
Apple Device Management

This section explains how to apply operations and policies to Apple (iOS and macOS) devices that are enrolled with the server.

Features

Apple Device Operations

Add Operations to an Apple Device

Prerequisites

The server has to be downloaded and started.

You must be logged in to the server's Endpoint Management Portal.

Open the device that you have enrolled so that its available operations are shown.

Steps

  1. Click the operation that you need to apply to the device. In this tutorial, let us apply the Voice Roaming operation.

  2. A pop-up message is displayed. Select the Enable voice roaming check box.

  3. Click Send to Device.

The Voice Roaming operation is now activated on the device.

The following table lists the operations that can be applied to macOS devices:

{insert table}

Apple Device Policies

Add a Policy

Prerequisites

The server has to be downloaded and started.

You must be logged in to the server's Endpoint Management Portal.

Steps

  1. Click Add Policies. (https://{IP}:{port}/devicemgt/policy/add).
  2. Click iOS from DEVICE TYPES.
  3. Create your policy. In this tutorial, let us create a passcode policy. After defining the settings, click CONTINUE.

NOTE

A profile in the context of WSO2 IoT Server refers to a collection of policies. For example, in this use case you are only creating one policy, the passcode policy. If you want to, you can add a restrictions policy too. All these policies are bundled as a profile and then pushed to the devices.

  4. Define the user groups that the passcode policy needs to be assigned to:

NOTE Select the set user role/s or set user/s option and then select the users/roles from the item list. Let's select set user role/s and then select ANY.

  5. Click CONTINUE.

  6. Define the policy name and the description of the policy.

  7. Click SAVE AND PUBLISH to save and publish the configured profile as an active policy to the database.

NOTE If you SAVE the configured profile, it will be in the inactive state and will not be applied to any devices. If you SAVE AND PUBLISH the configured profile of policies, it will be in the active state.

  8. To publish the policy to the existing devices, click APPLY CHANGES TO DEVICES from the policy management page.

View a Policy

  1. Go to the Endpoint Management portal and click View Policies (https://{IP}:{port}/devicemgt/devicemgt/policies).

Publish a Policy

  1. Click View under Policies to get the list of the available policies.

  2. Click Select to choose the policies you wish to publish from those that have not been published already.

  3. Click Publish.

Unpublish a Policy

  1. Go to the Endpoint Management portal and click View Policies (https://{IP}:{port}/devicemgt/devicemgt/policies).
  2. Click Select to choose the policies that you wish to unpublish from those that have already been published.
  3. Click Unpublish.
  4. Click YES to confirm that you want to unpublish the policy.
  5. Your policy is now unpublished and is in the inactive/updated state. Therefore, the policy will not be applied to devices that newly enroll with Entgra IoT Server.

Verify the Policy Enforced on a Device

  1. Click View under DEVICES.
  2. Click on your device to view the device details. Click Policy Compliance.
  3. You will see the policy that is currently applied to your device.

Manage the Policy Priority Order

You can change the priority order of the policies to make sure the policy that you want is the one applied to devices that register with Entgra IoT Server.

  1. Click View under POLICIES to get the list of the available policies.
  2. Click POLICY PRIORITY.
  3. Manage the policy priority: drag and drop the policies to reorder them, or define the order explicitly using the edit box.
  4. Click SAVE NEW PRIORITY ORDER to save the changes.
  5. Click APPLY CHANGES to push the changes, to the existing devices.

Updating a Policy

  1. Click View under POLICIES to get the list of the available policies.
  2. On the policy you wish to edit, click the edit icon.
  3. Edit the policy:

a. Edit current profile and click CONTINUE.

b. Edit assignment groups and click CONTINUE.

c. Optionally, edit the policy name and description.

d. Click SAVE to save the configured profile or click SAVE AND PUBLISH to save and publish the configured profile as an active policy to the database.

{Insert list of policies??}

Applicable Apple Device Policies

Passcode Policy

Refer to Add policy for instructions on how to add a policy to an iOS device.

The Passcode policy improves device security by requiring a passcode that must be entered to unlock the device. The following configuration can be used to set up this policy on an iOS device. Once this configuration profile is installed on a device, the corresponding users will not be able to modify these settings on their devices.

Data Keys of Policy and its Descriptions

Force Passcode

Determines whether the user is forced to set a PIN. Simply setting this value (and no others) forces the user to enter a passcode, without imposing a length or quality requirement.

Allow Simple Value

Determines whether a simple passcode is allowed. A simple passcode is defined as one containing repeated characters, or increasing/decreasing characters (such as 123 or CBA). Setting this value to false is synonymous with setting minComplexChars to "1".

Allow Alphanumeric Value

Specifies whether the user must also enter alphabetic characters ("abcd") along with numbers, or if numbers only are sufficient.

Minimum passcode length

Specifies the minimum overall length of the passcode.

Passcode history

When the user changes the passcode, it has to be unique within the last N entries in the history. Minimum value is 1, maximum value is 50 (1 to 50 remembered passcodes; leave unset for no history requirement).

Auto Lock Time in minutes

Specifies the maximum number of minutes for which the device can be idle (without being unlocked by the user) before it gets locked by the system. Once this limit is reached, the device is locked and the passcode must be entered. The user can edit this setting, but the value cannot exceed the maxInactivity value.

Grace period in minutes for device lock

The maximum grace period, in minutes, to unlock without entering a passcode. Default is 0, that is no grace period, which requires entering a passcode immediately.

Maximum number of failed attempts

Allowed range [2...11]. Specifies the number of allowed failed attempts to enter the passcode at the device's lock screen. After six failed attempts, there is a time delay imposed before a passcode can be entered again; the delay increases with each attempt. Once this number is exceeded, on iOS the device is wiped.

NOTE Refer to Publish policy for instructions on how to publish an applied policy on an iOS device.
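The following script is an added example for this page, not Entgra's or Apple's code. It shows how the data keys above become an Apple configuration profile payload, validates the two ranges the descriptions state (passcode history 1 to 50, failed attempts 2 to 11), and checks candidate passcodes against the policy so an administrator can see what the policy will reject. The Apple payload key names it uses (forcePIN for Force Passcode, allowSimple for Allow Simple Value, requireAlphanumeric for Allow Alphanumeric Value, minLength, pinHistory, maxInactivity for Auto Lock Time, maxGracePeriod, maxFailedAttempts, and the payload type com.apple.mobiledevice.passwordpolicy) are Apple's, not the page's; the reading of "simple passcode" and "alphanumeric" in the code is this example's interpretation, and com.example.passcode is a placeholder identifier.

```python
"""
Passcode policy as an Apple configuration profile payload (added example, not
Entgra or Apple code). The data keys above are mapped onto Apple's
com.apple.mobiledevice.passwordpolicy keys, the stated ranges are validated, a
candidate passcode is checked against the policy, and the profile is emitted
as an XML plist.
"""
import plistlib
import uuid

# Ranges stated in the data key descriptions above.
PIN_HISTORY_RANGE = (1, 50)
MAX_FAILED_RANGE = (2, 11)


def validate_policy(settings):
    """Return the range violations in a payload-keyed settings dict (empty list if OK)."""
    errors = []
    hist = settings.get("pinHistory")
    if hist is not None and not PIN_HISTORY_RANGE[0] <= hist <= PIN_HISTORY_RANGE[1]:
        errors.append(f"pinHistory {hist} outside {PIN_HISTORY_RANGE}")
    failed = settings.get("maxFailedAttempts")
    if failed is not None and not MAX_FAILED_RANGE[0] <= failed <= MAX_FAILED_RANGE[1]:
        errors.append(f"maxFailedAttempts {failed} outside {MAX_FAILED_RANGE}")
    for key in ("minLength", "maxInactivity", "maxGracePeriod"):
        if settings.get(key, 0) < 0:
            errors.append(f"{key} must not be negative")
    return errors


def is_simple(passcode):
    """Simple passcode as the page defines it: repeated characters, or an
    increasing/decreasing run such as 123 or CBA. Interpreted here (an assumption)
    as the whole passcode being one repeated character or one consecutive run."""
    if not passcode:
        return False
    if len(set(passcode)) == 1:
        return True
    codes = [ord(c) for c in passcode]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    return steps == {1} or steps == {-1}


def passcode_complies(passcode, settings):
    """Reasons a candidate passcode would be rejected under the policy (empty list if accepted)."""
    if passcode == "":
        return ["passcode required"] if settings.get("forcePIN", False) else []
    reasons = []
    min_len = settings.get("minLength", 0)
    if len(passcode) < min_len:
        reasons.append(f"shorter than minLength {min_len}")
    if not settings.get("allowSimple", True) and is_simple(passcode):
        reasons.append("simple passcode not allowed")
    if settings.get("requireAlphanumeric", False) and not (
        any(c.isalpha() for c in passcode) and any(c.isdigit() for c in passcode)
    ):
        # requireAlphanumeric read as "letters in addition to digits" (an assumption)
        reasons.append("letters and digits both required")
    return reasons


def build_profile(settings, identifier="com.example.passcode"):
    """Wrap validated settings in a configuration profile and return XML plist bytes.
    com.example.passcode is a placeholder; use your own reverse-DNS identifier."""
    errors = validate_policy(settings)
    if errors:
        raise ValueError("; ".join(errors))
    payload = {
        "PayloadType": "com.apple.mobiledevice.passwordpolicy",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".payload",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        **settings,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


# Constructed sample: force a non-simple 6-digit passcode, 5-entry history,
# 5-minute auto-lock, no grace period, wipe after 10 failed attempts.
EXAMPLE_SETTINGS = {
    "forcePIN": True, "allowSimple": False, "requireAlphanumeric": False,
    "minLength": 6, "pinHistory": 5, "maxInactivity": 5,
    "maxGracePeriod": 0, "maxFailedAttempts": 10,
}

if __name__ == "__main__":
    print(build_profile(EXAMPLE_SETTINGS).decode())
    for candidate in ("123456", "111111", "4829", "482917"):
        print(candidate, passcode_complies(candidate, EXAMPLE_SETTINGS) or "accepted")
```

Running the script prints the profile XML and then the verdict for four constructed candidates: 123456 and 111111 fail as simple, 4829 fails on length, 482917 is accepted. validate_policy is the check worth running before SAVE AND PUBLISH, since an out-of-range value is what the page says the device will not accept.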

Restrictions Policy

These configurations can be used to restrict apps, device features and media content available on an iOS device. Once this configuration profile is installed on a device, corresponding users will not be able to modify these settings on their devices.

Refer to Add policy for instructions on how to add a policy to an iOS device.

Data Keys of Policy and its Descriptions

Allow Siri

When false, disables Siri. Defaults to true.

Allow use of camera

Having this checked enables use of the device camera.

Allow iCloud documents and data

[This key is deprecated on unsupervised devices.]

Having this checked enables syncing of iCloud documents and data on the device. Available in iOS 5.0 and later and in macOS 10.11 and later.

Allow iCloud keychain

When false, disables iCloud keychain synchronization. Default is true. Available in iOS 7.0 and later and macOS 10.12 and later.

Allow fingerprint for unlock

If false, prevents Touch ID from unlocking a device. Available in iOS 7 and later and in macOS 10.12.4 and later.

Allow in-app purchase

Having this checked would allow in-app purchase in the device.

Allow screenshots

If set to false, users canʼt save a screenshot of the display and are prevented from capturing a screen recording; it also prevents the Classroom app from observing remote screens.

Enable AutoFill

When false, Safari auto-fill is disabled. Defaults to true.

Allow voice dialing while device is locked

When false, disables voice dialing if the device is locked with a passcode. Default is true.

Force encrypting all backups

Having this checked would force encrypting all backups.

Allow managed apps to store data in iCloud

If set to false, prevents managed applications from using iCloud sync.

Allow Activity Continuation

If set to false, Activity Continuation will be disabled. Defaults to true.

Allow backup of enterprise books

If set to false, Enterprise books will not be backed up. Defaults to true

Allow enterprise books data sync

If set to false, Enterprise books notes and highlights will not be synced. Defaults to true.

Allow cloud photo library

If set to false, disables iCloud Photo Library. Any photos not fully downloaded from iCloud Photo Library to the device will be removed from local storage.

Allow remote screen observation

If set to false, remote screen observation by the Classroom app is disabled. Defaults to true. This key should be nested beneath allowScreenShot as a sub-restriction; if allowScreenShot is set to false, it also prevents the Classroom app from observing remote screens. Available in iOS 9.3 and macOS 10.14.4 and later.

Allow adding Game Center friends

[This key is deprecated on unsupervised devices.]

When false, prohibits adding friends to Game Center. This key is deprecated on unsupervised devices.

Allow Siri to query user-generated content from web

Supervised only. When false, prevents Siri from querying user-generated content from the web. Available in iOS 7 and later.

Allow video conferencing

[This key is deprecated on unsupervised devices.]

When false, disables video conferencing. This key is deprecated on unsupervised devices

Allow Safari

[This key is deprecated on unsupervised devices.]

When false, the Safari web browser application is disabled and its icon removed from the Home screen. This also prevents users from opening web clips. This key is deprecated on unsupervised devices.

Allow multiplayer gaming

[This key is deprecated on unsupervised devices.]

When false, prohibits multiplayer gaming. This key is deprecated on unsupervised devices.

Allow use of iTunes Store

When false, the iTunes Music Store is disabled and its icon is removed from the Home screen. Users cannot preview, purchase, or download content. This key is deprecated on unsupervised devices.

Following are DEP(Supervised) only

Force Delayed Software Updates

If set to true, delays user visibility of Software Updates. Defaults to false. On macOS, seed build updates will be allowed, without delay. Available in iOS 11.3 and macOS 10.13.

Allow Erase All Content And Settings

If set to false, disables the “Erase All Content And Settings” option in the Reset UI.

Allow Spotlight Internet results

If set to false, Spotlight will not return Internet search results. Available in iOS and in macOS 10.11 and later.

Enforced Software Update Delay

This restriction allows the admin to set how many days a software update on the device will be delayed. With this restriction in place, the user will not see a software update until the specified number of days after the software update release date. The maximum is 90 days and the default value is 30. Available in iOS 11.3 and macOS 10.13.4.

Force Classroom Automatically Join Classes

If set to true, automatically gives permission to the teacher's requests without prompting the student. Defaults to false. Available only in iOS 11.0 and macOS 10.14.4 and later.

Force Classroom Request Permission To Leave Classes

If set to true, a student enrolled in an unmanaged course via Classroom will request permission from the teacher when attempting to leave the course. Defaults to false. Available only in iOS 11.3 and macOS 10.14.4 and later.

Force Classroom Unprompted App And Device Lock

If set to true, allows the teacher to lock apps or the device without prompting the student. Defaults to false. Available only in iOS 11.0 and macOS 10.14.4 and later.

Force Classroom Unprompted Screen Observation

If set to true, and ScreenObservationPermissionModificationAllowed is also true in the Education payload, a student enrolled in a managed course via the Classroom app will automatically give permission to that courseʼs teacherʼs requests to observe the studentʼs screen without prompting the student. Defaults to false. Available only in iOS 11.0 and macOS 10.14.4 and later.

Allow Password Auto Fill

If set to false, users will not be able to use the AutoFill Passwords feature on iOS and will not be prompted to use a saved password in Safari or in apps. If set to false, Automatic Strong Passwords will also be disabled and strong passwords will not be suggested to users. Defaults to true. Available only in iOS 12.0 and macOS 10.14 and later.

Allow Password Proximity Requests

If set to false, a user's device will not request passwords from nearby devices. Defaults to true. Available only in iOS 12.0 and macOS 10.14.

Allow Password Sharing

If set to false, users can not share their passwords with the Airdrop Passwords feature. Defaults to true. Available only in iOS 12.0 and macOS 10.14 and later.

Allow definition lookup

If set to false, disables definition lookup. Defaults to true. Available in iOS 8.1.3 and later and in macOS 10.11.2 and later

Allow music service

If set to false, Music service is disabled and Music app reverts to classic mode. Defaults to true. Available in iOS 9.3 and later and macOS 10.12 and later

Restrictions on iOS device

Allow Siri while device is locked

When false, the user is unable to use Siri when the device is locked. Defaults to true. This restriction is ignored if the device does not have a passcode set.

Allow removing apps

[This key is deprecated on unsupervised devices.]

When false, disables removal of apps from iOS device. This key is deprecated on unsupervised devices.

Allow iCloud backup

When false, disables backing up the device to iCloud.

Allow diagnostic submission

When false, this prevents the device from automatically submitting diagnostic reports to Apple. Defaults to true. Available only in iOS 6.0 and later.

Allow explicit content

[This key is deprecated on unsupervised devices.]

When false, explicit music or video content purchased from the iTunes Store is hidden. Explicit content is marked as such by content providers, such as record labels, when sold through the iTunes Store. This key is deprecated on unsupervised devices. Available in iOS and in tvOS 11.3 and later.

Allow global background fetch when roaming

When false, disables global background fetch activity when an iOS phone is roaming.

Show Notifications Center in lock screen

If set to false, the Notifications history view on the lock screen is disabled and users canʼt view past notifications. Though, when the device is locked, the user will still be able to view notifications when they arrive. Available only in iOS 7.0 and later.

Show Today view in lock screen

If set to false, the Today view in Notification Center on the lock screen is disabled. Available only in iOS 7.0 and later.

Allow documents from managed sources in unmanaged destinations

If false, documents in managed apps and accounts only open in other managed apps and accounts. Default is true. Available only in iOS 7.0 and later

Allow documents from unmanaged sources in managed destinations

If set to false, documents in unmanaged apps and accounts will only open in other unmanaged apps and accounts. Default is true. Available only in iOS 7.0 and later.

Show Passbook notifications in lock screen

If set to false, Passbook notifications will not be shown on the lock screen. This will default to true. Available in iOS 6.0 and later.

Allow Photo Stream

When false, disables Photo Stream. Available in iOS 5.0 and later.

Force Fraud warning

When true, Safari fraud warning is enabled. Defaults to false. Available in iOS 4.0 and later.

Enable Javascript

When false, Safari will not execute JavaScript. Defaults to true. Available in iOS 4.0 and later.

Enable Pop-ups

When false, Safari will not allow pop-up tabs. Defaults to true. Available in iOS 4.0 and later.

Accept cookies

Determines conditions under which the device will accept cookies. The user facing settings changed in iOS 11, though the possible values remain the same:

• 0: Prevent Cross-Site Tracking and Block All Cookies are enabled and the user canʼt disable either setting.

• 1 or 1.5: Prevent Cross-Site Tracking is enabled and the user canʼt disable it. Block All Cookies is not enabled, though the user can enable it.

• 2: Prevent Cross-Site Tracking is enabled and Block All Cookies is not enabled. The user can toggle either setting. (Default)

These are the allowed values and settings in iOS 10 and earlier:

• 0: Never

• 1: Allow from current website only

• 1.5: Allow from websites visited (available in iOS 8.0 and later); enter '1.5'

• 2: Always (Default)

In iOS 10 and earlier, users can always pick an option that is more restrictive than the payload policy, but not a less restrictive policy. For example, with a payload value of 1.5, a user could switch to Never, but not Always Allow.

Allow Shared Photo Stream

If set to false, Shared Photo Stream will be disabled. This will default to true. Available in iOS 6.0 and later.

Allow untrusted TLS prompt

When false, automatically rejects untrusted HTTPS certificates without prompting the user. Available in iOS 5.0 and later.

Require iTunes store password for all purchases

When true, forces user to enter their iTunes password for each transaction Available in iOS 5.0 and later.

Limit ad tracking

If true, limits ad tracking. Default is false. Available only in iOS 7.0 and later.

Force a pairing password for Airplay outgoing requests

If set to true, forces all devices receiving AirPlay requests from this device to use a pairing password. Default is false. Available only in iOS 7.1 and later.

Force air drop unmanaged

If set to true, causes AirDrop to be considered an unmanaged drop target. Defaults to false. Available in iOS 9.0 and later.

Force watch wrist detection

If set to true, a paired Apple Watch will be forced to use Wrist Detection. Defaults to false. Available in iOS 8.2 and later.

Allow over-the-air PKI updates

If false, over-the-air PKI updates are disabled. Setting this restriction to false does not disable CRL and OCSP checks. Default is true. Available only in iOS 7.0 and later.

Ratings region

This 2-letter key is used by profile tools to display the proper ratings for given region. It is not recognized or reported by the client. Possible values:

• au: Australia

• ca: Canada

• fr: France

• de: Germany

• ie: Ireland

• jp: Japan

• nz: New Zealand

• gb: United Kingdom

• us: United States

Available in iOS and tvOS 11.3 and later.

Allow content ratings

Having this checked allows the maximum allowed ratings below to be set.

Allowed content ratings for movies

This value defines the maximum level of movie content that is allowed on the device. Possible values (with the US description of the rating level):

• 1000: All

• 500: NC-17

• 400: R

• 300: PG-13

• 200: PG

• 100: G

• 0: None

Available only in iOS and tvOS 11.3 and later.

Allowed content ratings for TV shows

This value defines the maximum level of TV content that is allowed on the device. Possible values (with the US description of the rating level):

• 1000: All

• 600: TV-MA

• 500: TV-14

• 400: TV-PG

• 300: TV-G

• 200: TV-Y7

• 100: TV-Y

• 0: None

Available only in iOS and tvOS 11.3 and later.

Allowed content ratings for apps

This value defines the maximum level of app content that is allowed on the device. Possible values (with the US description of the rating level):

• 1000: All

• 600: 17+

• 300: 12+

• 200: 9+

• 100: 4+

• 0: None

Available only in iOS 5 and tvOS 11.3 and later.

Allow enterprise app trust

If set to false, removes the Trust Enterprise Developer button in Settings > General > Profiles & Device Management, preventing apps from being provisioned by universal provisioning profiles. This restriction applies to free developer accounts but it does not apply to enterprise app developers who are trusted because their apps were pushed via MDM, nor does it revoke previously granted trust. Defaults to true. Available in iOS 9.0 and later.

Show Control Center in lock screen

If false, prevents Control Center from appearing on the Lock screen. Available in iOS 7 and later.

Read unmanaged apps from managed contact accounts.

If set to true, unmanaged apps can read from managed contacts accounts. Defaults to false. If allowOpenFromManagedToUnmanaged is true, this restriction has no effect. A payload that sets this to true must be installed via MDM. Available only in iOS 12.0 and later.

Following are DEP(Supervised) only

Allow user prompted profile installation

If set to false, the user is prohibited from installing configuration profiles and certificates interactively. This will default to true. Available in iOS 6.0 and later.

Allow Chat

When false, disables the use of iMessage with supervised devices. If the device supports text messaging, the user can still send and receive text messages. Available in iOS 6.0 and later.

Allow Cellular Plan Modification

If set to false, users can't change any settings related to their cellular plan. Defaults to true. Available in iOS 11.0 and later.

Allow USB Restricted Mode

If set to false, the device will always be able to connect to USB accessories while locked. Defaults to true. Available only in iOS 11.4.1 and later.

Allow ESIM Modification

If set to false, the user may not remove or add a cellular plan to the eSIM on the device. Defaults to true. Available only in iOS 12.1 and later.

Allow Personal Hotspot Modification

If set to false, the user may not modify the personal hotspot setting. Defaults to true. Available only in iOS 12.2 and later.

Automatically set Date and Time

If set to true, the Date & Time "Set Automatically" feature is turned on and can't be turned off by the user. Defaults to false. Available only in iOS 12.0 and later.

Note: The device's time zone will only be updated when the device can determine its location (cellular connection, or Wi-Fi with location services enabled).

Allow modifying account settings

If set to false, account modification is disabled. Available only in iOS 7.0 and later.

Allow modifying cellular data app settings

If set to false, changes to cellular data usage for apps are disabled. Available only in iOS 7.0 and later.

Allow Siri to query user-generated content from web

When false, prevents Siri from querying user-generated content from the web. Available in iOS 7 and later.

Enable iBookStore

If set to false, Apple Books will be disabled. This will default to true. Available in iOS 6.0 and later.

Enable iBookStore Erotica

If set to false, the user will not be able to download media from Apple Books that has been tagged as erotica. This will default to true. Available in iOS and in tvOS 11.3 and later.

Allow Find My Friends modification

If set to false, changes to Find My Friends are disabled. Available only in iOS 7.0 and later.

Allow use of Game Center

When false, Game Center is disabled and its icon is removed from the Home screen. Default is true. Available only in iOS 6.0 and later.

Allow Host Pairing

If set to false, host pairing is disabled with the exception of the supervision host. If no supervision host certificate has been configured, all pairing is disabled. Host pairing lets the administrator control which devices an iOS 7 device can pair with. Available only in iOS 7.0 and later.

Allow Enable Restrictions option

If set to false, disables the "Enable Restrictions" option in the Restrictions UI in Settings. Default is true. On iOS 12 or later, if set to false, disables the "Enable Screen Time" option in the Screen Time UI in Settings and disables Screen Time if already enabled. Available in iOS 8.0 and later.

Allow News

If set to false, disables News. Defaults to true. Available in iOS 9.0 and later.

Allow use of Podcasts

If set to false, disables podcasts. Defaults to true. Available in iOS 8.0 and later.

Allow keyboard auto-correction

If set to false, disables keyboard auto-correction. Defaults to true. Available in iOS 8.1.3 and later.

Allow keyboard spell-check

If set to false, disables keyboard spell-check. Defaults to true. Available in iOS 8.1.3 and later.

Allow UI app installation

When false, the App Store is disabled and its icon is removed from the Home screen. However, users may continue to use host apps (iTunes, Configurator) to install or update their apps. Defaults to true. In iOS 10 and later, MDM commands can override this restriction. Available in iOS 9.0 and later.

Allow keyboard shortcuts

If set to false, keyboard shortcuts cannot be used. Defaults to true. Available in iOS 9.0 and later.

Allow passcode modification

If set to false, prevents the device passcode from being added, changed, or removed. Defaults to true. This restriction is ignored by shared iPads. Available in iOS 9.0 and later.

Allow device name modification

If set to false, prevents device name from being changed. Defaults to true. Available in iOS 9.0

Allow wallpaper modification

If set to false, prevents wallpaper from being changed. Defaults to true. Available in iOS 9.0 and later.

Allow automatic app downloads

If set to false, prevents automatic downloading of apps purchased on other devices. Does not affect updates to existing apps. Defaults to true. Available in iOS 9.0 and later.

Allow radio service

If set to false, Apple Music Radio is disabled. Defaults to true. Available in iOS 9.3 and later.

Blacklisted app bundle IDs (comma separated)

If present, prevents the bundle IDs listed in the array from being shown or launched. Include the value com.apple.webapp to blacklist all web clips. Available in iOS 9.3 and later.

Whitelisted app bundle IDs (comma separated)

If present, allows only the bundle IDs listed in the array to be shown or launched. Include the value com.apple.webapp to whitelist all web clips. Available in iOS 9.3 and later.

Allow diagnostic bluetooth modification

If set to false, prevents modification of Bluetooth settings. Defaults to true. Available in iOS 10.0 and later.

Allow dictation

If set to false, disallows dictation input. Defaults to true. Available only in iOS 10.3 and later

Force WiFi white listing (Warning, wrong configuration could break communication)

If set to true, the device can join Wi-Fi networks only if they were set up through a configuration profile. Defaults to false. Available only in iOS 10.3 and later.

Allow air print

If set to false, disallows AirPrint. Defaults to true. Available in iOS 11.0 and later.

Allow air print credentials storage

If set to false, disallows keychain storage of username and password for Airprint. Defaults to true. Available in iOS 11.0 and later.

Force air print trusted TLS requirement

If set to true, requires trusted certificates for TLS printing communication. Defaults to false. Available in iOS 11.0 and later.

Allow air print iBeacon discovery

If set to false, disables iBeacon discovery of AirPrint printers. This prevents spurious AirPrint Bluetooth beacons from phishing for network traffic. Defaults to true. Available in iOS 11.0 and later.

Allow system app removal

If set to false, disables the removal of system apps from the device. Defaults to true. Available only in iOS 11.0 and later.

Allow VPN creation

If set to false, disallow the creation of VPN configurations. Defaults to true. Available only in iOS 11.0 and later.

Allow proximity setup to new device

If set to false, disables the prompt to set up new devices that are nearby. Defaults to true. Available only in iOS 11.0 and later.

Allow installing apps

When false, the App Store is disabled and its icon is removed from the Home screen. Users are unable to install or update their applications. This key is deprecated on unsupervised devices. MDM commands can override this restriction. Available only in iOS 10 and later

Allow AirDrop

If set to false, AirDrop is disabled. Available only in iOS 7.0 and later.

Permitted Applications in Autonomous Single App Mode

If present, allows apps identified by the bundle IDs listed in the array to autonomously enter Single App Mode. Available only in iOS 7.0 and later. Application Bundle ID:

Allow diagnostic submission

When false, this prevents the device from automatically submitting diagnostic reports to Apple. Defaults to true. Available only in iOS 6.0 and later.

Allow diagnostic submission modification

If set to false, the diagnostic submission and app analytics settings in the Diagnostics & Usage pane in Settings cannot be modified. Defaults to true. Available in iOS 9.3.2 and later.

Allow notifications modification

If set to false, notification settings cannot be modified. Defaults to true. Available in iOS 9.3 and later.

Allow predictive keyboard

If set to false, disables predictive keyboards. Defaults to true. Available in iOS 8.1.3 and later.

Force Authentication Before Auto Fill

If set to true, the user will have to authenticate before passwords or credit card information can be autofilled in Safari and Apps. If this restriction is not enforced, the user can toggle this feature in settings. Only supported on devices with FaceID or TouchID. Defaults to true. Available only in iOS 11.0 and later

Restrictions on macOS device

Allow macOS iCloud Bookmark sync

When false, disallows macOS iCloud Bookmark sync. Available in macOS 10.12 and later.

Allow macOS Mail iCloud services

When false, disallows macOS Mail iCloud services. Available in macOS 10.12 and later.

Allow macOS Mail iCloud Calendar services

When false, disallows macOS iCloud Calendar services. Available in macOS 10.12 and later.

Allow macOS Mail iCloud Reminder services

When false, disallows iCloud Reminder services. Available in macOS 10.12 and later.

Allow macOS Mail iCloud Address Book services

When false, disallows macOS iCloud Address Book services. Available in macOS 10.12 and later.

Allow macOS Mail iCloud Notes services

When false, disallows macOS iCloud Notes services. Available in macOS 10.12 and later.

Allow content caching

When false, this disallows content caching. Defaults to true. Available only in macOS 10.13 and later.

Allow iTunes application file sharing

When false, iTunes application file sharing services are disabled. Available in macOS 10.13 and later.

NOTE Refer to Publish policy for instructions on how to publish an applied policy on an iOS device.
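The following script is an added example for this page, not Entgra's or Apple's code. Rather than restating every checkbox, it models three behaviours the Restrictions Policy descriptions above spell out precisely enough to compute: which apps stay visible under the blacklisted and whitelisted bundle ID lists (entered comma separated in the UI, with com.apple.webapp standing for every web clip); the "Accept cookies" values 0, 1, 1.5 and 2, where on iOS 10 and earlier a user may pick a more restrictive setting than the payload but never a less restrictive one; and the "Allowed content ratings" maxima for movies, TV shows and apps. The precedence between blacklist and whitelist when both are present is this example's assumption, and the Apple payload key names used in build_restrictions (com.apple.applicationaccess, blacklistedAppBundleIDs, whitelistedAppBundleIDs, safariAcceptCookies, ratingRegion, ratingMovies, ratingTVShows, ratingApps) are Apple's, not the page's.

```python
"""
Evaluating three restriction semantics described above (added example, not
Entgra or Apple code): the blacklisted / whitelisted bundle ID lists, the
"Accept cookies" values with the iOS 10-and-earlier "more restrictive only"
rule, and the "Allowed content ratings" maxima.
"""

WEBCLIP_WILDCARD = "com.apple.webapp"   # stands for all web clips in either list

# Accept cookies: payload value -> restrictiveness rank (higher = more restrictive),
# following the iOS 10 and earlier labels: 0 Never, 1 current website only,
# 1.5 websites visited, 2 Always.
COOKIE_RANK = {0: 3, 1: 2, 1.5: 1, 2: 0}

# Rating scales from the page: level -> US description. Higher level = more permissive.
MOVIE_RATINGS = {0: "None", 100: "G", 200: "PG", 300: "PG-13", 400: "R",
                 500: "NC-17", 1000: "All"}
TV_RATINGS = {0: "None", 100: "TV-Y", 200: "TV-Y7", 300: "TV-G", 400: "TV-PG",
              500: "TV-14", 600: "TV-MA", 1000: "All"}
APP_RATINGS = {0: "None", 100: "4+", 200: "9+", 300: "12+", 600: "17+", 1000: "All"}


def parse_bundle_ids(field):
    """Turn the comma-separated UI field into the array the payload carries."""
    return [b.strip() for b in field.split(",") if b.strip()]


def app_is_launchable(bundle_id, blacklist, whitelist, is_webclip=False):
    """Whether an app (or web clip) is shown and launchable under the two lists.
    A web clip is matched by its own ID or by com.apple.webapp. The blacklist is
    applied first; a non-empty whitelist then permits only the IDs it lists
    (this precedence is the example's assumption)."""
    keys = {bundle_id}
    if is_webclip:
        keys.add(WEBCLIP_WILDCARD)
    if keys & set(blacklist):
        return False
    if whitelist:
        return bool(keys & set(whitelist))
    return True


def cookie_choice_permitted(payload_value, user_choice):
    """iOS 10 and earlier: the user may switch to a setting at least as restrictive
    as the payload value, never to a less restrictive one (payload 1.5 allows
    0, 1 and 1.5 but not 2)."""
    if payload_value not in COOKIE_RANK or user_choice not in COOKIE_RANK:
        raise ValueError("cookie values must be one of 0, 1, 1.5, 2")
    return COOKIE_RANK[user_choice] >= COOKIE_RANK[payload_value]


def content_permitted(item_level, max_allowed, scale):
    """Content is allowed when its rating level does not exceed the policy maximum;
    0 (None) blocks everything rated, 1000 (All) permits everything."""
    if item_level not in scale or max_allowed not in scale:
        raise ValueError("unknown rating level")
    return item_level <= max_allowed


def build_restrictions(blacklist_field="", whitelist_field="", cookies=2,
                       movies=1000, tv=1000, apps=1000, region="us"):
    """Assemble the corresponding part of a com.apple.applicationaccess payload
    from the UI-level values, rejecting levels the page does not list."""
    if cookies not in COOKIE_RANK:
        raise ValueError("cookie values must be one of 0, 1, 1.5, 2")
    for level, scale in ((movies, MOVIE_RATINGS), (tv, TV_RATINGS), (apps, APP_RATINGS)):
        if level not in scale:
            raise ValueError(f"unknown rating level {level}")
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "safariAcceptCookies": cookies,
        "ratingRegion": region,
        "ratingMovies": movies,
        "ratingTVShows": tv,
        "ratingApps": apps,
    }
    if blacklist_field:
        payload["blacklistedAppBundleIDs"] = parse_bundle_ids(blacklist_field)
    if whitelist_field:
        payload["whitelistedAppBundleIDs"] = parse_bundle_ids(whitelist_field)
    return payload


if __name__ == "__main__":
    # Constructed sample: block one app and every web clip, PG-13 movies at most,
    # cookies from visited websites only.
    policy = build_restrictions("com.example.games, com.apple.webapp", cookies=1.5, movies=300)
    deny = policy["blacklistedAppBundleIDs"]
    print(app_is_launchable("com.example.games", deny, []))                 # False
    print(app_is_launchable("clip", deny, [], is_webclip=True))             # False
    print(cookie_choice_permitted(policy["safariAcceptCookies"], 2))        # False
    print(content_permitted(400, policy["ratingMovies"], MOVIE_RATINGS))    # False
```

The functions are deliberately separate from the payload builder so the same checks can be run against a device's reported settings from the Policy Compliance view: feed it the published values and the device's values, and any call that returns False is a deviation worth investigating.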

Wifi Settings Policy

Refer to Add policy for instructions on how to add a policy to an iOS device.

Data Keys of Policy and its Descriptions

Service Set Identifier (SSID)

SSID of the Wi-Fi network to be used. In iOS 7.0 and later, this is optional if a DomainName value is provided.

Domain Name

This field can be provided instead of SSID_STR. Available in iOS 7.0 and later (used for Wi-Fi Hotspot 2.0 negotiation).

Hidden Network

Besides the SSID, the device uses information such as broadcast type and encryption type to differentiate a network. By default (false), all configured networks are assumed to be open or broadcast. To specify a hidden network, this must be true.

Hot Spot

If true, the network is treated as a hotspot. Available in iOS 7.0 and later.

Enable Service Provider Roaming

If true, allows connection to roaming service providers. Defaults to false. Available in iOS 7.0 and later.

Auto Join

If true, the network is auto-joined. If false, the user has to tap the network name to join it. Available in iOS 5.0 and later.

Displayed Operator Name

The operator name to display when connected to this network. Used only with Wi-Fi Hotspot 2.0 access points. Available in iOS 7.0 and later.

Proxy Setup

Valid values are None, Manual, and Auto. Available in iOS 5.0 and later. If the ProxyType field is set to Manual, the following fields must also be provided:

  • Proxy Server: The proxy serverʼs network address (server URL or IP address).

  • Proxy Server Port: The proxy serverʼs port.

  • Proxy Username: The username used to authenticate to the proxy server.

  • Proxy Password: The password used to authenticate to the proxy server.

  • Proxy PAC URL: The URL of the PAC file that defines the proxy configuration.

  • Allow Proxy PAC FallBack: If false, prevents the device from connecting directly to the destination if the PAC file is unreachable. Default is false. Available in iOS 7 and later.

Encryption Security Type

If the Encryption Security Type field is set to WEP, WPA, or ANY, the following fields may also be provided:

  • Wi-Fi Password: Password used for encryption security. Absence of a password does not prevent a network from being added to the list of known networks. The user is eventually prompted to provide the password when connecting to that network.

  • EAP Client Configuration: In addition to the standard encryption types, it is possible to specify an enterprise profile for a given network via the EAP Client Configuration key. If present, its value is a dictionary with the keys listed below. The following EAP types are accepted:

    13 = TLS
    17 = LEAP
    18 = EAP-SIM
    21 = TTLS
    23 = EAP-AKA
    25 = PEAP
    43 = EAP-FAST

For EAP-TLS authentication without a network payload, install the necessary identity certificates and have your users select EAP-TLS mode in the 802.1X credentials dialog that appears when they connect to the network. For other EAP types, a network payload is necessary and must specify the correct settings for the network.

  • Username: Unless you enter a user name, this property won't appear in an imported configuration. Users can enter this information by themselves when they authenticate.
  • Password: If not provided, the user will be prompted during login.
  • One Time Password: If checked, the user will be prompted for a password each time they connect to the network.
  • TLS Trusted Server Certificate Names: This is the list of server certificate common names that will be accepted. You can use wildcards to specify the name, such as wpa.*.example.com. If a server presents a certificate that isn't in this list, it won't be trusted. Used alone or in combination with TLSTrustedCertificates, the property allows someone to carefully craft which certificates to trust for the given network, and avoid dynamically trusted certificates.
  • Allow TLS Trust Exceptions: Allows / disallows a dynamic trust decision by the user. The dynamic trust is the certificate dialogue that appears when a certificate isn't trusted. If this is unchecked, the authentication fails if the certificate isn't already trusted.
  • Require TLS Certificate: If checked, allows for two-factor authentication for EAP-TTLS, PEAP or EAP-FAST. If unchecked, allows for zero factor authentication for EAP-TLS. By default this is enabled for EAP-TLS and disabled for other EAP types. Available in iOS 7.0 and later.
  • TTLS Inner Authentication Type: Specifies the inner authentication used by the TTLS module. Possible values are PAP, CHAP, MSCHAP and MSCHAPv2.
  • Outer Identity: This key is only relevant to TTLS, PEAP, and EAP-FAST. This allows the user to hide his or her identity. The userʼs actual name appears only inside the encrypted tunnel. For example, it could be set to ”anonymous” or ”anon”, or ”anon@mycompany.net”. It can increase security because an attacker canʼt see the authenticating userʼs name in the clear.
  • EAP-Fast Support:

    Use existing PAC for EAP-FAST

    Allow PAC Provisioning

    Allow Anonymous PAC Provisioning

These keys are hierarchical in nature: if Use existing PAC for EAP-FAST is false, the other two properties arenʼt consulted. Similarly, if Allow PAC Provisioning is false, Allow Anonymous PAC Provisioning isnʼt consulted. If Use existing PAC for EAP-FAST is false, authentication proceeds much like PEAP or TTLS: the server proves its identity using a certificate each time. If checked, the device will use an existing PAC. Otherwise, the server must present its identity using a certificate.

If Allow PAC Provisioning is checked, allows PAC provisioning. This particular attribute must be enabled for EAP-FAST PAC usage to succeed, because there is no other way to provision a PAC.

If Allow Anonymous PAC Provisioning is checked, provisions the device anonymously. Note that there are known man-in-the-middle attacks for anonymous provisioning.

  • Number of expected RANDs for EAP-SIM: Number of expected RANDs for EAP-SIM. Valid values are 2 and 3. Defaults to 3.

  • Certificate Payload UUID: UUID of the certificate payload to use for the identity credential.
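As an added example (not code from this page or from WSO2), the Python below lints the EAP Client Configuration of a Wi-Fi payload for the weak settings the descriptions above warn about (dynamic trust exceptions, no pinned server certificate names, anonymous PAC provisioning, PAC keys that are never consulted) and shows how a server certificate name is matched against the wildcard patterns; it also serves the repeated Wi-Fi Settings Policy section further down. The key names (EAPClientConfiguration, AcceptEAPTypes, TLSTrustedServerNames, TLSAllowTrustExceptions, EAPFASTUsePAC and the rest), the defaults assumed for absent keys and the sample profile are assumptions of this example.

```python
import fnmatch
import plistlib

# EAP type numbers as listed in the policy description.
EAP_TYPE_NAMES = {13: "TLS", 17: "LEAP", 18: "EAP-SIM", 21: "TTLS",
                  23: "EAP-AKA", 25: "PEAP", 43: "EAP-FAST"}
TUNNELED_TYPES = {21, 25, 43}           # TTLS, PEAP, EAP-FAST carry an inner identity
INNER_AUTH_VALUES = {"PAP", "CHAP", "MSCHAP", "MSCHAPv2"}


def server_name_trusted(presented_cn, trusted_names):
    """Match a server certificate CN against the TLS Trusted Server Certificate Names
    patterns (e.g. wpa.*.example.com); compared case-insensitively."""
    cn = presented_cn.lower()
    return any(fnmatch.fnmatchcase(cn, pattern.lower()) for pattern in trusted_names)


def lint_eap_config(cfg):
    """Return (code, severity, message) findings for one EAPClientConfiguration dict.
    Assumed defaults for absent keys: TLSAllowTrustExceptions true, TLSCertificateIsRequired
    true, the EAPFAST* keys false, EAPSIMNumberOfRANDs 3."""
    findings = []
    types = set(cfg.get("AcceptEAPTypes", []))
    for t in sorted(types - set(EAP_TYPE_NAMES)):
        findings.append(("UNKNOWN_EAP_TYPE", "error", f"EAP type {t} is not an accepted value"))
    if cfg.get("TLSAllowTrustExceptions", True):
        findings.append(("TRUST_EXCEPTIONS", "high",
                         "users may accept an untrusted RADIUS certificate; set to false so "
                         "authentication fails unless the certificate is already trusted"))
    if not cfg.get("TLSTrustedServerNames"):
        findings.append(("NO_TRUSTED_SERVER_NAMES", "high",
                         "no server certificate names are pinned for this network"))
    if 13 in types and not cfg.get("TLSCertificateIsRequired", True):
        findings.append(("TLS_CERT_NOT_REQUIRED", "high",
                         "EAP-TLS without a required client certificate is zero-factor"))
    if types & TUNNELED_TYPES and not cfg.get("OuterIdentity"):
        findings.append(("NO_OUTER_IDENTITY", "medium",
                         "the real user name is sent in the clear outside the TLS tunnel"))
    inner = cfg.get("TTLSInnerAuthentication")
    if 21 in types and inner not in INNER_AUTH_VALUES:
        findings.append(("BAD_INNER_AUTH", "error",
                         f"TTLS inner authentication {inner!r} is not PAP/CHAP/MSCHAP/MSCHAPv2"))
    if 43 in types:
        use_pac = cfg.get("EAPFASTUsePAC", False)
        provision = cfg.get("EAPFASTProvisionPAC", False)
        anonymous = cfg.get("EAPFASTProvisionPACAnonymously", False)
        if not use_pac and (provision or anonymous):
            findings.append(("PAC_KEYS_IGNORED", "info",
                             "EAPFASTUsePAC is false, so the PAC provisioning keys are not consulted"))
        if use_pac and not provision:
            findings.append(("PAC_NOT_PROVISIONABLE", "error",
                             "a PAC is required but cannot be provisioned; EAP-FAST will fail"))
        if use_pac and provision and anonymous:
            findings.append(("ANON_PAC_PROVISIONING", "high",
                             "anonymous PAC provisioning has known man-in-the-middle attacks"))
    if 18 in types and cfg.get("EAPSIMNumberOfRANDs", 3) not in (2, 3):
        findings.append(("BAD_RAND_COUNT", "error", "EAPSIMNumberOfRANDs must be 2 or 3"))
    return findings


def lint_wifi_profile(profile_bytes):
    """Parse a .mobileconfig (plist) and lint every Wi-Fi payload's EAP configuration.
    Returns {SSID_STR: findings}; payloads without EAPClientConfiguration are skipped."""
    profile = plistlib.loads(profile_bytes)
    report = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.wifi.managed":
            continue
        eap = payload.get("EAPClientConfiguration")
        if eap is not None:
            report[payload.get("SSID_STR", "<no SSID>")] = lint_eap_config(eap)
    return report


# Constructed sample profile; every value here is invented for this example.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": "com.apple.wifi.managed",
        "SSID_STR": "corp-wifi",
        "EncryptionType": "WPA",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [25, 43],             # PEAP and EAP-FAST
            "UserName": "jdoe",
            "OuterIdentity": "anonymous",
            "TLSTrustedServerNames": ["wpa.*.example.com"],
            "TLSAllowTrustExceptions": True,        # the weak setting this linter flags
            "EAPFASTUsePAC": False,
            "EAPFASTProvisionPAC": True,            # ignored while EAPFASTUsePAC is false
        },
    }],
})

if __name__ == "__main__":
    for ssid, findings in lint_wifi_profile(SAMPLE_PROFILE).items():
        for code, severity, message in findings:
            print(f"{ssid}: [{severity}] {code}: {message}")
```

Running the block prints the two findings for the sample profile: the trust-exception setting and the PAC provisioning key that is never consulted.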

Roaming Consortium OIs

Roaming Consortium Organization Identifiers used for Wi-Fi Hotspot 2.0 negotiation. Requires 6 or 10 hexadecimal characters. Available in iOS 7.0 and later.

Network Access Identifier (NAI) Realm Names

List of Network Access Identifier Realm names used for Wi-Fi Hotspot 2.0 negotiation. Available in iOS 7.0 and later.

Mobile Country Code (MCC) / Mobile Network Code (MNC) Configuration

List of Mobile Country Code (MCC)/Mobile Network Code (MNC) pairs used for Wi-Fi Hotspot 2.0 negotiation. Each string must contain exactly six digits. Available in iOS 7.0 and later.

NOTE Refer to Publish policy for instructions on how to publish an applied policy on an iOS device.

Global Proxy Settings

Refer to Add policy for instructions on how to add a policy to an iOS device.

Configure a global HTTP proxy to direct all HTTP traffic from supervised iOS 7 and higher devices through a designated proxy server. Once this configuration profile is installed on a device, all the network traffic will be routed through the proxy server.

This policy is only applicable for the devices enrolled in supervised mode.

Data Keys of Policy and its Descriptions

Proxy Configuration Type

If you choose the manual proxy type, you must enter the proxy server address and port, and optionally a username and password for the proxy server. If you choose the auto proxy type, you can enter a proxy autoconfiguration (PAC) URL.

Proxy Host

The proxy serverʼs network address (host name or IP address of the proxy server).

Proxy Port

The proxy serverʼs port.

Username

The username used to authenticate to the proxy server.

Password

The password used to authenticate to the proxy server.

Allow Captive Login

When checked, allows the device to bypass the proxy server to display the login page for captive networks.

NOTE Refer to Publish policy for instructions on how to publish an applied policy on an iOS device.

Email Settings

Refer to Add policy for instructions on how to add a policy to an iOS device.

These configurations can be used to define settings for connecting to your POP or IMAP email accounts. Once this configuration profile is installed on an iOS device, corresponding users will not be able to modify these settings on their devices.

Data Keys of Policy and its Descriptions

Account Description

A user-visible description of the email account, shown in the Mail and Settings applications.

Account Type

Defines the protocol to be used for that account.

Path Prefix

The path prefix for the IMAP mail server

Email Account Name

The full user name for the account. This is the user name in sent messages, etc.

Email Address

Designates the full email address for the account. If not present in the payload, the device prompts for this string during profile installation.

Prevent move

If true, messages may not be moved out of this email account into another account. Also prevents forwarding or replying from a different account than the message was originated from.

Availability: Available only in iOS 5.0 and later.

Prevent App Sheet

If true, this account is not available for sending mail in any app other than the Apple Mail app. Availability: Available only in iOS 5.0 and later.

Enable S/MIME

If true, this account supports S/MIME. As of iOS 10.0, this key is ignored. Availability: Available only in iOS 5.0 through iOS 9.3.3.

S/MIME Signing Certificate UUID

The PayloadUUID of the identity certificate used to sign messages sent from this account. Availability: Available only in iOS 5.0 and later.

Enable Per-message Signing and Encryption Switch

If set to true, display the per-message encryption switch in the Mail Compose UI. Availability: Available only in iOS 12.0 and later.

Allow Recent Address Syncing

If true, this account is excluded from address Recents syncing. This defaults to false. Availability: Available only in iOS 6.0 and later.

Incoming Mail Settings

Mail Server Hostname

Designates the incoming mail server host name (or IP address).

Use Secure Socket Layer (SSL)

Designates whether the incoming mail server uses SSL for authentication.

Mail Server Port

Designates the incoming mail server port number. If no port number is specified, the default port for a given protocol is used.

Authentication Type

Designates the authentication scheme for incoming mail. Allowed values are EmailAuthPassword, EmailAuthCRAMMD5, EmailAuthNTLM, EmailAuthHTTPMD5, and EmailAuthNone.

Username

Designates the user name for the email account, usually the same as the email address up to the @ character. If not present in the payload, and the account is set up to require authentication for incoming email, the device will prompt for this string during profile installation.

Password

Password for the Incoming Mail Server. Use only with encrypted profiles.

Outgoing Mail Settings

Mail Server Hostname

Designates the outgoing mail server host name (or IP address).

Use Secure Socket Layer (SSL)

Default false. Designates whether the outgoing mail server uses SSL for authentication.

Mail Server Port

Designates the outgoing mail server port number. If no port number is specified, ports 25, 587 and 465 are used, in this order.

Authentication Type

Designates the authentication scheme for outgoing mail. Allowed values are EmailAuthPassword, EmailAuthCRAMMD5, EmailAuthNTLM, EmailAuthHTTPMD5, and EmailAuthNone.

Username

Designates the user name for the email account, usually the same as the email address up to the @ character. If not present in the payload, and the account is set up to require authentication for outgoing email, the device prompts for this string during profile installation.

Password

Password for the Outgoing Mail Server. Use only with encrypted profiles.

NOTE Refer to Publish policy for instructions on how to publish an applied policy on an iOS device.

AirPlay Settings

Refer to Add policy for instructions on how to add a policy to an iOS device.

This configuration can be used to define settings for connecting to AirPlay destinations. Once this configuration profile is installed on an iOS device, corresponding users will not be able to modify these settings on their devices.

Data Keys of Policy and its Descriptions

AirPlay Credentials

(If present, sets passwords for known AirPlay destinations.)

Device Name

The name of the AirPlay destination (used on iOS).

Password

The password for the AirPlay destination.

AirPlay Destinations Whitelist

(Supervised only. If present, only AirPlay destinations present in this list are available to the device.)

Destination

The Device ID of the AirPlay destination, in the format xx:xx:xx:xx:xx:xx. This field is not case sensitive.

NOTE Refer to Publish policy for instructions on how to publish an applied policy on an iOS device.

Manage Domains

Refer to Add policy for instructions on how to add a policy to an iOS device.

This payload defines web domains that are under an enterprise’s management.

Data Keys of Policy and its Descriptions

Unmarked Email Domains

(Any email address that does not have a suffix that matches one of the unmarked email domains specified by the key EmailDomains will be considered out-of-domain and will be highlighted as such in the Mail app.)

Email Domains

An array of strings. An email address lacking a suffix that matches any of these strings will be considered out-of-domain.

Managed Safari Web Domains

(If present, URLs matching the patterns in this list are considered managed Safari web domains.)

Managed Safari Web Domains

An array of URL strings. URLs matching the patterns listed here will be considered managed.

Refer to Publish policy for instructions on how to publish an applied policy in an iOS device.

LDAP Settings

This configuration can be used to define settings for connecting to LDAP servers. Once this configuration profile is installed on an iOS device, corresponding users will not be able to modify these settings on their devices.

Refer to Add policy for instructions on how to add a policy to an iOS device.

Data Keys of Policy and its Descriptions

Account Description

Display name of the account.

Account Hostname

LDAP host name or IP address.

Use Secure Socket Layer (SSL)

When checked, enables Secure Socket Layer communication.

Account Username

User name for this LDAP account.

Account Password

Password for this LDAP account.

Search Settings

Search settings for this LDAP account. An account can have many of these, and should have at least one for the account to be useful.

Description

Description of this search setting.

Search Base

Conceptually, the path to the node where a search should start. For example: ou=people,o=example corp

Scope

Defines what recursion to use in the search. Can be one of the following three values:

  • LDAPSearchSettingScopeBase: Just the immediate node pointed to by SearchBase.

  • LDAPSearchSettingScopeOneLevel: The node plus its immediate children.

  • LDAPSearchSettingScopeSubtree: The node plus all children, regardless of depth.

Refer to Publish policy for instructions on how to publish an applied policy in an iOS device.

ActiveSync Configurations

Refer to Add policy for instructions on how to add a policy to an iOS device.

This configuration can be used to provision ActiveSync Configurations for iOS devices.

Data Keys of Policy and its Descriptions

Email Address

Specifies the full email address for the account. If not present in the payload, the device prompts for this string during profile installation.

Exchange Server Hostname

Specifies the Exchange server host name (or IP address).

Use Secure Socket Layer (SSL)

Specifies whether the Exchange server uses SSL for authentication.

Account Username

This string specifies the user name for this Exchange account. Required in non-interactive installations (like MDM on iOS).

Account Password

The password of the account. Use only with encrypted profiles.

Use OAuth

Specifies whether the connection should use OAuth for authentication. If enabled, a password should not be specified. This defaults to false. Availability: Available only in iOS 12.0 and later.

Available in iOS only

ActiveSync Certificate file

For accounts that allow authentication via certificate, a .p12 identity certificate in NSData blob format.

Certificate Name

Specifies the name or description of the certificate.

Certificate Password

The password necessary for the p12 identity certificate. Used with mandatory encryption of profiles.

Prevent Move

If set to true, messages may not be moved out of this email account into another account. Also prevents forwarding or replying from a different account than the message was originated from. Availability: Available in iOS 5.0 and later.

Prevent App Sheet

If set to true, this account will not be available for sending mail in any app other than the Apple Mail app. Availability: Available in iOS 5.0 and later.

Payload Certificate UUID

UUID of the certificate payload to use for the identity credential. If this field is present, the Certificate field is not used. Availability: Available in iOS 5.0 and later.

SMIME Enabled

If true, this account supports S/MIME. As of iOS 10.0, this key is ignored. Availability: Available only in iOS 5.0 through 9.3.3.

SMIME Signing Enabled

If set to true, S/MIME signing is enabled for this account. Availability: Available only in iOS 10.3 and later.

SMIME Signing Certificate UUID

The PayloadUUID of the identity certificate used to sign messages sent from this account. Availability: Available only in iOS 5.0 and later.

SMIME Encryption Enabled

If set to true, S/MIME encryption is on by default for this account. Availability: Available only in iOS 10.3 and later. As of iOS 12.0, this key is deprecated. It is recommended to use SMIMEEncryptByDefault instead.

SMIME Encryption Certificate UUID

The PayloadUUID of the identity certificate used to decrypt messages sent to this account. The public certificate is attached to outgoing mail to allow encrypted mail to be sent to this user. When the user sends encrypted mail, the public certificate is used to encrypt the copy of the mail in their Sent mailbox. Availability: Available only in iOS 5.0 and later.

SMIME Enable PerMessage Switch

If set to true, displays the per-message encryption switch in the Mail Compose UI.

SMIME Signing User Overrideable

If set to true, the user can toggle S/MIME signing on or off in Settings. Availability: Available only in iOS 12.0 and later.

SMIME Signing Certificate UUID UserOverrideable

If set to true, the user can select the signing identity. Availability: Available only in iOS 12.0 and later.

SMIME Encrypt By Default

If set to true, S/MIME encryption is enabled by default. If SMIMEEnableEncryptionPerMessageSwitch is false, this default cannot be changed by the user. Availability: Available only in iOS 12.0 and later.

SMIME Encrypt By Default User Overrideable

If set to true, the user can toggle the encryption by default setting. Availability: Available only in iOS 12.0 and later.

SMIME Encryption Certificate UUID User Overrideable

If set to true, the user can select the S/MIME encryption identity and encryption is enabled. Availability: Available only in iOS 12.0 and later.

SMIME Enable Encryption Per-Message Switch

If set to true, displays the per-message encryption switch in the Mail Compose UI. Availability: Available only in iOS 12.0 and later.

Allow Mail Drop

If true, this account is allowed to use Mail Drop. The default is false. Availability: Available only in macOS 10.12 and later.

Disable Mail Recents Syncing

If true, this account is excluded from address Recents syncing. Availability: Available only in iOS 6.0 and later.

Mail Number Of PastDays To Sync

The number of past days of mail to synchronize.

Bundle ID of Default Application Handling Audio Calls

The communication service handler rules for this account. The CommunicationServiceRules dictionary currently contains only a DefaultServiceHandlers key; its value is a dictionary which contains an AudioCall key whose value is a string containing the bundle identifier for the default application that handles audio calls made to contacts from this account.

NOTE Refer to Publish policy for instructions on how to publish an applied policy on an iOS device.

Calendar

Refer to Add policy for instructions on how to add a policy to an iOS device.

This configuration can be used to define settings for connecting to CalDAV servers. Once this configuration profile is installed on an iOS device, corresponding users will not be able to modify these settings on their devices.

Data Keys of Policy and its Descriptions

Account Description

Display name of the account, e.g. Company CalDAV Account.

Account Hostname

CalDAV host name or IP address.

Use Secure Socket Layer (SSL)

When checked, enables Secure Socket Layer communication with the CalDAV server.

Account Port

CalDAV account host port number.

Principal URL

Principal URL for the CalDAV account

Account Username

CalDAV account user name

Account Password

CalDAV account password

NOTE Refer to Publish policy for instructions on how to publish an applied policy on an iOS device.

Calendar Subscriptions

Refer to Add policy for instructions on how to add a policy to an iOS device.

This configuration can be used to define settings for calendar subscriptions. Once this configuration profile is installed on an iOS device, corresponding users will not be able to modify these settings on their devices.

Data Keys of Policy and its Descriptions

Description

Description of the account.

Account Hostname URL

The server address.

Use Secure Socket Layer (SSL)

When checked, enables Secure Socket Layer communication.

Username

The userʼs login name.

Password

The userʼs password.

NOTE Refer to Publish policy for instructions on how to publish an applied policy on an iOS device.

Cellular Network Settings

Refer to Add policy for instructions on how to add a policy to an iOS device.

These configurations can be used to specify Cellular Network Settings on an iOS device. Cellular settings cannot be installed if an APN setting is already installed and upon successful installation, corresponding users will not be able to modify these settings on their devices.

(This feature is supported only on iOS 7.0 and later.)

Data Keys of Policy and its Descriptions

Cellular Configuration Name

The Access Point Name.

Authentication Type

Must contain either CHAP or PAP. Defaults to PAP.

Username

A user name used for authentication.

Password

A password used for authentication.

APN Configurations

APN

The Access Point Name.

Authentication Type

Must contain either CHAP or PAP. Defaults to PAP.

Username

A user name used for authentication.

Password

A password used for authentication.

Proxy

The proxy serverʼs network address.

Port

The proxy serverʼs port.

NOTE Refer to Publish policy for instructions on how to publish an applied policy on an iOS device.

Network Usage Rules

Refer to Add policy for instructions on how to add a policy to an iOS device.

Network Usage Rules allow enterprises to specify how managed apps use networks, such as cellular data networks.

These rules only apply to managed apps.

Data Keys of Policy and its Descriptions

Allow cellular data when roaming

(Common to all rule configuration types)

If set to false, matching managed apps will not be allowed to use cellular data when roaming.

Allow Cellular Data

(Common to all rule configuration types)

If set to false, matching managed apps will not be allowed to use cellular data at any time.

Apply to specified managed apps

(Set network usage rules for specific applications)

Application Identifier Match

A list of managed app identifiers, as strings, that must follow the associated rules. If this key is missing, the rules apply to all managed apps on the device. Each string in the Application Identifier Match may either be an exact app identifier match (e.g. com.mycompany.myapp) or it may specify a prefix match for the Bundle ID by using the * wildcard character. The wildcard character, if used, must appear after a period character (.), and may only appear once, at the end of the string (e.g. com.mycompany.*).
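As an added example (not code from this page or from WSO2), the Python below validates Application Identifier Match strings against the wildcard rules just described, matches bundle IDs against them, and evaluates which managed apps a rule set denies cellular data to. The payload key names (ApplicationRules, AppIdentifierMatches, AllowCellularData, AllowRoamingCellularData), the bundle ID grammar and the sample payload are assumptions of this example.

```python
import re

# Bundle ID segments are taken here as runs of letters, digits and hyphens separated by
# periods (an assumption for this example; the page does not give Apple's exact grammar).
_BUNDLE_ID = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$")


def validate_app_identifier_match(pattern):
    """Return True if the string obeys the Application Identifier Match rules:
    an exact bundle ID, or a prefix whose single '*' follows a period at the end."""
    if "*" not in pattern:
        return bool(_BUNDLE_ID.match(pattern))
    if pattern.count("*") != 1 or not pattern.endswith(".*"):
        return False
    return bool(_BUNDLE_ID.match(pattern[:-2]))


def app_identifier_matches(pattern, bundle_id):
    """Exact match, or prefix match that keeps the trailing period in the prefix, so
    com.mycompany.field.* matches com.mycompany.field.sales but not com.mycompany.fieldx."""
    if pattern.endswith(".*"):
        return bundle_id.startswith(pattern[:-1])
    return bundle_id == pattern


def invalid_patterns(payload):
    """List every AppIdentifierMatches entry in the payload that breaks the wildcard rules."""
    bad = []
    for rule in payload.get("ApplicationRules", []):
        for pattern in rule.get("AppIdentifierMatches", []):
            if not validate_app_identifier_match(pattern):
                bad.append(pattern)
    return bad


def cellular_allowed(payload, bundle_id, roaming=False):
    """Evaluate the rules for one managed app. Returns False when a matching rule denies
    cellular data (AllowCellularData false denies it at any time, AllowRoamingCellularData
    false denies it only while roaming), True when a rule matches and permits it, and
    None when no rule matches the app."""
    decision = None
    for rule in payload.get("ApplicationRules", []):
        patterns = rule.get("AppIdentifierMatches")   # missing key: applies to all managed apps
        if patterns is not None and not any(app_identifier_matches(p, bundle_id) for p in patterns):
            continue
        allowed = rule.get("AllowCellularData", True)
        if roaming:
            allowed = allowed and rule.get("AllowRoamingCellularData", True)
        if not allowed:
            return False
        decision = True
    return decision


# Constructed sample payload; the bundle IDs are invented for this example.
SAMPLE_PAYLOAD = {
    "PayloadType": "com.apple.networkusagerules",
    "ApplicationRules": [
        {"AppIdentifierMatches": ["com.mycompany.mail", "com.mycompany.field.*"],
         "AllowCellularData": True, "AllowRoamingCellularData": False},
        {"AppIdentifierMatches": ["com.mycompany.video"], "AllowCellularData": False},
    ],
}

if __name__ == "__main__":
    print("invalid patterns:", invalid_patterns(SAMPLE_PAYLOAD))
    for app in ("com.mycompany.mail", "com.mycompany.field.sales",
                "com.mycompany.video", "com.other.app"):
        print(app, "home:", cellular_allowed(SAMPLE_PAYLOAD, app),
              "roaming:", cellular_allowed(SAMPLE_PAYLOAD, app, roaming=True))
```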

NOTE Refer to Publish policy for instructions on how to publish an applied policy on an iOS device.

Certificate Install

This configuration can be used to install a certificate on an iOS device.

Fields marked with * are required.

Refer to Add policy for instructions on how to add a policy to an iOS device.

Data Keys of Policy and its Descriptions

Certificate name

The file name of the enclosed certificate.

Certificate file

The base64 representation of the payload with a line length of 52.

Certificate Password

For PKCS#12 certificates, contains the password to the identity.

Certificate type

The Payload Type of a certificate payload must be one of the following:

Payload type (container format): certificate type

  • com.apple.security.root (PKCS#1, .cer): Alias for com.apple.security.pkcs1.

  • com.apple.security.pkcs1 (PKCS#1, .cer): DER-encoded certificate without private key. May contain root certificates.

  • com.apple.security.pem (PKCS#1, .cer): PEM-encoded certificate without private key. May contain root certificates.

  • com.apple.security.pkcs12 (PKCS#12, .p12): Password-protected identity certificate. Only one certificate may be included.

NOTE Refer to Publish policy for instructions on how to publish an applied policy on an iOS device.

VPN (Virtual Private Network) Settings

Refer to Add policy for instructions on how to add a policy to an iOS device.

This configuration can be used to configure VPN settings on an iOS device. Once this configuration profile is installed on a device, corresponding users will not be able to modify these settings on their devices.

Fields marked with * are required.

Data Keys of Policy and its Descriptions

Connection Name

Description of the VPN connection displayed on the device.

Override Primary

Specifies whether to send all traffic through the VPN interface. If true, all network traffic is sent over VPN.

On-demand Enabled

Check this if the VPN connection should be brought up on demand; otherwise leave it unchecked.

VPN Type

Determines the settings available in the payload for this type of VPN connection. It can have one of the following values:

  • L2TP

  • PPTP

  • IPSec (Cisco)

  • IKEv2 (see IKEv2 Dictionary Keys)

  • AlwaysOn (see AlwaysOn Dictionary Keys)

  • VPN (the solution uses a VPN plugin or NetworkExtension, so the VPNSubType key is required (see below)).

NOTE Refer to Publish policy for instructions on how to publish an applied policy on an iOS device.

Wi-Fi Settings Policy

Refer to Add policy for instructions on how to add a policy to an iOS device.

Data Keys of Policy and its Descriptions

Service Set Identifier (SSID)

SSID of the Wi-Fi network to be used. In iOS 7.0 and later, this is optional if a DomainName value is provided.

Domain Name

This field can be provided instead of SSID_STR (for Wi-Fi Hotspot 2.0 negotiation). Available in iOS 7.0 and later.

Hidden Network

Besides the SSID, the device uses information such as broadcast type and encryption type to differentiate a network. By default (false), it is assumed that all configured networks are open or broadcast. To specify a hidden network, this must be true.

Hot Spot

If true, the network is treated as a hotspot. Available in iOS 7.0 and later.

Enable Service Provider Roaming

If true, allows connection to roaming service providers. Defaults to false. Available in iOS 7.0 and later.

Auto Join

If true, the network is auto-joined. If false, the user has to tap the network name to join it. Available in iOS 5.0 and later.

Displayed Operator Name

The operator name to display when connected to this network. Used only with Wi-Fi Hotspot 2.0 access points. Available in iOS 7.0 and later.

Proxy Setup

Valid values are None, Manual, and Auto. Available in iOS 5.0 and later. If the ProxyType field is set to Manual, the proxy server fields must also be provided.

Encryption Security Type

Refer to the notes below for details on this.

Roaming Consortium OIs

Roaming Consortium Organization Identifiers used for Wi-Fi Hotspot 2.0 negotiation. Requires 6 or 10 hexadecimal characters. Available in iOS 7.0 and later.

Network Access Identifier (NAI) Realm Names

List of Network Access Identifier Realm names used for Wi-Fi Hotspot 2.0 negotiation. Available in iOS 7.0 and later.

Mobile Country Code (MCC) / Mobile Network Code (MNC) Configuration

List of Mobile Country Code (MCC)/Mobile Network Code (MNC) pairs used for Wi-Fi Hotspot 2.0 negotiation. Each string must contain exactly six digits. Available in iOS 7.0 and later.

Encryption Security Type

If the Encryption Security Type field is set to WEP, WPA, or ANY, the following fields may also be provided.

Wi-Fi Password: Password used for encryption security. Absence of a password does not prevent a network from being added to the list of known networks. The user is eventually prompted to provide the password when connecting to that network.

EAP Client Configuration: In addition to the standard encryption types, it is possible to specify an enterprise profile for a given network via the EAP Client Configuration key. If present, its value is a dictionary with the keys listed below. The following EAP types are accepted:

13 = TLS
17 = LEAP
18 = EAP-SIM
21 = TTLS
23 = EAP-AKA
25 = PEAP
43 = EAP-FAST

For EAP-TLS authentication without a network payload, install the necessary identity certificates and have your users select EAP-TLS mode in the 802.1X credentials dialog that appears when they connect to the network. For other EAP types, a network payload is necessary and must specify the correct settings for the network.

Username: Unless you enter a user name, this property won't appear in an imported configuration. Users can enter this information by themselves when they authenticate.

Password: If not provided, the user will be prompted during login.

One Time Password: If checked, the user will be prompted for a password each time they connect to the network.

TLS Trusted Server Certificate Names: This is the list of server certificate common names that will be accepted. You can use wildcards to specify the name, such as wpa.*.example.com. If a server presents a certificate that isn't in this list, it won't be trusted. Used alone or in combination with TLSTrustedCertificates, the property allows someone to carefully craft which certificates to trust for the given network, and avoid dynamically trusted certificates.

Allow TLS Trust Exceptions: Allows / disallows a dynamic trust decision by the user. The dynamic trust is the certificate dialogue that appears when a certificate isn't trusted. If this is unchecked, the authentication fails if the certificate isn't already trusted.

Require TLS Certificate: If checked, allows for two-factor authentication for EAP-TTLS, PEAP or EAP-FAST. If unchecked, allows for zero-factor authentication for EAP-TLS. By default this is enabled for EAP-TLS and disabled for other EAP types. Available in iOS 7.0 and later.

TTLS Inner Authentication Type: Specifies the inner authentication used by the TTLS module. Possible values are PAP, CHAP, MSCHAP and MSCHAPv2.

Outer Identity: This key is only relevant to TTLS, PEAP, and EAP-FAST. This allows the user to hide his or her identity. The user's actual name appears only inside the encrypted tunnel. For example, it could be set to "anonymous" or "anon", or "anon@mycompany.net". It can increase security because an attacker can't see the authenticating user's name in the clear.

EAP-FAST Support: This consists of three options:

Use existing PAC for EAP-FAST
Allow PAC Provisioning
Allow Anonymous PAC Provisioning

These keys are hierarchical in nature: if Use existing PAC for EAP-FAST is false, the other two properties aren't consulted. Similarly, if Allow PAC Provisioning is false, Allow Anonymous PAC Provisioning isn't consulted. If Use existing PAC for EAP-FAST is false, authentication proceeds much like PEAP or TTLS: the server proves its identity using a certificate each time. If checked, the device will use an existing PAC. Otherwise, the server must present its identity using a certificate.

If Allow PAC Provisioning is checked, PAC provisioning is allowed. This particular attribute must be enabled for EAP-FAST PAC usage to succeed, because there is no other way to provision a PAC. If Allow Anonymous PAC Provisioning is checked, the device is provisioned anonymously. Note that there are known man-in-the-middle attacks for anonymous provisioning.

Number of expected RANDs for EAP-SIM: Number of expected RANDs for EAP-SIM. Valid values are 2 and 3. Defaults to 3.

Certificate Payload UUID: UUID of the certificate payload to use for the identity credential.
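The EAP settings above interact: the PAC options are hierarchical, an untrusted server name is only accepted when trust exceptions are allowed, and some values are only valid for certain EAP types. The following is an added example (not WSO2 or Apple code) that encodes those rules as a pre-publish lint; the dictionary field names mirror this page's UI labels and are constructed, and Apple's wildcard matching for trusted server names is approximated with shell-style glob matching (an assumption).

```python
"""Constructed lint for the Wi-Fi EAP client settings documented above."""
from fnmatch import fnmatchcase

# EAP type codes the payload accepts, as listed on the page
EAP_TYPES = {13: "TLS", 17: "LEAP", 18: "EAP-SIM", 21: "TTLS",
             23: "EAP-AKA", 25: "PEAP", 43: "EAP-FAST"}
TTLS_INNER = {"PAP", "CHAP", "MSCHAP", "MSCHAPv2"}
TUNNELED = {21, 25, 43}  # types for which Outer Identity is relevant


def effective_pac_settings(cfg):
    """Apply the hierarchy: a false parent means its children are not consulted."""
    use_pac = bool(cfg.get("use_existing_pac", False))
    provision = use_pac and bool(cfg.get("allow_pac_provisioning", False))
    anonymous = provision and bool(cfg.get("allow_anonymous_pac", False))
    return {"use_pac": use_pac, "provision": provision, "anonymous": anonymous}


def server_name_trusted(cfg, presented_cn):
    """Would a server certificate with this common name be accepted?
    Names not in the list are only rescued by a user trust exception."""
    patterns = cfg.get("tls_trusted_server_names", [])
    if any(fnmatchcase(presented_cn, p) for p in patterns):  # glob approximation
        return True
    return bool(cfg.get("allow_tls_trust_exceptions", False))


def lint_eap_config(cfg):
    """Return reviewer findings for a policy before SAVE AND PUBLISH."""
    findings = []
    types = set(cfg.get("eap_types", []))
    unknown = sorted(t for t in types if t not in EAP_TYPES)
    if unknown:
        findings.append(f"unknown EAP type codes: {unknown}")
    if cfg.get("allow_tls_trust_exceptions", False):
        findings.append("users may accept untrusted server certificates at connect time")
    if 21 in types and cfg.get("ttls_inner_auth") not in TTLS_INNER:
        findings.append("TTLS inner authentication must be PAP, CHAP, MSCHAP or MSCHAPv2")
    if 43 in types:
        pac = effective_pac_settings(cfg)
        if pac["use_pac"] and not pac["provision"]:
            findings.append("EAP-FAST PAC in use but provisioning disabled: no way to obtain a PAC")
        if pac["anonymous"]:
            findings.append("anonymous PAC provisioning enabled: known man-in-the-middle exposure")
    if 18 in types and cfg.get("eap_sim_rands", 3) not in (2, 3):
        findings.append("EAP-SIM RANDs must be 2 or 3")
    if types & TUNNELED and not cfg.get("outer_identity"):
        findings.append("no Outer Identity: the real username is visible outside the tunnel")
    return findings
```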

Refer to Publish policy for instructions on how to publish an applied policy in an iOS device.

Font Install

Refer to Add policy for instructions on how to add a policy to an iOS device.

This configuration can be used to add an additional font to an iOS device.

Please note that the * sign marks required fields.

Data Keys of Policy and its Descriptions

Font name

The user-visible name for the font. This field is replaced by the actual name of the font after installation.

Font file

The contents of the font file.

Each payload must contain exactly one font file in TrueType (.ttf) or OpenType ( .otf) format. Collection formats (.ttc or .otc) are not supported.

NOTE Refer to Publish policy for instructions on how to publish an applied policy on an iOS device.

App Lock (Kiosk)

Refer to Add policy for instructions on how to add a policy to an iOS device.

This configuration can be used to enforce the iOS device to a single application i.e to make a device act as a Kiosk.

This configuration will be applied only on Supervised devices having iOS 7.0 and later.

Data Keys of Policy and its Descriptions

Identifier

The bundle identifier of the application.

Options

Disable touch

If true, the touch screen is disabled.

Disable Device Rotation

If true, device rotation sensing is disabled

Disable volume buttons

If true, the volume buttons are disabled.

Disable ringer switch

If true, the ringer switch is disabled.

Disable sleep wake button

If true, the sleep/wake button is disabled.

Disable auto lock

If true, the device will not automatically go to sleep after an idle period.

Enable voice over

If true, VoiceOver is turned on.

Enable zoom

If true, Zoom is turned on.

Enable invert colors

If true, Invert Colors is turned on.

Enable assistive touch

If true, AssistiveTouch is turned on.

Enable speak selection

If true, Speak Selection is turned on.

Enable mono audio

If true, Mono Audio is turned on.

User Enabled Options

Voice over

If true, allow VoiceOver adjustment.

Zoom

If true, allow Zoom adjustment.

Invert colors

If true, allow Invert Colors adjustment.

Assistive touch

If true, allow AssistiveTouch adjustment.

NOTE Refer to Publish policy for instructions on how to publish an applied policy on an iOS device.

App Store Restriction

Refer to Add policy for instructions on how to add a policy to an iOS device.

This configuration can be used to restrict the App Store on a macOS device. Once this configuration profile is installed on a device, the corresponding users will not be able to access the App Store on that device.

This configuration will be applied only on macOS devices.

Data Keys of Policy and its Descriptions

Restrict App Installation.

Restrict app installations to admin users.

Available on macOS 10.9 and later.

Restrict app installations to software updates only.

Restrict app installations to software updates only.

Available on macOS 10.10 and later.

Disable App Adoption by users.

Disable App Adoption by users.

Available on macOS 10.10 and later.

Disable software update notifications

Disable software update notifications.

Available on macOS 10.10 and later.

NOTE Refer to Publish policy for instructions on how to publish an applied policy on an iOS device.

Login Window Preference

Refer to Add policy for instructions on how to add a policy to an iOS device.

This payload creates managed preferences on all versions of macOS for system and device profiles. Multiple Login Window payloads may be installed together.

This configuration will be applied only on macOS devices.

Data Keys of Policy and its Descriptions

Restrict App Installation.

Restrict app installations to admin users.

Available on macOS 10.9 and later.

Restrict app installations to software updates only.

Restrict app installations to software updates only.

Available on macOS 10.10 and later.

Disable App Adoption by users.

Disable App Adoption by users.

Available on macOS 10.10 and later.

Disable software update notifications

Disable software update notifications.

Available on macOS 10.10 and later.

NOTE Refer to Publish policy for instructions on how to publish an applied policy on an iOS device.

Firewall Policy

Refer to Add policy for instructions on how to add a policy to an iOS device.

A Firewall policy manages the Application Firewall settings that are accessible in the Security Preferences pane. This policy is available in macOS 10.12 and later.

This configuration will be applied only on macOS devices.

The "Automatically allow downloaded signed software" and "Automatically allow built-in software" options are not supported, but both will be forced ON when this payload is present.

Data Keys of Policy and its Descriptions

Enable Firewall

Whether the firewall should be enabled or not.

Block all incoming connections

Corresponds to the "Block all incoming connections" option. When it is enabled, new incoming connections are blocked.

Enable stealth mode.

Corresponds to "Enable stealth mode." When stealth mode is turned on, your Mac does not respond to "ping" requests and does not answer connection attempts from a closed TCP or UDP network.

Applications

The list of applications. Each dictionary contains these keys:

Bundle ID

Identifies the application. It should be a string value.

Allowed

Specifies whether or not incoming connections are allowed for this application.

NOTE Refer to Publish policy for instructions on how to publish an applied policy on an iOS device.