iOS 14 - changes in configuration profiles

iOS 14 was announced at WWDC20.

New configuration profile keys are already available in iOS 14 at this stage.

Changes were made in the following payloads:

  • Restrictions
  • Notifications
  • Exchange
  • WiFi

New Payload

  • DNS Settings

Restrictions Payload

The key below is supervised only; it will be possible to block the installation of App Clips (https://developer.apple.com/app-clips/) on supervised devices.

Key Type Description
allowAppClips Boolean If false, prevents a user from adding any App Clips, and removes any existing App Clips on the device. Available in iOS 14.0 and later.

https://developer.apple.com/documentation/devicemanagement/restrictions

Notifications Payload

It will be possible to define, per app, whether notification previews are visible when the device is locked or unlocked.

Note: this is supervised only

Key Type Description
PreviewType integer The type of previews for notifications. This key overrides the value at Settings > Notifications > Show Previews. Available in iOS 14 and later. Possible values: 0, 1, 2
  • 0 - Always: previews are shown when the device is locked and unlocked
  • 1 - When Unlocked: previews are shown only when the device is unlocked
  • 2 - Never: previews are never shown

https://developer.apple.com/documentation/devicemanagement/notifications/notificationsettingsitem

Exchange Payload

The Exchange payload will be able to route its traffic through a per-app VPN.
What OverridePreviousPassword does is unclear at this stage.

Key Type Description
OverridePreviousPassword boolean If true, overrides the previous user/EAS password with the new EAS password in the payload. Available in iOS 14 and later.
VPNUUID string The VPN UUID of the per-app VPN to use for this account’s network communication. Available in iOS 14 and later.

https://developer.apple.com/documentation/devicemanagement/exchangeactivesync

WiFi payload

Apple has announced that with iOS 14, devices will start randomizing their Wi-Fi MAC addresses, including when joining known networks. It will be possible to disable randomization for networks configured by MDM.

Key Type Description
DisableAssociationMACRandomization boolean If true, disables MAC address randomization for that Wi-Fi network while associated with the network. This also shows a privacy warning in Settings indicating that the network has reduced privacy protections.

https://developer.apple.com/documentation/devicemanagement/wifi

DNS Settings Payload

Apple has added the ability for iOS devices to use encrypted DNS, either DNS over HTTPS (https://en.wikipedia.org/wiki/DNS_over_HTTPS) or DNS over TLS, together with a payload to configure it on devices.

DNS Settings

Key Type Description
DNSProtocol string (Required) The encrypted transport protocol used to communicate with the DNS server. Possible values: HTTPS, TLS
ServerAddresses string An unordered list of DNS server IP address strings. These IP addresses can be a mixture of IPv4 and IPv6 addresses.
ServerName string The hostname of a DNS-over-TLS server used to validate the server certificate, as defined in RFC 7858. If no ServerAddresses are provided, the hostname will be used to determine the server addresses. This key must be present only if the DNSProtocol is TLS.
ServerURL string The URI template of a DNS-over-HTTPS server, as defined in RFC 8484. This URL must use the https:// scheme, and the hostname or address in the URL will be used to validate the server certificate. If no ServerAddresses are provided, the hostname or address in the URL will be used to determine the server addresses. This key must be present only if the DNSProtocol is HTTPS.
SupplementalMatchDomains string A list of domain strings used to determine which DNS queries will use the DNS server. If this array is not provided, all domains will use the DNS server. A single wildcard * prefix is supported, but is not required. For example, both *.example.com and example.com match against mydomain.example.com and your.domain.example.com, but do not match against mydomain-example.com.

https://developer.apple.com/documentation/devicemanagement/dnssettings/dnssettings
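As an added example (not code from the original post or from Apple), a small Python helper that builds a DNS Settings payload with plistlib and checks the constraints from the table above before emitting it: DNSProtocol must be HTTPS or TLS, ServerURL is allowed only with HTTPS and must use the https:// scheme, and ServerName is allowed only with TLS. The PayloadType string, the PayloadIdentifier and the sample resolver values are assumptions; the page does not list them.

```python
import plistlib
import uuid
from urllib.parse import urlsplit

def validate_dns_settings(settings):
    """Return a list of problems with a DNSSettings dict (empty list = consistent)."""
    problems = []
    proto = settings.get("DNSProtocol")
    if proto not in ("HTTPS", "TLS"):
        problems.append("DNSProtocol is required and must be HTTPS or TLS")
    if proto == "HTTPS":
        url = settings.get("ServerURL", "")
        if not url:
            problems.append("ServerURL is required when DNSProtocol is HTTPS")
        elif urlsplit(url).scheme != "https":
            problems.append("ServerURL must use the https:// scheme")
        if "ServerName" in settings:
            problems.append("ServerName is only allowed when DNSProtocol is TLS")
    elif proto == "TLS":
        if not settings.get("ServerName"):
            problems.append("ServerName is required when DNSProtocol is TLS")
        if "ServerURL" in settings:
            problems.append("ServerURL is only allowed when DNSProtocol is HTTPS")
    return problems

def build_dns_payload(settings, on_demand_rules=None):
    """Wrap a validated DNSSettings dict in a payload dict and return XML plist bytes."""
    problems = validate_dns_settings(settings)
    if problems:
        raise ValueError("; ".join(problems))
    payload = {
        # PayloadType is assumed from Apple's documentation; the page does not list it.
        "PayloadType": "com.apple.dnsSettings.managed",
        "PayloadIdentifier": "com.example.dns.doh",  # constructed sample value
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "DNSSettings": settings,
    }
    if on_demand_rules:
        payload["OnDemandRules"] = on_demand_rules
    return plistlib.dumps(payload)

# Constructed sample: a DoH resolver that only answers for the organisation's domain.
SAMPLE_DOH = {
    "DNSProtocol": "HTTPS",
    "ServerURL": "https://doh.example.com/dns-query",
    "ServerAddresses": ["192.0.2.53", "2001:db8::53"],
    "SupplementalMatchDomains": ["example.com"],
}
```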

On Demand Rules

Key Type Description
Action string (Required) The action to take if this dictionary matches the current network. Possible values: Connect, Disconnect, EvaluateConnection
  • Connect: apply the DNS Settings when the dictionary matches.
  • Disconnect: do not apply the DNS Settings when the dictionary matches.
  • EvaluateConnection: apply the DNS Settings with per-domain exceptions when the dictionary matches.
ActionParameters array An array of dictionaries that provide per-connection rules. This array is used only when the Action value is EvaluateConnection.
DNSDomainMatch string An array of domain names. This rule matches if any of the domain names in the specified list matches any domain in the device’s search domains list. A single wildcard * prefix is supported, but is not required. For example, both *.example.com and example.com match against mydomain.example.com and your.domain.example.com, but do not match against mydomain-example.com.
DNSServerAddressMatch string An array of IP addresses. This rule matches if any of the network’s specified DNS servers match any entry in the array. Matching with a single wildcard is supported. For example, 17.* matches any DNS server in the 17.0.0.0/8 subnet.
InterfaceTypeMatch string An interface type. If specified, this rule matches only if the primary network interface hardware matches the specified type. Possible values: Ethernet, WiFi, Cellular
SSIDMatch string An array of SSIDs to match against the current network. If the network is not a Wi-Fi network or if the SSID does not appear in this array, the match fails. Omit this key and the corresponding array to match against any SSID.
URLStringProbe string A URL to probe. If this URL is successfully fetched (returning a 200 HTTP status code) without redirection, this rule matches.

ActionParameters Array

Key Type Description
DomainAction string (Required) The DNS settings behavior for the specified domains. Possible values: NeverConnect, ConnectIfNeeded
  • NeverConnect: do not use the DNS Settings for the specified domains.
  • ConnectIfNeeded: allow using the DNS Settings for the specified domains.
Domains string (Required) The domains for which this evaluation applies.

https://developer.apple.com/documentation/devicemanagement/dnssettings/ondemandruleselement
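As an added example (not from the original post), the matching described in the On Demand Rules and ActionParameters tables above written out in Python, so the wildcard semantics can be tried against constructed network descriptions. First-match-wins rule ordering and exact-domain matching are assumptions the page does not state, and URLStringProbe is treated as failing because no fetch is performed.

```python
from fnmatch import fnmatchcase

def domain_matches(pattern, domain):
    """DNSDomainMatch / SupplementalMatchDomains semantics from the tables above:
    'example.com' and '*.example.com' both match mydomain.example.com but not
    mydomain-example.com. An exact match also counts (assumption)."""
    suffix = pattern.lower().lstrip("*").lstrip(".")
    domain = domain.lower().rstrip(".")
    return domain == suffix or domain.endswith("." + suffix)

def server_matches(pattern, address):
    """DNSServerAddressMatch entry with a single wildcard, e.g. '17.*'."""
    return fnmatchcase(address, pattern)

def rule_matches(rule, net):
    """One OnDemandRules dict against a constructed network description (keys:
    interface, ssid, search_domains, dns_servers). Every present match key must hold."""
    if rule.get("InterfaceTypeMatch", net["interface"]) != net["interface"]:
        return False
    if "SSIDMatch" in rule and (net["interface"] != "WiFi"
                                or net.get("ssid") not in rule["SSIDMatch"]):
        return False
    if "DNSDomainMatch" in rule and not any(domain_matches(p, d)
            for p in rule["DNSDomainMatch"] for d in net["search_domains"]):
        return False
    if "DNSServerAddressMatch" in rule and not any(server_matches(p, s)
            for p in rule["DNSServerAddressMatch"] for s in net["dns_servers"]):
        return False
    return "URLStringProbe" not in rule  # no live fetch here, so a probe never succeeds

def resolve_action(rules, net, query_domain):
    """First matching rule wins (assumption). Returns Connect, Disconnect, the
    DomainAction for query_domain under EvaluateConnection, or None if nothing applies."""
    for rule in rules:
        if not rule_matches(rule, net):
            continue
        if rule["Action"] != "EvaluateConnection":
            return rule["Action"]
        for params in rule.get("ActionParameters", []):
            if any(domain_matches(d, query_domain) for d in params["Domains"]):
                return params["DomainAction"]
        return None

# Constructed sample rules: skip the resolver on the guest SSID, enforce it on
# corporate Wi-Fi, and elsewhere use it for example.com except internal names.
SAMPLE_RULES = [
    {"Action": "Disconnect", "SSIDMatch": ["Guest"]},
    {"Action": "Connect", "InterfaceTypeMatch": "WiFi", "SSIDMatch": ["Corp"]},
    {"Action": "EvaluateConnection", "ActionParameters": [
        {"DomainAction": "NeverConnect", "Domains": ["internal.example.com"]},
        {"DomainAction": "ConnectIfNeeded", "Domains": ["example.com"]}]},
]
```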