iOS 14 - changes in configuration profiles

iOS 14 was announced at WWDC20.

New configuration profiles are available in iOS 14 at this stage.

Changes were made in the following profiles:

  • Restrictions
  • Notifications
  • Exchange
  • WiFi

New Payload

  • DNS Settings

Restrictions Payload

The keys below are supervised only; it will be possible to stop App Clips (https://developer.apple.com/app-clips/) from being installed on supervised devices.

Key Type Description
allowAppClips Boolean If false, prevents a user from adding any App Clips, and removes any existing App Clips on the device. Available in iOS 14.0 and later.

https://developer.apple.com/documentation/devicemanagement/restrictions

Notifications Payload

It will be possible to define which apps have notification previews visible when the device is locked or unlocked.

Note: this is supervised only

Key Type Description
PreviewType integer The type of previews for notifications. This key overrides the value at Settings > Notifications > Show Previews. 0 - Always: previews are shown when the device is locked and unlocked. 1 - When Unlocked: previews are shown only when the device is unlocked. 2 - Never: previews are never shown. Available in iOS 14 and later. Possible values: 0, 1, 2

https://developer.apple.com/documentation/devicemanagement/notifications/notificationsettingsitem

Exchange Payload

The Exchange profile will be able to use a per-app VPN.
Unsure what OverridePreviousPassword does at this stage.

Key Type Description
OverridePreviousPassword boolean If true, overrides the previous user/EAS password with the new EAS password in the payload. Available in iOS 14 and later.
VPNUUID string The VPN UUID of the per-app VPN to use for this account’s network communication. Available in iOS 14 and later.

https://developer.apple.com/documentation/devicemanagement/exchangeactivesync

WiFi payload

Apple have announced that with iOS 14, devices will start randomizing MAC addresses on known networks. It will be possible to disable randomization for networks configured by MDM.

Key Type Description
DisableAssociationMACRandomization boolean If true, disables MAC address randomization for that Wi-Fi network while associated with the network. This also shows a privacy warning in Settings indicating that the network has reduced privacy protections.

https://developer.apple.com/documentation/devicemanagement/wifi

DNS Settings Payload

Apple have added the ability for iOS devices to use encrypted DNS, either DNS over HTTPS (https://en.wikipedia.org/wiki/DNS_over_HTTPS) or DNS over TLS, and the ability to set this on devices via a configuration profile.

DNS Settings

Key Type Description
DNSProtocol string (Required) The encrypted transport protocol used to communicate with the DNS server. Possible values: HTTPS, TLS
ServerAddresses string An unordered list of DNS server IP address strings. These IP addresses can be a mixture of IPv4 and IPv6 addresses.
ServerName string The hostname of a DNS-over-TLS server used to validate the server certificate, as defined in RFC 7858. If no ServerAddresses are provided, the hostname will be used to determine the server addresses. This key must be present only if the DNSProtocol is TLS.
ServerURL string The URI template of a DNS-over-HTTPS server, as defined in RFC 8484. This URL must use the https:// scheme, and the hostname or address in the URL will be used to validate the server certificate. If no ServerAddresses are provided, the hostname or address in the URL will be used to determine the server addresses. This key must be present only if the DNSProtocol is HTTPS.
SupplementalMatchDomains string A list of domain strings used to determine which DNS queries will use the DNS server. If this array is not provided, all domains will use the DNS server. A single wildcard * prefix is supported, but is not required. For example, both *.example.com and example.com match against mydomain.example.com and your.domain.example.com, but do not match against mydomain-example.com.

https://developer.apple.com/documentation/devicemanagement/dnssettings/dnssettings

On Demand Rules

Key Type Description
Action string (Required) The action to take if this dictionary matches the current network. Possible values are: Connect: apply DNS Settings when the dictionary matches. Disconnect: do not apply DNS Settings when the dictionary matches. EvaluateConnection: apply DNS Settings with per-domain exceptions when the dictionary matches. Possible values: Connect, Disconnect, EvaluateConnection
ActionParameters array A dictionary that provides per-connection rules. This array is used only for settings where the Action value is EvaluateConnection.
DNSDomainMatch string An array of domain names. This rule matches if any of the domain names in the specified list matches any domain in the device’s search domains list. A single wildcard * prefix is supported, but is not required. For example, both *.example.com and example.com match against mydomain.example.com and your.domain.example.com, but do not match against mydomain-example.com.
DNSServerAddressMatch string An array of IP addresses. This rule matches if any of the network’s specified DNS servers match any entry in the array. Matching with a single wildcard is supported. For example, 17.* matches any DNS server in the 17.0.0.0/8 subnet.
InterfaceTypeMatch string An interface type. If specified, this rule matches only if the primary network interface hardware matches the specified type. Possible values: Ethernet, WiFi, Cellular
SSIDMatch string An array of SSIDs to match against the current network. If the network is not a Wi-Fi network or if the SSID does not appear in this array, the match fails. Omit this key and the corresponding array to match against any SSID.
URLStringProbe string A URL to probe. If this URL is successfully fetched (returning a 200 HTTP status code) without redirection, this rule matches.

ActionParameters Array

Key Type Description
DomainAction string (Required) The DNS settings behavior for the specified domains. Allowed values are: NeverConnect: do not use the DNS Settings for the specified domains. ConnectIfNeeded: allow using the DNS Settings for the specified domains. Possible values: NeverConnect, ConnectIfNeeded
Domains string (Required) The domains for which this evaluation applies.

https://developer.apple.com/documentation/devicemanagement/dnssettings/ondemandruleselement
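Added example (not from the original post or from Apple) that assembles a DNS Settings payload from the keys in the tables above: DoH for all queries, an on-demand rule that keeps internal zones on the network's own resolvers while on the corporate SSID, the cross-key checks the DNS Settings table states (ServerURL only with HTTPS and using the https:// scheme, ServerName only with TLS), and the wildcard-suffix domain matching rule. The PayloadType value is taken from Apple's DNSSettings documentation rather than from this page; the server URL, SSID, identifier and domain names are placeholders.

```python
import plistlib
import uuid

def domain_matches(pattern, name):
    """Wildcard-suffix rule of SupplementalMatchDomains / DNSDomainMatch: '*.example.com' and
    'example.com' both match mydomain.example.com and your.domain.example.com, not mydomain-example.com."""
    suffix = (pattern[2:] if pattern.startswith("*.") else pattern).lower().rstrip(".")
    name = name.lower().rstrip(".")
    return name == suffix or name.endswith("." + suffix)

def dns_settings_error(dns):
    """Return a message for the first violated DNSSettings constraint, or None if the dict is consistent."""
    proto = dns.get("DNSProtocol")
    if proto not in ("HTTPS", "TLS"):
        return "DNSProtocol must be HTTPS or TLS"
    if proto == "HTTPS":
        if not str(dns.get("ServerURL", "")).startswith("https://"):
            return "ServerURL is required for HTTPS and must use the https:// scheme"
        if "ServerName" in dns:
            return "ServerName is only allowed when DNSProtocol is TLS"
    else:
        if not dns.get("ServerName"):
            return "ServerName is required when DNSProtocol is TLS"
        if "ServerURL" in dns:
            return "ServerURL is only allowed when DNSProtocol is HTTPS"
    return None

def doh_payload(server_url, corp_ssid, internal_domains):
    """DoH everywhere, except that on the corporate SSID the listed internal zones
    are left to the local resolvers (EvaluateConnection + NeverConnect)."""
    dns = {"DNSProtocol": "HTTPS", "ServerURL": server_url}
    if dns_settings_error(dns):
        raise ValueError(dns_settings_error(dns))
    return {
        # PayloadType comes from Apple's DNSSettings documentation, not from this page
        "PayloadType": "com.apple.dnsSettings.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.dns.doh",   # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "DNSSettings": dns,
        "OnDemandRules": [
            {"Action": "EvaluateConnection", "InterfaceTypeMatch": "WiFi", "SSIDMatch": [corp_ssid],
             "ActionParameters": [{"DomainAction": "NeverConnect", "Domains": list(internal_domains)}]},
            {"Action": "Connect"},   # default rule: every other network uses the DoH server
        ],
    }

def to_plist_xml(payload):
    """Serialize to the XML plist form a configuration profile carries."""
    return plistlib.dumps(payload)
```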

Additional changes in iOS 14

iOS 14

Restrictions Payload

Key Type Description
allowApplePersonalizedAdvertising Boolean If false, limits Apple personalized advertising. Available in iOS 14 and later. Default: true.

https://developer.apple.com/documentation/devicemanagement/restrictions

Webclip Payload

Key Type Description
IgnoreManifestScope Boolean If true, a full screen web clip can navigate to an external web site without showing Safari UI. Otherwise, Safari UI appears when navigating away from the web clip’s URL. This key has no effect when FullScreen is false. Default: false
TargetApplicationBundleIdentifier string The application bundle identifier that specifies the application which opens the URL.


https://developer.apple.com/documentation/devicemanagement/webclip

Certificate Transparency Payload

The Certificate Transparency payload has been modified: DisabledForCerts now requires a sha256 hash.
https://developer.apple.com/documentation/devicemanagement/certificatetransparency/subjectpublickeyinfohashdict

iOS 14.2

Restrictions Payload

Key Type Description
allowNFC Boolean If false, disables NFC. Requires a supervised device. Available in iOS 14.2 and later…

https://developer.apple.com/documentation/devicemanagement/restrictions

Certificate Revocation Payload

This looks to be a completely new profile payload made available in iOS 14.2.

Key Type Description
Algorithm String (Required) The algorithm must be sha256. Value: sha256.
Hash data (Required) The hash of the DER-encoding of the certificate’s subjectPublicKeyInfo. The hash field requires the data (subjectPublicKeyInfo hash) in a specific format: a Base64 encoded (binary) SHA-256 hash of the certificate’s public key.

https://developer.apple.com/documentation/devicemanagement/certificaterevocation
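Added example (not from the original post or from Apple) showing how the Hash value for the Certificate Revocation payload, and the sha256 value DisabledForCerts now requires in the Certificate Transparency payload, is derived: locate the subjectPublicKeyInfo inside a DER certificate, SHA-256 it, and base64 the digest. Only the standard library is used; the DER walker assumes the standard X.509 layout (optional [0] version, then serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo), and the sample certificate is a constructed skeleton, not a real certificate.

```python
import base64
import hashlib

def _read_tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def subject_public_key_info(cert_der):
    """Return the complete DER TLV of the certificate's subjectPublicKeyInfo."""
    _, pos, _ = _read_tlv(cert_der, 0)               # Certificate SEQUENCE
    _, pos, _ = _read_tlv(cert_der, pos)             # tbsCertificate SEQUENCE
    tag, _, end = _read_tlv(cert_der, pos)
    if tag == 0xA0:                                  # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):   # serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(cert_der, pos)
    _, _, end = _read_tlv(cert_der, pos)             # subjectPublicKeyInfo SEQUENCE
    return cert_der[pos:end]

def spki_sha256(cert_der):
    """SHA-256 over the DER subjectPublicKeyInfo: the value both payloads want."""
    return hashlib.sha256(subject_public_key_info(cert_der)).digest()

def spki_sha256_b64(cert_der):
    """Base64 form, as it appears in the profile's <data> element."""
    return base64.b64encode(spki_sha256(cert_der)).decode()

def certificate_revocation_entry(cert_der):
    """One entry for the Certificate Revocation payload; plistlib writes bytes as base64 <data>."""
    return {"Algorithm": "sha256", "Hash": spki_sha256(cert_der)}

def _der(tag, payload):
    """Tiny DER encoder, used only to build the constructed sample below."""
    n = len(payload)
    length = bytes([n]) if n < 0x80 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + payload

# Constructed sample: a structurally valid certificate skeleton (empty names, dummy key, no real signature).
_RSA_ALG = _der(0x06, bytes.fromhex("2A864886F70D010101")) + _der(0x05, b"")
SAMPLE_SPKI = _der(0x30, _der(0x30, _RSA_ALG) + _der(0x03, b"\x00" + b"\x42" * 270))
_TBS_TAIL = _der(0x02, b"\x01") + _der(0x30, b"") * 4 + SAMPLE_SPKI
SAMPLE_CERT_V3 = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _TBS_TAIL) + _der(0x30, b"") + _der(0x03, b"\x00"))
SAMPLE_CERT_V1 = _der(0x30, _der(0x30, _TBS_TAIL) + _der(0x30, b"") + _der(0x03, b"\x00"))
```

For a real certificate, pass the bytes of a DER file (for PEM, base64-decode the text between the BEGIN/END markers first).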

VPN Payload

Key Type Description
EnforceRoutes integer If true, all the VPN’s non-default routes take precedence over any locally defined routes. If IncludeAllNetworks is true, the value of EnforceRoutes is ignored. Available in iOS 14.2 and later, and macOS 11 and later. Default: 0. Possible values: 0, 1

https://developer.apple.com/documentation/devicemanagement/vpn/vpn

iOS 14.5

It looks like new restrictions are coming with iOS 14.5

With iOS 14.5 it is possible to unlock an iOS device using an Apple Watch, more info here: https://9to5mac.com/2021/02/04/iphone-face-id-unlock-apple-watch-mask/
A new restriction, allowAutoUnlock, ships with 14.5 to stop this functionality on managed devices.

Restrictions Payload

Key Type Description
allowAutoUnlock boolean If false, disallows auto unlock. Available in macOS 10.12 and later, and iOS 14.5 and later.
allowGameCenterFriendsSharingModification
allowUnpairedExternalBootToRecovery boolean If true , allows devices to be booted into recovery by an unpaired device. Requires a supervised device. Available in iOS 14.5 and later. Default: false
forceOnDeviceOnlyDictation boolean If true , disables connections to Siri servers for the purposes of dictation. Available in iOS 14.5 and later. Default: false
forceWiFiToAllowedNetworksOnl boolean If true , limits device to only join Wi-Fi networks set-up via configuration profile. Requires a supervised device. Available in iOS 14.5 and later. Default: false

New Shared iPad Commands

Key Type Description
TemporarySessionOnly boolean If true, the user only sees the Guest Welcome pane and can only log in as a guest user. If false, the user can sign in with a managed Apple ID (the existing behavior). Available in iOS 14.5 and later. Default: false
TemporarySessionTimeout integer The timeout, in seconds, for the temporary session. The temporary session logs out automatically after the specified period of inactivity. The minimum value is 30 seconds. Setting this value to 0 removes the timeout. Available in iOS 14.5 and later.
UserSessionTimeout integer The timeout, in seconds, for the user session. The user session logs out automatically after the specified period of inactivity. The minimum value is 30 seconds. Setting this value to 0 removes the timeout. Available in iOS 14.5 and later.

Can I use this to secure the device via Checkm8 attacks?

Not sure what you’re asking.
I assume this setting allows devices to be DFU’d from machines that they are not allowed to be paired to.

But what would such a setting help with? I can create this mode on the iOS device itself. If I then plug this into an untrusted computer, I have gained nothing with the setting.

Strange. It seems allowGameCenterFriendsSharingModification has been removed? I can’t seem to find it in the docs or in Apple Configurator.

If you have access to AppleSeed (https://appleseed.apple.com), it is mentioned in the release notes.

If not, you can get access through an ABM account; AppleSeed for IT is being opened up for ABM and Apple School Manager accounts.


I assume it’s to avoid having to send devices back to Apple when you can DFU them locally to resolve the issue