Apple Device Management
This section explains how to apply operations and policies to Apple devices.
Features
Apple Device Operations
Add Operations to an Apple Device
Prerequisites
The server has to be downloaded and started.
You must be logged in to the server's Endpoint Management Portal.
Open the device that you have enrolled; operations are applied from the device's details page.
Steps
- Click the operation that you need to apply to the device. In this tutorial, let us apply the Voice Roaming operation.
- A pop-up message will be displayed on the screen. Select the Enable voice roaming check box.
- Click Send to Device.
The Voice Roaming operation will now be activated on the device.
The following table lists the operations that can be applied to macOS devices:
{insert table}
Apple Device Policies
Add a Policy
Prerequisites
Server has to be downloaded and started.
Must have been logged on to the server's Endpoint Management Portal.
Steps
- Click Add Policies (https://{IP}:{port}/devicemgt/policy/add).
- Click iOS from DEVICE TYPES.
- Create your policy. In this tutorial, let us create a passcode policy. After defining the settings, click CONTINUE.
NOTE
A profile in the context of WSO2 IoT Server refers to a collection of policies. For example, in this use case you are only creating one policy, the passcode policy. If you want to, you can add a restrictions policy too. All these policies will be bundled as a profile and then pushed to the devices.
- Define the user groups that the passcode policy needs to be assigned to:
NOTE Select the set user role/s or set user/s option and then select the users/roles from the item list. Let's select set user role/s and then select ANY.
- Click CONTINUE.
- Define the policy name and the description of the policy.
- Click SAVE AND PUBLISH to save and publish the configured profile as an active policy to the database.
NOTE If you SAVE the configured profile, it will be in the inactive state and will not be applied to any devices. If you SAVE AND PUBLISH the configured profile of policies, it will be in the active state.
- To publish the policy to the existing devices, click APPLY CHANGES TO DEVICES from the policy management page.
View a Policy
- Go to the Endpoint Management portal and click View Policies (https://{IP}:{port}/devicemgt/devicemgt/policies).
Publish a Policy
- Click View under Policies to get the list of the available policies.
- Click Select to select the policies you wish to publish from those that have not been published already.
- Click Publish.
Unpublish a Policy
- Go to the Endpoint Management portal and click View Policies (https://{IP}:{port}/devicemgt/devicemgt/policies).
- Click Select to select the policies that you wish to unpublish from those that have already been published.
- Click Unpublish.
- Click YES to confirm that you want to unpublish the policy.
- Your policy is now unpublished and in the inactive/updated state. Therefore, the policy will not be applied to devices that newly enroll with Entgra IoT Server.
Verify the Policy Enforced on a Device
- Click View under DEVICES.
- Click on your device to view the device details. Click Policy Compliance.
- You will see the policy that is currently applied to your device.
Manage the Policy Priority Order
You can change the priority order of the policies to make sure the policy that you want is applied to devices that register with Entgra IoT Server.
- Click View under POLICIES to get the list of the available policies.
- Click POLICY PRIORITY.
- Manage the policy priority: drag and drop the policies into the required order, or define the order using the edit box.
- Click SAVE NEW PRIORITY ORDER to save the changes.
- Click APPLY CHANGES to push the changes to the existing devices.
Updating a Policy
- Click View under POLICIES to get the list of the available policies.
- On the policy you wish to edit, click the edit icon.
- Edit the policy:
a. Edit current profile and click CONTINUE.
b. Edit assignment groups and click CONTINUE.
c. Optionally, edit the policy name and description.
d. Click SAVE to save the configured profile or click SAVE AND PUBLISH to save and publish the configured profile as an active policy to the database.
{Insert list of policies??}
Applicable Apple Device Policies
Passcode Policy
Refer to Add policy for instructions on how to add a policy to an iOS device.
The Passcode policy improves security by requiring a passcode on the device, which must be entered to unlock it. The following configuration can be used to set up this policy on an iOS device. Once this configuration profile is installed on a device, the corresponding users will not be able to modify these settings on their devices.
Data Keys of Policy and its Descriptions
Force Passcode
Determines whether the user is forced to set a PIN. Simply setting this value (and not the others) forces the user to enter a passcode, without imposing a length or quality requirement.
Allow Simple Value
Determines whether a simple passcode is allowed. A simple passcode is defined as containing repeated characters, or increasing/decreasing characters (such as 123 or CBA). Setting this value to false is synonymous to setting minComplexChars to ”1”.
Allow Alphanumeric Value
Specifies whether the user must also enter alphabetic characters (”abcd”) along with numbers, or if numbers only are sufficient.
Minimum passcode length
Specifies the minimum overall length of the passcode.
Passcode history
When the user changes the passcode, it has to be unique within the last N entries in the history. The minimum value is 1 and the maximum value is 50 (between 1 and 50 passcodes, or none).
Auto Lock Time in minutes
Specifies the maximum number of minutes for which the device can be idle (without being unlocked by the user) before it gets locked by the system. Once this limit is reached, the device is locked and the passcode must be entered. The user can edit this setting, but the value cannot exceed the maxInactivity value.
Grace period in minutes for device lock
The maximum grace period, in minutes, to unlock without entering a passcode. Default is 0, that is no grace period, which requires entering a passcode immediately.
Maximum number of failed attempts
Allowed range [2...11]. Specifies the number of allowed failed attempts to enter the passcode at the device's lock screen. After six failed attempts, a time delay is imposed before a passcode can be entered again; the delay increases with each attempt. Once this number is exceeded, on iOS the device is wiped.
NOTE Refer to Publish policy for instructions on how to publish an applied policy on an iOS device.
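The passcode keys above map onto Apple's Passcode configuration payload. The following is an added example (not part of this page and not Entgra IoT Server's own code) that turns the form values into that payload, enforces the ranges stated above (passcode history 1 to 50, failed attempts 2 to 11), and serialises the result as a .mobileconfig so the emitted profile can be inspected before it is pushed. The Apple key names are taken from Apple's Configuration Profile Reference; the form-label-to-key mapping, the payload identifiers and the sample values are assumptions made for this example.

```python
import plistlib
import uuid

# Portal form labels (as listed above) mapped to the keys of Apple's Passcode
# payload (PayloadType com.apple.mobiledevice.passwordpolicy). The mapping is an
# assumption of this example, taken from Apple's Configuration Profile Reference.
FORM_TO_APPLE_KEY = {
    "Force Passcode": "forcePIN",
    "Allow Simple Value": "allowSimple",
    "Allow Alphanumeric Value": "requireAlphanumeric",
    "Minimum passcode length": "minLength",
    "Passcode history": "pinHistory",
    "Auto Lock Time in minutes": "maxInactivity",
    "Grace period in minutes for device lock": "maxGracePeriod",
    "Maximum number of failed attempts": "maxFailedAttempts",
}

# Ranges stated in the key descriptions above; other numeric keys only need
# to be non-negative integers.
RANGES = {
    "pinHistory": (1, 50),
    "maxFailedAttempts": (2, 11),
}


def validation_errors(form):
    """Return human-readable problems with the form; an empty list means it is valid."""
    errors = []
    for label, key in FORM_TO_APPLE_KEY.items():
        value = form.get(label)
        if value is None or isinstance(value, bool):
            continue  # unset, or a check box: nothing to range-check
        if not isinstance(value, int) or value < 0:
            errors.append(f"{label}: expected a non-negative integer, got {value!r}")
            continue
        if key in RANGES:
            lo, hi = RANGES[key]
            if not lo <= value <= hi:
                errors.append(f"{label}: {value} is outside the allowed range {lo}..{hi}")
    return errors


def build_passcode_payload(form, identifier="com.example.passcode"):
    """Translate validated form values into one Apple passcode payload dict."""
    errors = validation_errors(form)
    if errors:
        raise ValueError("; ".join(errors))
    payload = {
        "PayloadType": "com.apple.mobiledevice.passwordpolicy",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,  # assumed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode Policy",
    }
    for label, key in FORM_TO_APPLE_KEY.items():
        if form.get(label) is not None:
            payload[key] = form[label]
    return payload


def to_mobileconfig(payloads, identifier="com.example.profile"):
    """Wrap payloads in a top-level Configuration profile and serialise it as an XML plist."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,  # assumed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Apple Passcode Policy",
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile)


def parse_mobileconfig(data):
    """Read a .mobileconfig back into a dict, to check what was actually emitted."""
    return plistlib.loads(data)


# Constructed sample form values for this example.
SAMPLE_FORM = {
    "Force Passcode": True,
    "Allow Simple Value": False,
    "Allow Alphanumeric Value": True,
    "Minimum passcode length": 6,
    "Passcode history": 5,
    "Auto Lock Time in minutes": 2,
    "Grace period in minutes for device lock": 0,
    "Maximum number of failed attempts": 10,
}

if __name__ == "__main__":
    print(to_mobileconfig([build_passcode_payload(SAMPLE_FORM)]).decode())
```

Running the block prints the XML plist; the keys it contains are the ones to look for in the device's Policy Compliance view described above when checking that the device received the policy.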
Restrictions Policy
These configurations can be used to restrict apps, device features and media content available on an iOS device. Once this configuration profile is installed on a device, corresponding users will not be able to modify these settings on their devices.
Refer to Add policy for instructions on how to add a policy to an iOS device.
Data Keys of Policy and its Descriptions
Allow Siri
When false, disables Siri. Defaults to true.
Allow use of camera
When checked, use of the device camera is allowed.
Allow iCloud documents and data
[This key is deprecated on unsupervised devices.]
When checked, syncing of iCloud documents and data is allowed on the device. Available in iOS 5.0 and later and in macOS 10.11 and later.
Allow iCloud keychain
When false, disables iCloud keychain synchronization. Default is true. Available in iOS 7.0 and later and macOS 10.12 and later.
Allow fingerprint for unlock
If false, prevents Touch ID from unlocking a device. Available in iOS 7 and later and in macOS 10.12.4 and later.
Allow in-app purchase
When checked, in-app purchases are allowed on the device.
Allow screenshots
If set to false, users canʼt save a screenshot of the display and are prevented from capturing a screen recording; it also prevents the Classroom app from observing remote screens.
Enable AutoFill
When false, Safari auto-fill is disabled. Defaults to true.
Allow voice dialing while device is locked
When false, disables voice dialing if the device is locked with a passcode. Default is true.
Force encrypting all backups
When checked, all backups are forced to be encrypted.
Allow managed apps to store data in iCloud
If set to false, prevents managed applications from using iCloud sync.
Allow Activity Continuation
If set to false, Activity Continuation will be disabled. Defaults to true.
Allow backup of enterprise books
If set to false, Enterprise books will not be backed up. Defaults to true
Allow enterprise books data sync
If set to false, Enterprise books notes and highlights will not be synced. Defaults to true.
Allow cloud photo library
If set to false, disables iCloud Photo Library. Any photos not fully downloaded from iCloud Photo Library to the device will be removed from local storage.
Allow remote screen observation
If set to false, remote screen observation by the Classroom app is disabled. Defaults to true. This key should be nested beneath allowScreenShot as a sub-restriction. If allowScreenShot is set to false, it also disables remote screen observation. Available in iOS 9.3 and later and macOS 10.14.4 and later.
Allow adding Game Center friends
[This key is deprecated on unsupervised devices.]
When false, prohibits adding friends to Game Center. This key is deprecated on unsupervised devices.
Allow Siri to query user-generated content from web
Supervised only. When false, prevents Siri from querying user-generated content from the web. Available in iOS 7 and later.
Allow video conferencing
[This key is deprecated on unsupervised devices.]
When false, disables video conferencing. This key is deprecated on unsupervised devices
Allow Safari
[This key is deprecated on unsupervised devices.]
When false, the Safari web browser application is disabled and its icon removed from the Home screen. This also prevents users from opening web clips. This key is deprecated on unsupervised devices.
Allow multiplayer gaming
[This key is deprecated on unsupervised devices.]
When false, prohibits multiplayer gaming. This key is deprecated on unsupervised devices.
Allow use of iTunes Store
When false, the iTunes Music Store is disabled and its icon is removed from the Home screen. Users cannot preview, purchase, or download content. This key is deprecated on unsupervised devices.
Following are DEP (supervised) only:
Force Delayed Software Updates
If set to true, delays user visibility of Software Updates. Defaults to false. On macOS, seed build updates will be allowed without delay. Available in iOS 11.3 and later and macOS 10.13 and later.
Allow Erase All Content And Settings
If set to false, disables the “Erase All Content And Settings” option in the Reset UI.
Allow Spotlight Internet results
If set to false, Spotlight will not return Internet search results. Available in iOS and in macOS 10.11 and later.
Enforced Software Update Delay
This restriction allows the admin to set how many days a software update on the device will be delayed. With this restriction in place, the user will not see a software update until the specified number of days after the software update release date. The maximum is 90 days and the default value is 30. Available in iOS 11.3 and later and macOS 10.13.4 and later.
Force Classroom Automatically Join Classes
If set to true, automatically gives permission to the teacher's requests without prompting the student. Defaults to false. Available only in iOS 11.0 and later and macOS 10.14.4 and later.
Force Classroom Request Permission To Leave Classes
If set to true, a student enrolled in an unmanaged course via Classroom will request permission from the teacher when attempting to leave the course. Defaults to false. Available only in iOS 11.3 and macOS 10.14.4 and later.
Force Classroom Unprompted App And Device Lock
If set to true, allow the teacher to lock apps or the device without prompting the student. Defaults to false Available only in iOS 11.0 and macOS 10.14.4 and later.
Force Classroom Unprompted Screen Observation
If set to true, and ScreenObservationPermissionModificationAllowed is also true in the Education payload, a student enrolled in a managed course via the Classroom app will automatically give permission to that courseʼs teacherʼs requests to observe the studentʼs screen without prompting the student. Defaults to false. Available only in iOS 11.0 and macOS 10.14.4 and later.
Allow Password Auto Fill
If set to false, users will not be able to use the AutoFill Passwords feature on iOS and will not be prompted to use a saved password in Safari or in apps. If set to false, Automatic Strong Passwords will also be disabled and strong passwords will not be suggested to users. Defaults to true. Available only in iOS 12.0 and later and macOS 10.14 and later.
Allow Password Proximity Requests
If set to false, a user's device will not request passwords from nearby devices. Defaults to true. Available only in iOS 12.0 and later and macOS 10.14 and later.
Allow Password Sharing
If set to false, users can not share their passwords with the Airdrop Passwords feature. Defaults to true. Available only in iOS 12.0 and macOS 10.14 and later.
Allow definition lookup
If set to false, disables definition lookup. Defaults to true. Available in iOS 8.1.3 and later and in macOS 10.11.2 and later
Allow music service
If set to false, Music service is disabled and Music app reverts to classic mode. Defaults to true. Available in iOS 9.3 and later and macOS 10.12 and later
Restrictions on iOS devices
Allow Siri while device is locked
When false, the user is unable to use Siri when the device is locked. Defaults to true. This restriction is ignored if the device does not have a passcode set.
Allow removing apps
[This key is deprecated on unsupervised devices.]
When false, disables removal of apps from iOS device. This key is deprecated on unsupervised devices.
Allow iCloud backup
When false, disables backing up the device to iCloud.
Allow diagnostic submission
When false, this prevents the device from automatically submitting diagnostic reports to Apple. Defaults to true. Available only in iOS 6.0 and later.
Allow explicit content
[This key is deprecated on unsupervised devices.]
When false, explicit music or video content purchased from the iTunes Store is hidden. Explicit content is marked as such by content providers, such as record labels, when sold through the iTunes Store. This key is deprecated on unsupervised devices. Available in iOS and in tvOS 11.3 and later
Allow global background fetch when roaming
When false, disables global background fetch activity when an iOS phone is roaming.
Show Notifications Center in lock screen
If set to false, the Notifications history view on the lock screen is disabled and users can't view past notifications. However, when the device is locked, the user will still be able to view notifications as they arrive. Available only in iOS 7.0 and later.
Show Today view in lock screen
If set to false, the Today view in Notification Center on the lock screen is disabled. Available only in iOS 7.0 and later.
Allow documents from managed sources in unmanaged destinations
If false, documents in managed apps and accounts only open in other managed apps and accounts. Default is true. Available only in iOS 7.0 and later
Allow documents from unmanaged sources in managed destinations
If set to false, documents in unmanaged apps and accounts will only open in other unmanaged apps and accounts. Default is true. Available only in iOS 7.0 and later.
Show Passbook notifications in lock screen
If set to false, Passbook notifications will not be shown on the lock screen.This will default to true. Available in iOS 6.0 and later.
Allow Photo Stream
When false, disables Photo Stream. Available in iOS 5.0 and later.
Force Fraud warning
When true, Safari fraud warning is enabled. Defaults to false Available in iOS 4.0 and later.
Enable Javascript
When false, Safari will not execute JavaScript. Defaults to true. Available in iOS 4.0 and later.
Enable Pop-ups
When false, Safari will not allow pop-up tabs. Defaults to true. Available in iOS 4.0 and later.
Accept cookies
Determines conditions under which the device will accept cookies. The user facing settings changed in iOS 11, though the possible values remain the same:
• 0: Prevent Cross-Site Tracking and Block All Cookies are enabled and the user canʼt disable either setting.
• 1 or 1.5: Prevent Cross-Site Tracking is enabled and the user canʼt disable it. Block All Cookies is not enabled, though the user can enable it.
• 2: Prevent Cross-Site Tracking is enabled and Block All Cookies is not enabled. The user can toggle either setting. (Default)
These are the allowed values and settings in iOS 10 and earlier:
• 0: Never
• 1: Allow from current website only
• 1.5: Allow from websites visited (available in iOS 8.0 and later); enter '1.5'
• 2: Always (Default)
In iOS 10 and earlier, users can always pick an option that is more restrictive than the payload policy, but not a less restrictive policy. For example, with a payload value of 1.5, a user could switch to Never, but not Always Allow.
Allow Shared Photo Stream
If set to false, Shared Photo Stream will be disabled.This will default to true. Available in iOS 6.0 and later.
Allow untrusted TLS prompt
When false, automatically rejects untrusted HTTPS certificates without prompting the user. Available in iOS 5.0 and later.
Require iTunes store password for all purchases
When true, forces user to enter their iTunes password for each transaction Available in iOS 5.0 and later.
Limit ad tracking
If true, limits ad tracking. Default is false Available only in iOS 7.0 and later
Force a pairing password for Airplay outgoing requests
If set to true, forces all devices receiving AirPlay requests from this device to use a pairing password. Default is false. Available only in iOS 7.1 and later.
Force air drop unmanaged
If set to true, causes AirDrop to be considered an unmanaged drop target. Defaults to false. Available in iOS 9.0 and later.
Force watch wrist detection
If set to true, a paired Apple Watch will be forced to use Wrist Detection. Defaults to false. Available in iOS 8.2 and later.
Allow over-the-air PKI updates
If false, over-the-air PKI updates are disabled. Setting this restriction to false does not disable CRL and OCSP checks. Default is true. Available only in iOS 7.0 and later.
Ratings region
This two-letter key is used by profile tools to display the proper ratings for the given region. It is not recognized or reported by the client. Possible values:
• au: Australia
• ca: Canada
• fr: France
• de: Germany
• ie: Ireland
• jp: Japan
• nz: New Zealand
• gb: United Kingdom
• us: United States
Available in iOS and tvOS 11.3 and later
Allow content ratings
When checked, the maximum allowed content ratings below can be set.
Allowed content ratings for movies
This value defines the maximum level of movie content that is allowed on the device. Possible values (with the US description of the rating level):
• 1000: All
• 500: NC-17
• 400: R
• 300: PG-13
• 200: PG
• 100: G
• 0: None
Available only in iOS and tvOS 11.3 and later.
Allowed content ratings for TV shows
This value defines the maximum level of TV content that is allowed on the device. Possible values (with the US description of the rating level):
• 1000: All
• 600: TV-MA
• 500: TV-14
• 400: TV-PG
• 300: TV-G
• 200: TV-Y7
• 100: TV-Y
• 0: None
Available only in iOS and tvOS 11.3 and later.
Allowed content ratings for apps
This value defines the maximum level of app content that is allowed on the device. Possible values (with the US description of the rating level):
• 1000: All
• 600: 17+
• 300: 12+
• 200: 9+
• 100: 4+
• 0: None
Available only in iOS 5 and tvOS 11.3 and later.
Allow enterprise app trust
If set to false, removes the Trust Enterprise Developer button in Settings > General > Profiles & Device Management, preventing apps from being provisioned by universal provisioning profiles. This restriction applies to free developer accounts but it does not apply to enterprise app developers who are trusted because their apps were pushed via MDM, nor does it revoke previously granted trust. Defaults to true. Available in iOS 9.0 and later.
Show Control Center in lock screen
If false, prevents Control Center from appearing on the Lock screen. Available in iOS 7 and later.
Allow unmanaged apps to read from managed contacts accounts
If set to true, unmanaged apps can read from managed contacts accounts. Defaults to false. If allowOpenFromManagedToUnmanaged is true, this restriction has no effect. A payload that sets this to true must be installed via MDM. Available only in iOS 12.0 and later.
Following are DEP (supervised) only:
Allow user prompted profile installation
If set to false, the user is prohibited from installing configuration profiles and certificates interactively. Defaults to true. Available in iOS 6.0 and later.
Allow Chat
When false, disables the use of iMessage with supervised devices. If the device supports text messaging, the user can still send and receive text messages. Available in iOS 6.0 and later.
Allow Cellular Plan Modification
If set to false, users can't change any settings related to their cellular plan. Defaults to true. Available in iOS 11.0 and later.
Allow USB Restricted Mode
If set to false, the device will always be able to connect to USB accessories while locked. Defaults to true. Available only in iOS 11.4.1 and later.
Allow ESIM Modification
If set to false, the user may not remove or add a cellular plan to the eSIM on the device. Defaults to true. Available only in iOS 12.1 and later.
Allow Personal Hotspot Modification
If set to false, the user may not modify the personal hotspot setting. Defaults to true. Available only in iOS 12.2 and later.
Automatically set Date and Time
If set to true, the Date & Time “Set Automatically” feature is turned on and canʼt be turned off by the user. Defaults to false.
Note: The deviceʼs time zone will only be updated when the device can determine its location (cellular connection or wifi with location services enabled).
Available only in iOS 12.0 and later.
Allow modifying account settings
If set to false, account modification is disabled. Available only in iOS 7.0 and later.
Allow modifying cellular data app settings
If set to false, changes to cellular data usage for apps are disabled. Available only in iOS 7.0 and later.
Allow Siri to query user-generated content from web
When false, prevents Siri from querying user-generated content from the web. Available in iOS 7 and later.
Enable iBookStore
If set to false, Apple Books will be disabled. This will default to true. Available in iOS 6.0 and later.
Enable iBookStore Erotica
If set to false, the user will not be able to download media from Apple Books that has been tagged as erotica. This will default to true. Available in iOS and in tvOS 11.3 and later.
Allow Find My Friends modification
If set to false, changes to Find My Friends are disabled. Available only in iOS 7.0 and later.
Allow use of Game Center
When false, Game Center is disabled and its icon is removed from the Home screen. Default is true. Available only in iOS 6.0 and later.
Allow Host Pairing
If set to false, host pairing is disabled with the exception of the supervision host. If no supervision host certificate has been configured, all pairing is disabled. Host pairing lets the administrator control which devices an iOS 7 device can pair with. Available only in iOS 7.0 and later.
Allow Enable Restrictions option
If set to false, disables the ”Enable Restrictions” option in the Restrictions UI in Settings. Default is true. On iOS 12 or later, if set to false disables the ”Enable ScreenTime” option in the ScreenTime UI in Settings and disables ScreenTime if already enabled. Available in iOS 8.0 and later.
Allow News
If set to false, disables News. Defaults to true. Available in iOS 9.0 and later.
Allow use of Podcasts
If set to false, disables podcasts. Defaults to true. Available in iOS 8.0 and later.
Allow keyboard auto-correction
If set to false, disables keyboard auto-correction. Defaults to true. Available in iOS 8.1.3 and later.
Allow keyboard spell-check
If set to false, disables keyboard spell-check. Defaults to true. Available in iOS 8.1.3 and later.
Allow UI app installation
When false, the App Store is disabled and its icon is removed from the Home screen. However, users may continue to use host apps (iTunes, Configurator) to install or update their apps. Defaults to true. In iOS 10 and later, MDM commands can override this restriction. Available in iOS 9.0 and later.
Allow keyboard shortcuts
If set to false, keyboard shortcuts cannot be used. Defaults to true. Available in iOS 9.0 and later.
Allow passcode modification
If set to false, prevents the device passcode from being added, changed, or removed. Defaults to true. This restriction is ignored by shared iPads. Available in iOS 9.0 and later.
Allow device name modification
If set to false, prevents the device name from being changed. Defaults to true. Available in iOS 9.0 and later.
Allow wallpaper modification
If set to false, prevents the wallpaper from being changed. Defaults to true. Available in iOS 9.0 and later.
Allow automatic app downloads
If set to false, prevents automatic downloading of apps purchased on other devices. Does not affect updates to existing apps. Defaults to true. Available in iOS 9.0 and later.
Allow radio service
If set to false, Apple Music Radio is disabled. Defaults to true. Available in iOS 9.3 and later.
Blacklisted app bundle Ids(comma separated)
If present, prevents bundle IDs listed in the array from being shown or launchable. Include the value com.apple.webapp to blacklist all webclips. Available in iOS 9.3 and later.
Whitelisted app bundle Ids(comma separated)
If present, allows only bundle IDs listed in the array from being shown or launchable. Include the value com.apple.webapp to whitelist all webclips. Available in iOS 9.3 and later
Allow Bluetooth modification
If set to false, prevents modification of Bluetooth settings. Defaults to true. Available in iOS 10.0 and later.
Allow dictation
If set to false, disallows dictation input. Defaults to true. Available only in iOS 10.3 and later
Force WiFi white listing (Warning, wrong configuration could break communication)
If set to true, the device can join Wi-Fi networks only if they were set up through a configuration profile. Defaults to false. Available only in iOS 10.3 and later.
Allow air print
If set to false, disallows AirPrint. Defaults to true. Available in iOS 11.0 and later.
Allow air print credentials storage
If set to false, disallows keychain storage of username and password for Airprint. Defaults to true. Available in iOS 11.0 and later.
Force air print trusted TLS requirement
If set to true, requires trusted certificates for TLS printing communication. Defaults to false. Available in iOS 11.0 and later.
Allow air print iBeacon discovery
If set to false, disables iBeacon discovery of AirPrint printers. This prevents spurious AirPrint Bluetooth beacons from phishing for network traffic. Defaults to true. Available in iOS 11.0 and later.
Allow system app removal
If set to false, disables the removal of system apps from the device. Defaults to true. Available only in iOS 11.0 and later.
Allow VPN creation
If set to false, disallows the creation of VPN configurations. Defaults to true. Available only in iOS 11.0 and later.
Allow proximity setup to new device
If set to false, disables the prompt to set up new devices that are nearby. Defaults to true. Available only in iOS 11.0 and later.
Allow installing apps
When false, the App Store is disabled and its icon is removed from the Home screen. Users are unable to install or update their applications. This key is deprecated on unsupervised devices. MDM commands can override this restriction. Available only in iOS 10 and later.
Allow AirDrop
If set to false, AirDrop is disabled. Available only in iOS 7.0 and later.
Permitted Applications in Autonomous Single App Mode
If present, allows apps identified by the bundle IDs listed in the array to autonomously enter Single App Mode. Available only in iOS 7.0 and later. Application Bundle ID:
Allow diagnostic submission modification
If set to false, the diagnostic submission and app analytics settings in the Diagnostics & Usage pane in Settings cannot be modified. Defaults to true. Available in iOS 9.3.2 and later.
Allow notifications modification
If set to false, notification settings cannot be modified. Defaults to true. Available in iOS 9.3 and later.
Allow predictive keyboard
If set to false, disables predictive keyboards. Defaults to true. Available in iOS 8.1.3 and later.
Force Authentication Before Auto Fill
If set to true, the user will have to authenticate before passwords or credit card information can be autofilled in Safari and Apps. If this restriction is not enforced, the user can toggle this feature in settings. Only supported on devices with FaceID or TouchID. Defaults to true. Available only in iOS 11.0 and later
Restrictions on macOS devices
Allow macOS iCloud Bookmark sync
When false, disallows macOS iCloud Bookmark sync. Available in macOS 10.12 and later.
Allow macOS Mail iCloud services
When false, disallows macOS Mail iCloud services. Available in macOS 10.12 and later.
Allow macOS Mail iCloud Calendar services
When false, disallows macOS iCloud Calendar services. Available in macOS 10.12 and later.
Allow macOS Mail iCloud Reminder services
When false, disallows iCloud Reminder services. Available in macOS 10.12 and later.
Allow macOS Mail iCloud Address Book services
When false, disallows macOS iCloud Address Book services. Available in macOS 10.12 and later.
Allow macOS Mail iCloud Notes services
When false, disallows macOS iCloud Notes services. Available in macOS 10.12 and later.
Allow content caching
When false, this disallows content caching. Defaults to true. Available only in macOS 10.13 and later.
Allow iTunes application file sharing
When false, iTunes application file sharing services are disabled. Available in macOS 10.13 and later.
NOTE Refer to Publish policy for instructions on how to publish an applied policy on an iOS device.
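Several keys above carry the caveat "[This key is deprecated on unsupervised devices.]" or sit under "Following are DEP (supervised) only", allowRemoteScreenObservation is overridden by allowScreenShot, and the cookie policy and content ratings only accept the enumerated values listed. The following added example (not from this page and not Entgra IoT Server's code) audits an exported Restrictions profile for exactly these pitfalls: baseline keys missing or set the wrong way, supervised-only keys pushed to an unsupervised device where they are ignored, the screenshot/remote-observation override, and enumerated values outside the sets above. Key names follow Apple's Restrictions payload (PayloadType com.apple.applicationaccess); the baseline, the supervised-only subset and the sample profile are constructed for this example.

```python
import plistlib

# Baseline this example expects a hardened Restrictions payload to set.
# Which keys belong in a baseline is an assumption of this example.
BASELINE = {
    "forceEncryptedBackup": True,      # "Force encrypting all backups"
    "allowUntrustedTLSPrompt": False,  # auto-reject untrusted HTTPS certificates
    "allowCloudBackup": False,         # keep device backups off iCloud
}

# A subset of the keys the list above marks as DEP (supervised) only. On an
# unsupervised device they are ignored, so their presence gives no protection.
SUPERVISED_ONLY = {
    "allowEraseContentAndSettings",
    "allowSpotlightInternetResults",
    "forceDelayedSoftwareUpdates",
    "enforcedSoftwareUpdateDelay",
    "allowUIConfigurationProfileInstallation",
    "allowChat",
    "allowUSBRestrictedMode",
    "allowVPNCreation",
    "allowHostPairing",
}

# Enumerations stated in the descriptions above.
ENUMS = {
    "safariAcceptCookies": {0, 1, 1.5, 2},
    "ratingMovies": {0, 100, 200, 300, 400, 500, 1000},
    "ratingTVShows": {0, 100, 200, 300, 400, 500, 600, 1000},
    "ratingApps": {0, 100, 200, 300, 600, 1000},
}


def audit_restrictions(profile_bytes, supervised):
    """Return (code, key, message) findings for every Restrictions payload in a profile."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        for key, wanted in BASELINE.items():
            if key not in payload:
                findings.append(("baseline", key, f"{key} not set; the device default applies"))
            elif payload[key] != wanted:
                findings.append(("baseline", key, f"{key}={payload[key]!r}, baseline wants {wanted!r}"))
        if not supervised:
            for key in sorted(SUPERVISED_ONLY.intersection(payload)):
                findings.append(("unsupervised", key, f"{key} is supervised-only and is ignored here"))
        # Remote observation is a sub-restriction of screenshots: once
        # allowScreenShot is false it is disabled whatever its own value says.
        if payload.get("allowScreenShot") is False and payload.get("allowRemoteScreenObservation") is True:
            findings.append(("overridden", "allowRemoteScreenObservation",
                             "allowScreenShot=false already disables remote observation"))
        for key, allowed in ENUMS.items():
            if key in payload and payload[key] not in allowed:
                findings.append(("enum", key, f"{key}={payload[key]!r} is not one of {sorted(allowed)}"))
    return findings


# Constructed sample profile (not a real Entgra export) with deliberate issues:
# unencrypted backups, untrusted-TLS prompts left on, no iCloud backup key,
# two supervised-only keys, and remote observation enabled under allowScreenShot=false.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.restrictions</string>
  <key>PayloadUUID</key><string>1E9D8A2C-0000-4000-8000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadIdentifier</key><string>com.example.restrictions.1</string>
      <key>PayloadUUID</key><string>1E9D8A2C-0000-4000-8000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>allowScreenShot</key><false/>
      <key>allowRemoteScreenObservation</key><true/>
      <key>forceEncryptedBackup</key><false/>
      <key>allowUntrustedTLSPrompt</key><true/>
      <key>safariAcceptCookies</key><real>1.5</real>
      <key>allowUSBRestrictedMode</key><false/>
      <key>allowUIConfigurationProfileInstallation</key><false/>
      <key>ratingApps</key><integer>600</integer>
    </dict>
  </array>
</dict>
</plist>
"""

if __name__ == "__main__":
    for code, key, message in audit_restrictions(SAMPLE_PROFILE, supervised=False):
        print(f"[{code}] {key}: {message}")
```

Run the audit with supervised=True for devices enrolled through DEP and supervised=False for everything else; the "unsupervised" findings are the keys that the Policy Compliance view will show as applied even though the device does not enforce them.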
Wi-Fi Settings Policy
Refer to Add policy for instructions on how to add a policy to an iOS device.
Data Keys of Policy and its Descriptions
Service Set Identifier (SSID)
SSID of the Wi-Fi network to be used. In iOS 7.0 and later, this is optional if a DomainName value is provided.
Domain Name
This field can be provided instead of SSID_STR, for Wi-Fi Hotspot 2.0 negotiation. Available in iOS 7.0 and later.
Hidden Network
Besides the SSID, the device uses information such as broadcast type and encryption type to differentiate a network. By default (false), it is assumed that all configured networks are open or broadcast. To specify a hidden network, set this to true.
Hot Spot
If true, the network is treated as a hotspot. Available in iOS 7.0 and later.
Enable Service Provider Roaming
If true, allows connection to roaming service providers. Defaults to false. Available in iOS 7.0 and later.
Auto Join
If true, the network is auto-joined. If false, the user has to tap the network name to join it. Available in iOS 5.0 and later.
Displayed Operator Name
The operator name to display when connected to this network. Used only with Wi-Fi Hotspot 2.0 access points. Available in iOS 7.0 and later.
Proxy Setup
Valid values are None, Manual, and Auto. Available in iOS 5.0 and later. If the ProxyType field is set to Manual, the following fields must also be provided:
- Proxy Server: The proxy server's network address (server URL or IP address).
- Proxy Server Port: The proxy server's port.
- Proxy Username: The username used to authenticate to the proxy server.
- Proxy Password: The password used to authenticate to the proxy server.
- Proxy PAC URL: The URL of the PAC file that defines the proxy configuration.
- Allow Proxy PAC FallBack: If false, prevents the device from connecting directly to the destination if the PAC file is unreachable. Default is false. Available in iOS 7 and later.
Encryption Security Type
If the Encryption Security Type field is set to WEP, WPA, or ANY, the following fields may also be provided:
- Wi-Fi Password: Password used for encryption security. Absence of a password does not prevent a network from being added to the list of known networks. The user is eventually prompted to provide the password when connecting to that network.
- EAP Client Configuration: In addition to the standard encryption types, it is possible to specify an enterprise profile for a given network via the EAP Client Configuration key. If present, its value is a dictionary with the keys listed below. The following EAP types are accepted: 13 = TLS, 17 = LEAP, 18 = EAP-SIM, 21 = TTLS, 23 = EAP-AKA, 25 = PEAP, 43 = EAP-FAST.
For EAP-TLS authentication without a network payload, install the necessary identity certificates and have your users select EAP-TLS mode in the 802.1X credentials dialog that appears when they connect to the network. For other EAP types, a network payload is necessary and must specify the correct settings for the network.
- Username: Unless you enter a user name, this property won't appear in an imported configuration. Users can enter this information by themselves when they authenticate.
- Password: If not provided, the user will be prompted during login.
- One Time Password: If checked, the user will be prompted for a password each time they connect to the network.
- TLS Trusted Server Certificate Names: This is the list of server certificate common names that will be accepted. You can use wildcards to specify the name, such as wpa.*.example.com. If a server presents a certificate that isn't in this list, it won't be trusted. Used alone or in combination with TLSTrustedCertificates, the property allows someone to carefully craft which certificates to trust for the given network, and avoid dynamically trusted certificates.
- Allow TLS Trust Exceptions: Allows / disallows a dynamic trust decision by the user. The dynamic trust is the certificate dialogue that appears when a certificate isn't trusted. If this is unchecked, the authentication fails if the certificate isn't already trusted.
- Require TLS Certificate: If checked, allows for two-factor authentication for EAP-TTLS, PEAP or EAP-FAST. If unchecked, allows for zero-factor authentication for EAP-TLS. By default this is enabled for EAP-TLS and disabled for other EAP types. Available in iOS 7.0 and later.
- TTLS Inner Authentication Type: Specifies the inner authentication used by the TTLS module. Possible values are PAP, CHAP, MSCHAP and MSCHAPv2.
- Outer Identity: This key is only relevant to TTLS, PEAP, and EAP-FAST. This allows the user to hide his or her identity. The userʼs actual name appears only inside the encrypted tunnel. For example, it could be set to "anonymous" or "anon", or "anon@mycompany.net". It can increase security because an attacker canʼt see the authenticating userʼs name in the clear.
- EAP-FAST Support: Use existing PAC for EAP-FAST, Allow PAC Provisioning, Allow Anonymous PAC Provisioning. These keys are hierarchical in nature: if Use existing PAC for EAP-FAST is false, the other two properties arenʼt consulted. Similarly, if Allow PAC Provisioning is false, Allow Anonymous PAC Provisioning isnʼt consulted. If Use existing PAC for EAP-FAST is false, authentication proceeds much like PEAP or TTLS: the server proves its identity using a certificate each time. If checked, the device will use an existing PAC. Otherwise, the server must present its identity using a certificate.
  If Allow PAC Provisioning is checked, allows PAC provisioning. This particular attribute must be enabled for EAP-FAST PAC usage to succeed, because there is no other way to provision a PAC.
  If Allow Anonymous PAC Provisioning is checked, provisions the device anonymously. Note that there are known man-in-the-middle attacks for anonymous provisioning.
- Number of expected RANDs for EAP-SIM: Number of expected RANDs for EAP-SIM. Valid values are 2 and 3. Defaults to 3.
- Certificate Payload UUID: UUID of the certificate payload to use for the identity credential.
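The EAP keys above interact (trust exceptions, trusted server names, outer identity, and the three hierarchical EAP-FAST keys), so it is worth checking a Wi-Fi payload before publishing it. The following is an added example, not WSO2 IoT Server code; it assumes Apple's Wi-Fi payload key names that correspond to the UI labels above (EAPClientConfiguration, AcceptEAPTypes, TLSTrustedServerNames, TLSTrustedCertificates, TLSAllowTrustExceptions, OuterIdentity, EAPFASTUsePAC, EAPFASTProvisionPAC, EAPFASTProvisionPACAnonymously), and both sample payloads are constructed.

```python
"""Lint the EAP settings of a Wi-Fi payload for the weak choices the policy text warns about.

Added example; not WSO2 IoT Server code. Key names are assumed to be Apple's Wi-Fi
payload keys matching the UI labels above; the two payloads below are constructed.
"""
from typing import Any, Dict, List

# EAP type numbers as listed in the policy description.
EAP_TYPE_NAMES = {13: "TLS", 17: "LEAP", 18: "EAP-SIM", 21: "TTLS",
                  23: "EAP-AKA", 25: "PEAP", 43: "EAP-FAST"}
TUNNELLED = {"TTLS", "PEAP", "EAP-FAST"}   # methods for which Outer Identity applies


def effective_eap_fast(eap: Dict[str, Any]) -> Dict[str, bool]:
    """Resolve the three hierarchical EAP-FAST keys.

    If "Use existing PAC" is false the other two keys are not consulted, and if
    "Allow PAC Provisioning" is false, anonymous provisioning is not consulted.
    """
    use_pac = bool(eap.get("EAPFASTUsePAC", False))
    provision = use_pac and bool(eap.get("EAPFASTProvisionPAC", False))
    anonymous = provision and bool(eap.get("EAPFASTProvisionPACAnonymously", False))
    return {"use_pac": use_pac, "provision_pac": provision, "anonymous_pac": anonymous}


def lint_wifi_payload(payload: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means nothing to report."""
    findings: List[str] = []
    if payload.get("EncryptionType") == "WEP":
        findings.append("EncryptionType is WEP: a broken cipher suite, use WPA")
    eap = payload.get("EAPClientConfiguration")
    if not eap:
        return findings
    types = {EAP_TYPE_NAMES.get(t, str(t)) for t in eap.get("AcceptEAPTypes", [])}
    # Without a trusted-name or certificate list, any certificate the device trusts is accepted.
    if not eap.get("TLSTrustedServerNames") and not eap.get("TLSTrustedCertificates"):
        findings.append("no TLSTrustedServerNames or TLSTrustedCertificates: server identity is not pinned")
    # The policy text gives no default for this key, so only an explicit true is flagged.
    if eap.get("TLSAllowTrustExceptions") is True:
        findings.append("TLSAllowTrustExceptions is true: users may accept an untrusted server certificate")
    # Tunnelled methods should carry a generic outer identity so the user name is not sent in the clear.
    if types & TUNNELLED and not eap.get("OuterIdentity"):
        findings.append("OuterIdentity not set: the authenticating user name is visible outside the tunnel")
    if "EAP-FAST" in types and effective_eap_fast(eap)["anonymous_pac"]:
        findings.append("anonymous PAC provisioning is effectively enabled: known man-in-the-middle risk")
    return findings


# Constructed sample: an EAP-FAST network with every weak option switched on.
WEAK_PAYLOAD = {
    "SSID_STR": "corp-wifi",
    "EncryptionType": "WPA",
    "EAPClientConfiguration": {
        "AcceptEAPTypes": [43],
        "UserName": "jdoe",
        "TLSAllowTrustExceptions": True,
        "EAPFASTUsePAC": True,
        "EAPFASTProvisionPAC": True,
        "EAPFASTProvisionPACAnonymously": True,
    },
}

# Constructed sample: the same network hardened along the lines of the descriptions above.
HARDENED_PAYLOAD = {
    "SSID_STR": "corp-wifi",
    "EncryptionType": "WPA",
    "EAPClientConfiguration": {
        "AcceptEAPTypes": [25],
        "UserName": "jdoe",
        "OuterIdentity": "anonymous",
        "TLSTrustedServerNames": ["radius.*.example.com"],
        "TLSAllowTrustExceptions": False,
    },
}

if __name__ == "__main__":
    for name, payload in (("weak", WEAK_PAYLOAD), ("hardened", HARDENED_PAYLOAD)):
        print(name, lint_wifi_payload(payload) or ["no findings"])
```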
Roaming Consortium OIs
Roaming Consortium Organization Identifiers used for Wi-Fi Hotspot 2.0 negotiation. Requires 6 or 10 hexadecimal characters. Available in iOS 7.0 and later.
Network Access Identifier (NAI) Realm Names
List of Network Access Identifier Realm names used for Wi-Fi Hotspot 2.0 negotiation. Available in iOS 7.0 and later.
Mobile Country Code (MCC) / Mobile Network Code (MNC) Configuration
List of Mobile Country Code (MCC)/Mobile Network Code (MNC) pairs used for Wi-Fi Hotspot 2.0 negotiation. Each string must contain exactly six digits. Available in iOS 7.0 and later.
NOTE Refer to Publish policy for instructions on how to publish an applied policy on an iOS device.
Global Proxy Settings
Refer to Add policy for instructions on how to add a policy to an iOS device.
Configure a global HTTP proxy to direct all HTTP traffic from supervised iOS 7 and higher devices through a designated proxy server. Once this configuration profile is installed on a device, all the network traffic will be routed through the proxy server.
This policy is only applicable for the devices enrolled in supervised mode.
Data Keys of Policy and its Descriptions
Proxy Configuration Type
If you choose the manual proxy type, you need to enter the proxy server address including its port and, optionally, a username and password for the proxy server. If you choose the auto proxy type, you can enter a proxy auto-configuration (PAC) URL.
Proxy Host
The proxy serverʼs network address (host name or IP address of the proxy server).
Proxy Port
The proxy serverʼs port.
Username
The username used to authenticate to the proxy server.
Password
The password used to authenticate to the proxy server.
Allow Captive Login
When checked, allows the device to bypass the proxy server to display the login page for captive networks.
NOTE Refer to Publish policy for instructions on how to publish an applied policy on an iOS device.
Email Settings
Refer to Add policy for instructions on how to add a policy to an iOS device.
These configurations can be used to define settings for connecting to your POP or IMAP email accounts. Once this configuration profile is installed on an iOS device, corresponding users will not be able to modify these settings on their devices.
Data Keys of Policy | Description |
---|---|
Account Description | A user-visible description of the email account, shown in the Mail and Settings applications. |
Account Type | Defines the protocol to be used for that account. |
Path Prefix | The path prefix for the IMAP mail server. |
Email Account Name | The full user name for the account. This is the user name in sent messages, etc. |
Email Address | Designates the full email address for the account. If not present in the payload, the device prompts for this string during profile installation. |
Prevent move | If true, messages may not be moved out of this email account into another account. Also prevents forwarding or replying from a different account than the message was originated from. Availability: Available only in iOS 5.0 and later. |
Prevent App Sheet | If true, this account is not available for sending mail in any app other than the Apple Mail app. Availability: Available only in iOS 5.0 and later. |
Enable S/MIME | If true, this account supports S/MIME. As of iOS 10.0, this key is ignored. Availability: Available only in iOS 5.0 through iOS 9.3.3. |
S/MIME Signing Certificate UUID | The Payload UUID of the identity certificate used to sign messages sent from this account. Availability: Available only in iOS 5.0 and later. |
Enable Per-message Signing and Encryption Switch | If set to true, displays the per-message encryption switch in the Mail Compose UI. Availability: Available only in iOS 12.0 and later. |
Allow Recent Address Syncing | If true, this account is excluded from address Recents syncing. This defaults to false. Availability: Available only in iOS 6.0 and later. |

Incoming Mail Settings

Data Keys of Policy | Description |
---|---|
Mail Server Hostname | Designates the incoming mail server host name (or IP address). |
Use Secure Socket Layer (SSL) | Designates whether the incoming mail server uses SSL for authentication. |
Mail Server Port | Designates the incoming mail server port number. If no port number is specified, the default port for a given protocol is used. |
Authentication Type | Designates the authentication scheme for incoming mail. Allowed values are EmailAuthPassword, EmailAuthCRAMMD5, EmailAuthNTLM, EmailAuthHTTPMD5, and EmailAuthNone. |
Username | Designates the user name for the email account, usually the same as the email address up to the @ character. If not present in the payload, and the account is set up to require authentication for incoming email, the device will prompt for this string during profile installation. |
Password | Password for the incoming mail server. Use only with encrypted profiles. |

Outgoing Mail Settings

Data Keys of Policy | Description |
---|---|
Mail Server Hostname | Designates the outgoing mail server host name (or IP address). |
Use Secure Socket Layer (SSL) | Default false. Designates whether the outgoing mail server uses SSL for authentication. |
Mail Server Port | Designates the outgoing mail server port number. If no port number is specified, ports 25, 587 and 465 are used, in this order. |
Authentication Type | Designates the authentication scheme for outgoing mail. Allowed values are EmailAuthPassword, EmailAuthCRAMMD5, EmailAuthNTLM, EmailAuthHTTPMD5, and EmailAuthNone. |
Username | Designates the user name for the email account, usually the same as the email address up to the @ character. If not present in the payload, and the account is set up to require authentication for outgoing email, the device prompts for this string during profile installation. |
Password | Password for the outgoing mail server. Use only with encrypted profiles. |
NOTE Refer to Publish policy for instructions on how to publish an applied policy on an iOS device.
AirPlay Settings
Refer to Add policy for instructions on how to add a policy to an iOS device.
This configuration can be used to define settings for connecting to AirPlay destinations. Once this configuration profile is installed on an iOS device, corresponding users will not be able to modify these settings on their devices.
Data Keys of Policy and its Descriptions
AirPlay Credentials
(If present, sets passwords for known AirPlay destinations.)
Device Name
The name of the AirPlay destination (used on iOS).
Password
The password for the AirPlay destination.
AirPlay Destinations Whitelist
(Supervised only. If present, only AirPlay destinations present in this list are available to the device.)
Destination
The Device ID of the AirPlay destination, in the format xx:xx:xx:xx:xx:xx. This field is not case sensitive.
NOTE Refer to Publish policy for instructions on how to publish an applied policy on an iOS device.
Manage Domains
Refer to Add policy for instructions on how to add a policy to an iOS device.
This payload defines web domains that are under an enterprise’s management.
Data Keys of Policy and its Descriptions
Unmarked Email Domains
(Any email address that does not have a suffix that matches one of the unmarked email domains specified by the key EmailDomains will be considered out-of-domain and will be highlighted as such in the Mail app.)
Email Domains
An array of strings. An email address lacking a suffix that matches any of these strings will be considered out-of-domain.
Managed Safari Web Domains
Managed Safari Web Domains
An array of URL strings. URLs matching the patterns listed here will be considered managed.
Refer to Publish policy for instructions on how to publish an applied policy on an iOS device.
LDAP Settings
This configuration can be used to define settings for connecting to LDAP servers. Once this configuration profile is installed on an iOS device, corresponding users will not be able to modify these settings on their devices.
Refer to Add policy for instructions on how to add a policy to an iOS device.
Data Keys of Policy | Descriptions |
---|---|
Account Description | Display name of the account |
Account Hostname | LDAP Host name or IP address |
Use Secure Socket Layer (SSL) | When checked, enables Secure Socket Layer communication with the LDAP server. |
Account Username | User name for this LDAP account |
Account Password | Password for this LDAP account |
Search Settings | Search settings for this LDAP account. Can have many of these for one account. Should have at least one for the account to be useful. |
Description | Description of this search setting |
Search Base | Conceptually, the path to the node where a search should start. For example: ou=people,o=example corp |
Scope | Defines what recursion to use in the search. Can be one of the following 3 values: LDAPSearchSettingScopeBase: Just the immediate node pointed to by SearchBase. LDAPSearchSettingScopeOneLevel: The node plus its immediate children. LDAPSearchSettingScopeSubtree: The node plus all children, regardless of depth. |
Refer to Publish policy for instructions on how to publish an applied policy on an iOS device.
ActiveSync Configurations
Refer to Add policy for instructions on how to add a policy to an iOS device.
This configuration can be used to provision ActiveSync Configurations for iOS devices.
Data Keys of Policy and its Descriptions
Email Address
Specifies the full email address for the account. If not present in the payload, the device prompts for this string during profile installation.
Exchange Server Hostname
Specifies the Exchange server host name (or IP address).
Use Secure Socket Layer(SSL)
Specifies whether the Exchange server uses SSL for authentication.
Account Username
This string specifies the user name for this Exchange account. Required in non-interactive installations (like MDM on iOS).
Account Password
The password of the account. Use only with encrypted profiles.
Use OAuth
Specifies whether the connection should use OAuth for authentication. If enabled, a password should not be specified. This defaults to false. Availability: Available only in iOS 12.0 and later.
Available in iOS only
ActiveSync Certificate file
For accounts that allow authentication via certificate, a .p12 identity certificate in NSData blob format.
Certificate Name
Specifies the name or description of the certificate.
Certificate Password
The password necessary for the p12 identity certificate. Used with mandatory encryption of profiles.
Prevent Move
If set to true, messages may not be moved out of this email account into another account. Also prevents forwarding or replying from a different account than the message was originated from. Availability: Available in iOS 5.0 and later.
Prevent App Sheet
If set to true, this account will not be available for sending mail in any app other than the Apple Mail app. Availability: Available in iOS 5.0 and later
Payload Certificate UUID
UUID of the certificate payload to use for the identity credential. If this field is present, the Certificate field is not used. Availability: Available in iOS 5.0 and later
SMIME Enabled
If true, this account supports S/MIME. As of iOS 10.0, this key is ignored. Availability: Available only in iOS 5.0 through 9.3.3.
SMIME Signing Enabled
If set to true, S/MIME signing is enabled for this account. Availability: Available only in iOS 10.3 and later
SMIME Signing Certificate UUID
The PayloadUUID of the identity certificate used to sign messages sent from this account. Availability: Available only in iOS 5.0 and later.
SMIME Encryption Enabled
If set to true, S/MIME encryption is on by default for this account. Availability: Available only in iOS 10.3 and later. As of iOS 12.0, this key is deprecated. It is recommended to use SMIMEEncryptByDefault instead.
SMIME Encryption Certificate UUID
The PayloadUUID of the identity certificate used to decrypt messages sent to this account. The public certificate is attached to outgoing mail to allow encrypted mail to be sent to this user. When the user sends encrypted mail, the public certificate is used to encrypt the copy of the mail in their Sent mailbox. Availability: Available only in iOS 5.0 and later.
SMIME Signing User Overrideable
If set to true, the user can toggle S/MIME signing on or off in Settings. Availability: Available only in iOS 12.0 and later.
SMIME Signing Certificate UUID UserOverrideable
If set to true, the user can select the signing identity. Availability: Available only in iOS 12.0 and later.
SMIME Encrypt By Default
If set to true, S/MIME encryption is enabled by default. If SMIMEEnableEncryptionPerMessageSwitch is false, this default cannot be changed by the user. Availability: Available only in iOS 12.0 and later.
SMIME Encrypt By Default User Overrideable
If set to true, the user can toggle the encryption by default setting. Availability: Available only in iOS 12.0 and later.
SMIME Encryption Certificate UUID User Overrideable
If set to true, the user can select the S/MIME encryption identity and encryption is enabled. Availability: Available only in iOS 12.0 and later.
SMIME Enable Encryption Per-Message Switch
If set to true, displays the per-message encryption switch in the Mail Compose UI. Availability: Available only in iOS 12.0 and later
Allow Mail drop
If true, this account is allowed to use Mail Drop. The default is false. Availability: Available only in macOS 10.12 and later.
Disable Mail Recents Syncing
If true, this account is excluded from address Recents syncing. Availability: Available only in iOS 6.0 and later.
Mail Number of Past Days to Sync
The number of days since synchronization.
Bundle ID of Default Application Handling Audio Calls
The communication service handler rules for this account. The CommunicationServiceRules dictionary currently contains only a DefaultServiceHandlers key; its value is a dictionary which contains an AudioCall key whose value is a string containing the bundle identifier for the default application that handles audio calls made to contacts from this account.
NOTE Refer to Publish policy for instructions on how to publish an applied policy on an iOS device.
Calendar
Refer to Add policy for instructions on how to add a policy to an iOS device.
This configuration can be used to define settings for connecting to CalDAV servers. Once this configuration profile is installed on an iOS device, corresponding users will not be able to modify these settings on their devices.
Data Keys of Policy and its Descriptions
Account Description
Display name of the account, e.g. Company CalDAV Account.
Account Hostname
CalDAV Host name or IP address
Use Secure Socket Layer(SSL)
When checked, enables Secure Socket Layer communication with the CalDAV server.
Account Port
CalDAV account host port number.
Principal URL
Principal URL for the CalDAV account
Account Username
CalDAV account user name
Account Password
CalDAV account password
NOTE Refer to Publish policy for instructions on how to publish an applied policy on an iOS device.
Calendar Subscriptions
Refer to Add policy for instructions on how to add a policy to an iOS device.
This configuration can be used to define settings for calendar subscriptions. Once this configuration profile is installed on an iOS device, corresponding users will not be able to modify these settings on their devices.
Data Keys of Policy and its Descriptions
Description
Description of the account.
Account Hostname URL
The server address.
Use Secure Socket Layer (SSL)
When checked, enables Secure Socket Layer communication.
Username
The userʼs login name.
Password
The userʼs password.
NOTE Refer to Publish policy for instructions on how to publish an applied policy on an iOS device.
Cellular Network Settings
Refer to Add policy for instructions on how to add a policy to an iOS device.
These configurations can be used to specify Cellular Network Settings on an iOS device. Cellular settings cannot be installed if an APN setting is already installed and upon successful installation, corresponding users will not be able to modify these settings on their devices.
(This feature is supported only on iOS 7.0 and later.)
Data Keys of Policy and its Descriptions
Cellular Configuration Name
The Access Point Name.
Authentication Type
Must contain either CHAP or PAP. Defaults to PAP.
Username
A user name used for authentication.
Password
A password used for authentication.
APN Configurations
APN
The Access Point Name.
Auth.Type
Must contain either CHAP or PAP. Defaults to PAP.
Username
A user name used for authentication.
Password
A password used for authentication.
Proxy
The proxy serverʼs network address.
Port
The proxy serverʼs port.
NOTE Refer to Publish policy for instructions on how to publish an applied policy on an iOS device.
Network Usage Rules
Refer to Add policy for instructions on how to add a policy to an iOS device.
Network Usage Rules allow enterprises to specify how managed apps use networks, such as cellular data networks.
These rules only apply to managed apps.
Data Keys of Policy and its Descriptions
Allow cellular data when roaming
(Common to all rule configuration types)
If set to false, matching managed apps will not be allowed to use cellular data when roaming.
Allow Cellular Data
(Common to all rule configuration types)
If set to false, matching managed apps will not be allowed to use cellular data at any time.
Apply to specified managed apps
(Set network usage rules to specific applications)
Application Identifier Match
A list of managed app identifiers, as strings, that must follow the associated rules. If this key is missing, the rules will apply to all managed apps on the device. Each string in the Application Identifier Match may either be an exact app identifier match (e.g. com.mycompany.myapp) or it may specify a prefix match for the Bundle ID by using the * wildcard character. The wildcard character, if used, must appear after a period character (.), and may only appear once, at the end of the string (e.g. com.mycompany.*).
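The wildcard rules above are easy to get subtly wrong (a prefix match that drops the trailing period would also cover unrelated bundle IDs that merely start with the same characters). The following added example, not WSO2 IoT Server code, validates Application Identifier Match patterns against the rules stated above and resolves which managed apps a rule covers; the bundle identifiers are constructed, and the assumption that bundle ID labels are letters, digits and hyphens is mine.

```python
"""Validate and apply Application Identifier Match patterns for Network Usage Rules.

Added example; not WSO2 IoT Server code. The rules implemented are the ones stated
in the policy description: exact match, or a prefix match whose single '*' sits at
the end of the string directly after a period. Sample bundle IDs are constructed.
"""
import re
from typing import List

# Assumption for the check: bundle ID labels are letters, digits and hyphens joined by periods.
_LABEL = r"[A-Za-z0-9-]+"
_EXACT = re.compile(rf"{_LABEL}(\.{_LABEL})*")
_PREFIX = re.compile(rf"{_LABEL}(\.{_LABEL})*\.\*")


def validate_pattern(pattern: str) -> bool:
    """True if the pattern is an exact bundle ID or a well-formed '<prefix>.*' pattern."""
    if pattern.count("*") > 1:          # the wildcard may appear only once
        return False
    if "*" in pattern:                  # ... and only at the end, right after a period
        return _PREFIX.fullmatch(pattern) is not None
    return _EXACT.fullmatch(pattern) is not None


def matches(pattern: str, bundle_id: str) -> bool:
    """Apply one pattern to one managed app's bundle identifier."""
    if not validate_pattern(pattern):
        raise ValueError(f"invalid Application Identifier Match pattern: {pattern!r}")
    if pattern.endswith(".*"):
        # Keep the trailing period in the prefix so com.mycompany.* does not also
        # cover com.mycompanyevil.app.
        return bundle_id.startswith(pattern[:-1])
    return bundle_id == pattern


def apps_covered_by_rule(patterns: List[str], managed_apps: List[str]) -> List[str]:
    """Managed apps the rule applies to; an absent or empty list means all managed apps."""
    if not patterns:
        return list(managed_apps)
    return [app for app in managed_apps if any(matches(p, app) for p in patterns)]


# Constructed sample: a rule that denies cellular data to the company's own apps.
SAMPLE_RULE = {
    "AllowCellularData": False,
    "AllowRoamingCellularData": False,
    "ApplicationIdentifierMatch": ["com.mycompany.*", "com.partner.reports"],
}
SAMPLE_MANAGED_APPS = ["com.mycompany.mail", "com.mycompanyevil.app",
                       "com.partner.reports", "com.other.app"]

if __name__ == "__main__":
    covered = apps_covered_by_rule(SAMPLE_RULE["ApplicationIdentifierMatch"], SAMPLE_MANAGED_APPS)
    print("rule applies to:", covered)   # prints ['com.mycompany.mail', 'com.partner.reports']
```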
NOTE Refer to Publish policy for instructions on how to publish an applied policy on an iOS device.
Certificate Install
This configuration can be used to install certificates on an iOS device.
Please note that the * sign marks required fields.
Refer to Add policy for instructions on how to add a policy to an iOS device.
Data Keys of Policy and its Descriptions
Certificate name
The file name of the enclosed certificate.
Certificate file
The base64 representation of the payload with a line length of 52.
Certificate Password
For PKCS#12 certificates, contains the password to the identity.
Certificate type
The Payload Type of a certificate payload must be one of the following:
Payload type | Container format | Certificate type |
---|---|---|
com.apple.security.root | PKCS#1(.cer) | Alias for com.apple.security.pkcs1. |
com.apple.security.pkcs1 | PKCS#1(.cer) | DER-encoded certificate without private key. May contain root certificates. |
com.apple.security.pem | PKCS#1(.cer) | PEM-encoded certificate without private key. May contain root certificates |
com.apple.security.pkcs12 | PKCS#12(.p12) | Password-protected identity certificate. Only one certificate may be included. |
NOTE Refer to Publish policy for instructions on how to publish an applied policy on an iOS device.
VPN (Virtual Private Network) Settings
Refer to Add policy for instructions on how to add a policy to an iOS device.
This configuration can be used to configure VPN settings on an iOS device. Once this configuration profile is installed on a device, corresponding users will not be able to modify these settings on their devices.
Please note that the * sign marks required fields.
Data Keys of Policy and its Descriptions
Connection Name
Description of the VPN connection displayed on the device.
Override Primary
Specifies whether to send all traffic through the VPN interface. If true, all network traffic is sent over VPN.
On-demand Enabled
Check if the VPN connection should be brought up on demand, else leave un-checked.
VPN Type
Determines the settings available in the payload for this type of VPN connection. It can have one of the following values:
- L2TP
- PPTP
- IPSec (Cisco)
- IKEv2 (see IKEv2 Dictionary Keys)
- AlwaysOn (see AlwaysOn Dictionary Keys)
- VPN (the solution uses a VPN plugin or NetworkExtension, so the VPNSubType key is required (see below)).
NOTE Refer to Publish policy for instructions on how to publish an applied policy on an iOS device.
Wi-Fi Settings Policy
Refer to Add policy for instructions on how to add a policy to an iOS device.
Data Keys of Policy | Description |
---|---|
Service Set Identifier (SSID) | SSID of the Wi-Fi network to be used. In iOS 7.0 and later, this is optional if a DomainName value is provided. |
Domain Name | This field can be provided instead of SSID_STR. Available in iOS 7.0 and later.( For Wi-Fi Hotspot 2.0 negotiation ) |
Hidden Network | Besides SSID, the device uses information such as broadcast type and encryption type to differentiate a network. By default (false), it is assumed that all configured networks are open or broadcast. To specify a hidden network, must be true. |
Hot Spot | If true, the network is treated as a hotspot. Available in iOS 7.0 and later. |
Enable Service Provider Roaming | If true, allows connection to roaming service providers. Defaults to false. Available in iOS 7.0 and later. |
Auto Join | If true, the network is auto-joined. If false, the user has to tap the network name to join it. Available in iOS 5.0 and later. |
Displayed Operator Name | The operator name to display when connected to this network. Used only with Wi-Fi Hotspot 2.0 access points. Available in iOS 7.0 and later. |
Proxy Setup | Valid values are None, Manual, and Auto. Available in iOS 5.0 and later. If the ProxyType field is set to Manual, the following fields must also be provided |
Encryption Security Type | Refer to the notes below for details on this. |
Roaming Consortium OIs | Roaming Consortium Organization Identifiers used for Wi-Fi Hotspot 2.0negotiation. Requires 6 or 10 hexadecimal characters. Available in iOS 7.0 and later. |
Network Access Identifier ( NAI ) Realm Names | List of Network Access Identifier Real names used for Wi-Fi Hotspot 2.0 negotiation. Available in iOS 7.0 and later. |
Mobile Country Code ( MCC ) / Mobile Network Code ( MNC ) Configuration | List of Mobile Country Code (MCC)/Mobile Network Code (MNC) pairs used for Wi-Fi Hotspot 2.0 negotiation. Each string must contain exactly six digits. Available in iOS 7.0 and later. |
Encryption Security Type field is set to WEP, WPA, or ANY, the following fields may also be provided.
Wi-Fi Password: Password used for encryption security. Absence of a password does not prevent a network from being added to the list of known networks. The user is eventually prompted to provide the password when connecting to that network.
EAP Client Configuration: In addition to the standard encryption types, it is possible to specify an enterprise profile for a given network via the EAP Client Configuration key. If present, its value is a dictionary with the following keys: The following EAP types are accepted:
13 = TLS 17 = LEAP 18 = EAP-SIM 21 = TTLS 23 = EAP-AKA 25 = PEAP 43 = EAP-FAST For EAP-TLS authentication without a network payload, install the necessary identity certificates and have your users select EAP-TLS mode in the 802.1X credentials dialog that appears when they connect to the network. For other EAP types, a network payload is necessary and must specify the correct settings for the network.
Username: Unless you enter a user name, this property won't appear in an imported configuration. Users can enter this information by themselves when they authenticate.
Password: If not provided, the user will be prompted during login.
One Time Password: If checked, the user will be prompted for a password each time they connect to the network.
TLS Trusted Server Certificate Names: This is the list of server certificate common names that will be accepted. You can use wildcards to specify the name, such as wpa.*.example.com. If a server presents a certificate that isn't in this list, it won't be trusted. Used alone or in combination with TLSTrustedCertificates, the property allows someone to carefully craft which certificates to trust for the given network, and avoid dynamically trusted certificates.
Allow TLS Trust Exceptions: Allows / disallows a dynamic trust decision by the user. The dynamic trust is the certificate dialogue that appears when a certificate isn't trusted. If this is unchecked, the authentication fails if the certificate isn't already trusted.
Require TLS Certificate: If checked, allows for two-factor authentication for EAP-TTLS, PEAP or EAP-FAST. If unchecked, allows for zero-factor authentication for EAP-TLS. By default this is enabled for EAP-TLS and disabled for other EAP types. Available in iOS 7.0 and later.
TTLS Inner Authentication Type: Specifies the inner authentication used by the TTLS module. Possible values are PAP, CHAP, MSCHAP and MSCHAPv2.
Outer Identity: This key is only relevant to TTLS, PEAP, and EAP-FAST. This allows the user to hide his or her identity. The user's actual name appears only inside the encrypted tunnel. For example, it could be set to "anonymous" or "anon", or "anon@mycompany.net". It can increase security because an attacker can't see the authenticating user's name in the clear.
EAP-FAST Support: Use existing PAC for EAP-FAST, Allow PAC Provisioning, Allow Anonymous PAC Provisioning.
These keys are hierarchical in nature: if Use existing PAC for EAP-FAST is false, the other two properties aren't consulted. Similarly, if Allow PAC Provisioning is false, Allow Anonymous PAC Provisioning isn't consulted. If Use existing PAC for EAP-FAST is false, authentication proceeds much like PEAP or TTLS: the server proves its identity using a certificate each time. If checked, the device will use an existing PAC; otherwise, the server must present its identity using a certificate.
If Allow PAC Provisioning is checked, PAC provisioning is allowed. This attribute must be enabled for EAP-FAST PAC usage to succeed, because there is no other way to provision a PAC. If Allow Anonymous PAC Provisioning is checked, the device is provisioned anonymously. Note that there are known man-in-the-middle attacks on anonymous provisioning.
Number of expected RANDs for EAP-SIM: Number of expected RANDs for EAP-SIM. Valid values are 2 and 3. Defaults to 3.
Certificate Payload UUID: UUID of the certificate payload to use for the identity credential.
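To check a Wi-Fi payload against the rules above (accepted EAP types, trusted server names with wildcards, the hierarchical EAP-FAST keys and the anonymous-provisioning caveat), here is an added Python example that is not part of WSO2 IoT Server. It assumes the fields are stored under the raw key names of Apple's Configuration Profile Reference (AcceptEAPTypes, TLSTrustedServerNames, EAPFASTUsePAC and so on) and reviews a constructed sample payload.

```python
import fnmatch
import plistlib

# EAP method numbers listed in the text (IANA EAP type values).
EAP_TYPES = {13: "TLS", 17: "LEAP", 18: "EAP-SIM", 21: "TTLS",
             23: "EAP-AKA", 25: "PEAP", 43: "EAP-FAST"}
TUNNELED = {21, 25, 43}  # TTLS, PEAP, EAP-FAST: Outer Identity applies

# Constructed sample Wi-Fi payload fragment. Key names follow Apple's
# Configuration Profile Reference (assumed to be how the UI fields are stored).
SAMPLE_PLIST = plistlib.dumps({
    "EAPClientConfiguration": {
        "AcceptEAPTypes": [43, 25],
        "OuterIdentity": "anonymous",
        "TLSTrustedServerNames": ["wpa.*.example.com"],
        "TLSAllowTrustExceptions": True,
        "EAPFASTUsePAC": True,
        "EAPFASTProvisionPAC": True,
        "EAPFASTProvisionPACAnonymously": True,
    }
})

def review_eap_config(payload) -> list:
    """Return a list of findings for an EAP Client Configuration (plist bytes
    or an already-parsed dict), applying the rules and caveats in the text."""
    data = plistlib.loads(payload) if isinstance(payload, bytes) else payload
    eap = data.get("EAPClientConfiguration", {})
    types = set(eap.get("AcceptEAPTypes", []))
    findings = [f"unknown EAP type {t}" for t in types if t not in EAP_TYPES]
    if not eap.get("TLSTrustedServerNames"):
        findings.append("no TLSTrustedServerNames: server identity is not pinned")
    if eap.get("TLSAllowTrustExceptions", True):  # assumed default: true
        findings.append("TLSAllowTrustExceptions: user may accept an untrusted cert")
    if types & TUNNELED and not eap.get("OuterIdentity"):
        findings.append("no OuterIdentity: user name is sent in the clear")
    # EAP-FAST keys are hierarchical: a lower key only matters if the one
    # above it is true, so only this exact combination carries the risk.
    if 43 in types and eap.get("EAPFASTUsePAC") and eap.get("EAPFASTProvisionPAC") \
            and eap.get("EAPFASTProvisionPACAnonymously"):
        findings.append("anonymous PAC provisioning: known man-in-the-middle risk")
    rands = eap.get("EAPSIMNumberOfRANDs", 3)
    if rands not in (2, 3):
        findings.append(f"EAPSIMNumberOfRANDs must be 2 or 3, got {rands}")
    return findings

def server_name_trusted(common_name: str, trusted_names: list) -> bool:
    """Match a presented server certificate CN against the trusted-name list;
    entries may contain wildcards such as wpa.*.example.com."""
    return any(fnmatch.fnmatchcase(common_name, p) for p in trusted_names)
```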
Refer to Publish policy for instructions on how to publish an applied policy in an iOS device.
Font Install
Refer to Add policy for instructions on how to add a policy to an iOS device.
This configuration can be used to add an additional font to an iOS device.
Please note that the * sign represents required fields.
Data Keys of Policy and its Descriptions
Font name
The user-visible name for the font. This field is replaced by the actual name of the font after installation.
Font file
The contents of the font file.
Each payload must contain exactly one font file in TrueType (.ttf) or OpenType (.otf) format. Collection formats (.ttc or .otc) are not supported.
NOTE Refer to Publish policy for instructions on how to publish an applied policy in an iOS device.
App Lock (Kiosk)
Refer to Add policy for instructions on how to add a policy to an iOS device.
This configuration can be used to lock the iOS device to a single application, i.e., to make the device act as a kiosk.
This configuration will be applied only on Supervised devices having iOS 7.0 and later.
Data Keys of Policy and its Descriptions
Identifier
The bundle identifier of the application.
Options
Disable touch
If true, the touch screen is disabled.
Disable Device Rotation
If true, device rotation sensing is disabled.
Disable volume buttons
If true, the volume buttons are disabled.
Disable ringer switch
If true, the ringer switch is disabled.
Disable sleep wake button
If true, the sleep/wake button is disabled.
Disable auto lock
If true, the device will not automatically go to sleep after an idle period.
Enable voice over
If true, VoiceOver is turned on.
Enable zoom
If true, Zoom is turned on.
Enable invert colors
If true, Invert Colors is turned on.
Enable assistive touch
If true, AssistiveTouch is turned on.
Enable speak selection
If true, Speak Selection is turned on.
Enable mono audio
If true, Mono Audio is turned on.
User Enabled Options
Voice over
If true, allow VoiceOver adjustment.
Zoom
If true, allow Zoom adjustment.
Invert colors
If true, allow Invert Colors adjustment.
Assistive touch
If true, allow AssistiveTouch adjustment.
NOTE Refer to Publish policy for instructions on how to publish an applied policy in an iOS device.
App Store Restriction
Refer to Add policy for instructions on how to add a policy to an iOS device.
These configurations can be used to restrict the App Store on a macOS device. Once this configuration profile is installed on a device, the corresponding users will not be able to access the App Store on the device.
This configuration will be applied only on macOS devices.
Data Keys of Policy and its Descriptions
Restrict App Installation.
Restrict app installations to admin users.
Available on macOS 10.9 and later.
Restrict app installations to software updates only.
Restrict app installations to software updates only.
Available on macOS 10.10 and later.
Disable App Adoption by users.
Disable App Adoption by users.
Available on macOS 10.10 and later.
Disable software update notifications
Disable software update notifications.
Available on macOS 10.10 and later.
NOTE Refer to Publish policy for instructions on how to publish an applied policy in an iOS device.
Login Window Preference
Refer to Add policy for instructions on how to add a policy to an iOS device.
This payload creates managed preferences on all versions of macOS for system and device profiles. Multiple Login window payloads may be installed together. This configuration will be applied only on macOS devices.
NOTE Refer to Publish policy for instructions on how to publish an applied policy in an iOS device.
Firewall Policy
Refer to Add policy for instructions on how to add a policy to an iOS device.
A Firewall policy manages the Application Firewall settings that are accessible in the Security Preferences pane. This policy is available in macOS 10.12 and later.
This configuration will be applied only on macOS devices.
The "Automatically allow downloaded signed software" and "Automatically allow built-in software" options are not supported, but both will be forced ON when this payload is present.
Data Keys of Policy and its Descriptions
Enable Firewall
Whether the firewall should be enabled or not.
Block all incoming connections
Corresponds to the "Block all incoming connections" option. When it is enabled, new incoming connections are blocked.
Enable stealth mode.
Corresponds to "Enable stealth mode." When stealth mode is turned on, your Mac does not respond to "ping" requests and does not answer connection attempts from a closed TCP or UDP network.
Applications
The list of applications. Each dictionary contains these keys:
Bundle ID
Identifies the application. It should be a string value.
Allowed
Specifies whether or not incoming connections are allowed.
NOTE Refer to Publish policy for instructions on how to publish an applied policy in an iOS device.