iOS 13 - changes in configuration profiles

iOS 13 was announced at WWDC19 yesterday.

New configuration profiles are available in iOS 13 at this stage.

Changes were made in the following profiles:

  • Restrictions
  • WiFi
  • Exchange

New Payload:

  • Single Sign-On Extensions

Restrictions Payload

New Keys

Keys below are supervised only

| Key | Type | Description |
|---|---|---|
| allowWiFiPowerModification | Boolean | Allow turning WiFi on or off |
| allowContinuousPathKeyboard | Boolean | |

Following keys are now supervised only

| Key | Type | Description |
|---|---|---|
| allowCamera | Boolean | Optional. When false, the camera is completely disabled and its icon is removed from the Home screen. Users are unable to take photographs. |
| allowVideoConferencing | Boolean | Optional. When false, disables video conferencing (FaceTime). This key is deprecated on unsupervised devices. |

WiFi Payload

Support for WPA 3 Added

Exchange Payload

Enable Mail, Calendar, Contacts, and Reminders individually for managed accounts

| Key | Type | Description |
|---|---|---|
| EnableCalendars | Boolean | |
| EnableMail | Boolean | |
| EnableNotes | Boolean | |
| EnableReminders | Boolean | |
| EnableContacts | Boolean | |

Single Sign-On Extensions Payload

This is a new payload, I’ve not seen much information on how this can be leveraged yet but the concept looks interesting.


<dict>
	<key>ExtensionIdentifier</key>
	<string>com.test.bundle</string>
	<key>PayloadDescription</key>
	<string>Configures Single Sign-On Extensions</string>
	<key>PayloadDisplayName</key>
	<string>Single Sign-On Extensions</string>
	<key>PayloadIdentifier</key>
	<string>com.apple.extensiblesso.D4EEDD72-6057-4E51-8A35-E22116E0800D</string>
	<key>PayloadType</key>
	<string>com.apple.extensiblesso</string>
	<key>PayloadUUID</key>
	<string>D4EEDD72-6057-4E51-8A35-E22116E0800D</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
	<key>Type</key>
	<string>Credential</string>
</dict>

More information on this payload: https://developer.apple.com/documentation/devicemanagement/extensiblesinglesignonsso

Apple Configurator 2.10 beta release notes

Simple MDM also have a great blog post about new functionality in iOS 13

2 Likes

I’ve noticed a couple of new keys I’ve not seen before

OAuth Sign In URL & OAuth Token Request URL


			<key>OAuth</key>
			<true/>
			<key>OAuthSignInURL</key>
			<string>https://test.com</string>
			<key>OAuthTokenRequestURL</key>
			<string>https://test.com/url</string>

| Key | Type | Description |
|---|---|---|
| OAuthSignInURL | string | The URL that this account should use for signing in via OAuth. When this URL is specified, auto-discovery is not used for this account so you must also specify a host. This field is ignored unless OAuth is true. |
| OAuthTokenRequestURL | string | The URL that this account should use for token requests via OAuth. This field is ignored unless OAuth is true. |

Restrictions

New Restrictions

There are some new restriction keys; it looks like allowWiFiPowerModification has been replaced with forceWiFiPowerOn.

| Key | Type | Description |
|---|---|---|
| allowFilesNetworkDriveAccess | boolean | If false, prevents connecting to network drives in the Files app. Available in iOS 13.0 and later. |
| allowFilesUSBDriveAccess | boolean | If false, prevents connecting to any connected USB devices in the Files app. Available in iOS 13.0 and later. |
| allowFindMyDevice | boolean | If false, disables Find My Device in the Find My app. Requires a supervised device. Available in iOS 13 and later. |
| allowFindMyFriends | boolean | If false, disables Find My Friends in the Find My app. Requires a supervised device. Available in iOS 13 and later. |
| forceWiFiPowerOn | boolean | If false, prevents Wi-Fi from being turned off in Settings or Control Center, even by entering or leaving Airplane Mode. It does not prevent selecting which Wi-Fi network to use. Available in iOS 13.0 and later. |

Restrictions that require supervision as of iOS 13

| Key | Type | Description |
|---|---|---|
| allowAddingGameCenterFriends | boolean | If false, prohibits adding friends to Game Center. As of iOS 13, requires a supervised device. Available in iOS 4.2.1 and later, and macOS 10.13 and later. |
| allowAppInstallation | boolean | If false, disables the App Store, and its icon is removed from the Home screen. Users are unable to install or update their apps. In iOS 10 and later, MDM commands can override this restriction. As of iOS 13, this restriction requires a supervised device. Available in iOS 4 and later. |
| allowCamera | boolean | If false, disables the camera, and its icon is removed from the Home screen. Users are unable to take photographs. As of iOS 13, requires a supervised device. Available in iOS 4 and later, and macOS 10.11 and later. |
| allowCloudBackup | boolean | If false, disables backing up the device to iCloud. As of iOS 13, requires a supervised device. Available in iOS 5 and later. |
| allowCloudDocumentSync | boolean | If false, disables document and key-value syncing to iCloud. As of iOS 13, this restriction requires a supervised device. Available in iOS 5 and later, and macOS 10.11 and later. |
| allowExplicitContent | boolean | If false, hides explicit music or video content purchased from the iTunes Store. Explicit content is marked as such by content providers, such as record labels, when sold through the iTunes Store. As of iOS 13, requires a supervised device. Available in iOS 4 and later, and tvOS 11.3 and later. |
| allowiTunes | boolean | If false, disables the iTunes Music Store, and its icon is removed from the Home screen. Users cannot preview, purchase, or download content. As of iOS 13, requires a supervised device. Available in iOS 4 and later. |
| allowRemoteScreenObservation | boolean | If false, disables remote screen observation by the Classroom app. Nest this key beneath allowScreenShot as a subrestriction. If allowScreenShot is set to false, the Classroom app doesn’t observe remote screens. Required a supervised device until iOS 13 and macOS 10.15. Available in iOS 12 and later, and macOS 10.14.4 and later. |
| allowSafari | boolean | If false, disables the Safari web browser app, and its icon is removed from the Home screen. This setting also prevents users from opening web clips. As of iOS 13, requires a supervised device. Available in iOS 4 and later. |
| allowVideoConferencing | boolean | If false, hides the FaceTime app. As of iOS 13, requires a supervised device. Available in iOS 4 and later. |
| safariAllowAutoFill | boolean | If false, disables Safari autofill. As of iOS 13, requires a supervised device. Available in iOS 4 and later, and macOS 10.13 and later. |
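
An added example, not part of the original posts: a small audit that reads a configuration profile and reports restrictions set to false that the tables above list as needing a supervised device on iOS 13. The function name, the sample profile and its com.example identifier are constructed for illustration; com.apple.applicationaccess is the PayloadType of the Restrictions payload.

```python
import plistlib

# Restriction keys the tables above list as requiring a supervised device on iOS 13.
# allowRemoteScreenObservation is left out: it required supervision only until iOS 13.
SUPERVISED_ONLY_IOS13 = {
    "allowAddingGameCenterFriends", "allowAppInstallation", "allowCamera",
    "allowCloudBackup", "allowCloudDocumentSync", "allowExplicitContent",
    "allowiTunes", "allowSafari", "allowVideoConferencing", "safariAllowAutoFill",
    "allowFindMyDevice", "allowFindMyFriends",
}
RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # Restrictions payload type


def supervised_only_restrictions(profile_bytes):
    """Return sorted (payload identifier, key) pairs for restrictions that are
    set to false and need a supervised device on iOS 13."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS_TYPE:
            continue
        for key, value in payload.items():
            if key in SUPERVISED_ONLY_IOS13 and value is False:
                findings.append((payload.get("PayloadIdentifier", "?"), key))
    return sorted(findings)


# Constructed sample profile; the com.example identifier is made up.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.applicationaccess</string>
    <key>PayloadIdentifier</key><string>com.example.restrictions</string>
    <key>allowCamera</key><false/>
    <key>allowSafari</key><true/>
    <key>allowCloudBackup</key><false/>
    <key>allowFilesUSBDriveAccess</key><false/>
    <key>allowRemoteScreenObservation</key><false/>
  </dict></array>
</dict></plist>"""

if __name__ == "__main__":
    for ident, key in supervised_only_restrictions(SAMPLE):
        print(f"{ident}: {key}=false requires a supervised device on iOS 13")
```

Running the same check across every profile assigned to unsupervised devices shows which restrictions depend on moving those devices to supervision.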

Where will I find the screen that shows the Single Sign-On Extensions Payload options?

Any changes or new items added in iOS 13.3.1?

Not seen anything in terms of profiles
Here is the official Apple changelog

Apple released beta 1 of iOS 13.4 yesterday; it looks like there are some new configuration profiles available and some changes in how iOS operates.

Commands
Looks like Apple are releasing shared iPad functionality for Apple Business Manager
A new command is being added for dynamic quota management for users and apps.
SharedDeviceConfiguration

Apple documentation below: SettingsCommand.Command.Settings.SharedDeviceConfiguration | Apple Developer Documentation

Restrictions
Safari will not connect (instead of displaying a block message) to websites that present TLS 1.0 or TLS 1.1

New setting exists in restriction profile to allow this connection


<key>allowDeprecatedWebKitTLS</key>
<true/>

Looks like the following has also been added. Apple is releasing Shared iPad functionality for enterprises, and the key below is designed to control temporary “Shared iPad Sessions” on the device.

<key>allowSharedDeviceTemporarySession</key>

Restrictions are documented by Apple here:

| Key | Type | Description |
|---|---|---|
| allowDeprecatedWebKitTLS | boolean | If true, the deprecated TLS 1.0/1.1 behavior in Safari is allowed. Available in iOS 13.4 and later, and macOS 10.15.4 and later. |
| allowSharedDeviceTemporarySession | boolean | If false, temporary sessions are not available on Shared iPad. Available in iOS 13.4 and later. |

VPN
VPN profiles for SSL VPN have a new key to send all traffic through the VPN and to exclude local networks


		<key>VPN</key>
		<dict>
			<key>ExcludeLocalNetworks</key>
			<integer>1</integer>
			<key>IncludeAllNetworks</key>
			<integer>1</integer>
		</dict>

| Key | Type | Description |
|---|---|---|
| ExcludeLocalNetworks | integer | If true and includeAllNetworks is true, routes all local network traffic outside the VPN. |
| IncludeAllNetworks | integer | If true, routes all traffic through the VPN. |

These keys are documented by Apple here:

1 Like
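
An added example, not part of the original post: a check for the iOS 13.4 keys described above, flagging a profile that re-allows TLS 1.0/1.1 in Safari and VPN settings that leave traffic outside the tunnel. The function name, the finding codes and the sample profile with its com.example identifiers are constructed for illustration.

```python
import plistlib


def audit_ios134_settings(profile_bytes):
    """Return (payload identifier, finding code) pairs for the iOS 13.4 keys."""
    findings = []
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        ident = payload.get("PayloadIdentifier", "?")
        # Restrictions payload: Safari may connect to TLS 1.0/1.1 sites again.
        if payload.get("allowDeprecatedWebKitTLS") is True:
            findings.append((ident, "deprecated-tls-allowed"))
        vpn = payload.get("VPN")
        if not isinstance(vpn, dict):
            continue
        include_all = bool(vpn.get("IncludeAllNetworks", 0))
        exclude_local = bool(vpn.get("ExcludeLocalNetworks", 0))
        if not include_all:
            # Nothing in the profile forces all traffic through the tunnel.
            findings.append((ident, "vpn-not-full-tunnel"))
            if exclude_local:
                # Per the table, this key applies together with IncludeAllNetworks.
                findings.append((ident, "exclude-local-without-include-all"))
        elif exclude_local:
            # Full tunnel, but local network traffic is routed outside the VPN.
            findings.append((ident, "local-traffic-outside-vpn"))
    return findings


# Constructed sample profile; the com.example identifiers are made up.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadIdentifier</key><string>com.example.restrictions</string>
      <key>allowDeprecatedWebKitTLS</key><true/>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadIdentifier</key><string>com.example.vpn</string>
      <key>VPN</key><dict>
        <key>ExcludeLocalNetworks</key><integer>1</integer>
      </dict>
    </dict>
  </array>
</dict></plist>"""
```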

As of iOS 13.4, is_multi_user is now available for the DEP profiles using Apple Business Manager,
meaning that you can use Shared iPad with ABM.

https://developer.apple.com/documentation/devicemanagement/profile

Hi Danill, et al.

Has anyone set up Shared iPad with any MDM or Intune?