iOS 14

daniil_michine · July 8, 2020, 6:56pm

iOS 14 has been announced at WWDC20

New configuration profiles are available in iOS 14 at this stage.

Changes were made in the following profiles:

Restrictions
Notifications
Exchange
WiFi

New Payload

DNS Settings

Restrictions Payload

Keys below are supervised only, it will be possible to stop App Clips (App Clips Overview - Apple Developer) installation on supervised devices

Key	Type	Description
allowAppClips	Boolean	If `false` , prevents a user from adding any App Clips, and removes any existing App Clips on the device. Available in iOS 14.0 and later.

https://developer.apple.com/documentation/devicemanagement/restrictions

Notifications Payload

It will be possible to define which apps have notifications visible when device is locked or unlocked.

Note: this is supervised only

Key	Type	Description
PreviewType	integer	The type previews for notifications. This key overrides the value at Settings>Notifications>Show Previews. 0 - Always: Previews will be shown when the device is locked and unlocked `1` - When Unlocked: Previews will only be shown when the device is unlocked `2` - Never: Previews will never be shown Available in iOS 14 and later. Possible values: `0, 1, 2`

https://developer.apple.com/documentation/devicemanagement/notifications/notificationsettingsitem

Exchange Payload

Exchange profile will be able to use a per-app VPN
Unsure what the override previous password does at this stage

Key	Type	Description
OverridePreviousPassword	boolean	If `true` , overrides the previous user/EAS password with the new EAS password in the payload. Available in iOS 14 and later.
VPNUUID	string	The VPN UUID of the per-app VPN to use for this account’s network communication. Available in iOS 14 and later.

https://developer.apple.com/documentation/devicemanagement/exchangeactivesync

WiFi payload

Apple have announced that with iOS 14 devices will start randomizing mac addresses with known networks. It will be possible to disable randomization for networks configured by MDM.

Key	Type	Description
DisableAssociationMACRandomization	boolean	If `true,` disables MAC address randomization for that Wi-Fi network while associated with the network. This also shows a privacy warning in Settings indicating that the network has reduced privacy protections.

https://developer.apple.com/documentation/devicemanagement/wifi

DNS Settings Payload

Apple have added the ability for iOS devices to use DNS over HTTP/S (DNS over HTTPS - Wikipedia) and the ability to set this on devices

DNS Settings

Key	Type	Description
DNSProtocol	string	(Required) The encrypted transport protocol used to communicate with the DNS server. Possible values: `HTTPS, TLS`
ServerAddresses	string	An unordered list of DNS server IP address strings. These IP addresses can be a mixture of IPv4 and IPv6 addresses.
ServerName	string	The hostname of a DNS-over-TLS server used to validate the server certificate, as defined in RFC 7858. If no `ServerAddresses` are provided, the hostname will be used to determine the server addresses. This key must be present only if the DNSProtocol is `TLS` .
ServerURL	string	The URI template of a DNS-over-HTTPS server, as defined in RFC 8484. This URL must use the `https://` scheme, and the hostname or address in the URL will be used to validate the server certificate. If no `ServerAddresses` are provided, the hostname or address in the URL will be used to determine the server addresses. This key must be present only if the `DNSProtocol` is `HTTPS` .
SupplementalMatchDomains	string	A list of domain strings used to determine which DNS queries will use the DNS server. If this array is not provided, all domains will use the DNS server. A single wildcard `` prefix is supported, but is not required. For example, both `.example.com` and `example.com` match against `mydomain.example.com` and `your.domain.example.com` , but do not match against `mydomain-example.com` .

https://developer.apple.com/documentation/devicemanagement/dnssettings/dnssettings

On Demand Rules

Key	Type	Description
Action	string	(Required) The action to take if this dictionary matches the current network. Possible values are: `Connect` : Apply DNS Settings when the dictionary matches. `Disconnect` : Do not apply DNS Settings when the dictionary matches. `EvaluateConnection` : Apply DNS Settings with per-domain exceptions when the dictionary matches. Possible values: `Connect, Disconnect, EvaluateConnection`
ActionParameters	array	A dictionary that provides per-connection rules.This array is used only for settings where the `Action` value is `EvaluateConnection`
DNSDomainMatch	string	An array of domain names. This rule matches if any of the domain names in the specified list matches any domain in the device’s search domains list. A single wildcard `` prefix is supported, but is not required. For example, both `.example.com` and `example.com` match against `mydomain.example.com` and `your.domain.example.com` , but do not match against `mydomain-example.com` .
DNSServerAddressMatch	string	An array of IP addresses. This rule matches if any of the network’s specified DNS servers match any entry in the array. Matching with a single wildcard is supported. For example, 17.* matches any DNS server in the 17.0.0.0/8 subnet.
InterfaceTypeMatch	string	An interface type. If specified, this rule matches only if the primary network interface hardware matches the specified type. Possible values: `Ethernet, WiFi, Cellular`
SSIDMatch	string	An array of SSIDs to match against the current network. If the network is not a Wi-Fi network or if the SSID does not appear in this array, the match fails. Omit this key and the corresponding array to match against any SSID.
URLStringProbe	string	A URL to probe. If this URL is successfully fetched (returning a 200 HTTP status code) without redirection, this rule matches

ActionParameters Array

Key	Type	Description
DomainAction	string	(Required) The DNS settings behavior for the specified domains. Allowed values are:`NeverConnect` : Do not use the DNS Settings for the specified domains. `ConnectIfNeeded` : Allow using the DNS Settings for the specified domains. Possible values: `NeverConnect, ConnectIfNeeded`
Domains	string	(Required) The domains for which this evaluation applies.

https://developer.apple.com/documentation/devicemanagement/dnssettings/ondemandruleselement

daniil_michine · February 10, 2021, 2:58am

Additional changes in iOS 14

Restrictions Payload

Key	Type	Description
allowApplePersonalizedAdvertising	Boolean	If `false` , limits Apple personalized advertising. Available in iOS 14 and later. Default: `true`.
Restrictions \| Apple Developer Documentation

Webclip Payload

Key	Type	Description
IgnoreManifestScope	Boolean	If `true` , a full screen web clip can navigate to an external web site without showing Safari UI. Otherwise, Safari UI appears when navigating away from the web clip’s URL. This key has no effect when `FullScreen` is `false` . Default: `false`
TargetApplicationBundleIdentifier	string	The application bundle identifier that specifies the application which opens the URL.

Certificate Transparency Payload

Certificate transparency payload has been modified, DisabledForCerts now requires a sha256 hash

iOS 14.2

Restrictions Payload

Key	Type	Description
allowNFC	Boolean	If `false` , disables NFC. Requires a supervised device. Available in iOS 14.2 and later…
Restrictions \| Apple Developer Documentation

Certificate Revocation Payload

This looks to be a completely new profile payload made available in iOS 14.2

Key	Type	Description
Algorithm	String	(Required) The algorithm must be `sha256` . Value: `sha256`.
Hash	data	(Required) The hash of the DER-encoding of the certificate’s `subjectPublicKeyInfo` . The hash field requires the data ( `subjectPublicKeyInfo` hash) in a specific format: a Base64 encoded (binary) SHA-256 hash of the certificate’s public key.

VPN Payload

Key	Type	Description
EnforceRoutes	integer	If `true` , all the VPN’s non-default routes take precedence over any locally defined routes. If `IncludeAllNetworks` is `true` , the value of `EnforceRoutes` is ignored. Available in iOS 14.2 and later, and macOS 11 and later. Default: `0` Possible values: `0, 1`
VPN.VPN \| Apple Developer Documentation

daniil_michine · February 21, 2021, 9:35pm

iOS 14.5

It looks like new restrictions are coming with iOS 14.5

With iOS 14.5 it is possible to unlock an iOS device using an Apple Watch, more info here: How to use the new 'Unlock with Apple Watch' iPhone feature - 9to5Mac
New restriction allowAutoUnlock is being shipped along with 14.5 to stop this functionality on managed devices.

Restrictions Payload

Key	Type	Description
allowAutoUnlock	boolean	If `false` , disallows auto unlock. Available in macOS 10.12 and later, and iOS 14.5 and later.
allowGameCenterFriendsSharingModification
allowUnpairedExternalBootToRecovery	boolean	If `true` , allows devices to be booted into recovery by an unpaired device. Requires a supervised device. Available in iOS 14.5 and later. Default: `false`
forceOnDeviceOnlyDictation	boolean	If `true` , disables connections to Siri servers for the purposes of dictation. Available in iOS 14.5 and later. Default: `false`
forceWiFiToAllowedNetworksOnl	boolean	If `true` , limits device to only join Wi-Fi networks set-up via configuration profile. Requires a supervised device. Available in iOS 14.5 and later. Default: `false`

New Shared iPad Commands

Key	Type	Description
TemporarySessionOnly	boolean	If `true` , the user only sees the Guest Welcome pane and can only log in as a guest user. If `false` , the user can sign in with a managed Apple ID (the existing behavior). Available in iOS 14.5 and later. Default: `false`
TemporarySessionTimeout	integer	The timeout, in seconds, for the temporary session. The temporary session logs out automatically after the specified period of inactivity. The minimum value is 30 seconds. Setting this value to `0` removes the timeout. Available in iOS 14.5 and later.
UserSessionTimeout	integer	The timeout, in seconds, for the user session. The user session logs out automatically after the specified period of inactivity. The minimum value is 30 seconds. Setting this value to `0` removes the timeout. Available in iOS 14.5 and later.

Darth2021 · March 25, 2021, 10:43am

can I use this to secure the device via Checkm8 attacks ?

daniil_michine · March 29, 2021, 1:08am

Not sure what you’re asking.
I assume this setting allows devices to be DFU’d from machines that they are not allowed to be paired to.

Darth2021 · March 29, 2021, 6:34am

but what would help such a setting ? I can create this mode on the iOS device itself. If I then plug this into an untrusted computer, I have nothing gained with the setting.

petar · March 29, 2021, 12:23pm

Strange.It seems allowGameCenterFriendsSharingModification has been removed? I can’t seem to find it in the docs or in Apple Configurator.

daniil_michine · March 30, 2021, 1:35am

if you have access to Apple Seed https://appleseed.apple.com it is mentioned in release notes

If not you can get access through an ABM account AppleSeed for IT being opened up for ABM and Apple School Manager accounts

daniil_michine · March 30, 2021, 1:36am

I assume it’s to avoid having to send devices back to Apple when you can DFU them locally to resolve the issue

daniil_michine · April 27, 2021, 12:02am

Looks like allowGameCenterFriendsSharingModification did not make it in the 14.5 release, do not see it in the developer notes.

daniil_michine · April 27, 2021, 12:03am

it seems forceWiFiToAllowedNetworksOnly is replacing forceWiFiWhitelisting key in iOS 14.5

Apple docs: Restrictions | Apple Developer Documentation