iOS 9.3 new EMM policies


#1

Apple has recently released iOS 9.3 that has added a number of new MDM policies and addressed a number of security vulnerabilities.


Below is taken from the new version of Apple Configurator 2 (2.2 3C56), which added the new capabilities introduced in iOS 9.3; all of these are also configurable via MDM. If the MDM solution has not implemented the functionality yet, you may be able to create a custom XML file to push these settings to a device.

Modify Home Screen Layout

You can now modify the home screen layout on supervised iOS 9.3 devices.


Modify Google Account

OS X Server Account

Lock Screen Message

Notifications


Safari Password Autofill Domains
This is located under domains

Restrict App Usage

Allow Music Service & Allow Radio Service
This is available under restrictions


#2

AirWatch have also published 4 custom profiles to allow the functionality on current AW platforms.

Notification Settings
Blacklist/Whitelist Apps
Home Screen layout
Lock Screen text

Notifications settings
<dict>
        <key>NotificationSettings</key>
        <array>
          <dict>
            <key>BundleIdentifier</key>
            <string>com.apple.MobileAddressBook</string>
            <key>NotificationsEnabled</key>
            <true />
            <key>ShowInNotificationCenter</key>
            <true />
            <key>ShowInLockScreen</key>
            <true />
            <key>BadgesEnabled</key>
            <true />
            <key>SoundsEnabled</key>
            <false />
            <key>AlertType</key>
            <integer>1</integer>
          </dict>
        </array>
        <key>PayloadDisplayName</key>
        <string>Notifications</string>
        <key>PayloadDescription</key>
        <string>Notifications</string>
        <key>PayloadIdentifier</key>
        <string>48cb263f-d26a-4c44-9ed6-777ddf28f6f6.Notifications</string>
        <key>PayloadOrganization</key>
        <string></string>
        <key>PayloadType</key>
        <string>com.apple.notificationsettings</string>
        <key>PayloadUUID</key>
        <string>ae06e457-dfe8-4d2f-92a8-a11ecade30c4</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
</dict>
 
Configurable options
This feature is for Supervised devices only.  The following options are configurable in this profile:
•	BundleIdentifier - The identifier of each app being configured.
•	NotificationsEnabled - Are notifications allowed for this app?  Set to true by default.
•	ShowInNotificationCenter - Can notifications be shown in notification center?  Set to true by default.
•	ShowInLockScreen - Are notifications shown in the lock screen?  Set to true by default.
•	AlertType - 0:None, 1:Banner, 2:Modal Alert
•	BadgesEnabled - Are badges enabled?  Set to true by default.
•	SoundsEnabled - Are sounds enabled?  Set to true by default.
 
Blacklist/Whitelist apps
<dict>
        <key>blacklistedAppBundleIDs</key>
        <array>
          <string>com.apple.mobilecal</string>
          <string>com.apple.MobileAddressBook</string>
        </array>
        <key>whitelistedAppBundleIDs</key>
        <array>
          <string>com.apple.MobileSMS</string>
        </array>
        <key>PayloadDisplayName</key>
        <string>Restrictions</string>
        <key>PayloadDescription</key>
        <string>RestrictionSettings</string>
        <key>PayloadIdentifier</key>
        <string>4313979d-13b4-424c-b902-c1da7ff0fb83.Restrictions</string>
        <key>PayloadOrganization</key>
        <string></string>
        <key>PayloadType</key>
        <string>com.apple.applicationaccess</string>
        <key>PayloadUUID</key>
        <string>21a3fd1c-6364-491e-92ca-e655a0a59b3b</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
</dict>
 
Configurable options
This feature is for Supervised devices only.  The following options are configurable in this profile:
•	blacklistedAppBundleIDs - If present, all bundleIDs listed in the array will not be shown on the device.
•	whitelistedAppBundleIDs - If present, only bundleIDs listed in the array will be shown on the device.
 
Homescreen layout
<dict>
    <key>PayloadContent</key>
    <array>
      <dict>
        <key>Dock</key>
        <array>
          <dict>
            <key>Type</key>
            <string>Application</string>
            <key>BundleID</key>
            <string>com.apple.MobileAddressBook</string>
          </dict>
        </array>
        <key>Pages</key>
        <array>
          <array>
            <dict>
              <key>Type</key>
              <string>Application</string>
              <key>BundleID</key>
              <string>com.apple.mobilecal</string>
            </dict>
            <dict>
              <key>Type</key>
              <string>Folder</string>
              <key>DisplayName</key>
              <string>Photography</string>
              <key>Pages</key>
              <array>
                <array>
                  <dict>
                    <key>Type</key>
                    <string>Application</string>
                    <key>BundleID</key>
                    <string>com.apple.mobileslideshow</string>
                  </dict>
                  <dict>
                    <key>Type</key>
                    <string>Application</string>
                    <key>BundleID</key>
                    <string>com.apple.camera</string>
                  </dict>
                </array>
              </array>
            </dict>
          </array>
          <array>
            <dict>
              <key>Type</key>
              <string>Application</string>
              <key>BundleID</key>
              <string>com.apple.Preferences</string>
            </dict>
          </array>
        </array>
        <key>PayloadDisplayName</key>
        <string>Home Screen Layout</string>
        <key>PayloadDescription</key>
        <string>HomeScreenLayout</string>
        <key>PayloadIdentifier</key>
        <string>47b294b1-c14c-4446-9299-e5349ef0705e.Home Screen Layout</string>
        <key>PayloadOrganization</key>
        <string></string>
        <key>PayloadType</key>
        <string>com.apple.homescreenlayout</string>
        <key>PayloadUUID</key>
        <string>d0dbcad2-d2ee-4901-83ef-1a65c9af6324</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
      </dict>
    </array>
</dict>
 
Configurable options
This feature is for Supervised devices only.  The following options are configurable in this profile:
•	Dock/Pages - Configure whether you are setting apps that appear on the Dock or in the main home screen.
•	Type - Must be set to Application, Folder, or Webclip.
•	DisplayName - Name below the icon to be shown to the user.
•	BundleID - Required for Application type.  The BundleID of the app.
•	Pages - Required for Folder type.  Used to specify the icons within the folder.  This is an array of arrays of dictionaries.
•	URL - Required for Webclip type.  The web address that the webclip points to.
 
Lockscreen text
<dict>
    <key>IfLostReturnToMessage</key>
    <string>Return to AirWatch</string>
    <key>AssetTagInformation</key>
    <string>AW-123-456-789</string>
    <key>PayloadDescription</key>
    <string>Configures lockscreen with asset info</string>
    <key>PayloadDisplayName</key>
    <string>Shared</string>
    <key>PayloadIdentifier</key>
    <string>com.apple.shareddeviceconfiguration.9AD88C7B-7478-44D0-BEDD-4B1709002917</string>
    <key>PayloadType</key>
    <string>com.apple.shareddeviceconfiguration</string>
    <key>PayloadUUID</key>
    <string>9AD88C7B-7478-44D0-BEDD-4B1709002917</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
 
Configurable options
This feature is for Supervised devices only.  The following options are configurable in this profile:
•	IfLostReturnToMessage - The text displayed on the login window and lock screen.
•	AssetTagInformation - Asset tag information for the device displayed on the login window and lock screen.
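
The Type rules listed for the home screen layout profile above (BundleID for Application, Pages for Folder, URL for Webclip) can be checked before a custom profile is pushed. This is an added example, not part of the original post and not AirWatch or Apple code; the function names, the `SAMPLE` data and the "Intranet" web clip are constructed for illustration.

```python
import plistlib

# Constructed sample: the post's layout cut down, plus a Webclip with no URL.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Dock</key>
  <array>
    <dict><key>Type</key><string>Application</string>
          <key>BundleID</key><string>com.apple.MobileAddressBook</string></dict>
  </array>
  <key>Pages</key>
  <array><array>
    <dict><key>Type</key><string>Folder</string>
          <key>DisplayName</key><string>Photography</string>
          <key>Pages</key>
          <array><array>
            <dict><key>Type</key><string>Application</string>
                  <key>BundleID</key><string>com.apple.camera</string></dict>
            <dict><key>Type</key><string>Webclip</string>
                  <key>DisplayName</key><string>Intranet</string></dict>
          </array></array></dict>
  </array></array>
</dict></plist>"""

# Key that each Type must carry, per the option list in the post.
REQUIRED = {"Application": "BundleID", "Folder": "Pages", "Webclip": "URL"}

def check_items(items, path):
    """Return the problems found in one Dock array or one page of icons."""
    problems = []
    for i, item in enumerate(items):
        where = f"{path}[{i}]"
        need = REQUIRED.get(item.get("Type"))
        if need is None:
            problems.append(f"{where}: Type must be Application, Folder or Webclip")
        elif need not in item:
            problems.append(f"{where}: {item['Type']} is missing {need}")
        elif item["Type"] == "Folder":
            # Folder Pages is an array of arrays of dictionaries: check each page.
            for p, page in enumerate(item["Pages"]):
                problems += check_items(page, f"{where}.Pages[{p}]")
    return problems

def validate_layout(payload):
    """Check the Dock and every home screen page of a layout payload."""
    problems = check_items(payload.get("Dock", []), "Dock")
    for p, page in enumerate(payload.get("Pages", [])):
        problems += check_items(page, f"Pages[{p}]")
    return problems
```

Calling `validate_layout(plistlib.loads(SAMPLE))` reports the web clip inside the Photography folder as missing its URL; pass it the inner `com.apple.homescreenlayout` dictionary, not the outer `PayloadContent` wrapper.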

#3

Other profiles that are not published by AirWatch

Google Account

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>AccountDescription</key>
			<string>Google</string>
			<key>AccountName</key>
			<string>Google User</string>
			<key>EmailAddress</key>
			<string>user@gmail.com</string>
			<key>PayloadDescription</key>
			<string>Configures a Google account</string>
			<key>PayloadDisplayName</key>
			<string>Google Account</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.google-oauth.FD6A29C7-073D-44E8-8383-318F80667CF0</string>
			<key>PayloadType</key>
			<string>com.apple.google-oauth</string>
			<key>PayloadUUID</key>
			<string>9CF2843B-74C4-4227-B853-63E973116E19</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
	</array>
	<key>PayloadDisplayName</key>
	<string>Google Account</string>
	<key>PayloadIdentifier</key>
	<string>Google Account</string>
	<key>PayloadRemovalDisallowed</key>
	<false/>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>C955F088-582B-4D49-B033-3601A393F24E</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>

Safari Auto Fill

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>PayloadDescription</key>
			<string>Configures Managed Domains</string>
			<key>PayloadDisplayName</key>
			<string>Domains</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.domains.53EC4ACA-2CF3-45BD-A0F8-D8D3A584A7A7</string>
			<key>PayloadType</key>
			<string>com.apple.domains</string>
			<key>PayloadUUID</key>
			<string>D6BD22D3-2792-4B1A-9491-8931777CAF8A</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>SafariPasswordAutoFillDomains</key>
			<array>
				<string>test.website.com</string>
			</array>
		</dict>
	</array>
	<key>PayloadDisplayName</key>
	<string>Safari Auto Fill</string>
	<key>PayloadIdentifier</key>
	<string>Safari Auto Fill</string>
	<key>PayloadRemovalDisallowed</key>
	<false/>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>36F38A96-49B5-410E-B2E7-120D466E5F86</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>

OSX Server Account

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>AccountDescription</key>
			<string>My OS X Server Account</string>
			<key>ConfiguredAccounts</key>
			<array>
				<dict>
					<key>Port</key>
					<integer>8071</integer>
					<key>Type</key>
					<string>com.apple.osxserver.documents</string>
				</dict>
			</array>
			<key>HostName</key>
			<string>OSX.server.com</string>
			<key>Password</key>
			<string>password</string>
			<key>PayloadDescription</key>
			<string>Configures an OS X Server account</string>
			<key>PayloadDisplayName</key>
			<string>OS X Server Account</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.osxserver.account.6C362F63-1C1E-47F2-9628-86419BCEEC6A</string>
			<key>PayloadType</key>
			<string>com.apple.osxserver.account</string>
			<key>PayloadUUID</key>
			<string>69FB26DA-05E3-4C6A-971D-CEAFA9A72EC1</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>UserName</key>
			<string>user.name</string>
		</dict>
	</array>
	<key>PayloadDisplayName</key>
	<string>OSX Server Account</string>
	<key>PayloadIdentifier</key>
	<string>OSX Server Account</string>
	<key>PayloadRemovalDisallowed</key>
	<false/>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>3A3FAC8E-CA0D-4B86-B4F9-AFE8634E12BE</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>

Allow Music Service & Allow Radio Service
The below are part of the restrictions profile
Additional keys are:

Music

<key>allowMusicService</key>
<false/>

Radio

<key>allowRadioService</key>
<false/>

#4

I’ve discovered that if you deploy restrict app usage policies to a device that is older than iOS 9.3, the policies will deploy successfully but not apply.
Once you update the device to 9.3 (or greater), the policies will still not apply even if deployed, and you need to re-enrol (or factory restore if DEP) and start again.