Posted on 20th October 2016 by Richard Mallion

Management changes in iOS 10 and macOS Sierra

Every new OS release from Apple adds management features that are exposed through configuration profiles. This post lists the management changes in iOS 10 and macOS Sierra (10.12).

Below are the new payloads / keys available for each OS.

iOS 10

The additions in iOS 10 are smaller this time around, because most of the new management features were released earlier, with iOS 9.3. The post covering those changes can be found here: iOS 9.3.

IKEv2 VPN

The following keys have been added to this existing payload.

ServerAddresses:    An array of DNS server IP address strings. These IP addresses can be a mixture of IPv4 and IPv6 addresses.

SearchDomains:    An array of domain strings used to fully qualify single-label host names.

DomainName:    The primary domain of the tunnel

SupplementalMatchDomains:    An array of domain strings used to determine which DNS queries will use the DNS resolver settings contained in ServerAddresses. This key is used to create a split DNS configuration where only hosts in certain domains are resolved using the tunnel’s DNS resolver. Hosts not in one of the domains in this list are resolved using the system’s default resolver.

SupplementalMatchDomainsNoSearch:    Whether (0) or not (1) the domains in the SupplementalMatchDomains list should be appended to the resolver’s list of search domains; set it to 1 to keep them out of the search list. Default is 0.

Wi-Fi

The following keys have been added to this existing payload.

CaptiveBypass:    If set to true, Captive Network detection will be bypassed when the device connects to the network. Defaults to false.

QoSMarkingPolicy:    When this dictionary is not present for a Wi-Fi network, all apps are whitelisted to use Layer 2 and Layer 3 marking when the Wi-Fi network supports Cisco QoS fast lane. When present in the Wi-Fi payload, the QoSMarkingPolicy dictionary should contain the list of apps that are allowed to benefit from Layer 2 and Layer 3 marking.

Restrictions

The following key has been added to this existing payload.

allowBluetoothModification:     Supervised only. If set to false, prevents modification of Bluetooth settings. Defaults to true.

macOS 10.12

The following are the new additions in macOS 10.12.

Certificate Preference Payload

This is a new payload. A Certificate Preference payload lets you identify a Certificate Preference item in the user’s keychain that references a certificate payload included in the same profile. It can only appear in a user profile, not a device profile. You can include multiple Certificate Preference payloads as needed.

Name:   An email address (RFC822) or other name for which a preferred certificate is requested.

PayloadCertificateUUID:    The UUID of another payload within the same profile that installed the certificate; for example, a ‘com.apple.security.root’ payload.

Firewall Payload

This is a new payload. A Firewall payload manages the Application Firewall settings found in the Security & Privacy pane of System Preferences.

EnableFirewall:    Whether the firewall should be enabled or not.

BlockAllIncoming:    Corresponds to the “Block all incoming connections” option.

EnableStealthMode:    Corresponds to the “Enable stealth mode” option.

Applications:    The array of per-application rules; each entry is a dictionary with the app’s BundleID and an Allowed boolean saying whether that app may accept incoming connections.
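As an added example (not code from the original post): building the Firewall payload above as a .mobileconfig plist and linting it before deployment. The four key names are the ones listed in the post; the PayloadType string and the per-application dictionary keys (BundleID, Allowed) are taken from Apple's profile reference as I recall it and should be checked against the current reference. The bundle IDs and identifiers are constructed for illustration.

```python
# Added example, not from the original post. Builds a macOS 10.12 Firewall
# payload and lints it. PayloadType and the BundleID/Allowed keys are from
# Apple's profile reference as recalled; verify before use. Bundle IDs and
# identifiers below are constructed.
import plistlib
import uuid


def firewall_payload(enable=True, block_all_incoming=False, stealth=True, apps=()):
    """One Firewall payload. `apps` is an iterable of (bundle_id, allowed) pairs."""
    return {
        "PayloadType": "com.apple.security.firewall",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.firewall",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Application Firewall",
        "EnableFirewall": bool(enable),
        "BlockAllIncoming": bool(block_all_incoming),
        "EnableStealthMode": bool(stealth),
        # Per-app rule: may this bundle accept incoming connections?
        "Applications": [{"BundleID": b, "Allowed": bool(a)} for b, a in apps],
    }


def build_profile(payloads, identifier, name, scope="System"):
    """Top-level profile dictionary; the firewall is machine-wide, so scope is System."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadScope": scope,
        "PayloadContent": list(payloads),
    }


def lint_firewall(fw):
    """Contradictions a reviewer should catch: settings that do nothing while
    the firewall is off, and duplicate per-app rules."""
    problems = []
    if not fw["EnableFirewall"]:
        for key in ("BlockAllIncoming", "EnableStealthMode"):
            if fw[key]:
                problems.append(f"{key} is true but EnableFirewall is false")
        if fw["Applications"]:
            problems.append("Applications rules present but EnableFirewall is false")
    seen = set()
    for app in fw["Applications"]:
        if app["BundleID"] in seen:
            problems.append(f"duplicate BundleID {app['BundleID']}")
        seen.add(app["BundleID"])
    return problems


def to_mobileconfig(profile):
    """XML plist bytes, i.e. an unsigned .mobileconfig file."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def roundtrip_ok(profile):
    """True if the serialised profile parses back to the same dictionary (types intact)."""
    return plistlib.loads(to_mobileconfig(profile)) == profile


def example_profile():
    """Constructed sample: firewall and stealth on, one app allowed, one legacy daemon blocked."""
    fw = firewall_payload(
        apps=[("com.example.internal-chat", True), ("com.example.legacy-daemon", False)]
    )
    return build_profile([fw], "com.example.firewall-profile", "Firewall baseline")


if __name__ == "__main__":
    prof = example_profile()
    print(to_mobileconfig(prof).decode())
    print("lint:", lint_firewall(prof["PayloadContent"][0]))
```

The output is an unsigned profile; sign it with your MDM's or your own certificate before distribution so users can see who it came from.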

Identity Preference Payload

This is a new payload. An Identity Preference payload lets you identify an Identity Preference item in the user’s keychain that references an identity payload included in the same profile. It can only appear in a user profile, not a device profile.

Name:    An email address (RFC822), DNS hostname, or other name that uniquely identifies a service requiring this identity.

PayloadCertificateUUID:    The UUID of another payload within the same profile that installed the identity; for example, a ‘com.apple.security.pkcs12’ or ‘com.apple.security.scep’ payload.
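As an added example (not code from the original post), covering both the Certificate Preference and the Identity Preference payloads: a user-scope profile that carries a PKCS#12 identity plus an Identity Preference pointing at it, and a validator for the two rules the post states, namely that these payloads belong in a user profile only and that PayloadCertificateUUID must name a payload in the same profile. The PayloadType strings of the two preference payloads, the pkcs12 payload keys and the table of which payload types each preference may reference are taken from Apple's profile reference as I recall it (verify against the current reference); the PKCS#12 bytes and names are constructed placeholders.

```python
# Added example, not from the original post. PayloadType strings, pkcs12 keys
# and the REFERENCEABLE table are from Apple's profile reference as recalled;
# verify before use. The PKCS#12 blob and all names are constructed.
import uuid

CERT_PREF = "com.apple.security.certificatepreference"
IDENT_PREF = "com.apple.security.identitypreference"

# Which certificate-installing payload types each preference may point at.
REFERENCEABLE = {
    CERT_PREF: {"com.apple.security.root", "com.apple.security.pkcs1",
                "com.apple.security.pkcs12", "com.apple.security.scep"},
    IDENT_PREF: {"com.apple.security.pkcs12", "com.apple.security.scep"},
}


def base_payload(payload_type, ident, name):
    return {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": ident,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
    }


def pkcs12_payload(filename, blob, password):
    p = base_payload("com.apple.security.pkcs12", "com.example.cert.mail", "Mail identity")
    p.update({"PayloadCertificateFileName": filename,
              "PayloadContent": blob,          # becomes <data> in the plist
              "Password": password})
    return p


def preference_payload(kind, name, target_uuid):
    """kind is CERT_PREF or IDENT_PREF; Name is the RFC822 address or host the preference is for."""
    p = base_payload(kind, f"com.example.pref.{name}", f"Preference for {name}")
    p.update({"Name": name, "PayloadCertificateUUID": target_uuid})
    return p


def profile(payloads, scope="User"):
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mail-identity",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Mail identity",
        "PayloadScope": scope,
        "PayloadContent": list(payloads),
    }


def validate_preferences(prof):
    """Return the problems found; an empty list means the references are consistent."""
    problems = []
    by_uuid = {p["PayloadUUID"]: p for p in prof["PayloadContent"]}
    prefs = [p for p in prof["PayloadContent"] if p["PayloadType"] in REFERENCEABLE]
    if prefs and prof.get("PayloadScope") != "User":
        problems.append("preference payloads require PayloadScope=User")
    for p in prefs:
        if not p.get("Name"):
            problems.append(f"{p['PayloadType']}: empty Name")
        target = by_uuid.get(p.get("PayloadCertificateUUID"))
        if target is None:
            problems.append(f"{p['PayloadType']}: PayloadCertificateUUID not in this profile")
        elif target["PayloadType"] not in REFERENCEABLE[p["PayloadType"]]:
            problems.append(f"{p['PayloadType']}: points at {target['PayloadType']}")
    return problems


def example_profile():
    """Constructed sample: a PKCS#12 identity and an identity preference for an RFC822 address."""
    ident = pkcs12_payload("alice.p12", b"\x30\x82placeholder-not-a-real-p12", "changeit")
    pref = preference_payload(IDENT_PREF, "alice@example.com", ident["PayloadUUID"])
    return profile([ident, pref])


if __name__ == "__main__":
    print("problems:", validate_preferences(example_profile()))
```

Run the validator over every profile that carries these payloads; a dangling PayloadCertificateUUID installs a preference that points at nothing, which the device does not complain about.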

Restrictions Payload

These are the new keys added to this existing payload.

allowCloudBTMM:    When false, disallows the macOS Back to My Mac iCloud service.

allowCloudFMM:    When false, disallows the macOS Find My Mac iCloud service.

allowCloudBookmarks:    When false, disallows macOS iCloud Bookmark sync.

allowCloudMail:    When false, disallows macOS Mail iCloud services.

allowCloudCalendar:    When false, disallows macOS iCloud Calendar services.

allowCloudReminders:    When false, disallows iCloud Reminders services.

allowCloudAddressBook:    When false, disallows macOS iCloud Address Book services.

allowCloudNotes:    When false, disallows macOS iCloud Notes services.

allowCloudKeychainSync:    If false, disables iCloud Keychain synchronisation. Default is true.

allowMusicService:    If set to false, the Music service is disabled and the Music app reverts to classic mode. Defaults to true.

IKEv2 VPN

The following keys have been added to this existing payload.

ServerAddresses:    An array of DNS server IP address strings. These IP addresses can be a mixture of IPv4 and IPv6 addresses.

SearchDomains:    An array of domain strings used to fully qualify single-label host names.

DomainName:    The primary domain of the tunnel

SupplementalMatchDomains:    An array of domain strings used to determine which DNS queries will use the DNS resolver settings contained in ServerAddresses. This key is used to create a split DNS configuration where only hosts in certain domains are resolved using the tunnel’s DNS resolver. Hosts not in one of the domains in this list are resolved using the system’s default resolver.

SupplementalMatchDomainsNoSearch:    Whether (0) or not (1) the domains in the SupplementalMatchDomains list should be appended to the resolver’s list of search domains; set it to 1 to keep them out of the search list. Default is 0.
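As an added example (not code from the original post), covering this list and the identical IKEv2 VPN key list in the iOS 10 section: an IKEv2 VPN payload carrying the five DNS keys, plus a small model of the split-DNS decision they describe, so a profile can be sanity-checked before it is pushed. Two assumptions are mine rather than statements of the post: the keys live in a DNS dictionary inside the com.apple.vpn.managed payload, and an absent or empty SupplementalMatchDomains means every query uses the tunnel resolver. Addresses, names and the shared secret are constructed.

```python
# Added example, not from the original post. Assumptions: the DNS keys sit in
# a "DNS" dictionary of the com.apple.vpn.managed payload, and an empty
# SupplementalMatchDomains sends every query to the tunnel resolver. All
# addresses, names and the secret are constructed.
import ipaddress
import uuid

# Constructed sample configuration for a corporate tunnel with split DNS.
CORP_DNS = {
    "ServerAddresses": ["10.20.0.53", "fd00:20::53"],
    "SearchDomains": ["corp.example.com"],
    "DomainName": "corp.example.com",
    "SupplementalMatchDomains": ["corp.example.com", "internal.example.net"],
    "SupplementalMatchDomainsNoSearch": 0,
}


def ikev2_vpn_payload(remote, shared_secret, dns):
    """VPN payload of type IKEv2 with the DNS dictionary attached."""
    return {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.ikev2",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Corporate IKEv2",
        "UserDefinedName": "Corporate IKEv2",
        "VPNType": "IKEv2",
        "IKEv2": {
            "RemoteAddress": remote,
            "RemoteIdentifier": remote,
            "LocalIdentifier": "laptop@example.com",
            "AuthenticationMethod": "SharedSecret",
            "SharedSecret": shared_secret,
        },
        "DNS": dict(dns),
    }


def in_domain(fqdn, domain):
    """True when fqdn is `domain` or a subdomain of it. Matches on a label
    boundary, so 'evilcorp.example.com' is NOT inside 'corp.example.com'."""
    f, d = fqdn.rstrip(".").lower(), domain.rstrip(".").lower()
    return f == d or f.endswith("." + d)


def resolver_for(name, dns):
    """Which resolver answers a query for `name`: ("tunnel"|"system", fqdn actually queried)."""
    match = list(dns.get("SupplementalMatchDomains") or [])
    if not match:
        return "tunnel", name              # no split DNS: tunnel resolver takes everything
    search = list(dns.get("SearchDomains") or [])
    if not dns.get("SupplementalMatchDomainsNoSearch", 0):
        search += match                    # match domains double as search domains
    candidates = [name]
    if "." not in name.rstrip("."):        # single-label name: qualify via the search list
        candidates = [f"{name}.{s}" for s in search] + [name]
    for fqdn in candidates:
        if any(in_domain(fqdn, d) for d in match):
            return "tunnel", fqdn
    return "system", name


def lint_dns(dns):
    """Values that would make the DNS dictionary silently misbehave."""
    problems = []
    for addr in dns.get("ServerAddresses") or []:
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            problems.append(f"ServerAddresses: {addr!r} is not an IP address")
    if dns.get("SupplementalMatchDomainsNoSearch", 0) not in (0, 1):
        problems.append("SupplementalMatchDomainsNoSearch must be 0 or 1")
    for d in dns.get("SupplementalMatchDomains") or []:
        if not d or "/" in d or "*" in d:
            problems.append(f"SupplementalMatchDomains: {d!r} is not a bare domain name")
    return problems


if __name__ == "__main__":
    vpn = ikev2_vpn_payload("vpn.example.com", "constructed-psk", CORP_DNS)
    print("lint:", lint_dns(vpn["DNS"]))
    for host in ("wiki", "git.internal.example.net", "www.example.com", "evilcorp.example.com"):
        print(host, "->", resolver_for(host, vpn["DNS"]))
```

The label-boundary check in in_domain is the part worth copying: a plain suffix match would route evilcorp.example.com through the corporate resolver, and a sloppy match list is also how internal host names leak to the public resolver.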