iOS 12 - changes in configuration profiles


#1

iOS 12 has been announced today at WWDC18

New configuration profiles are available in iOS 12 at this stage.

Changes were made in the following profiles:

  • Exchange
  • Notifications
  • Restrictions

Exchange Payload

Deprecated keys

  • SMIMEEncryptionEnabled (Boolean), replaced by SMIMEEncryptByDefault: Optional. Default false. If set to true, S/MIME encryption is on by default for this account. Availability: available only in iOS 10.3 and later. As of iOS 12.0, this key is deprecated; it is recommended to use SMIMEEncryptByDefault instead.
  • SMIMEEnablePerMessageSwitch (Boolean), replaced by SMIMEEnableEncryptionPerMessageSwitch: Optional. Default false. If set to true, displays the per-message encryption switch in the Mail Compose UI. Availability: available only in iOS 8.0 and later. As of iOS 12.0, this key is deprecated; it is recommended to use SMIMEEnableEncryptionPerMessageSwitch instead.

New Keys

  • SMIMESigningUserOverrideable (Boolean): Optional. Default false. If set to true, the user can toggle S/MIME signing on or off in Settings.
  • SMIMESigningCertificateUUIDUserOverrideable (Boolean): Optional. Default false. If set to true, the user can select the signing identity.
  • SMIMEEncryptByDefault (Boolean): Optional. Default false. If set to true, S/MIME encryption is enabled by default. If SMIMEEnableEncryptionPerMessageSwitch is false, this default cannot be changed by the user.
  • SMIMEEncryptByDefaultUserOverrideable (Boolean): Optional. Default false. If set to true, the user can toggle the "encrypt by default" setting.
  • SMIMEEncryptionCertificateUUIDUserOverrideable (Boolean): Optional. Default false. If set to true, the user can select the S/MIME encryption identity, and encryption is enabled.
  • SMIMEEnableEncryptionPerMessageSwitch (Boolean): Optional. Default false. If set to true, enables the per-message encryption switch in the compose view, and encryption is enabled.
  • OAuth (Boolean): Optional. Specifies whether the connection should use OAuth for authentication. If enabled, a password should not be specified. Defaults to false.

Notifications Payload

  • ShowInCarPlay (Boolean): Optional. Whether notifications can be shown in CarPlay. Default is true.
  • CriticalAlertEnabled (Boolean): Optional. Whether an app can mark a notification as a critical notification that will ignore Do Not Disturb and ringer settings. Default is false.

Restrictions Payload

  • forceAutomaticDateAndTime (Boolean): Optional. Supervised only. If set to true, the Date & Time "Set Automatically" feature is turned on and can't be turned off by the user. Defaults to false. Note: the device's time zone will only be updated when the device can determine its location (cellular connection, or Wi-Fi with location services enabled).

Full list of profiles available here: https://developer.apple.com/library/archive/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html


#2

Thanks for this review!


#3

Apple have since added additional keys.

Restrictions

  • allowPasswordAutoFill (Boolean): Optional. Supervised only. If set to false, users will not be able to use the AutoFill Passwords feature on iOS and will not be prompted to use a saved password in Safari or in apps. If set to false, Automatic Strong Passwords will also be disabled and strong passwords will not be suggested to users. Defaults to true.
  • allowPasswordProximityRequests (Boolean): Optional. Supervised only. If set to false, a user's device will not request passwords from nearby devices. Defaults to true.
  • allowPasswordSharing (Boolean): Optional. Supervised only. If set to false, users cannot share their passwords with the AirDrop Passwords feature. Defaults to true.

SCEP Payload

  • AllowAllAppsAccess (Boolean): Optional. If true, all apps have access to the private key. Default is false.

Note: this is very interesting and requires further testing but potentially this payload may allow the certificates pushed by MDM to be used across other applications (not just Apple signed applications).

Notifications

  • GroupingType (Integer): Optional. The type of grouping for notifications for this app:
      • 0: Automatic. Group notifications into app-specified groups. (Default)
      • 1: By app. Group notifications into one group.
      • 2: Off. Do not group notifications.
  • CriticalAlertEnabled (Boolean): Optional. Whether an app can mark a notification as a critical notification that will ignore Do Not Disturb and ringer settings. Default is false.

#4

These keys are now available in Apple Configurator 2.8 (Beta)

Restrictions

<key>forceAutomaticDateAndTime</key>
<false/>

<key>allowPasswordProximityRequests</key>
<true/>
<key>allowPasswordSharing</key>
<true/>

<key>allowPasswordAutoFill</key>
<false/>

Exchange

<key>OAuth</key>
<false/>

Notifications

(Screenshot of the Notifications payload in Apple Configurator, not reproduced.)


#5

Two new restrictions were added on 06-Aug-2018 in Apple Configurator 2.8 (Beta). Both seem to depend on allowOpenFromManagedToUnmanaged, introduced in iOS 7.

allowManagedToWriteUnmanagedContacts - Boolean. Optional.

If set to true, managed apps can write contacts to unmanaged contacts accounts. Defaults to false. If allowOpenFromManagedToUnmanaged is true, this restriction has no effect.

allowUnmanagedToReadManagedContacts - Boolean. Optional. Supervised only* (see below)

If set to true, unmanaged apps can read from managed contacts accounts. Defaults to false. If allowOpenFromManagedToUnmanaged is true, this restriction has no effect.


*allowUnmanagedToReadManagedContacts - Does not seem to require supervision in the iOS 12 final release.
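The checks below are an added example, not code from any of the posts above. It is a small audit script for a .mobileconfig profile covering the key changes from posts #1, #3 and #5: it flags the deprecated Exchange S/MIME keys (and renames them to their iOS 12 replacements), OAuth combined with a stored password, the SCEP AllowAllAppsAccess flag, the password-related restrictions that allow a feature unless explicitly set to false, and the effective managed/unmanaged contacts flow. Two assumptions are not stated in the thread: the PayloadType identifiers com.apple.eas.account, com.apple.security.scep and com.apple.applicationaccess are taken from Apple's profile reference, and allowOpenFromManagedToUnmanaged is treated as defaulting to true. The sample profile is constructed for illustration.

```python
"""Audit a .mobileconfig profile for the iOS 12 key changes discussed in this
thread. Added example, not from the original posts. PayloadType identifiers
are assumed from Apple's profile reference; the sample profile is constructed.
"""
import plistlib

# Deprecated Exchange keys and their iOS 12 replacements (post #1).
DEPRECATED_EAS_KEYS = {
    "SMIMEEncryptionEnabled": "SMIMEEncryptByDefault",
    "SMIMEEnablePerMessageSwitch": "SMIMEEnableEncryptionPerMessageSwitch",
}

# Password restrictions from post #3; all default to true (feature allowed).
PASSWORD_RESTRICTIONS = (
    "allowPasswordAutoFill",
    "allowPasswordProximityRequests",
    "allowPasswordSharing",
)


def migrate_eas_keys(payload):
    """Return a copy of an Exchange payload with deprecated keys renamed.

    If both the old and the new key are present, the new key wins and the
    old one is dropped.
    """
    out = dict(payload)
    for old, new in DEPRECATED_EAS_KEYS.items():
        if old in out:
            out.setdefault(new, out[old])
            del out[old]
    return out


def effective_contacts_policy(restrictions):
    """Effective contacts flow for a Restrictions payload (post #5).

    Both contact keys default to false and have no effect when
    allowOpenFromManagedToUnmanaged is true (assumed default: true).
    """
    if restrictions.get("allowOpenFromManagedToUnmanaged", True):
        return {"managed_can_write_unmanaged": True, "unmanaged_can_read_managed": True}
    return {
        "managed_can_write_unmanaged": restrictions.get("allowManagedToWriteUnmanagedContacts", False),
        "unmanaged_can_read_managed": restrictions.get("allowUnmanagedToReadManagedContacts", False),
    }


def audit_payload(payload):
    """Return a list of finding strings for one payload dictionary."""
    findings = []
    ptype = payload.get("PayloadType", "")
    if ptype == "com.apple.eas.account":
        for old, new in DEPRECATED_EAS_KEYS.items():
            if old in payload:
                findings.append(f"eas: {old} is deprecated in iOS 12, use {new}")
                if new in payload and payload[new] != payload[old]:
                    findings.append(f"eas: {old}={payload[old]} conflicts with {new}={payload[new]}")
        if payload.get("OAuth") and "Password" in payload:
            findings.append("eas: OAuth is enabled but a Password is also set")
    elif ptype == "com.apple.security.scep":
        if payload.get("AllowAllAppsAccess", False):
            findings.append("scep: AllowAllAppsAccess=true lets every app use the private key")
    elif ptype == "com.apple.applicationaccess":
        for key in PASSWORD_RESTRICTIONS:
            # An absent key means the default, which allows the feature.
            if payload.get(key, True):
                findings.append(f"restrictions: {key} allowed (explicit or default)")
        if effective_contacts_policy(payload)["unmanaged_can_read_managed"]:
            findings.append("restrictions: unmanaged apps can read managed contacts")
    return findings


def audit_profile(plist_bytes):
    """Parse a .mobileconfig (XML or binary plist) and audit every payload."""
    profile = plistlib.loads(plist_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        findings.extend(audit_payload(payload))
    return findings


# Constructed sample profile (not a real deployment) exercising every check.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "example.audit.sample",
    "PayloadUUID": "00000000-0000-0000-0000-000000000000",
    "PayloadContent": [
        {"PayloadType": "com.apple.eas.account", "PayloadIdentifier": "example.eas",
         "SMIMEEncryptionEnabled": True, "OAuth": True, "Password": "placeholder"},
        {"PayloadType": "com.apple.security.scep", "PayloadIdentifier": "example.scep",
         "AllowAllAppsAccess": True},
        {"PayloadType": "com.apple.applicationaccess", "PayloadIdentifier": "example.restrictions",
         "allowPasswordAutoFill": False, "allowOpenFromManagedToUnmanaged": False,
         "allowUnmanagedToReadManagedContacts": True},
    ],
})

if __name__ == "__main__":
    for line in audit_profile(SAMPLE_PROFILE):
        print(line)
```

Run against the constructed profile it reports six findings: the deprecated S/MIME key, OAuth with a stored password, the SCEP private key exposed to all apps, the two password features left at their permissive default, and unmanaged apps being able to read managed contacts. Point audit_profile at the bytes of an exported .mobileconfig to check a real profile.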


#6

The following new restriction was added in the latest Apple Configurator.

allowESIMModification - Boolean. Supervised.

If set to true, allows modifying eSIM settings.

Additionally, the following restriction was renamed from:

(Screenshot of the old restriction title, not reproduced.)

to:

(Screenshot of the new restriction title, not reproduced.)

(This change has been available since iOS 12 Beta)


#7

Wow, looks like a Configurator bug.

I've created a profile in Configurator and, looking through the XML, I can see that the key is still there:

		<key>allowEnablingRestrictions</key>
		<true/>

The key is also referenced in the Apple configuration profile reference.


#8

Daniil, I first thought it was a bug too, but in the end what they did is just to rename the title of the restriction. The key actually remains unchanged.

The only place I found this documented is in the MDM IT documentation.

Modify restrictions or Screen Time settings

Users can’t set their own restrictions on their device for iOS 11.4.1 and earlier.
Users can’t set their own Screen Time settings on their device for iOS 12 or later.


#9

This terminology is also used in Apple Profile Manager (part of Apple Server).
Strange decision from Apple :confused:


#10

Somehow it seems that AC2 is still messing up the payloads too.
Has anyone tested the new payloads?
  • allowManagedToWriteUnmanagedContacts
  • allowUnmanagedToReadManagedContacts

Contact export from the managed app works, but unmanaged apps can still read the managed contacts!?
Has anyone a working config on this?


#11

There are new keys available in iOS 12.1 and 12.2 (beta 1).

New keys in 12.1

  • allowESIMModification (Boolean): Optional. Supervised only. If set to false, the user may not remove or add a cellular plan to the eSIM on the device. Defaults to true.

New keys in 12.1.1

Note: these keys are for the apple.security.certificatetransparency payload type.

  • DisabledForDomains (Array of Strings): Optional. List of domains where certificate transparency is disabled. A leading period can be used to match subdomains, but a domain matching rule must not match all domains within a top-level domain (".example.com" and ".example.co.uk" are allowed, while ".com" and ".co.uk" are not allowed).
  • DisabledForCerts (Array of Dictionaries): Optional. A list of hashed subjectPublicKeyInfo dictionaries defining the certificates where certificate transparency is disabled. For certificate transparency enforcement to be disabled, one of the following conditions must be met:
      • The hash is of the server certificate's subjectPublicKeyInfo.
      • The hash is of a subjectPublicKeyInfo that appears in a CA certificate in the certificate chain, that CA certificate is constrained via the X.509v3 nameConstraints extension, one or more directoryName nameConstraints are present in the permittedSubtrees, and the directoryName contains an organizationName attribute.
      • The hash is of a subjectPublicKeyInfo that appears in a CA certificate in the certificate chain, the CA certificate has one or more organizationName attributes in the certificate Subject, and the server's certificate contains the same number of organizationName attributes, in the same order, and with byte-for-byte identical values.

New keys in 12.2 (beta 1)

  • allowPersonalHotspotModification (Boolean): Optional. Supervised only. If set to false, the user may not modify the personal hotspot setting. Defaults to true.
  • allowSiriServerLogging (Boolean): Optional. If set to false, server-side Siri logging is disabled. Defaults to true.
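As an added example (not code from the post or from Apple), the following validator applies the DisabledForDomains rule quoted above before a certificate transparency payload is deployed: a leading period matches subdomains, but an entry must not switch CT off for every domain under a top-level or public suffix. It also shows which hostnames an accepted list would exempt. The public-suffix set is a constructed stub standing in for the Public Suffix List, and the choice that a leading-period entry matches subdomains only (not the bare domain) is an assumption; the post does not say either way.

```python
"""Validate DisabledForDomains entries for the certificate transparency
payload and evaluate which hosts they exempt. Added example, not from the
post. PUBLIC_SUFFIXES is a constructed stub; a real check would load the
Public Suffix List (https://publicsuffix.org/).
"""

# Constructed stub of public suffixes for the examples in the post.
PUBLIC_SUFFIXES = {"com", "org", "net", "uk", "co.uk", "org.uk", "au", "com.au"}


def is_public_suffix(domain):
    """True if the domain is itself a top-level or public suffix."""
    return domain.lower() in PUBLIC_SUFFIXES


def validate_ct_domain_entry(entry):
    """Return (ok, reason); reason is an empty string when the entry is accepted."""
    if not entry or entry != entry.strip():
        return False, "empty or whitespace-padded entry"
    wildcard = entry.startswith(".")
    host = entry[1:] if wildcard else entry
    if not host or host.startswith(".") or host.endswith(".") or ".." in host:
        return False, f"malformed domain {entry!r}"
    if wildcard and is_public_suffix(host):
        # ".com" or ".co.uk" would disable CT for every domain under that suffix.
        return False, f"{entry!r} would match all domains under the public suffix {host!r}"
    return True, ""


def check_disabled_for_domains(entries):
    """Return a list of (entry, reason) for every rejected entry."""
    rejected = []
    for entry in entries:
        ok, reason = validate_ct_domain_entry(entry)
        if not ok:
            rejected.append((entry, reason))
    return rejected


def ct_disabled_for_host(entries, hostname):
    """True if the hostname falls under any accepted entry.

    Exact entries match only themselves; leading-period entries match any
    subdomain (assumption: not the bare domain itself). Rejected entries are
    ignored, as a deployed payload should never contain them.
    """
    host = hostname.lower().rstrip(".")
    for entry in entries:
        ok, _ = validate_ct_domain_entry(entry)
        if not ok:
            continue
        pattern = entry.lower()
        if pattern.startswith("."):
            if host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


if __name__ == "__main__":
    # Constructed list mixing accepted and rejected entries.
    candidate = [".example.com", ".example.co.uk", "mail.corp.internal", ".com", ".co.uk"]
    for entry, reason in check_disabled_for_domains(candidate):
        print(f"rejected {entry}: {reason}")
    print("api.example.com exempt:", ct_disabled_for_host(candidate, "api.example.com"))
    print("example.com exempt:", ct_disabled_for_host(candidate, "example.com"))
```

Exempting a host from CT enforcement removes a detection signal for mis-issued certificates, so the list is worth reviewing with this kind of check: the narrower the entries, the smaller the set of hostnames for which an unlogged certificate would be accepted.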

#12

These keys are now available in the restrictions payload in the new version of Apple Configurator 2 (2.9).

The certificate transparency payload is also available now

As of iOS 12.2, the ClearRestrictionsPassword command also clears the Screen Time passcode.


#13

Hi,
Can anyone explain what is server-side Siri logging?


#14

I believe it's to stop Siri recordings being stored with Apple. It seems like Apple keep a record of all Siri commands for a period of time.