iOS 13 - changes in configuration profiles

iOS 13 has been announced at WWDC19 yesterday

New configuration profiles are available in iOS 13 at this stage.

Changes were made in the following profiles:

  • Restrictions
  • WiFi
  • Exchange

New Payload:

  • Single Sign-On Extensions

Restrictions Payload

New Keys

Keys below are supervised only

Key Type Description
allowWiFiPowerModification Boolean Allow turning WiFi on or off
allowContinuousPathKeyboard Boolean

Following keys are now supervised only

Key Type Description
allowCamera Boolean Optional. When false, the camera is completely disabled and its icon is removed from the Home screen. Users are unable to take photographs.
allowVideoConferencing Boolean Optional. When false, disables video conferencing (FaceTime). This key is deprecated on unsupervised devices.

WiFi Payload

Support for WPA 3 Added

Exchnage Payload

Enable Mail, Calendar, Contacts, and Reminders individually for managed accounts

Key Type Description
EnableCalendars Boolean
EnableMail Boolean
EnableNotes Boolean
EnableReminders Boolean
EnableContacts Boolean

Single Sign-On Extensions Payload

This is a new payload, I’ve not seen much information on how this can be leveraged yet but the concept looks interesting.


<dict>
	<key>ExtensionIdentifier</key>
	<string>com.test.bundle</string>
	<key>PayloadDescription</key>
	<string>Configures Single Sign-On Extensions</string>
	<key>PayloadDisplayName</key>
	<string>Single Sign-On Extensions</string>
	<key>PayloadIdentifier</key>
	<string>com.apple.extensiblesso.D4EEDD72-6057-4E51-8A35-E22116E0800D</string>
	<key>PayloadType</key>
	<string>com.apple.extensiblesso</string>
	<key>PayloadUUID</key>
	<string>D4EEDD72-6057-4E51-8A35-E22116E0800D</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
	<key>Type</key>
	<string>Credential</string>
</dict>

More information on this payload: https://developer.apple.com/documentation/devicemanagement/extensiblesinglesignonsso

Apple Configurator 2.10 beta release notes
https://download.developer.apple.com/Documentation/Apple_Configurator_2.10_beta_Notes/Apple_Configurator_2.10_beta_Release_Notes.pdf

Simple MDM also have a great blog post about new functionality in iOS 13

2 Likes

I’ve noticed a couple of new keys I’ve not seen before

OAuth Sing In URL & OAuth Token Request URL

image

			<key>OAuth</key>
			<true/>
			<key>OAuthSignInURL</key>
			<string>https://test.com</string>
			<key>OAuthTokenRequestURL</key>
			<string>https://test.com/url</string>
Key Type Description
OAuthSignInURL string The URL that this account should use for signing in via OAuth. When this URL is specified, auto-discovery is not used for this account so you must also specify a host. This field is ignored unless OAuth is true .
OAuthTokenRequestURL string The URL that this account should use for token requests via OAuth. This field is ignored unless OAuth is true .

Restrictions

New Restrictions

There are some new restriction keys, looks like allowWiFiPowerModification has been replaced with forceWiFiPowerOn

Key Type Description
allowFilesNetworkDriveAccess boolean If false , prevents connecting to network drives in the Files app. Available in iOS 13.0 and later.
allowFilesUSBDriveAccess boolean If false , prevents connecting to any connected USB devices in the Files app. Available in iOS 13.0 and later.
allowFindMyDevice boolean If false , disables Find My Device in the Find My app. Requires a supervised device. Available in iOS 13 and later.
allowFindMyFriends boolean If false , disables Find My Friends in the Find My app. Requires a supervised device. Available in iOS 13 and later.
forceWiFiPowerOn boolean If false , prevents Wi-Fi from being turned off in Settings or Control Center, even by entering or leaving Airplane Mode. It does not prevent selecting which Wi-Fi network to use. Available in iOS 13.0 and later.

Restrictions that require supervision as of iOS 13

Key Type Description
allowAddingGameCenterFriends boolean If false , prohibits adding friends to Game Center. As of iOS 13, requires a supervised device. Available in iOS 4.2.1 and later, and macOS 10.13 and later.
allowAppInstallation boolean If false , disables the App Store, and its icon is removed from the Home screen. Users are unable to install or update their apps. In iOS 10 and later, MDM commands can override this restriction. As of iOS 13, this restriction requires a supervised device. Available in iOS 4 and later.
allowCamera boolean If false , disables the camera, and its icon is removed from the Home screen. Users are unable to take photographs. As of iOS 13, requires a supervised device. Available in iOS 4 and later, and macOS 10.11 and later.
allowCloudBackup boolean If false , disables backing up the device to iCloud. As of iOS 13, requires a supervised device. Available in iOS 5 and later.
allowCloudDocumentSync boolean If false , disables document and key-value syncing to iCloud. As of iOS 13, this restriction requires a supervised device. Available in iOS 5 and later, and macOS 10.11 and later.
allowExplicitContent boolean If false , hides explicit music or video content purchased from the iTunes Store. Explicit content is marked as such by content providers, such as record labels, when sold through the iTunes Store. As of iOS 13, requires a supervised device. Available in iOS 4 and later, and tvOS 11.3 and later.
allowiTunes boolean If false , disables the iTunes Music Store, and its icon is removed from the Home screen. Users cannot preview, purchase, or download content. As of iOS 13, requires a supervised device. Available in iOS 4 and later.
allowRemoteScreenObservation boolean If false , disables remote screen observation by the Classroom app. Nest this key beneath allowScreenShot as a subrestriction. If allowScreenShot is set to false , the Classroom app doesn’t observe remote screens. Required a supervised device until iOS 13 and macOS 10.15. Available in iOS 12 and later, and macOS 10.14.4 and later.
allowSafari boolean If false , disables the Safari web browser app, and its icon is removed from the Home screen. This setting also prevents users from opening web clips. As of iOS 13, requires a supervised device. Available in iOS 4 and later.
allowVideoConferencing boolean If false , hides the FaceTime app. As of iOS 13, requires a supervised device. Available in iOS 4 and later.
safariAllowAutoFill boolean If false , disables Safari autofill. As of iOS 13, requires a supervised device. Available in iOS 4 and later, and macOS 10.13 and later.