Configuration Profile Reference

Contents

Configuration Profile Key Reference 5

Configuration Profile Keys 6 Payload Dictionary Keys Common to All Payloads 8 Payload-Specific Property Keys 9 AirPlay Payload 9 AirPrint Payload 10 APN Payload 11 Per-App VPN Payload 12 App-to-Per-App VPN Mapping 13 App Lock Payload 13 CalDAV Payload 15 Calendar Subscription Payload 16 CardDAV Payload 16 Cellular Payload 17 Email Payload 18 Exchange Payload 21 FileVault 2 23 Font Payload 26 Global HTTP Proxy Payload 26 Identification Payload 27 LDAP Payload 28 Passcode Policy Payload 29 Profile Removal Password Payload 31 Restrictions Payload 31 SCEP Payload 35 Single Sign-On Account Payload 36 System Policy Control Payload 38 System Policy Rule Payload 38 System Policy Managed Payload 40 VPN Payload 40 Wallpaper Payload 47 Web Clip Payload 47 Web Content Filter Payload 48 Wi-Fi Payload 49

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

Contents

Sample Configuration Profile 55

Document Revision History 58

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

Tables

Configuration Profile Key Reference 5

Table 1-1 Keys in the ActionParameters dictionary 46

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

Configuration Profile Key Reference

Note: This document was previously titled iPhone Configuration Profile Reference . It now supports both iOS and OS X.

A configuration profile is an XML file that allows you to distribute configuration information. If you need to configure a large number of devices or to provide lots of custom email settings, network settings, or certificates to a large number of devices, configuration profiles are an easy way to do it. A configuration profile contains a number of settings that you can specify, including: Restrictions on device features Wi-Fi settings VPN settings Email server settings Exchange settings LDAP directory service settings CalDAV calendar service settings Wallpaper Web clips Credentials and keys Configuration profiles are in property list format, with Data values stored in Base64 encoding. The .plist format can be read and written by any XML library. There are five ways to deploy configuration profiles:

Using Apple Configurator (iOS only) In an email message On a webpage Using over-the air configuration as described in Over-the-Air Profile Delivery and Configuration Over the air using a Mobile Device Management Server

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

Configuration Profile Key Reference Configuration Profile Keys

Both iOS and OS X support using encryption to protect the contents of profiles. Profiles can also be signed to guarantee data integrity. To learn about encrypted profile delivery, read Over-the-Air Profile Delivery and Configuration . Devices running iOS 5 and later can be designated as supervised when preparing it for deployment with Apple Configurator or using the Device Enrollment Program. When a device is supervised, you are granted additional control over its configuration. For more information about Apple Configurator, see Apples iPad in Business page. This document describes the keys in a configuration profile and provides examples of the resulting XML payloads. Note: Before you get started working with configuration profiles, you should create a skeleton configuration profile. This provides a useful starting point that you can then modify as desired.

Configuration Profile Keys

At the top level, a profile property list contains the following keys:
Key HasRemovalPasscode IsEncrypted PayloadContent Type Content

Boolean Boolean Array

Optional. Set to true if there is a removal passcode. Optional. Set to true if the profile is encrypted. Optional. Array of payload dictionaries. Not present if IsEncrypted is true. Optional. A description of the profile, shown on the Detail screen for the profile. This should be descriptive enough to help the user decide whether to install the profile. Optional. A human-readable name for the profile. This value is displayed on the Detail screen. It does not have to be unique. Optional. A date on which a profile is considered to have expired and can be updated over the air. This key is only used if the profile is delivered via Over The Air profile delivery.

PayloadDescription

String

PayloadDisplayName

String

PayloadExpirationDate

Date

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

Configuration Profile Key Reference Configuration Profile Keys

Key PayloadIdentifier

Type

Content

String

A reverse-DNS style identifier (com.example.myprofile, for example) that identifies the profile. This string is used to determine whether a new profile should replace an existing one or should be added. Optional. A human-readable string containing the name of the organization that provided the profile. A globally unique identifier for the profile. The actual content is unimportant, but it must be globally unique. In OS X, you can use uuidgen to generate reasonable UUIDs. Optional. If present and set to true, the user cannot delete the profile (unless the profile has a removal password and the user provides it). The only supported value is Configuration. The version number of the profile format. This describes the version of the configuration profile as a whole, not of the individual profiles within it. Currently, this value should be 1.

PayloadOrganization

String

PayloadUUID

String

PayloadRemovalDisallowed

Boolean

PayloadType PayloadVersion

String Number

PayloadScope

String

Optional. Determines if the profile should be installed for the system or the user. In many cases, it determines the location of the certificate items, such as keychains. Though it is not possible to declare different payload scopes, payloads, like VPN, may automatically install their items in both scopes if needed. Legal values are System and User, with User as the default value. Availability: Available in OS X 10.7 and later.

RemovalDate

date

Optional. The date on which the profile will be automatically removed. Optional. Number of seconds until the profile is automatically removed. If the RemovalDate keys is present, its value is used instead of this one.

DurationUntilRemoval

float

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

Configuration Profile Key Reference Payload Dictionary Keys Common to All Payloads

Key ConsentText

Type

Content

Dictionary

Optional. This dictionarys keys must be locale strings that contain a canonicalized IETF BCP 47 language identifier. Additionally, the key default may be present to provide the default localization. The system chooses a localized version in the order of preference specified by the user (OS X) or based on the users current language setting (iOS). If no exact match is found, the default localization is used. If there is no default localization, the "en" localization is used. If there is no "en" localization, then the first available localization is used. You should provide a default localization. No warning will be displayed if the users locale does not match any of the localizations in the consentText dictionary.

Note: Profile payload dictionary keys that are prefixed with Payload are reserved key names and must never be treated as managed preferences. Any other key in the payload dictionary may be considered a managed preference for that preference domain.

Keys in the payload dictionary are described in detail in the next section.

Payload Dictionary Keys Common to All Payloads

If a PayloadContent value is provided in a payload, each entry in the array is a dictionary representing a configuration payload. The following keys are common to all payloads:
Key PayloadType Type Content

String

The payload type. The payload types are described in Payload-Specific Property Keys (page 9). The version number of the individual payload. A profile can consist of payloads with different version numbers. For example, changes to the VPN software in iOS might introduce a new payload version to support additional features, but Mail payload versions would not necessarily change in the same release.

PayloadVersion

Number

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

Configuration Profile Key Reference Payload-Specific Property Keys

Key PayloadIdentifier

Type

Content

String

A reverse-DNS-style identifier for the specific payload. It is usually the same identifier as the root-level PayloadIdentifier value with an additional component appended. A globally unique identifier for the payload. The actual content is unimportant, but it must be globally unique. In OS X, you can use uuidgen to generate reasonable UUIDs. Optional. A human-readable name for the profile payload. This name is displayed on the Detail screen. It does not have to be unique. Optional. A human-readable description of this payload. This description is shown on the Detail screen. Optional. A human-readable string containing the name of the organization that provided the profile. The payload organization for a payload need not match the payload organization in the enclosing profile.

PayloadUUID

String

PayloadDisplayName

String

PayloadDescription

String

PayloadOrganization

String

Payload-Specific Property Keys

In addition to the standard payload keys (described in Payload Dictionary Keys Common to All Payloads (page 8)), each payload type contains keys that are specific to that payload type. The sections that follow describe those payload-specific keys.

AirPlay Payload
The AirPlay payload is designated by specifying com.apple.airplay as the PayloadType value. This payload is supported only on iOS 7.0 and later.
Key Whitelist Type Value

Array of dictionaries

Optional. Supervised only (ignored otherwise). If present, only AirPlay destinations present in this list are available to the device. The dictionary format is described below.

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

Configuration Profile Key Reference Payload-Specific Property Keys

Key Passwords

Type

Value

Array of dictionaries

Optional. If present, sets passwords for known AirPlay destinations. The dictionary format is described below.

Each entry in the Whitelist array is a dictionary that can contain the following fields:
Key DeviceID Type Value

String

The Device ID of the AirPlay destination, in the format xx:xx:xx:xx:xx:xx. This field is not case sensitive.

Each entry in the Passwords array is a dictionary that can contain the following fields:
Key DeviceName Password Type Value

String String

The name of the AirPlay destination. The password for the AirPlay destination.

AirPrint Payload
The AirPrint payload adds AirPrint printers to the users AirPrint printer list. This makes it easier to support environments where the printers and the devices are on different subnets. An AirPrint payload is designated by specifying com.apple.airprint as the PayloadType value. This payload is supported only on iOS 7.0 and later.
Key AirPrint Type Value

Array of dictionaries

An array of AirPrint printers that should always be shown.

Each dictionary in the AirPrint array must contain the following keys and values:
Key IPAddress Type Value

String

The IP Address of the AirPrint destination.

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

10

Configuration Profile Key Reference Payload-Specific Property Keys

Key ResourcePath

Type

Value

String

The Resource Path associated with the printer. This corresponds to the rp parameter of the _ipps.tcp Bonjour record. For example:
printers/Canon_MG5300_series printers/Xerox_Phaser_7600 ipp/print Epson_IPP_Printer

APN Payload
The APN (Access Point Name) payload is designated by specifying com.apple.apn.managed as the PayloadType value. In iOS 7 and later, the APN payload is deprecated in favor of the Cellular payload. The APN Payload is not supported in OS X. In addition to the settings common to all payloads, this payload defines the following keys:
Key DefaultsData DefaultsDomainName apns Type Value

Dictionary String Array

This dictionary contains two key/value pairs. The only allowed value is com.apple.managedCarrier. This array contains an arbitrary number of dictionaries, each describing an APN configuration, with the key/value pairs below. This string specifies the Access Point Name. This string specifies the user name for this APN. If it is missing, the device prompts for it during profile installation. Optional. This data represents the password for the user for this APN. For obfuscation purposes, the password is encoded. If it is missing from the payload, the device prompts for the password during profile installation. Optional. The IP address or URL of the APN proxy. Optional. The port number of the APN proxy.

apn username

String String

password

Data

proxy proxyPort

String Number

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

11

Configuration Profile Key Reference Payload-Specific Property Keys

Per-App VPN Payload

The Per-App VPN payload is used for configuring add-on VPN software, and it works only on VPN services of type 'VPN'. It should not be confused with the standard VPN payload, described in VPN Payload (page 40). This payload is supported only in iOS 7.0 and later and OS X v10.9 and later. The VPN payload is designated by specifying com.apple.vpn.managed.applayer as the PayloadType value. The Per-App VPN payload supports all of the keys described in VPN Payload (page 40) plus the following additional keys:
Key VPNUUID Type Value

String

A globally-unique identifier for this VPN configuration. This identifier is used to configure apps so that they use the Per-App VPN service for all of their network communication. See App-to-Per-App VPN Mapping (page 13) and the managed app section of Mobile Device Management Protocol Reference to learn how to specify which apps should use this Per-App VPN service.

SafariDomains

Array

This optional key is a special case of App-to-Per App VPN Mapping. It sets up the app mapping for Safari (Webkit) with a specific identifier and a designated requirement. The array contains strings, each of which is a domain that should trigger this VPN connection in Safari. The rule matching behavior is as follows:

Before being matched against a host, all leading and trailing dots are stripped from the domain string. For example, if the domain string is ".com" the domain string used to match is "com". Each label in the domain string must match an entire label in the host string. For example, a domain of "apple.com" matches "www.apple.com", but not "foo.badapple.com". Domain strings with only one label must match the entire host string. For example, a domain of "com" matches "com", not "www.apple.com".

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

12

Configuration Profile Key Reference Payload-Specific Property Keys

Key OnDemandMatchAppEnabled

Type

Value

Boolean

If true, the Per-App VPN connection starts automatically when apps linked to this Per-App VPN service initiate network communication. If false, the Per-App VPN connection must be started manually by the user before apps linked to this Per-App VPN service can initiate network communication. If this key is not present, the value of the OnDemandEnabled key is used to determine the status of Per-App VPN On Demand.

App-to-Per-App VPN Mapping

The App-to-Per-App mapping payload is designated by specifying com.apple.vpn.managed.appmapping as the PayloadType value. This payload is supported only in OS X v10.9 and later. It is not supported in iOS.
Key AppLayerVPNMapping Type Value

Array of dictionaries

An array of mapping dictionaries.

Each dictionary in the array can contain the following keys:

Key Identifier VPNUUID Type Value

String String

The apps bundle ID. The VPNUUID of the Per-App VPN defined in a Per-App VPN payload.

App Lock Payload

The App Lock payload is designated by specifying com.apple.app.lock as the PayloadType value. Only one of this payload type can be installed at any time. This payload can be installed only on a Supervised device. By installing an app lock payload, the device is locked to a single application until the payload is removed. The home button is disabled, and the device returns to the specified application automatically upon wake or reboot. This payload is supported only in iOS 6.0 and later. The payload contains the following key:

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

13

Configuration Profile Key Reference Payload-Specific Property Keys

Key App

Type

Value

Dictionary

A dictionary containing information about the app.

The App dictionary, in turn, contains the following key:

Key Identifier Options Type Value

String Dictionary

The bundle identifier of the application. Optional. Described below. Availability: Available only in iOS 7.0 and later.

UserEnabledOptions

Dictionary

Optional. Described below. Availability: Available only in iOS 7.0 and later.

The Options dictionary, if present, can contain the following keys (in iOS 7.0 and later):
Key DisableTouch Type Value

String

Optional. If true, the touch screen is disabled. Default is false. Optional. If true, device rotation sensing is disabled. Default is false. Optional. If true, the volume buttons are disabled. Default to false. Optional. If true, the ringer switch is disabled. Default is false. When disabled, the ringer behavior depends on what position the switch was in when it was first disabled.

DisableDeviceRotation

String

DisableVolumeButtons

String

DisableRingerSwitch

String

DisableSleepWakeButton

String

Optional. If true, the sleep/wake button is disabled. Default is false. Optional. If true, the device will not automatically go to sleep after an idle period. Optional. If true, VoiceOver is turned on. Default is false. Optional. If true, Zoom is turned on. Default is false.

DisableAutoLock

String

EnableVoiceOver EnableZoom

String String

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

14

Configuration Profile Key Reference Payload-Specific Property Keys

Key EnableInvertColors

Type

Value

String

Optional. If true, Invert Colors is turned on. Default is false. Optional. If true, AssistiveTouch is turned on. Default is false. Optional. If true, Speak Selection is turned on. Default is false. Optional. If true, Mono Audio is turned on. Default is false.

EnableAssistiveTouch

String

EnableSpeakSelection

String

EnableMonoAudio

String

The UserEnabledOptions dictionary, if present, can contain the following keys (in iOS 7.0 and later):
Key VoiceOver Zoom InvertColors AssistiveTouch Type Value

String String String String

Optional. If true, allow VoiceOver adjustment. Default is false. Optional. If true, allow Zoom adjustment. Default is false. Optional. If true, allow Invert Colors adjustment. Default is false. Optional. If true, allow AssistiveTouch adjustment. Default is false.

CalDAV Payload
This payload configures a CalDAV account. The payload is designated by specifying com.apple.caldav.account as the PayloadType In addition to the settings common to all payloads, this payload defines the following keys:
Key CalDAVAccountDescription CalDAVHostName Type Value

String

Optional. The description of the account.

String

The server address. In OS X, this key is required.

CalDAVUsername

String

The user's login name. In OS X, this key is required.

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

15

Configuration Profile Key Reference Payload-Specific Property Keys

Key CalDAVPassword CalDAVUseSSL

Type

Value

String Boolean

Optional. The user's password Whether or not to use SSL. In OS X, this key is optional.

CalDAVPort CalDAVPrincipalURL

Number String

Optional. The port on which to connect to the server. Optional. The base URL to the users calendar. In OS X this URL is required if the user doesnt provide a password, because auto-discovery of the service will fail and the account wont be created.

Calendar Subscription Payload

The calendar subscription payload is designated by specifying com.apple.subscribedcalendar.account as the PayloadType value. A calendar subscription payload adds a subscribed calendar to the users calendars list. The calendar subscription payload is not supported in OS X. In addition to the settings common to all payloads, this payload defines the following keys:
Key SubCalAccountDescription SubCalAccountHostName SubCalAccountUsername SubCalAccountPassword SubCalAccountUseSSL Type Value

String String String String Boolean

Optional. Description of the account. The server address. The user's login name The user's password. Whether or not to use SSL.

CardDAV Payload
The CardDAV payload is designated by specifying com.apple.carddav.account as the PayloadType value. This payload is only available in OS X v10.8 and later. As of OS X v10.8 and later, this payload type supports obtaining CardDAVUsername and CardDAVPassword from an Identification Payload, if present.

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

16

Configuration Profile Key Reference Payload-Specific Property Keys

In addition to the settings common to all payloads, this payload defines the following keys:
Key CardDAVAccountDescription CardDAVHostName CardDAVUsername CardDAVPassword CardDAVUseSSL CardDAVPort Type Value

String String String String Boolean Number

Optional. The description of the account. The server address. The user's login name. Optional. The user's password Optional. Whether or not to use SSL. Optional. The port on which to connect to the server. Optional. The base URL to the user's calendar.

CalDAVPrincipalURL

String

Cellular Payload
A cellular payload configures cellular network settings on the device. In iOS 7 and later, a cellular payload is designated by specifying com.apple.cellular as the PayloadType value. Cellular payloads have two important installation requirements:

No more than one cellular payload can be installed at any time. A cellular payload cannot be installed if an APN payload is already installed.

This payload replaces the com.apple.managedCarrier payload, which is supported, but deprecated. In addition to the settings common to all payloads, this payload defines the following keys:
Key AttachAPN APNs Type Value

Dictionary Array

Optional. An AttachAPN configuration dictionary, described below. Optional. An array of APN dictionaries, described below. Only the first entry is currently used.

The AttachAPN dictionary contains the following keys:

Key Name Type Value

String

Required. A name for this configuration.

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

17

Configuration Profile Key Reference Payload-Specific Property Keys

Key AuthenticationType Username Password

Type

Value

String String String

Optional. Must contain either CHAP or PAP. Defaults to PAP. Optional. A user name used for authentication. Optional. A password used for authentication.

Each APN dictionary contains the following keys:

Key Name AuthenticationType Username Password ProxyServer ProxyServerPort Type Value

String String String String String String

Required. A name for this configuration. Optional. Must contain either CHAP or PAP. Defaults to PAP. Optional. A user name used for authentication. Optional. A password used for authentication. Optional. The proxy server's network address. Optional. The proxy server's port.

Email Payload
The email payload is designated by specifying com.apple.mail.managed as the PayloadType value. An email payload creates an email account on the device. In addition to the settings common to all payloads, this payload defines the following keys:
Key EmailAccountDescription EmailAccountName Type Value

String

Optional. A user-visible description of the email account, shown in the Mail and Settings applications. Optional. The full user name for the account. This is the user name in sent messages, etc. Allowed values are EmailTypePOP and EmailTypeIMAP. Defines the protocol to be used for that account.

String

EmailAccountType

String

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

18

Configuration Profile Key Reference Payload-Specific Property Keys

Key EmailAddress

Type

Value

String

Designates the full email address for the account. If not present in the payload, the device prompts for this string during profile installation. Designates the authentication scheme for incoming mail. Allowed values are EmailAuthPassword and EmailAuthNone. Designates the incoming mail server host name (or IP address). Optional. Designates the incoming mail server port number. If no port number is specified, the default port for a given protocol is used. Optional. Default true. Designates whether the incoming mail server uses SSL for authentication. Designates the user name for the email account, usually the same as the email address up to the @ character. If not present in the payload, and the account is set up to require authentication for incoming email, the device will prompt for this string during profile installation. Optional. Password for the Incoming Mail Server. Use only with encrypted profiles. Optional. Password for the Outgoing Mail Server. Use only with encrypted profiles. Optional. If set, the user will be prompted for the password only once and it will be used for both outgoing and incoming mail. Designates the authentication scheme for outgoing mail. Allowed values are EmailAuthPassword and EmailAuthNone. Designates the outgoing mail server host name (or IP address). Optional. Designates the outgoing mail server port number. If no port number is specified, ports 25, 587 and 465 are used, in this order.

IncomingMailServerAuthentication

String

IncomingMailServerHostName IncomingMailServerPortNumber

String

Number

IncomingMailServerUseSSL IncomingMailServerUsername

Boolean

String

IncomingPassword

String

OutgoingPassword

String

OutgoingPasswordSameAsIncomingPassword

Boolean

OutgoingMailServerAuthentication

String

OutgoingMailServerHostName OutgoingMailServerPortNumber

String

Number

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

19

Configuration Profile Key Reference Payload-Specific Property Keys

Key OutgoingMailServerUseSSL OutgoingMailServerUsername

Type

Value

Boolean

Optional. Default Yes. Designates whether the outgoing mail server uses SSL for authentication. Designates the user name for the email account, usually the same as the email address up to the @ character. If not present in the payload, and the account is set up to require authentication for outgoing email, the device prompts for this string during profile installation. Optional. Default false. If true, messages may not be moved out of this email account into another account. Also prevents forwarding or replying from a different account than the message was originated from. Availability: Available only in iOS 5.0 and later.

String

PreventMove

Boolean

PreventAppSheet

Boolean

Optional. Default false. If true, this account is not available for sending mail in third-party applications. Availability: Available only in iOS 5.0 and later.

SMIMEEnabled

Boolean

Optional. Default false. If true, this account supports S/MIME. Availability: Available only in iOS 5.0 and later.

SMIMESigningCertificateUUID

String

Optional. The PayloadUUID of the identity certificate used to sign messages sent from this account. Availability: Available only in iOS 5.0 and later.

SMIMEEncryptionCertificateUUID

String

Optional. The PayloadUUID of the identity certificate used to decrypt messages coming into this account. Availability: Available only in iOS 5.0 and later.

disableMailRecentsSyncing

Boolean

If true, this account is excluded from address Recents syncing. This defaults to false. Availability: Available only in iOS 6.0 and later.

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

20

Configuration Profile Key Reference Payload-Specific Property Keys

Exchange Payload
In iOS, the Exchange payload is designated by specifying com.apple.eas.account as the PayloadType value. This payload configures an Exchange Active Sync account on the device. In OS X, the Exchange payload is designated by specifying com.apple.ews.account as the PayloadType value. This payload will configure an Exchange Web Services account for Contacts, Mail, Notes, Reminders, and Calendar. In addition to the settings common to all payloads, this payload defines the following keys:
Key Type Value

Available in both iOS and OS X

EmailAddress

String

Specifies the full email address for the account. If not present in the payload, the device prompts for this string during profile installation. In OS X, this key is required.

Host

String

Specifies the Exchange server host name (or IP address). In OS X, this key is required.

SSL

Boolean

Optional. Default YES. Specifies whether the Exchange server uses SSL for authentication. This string specifies the user name for this Exchange account. If missing, the devices prompts for it during profile installation. In OS X, this key is required.

UserName

String

Password

String

Optional. The password of the account. Use only with encrypted profiles. Available in iOS only

Certificate

NSData blob

Optional. For accounts that allow authentication via certificate, a .p12 identity certificate in NSData blob format. Optional. Specifies the name or description of the certificate. Optional. The password necessary for the p12 identity certificate. Use only with encrypted profiles.

CertificateName

String

CertificatePassword

data

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

21

Configuration Profile Key Reference Payload-Specific Property Keys

Key PreventMove

Type

Value

Boolean

Optional. Default false. If set to true, messages may not be moved out of this email account into another account. Also prevents forwarding or replying from a different account than the message was originated from. Availability: Available in iOS 5.0 and later.

PreventAppSheet

Boolean

Optional. Default false. If set to true, this account will not be available for sending mail in third party applications. Availability: Available in iOS 5.0 and later.

PayloadCertificateUUID

String

UUID of the certificate payload to use for the identity credential. If this field is present, the Certificate field is not used. Availability: Available in iOS 5.0 and later.

SMIMEEnabled

Boolean

Optional. Default false. If set to true, this account supports S/MIME. Availability: Available in iOS 5.0 and later.

SMIMESigningCertificateUUID

String

Optional. The PayloadUUID of the identity certificate used to sign messages sent from this account. Availability: Available in iOS 5.0 and later.

SMIMEEncryptionCertificateUUID

String

Optional. The PayloadUUID of the identity certificate used to decrypt messages coming into this account. Availability: Available in iOS 5.0 and later.

disableMailRecentsSyncing

Boolean

If true, this account is excluded from address Recents syncing. This defaults to false. Availability: Available only in iOS 6.0 and later.

MailNumberOfPastDaysToSync HeaderMagic

String

The number of days since synchronization.

String

Optional. A magic string. If this field is provided, the string is sent as the value of the X-Apple-Config-Magic header in each EAS HTTP request. Availability: Available only in iOS 7.0 and later.

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

22

Configuration Profile Key Reference Payload-Specific Property Keys

Key

Type

Value

Available in OS X Only
Path Port ExternalHost ExternalSSL ExternalPath ExternalPort

String Number String Boolean String Number

Optional. Optional. Optional. Optional. Optional. Optional.

Note: Note: As with VPN and Wi-Fi configurations, it is possible to associate an SCEP credential with an Exchange configuration via the PayloadCertificateUUID key.

FileVault 2
In OS X 10.9, you can use FileVault 2 to perform full disk, XTS-AES 128 encryption on the contents of your drive. FileVault 2 payloads are designated by specifying com.apple.MCX.FileVault2 as the PayloadType value. Removal of the FileVault payload does not disable FileVault.
Key Enable Type Value

String

Set to 'On' to enable FileVault. Set to 'Off' to disable FileVault. This value is required. Set to true to defer enabling FileVault until the designated user logs out. Set to true for manual profile installs to prompt for missing user name or password fields. Set to true to create a personal recovery key. Set to true to display the personal recovery key to the user after FileVault is enabled. Path to the location where the recovery key and computer information plist will be stored. DER-encoded certificate data if an institutional recovery key will be added.

Defer

Boolean

UserEntersMissingInfo UseRecoveryKey ShowRecoveryKey

Boolean

Boolean Boolean

OutputPath

String

Certificate

Data

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

23

Configuration Profile Key Reference Payload-Specific Property Keys

Key PayloadCertificateUUID Username

Type

Value

String

UUID of the payload containing the asymmetric recovery key certificate payload. User name of the Open Directory user that will be added to FileVault. User password of the Open Directory user that will be added to FileVault. Use the UserEntersMissingInfo key if you want to prompt for this information. If set to true and no certificate information is provided in this payload, the keychain already created at /Library/Keychains/FileVaultMaster.keychain will be used when the institutional recovery key is added.

String

Password

String

UseKeychain

Boolean

A personal recovery user will normally be created unless the UseRecoveryKey key value is false. An institutional recovery key will be created only if either there is certificate data available in the Certificate key value, a specific certificate payload is referenced, or the UseKeychain key value is set to true and a valid FileVaultMaster.keychain file was created. In all cases, the certificate information must be set up properly for FileVault or it will be ignored and no institutional recovery key will be set up.

FileVault Recovery Key Redirection Payload

FileVault full-disk encryption (FDE) recovery keys are, by default, sent to Apple if the user requests it. With this key, you can redirect those recovery keys to a corporate server. FileVault Recovery Key Redirection payloads are designated by specifying com.apple.security.FDERecoveryRedirect as the PayloadType value. Only one payload of this type is allowed per system. A site providing support for archiving the recovery key must implement its own HTTPS server. The client issues a POST request to the server with XML data in the request body containing the recovery key and serial number of the client computer. The server must respond with XML data echoing the device's serial number and provide a RecordNumber, which can be any data that locates the recovery key. The SSL certificate chain of the server is evaluated by the client, which must trust it. If needed, the configuration profile can include an additional certificate to set up a chain of trust.
Key RedirectURL Type Value

String

The URL to which FDE recovery keys should be sent instead of Apple. Must begin with https://.

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

24

Configuration Profile Key Reference Payload-Specific Property Keys

Key EncryptCertPayloadUUID

Type

Value

String

The UUID of a payload within the same profile that contains a certificate whose public key is used to encrypt the recovery key when it is sent to the redirected URL. The referenced payload must be of type com.apple.security.pkcs1.

Once installed, this payload causes any FileVault recovery keys to be redirected to the specified URL instead of being sent to Apple. This will require sites to implement their own HTTPS server that will receive the recovery keys via a POST request. This payload is valid only in system-scoped profiles (where PayloadScope is System). Installing more than one payload of this type per machine causes an error. The SSL certificate chain of the server is evaluated by the client, which must trust it. If needed, the configuration profile may contain another payload with the servers root certificate to be marked as trusted when the profile is installed.

FileVault Client Request

The client issues a HTTPS POST request to the server with XML data containing the following:
Key VersionNumber SerialNumber Type Value

String String

Currently set to '1.0'. The serial number of the client computer. The server must include this value in its response back to the client (see below). The recovery key encrypted using the encryption certificate provided in the configuration profile (referenced by the EncryptCertPayloadUUID key). The encrypted payload contains only the recovery key string without any XML wrapper. The encrypted data is wrapped in a CMS envelope and is then Base-64 encoded.

RecoveryKeyCMS64

String

These tags are enclosed within a parent FDECaptureRequest tag. An example of an XML message body is:
<FDECaptureRequest> <VersionNumber>1.0</VersionNumber> <SerialNumber>A02FE08UCC8X</SerialNumber> <RecoveryKeyCMS64>MIAGCSqGSIb3DQEHA ... AAAAAAAAA==</RecoveryKeyCMS64> </FDECaptureRequest>

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

25

Configuration Profile Key Reference Payload-Specific Property Keys

FileVault Server Response

Upon receiving the clients request, the server must respond to the client with XML data containing:
Key SerialNumber Type Value

String

The serial number of the client computer. This value must be the same as the one sent in the request. This value must be nonempty but otherwise is up to the site to define it. This value will be displayed to the user along with the serial number on the EFI login screen when the user is asked to enter the recovery key. As an example, this could be a value to assist the site administrator in locating or verifying the user's recovery key in a database.

RecordNumber

Short string

Font Payload
A Font payload lets you add an additional font to an iOS device. Font payloads are designated by specifying com.apple.font as the PayloadType value. You can include multiple Font payloads, as needed. A Font payload contains the following keys:
Key Name Type Value

String

Optional. The user-visible name for the font. This field is replaced by the actual name of the font after installation. The contents of the font file.

Font

Data

Each payload must contain exactly one font file in TrueType (.ttf ) or OpenType (.otf ) format. Collection formats (.ttc or .otc) are not supported. Important: Fonts are identified by their embedded PostScript names. Two fonts with the same PostScript name are considered to be the same font even if their contents differ. Installing two different fonts with the same PostScript name is not supported, and the resulting behavior is undefined.

Global HTTP Proxy Payload

The Global HTTP Proxy payload is designated by specifying com.apple.proxy.http.global as the PayloadType. This payload allows you to specify global HTTP proxy settings.

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

26

Configuration Profile Key Reference Payload-Specific Property Keys

There can only be one of this payload at any time. This payload can only be installed on a supervised device. In addition to the settings common to all payloads, this payload defines the following keys:
Key ProxyType Type Value

String

If you choose manual proxy type, you need the proxy server address including its port and optionally a username and password into the proxy server. If you choose auto proxy type, you can enter a proxy autoconfiguration (PAC) URL. The proxy servers network address. The proxy servers port Optional. The username used to authenticate to the proxy server. Optional. The password used to authenticate to the proxy server. Optional. The URL of the PAC file that defines the proxy configuration. Optional. If false, prevents the device from connecting directly to the destination if the PAC file is unreachable. Default is true. Availability: Available in iOS 7 and later.

ProxyServer ProxyServerPort ProxyUsername

String Integer String

ProxyPassword

String

ProxyPACURL

String

ProxyPACFallbackAllowed

Boolean

ProxyCaptiveLoginAllowed

Boolean

Optional. If true, allows the device to bypass the proxy server to display the login page for captive networks. Default is false. Availability: Available in iOS 7 and later.

If the ProxyType field is set to Auto and no ProxyPACURL value is specified, the device uses the web proxy autodiscovery protocol (WPAD) to discover proxies.

Identification Payload
The Removal Password payload is designated by specifying
com.apple.configurationprofile.identification value as the PayloadType value.

This payload allows you to save names of the account user and prompt text. If left blank, the user has to provide this information when he or she installs the profile.

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

27

Configuration Profile Key Reference Payload-Specific Property Keys

The Identification payload is not supported in iOS. In addition to the settings common to all payloads, this payload defines the following keys:
Key FullName EmailAddress UserName Password Type Value

String String String String

The full name of the designated accounts. The address for the accounts. The UNIX user name for the accounts. You can provide the password or choose to have the user provide it when he or she installs the profile. Custom instruction for the user, if needed.

Prompt

String

LDAP Payload
The LDAP payload is designated by specifying com.apple.ldap.account as the PayloadType value. An LDAP payload provides information about an LDAP server to use, including account information if required, and a set of LDAP search policies to use when querying that LDAP server. In addition to the settings common to all payloads, this payload defines the following keys:
Key LDAPAccountDescription LDAPAccountHostName LDAPAccountUseSSL LDAPAccountUserName LDAPAccountPassword Type Value

String

Optional. Description of the account.

String Boolean String String

The host. Whether or not to use SSL. Optional. The username. Optional. Use only with encrypted profiles.

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

28

Configuration Profile Key Reference Payload-Specific Property Keys

Key LDAPSearchSettings

Type

Value

Dictionary

Top level container object. Can have many of these for one account. Should have at least one for the account to be useful. Each LDAPSearchSettings object represents a node in the LDAP tree to start searching from, and tells what scope to search in (the node, the node plus one level of children, or the node plus all levels of children).

LDAPSearchSettingDescription LDAPSearchSettingSearchBase

String

Optional. Description of this search setting.

String

Conceptually, the path to the node to start a search at. For example:
ou=people,o=example corp

LDAPSearchSettingScope

String

Defines what recursion to use in the search. Can be one of the following 3 values: LDAPSearchSettingScopeBase: Just the immediate node pointed to by SearchBase LDAPSearchSettingScopeOneLevel: The node plus its immediate children. LDAPSearchSettingScopeSubtree: The node plus all children, regardless of depth.

Passcode Policy Payload

The Passcode Policy payload is designated by specifying com.apple.mobiledevice.passwordpolicy as the PayloadType value. The presence of this payload type prompts device to present the user with an alphanumeric passcode entry mechanism, which allows the entry of arbitrarily long and complex passcodes. In addition to the settings common to all payloads, this payload defines the following keys:
Key allowSimple Type Value

Boolean

Optional. Default true. Determines whether a simple passcode is allowed. A simple passcode is defined as containing repeated characters, or increasing/decreasing characters (such as 123 or CBA). Setting this value to false is synonymous to setting minComplexChars to "1".

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

29

Configuration Profile Key Reference Payload-Specific Property Keys

Key forcePIN

Type

Value

Boolean

Optional. Default NO. Determines whether the user is forced to set a PIN. Simply setting this value (and not others) forces the user to enter a passcode, without imposing a length or quality. Optional. Default 10 (iOS only). Allowed range [1...10]. Specifies the number of allowed failed attempts to enter the passcode at the device's lock screen. Once this number is exceeded, the device is locked and must be connected to its designated iTunes in order to be unlocked. Optional. Default Infinity. Specifies the number of minutes for which the device can be idle (without being unlocked by the user) before it gets locked by the system. Once this limit is reached, the device is locked and the passcode must be entered. In OS X, this will be translated to screensaver settings.

maxFailedAttempts

Number

maxInactivity

Number

maxPINAgeInDays

Number

Optional. Default Infinity. Specifies the number of days for which the passcode can remain unchanged. After this number of days, the user is forced to change the passcode before the device is unlocked. Optional. Default 0. Specifies the minimum number of complex characters that a passcode must contain. A "complex" character is a character other than a number or a letter, such as &%$#. Optional. Default 0. Specifies the minimum overall length of the passcode. This parameter is independent of the also optional minComplexChars argument. Optional. Default NO. Specifies whether the user must enter alphabetic characters ("abcd"), or if numbers are sufficient. Optional. When the user changes the passcode, it has to be unique within the last N entries in the history. Minimum value is 1, maximum value is 50. Optional. The maximum grace period, in minutes, to unlock the phone without entering a passcode. Default is 0, that is no grace period, which requires a passcode immediately. In OS X, this will be translated to screensaver settings.

minComplexChars

Number

minLength

Number

requireAlphanumeric

Boolean

pinHistory

Number

maxGracePeriod

Number

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

30

Configuration Profile Key Reference Payload-Specific Property Keys

Profile Removal Password Payload

The Removal Password payload is designated by specifying com.apple.profileRemovalPassword value as the PayloadType value. A password removal policy payload provides a password to allow users to remove a locked configuration profile from the device. If this payload is present and has a password value set, the device asks for the password when the user taps a profile's Remove button. This payload is encrypted with the rest of the profile.
Key RemovalPassword Type Value

String

Optional. Specifies the removal password for the profile.

Restrictions Payload
The Restrictions payload is designated by specifying com.apple.applicationaccess as the PayloadType value. A Restrictions payload allows the administrator to restrict the user from doing certain things with the device, such as using the camera. The Restrictions payload is not supported in OS X. In addition to the settings common to all payloads, this payload defines the following keys:
Key allowAccountModification Type Value

Boolean

Optional. Supervised only. If set to false, account modification is disabled. Availability: Available only in iOS 7.0 and later.

allowAirDrop

Boolean

Optional. Supervised only. If set to false, AirDrop is disabled. Availability: Available only in iOS 7.0 and later.

allowAppCellularDataModification

Boolean

Optional. Supervised only. If set to false, changes to cellular data usage for apps are disabled. Availability: Available only in iOS 7.0 and later.

allowAppInstallation

Boolean

Optional. When false, the App Store is disabled and its icon is removed from the Home screen. Users are unable to install or update their applications. Optional. When false, disables Siri. Defaults to true.

allowAssistant

Boolean

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

31

Configuration Profile Key Reference Payload-Specific Property Keys

Key allowAssistantUserGeneratedContent

Type

Value

Boolean

Optional. Supervised only. When false, prevents Siri from querying user-generated content from the web. Availability: Available in iOS 7 and later.

allowAssistantWhileLocked

Boolean

Optional. When false, the user is unable to use Siri when the device is locked. Defaults to true. This restriction is ignored if the device does not have a passcode set. Availability: Available only in iOS 5.1 and later.

allowBookstore

Boolean

Optional. Supervised only. If set to false, iBookstore will be disabled. This will default to true. Availability: Available in iOS 6.0 and later.

allowBookstoreErotica

Boolean

Optional. Supervised only prior to iOS 6.1. If set to false, the user will not be able to download media from the iBookstore that has been tagged as erotica. This will default to true. Availability: Available in iOS 6.0 and later.

allowCamera

Boolean

Optional. When false, the camera is completely disabled and its icon is removed from the Home screen. Users are unable to take photographs. Optional. When false, disables backing up the device to iCloud. Availability: Available in iOS 5.0 and later.

allowCloudBackup

Boolean

allowCloudDocumentSync

Boolean

Optional. When false, disables document and key-value syncing to iCloud. Availability: Available in iOS 5.0 and later.

allowCloudKeychainSync

Boolean

Optional. If false, disables keychain syncing to iCloud. Default is true. Availability: Available only in iOS 7.0 and later.

allowDiagnosticSubmission

Boolean

Optional. When false, this prevents the device from automatically submitting diagnostic reports to Apple. Defaults to true. Availability: Available only in iOS 6.0 and later.

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

32

Configuration Profile Key Reference Payload-Specific Property Keys

Key allowExplicitContent

Type

Value

Boolean

Optional. When false, explicit music or video content purchased from the iTunes Store is hidden. Explicit content is marked as such by content providers, such as record labels, when sold through the iTunes Store. Optional. Supervised only. If set to false, changes to Find My Friends are disabled. Availability: Available only in iOS 7.0 and later.

allowFindMyFriendsModification

Boolean

allowFingerprintForUnlock

Boolean

Optional. If false, prevents Touch ID from unlocking a device. Availability: Available in iOS 7 and later.

allowGameCenter

Boolean

Optional. Supervised only. When false, Game Center is disabled and its icon is removed from the Home screen. Default is true. Availability: Available only in iOS 6.0 and later.

allowHostPairing

Boolean

Supervised only. If set to false, host pairing is disabled with the exception of the supervision host. If no supervision host certificate has been configured, all pairing is disabled. Availability: Available only in iOS 7.0 and later.

allowLockScreenControlCenter

Boolean

Optional. If false, prevents Control Center from appearing on the Lock screen. Availability: Available in iOS 7 and later.

allowLockScreenNotificationsView

Boolean

Optional. If set to false, the Notifications view in Notification Center on the lock screen is disabled. Availability: Available only in iOS 7.0 and later.

allowLockScreenTodayView

Boolean

Optional. If set to false, the Today view in Notification Center on the lock screen is disabled. Availability: Available only in iOS 7.0 and later.

allowOpenFromManagedToUnmanaged

Boolean

Optional. If false, documents in managed apps and accounts only open in other managed apps and accounts. Default is true. Availability: Available only in iOS 7.0 and later.

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

33

Configuration Profile Key Reference Payload-Specific Property Keys

Key allowOpenFromUnmanagedToManaged

Type

Value

Boolean

Optional. If set to false, documents in unmanaged apps and accounts will only open in other unmanaged apps and accounts. Default is true. Availability: Available only in iOS 7.0 and later.

allowOTAPKIUpdates

Boolean

Optional. If false, over-the-air PKI updates are disabled. Setting this restriction to false does not disable CRL and OCSP checks. Default is true. Availability: Available only in iOS 7.0 and later.

allowPassbookWhileLocked

Boolean

Optional. If set to false, Passbook notifications will not be shown on the lock screen.This will default to true. Availability: Available in iOS 6.0 and later.

allowPhotoStream

Boolean

Optional. When false, disables Photo Stream. Availability: Available in iOS 5.0 and later.

allowSafari

Boolean

Optional. When false, the Safari web browser application is disabled and its icon removed from the Home screen. This also prevents users from opening web clips. Optional. When false, users are unable to save a screenshot of the display. Optional. If set to false, Shared Photo Stream will be disabled. This will default to true. Availability: Available in iOS 6.0 and later.

allowScreenShot

Boolean

allowSharedStream

Boolean

allowUIConfigurationProfileInstallation

Boolean

Optional. Supervised only. If set to false, the user is prohibited from installing configuration profiles and certificates interactively. This will default to true. Availability: Available in iOS 6.0 and later.

allowUntrustedTLSPrompt

Boolean

Optional. When false, automatically rejects untrusted HTTPS certificates without prompting the user. Availability: Available in iOS 5.0 and later.

allowYouTube

Boolean

Optional. When false, the YouTube application is disabled and its icon is removed from the Home screen. This key is ignored in iOS 6 and later because the YouTube app is not provided.

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

34

Configuration Profile Key Reference Payload-Specific Property Keys

Key allowiTunes

Type

Value

Boolean

Optional. When false, the iTunes Music Store is disabled and its icon is removed from the Home screen. Users cannot preview, purchase, or download content. Optional. Supervised only. If present, allows apps identified by the bundle IDs listed in the array to autonomously enter Single App Mode. Availability: Available only in iOS 7.0 and later.

autonomousSingleAppModePermittedAppIDs

Array of strings

forceITunesStorePasswordEntry

Boolean

Optional. When true, forces user to enter their iTunes password for each transaction. Availability: Available in iOS 5.0 and later.

forceLimitAdTracking

Boolean

Optional. If true, limits ad tracking. Default is false. Availability: Available only in iOS 7.0 and later.

SCEP Payload
The SCEP (Simple Certificate Enrollment Protocol) payload is designated by specifying com.apple.security.scep as the PayloadType value. An SCEP payload automates the request of a client certificate from an SCEP server, as described in Over-the-Air Profile Delivery and Configuration . In addition to the settings common to all payloads, this payload defines the following keys:
Key URL Type Value

String

The SCEP URL. See Over-the-Air Profile Delivery and Configuration for more information about SCEP. Optional. Any string that is understood by the SCEP server. For example, it could be a domain name like example.org. If a certificate authority has multiple CA certificates this field can be used to distinguish which is required.

Name

String

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

35

Configuration Profile Key Reference Payload-Specific Property Keys

Key Subject

Type

Value

Array

Optional. The representation of a X.500 name represented as an array of OID and value. For example, /C=US/O=Apple Inc./CN=foo/1.2.5.3=bar, which would translate to:
[ [ ["C", "US"] ], [ ["O", "Apple Inc."] ], ..., [ [ "1.2.5.3", "bar" ] ] ]

OIDs can be represented as dotted numbers, with shortcuts for country (C), locality (L), state (ST), organization (O), organizational unit (OU), and common name (CN).
Challenge Keysize Key Type Key Usage

String Number String Number

Optional. A pre-shared secret. Optional. The key size in bits, either 1024 or 2048. Optional. Currently always "RSA". Optional. A bitmask indicating the use of the key. 1 is signing, 4 is encryption, 5 is both signing and encryption. Some certificate authorities, such as Windows CA, support only encryption or signing, but not both at the same time. Availability: Available only in iOS 4 and later.

SubjectAltName Dictionary Keys

The SCEP payload can specify an optional SubjectAltName dictionary that provides values required by the CA for issuing a certificate. You can specify a single string or an array of strings for each key. The values you specify depend on the CA you're using, but might include DNS name, URL, or email values. For an example, see Sample Configuration Profile (page 55) or read Over-the-Air Profile Delivery and Configuration .

GetCACaps Dictionary Keys

If you add a dictionary with the key GetCACaps, the device uses the strings you provide as the authoritative source of information about the capabilities of your CA. Otherwise, the device queries the CA for GetCACaps and uses the answer it gets in response.If the CA doesn't respond, the device defaults to GET 3DES and SHA-1 requests. For more information, read Over-the-Air Profile Delivery and Configuration . This feature is not supported in OS X.

Single Sign-On Account Payload

The Single Sign-On Account payload is designated by specifying com.apple.sso as the PayloadType.

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

36

Configuration Profile Key Reference Payload-Specific Property Keys

This payload is supported only in iOS 7.0 and later. In addition to the settings common to all payloads, this payload defines the following keys:
Key Name Kerberos Type Value

String Dictionary

Human-readable name for the account. Kerberos-related information, described below.

The Kerberos dictionary can contain the following keys:

Key PrincipalName Type Value

String

Optional. The Kerberos principal name. If not provided, the user is prompted for one during profile installation. This field must be provided for MDM installation.

Realm

String

The Kerberos realm name. This value should be properly capitalized. List of URLs prefixes that must be matched in order to use this account for Kerberos authentication over HTTP. Optional. List of app identifiers that are allowed to use this login. If this field missing, this login matches all app identifiers. This array, if present, may not be empty.

URLPrefixMatches

Array of strings

AppIdentifierMatches

Array of strings

Each entry in the URLPrefixMatches array must contain a URL prefix. Only URLs that begin with one of the strings in this account are allowed to access the Kerberos ticket. URL matching patterns must include the schemefor example, http://www.example.com/. If a matching pattern does not end in /, a / is appended to it. The URL matching patterns must begin with either http:// or https://. A simple string match is performed, so the URL prefix http://www.example.com/ does not match http://www.example.com:80/. The pattern http:// and https:// matches all HTTP and HTTPS URLs, respectively.

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

37

Configuration Profile Key Reference Payload-Specific Property Keys

The AppIdentifierMatches array must contain strings that match app bundle IDs. These strings may be exact matches (com.mycompany.myapp, for example) or may specify a prefix match on the bundle ID by using the * wildcard character. The wildcard character must appear after a period character (.), and may appear only at the end of the string (com.mycompany.*, for example). When a wildcard is given, any app whose bundle ID begins with the prefix is granted access to the account.

System Policy Control Payload

The System Policy Control payload is designated by specifying com.apple.systempolicy.control as the PayloadType. This payload allows control over configuring the Allowed applications downloaded from: option in the General tab of Security & Privacy in System Preferences. This payload must only exist in a device profile. If the payload is present in a user profile, an error will be generated during installation and the profile will fail to install. This payload is supported only on OS X v10.8 and later. In addition to the settings common to all payloads, this payload defines the following keys:
Key EnableAssessment Type Value

Boolean

Optional. If the key is present and has a value of YES, Gatekeeper is enabled. If the key is present and has a value of NO, Gatekeeper is disabled. Optional. If the key is present and has a value of YES, Gatekeepers Mac App Store and identified developers option is chosen. If the key is present and has a value of NO, Gatekeepers Mac App Store option is chosen. If EnableAssessment is not true, this key has no effect.

AllowIdentifiedDevelopers

Boolean

System Policy Rule Payload

The System Policy Rule payload is designated by specifying com.apple.systempolicy.rule as the PayloadType. This is one of three payloads that allows control of various GateKeeper settings. This payload allows control over Gatekeepers system policy rules. The keys and functionality are tightly related to the spctl command line tool. You should be read the manual page for spctl. This payload must only exist in a device profile. If the payload is present in a user profile, an error will be generated during installation and the profile will fail to install.

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

38

Configuration Profile Key Reference Payload-Specific Property Keys

This payload is supported only on OS X v10.8 and later. In addition to the settings common to all payloads, this payload defines the following keys:
Key Requirement Type Value

String

The policy requirement. This key must follow the syntax described in Code Signing Requirement Language.
Optional. This string will appear in the System Policy UI. If it is missing, PayloadDisplayName or PayloadDescription will be put into this field before the rule is added to the System Policy database.

Comment

String

Expiration OperationType

Date String

Optional. An expiration date for rule(s) being processed. Optional. One of operation:execute, operation:install, or operation:lsopen. This will default to operation:execute.

The client has no way to display information about what certificate is being accepted by the signing requirement if the requirement keys is specified as:
certificate leaf = H"7696f2cbf7f7d43fceb879f52f3cdc8fadfccbd4"

You can embed the certificate within the payload itself, allowing the Profiles preference pane and System Profile report to display information about the certificate(s) being used. To do so, specify the Requirement key using a payload variable of the form $HASHCERT_xx$ where xx is the name of an additional key within the same payload that contains the certificate data in DER format. For example, if you specify:
<key>Requirement</key> <string>certificate leaf = $HASHCERT_Cert1Data$</string>

and then provide:

<key>Cert1Data</key> <data> MIIFTDCCBDSgAwIBAgIHBHXzxGzq8DANBgkqhkiG9w0BAQUFADCByjELMAkGA1UEBhMC ... z1I6yBET5qaGhpWexEp3baLbXLcrtgufmDSUtUnImavGyw== </data>

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

39

Configuration Profile Key Reference Payload-Specific Property Keys

The client will get the value of Cert1Data key, perform a SHA1 hash on it and use the resulting requirement string of:
certificate leaf = H"7696f2cbf7f7d43fceb879f52f3cdc8fadfccbd4"

If you want, you may reference multiple $HASHCERT_xx$ within the requirement string.

System Policy Managed Payload

The System Policy Managed payload is designated by specifying com.apple.systempolicy.managed as the PayloadType. This is one of three payloads that allows control of various GateKeeper settings. This payload allows control to disable the Finders contextual menu that allows bypass of System Policy restrictions. This payload is supported only on OS X v10.8 and later. In addition to the settings common to all payloads, this payload defines the following keys:
Key DisableOverride Type Value

Boolean

Optional. If YES, the Finders contextual menu item will be disabled.

VPN Payload
The VPN payload is used for traditional systemwide VPNs based on L2TP, PPTP, and IPSec. This payload should not be confused with the Per-App VPN, described in Per-App VPN Payload (page 12). The VPN payload is designated by specifying com.apple.vpn.managed as the PayloadType value. In addition to the settings common to all payload types, the VPN payload defines the following keys:
Key UserDefinedName Type Value

String

Description of the VPN connection displayed on the device. Specifies whether to send all traffic through the VPN interface. If true, all network traffic is sent over VPN.

OverridePrimary

Boolean

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

40

Configuration Profile Key Reference Payload-Specific Property Keys

Key VPNType

Type

Value

String

Determines the settings available in the payload for this type of VPN connection. It can have one of these values: "L2TP", "PPTP", or "IPSec", representing L2TP, PPTP and Cisco IPSec respectively. This key can also be VPN to support additional services via its VPNSubType key.

OnDemandEnabled

Integer

1 if the VPN connection should be brought up on demand, else 0.

OnDemandMatchDomainsAlways

Array of Strings

Deprecated. A list of domain names. In versions of iOS prior to iOS 7, if the hostname ends with one of these domain names, the VPN is started automatically. In iOS 7 and later, if this key is present, the associated domain names are treated as though they were associated with the OnDemandMatchDomainsOnRetry key. This behavior can be overridden by OnDemandRules.

OnDemandMatchDomainsNever

Array of Strings

Deprecated. A list of domain names. If the hostname ends with one of these domain names, the VPN is not started automatically. This might be used to exclude a subdomain within an included domain. This behavior can be overridden by OnDemandRules. In iOS 7 and later, this key is deprecated (but still supported) in favor of EvaluateConnection actions in the OnDemandRules dictionaries.

OnDemandMatchDomainsOnRetry

Array of Strings

Deprecated. A list of domain names. If the hostname ends with one of these domain names, if a DNS query for that domain name fails, the VPN is started automatically. This behavior can be overridden by OnDemandRules. In iOS 7 and later, this key is deprecated (but still supported) in favor of EvaluateConnection actions in the OnDemandRules dictionaries.

OnDemandRules

Array of Dictionaries

Determines when and how an on-demand VPN should be used. See On Demand Rules Dictionary Keys (page 43) for details.

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

41

Configuration Profile Key Reference Payload-Specific Property Keys

Key VendorConfig

Type

Value

Dictionary

A dictionary for configuration information specific to a given third-party VPN solution.

There are two possible dictionaries present at the top level, under the keys "PPP" and "IPSec". The keys inside these two dictionaries are described below, along with the VPNType value under which the keys are used.

PPP Dictionary Keys

The following elements are for VPN payloads of type PPP.
Key AuthName AuthPassword Type Value

String String

The VPN account user name. Used for L2TP and PPTP. Optional. Only visible if TokenCard is false. Used for L2TP and PPTP. Whether to use a token card such as an RSA SecurID card for connecting. Used for L2TP. IP address or host name of VPN server. Used for L2TP and PPTP. Only present if RSA SecurID is being used, in which case it has one entry, a string with value "EAP-RSA". Used for L2TP and PPTP. Only present if RSA SecurID is being used, in which case it has one entry, a string with value "EAP". Used for L2TP and PPTP. See discussion under CCPEnabled. Used for PPTP. See discussion under CCPEnabled. Used for PPTP. Enables encryption on the connection. If this key and CCPMPPE40Enabled are true, represents automatic encryption level; if this key and CCPMPPE128Enabled are true, represents maximum encryption level. If no encryption is used, then none of the CCP keys are true. Used for PPTP.

TokenCard

Boolean

CommRemoteAddress AuthEAPPlugins

String Array

AuthProtocol

Array

CCPMPPE40Enabled CCPMPPE128Enabled CCPEnabled

Boolean Boolean Boolean

IPSec Dictionary Keys

The following elements are for VPN payloads of type IPSec.

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

42

Configuration Profile Key Reference Payload-Specific Property Keys

Key RemoteAddress

Type

Value

String

IP address or host name of the VPN server. Used for Cisco IPSec. Either SharedSecret or Certificate. Used for L2TP and Cisco IPSec. User name for VPN account. Used for Cisco IPSec.
1 if Xauth is on, 0 if it is off. Used for Cisco IPSec.

AuthenticationMethod

String

XAuthName XAuthEnabled LocalIdentifier

String Integer String

Present only if AuthenticationMethod is SharedSecret. The name of the group to use. If Hybrid Authentication is used, the string must end with [hybrid]. Used for Cisco IPSec. Present only if AuthenticationMethod is SharedSecret. The value is KeyID. Used for L2TP and Cisco IPSec. The shared secret for this VPN account. Only present if AuthenticationMethod is SharedSecret. Used for L2TP and Cisco IPSec. The UUID of the certificate to use for the account credentials. Only present if AuthenticationMethod is Certificate. Used for Cisco IPSec. Tells whether to prompt for a PIN when connecting. Used for Cisco IPSec.

LocalIdentifierType

String

SharedSecret

Data

PayloadCertificateUUID

String

PromptForVPNPIN

Boolean

On Demand Rules Dictionary Keys

The OnDemandRules key in a VPN payload is associated with an array of dictionaries that define the network match criteria that identify a particular network location. In typical use, VPN On Demand matches the dictionaries in the OnDemandRules array against properties of your current network connection to determine whether domain-based rules should be used in determining whether to connect, then handles the connection as follows:

If domain-based matching is enabled for a matching OnDemandRules dictionary, then for each dictionary in that dictionarys EvaluateConnection array, VPN On Demand compares the requested domain against the domains listed in the Domains array. If domain-based matching is not enabled, the specified behavior (usually Connect, Disconnect, or Ignore) is used if the dictionary otherwise matches.

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

43

Configuration Profile Key Reference Payload-Specific Property Keys

Note: For backwards compatibility, VPN On Demand also allows you to specify the Allow action, in which case the domains to match are determined by arrays in the VPN payload itself (OnDemandMatchDomainsAlways, OnDemandMatchDomainsOnRetry, and OnDemandMatchDomainsNever). However, this is deprecated in iOS 7.

Whenever a network change is detected, the VPN On Demand service compares the newly connected network against the match network criteria specified in each dictionary (in order) to determine whether VPN On Demand should be allowed or not on the newly joined network. The matching criteria can include any of the following:

DNS domain or DNS server settings (with wildcard matching) SSID Interface type reachable server detection

Dictionaries are checked sequentially, beginning with the first dictionary in the array. A dictionary matches the current network only if all of the specified policies in that dictionary match. You should always set a default behavior for unknown networks by specifying an action with no matching criteria as the last dictionary in the array. If a dictionary matches the current network, a server probe is sent if a URL is specified in the profile. VPN then acts according to the policy defined in the dictionary (for example, allow VPNOnDemand, ignore VPNOnDemand, connect, or disconnect). Important: Be sure to set a catch-all value. If you do not, the current default behavior is to allow the connection to occur, but this behavior is not guaranteed. The OnDemandRules dictionaries can contain one or more of the following keys:

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

44

Configuration Profile Key Reference Payload-Specific Property Keys

Key Action

Type

Value

String

The action to take if this dictionary matches the current network. Possible values are: AllowDeprecated. Allow VPN On Demand to connect if triggered.
ConnectUnconditionally initiate a VPN connection

on the next network attempt.

DisconnectTear down the VPN connection and

do not reconnect on demand as long as this dictionary matches.

EvaluateConnectionEvaluate the ActionParameters array for each connection

attempt.
IgnoreLeave any existing VPN connection up, but

do not reconnect on demand as long as this dictionary matches.

ActionParameters

Array of dictionaries

A dictionary that provides rules similar to the OnDemandRules dictionary, but evaluated on each connection instead of when the network changes. These dictionaries are evaluated in order, and the behavior is determined by the first dictionary that matches. The keys allowed in each dictionary are described in Table 1-1 (page 46). Note: This array is used only for dictionaries in which EvaluateConnection is the Action value.

DNSDomainMatch

Array of strings

An array of domain names. This rule matches if any of the domain names in the specified list matches any domain in the devices search domains list. A wildcard '*' prefix is supported. For example, *.example.com matches against either mydomain.example.com or yourdomain.example.com.

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

45

Configuration Profile Key Reference Payload-Specific Property Keys

Key DNSServerAddressMatch

Type

Value

Array of strings

An array of IP addresses. This rule matches if any of the networks specified DNS servers match any entry in the array. Matching with a single wildcard is supported. For example, 17.* matches any DNS server in the class A 17 subnet.

InterfaceTypeMatch

String

An interface type. If specified, this rule matches only if the primary network interface hardware matches the specified type. Supported values are Ethernet, WiFi, and Cellular.

SSIDMatch

String

An array of SSIDs to match against the current network. If the network is not a Wi-Fi network or if the SSID does not appear in this array, the match fails. Omit this key and the corresponding array to match against any SSID.

URLStringProbe

String

A URL to probe. If this URL is successfully fetched (returning a 200 HTTP status code) without redirection, this rule matches.

The keys allowed in each ActionParameters dictionary are described in Table 1-1.
Table 1-1 Key Domains Keys in the ActionParameters dictionary Type Value

Array of strings String

Required. The domains for which this evaluation applies.

DomainAction

Required. Defines the VPN behavior for the specified domains. Allowed values are: ConnectIfNeededThe specified domains should trigger a VPN connection attempt if domain name resolution fails, such as when the DNS server indicates that it cannot resolve the domain, responds with a redirection to a different server, or fails to respond (timeout). NeverConnectThe specified domains should never trigger a VPN connection attempt.

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

46

Configuration Profile Key Reference Payload-Specific Property Keys

Key RequiredDNSServers

Type

Value

Array of strings

Optional. An array of IP addresses of DNS servers to be used for resolving the specified domains. These servers need not be part of the devices current network configuration. If these DNS servers are not reachable, a VPN connection is established in response. These DNS servers should be either internal DNS servers or trusted external DNS servers. Note: This key is valid only if the value of DomainAction is ConnectIfNeeded.

RequiredURLStringProbe

String

Optional. An HTTP or HTTPS (preferred) URL to probe, using a GET request. If the URLs hostname cannot be resolved, if the server is unreachable, or if the server does not respond with a 200 HTTP status code, a VPN connection is established in response. Note: This key is valid only if the value of DomainAction is ConnectIfNeeded.

Wallpaper Payload
The Wallpaper payload is designated by specifying com.apple.wallpaper.managed as the PayloadType value. This feature is not supported in OS X. A Wallpaper payload provides an image to be displayed on the users Home screen or Lock screen, or both. In addition to the settings common to all payloads, this payload defines the following keys:
Key Image Type Content

Base64-encoded image blob in PNG or JPG format Integer

The desired wallpaper image.

Where

1 = Lock screen, 2 = Home (icon list) screen, 3 = both Lock and Home screens.

Web Clip Payload

The Web Clip payload is designated by specifying com.apple.webClip.managed as the PayloadType value. A Web Clip payload provides a web clipping on the users home screen as though the user had saved a bookmark to the home screen. In addition to the settings common to all payloads, this payload defines the following keys:

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

47

Configuration Profile Key Reference Payload-Specific Property Keys

Key URL

Type

Value

String

The URL that the Web Clip should open when clicked. The URL must begin with HTTP or HTTPS or it won't work. The name of the Web Clip as displayed on the Home screen. Optional. A PNG icon to be shown on the Home screen. Should be 59 x 60 pixels in size. If not specified, a white square will be shown. Optional. If No, the user cannot remove the Web Clip, but it will be removed if the profile is deleted. Not available in OS X.

Label Icon

String Data

IsRemovable

Boolean

Web Content Filter Payload

The Web Content Filter payload allows you to whitelist and blacklist specific web URLs. It is designated by specifying com.apple.webcontent-filter as the PayloadType value. This payload is supported only in iOS 7.0 and later, and only on supervised devices. In addition to the settings common to all payloads, this payload defines the following keys:
Key AutoFilterEnabled Type Value

Boolean

Optional. If true, automatic filtering is enabled. This function evaluates each web page as it is loaded and attempts to identify and block content not suitable for children. The search algorithm is complex and may vary from release to release, but it is basically looking for adult language, i.e. swearing and sexually explicit language. The default value is false. Optional. Used only when AutoFilterEnabled is true. Otherwise, this field is ignored. Each entry contains a URL that is accessible whether the automatic filter allows access or not.

PermittedURLs

Array of strings

WhitelistedBookmarks

Array of dictionaries

Optional. If present, these URLs are added to the browsers bookmarks, and the user is not allowed to visit any sites other than these. Optional. Access to the specified URLs is blocked.

BlacklistedURLs

Array of strings

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

48

Configuration Profile Key Reference Payload-Specific Property Keys

Each entry in the WhitelistedBookmarks field contains a dictionary with the following keys:
Key URL BookmarkPath Type Value

String String

URL of the whitelisted bookmark. Optional. The folder into which the bookmark should be added in Safari/Interesting Topic Pages/Biology/, for example. If absent, the bookmark is added to the default bookmarks directory.

Title

String

The title of the bookmark.

When multiple content filter payloads are present:

The blacklist is the union of all blackliststhat is, any URL that appears in any blacklist is inaccessible. The permitted list is the intersection of all permitted liststhat is, only URLs that appear in every permitted list are accessible when they would otherwise be blocked by the automatic filter. The whitelist list is the intersection of all whiteliststhat is, only URLs that appear in every whitelist are accessible.

URLs are matched using string-based prefix matchingthat is, a URL matches a whitelist, blacklist, or permitted list pattern if the exact characters of the pattern appear at the beginning of the URL. No attempt is made to match aliases (IP address versus DNS names, for example) or to handle requests with explicit port numbers. URLs should begin with http:// or https://. If necessary, separate entries must be made for http:// and https:// versions of the same URL. If a profile does not contain an array for PermittedURLs or WhitelistedBookmarks, that profile is skipped when evaluating the missing array or arrays. As an exception, if a payload contains an AutoFilterEnabled key, but does not contain a PermittedURLs array, that profile is treated as containing an empty arraythat is, all websites are blocked. All filtering options are active simultaneously. Only URLs and sites that pass *all* rules are permitted.

Wi-Fi Payload
The Wi-Fi payload is designated by specifying com.apple.wifi.managed as the PayloadType value. In addition to the settings common to all payload types, the payload defines the following keys.

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

49

Configuration Profile Key Reference Payload-Specific Property Keys

Key SSID_STR

Type

Value

String

SSID of the Wi-Fi network to be used. In iOS 7.0 and later, this is optional if a DomainName value is provided

HIDDEN_NETWORK

Boolean

Besides SSID, the device uses information such as broadcast type and encryption type to differentiate a network. By default (false), it is assumed that all configured networks are open or broadcast. To specify a hidden network, must be true. Optional. Default true. If true, the network is auto-joined. If false, the user has to tap the network name to join it. Availability: Available in iOS 5.0 and later.

AutoJoin

Boolean

EncryptionType

String

The possible values are WEP, WPA, Any, and None. WPA corresponds to WPA and WPA2 and applies to both encryption types. Make sure that these values exactly match the capabilities of the network access point. If you're unsure about the encryption type, or would prefer that it apply to all encryption types, use the value Any. Availability: Available in iOS 4.0 and later; the None value is available in iOS 5.0 and later.

IsHotspot

Boolean

Optional. Default false. If true, the network is treated as a hotspot. Availability: Available in iOS 7.0 and later.

DomainName

String

Optional. Domain Name used for Wi-Fi Hotspot 2.0 negotiation. This field can be provided instead of SSID_STR. Availability: Available in iOS 7.0 and later.

ServiceProviderRoamingEnabled

Boolean

Optional. If true, allows connection to roaming service providers. Availability: Available in iOS 7.0 and later.

RoamingConsortiumOIs

Array of strings

Optional. Array of Roaming Consortium Organization Identifiers used for Wi-Fi Hotspot 2.0 negotiation. Availability: Available in iOS 7.0 and later.

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

50

Configuration Profile Key Reference Payload-Specific Property Keys

Key NAIRealmNames

Type

Value

Array of strings

Optional. Array of strings. List of Network Access Identifier Realm names used for Wi-Fi Hotspot 2.0 negotiation. Availability: Available in iOS 7.0 and later.

MCCAndMNCs

Array of strings

Optional. Array of strings. List of Mobile Country Code (MCC)/Mobile Network Code (MNC) pairs used for Wi-Fi Hotspot 2.0 negotiation. Each string must contain exactly six digits. Availability: Available in iOS 7.0 and later. This feature is not supported in OS X.

DisplayedOperatorName ProxyType

String

Availability: Available in iOS 7.0 and later.

String

Optional. Valid values are None, Manual, and Auto. Availability: Available in iOS 5.0 and later.

If the EncryptionType field is set to WEP, WPA, or ANY, the following fields may also be provided:
Key Password EAPClientConfiguration Type Value

String Dictionary

Optional. Described in EAPClientConfiguration Dictionary (page 52). Described in Certificates (page 54).

PayloadCertificateUUID

String

Note: The absence of a password does not prevent a network from being added to the list of known networks. The user is eventually prompted to provide the password when connecting to that network.

If the ProxyType field is set to Manual, the following fields must also be provided:
Key ProxyServer ProxyServerPort ProxyUsername Type Value

String Integer String

The proxy server's network address. The proxy server's port. Optional. The username used to authenticate to the proxy server.

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

51

Configuration Profile Key Reference Payload-Specific Property Keys

Key ProxyPassword

Type

Value

String

Optional. The password used to authenticate to the proxy server. Optional. The URL of the PAC file that defines the proxy configuration. Optional. If false, prevents the device from connecting directly to the destination if the PAC file is unreachable. Default is true. Availability: Available in iOS 7 and later.

ProxyPACURL

String

ProxyPACFallbackAllowed

Boolean

If the ProxyType field is set to Auto and no ProxyPACURL value is specified, the device uses the web proxy autodiscovery protocol (WPAD) to discover proxies. For 802.1X enterprise networks, the EAP Client Configuration Dictionary must be provided.

EAPClientConfiguration Dictionary
In addition to the standard encryption types, it is possible to specify an enterprise profile for a given network via the "EAPClientConfiguration" key. If present, its value is a dictionary with the following keys.
Key UserName Type Value

String

Optional. Unless you know the exact user name, this property won't appear in an imported configuration. Users can enter this information when they authenticate. The following EAP types are accepted: 13 = TLS 17 = LEAP 21 = TTLS 25 = PEAP 43 = EAP-FAST

AcceptEAPTypes

Array of integers.

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

52

Configuration Profile Key Reference Payload-Specific Property Keys

Key PayloadCertificateAnchorUUID

Type

Value

Array of strings

Optional. Identifies the certificates to be trusted for this authentication. Each entry must contain the UUID of a certificate payload. Use this key to prevent the device from asking the user if the listed certificates are trusted. Dynamic trust (the certificate dialogue) is disabled if this property is specified, unless TLSAllowTrustExceptions is also specified with the value true.

TLSTrustedServerNames

Array of strings

Optional. This is the list of server certificate common names that will be accepted. You can use wildcards to specify the name, such as wpa.*.example.com. If a server presents a certificate that isn't in this list, it won't be trusted. Used alone or in combination with TLSTrustedCertificates, the property allows someone to carefully craft which certificates to trust for the given network, and avoid dynamically trusted certificates. Dynamic trust (the certificate dialogue) is disabled if this property is specified, unless TLSAllowTrustExceptions is also specified with the value true.

TLSAllowTrustExceptions

Boolean

Optional. Allows/disallows a dynamic trust decision by the user. The dynamic trust is the certificate dialogue that appears when a certificate isn't trusted. If this is false, the authentication fails if the certificate isn't already trusted. See PayloadCertificateAnchorUUID and TLSTrustedNames above. The default value of this property is true unless either PayloadCertificateAnchorUUID or TLSTrustedServerNames is supplied, in which case the default value is false.

TLSCertificateIsRequired

Boolean

Optional. If true, allows for two-factor authentication for EAP-TTLS, PEAP, or EAP-FAST. If false, allows for zero-factor authentication for EAP-TLS. The default is true for EAP-TLS, and false for other EAP types. Availability: Available in iOS 7.0 and later.

TTLSInnerAuthentication

String

Optional. This is the inner authentication used by the TTLS module. The default value is "MSCHAPv2". Possible values are "PAP", "CHAP", "MSCHAP", and "MSCHAPv2".

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

53

Configuration Profile Key Reference Payload-Specific Property Keys

Key OuterIdentity

Type String

Value

Optional. This key is only relevant to TTLS, PEAP, and EAP-FAST. This allows the user to hide his or her identity. The user's actual name appears only inside the encrypted tunnel. For example, it could be set to "anonymous" or "anon", or "[email protected]". It can increase security because an attacker can't see the authenticating user's name in the clear.

EAP-Fast Support
The EAP-FAST module uses the following properties in the EAPClientConfiguration dictionary.
Key EAPFASTUsePAC EAPFASTProvisionPAC EAPFASTProvisionPACAnonymously Type Value

Boolean Boolean Boolean

Optional. Optional. Optional.

These keys are hierarchical in nature: if EAPFASTUsePAC is false, the other two properties aren't consulted. Similarly, if EAPFASTProvisionPAC is false, EAPFASTProvisionPACAnonymously isn't consulted. If EAPFASTUsePAC is false, authentication proceeds much like PEAP or TTLS: the server proves its identity using a certificate each time. If EAPFASTUsePAC is true, then an existing PAC is used if present. The only way to get a PAC on the device currently is to allow PAC provisioning. So, you need to enable EAPFASTProvisionPAC, and if desired, EAPFASTProvisionPACAnonymously. EAPFASTProvisionPACAnonymously has a security weakness: it doesn't authenticate the server so connections are vulnerable to a man-in-the-middle attack.

Certificates
As with VPN configurations, it is possible to associate a certificate identity configuration with a Wi-Fi configuration. This is useful when defining credentials for a secure enterprise network. To associate an identity, specify its payload UUID via the "PayloadCertificateUUID" key.

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

54

Configuration Profile Key Reference Sample Configuration Profile

Key PayloadCertificateUUID

Type

Value

String

UUID of the certificate payload to use for the identity credential.

Sample Configuration Profile

The following is a sample configuration profile containing an SCEP payload.
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple Inc//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadUUID</key> <string>Ignored</string> <key>PayloadType</key> <string>Configuration</string> <key>PayloadIdentifier</key> <string>Ignored</string> <key>PayloadContent</key> <array> <dict> <key>PayloadContent</key> <dict> <key>URL</key> <string>https://scep.example.com/scep</string> <key>Name</key> <string>EnrollmentCAInstance</string> <key>Subject</key> <array> <array> <array> <string>O</string>

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

55

Configuration Profile Key Reference Sample Configuration Profile

<string>Example, Inc.</string> </array> </array> <array> <array> <string>CN</string> <string>User Device Cert</string> </array> </array> </array> <key>Challenge</key> <string>...</string> <key>Keysize</key> <integer>1024</integer> <key>Key Type</key> <string>RSA</string> <key>Key Usage</key> <integer>5</integer> </dict> <key>PayloadDescription</key> <string>Provides device encryption identity</string> <key>PayloadUUID</key> <string>fd8a6b9e-0fed-406f-9571-8ec98722b713</string> <key>PayloadType</key> <string>com.apple.security.scep</string> <key>PayloadDisplayName</key> <string>Encryption Identity</string> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadOrganization</key> <string>Example, Inc.</string> <key>PayloadIdentifier</key> <string>com.example.profileservice.scep</string> </dict>

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

56

Configuration Profile Key Reference Sample Configuration Profile

</array> </dict> </plist>

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

57

Document Revision History

This table describes the changes to Configuration Profile Reference .

Date 2014-01-14 2013-10-22 2013-10-01 2013-09-18 2012-12-13 2012-09-22

Notes Updated for iOS 7 and OS X v10.9. Added information about the keychain syncing restriction. Removed unsupported keys from document. Updated with a few additional iOS 7 keys. Corrected minor technical and typographical errors. Made minor typographical fixes and clarified a few details specific to OS X. Updated document for iOS 6 and added support for OS X 10.8. Removed extraneous iCloud key. Updated for iOS 5.0. Retitled document. Fixed typographical errors. New document that describes the property list keys used in iOS configuration profiles.

2012-09-19 2011-10-17 2011-10-12 2011-03-08 2010-09-21 2010-08-03

2014-01-14 | Copyright 2014 Apple Inc. All Rights Reserved.

58

Apple Inc. Copyright 2014 Apple Inc. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, mechanical, electronic, photocopying, recording, or otherwise, without prior written permission of Apple Inc., with the following exceptions: Any person is hereby authorized to store documentation on a single computer for personal use only and to print copies of documentation for personal use provided that the documentation contains Apples copyright notice. No licenses, express or implied, are granted with respect to any of the technology described in this document. Apple retains all intellectual property rights associated with the technology described in this document. This document is intended to assist application developers to develop applications only for Apple-labeled computers. Apple Inc. 1 Infinite Loop Cupertino, CA 95014 408-996-1010 Apple, the Apple logo, AirPlay, Bonjour, FileVault, Finder, iBook, iBooks, iPad, iPhone, iTunes, Keychain, Mac, OS X, Pages, Passbook, Safari, Siri, and TrueType are trademarks of Apple Inc., registered in the U.S. and other countries. AirDrop and AirPrint are trademarks of Apple Inc. iCloud, iTunes Music Store, and iTunes Store are service marks of Apple Inc., registered in the U.S. and other countries. App Store, iBookstore, and Mac App Store are service marks of Apple Inc. DEC is a trademark of Digital Equipment Corporation. UNIX is a registered trademark of The Open Group. Xerox is a registered trademark of Xerox Corporation. iOS is a trademark or registered trademark of Cisco in the U.S. and other countries and is used under license.
Even though Apple has reviewed this document, APPLE MAKES NO WARRANTY OR REPRESENTATION, EITHER EXPRESS OR IMPLIED, WITH RESPECT TO THIS DOCUMENT, ITS QUALITY, ACCURACY, MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE. AS A RESULT, THIS DOCUMENT IS PROVIDED AS IS, AND YOU, THE READER, ARE ASSUMING THE ENTIRE RISK AS TO ITS QUALITY AND ACCURACY. IN NO EVENT WILL APPLE BE LIABLE FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES RESULTING FROM ANY DEFECT OR INACCURACY IN THIS DOCUMENT, even if advised of the possibility of such damages. THE WARRANTY AND REMEDIES SET FORTH ABOVE ARE EXCLUSIVE AND IN LIEU OF ALL OTHERS, ORAL OR WRITTEN, EXPRESS OR IMPLIED. No Apple dealer, agent, or employee is authorized to make any modification, extension, or addition to this warranty.

Some states do not allow the exclusion or limitation of implied warranties or liability for incidental or consequential damages, so the above limitation or exclusion may not apply to you. This warranty gives you specific legal rights, and you may also have other rights which vary from state to state.