a dictionary with the following keys:

URL (String)
    URL of the whitelisted bookmark.

BookmarkPath (String)
    Optional. The folder into which the bookmark should be added in Safari; /Interesting Topic Pages/Biology/, for example. If absent, the bookmark is added to the default bookmarks directory.

Title (String)
    The title of the bookmark.

When multiple content filter payloads are present:
- The blacklist is the union of all blacklists; that is, any URL that appears in any blacklist is inaccessible.
- The permitted list is the intersection of all permitted lists; that is, only URLs that appear in every permitted list are accessible when they would otherwise be blocked by the automatic filter.
- The whitelist is the intersection of all whitelists; that is, only URLs that appear in every whitelist are accessible.

URLs are matched by using string-based root matching. A URL matches a whitelist, blacklist, or permitted list pattern if the exact characters of the pattern appear as the root of the URL. For example, if test.com/a is blacklisted, then test.com, test.com/b, and test.com/c/d/e will all be blocked. Matching does not discard subdomain prefixes, so if test.com/a is blacklisted, m.test.com is not blocked. Also, no attempt is made to match aliases (IP addresses versus DNS names, for example) or to handle requests with explicit port numbers.
If a profile does not contain an array for PermittedURLs or WhitelistedBookmarks, that profile is skipped when evaluating the missing array or arrays. As an exception, if a payload contains an AutoFilterEnabled key but does not contain a PermittedURLs array, that profile is treated as containing an empty array; that is, all websites are blocked.
All filtering options are active simultaneously. Only URLs and sites that pass all rules are permitted.
Apple domains cannot be blacklisted.

Because subdomains, aliases and explicit ports are not matched, a blacklist entry covers only the literal root it names: m.test.com, the site's IP address and test.com:8443 all bypass it. A blacklist is therefore a convenience, not a control; only WhitelistedBookmarks fails closed.
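The combination rules above (union of blacklists, intersection of permitted lists and whitelists, skipping of payloads that lack an array, and the AutoFilterEnabled-without-PermittedURLs exception), as an added example that is not code from the reference or from Apple. Root matching is implemented as a plain prefix comparison after stripping the URL scheme; that scheme stripping is an assumption of the example, and the reference's example in which test.com/a also blocks the shorter URL test.com is not reproduced, so do not read this as a specification of the built-in matcher. The payloads and URLs are constructed, and the automatic filter's verdict is passed in as a flag.

```python
def strip_scheme(s: str) -> str:
    """Drop an http:// or https:// prefix so patterns and URLs compare on the same root.
    Assumption of this example; the reference only says matching is string-based."""
    low = s.lower()
    for scheme in ("https://", "http://"):
        if low.startswith(scheme):
            return s[len(scheme):]
    return s


def root_matches(pattern: str, url: str) -> bool:
    """String-based root match: the pattern's exact characters must start the URL.
    Subdomain prefixes are not discarded; aliases and explicit ports are not handled."""
    return strip_scheme(url).startswith(strip_scheme(pattern))


def effective_policy(payloads: list) -> dict:
    """Fold several BuiltIn payloads into one policy. None means 'no payload set this list'."""
    blacklist, permitted, whitelist, auto = set(), None, None, False
    for p in payloads:
        blacklist |= set(p.get("BlacklistedURLs", []))               # union
        if p.get("AutoFilterEnabled"):
            auto = True
        if "PermittedURLs" in p or "AutoFilterEnabled" in p:
            # AutoFilterEnabled present but no PermittedURLs counts as an empty list
            current = set(p.get("PermittedURLs", []))
            permitted = current if permitted is None else permitted & current   # intersection
        if "WhitelistedBookmarks" in p:
            current = {b["URL"] for b in p["WhitelistedBookmarks"]}
            whitelist = current if whitelist is None else whitelist & current   # intersection
        # a payload without an array is skipped when evaluating that array
    return {"blacklist": blacklist, "permitted": permitted,
            "whitelist": whitelist, "autofilter": auto}


def is_allowed(policy: dict, url: str, auto_filter_blocks: bool = False) -> bool:
    """All rules are active at once; the URL must pass every one.
    auto_filter_blocks stands in for the built-in classifier's verdict on the page."""
    if any(root_matches(b, url) for b in policy["blacklist"]):
        return False
    if policy["whitelist"] is not None and not any(root_matches(w, url) for w in policy["whitelist"]):
        return False
    if policy["autofilter"] and auto_filter_blocks:
        permitted = policy["permitted"] or set()
        if not any(root_matches(p, url) for p in permitted):
            return False
    return True


# Constructed payloads (only the keys relevant to matching are shown).
FILTER_A = {"AutoFilterEnabled": True,
            "PermittedURLs": ["https://wiki.example.com", "https://news.example.org"],
            "BlacklistedURLs": ["https://gambling.example.net"]}
FILTER_B = {"PermittedURLs": ["https://wiki.example.com"],
            "BlacklistedURLs": ["https://tracker.example.net/ads"]}
KIOSK = {"WhitelistedBookmarks": [{"URL": "https://intranet.example.com", "Title": "Intranet"}]}
```

The last two assertions in the accompanying checks are the ones to show a stakeholder who wants to rely on a blacklist: the subdomain and the explicit port both walk straight past it, exactly as the reference says they will.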
If FilterType is Plugin, this payload defines the following keys in addition to the settings common to all payloads:

UserDefinedName (String)
    A string which will be displayed for this filtering configuration.

PluginBundleID (String)
    The bundle ID of the plugin that provides the filtering service.

ServerAddress (String)
    Optional. Server address (may be an IP address, host name, or URL).

UserName (String)
    Optional. A user name for the service.

Password (String)
    Optional. A password for the service.

PayloadCertificateUUID (String)
    Optional. UUID pointing to an identity certificate payload. This identity will be used to authenticate the user to the service.

Organization (String)
    Optional. An Organization string that will be passed to the third-party plugin.

VendorConfig (Dictionary)
    Optional. Custom dictionary needed by the filtering service plugin.

FilterBrowsers (Integer)
    Optional. If set to 1, filter WebKit traffic. Defaults to 0.

FilterSockets (Integer)
    Optional. If set to 1, filter socket traffic. Defaults to 0.

At least one of FilterBrowsers or FilterSockets must be 1 for the filter to have any effect.
Wi-Fi Payload
The Wi-Fi payload is designated by specifying com.apple.wifi.managed as the PayloadType value.
In addition to the settings common to all payload types, the payload defines the following keys.
Key | Type | Value
SSID_STR | String | SSID of the Wi-Fi network to be used. In iOS 7.0 and later, this is optional if a DomainName value is provided.
HIDDEN_NETWORK | Boolean | Besides SSID, the device uses information such as broadcast type and encryption type to differentiate a network. By default (false), it is assumed that all configured networks are open or broadcast. To specify a hidden network, must be true.
AutoJoin | Boolean | Optional. Default true. If true, the network is auto-joined. If false, the user has to tap the network name to join it. Availability: Available in iOS 5.0 and later and in all versions of macOS.
SetupModes | Array of Strings | Optional. On macOS 802.1x networks, this is an array of strings that contain the type of connection mode which will be attached. Allowed values are System and/or Loginwindow.
EncryptionType | String | The possible values are WEP, WPA, WPA2, Any, and None. WPA specifies WPA only; WPA2 applies to both encryption types. Make sure that these values exactly match the capabilities of the network access point. If you're unsure about the encryption type, or would prefer that it apply to all encryption types, use the value Any. Availability: Key available in iOS 4.0 and later and in all versions of macOS. The None value is available in iOS 5.0 and later and the WPA2 value is available in iOS 8.0 and later.
IsHotspot | Boolean | Optional. Default false. If true, the network is treated as a hotspot. Availability: Available in iOS 7.0 and later and in macOS 10.9 and later.
DomainName | String | Optional. Domain Name used for Wi-Fi Hotspot 2.0 negotiation. This field can be provided instead of SSID_STR. Availability: Available in iOS 7.0 and later and in macOS 10.9 and later.
ServiceProviderRoamingEnabled | Boolean | Optional. If true, allows connection to roaming service providers. Defaults to false. Availability: Available in iOS 7.0 and later and in macOS 10.9 and later.
RoamingConsortiumOIs | Array of Strings | Optional. Array of Roaming Consortium Organization Identifiers used for Wi-Fi Hotspot 2.0 negotiation. Availability: Available in iOS 7.0 and later and in macOS 10.9 and later.
NAIRealmNames | Array of Strings | Optional. Array of strings. List of Network Access Identifier Realm names used for Wi-Fi Hotspot 2.0 negotiation. Availability: Available in iOS 7.0 and later and in macOS 10.9 and later.
MCCAndMNCs | Array of Strings | Optional. Array of strings. List of Mobile Country Code (MCC)/Mobile Network Code (MNC) pairs used for Wi-Fi Hotspot 2.0 negotiation. Each string must contain exactly six digits. Availability: Available in iOS 7.0 and later. This feature is not supported in macOS.
DisplayedOperatorName | String | The operator name to display when connected to this network. Used only with Wi-Fi Hotspot 2.0 access points. Availability: Available in iOS 7.0 and later and in macOS 10.9 and later.
ProxyType | String | Optional. Valid values are None, Manual, and Auto. Availability: Available in iOS 5.0 and later and on all versions of macOS.
CaptiveBypass | Boolean | Optional. If set to true, Captive Network detection will be bypassed when the device connects to the network. Defaults to false. Availability: Available in iOS 10.0 and later.
QoSMarkingPolicy | Dictionary | Optional. When this dictionary is not present for a Wi-Fi network, all apps are whitelisted to use L2 and L3 marking when the Wi-Fi network supports Cisco QoS fastlane. When present in the Wi-Fi payload, the QoSMarkingPolicy dictionary should contain the list of apps that are allowed to benefit from L2 and L3 marking. For dictionary keys, see the table below. Availability: Available in iOS 10.0 and later and in macOS 10.13 and later.
The QoSMarkingPolicy dictionary contains these keys:
Key | Type | Value
QoSMarkingWhitelistedAppIdentifiers | Array of Strings | Optional. Array of app bundle identifiers that will be whitelisted for L2 and L3 marking for traffic sent to the Wi-Fi network. If the array is not present but the QoSMarkingPolicy key is present (even empty) no app gets whitelisted.
QoSMarkingAppleAudioVideoCalls | Boolean | Optional. Specifies if audio and video traffic of built-in audio/video services such as FaceTime and Wi-Fi Calling will be whitelisted for L2 and L3 marking for traffic sent to the Wi-Fi network. Defaults to true.
QoSMarkingEnabled | Boolean | Optional. May be used to disable L3 marking and only use L2 marking for traffic sent to the Wi-Fi network. When this key is false the system behaves as if Wi-Fi was not associated with a Cisco QoS fastlane network. Defaults to true.
If the EncryptionType field is set to WEP, WPA, or ANY, the following fields may also be provided:
Key | Type | Value
Password | String | Optional.
EAPClientConfiguration | Dictionary | Described in EAPClientConfiguration Dictionary.
PayloadCertificateUUID | String | Described in Certificates.
Note
The absence of a password does not prevent a network from being added to the list of known networks. The user is eventually prompted to provide the password when connecting to that network.
If the ProxyType field is set to Manual, the following fields must also be provided:
Key | Type | Value
ProxyServer | String | The proxy server's network address.
ProxyServerPort | Integer | The proxy server's port.
ProxyUsername | String | Optional. The username used to authenticate to the proxy server.
ProxyPassword | String | Optional. The password used to authenticate to the proxy server.
ProxyPACURL | String | Optional. The URL of the PAC file that defines the proxy configuration.
ProxyPACFallbackAllowed | Boolean | Optional. If false, prevents the device from connecting directly to the destination if the PAC file is unreachable. Default is false. Availability: Available in iOS 7 and later.
If the ProxyType field is set to Auto and no ProxyPACURL value is specified, the device uses the web proxy autodiscovery protocol (WPAD) to discover proxies.
For 802.1X enterprise networks, the EAPClientConfiguration Dictionary must be provided.
EAPClientConfiguration Dictionary
In addition to the standard encryption types, it is possible to specify an enterprise profile for a given network via the EAPClientConfiguration key. If present, its value is a dictionary with the following keys.
Key | Type | Value
UserName | String | Optional. Unless you know the exact user name, this property won't appear in an imported configuration. Users can enter this information when they authenticate.
AcceptEAPTypes | Array of Integers | The following EAP types are accepted: 13 = TLS, 17 = LEAP, 18 = EAP-SIM, 21 = TTLS, 23 = EAP-AKA, 25 = PEAP, 43 = EAP-FAST. For EAP-TLS authentication without a network payload, install the necessary identity certificates and have your users select EAP-TLS mode in the 802.1X credentials dialog that appears when they connect to the network. For other EAP types, a network payload is necessary and must specify the correct settings for the network.
UserPassword | String | Optional. User password. If not provided, the user may be prompted during login.
OneTimePassword | Boolean | Optional. If true, the user will be prompted for a password each time they connect to the network. Defaults to false.
PayloadCertificateAnchorUUID | Array of Strings | Optional. Identifies the certificates to be trusted for this authentication. Each entry must contain the UUID of a certificate payload. Use this key to prevent the device from asking the user if the listed certificates are trusted. Dynamic trust (the certificate dialogue) is disabled if this property is specified, unless TLSAllowTrustExceptions is also specified with the value true.
TLSTrustedServerNames | Array of Strings | Optional. This is the list of server certificate common names that will be accepted. You can use wildcards to specify the name, such as wpa.*.example.com. If a server presents a certificate that isn't in this list, it won't be trusted. Used alone or in combination with PayloadCertificateAnchorUUID, the property allows someone to carefully craft which certificates to trust for the given network, and avoid dynamically trusted certificates. Dynamic trust (the certificate dialogue) is disabled if this property is specified, unless TLSAllowTrustExceptions is also specified with the value true.
TLSAllowTrustExceptions | Boolean | Optional. Allows/disallows a dynamic trust decision by the user. The dynamic trust is the certificate dialogue that appears when a certificate isn't trusted. If this is false, the authentication fails if the certificate isn't already trusted. See PayloadCertificateAnchorUUID and TLSTrustedServerNames above. The default value of this property is true unless either PayloadCertificateAnchorUUID or TLSTrustedServerNames is supplied, in which case the default value is false. Availability: Deprecated and ignored in iOS 8.0 and later.
TLSCertificateIsRequired | Boolean | Optional. If true, allows for two-factor authentication for EAP-TTLS, PEAP, or EAP-FAST. If false, allows for zero-factor authentication for EAP-TLS. The default is true for EAP-TLS, and false for other EAP types. Availability: Available in iOS 7.0 and later.
TLSMinimumVersion | String | Optional. The minimum TLS version to be used with EAP authentication. Value may be 1.0, 1.1, or 1.2. If no value is specified, the default minimum is 1.0. Availability: Available in iOS 11.0 and macOS 10.13 and later.
TLSMaximumVersion | String | Optional. The maximum TLS version to be used with EAP authentication. Value may be 1.0, 1.1, or 1.2. If no value is specified, the default maximum is 1.2. Availability: Available in iOS 11.0 and macOS 10.13 and later.
OuterIdentity | String | Optional. This key is only relevant to TTLS, PEAP, and EAP-FAST. This allows the user to hide his or her identity. The user's actual name appears only inside the encrypted tunnel. For example, it could be set to "anonymous" or "anon", or "anon@mycompany.net". It can increase security because an attacker can't see the authenticating user's name in the clear.
TTLSInnerAuthentication | String | Optional. Specifies the inner authentication used by the TTLS module. Possible values are PAP, CHAP, MSCHAP, MSCHAPv2, and EA. Defaults to MSCHAPv2.
SystemModeCredentialsSource | String | Optional. On macOS, for System mode connections, this can be set to ActiveDirectory if you want to use the AD machine name and password credentials. Only one of the SystemModeCredentialsSource or SystemModeUseOpenDirectoryCredentials keys should exist in the dictionary.
SystemModeUseOpenDirectoryCredentials | String | Optional. On macOS, in System mode, this indicates if the connection should try to use the OpenDirectory machine credentials. Only one of the SystemModeCredentialsSource or SystemModeUseOpenDirectoryCredentials keys should exist in the dictionary.
Note
For information about EAP-SIM, see https://tools.ietf.org/html/rfc4186.
EAP-Fast Support
The EAP-FAST module uses the following properties in the EAPClientConfiguration dictionary.
Key | Type | Value
EAPFASTUsePAC | Boolean | Optional. If true, the device will use an existing PAC if it's present. Otherwise, the server must present its identity using a certificate. Defaults to false.
EAPFASTProvisionPAC | Boolean | Optional. Used only if EAPFASTUsePAC is true. If set to true, allows PAC provisioning. Defaults to false. This value must be set to true for EAP-FAST PAC usage to succeed, because there is no other way to provision a PAC.
EAPFASTProvisionPACAnonymously | Boolean | Optional. If true, provisions the device anonymously. Note that there are known man-in-the-middle attacks for anonymous provisioning. Defaults to false.
EAPSIMNumberOfRANDs | Integer | Optional. Number of expected RANDs for EAP SIM. Valid values are 2 and 3. Defaults to 3.
These keys are hierarchical in nature: if EAPFASTUsePAC is false, the other two properties aren't consulted. Similarly, if EAPFASTProvisionPAC is false, EAPFASTProvisionPACAnonymously isn't consulted.
If EAPFASTUsePAC is false, authentication proceeds much like PEAP or TTLS: the server proves its identity using a certificate each time.
If EAPFASTUsePAC is true, then an existing PAC is used if present. The only way to get a PAC on the device currently is to allow PAC provisioning. So, you need to enable EAPFASTProvisionPAC, and if desired, EAPFASTProvisionPACAnonymously. EAPFASTProvisionPACAnonymously has a security weakness: it doesn't authenticate the server so connections are vulnerable to a man-in-the-middle attack.
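The rules spread across the EAPClientConfiguration and EAP-FAST tables above (the AcceptEAPTypes numbers, the dynamic-trust fallback when neither PayloadCertificateAnchorUUID nor TLSTrustedServerNames is set, the TLS version bounds, the OuterIdentity recommendation for tunnelled methods, the EAPFAST* key hierarchy and the mutually exclusive System mode credential keys) are easy to get wrong by hand. The following lint, an added example that is not Apple's code, checks a dictionary against those rules before it is pushed to devices. The two sample dictionaries, the UUID and the host name radius.example.com are constructed placeholders.

```python
"""Lint an EAPClientConfiguration dictionary from a com.apple.wifi.managed payload.

Added example (not Apple's code). It checks the rules the reference states:
the AcceptEAPTypes numbers, the dynamic-trust rule for
PayloadCertificateAnchorUUID / TLSTrustedServerNames, the TLS version
values, the EAPFAST* key hierarchy and the System mode credential keys.
"""
from typing import Any, Dict, List

# EAP type numbers as listed for AcceptEAPTypes.
EAP_TYPES = {13: "TLS", 17: "LEAP", 18: "EAP-SIM", 21: "TTLS",
             23: "EAP-AKA", 25: "PEAP", 43: "EAP-FAST"}
TUNNELLED = (21, 25, 43)          # methods for which OuterIdentity is relevant
TLS_VERSIONS = ("1.0", "1.1", "1.2")


def lint_eap_config(eap: Dict[str, Any]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    findings: List[str] = []
    types = list(eap.get("AcceptEAPTypes", []))
    if not types:
        findings.append("AcceptEAPTypes: no EAP types accepted")
    for t in types:
        if t not in EAP_TYPES:
            findings.append(f"AcceptEAPTypes: unknown EAP type {t}")

    # Without anchors or trusted names the device falls back to dynamic trust,
    # i.e. the user is asked whether to accept the authentication server's certificate.
    if not eap.get("PayloadCertificateAnchorUUID") and not eap.get("TLSTrustedServerNames"):
        findings.append("server trust is dynamic: set PayloadCertificateAnchorUUID "
                        "and/or TLSTrustedServerNames")
    if eap.get("TLSAllowTrustExceptions") is True:
        findings.append("TLSAllowTrustExceptions re-enables the certificate dialogue "
                        "(deprecated and ignored in iOS 8.0 and later)")

    # TLS version bounds; the documented defaults are 1.0 and 1.2.
    vmin = eap.get("TLSMinimumVersion", "1.0")
    vmax = eap.get("TLSMaximumVersion", "1.2")
    for key, value in (("TLSMinimumVersion", vmin), ("TLSMaximumVersion", vmax)):
        if value not in TLS_VERSIONS:
            findings.append(f"{key}: invalid value {value!r}")
    if vmin in TLS_VERSIONS and vmax in TLS_VERSIONS:
        if vmin > vmax:
            findings.append("TLSMinimumVersion is greater than TLSMaximumVersion")
        elif vmin != "1.2":
            findings.append(f"TLSMinimumVersion is {vmin}: EAP can negotiate TLS below 1.2")

    # Tunnelled methods: without OuterIdentity the user name is sent in the clear.
    if any(t in TUNNELLED for t in types) and not eap.get("OuterIdentity"):
        findings.append("OuterIdentity not set: user name is visible outside the TLS tunnel")

    # EAPFAST* keys are hierarchical: keys below a false parent are not consulted.
    if 43 in types:
        use_pac = eap.get("EAPFASTUsePAC", False)
        provision = eap.get("EAPFASTProvisionPAC", False)
        anonymous = eap.get("EAPFASTProvisionPACAnonymously", False)
        if not use_pac and (provision or anonymous):
            findings.append("EAPFASTProvisionPAC* keys are ignored because EAPFASTUsePAC is false")
        elif use_pac and not provision:
            findings.append("EAPFASTUsePAC without EAPFASTProvisionPAC: a PAC can never be provisioned")
        elif use_pac and anonymous:
            findings.append("EAPFASTProvisionPACAnonymously: server is not authenticated "
                            "during provisioning (man-in-the-middle risk)")

    # macOS System mode: only one credential-source key may be present.
    if "SystemModeCredentialsSource" in eap and "SystemModeUseOpenDirectoryCredentials" in eap:
        findings.append("only one of SystemModeCredentialsSource / "
                        "SystemModeUseOpenDirectoryCredentials may be present")
    return findings


# Constructed sample dictionaries; the UUID and host name are placeholders.
HARDENED_PEAP = {
    "AcceptEAPTypes": [25],
    "PayloadCertificateAnchorUUID": ["00000000-0000-4000-8000-000000000001"],
    "TLSTrustedServerNames": ["radius.example.com"],
    "TLSMinimumVersion": "1.2",
    "OuterIdentity": "anonymous",
    "TTLSInnerAuthentication": "MSCHAPv2",
}
WEAK_EAP_FAST = {
    "AcceptEAPTypes": [43],
    "EAPFASTUsePAC": True,
    "EAPFASTProvisionPAC": True,
    "EAPFASTProvisionPACAnonymously": True,
}

if __name__ == "__main__":
    for name, cfg in (("hardened PEAP", HARDENED_PEAP), ("weak EAP-FAST", WEAK_EAP_FAST)):
        print(name + ":", "; ".join(lint_eap_config(cfg)) or "no findings")
```

Run on the hardened PEAP dictionary the lint reports nothing; on the EAP-FAST dictionary it reports dynamic server trust, a TLS 1.0 floor, a missing OuterIdentity and anonymous PAC provisioning, which are exactly the four points the tables above warn about.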
Certificates
As with VPN configurations, it is possible to associate a certificate identity configuration with a Wi-Fi configuration. This is useful when defining credentials for a secure enterprise network. To associate an identity, specify its payload UUID via the "PayloadCertificateUUID" key.
Key | Type | Value
PayloadCertificateUUID | String | UUID of the certificate payload to use for the identity credential.
Domains Payload
This payload defines domains that are under an enterprise's management. This payload is designated by the com.apple.domains PayloadType value.
Unmarked Email Domains
Any email address that does not have a suffix that matches one of the unmarked email domains specified by the key EmailDomains will be considered out-of-domain and will be highlighted as such in the Mail app.
Key | Type | Value
EmailDomains | Array | Optional. An array of strings. An email address lacking a suffix that matches any of these strings will be considered out-of-domain.
Managed Safari Web Domains
Opening a document originating from a managed Safari web domain causes iOS to treat the document as managed for the purpose of Managed Open In.
Key | Type | Value
WebDomains | Array | Optional. An array of URL strings. URLs matching the patterns listed here will be considered managed. Not supported in macOS.
SafariPasswordAutoFillDomains | Array | Optional. An array of URL strings. Supported in iOS 9.3 and later; not supported in macOS. Users can save passwords in Safari only from URLs matching the patterns listed here. Regardless of the iCloud account that the user is using, if the device is not supervised, there can be no whitelist. If the device is supervised, there may be a whitelist, but if there is still no whitelist, note these two cases: If the device is configured as Shared iPad, no password can be saved. If the device is not configured as Shared iPad, all passwords can be saved.
The WebDomains and SafariPasswordAutoFillDomains arrays may contain strings using any of the following matching patterns:
Format | Description
apple.com | Any path under apple.com matches, but not site.apple.com/.
foo.apple.com | Any path under foo.apple.com matches, but not apple.com/ or bar.apple.com/.
*.apple.com | Any path under foo.apple.com or bar.apple.com matches, but not apple.com.
apple.com/sub | apple.com/sub and any path under it matches, but not apple.com/.
foo.apple.com/sub | Any path under foo.apple.com/sub matches, but not apple.com, apple.com/sub, foo.apple.com/, or bar.apple.com/sub.
*.apple.com/sub | Any path under foo.apple.com/sub or bar.apple.com/sub matches, but not apple.com or foo.apple.com/.
*.co | Any path under apple.co or beats.co matches, but not apple.co.uk or apple.com.
A URL that begins with the prefix www. is treated as though it did not contain that prefix during matching. For example, http://www.apple.com/store will be matched as http://apple.com/store.
Trailing slashes will be ignored.
If a ManagedWebDomain string entry contains a port number, only addresses that specify that port number will be considered managed. Otherwise, the domain will be matched without regard to the port number specified. For example, the pattern *.apple.com:8080 will match http://site.apple.com:8080/page.html but not http://site.apple.com/page.html, while the pattern *.apple.com will match both URLs.
Managed Safari Web Domain definitions are cumulative. Patterns defined by all ManagedWebDomains payloads will be used to match a URL request.
SafariPasswordAutoFillDomains definitions are cumulative. Patterns defined by all SafariPasswordAutoFillDomains payloads will be used to determine if passwords can be stored for a given URL.
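Because a pattern that is broader than intended widens where Managed Open In applies and where Safari may store passwords, it is worth checking a domain list against concrete URLs before deploying it. The matcher below is an added example, not Apple's code or the device's implementation: it encodes the table rows and the www., trailing-slash and port rules stated above. One point the table leaves open is labelled as an assumption in the code: a leading "*." is taken to match any host that ends in the remaining suffix, since the table only shows single-label examples.

```python
"""Match URLs against WebDomains / SafariPasswordAutoFillDomains patterns.

Added example (not Apple's code): an implementation of the matching rules in
the table above, so a profile author can check what a pattern list covers
before shipping it.
"""
from typing import Iterable, Optional, Tuple
from urllib.parse import urlsplit


def _parse_pattern(pattern: str) -> Tuple[str, Optional[int], str]:
    """Split 'host[:port][/path]' into (host, port or None, normalised path)."""
    host_port, _, path = pattern.partition("/")
    host, _, port = host_port.partition(":")
    return host.lower(), (int(port) if port else None), "/" + path.strip("/")


def _parse_url(url: str) -> Tuple[str, Optional[int], str]:
    """Normalise a URL: lowercase host, 'www.' prefix dropped, trailing slashes ignored."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[len("www."):]
    return host, parts.port, "/" + parts.path.strip("/")


def _host_matches(pattern_host: str, host: str) -> bool:
    if pattern_host.startswith("*."):
        suffix = pattern_host[1:]          # "*.apple.com" -> ".apple.com"
        # Assumption: any host ending in the suffix matches, but the bare domain does not.
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern_host


def _path_matches(pattern_path: str, path: str) -> bool:
    if pattern_path == "/":
        return True                        # any path under the host
    return path == pattern_path or path.startswith(pattern_path + "/")


def url_matches(pattern: str, url: str) -> bool:
    """True if url falls under the managed-domain pattern."""
    p_host, p_port, p_path = _parse_pattern(pattern)
    host, port, path = _parse_url(url)
    if p_port is not None and port != p_port:
        return False                       # a pattern with a port matches only that port
    return _host_matches(p_host, host) and _path_matches(p_path, path)


def is_managed(url: str, patterns: Iterable[str]) -> bool:
    """Definitions are cumulative: a URL is managed if any pattern matches."""
    return any(url_matches(p, url) for p in patterns)


if __name__ == "__main__":
    # Constructed checks against rows of the table above.
    for pattern, url in [("apple.com", "http://www.apple.com/store"),
                         ("*.apple.com:8080", "http://site.apple.com:8080/page.html"),
                         ("*.apple.com:8080", "http://site.apple.com/page.html"),
                         ("*.co", "https://apple.co.uk/")]:
        print(f"{pattern:18} {url:42} {url_matches(pattern, url)}")
```

Note that apple.com/sub deliberately does not match apple.com/subdir: the path comparison is on whole path segments, which is the conservative reading of "any path under it".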
Active Directory Payload
In macOS 10.9 and later, a configuration profile can be used to configure macOS to join an Active Directory (AD) domain. Advanced AD options available via Directory Utility or the dsconfigad command line tool can also be set using a configuration profile, following this procedure:
1. Start with a macOS Directory payload, created in Profile Manager.
2. Save and download the profile so you can edit it manually.
The following AD configuration keys can be added to the Directory payload, of type com.apple.DirectoryService.managed.
Note that some settings will only be set if the associated flag key is set to true. For example, ADPacketEncryptFlag must be set to true to set the ADPacketEncrypt key to enable.
Key | Type | Description
HostName | String | The Active Directory domain to join.
UserName | String | User name of the account used to join the domain.
Password | String | Password of the account used to join the domain.
ADOrganizationalUnit | String | The organizational unit (OU) where the joining computer object is added.
ADMountStyle | String | Network home protocol to use: "afp" or "smb".
ADCreateMobileAccountAtLoginFlag | Boolean | Enable or disable the ADCreateMobileAccountAtLogin key.
ADCreateMobileAccountAtLogin | Boolean | Create mobile account at login.
ADWarnUserBeforeCreatingMAFlag | Boolean | Enable or disable the ADWarnUserBeforeCreatingMA key.
ADWarnUserBeforeCreatingMA | Boolean | Warn user before creating a Mobile Account.
ADForceHomeLocalFlag | Boolean | Enable or disable the ADForceHomeLocal key.
ADForceHomeLocal | Boolean | Force local home directory.
ADUseWindowsUNCPathFlag | Boolean | Enable or disable the ADUseWindowsUNCPath key.
ADUseWindowsUNCPath | Boolean | Use UNC path from Active Directory to derive network home location.
ADAllowMultiDomainAuthFlag | Boolean | Enable or disable the ADAllowMultiDomainAuth key.
ADAllowMultiDomainAuth | Boolean | Allow authentication from any domain in the forest.
ADDefaultUserShellFlag | Boolean | Enable or disable the ADDefaultUserShell key.
ADDefaultUserShell | String | Default user shell; e.g. /bin/bash.
ADMapUIDAttributeFlag | Boolean | Enable or disable the ADMapUIDAttribute key.
ADMapUIDAttribute | String | Map UID to attribute.
ADMapGIDAttributeFlag | Boolean | Enable or disable the ADMapGIDAttribute key.
ADMapGIDAttribute | String | Map user GID to attribute.
ADMapGGIDAttributeFlag | Boolean | Enable or disable the ADMapGGIDAttribute key.
ADMapGGIDAttribute | String | Map group GID to attribute.
ADPreferredDCServerFlag | Boolean | Enable or disable the ADPreferredDCServer key.
ADPreferredDCServer | String | Prefer this domain server.
ADDomainAdminGroupListFlag | Boolean | Enable or disable the ADDomainAdminGroupList key.
ADDomainAdminGroupList | Array of Strings | Allow administration by specified Active Directory groups.
ADNamespaceFlag | Boolean | Enable or disable the ADNamespace key.
ADNamespace | String | Set primary user account naming convention: "forest" or "domain"; "domain" is default.
ADPacketSignFlag | Boolean | Enable or disable the ADPacketSign key.
ADPacketSign | String | Packet signing: "allow", "disable" or "require"; "allow" is default.
ADPacketEncryptFlag | Boolean | Enable or disable the ADPacketEncrypt key.
ADPacketEncrypt | String | Packet encryption: "allow", "disable", "require" or "ssl"; "allow" is default.
ADRestrictDDNSFlag | Boolean | Enable or disable the ADRestrictDDNS key.
ADRestrictDDNS | Array of Strings | Restrict Dynamic DNS updates to the specified interfaces (e.g. en0, en1, etc).
ADTrustChangePassIntervalDaysFlag | Boolean | Enable or disable the ADTrustChangePassIntervalDays key.
ADTrustChangePassIntervalDays | Integer | How often to require change of the computer trust account password in days; "0" is disabled.
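The flag gating described above has a quiet failure mode: a payload that sets ADPacketEncrypt to "require" without ADPacketEncryptFlag set to true leaves packet encryption at its "allow" default, and nothing in the profile install reports it. The helper below is an added example (not Apple's code or dsconfigad) that resolves a payload to the settings the device will actually apply, lists the keys that are ignored for lack of a true flag, and lists values outside the documented sets. The sample payload, including ad.example.com and the account name, is constructed.

```python
"""Resolve which Active Directory payload keys actually take effect.

Added example (not Apple's code). The reference says a setting is applied
only when its companion <Key>Flag is true; this helper reports what the
device will apply, which keys are ignored and which values are outside the
documented sets.
"""
from typing import Any, Dict, List, Tuple

# Keys gated by a <Key>Flag boolean, as listed in the table above.
FLAGGED_KEYS = (
    "ADCreateMobileAccountAtLogin", "ADWarnUserBeforeCreatingMA", "ADForceHomeLocal",
    "ADUseWindowsUNCPath", "ADAllowMultiDomainAuth", "ADDefaultUserShell",
    "ADMapUIDAttribute", "ADMapGIDAttribute", "ADMapGGIDAttribute",
    "ADPreferredDCServer", "ADDomainAdminGroupList", "ADNamespace",
    "ADPacketSign", "ADPacketEncrypt", "ADRestrictDDNS",
    "ADTrustChangePassIntervalDays",
)
# Documented value sets and defaults for the string-valued keys.
ALLOWED = {
    "ADMountStyle": ("afp", "smb"),
    "ADNamespace": ("forest", "domain"),
    "ADPacketSign": ("allow", "disable", "require"),
    "ADPacketEncrypt": ("allow", "disable", "require", "ssl"),
}
DEFAULTS = {"ADNamespace": "domain", "ADPacketSign": "allow", "ADPacketEncrypt": "allow"}


def effective_ad_settings(payload: Dict[str, Any]) -> Tuple[Dict[str, Any], List[str], List[str]]:
    """Return (applied, ignored, invalid) for a com.apple.DirectoryService.managed payload."""
    applied: Dict[str, Any] = dict(DEFAULTS)
    ignored: List[str] = []
    invalid: List[str] = []
    for key, value in payload.items():
        if key in ALLOWED and value not in ALLOWED[key]:
            invalid.append(key)
        if key in FLAGGED_KEYS:
            if payload.get(key + "Flag") is True:
                applied[key] = value
            else:
                ignored.append(key)        # flag missing or false: value has no effect
        elif not key.endswith("Flag") and not key.startswith("Payload"):
            applied[key] = value           # HostName, UserName, ADMountStyle, ...
    return applied, ignored, invalid


# Constructed payload; the domain and account names are placeholders.
SAMPLE_AD_PAYLOAD = {
    "PayloadType": "com.apple.DirectoryService.managed",
    "HostName": "ad.example.com",
    "UserName": "joiner",
    "ADPacketSignFlag": True,
    "ADPacketSign": "require",
    "ADPacketEncrypt": "require",          # no ADPacketEncryptFlag: stays at "allow"
    "ADNamespaceFlag": False,
    "ADNamespace": "forest",               # flag is false: stays at "domain"
    "ADMountStyle": "nfs",                 # not a documented value
}

if __name__ == "__main__":
    applied, ignored, invalid = effective_ad_settings(SAMPLE_AD_PAYLOAD)
    print("applied:", applied)
    print("ignored (flag missing or false):", ignored)
    print("invalid values:", invalid)
```

For the sample payload the helper applies ADPacketSign = "require" (its flag is true), reports ADPacketEncrypt and ADNamespace as ignored, and flags ADMountStyle as an undocumented value.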
Encrypted Profiles
A profile can be encrypted so that it can only be decrypted using a private key previously installed on a device.
To encrypt a profile do the following:
1. Remove the PayloadContent array and serialize it as a proper plist. Note that the top-level object in this plist is an array, not a dictionary.
2. CMS-encrypt the serialized plist as enveloped data.
3. Serialize the encrypted data in DER format.
4. Set the serialized data as the value of a Data plist item in the profile, using the key EncryptedPayloadContent.
Signing a Profile
To sign a profile, place the XML plist in a DER-encoded CMS SignedData data structure.
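The four encryption steps and the signing step above can be carried out with plistlib plus a CMS implementation. The following is an added example, not Apple's code: encrypt_profile performs steps 1 to 4 (pulling the PayloadContent array out, serialising it as a plist whose top-level object is the array, and storing the CMS output as a data item under EncryptedPayloadContent), and sign_profile wraps the XML plist in SignedData. The CMS work is delegated to a callable; openssl_cms_encrypt and openssl_cms_sign build such callables on top of the openssl command-line tool, which is assumed to be on PATH, with certificate and key file names supplied by the caller. The sample profile, its identifiers and UUIDs are constructed.

```python
"""Encrypt and sign a configuration profile as described in the sections above.

Added example (not Apple's code). plistlib handles the plist work; the CMS
operations are callables so that any CMS implementation can be used. The
openssl_* helpers assume the openssl CLI is on PATH.
"""
import plistlib
import subprocess
from typing import Callable, Dict, List, Optional

CmsOp = Callable[[bytes], bytes]


def encrypt_profile(profile: Dict, cms_encrypt: CmsOp) -> Dict:
    """Return a copy of profile with PayloadContent replaced by EncryptedPayloadContent."""
    if "PayloadContent" not in profile:
        raise ValueError("profile has no PayloadContent array")
    outer = dict(profile)
    payloads = outer.pop("PayloadContent")
    if not isinstance(payloads, list):
        raise TypeError("PayloadContent must be an array")
    # Step 1: serialise the array by itself. The top-level plist object is the array.
    inner_plist = plistlib.dumps(payloads, fmt=plistlib.FMT_XML)
    # Steps 2 and 3: CMS EnvelopedData, DER-serialised, from the supplied callable.
    enveloped_der = cms_encrypt(inner_plist)
    # Step 4: bytes become a <data> item under EncryptedPayloadContent.
    outer["EncryptedPayloadContent"] = enveloped_der
    return outer


def sign_profile(profile: Dict, cms_sign: CmsOp) -> bytes:
    """Serialise the profile as XML and wrap it in CMS SignedData (content attached)."""
    return cms_sign(plistlib.dumps(profile, fmt=plistlib.FMT_XML))


def payloads_from_plist(data: bytes) -> List[Dict]:
    """Parse the inner plist produced in step 1 (used to verify the array-at-top-level shape)."""
    return plistlib.loads(data)


def openssl_cms_encrypt(recipient_cert_pem: str) -> CmsOp:
    """EnvelopedData for the device certificate whose private key is already on the device."""
    def run(data: bytes) -> bytes:
        cmd = ["openssl", "cms", "-encrypt", "-binary", "-aes256", "-outform", "DER", recipient_cert_pem]
        return subprocess.run(cmd, input=data, check=True, capture_output=True).stdout
    return run


def openssl_cms_sign(signer_cert_pem: str, signer_key_pem: str, chain_pem: Optional[str] = None) -> CmsOp:
    """DER SignedData with the profile embedded (-nodetach), optionally carrying an intermediate chain."""
    def run(data: bytes) -> bytes:
        cmd = ["openssl", "cms", "-sign", "-binary", "-nodetach", "-outform", "DER",
               "-signer", signer_cert_pem, "-inkey", signer_key_pem]
        if chain_pem:
            cmd += ["-certfile", chain_pem]
        return subprocess.run(cmd, input=data, check=True, capture_output=True).stdout
    return run


# Constructed minimal profile with one payload; identifiers and UUIDs are placeholders.
SAMPLE_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.sample",
    "PayloadUUID": "00000000-0000-4000-8000-0000000000aa",
    "PayloadContent": [{
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.sample.wifi",
        "PayloadUUID": "00000000-0000-4000-8000-0000000000ab",
        "SSID_STR": "CorpNet",
        "EncryptionType": "WPA2",
    }],
}


def encrypted_profile_xml(profile: Dict, cms_encrypt: CmsOp) -> bytes:
    """XML of the encrypted profile, ready to be signed with sign_profile or served as-is."""
    return plistlib.dumps(encrypt_profile(profile, cms_encrypt), fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    # Identity stand-in for the CMS step so the shape of the result can be inspected offline.
    print(encrypted_profile_xml(SAMPLE_PROFILE, lambda data: data).decode())
```

In production the stand-in is replaced by openssl_cms_encrypt("device-cert.pem"), and the result is typically passed through sign_profile as well so the device can verify who produced the profile. Keeping the outer dictionary intact matters: the device needs PayloadType, PayloadIdentifier and PayloadUUID in the clear to install the profile, while only the payload array is hidden inside the EnvelopedData.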
Sample Configuration Profile
The following is a sample configuration profile containing an SCEP payload.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Inc//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadUUID</key>
    <string>Ignored</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadIdentifier</key>
    <string>Ignored</string>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadContent</key>
            <dict>
                <key>URL</key>
                <string>https://scep.example.com/scep</string>
                <key>Name</key>
                <string>EnrollmentCAInstance</string>
                <key>Subject</key>
                <array>
                    <array>
                        <array>
                            <string>O</string>
                            <string>Example, Inc.</string>
                        </array>
                    </array>
                    <array>
                        <array>
                            <string>CN</string>
                            <string>User Device Cert</string>
                        </array>
                    </array>
                </array>
                <key>Challenge</key>
                <string>...</string>
                <key>Keysize</key>
                <integer>1024</integer>
                <key>KeyType</key>
                <string>RSA</string>
                <key>KeyUsage</key>
                <integer>5</integer>
            </dict>
            <key>PayloadDescription</key>
            <string>Provides device encryption identity</string>
            <key>PayloadUUID</key>
            <string>fd8a6b9e-0fed-406f-9571-8ec98722b713</string>
            <key>PayloadType</key>
            <string>com.apple.security.scep</string>
            <key>PayloadDisplayName</key>
            <string>Encryption Identity</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadOrganization</key>
            <string>Example, Inc.</string>
            <key>PayloadIdentifier</key>
            <string>com.example.profileservice.scep</string>
        </dict>
    </array>
</dict>
</plist>
Revision History
Date | Notes
2019-05-03 | Removed allowSiriServerLogging from the Restrictions Payload.
2019-03-25 | Added macOS support for allowRemoteScreenObservation, allowScreenShot, forceClassroomAutomaticallyJoinClasses, forceClassroomRequestPermissionToLeaveClasses, forceClassroomUnpromptedAppAndDeviceLock, and forceClassroomUnpromptedScreenObservation in the Restrictions Payload. Minor updates and corrections.
2019-01-22 | Added allowPersonalHotspotModification and allowSiriServerLogging to the Restrictions Payload. Added tvOS support for forceAutomaticDateAndTime, forceDelayedSoftwareUpdates, and enforcedSoftwareUpdateDelay in the Restrictions Payload. Minor updates and corrections.
2018-11-07 | Added the Certificate Transparency Payload.
2018-10-30 | Updated the allowEnablingRestrictions restriction to refer to Screen Time changes in iOS 12. Added allowESIMModification restriction. Added SkipTrueTone to the Setup Assistant Payload. Added allowCellularPlanModification to the Restrictions Payload. Added the Global Preferences Payload. Added the Mobile Accounts Payload. Minor updates and corrections.
2018-09-17 | Documented the Login Items Payload. Documented macOS support for the Education Configuration Payload. Minor updates and corrections.
2018-08-27 | Minor updates and corrections.
2018-08-20 | Minor updates and corrections.
2018-08-06 | Documented the Privacy Preferences Policy Control Pane Payload. Added allowManagedToWriteUnmanagedContacts and allowUnmanagedToReadManagedContacts to the Restrictions Payload.
2018-08-06 | Documented the Time Server payload. Added tokenRemovalAction to the Smart Card Payload. Added AllowPreReleaseInstallation to the Software Update Payload. Documented the ShareKit Payload deprecation; instead, use the NSExtensionManagement Payload.
2018-07-16 | Minor updates and corrections.
2018-07-05 | Added new restrictions for allowPasswordAutoFill, allowPasswordProximityRequests, and allowPasswordSharing. Updated OAuth availability in the Exchange Payload. Added AllowAllAppsAccess for the SCEP Payload. Added GroupingType to the Notifications Payload. Other miscellaneous updates and corrections.
2018-06-18 | Converted to PDF format. Removed APN payload section. Instead, use the Cellular Payload.
2018-06-04 | Updated for iOS 12, macOS 10.14, and tvOS 12.
2018-04-09 | Updated for iOS 11.3, macOS 10.13.3, and tvOS 11.3.
2017-12-07 | Updated for iOS 11.2, macOS 10.13.2, and tvOS 11.2 public release.
2017-09-19 | Updated for iOS 11.0, macOS 10.13, and tvOS 11.0.
2017-03-27 | Update for iOS 10.3.
2016-12-12 | Added a link to "iOS Human Interface Guidelines" for current icon recommendations.
2016-09-13 | Made miscellaneous updates and corrections.
2016-07-01 | Updated for iOS 10.0 and macOS 10.12.
2016-06-21 | Added new section "Active Directory Payload"; made minor updates and corrections throughout.
2016-03-21 | Updated to iOS 9.3 and made other updates and corrections.
2015-12-08 | Minor updates and corrections.
2015-10-08 | Minor revision.
2015-09-17 | Update for iOS 9 and OS X 10.11.
2015-06-12 | Made miscellaneous updates and corrections. Updated rules for removal of profiles installed through an MDM server. Added new section Network Usage Rules Payload. Added new section macOS Server Payload. Added new Email, Restrictions, SCEP, and VPN Payload keys. Clarified Web Content Filter URL matching.
2015-01-31 | Added new keys to the Restrictions Payload and clarified managed domain terminology.
2014-09-17 | Updated for iOS 8 and OS X v10.10.
2014-03-20 | Updated for iOS 7.1.
2014-01-14 | Updated for iOS 7 and OS X v10.9.
2013-10-22 | Added information about the keychain syncing restriction.
2013-10-01 | Removed unsupported keys from document.
2013-09-18 | Updated with a few additional iOS 7 keys.
2012-12-13 | Corrected minor technical and typographical errors.
2012-09-22 | Made minor typographical fixes and clarified a few details specific to OS X.
2012-09-19 | Updated document for iOS 6 and added support for OS X 10.8.
2011-10-17 | Removed extraneous iCloud key.
2011-10-12 | Updated for iOS 5.0.
2011-03-08 | Retitled document.
2010-09-21 | Fixed typographical errors.
2010-08-03 | New document that describes the property list keys used in iOS configuration profiles.
Copyright and Notices
Apple Inc.
Copyright © 2019 Apple Inc.
All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, mechanical, electronic, photocopying, recording, or otherwise, without prior written permission of Apple Inc., with the following exceptions: Any person is hereby authorized to store documentation on a single computer or device for personal use only and to print copies of documentation for personal use provided that the documentation contains Apple's copyright notice.
No licenses, express or implied, are granted with respect to any of the technology described in this document. Apple retains all intellectual property rights associated with the technology described in this document. This document is intended to assist application developers to develop applications only for Apple-branded products.
Apple Inc.
One Apple Park Way
Cupertino, CA 95014
USA
408-996-1010
Apple is a trademark of Apple Inc., registered in the U.S. and other countries.
APPLE MAKES NO WARRANTY OR REPRESENTATION, EITHER EXPRESS OR IMPLIED, WITH RESPECT TO THIS DOCUMENT, ITS QUALITY, ACCURACY, MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE. AS A RESULT, THIS DOCUMENT IS PROVIDED AS IS, AND YOU, THE READER, ARE ASSUMING THE ENTIRE RISK AS TO ITS QUALITY AND ACCURACY.
IN NO EVENT WILL APPLE BE LIABLE FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES RESULTING FROM ANY DEFECT, ERROR OR INACCURACY IN THIS DOCUMENT, even if advised of the possibility of such damages.
Some jurisdictions do not allow the exclusion of implied warranties or liability, so the above exclusion may not apply to you.