MDM

This payload, when installed, will attempt to enroll the device into an MDM server.

Summary

PayloadType: com.apple.mdm
Supervised Only: N/A
macOS: N/A
macOS Deprecated: N/A
iOS: N/A
iOS Deprecated: N/A
Highlander: N/A

Keys

IdentityCertificateUUID

Identity Certificate UUID

UUID of the certificate payload for the device’s identity. It may also point to a SCEP payload.

Type Default Required Regex iOS macOS Supervised
string N/A N/A ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$ N/A N/A N/A

Topic

Topic

The topic that MDM will listen to for Push notifications. The certificate that the server uses to send push notifications must have the same topic in its subject.

Type Default Required Regex iOS macOS Supervised
string N/A N/A N/A N/A N/A N/A

ServerURL

Server URL

The URL that the device will contact to retrieve device management instructions.

Type Default Required Regex iOS macOS Supervised
string N/A N/A ^https://.*$ N/A N/A N/A

Must begin with the https:// URL scheme, and may contain a port number (:1234, for example).

ServerCapabilities

Server Capabilities

Optional. An array of strings indicating server capabilities. If the server manages OS X devices or a shared iPad, this field is mandatory and must contain the value com.apple.mdm.per-user-connections. This indicates that the server supports both device and user connections.

Type Default Required Regex iOS macOS Supervised
array N/A N/A N/A N/A N/A N/A

Valid Choices

  • com.apple.mdm.per-user-connections

SignMessage

Sign Message

If set, each message coming from the device will carry the additional HTTP header Mdm-Signature.

Type Default Required Regex iOS macOS Supervised
boolean False N/A N/A N/A N/A N/A

CheckInURL

Check In URL

The URL that the device will use to check in during installation. If this URL is not given, the ServerURL will be used for both purposes.

Type Default Required Regex iOS macOS Supervised
string N/A N/A ^https://.*$ N/A N/A N/A

CheckOutWhenRemoved

Check Out when removed

If true, the device attempts to send a CheckOut message to the check-in server when the profile is removed. Defaults to false. Note: OS X v10.8 acts as though this setting is always true.

Type Default Required Regex iOS macOS Supervised
boolean N/A N/A N/A 5.0 N/A N/A

AccessRights

Access Rights

Logical OR of several bit-flags. If 2 is specified, then 1 must also be specified. If 128 is specified, then 64 must also be specified.

Type Default Required Regex iOS macOS Supervised
integer N/A N/A N/A N/A N/A N/A

UseDevelopmentAPNS

Use Development APNS

If set, will use the development APNS servers. Otherwise, the device will use the production servers.

Type Default Required Regex iOS macOS Supervised
boolean False N/A N/A N/A N/A N/A

Access Rights

The MDM Access Rights value is a bitmask constructed by ORing the following values:

  • 1: Allow inspection of installed configuration profiles.
  • 2: Allow installation and removal of configuration profiles.
  • 4: Allow device lock and passcode removal.
  • 8: Allow device erase.
  • 16: Allow query of Device Information (device capacity, serial number).
  • 32: Allow query of Network Information (phone/SIM numbers, MAC addresses).
  • 64: Allow inspection of installed provisioning profiles.
  • 128: Allow installation and removal of provisioning profiles.
  • 256: Allow inspection of installed applications.
  • 512: Allow restriction-related queries.
  • 1024: Allow security-related queries.
  • 2048: Allow manipulation of settings. Availability: Available in iOS 5.0 and later. Available in OS X 10.9 for certain commands.
  • 4096: Allow app management. Availability: Available in iOS 5.0 and later. Available in OS X 10.9 for certain commands.

May not be zero. If 2 is specified, 1 must also be specified. If 128 is specified, 64 must also be specified.
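
The constraints documented above can be checked before a profile is deployed. The following is an added example, not code from the original page or from Apple: it decodes an AccessRights value into the rights listed here and lints every com.apple.mdm payload in a profile against the page's regexes and bit dependencies. The function names, the sample profile and the mdm.example.com host are constructed for illustration, and treating a missing AccessRights key as zero is an assumption.

```python
import plistlib
import re

# Bit values and meanings as listed under "Access Rights" on this page.
RIGHTS = {1: "inspect configuration profiles", 2: "install/remove configuration profiles",
          4: "device lock and passcode removal", 8: "device erase",
          16: "query device information", 32: "query network information",
          64: "inspect provisioning profiles", 128: "install/remove provisioning profiles",
          256: "inspect installed applications", 512: "restriction-related queries",
          1024: "security-related queries", 2048: "manipulate settings", 4096: "app management"}
# Regexes copied from the key tables on this page.
UUID_RE = re.compile(r"^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$")
HTTPS_RE = re.compile(r"^https://.*$")

def decode_rights(mask):
    """List what an AccessRights value grants, lowest bit first."""
    return [name for bit, name in RIGHTS.items() if mask & bit]

def lint_mdm_payload(p):
    """Return findings for one com.apple.mdm payload dict."""
    out = []
    mask = p.get("AccessRights", 0)  # assumption: a missing key is treated as zero
    if mask == 0:
        out.append("AccessRights may not be zero")
    if mask & ~sum(RIGHTS):
        out.append("AccessRights sets bits not listed on this page")
    for bit, needs in ((2, 1), (128, 64)):
        if mask & bit and not mask & needs:
            out.append(f"AccessRights {bit} requires {needs}")
    for key in ("ServerURL", "CheckInURL"):
        # fullmatch rejects a trailing newline that "$" alone would tolerate
        if key in p and not HTTPS_RE.fullmatch(str(p[key])):
            out.append(f"{key} must begin with https://")
    if "IdentityCertificateUUID" in p and not UUID_RE.fullmatch(str(p["IdentityCertificateUUID"])):
        out.append("IdentityCertificateUUID does not match the UUID pattern")
    return out

def lint_profile(data):
    """Lint every com.apple.mdm payload in a serialized profile (bytes)."""
    profile = plistlib.loads(data)
    return [f for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.mdm" for f in lint_mdm_payload(p)]

# Constructed sample profile (hypothetical server, not from a real deployment).
SAMPLE = plistlib.dumps({"PayloadContent": [{
    "PayloadType": "com.apple.mdm",
    "IdentityCertificateUUID": "0A1B2C3D-1111-2222-3333-444455556666",
    "ServerURL": "http://mdm.example.com/server",    # wrong scheme
    "CheckInURL": "https://mdm.example.com:8443/checkin",
    "AccessRights": 2 | 8 | 128 | 1024}]})            # 2 without 1, 128 without 64

if __name__ == "__main__":
    print(decode_rights(2 | 8 | 128 | 1024))
    print("\n".join(lint_profile(SAMPLE)))
```

Decoding the mask before approving a profile makes it easy to see whether high-impact rights such as device erase (8) or passcode removal (4) are being granted.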