New configuration profiles are available in iOS 12 at this stage.
Changes were made in the following profiles:
Exchange
Notifications
Restrictions
Exchange Payload
Deprecated keys
| Deprecated Key | Replacement Key | Type | Description |
| --- | --- | --- | --- |
| SMIMEEncryptionEnabled | SMIMEEncryptByDefault | Boolean | Optional. Default false. If set to true, S/MIME encryption is on by default for this account. Availability: Available only in iOS 10.3 and later. As of iOS 12.0, this key is deprecated. It is recommended to use SMIMEEncryptByDefault instead. |
| SMIMEEnablePerMessageSwitch | SMIMEEnableEncryptionPerMessageSwitch | Boolean | Optional. Default false. If set to true, displays the per-message encryption switch in the Mail Compose UI. Availability: Available only in iOS 8.0 and later. As of iOS 12.0, this key is deprecated. It is recommended to use SMIMEEnableEncryptionPerMessageSwitch instead. |
New Keys
| Key | Type | Description |
| --- | --- | --- |
| SMIMESigningUserOverrideable | Boolean | Optional. Default false. If set to true, the user can toggle S/MIME signing on or off in Settings. |
| SMIMESigningCertificateUUIDUserOverrideable | Boolean | Optional. Default false. If set to true, the user can select the signing identity. |
| SMIMEEncryptByDefault | Boolean | Optional. Default false. If set to true, S/MIME encryption is enabled by default. If SMIMEEnableEncryptionPerMessageSwitch is false, this default cannot be changed by the user. |
| SMIMEEncryptByDefaultUserOverrideable | Boolean | Optional. Default false. If set to true, the user can toggle the encryption by default setting. |
| SMIMEEncryptionCertificateUUIDUserOverrideable | Boolean | Optional. Default false. If set to true, the user can select the S/MIME encryption identity and encryption is enabled. |
| SMIMEEnableEncryptionPerMessageSwitch | Boolean | Optional. Default false. If set to true, enable the per-message encryption switch in the compose view and encryption is enabled. |
| OAuth | Boolean | Optional. Specifies whether the connection should use OAuth for authentication. If enabled, a password should not be specified. This defaults to false. |
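An added example, not part of the original page: a small audit that reads an unsigned profile, moves the two deprecated S/MIME keys to their iOS 12 replacements listed above, and flags an OAuth account that still carries a password or a default-encryption setting the user can switch off. The payload type `com.apple.eas.account`, the `Password` key name and the sample profile are assumptions made for the example.

```python
import plistlib

# Deprecated Exchange S/MIME keys and their iOS 12 replacements, as listed above.
DEPRECATED = {
    "SMIMEEncryptionEnabled": "SMIMEEncryptByDefault",
    "SMIMEEnablePerMessageSwitch": "SMIMEEnableEncryptionPerMessageSwitch",
}
# Assumptions (not on this page): the Exchange PayloadType and the "Password" key name.
EAS_TYPE = "com.apple.eas.account"

# Constructed sample profile, serialized the way a .mobileconfig file is (XML plist).
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": EAS_TYPE,
        "PayloadDisplayName": "Corp Mail",
        "SMIMEEncryptionEnabled": True,
        "SMIMEEnablePerMessageSwitch": False,
        "OAuth": True,
        "Password": "placeholder",
    }],
})


def audit_exchange(profile_bytes):
    """Return (findings, migrated profile bytes) for each Exchange payload."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != EAS_TYPE:
            continue
        name = payload.get("PayloadDisplayName", "<unnamed>")
        for old, new in DEPRECATED.items():
            if old not in payload:
                continue
            value = payload.pop(old)
            if new in payload and payload[new] != value:
                findings.append(f"{name}: {old} conflicts with {new}; kept {new}")
            else:
                payload[new] = value
                findings.append(f"{name}: {old} -> {new}")
        if payload.get("OAuth") and "Password" in payload:
            findings.append(f"{name}: OAuth is true but a password is specified")
        if payload.get("SMIMEEncryptByDefault") and (
                payload.get("SMIMEEncryptByDefaultUserOverrideable")
                or payload.get("SMIMEEnableEncryptionPerMessageSwitch")):
            findings.append(f"{name}: user can switch default encryption off")
    return findings, plistlib.dumps(profile)
```

Calling `audit_exchange(SAMPLE)` returns the findings and the rewritten profile bytes; a signed profile has to be unwrapped before it can be parsed this way.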
Notifications Payload
| Key | Type | Description |
| --- | --- | --- |
| ShowInCarPlay | Boolean | Optional. Whether notifications can be shown in CarPlay. Default is true. |
| CriticalAlertEnabled | Boolean | Optional. Whether an app can mark a notification as a critical notification that will ignore Do Not Disturb and ringer settings. Default is false. |
Restrictions Payload
| Key | Type | Description |
| --- | --- | --- |
| forceAutomaticDateAndTime | Boolean | Optional. Supervised only. If set to true, the Date & Time “Set Automatically” feature is turned on and can’t be turned off by the user. Defaults to false. Note: The device’s time zone will only be updated when the device can determine its location (cellular connection or Wi-Fi with location services enabled). |
|  |  | Optional. Supervised only. If set to false, users will not be able to use the AutoFill Passwords feature on iOS and will not be prompted to use a saved password in Safari or in apps. If set to false, Automatic Strong Passwords will also be disabled and strong passwords will not be suggested to users. Defaults to true. |
| allowPasswordProximityRequests | Boolean | Optional. Supervised only. If set to false, a user’s device will not request passwords from nearby devices. Defaults to true. |
| allowPasswordSharing | Boolean | Optional. Supervised only. If set to false, users cannot share their passwords with the AirDrop Passwords feature. Defaults to true. |
SCEP Payload
| Key | Type | Description |
| --- | --- | --- |
| AllowAllAppsAccess | Boolean | Optional. If true, all apps have access to the private key. Default is false. |
Note: this is very interesting and requires further testing, but potentially this payload may allow the certificates pushed by MDM to be used across other applications (not just Apple-signed applications).
Notifications
| Key | Type | Description |
| --- | --- | --- |
| GroupingType | Integer | Optional. The type of grouping for notifications for this app: 0: Automatic - group notifications into app-specified groups (default). 1: By app - group notifications into one group. 2: Off - do not group notifications. |
| CriticalAlertEnabled | Boolean | Optional. Whether an app can mark a notification as a critical notification that will ignore Do Not Disturb and ringer settings. Default is false. |
Two new restrictions were added on 06-Aug, 2018. Apple Configurator 2.8 (Beta). Both seem to depend on allowOpenFromManagedToUnmanaged introduced in iOS 7.
If set to true, managed apps can write contacts to unmanaged contacts accounts. Defaults to false. If allowOpenFromManagedToUnmanaged is true, this restriction has no effect.
allowUnmanagedToReadManagedContacts - Boolean. Optional. Supervised only* (see below)
If set to true, unmanaged apps can read from managed contacts accounts. Defaults to false. If allowOpenFromManagedToUnmanaged is true, this restriction has no effect.
*allowUnmanagedToReadManagedContacts - Does not seem to require supervision in the iOS 12 final release.
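An added example, not from the original post: a check that models the documented dependency between the two contacts keys and allowOpenFromManagedToUnmanaged, reporting each key as ignored, allowed or blocked for a given profile. The restrictions payload type `com.apple.applicationaccess`, the default of true for allowOpenFromManagedToUnmanaged when it is absent, the helper `make_profile` and both sample profiles are assumptions made for the example.

```python
import plistlib

# Assumptions (not on this page): the restrictions PayloadType, and that
# allowOpenFromManagedToUnmanaged defaults to true when the key is absent.
RESTRICTIONS_TYPE = "com.apple.applicationaccess"
GATE = "allowOpenFromManagedToUnmanaged"
CONTACT_KEYS = ("allowManagedToWriteUnmanagedContacts",
                "allowUnmanagedToReadManagedContacts")


def make_profile(restrictions):
    """Build a constructed single-payload profile (hypothetical helper)."""
    payload = dict(restrictions, PayloadType=RESTRICTIONS_TYPE)
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": [payload]})


def contacts_boundary(profile_bytes):
    """Map each contacts key to 'ignored', 'allowed' or 'blocked'."""
    status = {}
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS_TYPE:
            continue
        gate_open = payload.get(GATE, True)
        for key in CONTACT_KEYS:
            if gate_open:
                # Documented rule: with the gate true the key has no effect.
                status[key] = "ignored"
            else:
                # Both keys default to false, which keeps the boundary closed.
                status[key] = "allowed" if payload.get(key, False) else "blocked"
    return status


# Constructed samples: the first sets a new key but never closes the gate.
INEFFECTIVE = make_profile({"allowUnmanagedToReadManagedContacts": False})
EFFECTIVE = make_profile({GATE: False,
                          "allowManagedToWriteUnmanagedContacts": True})
```

This models only the documented key semantics within a single payload; behaviour on a device still has to be confirmed by testing.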
Daniil, I first thought it was a bug too, but in the end what they did is just to rename the title of the restriction. The key actually remains unchanged.
Users can’t set their own restrictions on their device for iOS 11.4.1 and earlier.
Users can’t set their own Screen Time settings on their device for iOS 12 or later.
Somehow it seems the AC2 is still messing up the payloads too.
Has anyone tested the new payloads?
.allowManagedToWriteUnmanagedContacts.
.allowUnmanagedToReadManagedContacts.
Contact export from the managed app works, but unmanaged apps can still read the managed contacts!?
Has anyone a working config on this?
There are keys available in iOS 12.1 and 12.2 (beta 1)
New keys in 12.1
| Key | Type | Description |
| --- | --- | --- |
| allowESIMModification | Boolean | Optional. Supervised only. If set to false, the user may not remove or add a cellular plan to the eSIM on the device. Defaults to true. |
New keys in 12.1.1
Note: these keys are for the apple.security.certificatetransparency payload type.
| Key | Type | Value |
| --- | --- | --- |
| DisabledForDomains | Array of Strings | Optional. List of domains where certificate transparency is disabled. A leading period can be used to match subdomains, but a domain matching rule must not match all domains within a top level domain (".example.com" and ".example.co.uk" are allowed while ".com" and ".co.uk" are not allowed). |
| DisabledForCerts | Array of Dictionaries | Optional. A list of hashed subjectPublicKeyInfo dictionaries defining the certificates where certificate transparency is disabled. For certificate transparency enforcement to be disabled, one of the following conditions must be met: The hash is of the server certificate’s subjectPublicKeyInfo. The hash is of a subjectPublicKeyInfo that appears in a CA certificate in the certificate chain, that CA certificate is constrained via the X.509v3 nameConstraints extension, one or more directoryName nameConstraints are present in the permittedSubtrees, and the directoryName contains an organizationName attribute. The hash is of a subjectPublicKeyInfo that appears in a CA certificate in the certificate chain, the CA certificate has one or more organizationName attributes in the certificate Subject, and the server’s certificate contains the same number of organizationName attributes, in the same order, and with byte-for-byte identical values. |
New keys in 12.2 (beta 1)
| Key | Type | Description |
| --- | --- | --- |
| allowPersonalHotspotModification | Boolean | Optional. Supervised only. If set to false, the user may not modify the personal hotspot setting. Defaults to true. |
| allowSiriServerLogging | Boolean | Optional. If set to false, server-side Siri logging is disabled. Defaults to true. |