Custom profiles for iOS 10.3, macOS 10.12.4, and tvOS 10.2

iOS 10.3, macOS 10.12.4, and tvOS 10.2 offer a variety of advanced MDM functionality that can be configured through Profiles in the AirWatch Admin Console.

The XML code for these custom profiles is listed below and can be implemented using the following procedure. 

Using Custom Profiles

The Custom Settings payload allows admins to enter their own XML into a profile and apply the profile to devices. Follow the steps below using the XML code found at the end of this document.

  1. Configure the General payload and deployment options as desired.
  2. If you would like to include any MDM functionality that is not available in the UI for your AirWatch version, add the associated XML below to the Custom Settings payload for your profile.

This XML should contain the complete block of code as listed below, from <dict> to </dict>. 

Administrators should set each setting to <true /> or <false /> as desired.

If certificates are required, then configure a Certificate payload within the profile and reference the PayloadUUID in the Custom Settings payload. See further information within the examples below.
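
The following pre-flight check for a Custom Settings fragment is an added example, not part of the original article or of AirWatch tooling. It confirms that the <dict> block parses as a plist, carries the standard payload keys, and has no quoted string values. It also assumes the XXXX-masked identifiers shown in this document are meant to be replaced with unique values; the names lint_fragment, quoted_strings and TEMPLATE are hypothetical.

```python
import plistlib

REQUIRED = ("PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion")
WRAPPER = '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n%s\n</plist>'

def quoted_strings(value, path=""):
    """Yield the paths of string values wrapped in literal double quotes."""
    if isinstance(value, dict):
        for key, item in value.items():
            yield from quoted_strings(item, f"{path}/{key}")
    elif isinstance(value, list):
        for index, item in enumerate(value):
            yield from quoted_strings(item, f"{path}[{index}]")
    elif isinstance(value, str) and len(value) > 1 and value[0] == value[-1] == '"':
        yield path

def lint_fragment(fragment):
    """Return a list of problems in one <dict>...</dict> Custom Settings fragment."""
    try:
        payload = plistlib.loads((WRAPPER % fragment.strip()).encode("utf-8"))
    except Exception as exc:  # expat/plistlib error: malformed XML or plist
        return [f"does not parse as a plist: {exc}"]
    if not isinstance(payload, dict):
        return ["top-level element is not a <dict>"]
    problems = [f"missing {key}" for key in REQUIRED if key not in payload]
    # Assumption: the XXXX-masked identifiers on the page must be replaced.
    for key in ("PayloadIdentifier", "PayloadUUID"):
        if "XXXX" in str(payload.get(key, "")):
            problems.append(f"{key} still contains the masked XXXX placeholder")
    problems += [f"literal quotes in {p}" for p in quoted_strings(payload)]
    return problems

# Constructed sample modelled on the article's allowDictation payload.
TEMPLATE = """<dict>
     <key>PayloadIdentifier</key>
     <string>com.apple.applicationaccess.{uuid}</string>
     <key>PayloadType</key>
     <string>com.apple.applicationaccess</string>
     <key>PayloadUUID</key>
     <string>{uuid}</string>
     <key>PayloadVersion</key>
     <integer>1</integer>
     <key>allowDictation</key>
     <false />
</dict>"""

if __name__ == "__main__":
    print(lint_fragment(TEMPLATE.format(uuid="1C2BDF9D-8C8C-4248-B9E1-4D17EAD8XXXX")))
```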

 

iOS 10.3 custom profiles

Allow Dictation (Supervised only)

This restricts dictation on iOS 10.3 devices so that students must use the keyboard and type, rather than dictate, their answers to questions during an assessment. Setting the value of "allowDictation" to "False" will disallow dictation.

<dict>
     <key>PayloadDescription</key>
     <string>Configures restrictions</string>
     <key>PayloadDisplayName</key>
     <string>Restrictions</string>
     <key>PayloadIdentifier</key>
     <string>com.apple.applicationaccess.701938A5-AD32-43B6-A045-2AC81C71XXXX</string>
     <key>PayloadType</key>
     <string>com.apple.applicationaccess</string>
     <key>PayloadUUID</key>
     <string>1C2BDF9D-8C8C-4248-B9E1-4D17EAD8XXXX</string>
     <key>PayloadVersion</key>
     <integer>1</integer>
     <key>allowDictation</key>
     <false />
</dict>

 

Force Wi-Fi Whitelisting (Supervised only)

This forces iOS 10.3 devices to connect only to managed Wi-Fi networks, so users cannot connect to unknown malicious networks. Setting the value of "forceWiFiWhitelisting" to "true" restricts the device to the networks available in the configuration profile.

Note: Only push this restriction after there is a Wi-Fi configuration profile already present on the targeted devices. 

<dict>
     <key>PayloadDescription</key>
     <string>Configures restrictions</string>
     <key>PayloadDisplayName</key>
     <string>Restrictions</string>
     <key>PayloadIdentifier</key>
     <string>com.apple.applicationaccess.701938A5-AD32-43B6-A045-2AC81C71XXXX</string>
     <key>PayloadType</key>
     <string>com.apple.applicationaccess</string>
     <key>PayloadUUID</key>
     <string>1C2BDF9D-8C8C-4248-B9E1-4D17EAD8XXXX</string>
     <key>PayloadVersion</key>
     <integer>1</integer>
     <key>forceWiFiWhitelisting</key>
     <true />
</dict>

 

macOS 10.12.4 custom profiles

Allow Auto Unlock

This disallows Auto Unlock on macOS Sierra devices.

<dict>
     <key>PayloadDescription</key>
     <string>Configures restrictions</string>
     <key>PayloadDisplayName</key>
     <string>Restrictions</string>
     <key>PayloadIdentifier</key>
     <string>com.apple.applicationaccess.701938A5-AD32-43B6-A045-2AC81C71XXXX</string>
     <key>PayloadType</key>
     <string>com.apple.applicationaccess</string>
     <key>PayloadUUID</key>
     <string>1C2BDF9D-8C8C-4248-B9E1-4D17EAD8XXXX</string>
     <key>PayloadVersion</key>
     <integer>1</integer>
     <key>allowAutoUnlock</key>
     <false />
</dict>

 

Allow Fingerprint for Unlock

This disallows Touch ID from unlocking a macOS 10.12.4+ device (with Touch Bar).

<dict>
     <key>PayloadDescription</key>
     <string>Configures restrictions</string>
     <key>PayloadDisplayName</key>
     <string>Restrictions</string>
     <key>PayloadIdentifier</key>
     <string>com.apple.applicationaccess.701938A5-AD32-43B6-A045-2AC81C71XXXX</string>
     <key>PayloadType</key>
     <string>com.apple.applicationaccess</string>
     <key>PayloadUUID</key>
     <string>1C2BDF9D-8C8C-4248-B9E1-4D17EAD8XXXX</string>
     <key>PayloadVersion</key>
     <integer>1</integer>
     <key>allowFingerprintForUnlock</key>
     <false />
</dict>

 

Allow iCloud Desktop and Documents

This disallows the iCloud Desktop and Documents services on macOS 10.12.4.

<dict>
     <key>PayloadDescription</key>
     <string>Configures restrictions</string>
     <key>PayloadDisplayName</key>
     <string>Restrictions</string>
     <key>PayloadIdentifier</key>
     <string>com.apple.applicationaccess.701938A5-AD32-43B6-A045-2AC81C71XXXX</string>
     <key>PayloadType</key>
     <string>com.apple.applicationaccess</string>
     <key>PayloadUUID</key>
     <string>1C2BDF9D-8C8C-4248-B9E1-4D17EAD8XXXX</string>
     <key>PayloadVersion</key>
     <integer>1</integer>
     <key>allowCloudDesktopAndDocuments</key>
     <false />
</dict>

 

SmartCard Settings

This payload controls restrictions and settings for SmartCard pairing on macOS 10.12.4+.

<dict>
     <key>PayloadDescription</key>
     <string>Controls restrictions and settings for SmartCard pairing</string>
     <key>PayloadDisplayName</key>
     <string>SmartCard Settings</string>
     <key>PayloadIdentifier</key>
     <string>com.apple.smartcard.701938A5-AD32-43B6-A045-2AC81C71XXXX</string>
     <key>PayloadType</key>
     <string>com.apple.smartcard</string>
     <key>PayloadUUID</key>
     <string>1C2BDD4C-8C8C-4248-B9E1-4D17EAD8XXXX</string>
     <key>PayloadVersion</key>
     <integer>1</integer>
     <key>UserPairing</key>
     <true />
     <key>allowSmartCard</key>
     <true />
     <key>checkCertificateTrust</key>
     <false />
     <key>oneCardPerUser</key>
     <false />
</dict>

 

System Migration

Only a single instance of this payload may be present, and it may exist only in a device profile. If the payload is present in a user profile, an error will be generated during installation and the profile will fail to install.

This payload is supported only on macOS 10.12 and later.

<dict>
     <key>PayloadDescription</key>
     <string>Customizes transfer of files from Windows to macOS</string>
     <key>PayloadDisplayName</key>
     <string>System Migration settings</string>
     <key>PayloadIdentifier</key>
     <string>com.apple.systemmigration.701938B6-AD32-43B6-A045-2AC81C71XXXX</string>
     <key>PayloadType</key>
     <string>com.apple.systemmigration</string>
     <key>PayloadUUID</key>
     <string>1C2BDD3D-8C8C-4248-B9E1-4D17EAD8XXXX</string>
     <key>PayloadVersion</key>
     <integer>1</integer>
     <key>CustomBehavior</key>
     <array>
          <dict>
               <key>Context</key>
               <string>&lt;UNKNOWN-EXPECTED-VALUES&gt;</string>
               <key>Paths</key>
               <array>
                    <dict>
                         <key>SourcePath</key>
                         <string>afp://10.84.132.114/</string>
                         <key>SourcePathInUserHome</key>
                         <false />
                         <key>TargetPath</key>
                         <string>/Applications/</string>
                         <key>TargetPathInUserHome</key>
                         <false />
                    </dict>
               </array>
          </dict>
     </array>
</dict>

 

tvOS 10.2 custom profiles

Conference Mode Display (Supervised Only)

This puts a managed Apple TV into conference mode, which makes the Apple TV an AirPlay-only device. A custom message with connection instructions can be set, if needed, in place of "Connect here!". The message can be left empty if a custom message is not required.

<dict>
     <key>Message</key>
     <string>Connect here!</string>
     <key>PayloadDescription</key>
     <string>Configures Conference Room Display mode</string>
     <key>PayloadDisplayName</key>
     <string>Conference Room Display</string>
     <key>PayloadIdentifier</key>
     <string>com.apple.conferenceroomdisplay.ED8318F5-DC95-45BD-98EB-A3EDD89DXXXX</string>
     <key>PayloadType</key>
     <string>com.apple.conferenceroomdisplay</string>
     <key>PayloadUUID</key>
     <string>57101853-5BAA-4639-846E-31DC69ADXXXX</string>
     <key>PayloadVersion</key>
     <integer>1</integer>
</dict>

 

Single App Mode (Supervised Only)

This locks down a managed Apple TV to the enterprise-managed application whose bundleID is given in the configuration profile.

Specify the bundleID of the application to be locked under "Identifier", and set the values under Options and UserEnabledOptions to further lock down other interactive settings.

<dict>
     <key>App</key>
     <dict>
          <key>Identifier</key>
          <string>com.test.test</string>
          <key>Options</key>
          <dict>
               <key>DisableTouch</key>
               <true />
               <key>DisableAutoLock</key>
               <true />
               <key>EnableVoiceOver</key>
               <false />
               <key>EnableZoom</key>
               <false />
               <key>EnableInvertColors</key>
               <false />
               <key>EnableAssistiveTouch</key>
               <false />
          </dict>
          <key>UserEnabledOptions</key>
          <dict>
               <key>VoiceOver</key>
               <true />
               <key>Zoom</key>
               <true />
               <key>InvertColors</key>
               <true />
          </dict>
     </dict>
     <key>PayloadDisplayName</key>
     <string>AppLock</string>
     <key>PayloadDescription</key>
     <string>SingleAppMode</string>
     <key>PayloadIdentifier</key>
     <string>e74e3913-0519-47a0-a662-fc0b46faXXXX.AppLock</string>
     <key>PayloadOrganization</key>
     <string></string>
     <key>PayloadType</key>
     <string>com.apple.app.lock</string>
     <key>PayloadUUID</key>
     <string>d9817c8b-23f7-4023-b125-de38ad64XXXX</string>
     <key>PayloadVersion</key>
     <integer>1</integer>
</dict>

 

Disallow Remote App Pairing (Supervised Only)

<dict>
     <key>PayloadDescription</key>
     <string>Configures restrictions</string>
     <key>PayloadDisplayName</key>
     <string>Restrictions</string>
     <key>PayloadIdentifier</key>
     <string>com.apple.applicationaccess.701938A5-AD32-43B6-A045-2AC81C71XXXX</string>
     <key>PayloadType</key>
     <string>com.apple.applicationaccess</string>
     <key>PayloadUUID</key>
     <string>1C2BDF9D-8C8C-4248-B9E1-4D17EAD8XXXX</string>
     <key>PayloadVersion</key>
     <integer>1</integer>
     <key>allowRemoteAppPairing</key>
     <false />
</dict>

 

Disallow Incoming AirPlay Requests (Supervised Only)

<dict>
     <key>PayloadDescription</key>
     <string>Configures restrictions</string>
     <key>PayloadDisplayName</key>
     <string>Restrictions</string>
     <key>PayloadIdentifier</key>
     <string>com.apple.applicationaccess.701938A5-AD32-43B6-A045-2AC81C71XXXX</string>
     <key>PayloadType</key>
     <string>com.apple.applicationaccess</string>
     <key>PayloadUUID</key>
     <string>1C2BDF9D-8C8C-4248-B9E1-4D17EAD8XXXX</string>
     <key>PayloadVersion</key>
     <integer>1</integer>
     <key>allowAirPlayIncomingRequests</key>
     <false />
</dict>

 

Disallow Keyboard Activity Continuation (Supervised Only)

<dict>
     <key>PayloadDescription</key>
     <string>Configures restrictions</string>
     <key>PayloadDisplayName</key>
     <string>Restrictions</string>
     <key>PayloadIdentifier</key>
     <string>com.apple.applicationaccess.701938A5-AD32-43B6-A045-2AC81C71XXXX</string>
     <key>PayloadType</key>
     <string>com.apple.applicationaccess</string>
     <key>PayloadUUID</key>
     <string>1C2BDF9D-8C8C-4248-B9E1-4D17EAD8XXXX</string>
     <key>PayloadVersion</key>
     <integer>1</integer>
     <key>allowKeyboardActivityContinuation</key>
     <false />
</dict>

 

Global HTTP Proxy (Supervised Only)

This behaves the same way it does on iOS. Configure the Global HTTP proxy for iOS with required settings, export the XML and use it for tvOS.
