Configuration Profile Reference - Apple Developer

1 ConfigurationProfileReference |Copyright |Copyright ,networksettings,orcertificatestoalargen umberofdevices, ,including: Restrictionsondevicefeatures Wi-Fisettings VPNsettings Emailserversettings Exchangesettings LDAP directoryservicesettings CalDAVcalendarservicesettings Webclips , ,withPayloadRemovalDisallowedsettotrue,c anberemovedmanually, , : UsingAppleConfigurator2,availableintheAp pStore Inanemailmessage Onawebpage Usingover-the-airconfigurationasdescribe dinOver-the-AirProfileDeliveryandConfigu ration OvertheairusingaMobileDeviceManagementSe rver2019-05-03|Copyright , (iOS5orlater)orbyusingtheDeviceEnrollmen tProgram(iOS7orlater).Forinformationabou tAppleConfigurator, ,visitApple , , , ,aprofilepropertylistcontainsthefollowin gkeys:KeyType ContentPayloadContentArray , Areverse-DNSstyleidentifier( ,forexample) |Copyright ContentPayloadUUIDS tring , , ,theusercannotdeletetheprofile(unlessthe profilehasaremovalpasswordandtheuserprov idesit).

2 PayloadTypeString , , ,itdeterminesthelocationofthecertificate items, ,payloads,likeVPN, , , : Foreachlanguageinwhichaconsentorlicensea greementisavailable,akeyconsistingoftheI ETFBCP47identifierforthatlanguage(forexa mple,enorjp) Theoptionalkeydefaultwithitsvalueconsist ingoftheunlocalizedagreement(usuallyinen ).Thesystemchoosesalocalizedversioninthe orderofpreferencespecifiedbytheuser(macO S)orbasedontheuser scurrentlanguagesetting(iOS).Ifnoexactma tchisfound, , , |Copyright Payload :KeyType ContentPayloadTypeString ,changestotheVPNsoftwareiniOSmightintrod uceanewpayloadversiontosupportadditional features, , , (describedinPayloadDictionaryKeysCommont oAllPayloads), |Copyright (CA)usingDCE/ :KeyType ValueAllowAllAppsAccessBoolean Iftrue, TemplateNameasitappearsintheGeneraltabof thetemplate sobjectintheCertificateTemplates Webenrollment, (CN)oftheActiveDirectoryentry:CN=<yourCAname>,CN= CertificationAuthorities ,CN= PublicKeyServices ,CN= Services ,orCN= Configuration ,<yourbaseDomainName>.

3 CertificateRenewalTimeIntervalInteger Iftrue, , Optional; (CSR). , |Copyright Type (ignoredotherwise).Ifpresent, , :Key Type ValueDeviceIDString TheDeviceIDoftheAirPlaydestination,inthe formatxx:xx:xx:xx: :Key Type ValueDeviceNameString ThenameoftheAirPlaydestination(usedoniOS ).DeviceIDString TheDeviceIDoftheAirPlaydestination(usedo nmacOS).PasswordString |Copyright ,thispayloaddefinesthefollowingkeys:KeyT ype ValueSecurityTypeString :PASSCODE_ONCE,PASSCODE_ALWAYS, |Copyright :KeyType ValueIPAddressString : printers/Canon_MG5300_series printers/Xerox_Phaser_7600 ipp/print Epson_IPP_PrinterPortInteger IftrueAirPrintconnectionsaresecuredbyTra nsportLayerSecurity(TLS). |Copyright , , , :Key Type ValueAppDictionary ,inturn,containsthefollowingkey:KeyType ValueIdentifierString ,ifpresent,cancontainthefollowingkeys( ):KeyType ValueDisableTouchBoolean , , , , , , , |Copyright ValueDisableAutoLockBoolean , , , , , , , , , , , ,ifpresent,cancontainthefollowingkeys( ):KeyType ValueVoiceOverBoolean , , , , , , , |Copyright :KeyType Valuerestrict-store-require-admin-to-ins tallBoolean |Copyright userapproved ,including,butnotlimitedto,keyloggingand userinterfacemanipulationoutsideoftheapp lication ,thispayloaddefinesthefollowingkey:KeyTy pe ValueAllowedApplicationsArray :KeyType ValueBundleIdentifierString Theapplication , Thedeveloper , |Copyright ,thispayloaddefinesthefollowingkeys.

4 KeyType ValueCalDAVA ccountDescriptionString , Theuser , , tprovideapassword,becauseauto-discoveryo ftheservicewillfailandtheaccountwon ,thispayloaddefinesthefollowingkeys:KeyT ype ValueSubCalAccountDescriptionString Theuser Theuser |Copyright ,thispayloadtypesupportsobtainingCardDAV U sernameandCardDAVP asswordfromanIdentificationPayload, ,thispayloaddefinesthefollowingkeys:KeyT ype ValueCardDAVA ccountDescriptionString Theuser |Copyright : Nomorethanonecellularpayloadcanbeinstall edatanytime. ,whichissupported, ,thispayloaddefinesthefollowingkeys:Key Type ValueAttachAPND ictionary , , :KeyType ValueNameString :1=IPv4,2=IPv6,and3= :1=IPv4,2=IPv6,and3= |Copyright ValueAllowedProtocolMaskInRoamingInteger :1=IPv4,2=IPv6,and3= :1=IPv4,2=IPv6,and3= #1(.cer) #1(.cer) #1(.cer) #12(.p12) ,allCertificatepayloadsdefinethefollowin gkeys:KeyType ValuePayloadCertificateFileNameString #12certificates, #12certificates,iftrue, , |Copyright , ,thispayloaddefinesthefollowingkeys:KeyT ype ValueNameString (RFC822) TheUUID ofanotherpayloadwithinthesameprofilethat installedthecertificate;forexample,a |Copyright Itcanonlyappearinadeviceprofile, , , , ,thispayloaddefinesthefollowingkeys:KeyT ype ,butadomainmatchingrulemustnotmatchalldo mainswithinatopleveldomain(.)

5 And . areallowedwhile .com and . arenotallowed). ,oneofthefollowingconditionsmustbemet: Thehashisoftheservercertificate ssubjectPublicKeyInfo. ThehashisofasubjectPublicKeyInfothatappe arsinaCAcertificateinthecertificatechain , ,oneormoredirectoryNamenameConstraintsar epresentinthepermittedSubtrees,andthedir ectoryNamecontainsanorganizationNameattr ibute. ThehashisofasubjectPublicKeyInfothatappe arsinaCAcertificateinthecertificatechain ,theCAcertificatehasoneormoreorganizatio nNameattributesinthecertificateSubject,a ndtheserver scertificatecontainsthesamenumberoforgan izationNameattributes,inthesameorder, :Key Type ValueAlgorithmString ,mustbe sha256 .HashData |Copyright ,usethiscommandforaPEMencodedcertificate :openssl x509 -pubkey -in -inform pem | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64 IfyourcertificateisDERencoded,usethiscom mand:openssl x509 -pubkey -in -inform der | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | ,usethefilecommandtoidentifyitsencodingt ype.

6 $ file : PEM certificate$ file : ,thispayloaddefinesthefollowingkey:Key Type ValueMessageString ,ConferenceRoomDisplaymodeisactiveandthe usercan |Copyright ,thispayloaddefinesthefollowingkeys:KeyT ype ValueAllowPersonalCachingBoolean ,cachestheuser (hours,days)toreacttochangestothissettin g; ,cachesnon-iCloudcontent, (hours,days)toreacttochangestothissettin g; , ,usetheSharingpreference ,orendwith,/Library/ApplicationSupport/A pple/ (anditsintermediates) (../Library/ApplicationSupport/ Apple /Ass etCache)willbeownedby_ |Copyright ValueDenyTetheredCachingBoolean , , , ,theContentCacheprovidescontenttotheclie ntsintheunionoftheListenRanges, , , , , , |Copyright ValueParentSelectionPolicyString ,parentcachesthataretemporarilyunavailab leareskipped. first- ,secondary,andsubsequentparents. url-path- round- sticky-available:Startingwiththefirstpar entintheParentslist, , ,secondary, , ,theContentCachewillonlypeerwithotherCon tentCachesonthesameimmediatelocalnetwork , , , , |Copyright ValuePortInteger , :Key Type ValuetypeString (IPv4orIPv6).

7 |Copyright ,thispayloaddefinesthefollowingkeys:KeyT ype ValuelockedBoolean , , ,thispayloaddefinesthefollowingkeys:KeyT ype ValueAppBundleIdentifierString ,exceptforAllowDockFixupOverride, ,thispayloaddefinesthefollowingkeys:KeyT ype ValueorientationString ,left, , , , |Copyright Valueminimize-to-applicationBoolean , , , , , , , , , ,AddDockMCXD ocumentsFolder,AddDockMCXS haredFolder, MyApplications OriginalNetworkHome ,usethefilein/Library/ , , |Copyright Valuecontents-immutableBoolean , :Key Type Valuetile-dataDictionary ,directory-tile, , :Key Type ValuelabelString , ,0=URL,1= ,groups, , , ,thispayloaddefinesthefollowingkeys:KeyT ype ValueOrganizationUUIDS tring , |Copyright ValueLeaderPayloadCertificateAnchorUUIDA rray (caseinsensitive) (caseinsensitive) ,suchas, :Anarrayofdictionariesthatdefineuserstha taremembersoftheleader , ,studentsenrolledinmanagedclassescanmodi fytheirteacher :2019-05-03|Copyright ValueNameString :KeyType ValueBeaconIDInteger ; ,SIS, :KeyType ValueIdentifierString (512x512pixelsona2xdevice).

8 TherecommendedformatsareJPEG,PNG, |Copyright ;possiblevaluesarecomplex,four, :KeyType ContentIdentifierString , : AllidentitiesmustbeconfiguredasbothSSLcl ientsandservers. Leadercertificatesmusthavethecommonnamep refixleader(caseinsensitive). Membercertificatesmusthavethecommonnamep refixmember(caseinsensitive).2019-05-03| Copyright ,thispayloaddefinesthefollowingkeys:KeyT ype ValueEmailAccountDescriptionString , , , ,EmailAuthCRAMMD5,EmailAuthNTLM,EmailAut hHTTPMD5, Designatestheincomingmailserverhostname( orIPaddress).IncomingMailServerIMAPPathP refixString , , ,EmailAuthCRAMMD5,EmailAuthNTLM,EmailAut hHTTPMD5, |Copyright ValueOutgoingMailServerHostNameString Designatestheoutgoingmailserverhostname( orIPaddress).OutgoingMailServerPortNumbe rInteger ,ports25,587and465areused, , , , , , , , , |Copyright ValueSMIMEE nablePerMessageSwitchBoolean , , Iftrue, , , , , , , , , |Copyright : [default] ,thispayloaddefinesthefollowingkeys:Key Type ValueInterfaceString ; active , active ,includetheEAPC lientConfigurationkeyinthepay-load, |Copyright , , ,Mail,Notes,Reminders, ,thispayloaddefinesthefollowingkeys:KeyT ype ValueAvailableinbothiOSandmacOSEmailAddr essString , , SpecifiestheExchangeserverhostname(orIPa ddress).

9 , (likeMDMoniOS).PasswordString , , , |Copyright ValuePreventAppSheetBoolean , , , , , , , , , , , , |Copyright ValueSMIMEE ncryptByDefaultBoolean , , , , , , Iftrue, ; |Copyright , |Copyright , ValueEnableString Setto On Off ,seefdesetup(8). Ifsettotrueandnocertificateinformationis providedinthispayload,thekeychainalready createdat/Library/ ,itwillalwaysprompttoenableFileVaultunti litisenabled, WhenusingtheDeferoption, Aninsti-tutionalrecoverykeywillbecreated onlyifeitherthereiscertificatedataavaila bleintheCertificatekeyvalue,aspecificcer tificatepayloadisreferenced,ortheUseKeyc hainkeyvalueissettotrueandavalid2019-05- 03|Copyright , (FDE)recoverykeysare,bydefault, , ,theFileVaultPRKwillbeencryptedwiththesp ecifiedcertificate,wrappedwithaCMSenvelo peandstoredat/var/ ,ifasiteusesitsownadministrationsoftware , , : Thepayloadmustexistinasystem-scopedprofi le.

10 Installingmorethanonepayloadofthistypepe rmachinewillcauseanerror. Thepreviouspayload( ) , Ifonlyanold-styleredirectionpayloadisins talledatthetimeFileVaultisturnedon(bymea nsoftheSecurityPreferencespane),anerrorw illbedisplayedandFileVaultwillnotbeenabl ed. ,it :KeyType ValueLocationString , , |Copyright ,thispayloadwillcauseanyFDE(FullDiskEncr yption) : Thepayloadmustexistinasystem-scopedprofi le. :KeyType ValueRedirectURLS tring ://.EncryptCertPayloadUUIDS tring :KeyType ValueVersionNumberString Currentlysetto .SerialNumberString (seebelow).RecoveryKeyCMS64 String Therecoverykeyencryptedusingtheencryptio ncertificateprovidedintheconfigurationpr ofile(referencedbytheEncryptCertPayloadU UIDkey). :<FDEC aptureRequest> <VersionNumber> </VersionNumber> <SerialNumber>A02FE08 UCC8X</SerialNumber> <RecoveryKeyCMS64>MIAGCSqGSIb3 DQEHA .. AAAAAAAAA==</RecoveryKeyCMS64> </FDEC aptureRequest>2019-05-03|Copyright srequest,theservermustrespondtotheclient withXMLdatacontaining:KeyType ValueSerialNumberString ,thiscouldbeavaluetoassistthesiteadminis tratorinlocatingorverifyingtheuser : Thepayloadmustexistinasystem-scopedprofi le.