User Enrollment MDM information
Payload settings for User Enrollment can be used on various operating systems, as well as by users who bring their own devices into their organization. In addition, on iPhone and iPad devices owned by users and enrolled in a mobile device management (MDM) solution, you can set certain restrictions. Finally, with User Enrollment you can also query the device through the MDM solution—for example, for a list of installed profiles and the status of Managed Apps on the device (except for user-installed apps from the App Store).
MDM payloads for User Enrollment
Payloads can be used on various operating systems, and with users who bring their own devices into their organization. Payload information for User Enrollment is detailed in the table below; before you review it, understand what each of its columns contains.
Supported payload name and identifiers: This column notes the name of the payload and its identifiers. If you’re using a third-party mobile device management (MDM) solution, the payload name may be different, but the identifiers should be the same.
Supported operating systems and channels: This column notes the supported operating system and specifies whether the payload can be used for a device configuration profile or a user configuration profile. Because Shared iPad and Mac can have more than one user, a payload can be applied to the device channel (all users) or the user channel (specific users).
Duplicates allowed: This column notes whether one specified payload (False) or more than one specified payload (True) can be delivered to a user or device. For example, you can add more than one Subscribed Calendars payload to a single configuration profile. This allows you to subscribe the user to, in this case, more than one calendar.
Note: For devices with iOS and iPadOS, if payloads have the same account description (or display name), they’re treated as exclusive payloads.
Note: Not all payloads and their respective settings are available in all MDM solutions. To learn which MDM payloads are available for your devices, consult your MDM vendor’s documentation.
Payload and identifiers | Supported operating systems and channels | Duplicates allowed
---|---|---
com.apple.ADCertificate.managed | macOS device, macOS user | True
com.apple.airplay | iOS, iPadOS, Shared iPad device, macOS device, macOS user | True
com.apple.airprint | iOS, iPadOS, Shared iPad device, macOS device, macOS user | True
com.apple.vpn.managed.applayer | iOS, iPadOS, Shared iPad device, macOS device, macOS user | False
com.apple.associated-domains | macOS device, macOS user | True
Automated Certificate Management Environment (ACME): com.apple.security.acme | iOS, iPadOS, Shared iPad device, macOS device, macOS user, tvOS | True
com.apple.caldav.account | iOS, iPadOS, Shared iPad user, macOS user | True
com.apple.cellularprivatenetwork.managed | iOS, iPadOS, Shared iPad device | False
com.apple.security.certificatepreference | macOS user | True
com.apple.security.certificaterevocation | iOS, iPadOS | True
com.apple.security.certificatetransparency | iOS, iPadOS, Shared iPad device, macOS device, tvOS, watchOS | True
com.apple.security.pem, com.apple.security.pkcs1, com.apple.security.pkcs12, com.apple.security.root | iOS, iPadOS, Shared iPad device, macOS device, macOS user, tvOS, watchOS | True
com.apple.carddav.account | iOS, iPadOS, Shared iPad user, macOS user | True
com.apple.DirectoryService.managed | macOS device | True
com.apple.globalethernet.managed, com.apple.firstactiveethernet.managed, com.apple.firstethernet.managed, com.apple.secondactiveethernet.managed, com.apple.secondethernet.managed, com.apple.thirdactiveethernet.managed, com.apple.thirdethernet.managed | macOS device, macOS user, tvOS | False
com.apple.eas.account | iOS, iPadOS, Shared iPad user | True
com.apple.ews.account | macOS user | True
com.apple.extensiblesso (requires an MDM solution to install) | iOS, iPadOS, Shared iPad user, macOS device, macOS user | True
Extensible Single Sign-On Kerberos: com.apple.extensiblesso (kerberos) (requires an MDM solution to install) | iOS, iPadOS, Shared iPad user, macOS device, macOS user | True
com.apple.font | iOS, iPadOS, Shared iPad device, macOS device, macOS user | True
com.apple.google-oauth | iOS, iPadOS, Shared iPad user | True
com.apple.configurationprofile.identification | macOS device, macOS user | False
com.apple.security.identitypreference | macOS user | True
com.apple.ldap.account | iOS, iPadOS, Shared iPad user, macOS user | True
com.apple.loginitems.managed | macOS user, macOS device | True
com.apple.mail.managed | iOS, iPadOS, Shared iPad user, macOS user | True
com.apple.mobiledevice.passwordpolicy | iOS, iPadOS | False
com.apple.applicationaccess | iOS, iPadOS, Shared iPad device, macOS device, macOS user | True
com.apple.security.scep | iOS, iPadOS, Shared iPad device, macOS device, macOS user, tvOS | True
com.apple.SetupAssistant.managed | iOS, iPadOS, Shared iPad device, macOS device, macOS user | False
com.apple.sso | iOS, iPadOS | False
com.apple.subscribedcalendar.account | iOS, iPadOS, Shared iPad user | True
com.apple.webClip.managed | iOS, iPadOS, Shared iPad user, macOS user | True
com.apple.MCX(WiFi), com.apple.builtinwireless.managed, com.apple.wifi.managed | iOS, iPadOS, Shared iPad device, macOS device, macOS user, tvOS, watchOS | True
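The "Duplicates allowed" column and the note about same-description payloads on iOS and iPadOS translate into a simple pre-flight check an administrator can run on a configuration profile before pushing it. The script below is an added example (not Apple's code or an MDM vendor's): it encodes a subset of the table above as a lookup, parses a `.mobileconfig` plist with the standard `plistlib` module, and flags payload types that are not in the User Enrollment table, a second instance of a payload that allows no duplicates, and two account payloads that share an `AccountDescription`. The sample profile, the `com.example.unsupported` payload type and the profile identifier are constructed for the example.

```python
import plistlib

# Subset of this page's User Enrollment payload table: identifier -> duplicates allowed.
USER_ENROLLMENT_PAYLOADS = {
    "com.apple.subscribedcalendar.account": True,
    "com.apple.caldav.account": True,
    "com.apple.mobiledevice.passwordpolicy": False,
    "com.apple.vpn.managed.applayer": False,
    "com.apple.sso": False,
}

def build_profile(payloads: list) -> bytes:
    """Wrap payload dicts in a minimal top-level profile plist (constructed sample data)."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.ue-profile",  # constructed, not a real profile
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadVersion": 1,
        "PayloadContent": payloads,
    })

def check_profile(profile_bytes: bytes) -> list:
    """Return the problems found in a profile, or an empty list if it passes."""
    profile = plistlib.loads(profile_bytes)
    problems, count, seen_desc = [], {}, set()
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "<missing PayloadType>")
        if ptype not in USER_ENROLLMENT_PAYLOADS:
            problems.append(f"{ptype}: not in the User Enrollment payload table")
            continue
        count[ptype] = count.get(ptype, 0) + 1
        if count[ptype] > 1 and not USER_ENROLLMENT_PAYLOADS[ptype]:
            problems.append(f"{ptype}: only one instance allowed per profile")
        # iOS and iPadOS treat payloads with the same account description as exclusive.
        desc = payload.get("AccountDescription")
        if desc is not None and (ptype, desc) in seen_desc:
            problems.append(f"{ptype}: duplicate account description {desc!r}")
        seen_desc.add((ptype, desc))
    return problems

# Constructed sample: two calendars pass; a second passcode policy and an unknown type fail.
SAMPLE = build_profile([
    {"PayloadType": "com.apple.subscribedcalendar.account", "AccountDescription": "Team"},
    {"PayloadType": "com.apple.subscribedcalendar.account", "AccountDescription": "Holidays"},
    {"PayloadType": "com.apple.mobiledevice.passwordpolicy"},
    {"PayloadType": "com.apple.mobiledevice.passwordpolicy"},
    {"PayloadType": "com.example.unsupported"},
])
```

Running `check_profile(SAMPLE)` reports the second passcode policy and the unsupported payload type while accepting the two Subscribed Calendars payloads; extend `USER_ENROLLMENT_PAYLOADS` with the rest of the table for production use.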
MDM restrictions for User Enrollment
You can set certain restrictions on devices owned by users enrolled in a mobile device management (MDM) solution. For a complete list of restrictions that are available no matter what kind of enrollment, see Review MDM restrictions for Apple devices.
Setting | Minimum supported operating system versions | Restriction functionality
---|---|---
Managed pasteboard | iOS 15, iPadOS 15, visionOS 2.0 | Helps control the pasting of content from an app that’s using Open In management by following the Managed Open In restrictions in force. Apple apps that work with the managed pasteboard include Calendar, Files, Mail, and Notes. Third-party apps are controlled based on whether they’re managed. When a user attempts to paste content where it isn’t permitted, a Paste Not Allowed notice appears along with the organization’s name (which can be changed using the Settings command). Apps also can’t request items from the pasteboard when this restriction is used and the content crosses the managed boundary. Default is off.
Force on-device-only translation | iOS 15, iPadOS 15 | Won’t let the device connect to Siri servers for the purposes of translation. Default is off.
Force on-device-only dictation | iOS 14.5, iPadOS 14.5, macOS 14, watchOS 10, visionOS 2.0 | Prevents dictated content from being sent to Siri servers for processing. Supported on the following devices: Default is off.
Allow personalized ads delivered by Apple | iOS 14, iPadOS 14, macOS 12.0.1, visionOS 2.0 | Users’ data won’t be used by the Apple advertising platform to deliver personalized ads.
Unmanaged apps to read managed contacts | iOS 12, iPadOS 13.1 | Unmanaged apps can read contacts from managed accounts, even if unmanaged apps are prevented from reading from managed destinations. Default is off.
Managed Apps to edit unmanaged contacts | iOS 12, iPadOS 13.1, visionOS 2.0 | Managed Apps can edit contacts in unmanaged accounts, even if Managed Apps are prevented from editing unmanaged destinations. Default is off.
AirPlay, View Screen by Classroom, and screen sharing | iPadOS 13.1, macOS 10.14.4 | Teachers using Classroom can’t use AirPlay with students’ screens, view students’ screens, or share students’ screens.
Enforce Face ID or Touch ID timeout | iOS 11 (Face ID), iOS 7 (Touch ID), iPadOS 13.1 (Face ID or Touch ID), macOS 12.0.1 (Touch ID) | The value, in seconds, after which the biometric unlock requires a passcode or password to authenticate. The default value is 48 hours (or 172,800 seconds).
Treat AirDrop as unmanaged destination | iOS 9, iPadOS 13.1 | Users see AirDrop as an option from a Managed App. For this restriction to work when it’s turned on, you must also disable “Allow documents from managed sources in unmanaged destinations.” Default is off.
Force Apple Watch wrist detection | iOS 8.2, iPadOS 13.1 | Apple Watch locks automatically when it’s removed from the user’s wrist. It can be unlocked with its passcode or the paired iPhone. Default is off.
Managed App’s stored data in iCloud | iOS 8, iPadOS 13.1 | Users can’t store data from Managed Apps in iCloud.
Backup proprietary in-house books | iOS 8, iPadOS 13.1 | Users can’t back up books distributed by their organization using the Finder (macOS 10.15 or later), using iTunes (macOS 10.14 or earlier), or stored in iCloud.
Notes and highlights sync for proprietary in-house books | iOS 8, iPadOS 13.1 | Users can’t sync notes or highlights to other devices using iCloud.
Require passcode on first AirPlay pairing | iOS 7.1, iPadOS 13.1 | A passcode is required when an iOS, iPadOS, or tvOS device is first paired for AirPlay. Default is off.
Documents from managed sources appear in unmanaged destinations | iOS 7, iPadOS 13.1 | Documents created or downloaded from managed sources can’t be opened in unmanaged destinations.
Documents from unmanaged sources appear in managed destinations | iOS 7, iPadOS 13.1 | Documents created or downloaded from unmanaged sources can’t be opened in managed destinations.
Notification Center in Lock Screen | iOS 7, iPadOS 13.1 | Users can’t view the Notification history when the screen is locked; however, they can still view a Notification when it appears.
Today view in Lock Screen | iOS 7, iPadOS 13.1 | Users can’t swipe down to see Notification Center using Today View in the Lock Screen.
Control Center in Lock Screen | iOS 7, iPadOS 13.1 | Users can’t swipe up to view Control Center.
Send diagnostic and usage data to Apple | iOS 6, iPadOS 13.1, macOS 10.13 | Users can’t choose to send diagnostic information to Apple.
Siri while device locked | iOS 5.1, iPadOS 13.1 | Siri responds only when the device is unlocked.
Siri | iOS 5, iPadOS 13.1, macOS 14, visionOS 2.0 | Siri can’t be used.
Force encrypted backups | iOS 5, iPadOS 13.1 | Users can’t choose whether device backups performed in the Finder (macOS 10.15 or later) or in iTunes (macOS 10.14 or earlier) are stored in encrypted format on the user’s Mac. If any profile is encrypted and this option is turned off, encryption of backups is required and enforced by the Finder or iTunes. Default is off.
Force fraud warning | iOS 5, iPadOS 13.1 | Safari attempts to prevent the user from visiting websites identified as being fraudulent or compromised. Default is off.
Screenshots and screen recordings | iOS 5, iPadOS 13.1, macOS 10.14.4 | Users can’t save a screenshot or recording of the screen.
MDM commands for User Enrollment
Mobile device management (MDM) solutions can send commands to manage Apple devices that are enrolled in MDM with User Enrollment.
Note: Not all commands are available in all MDM solutions. To learn which MDM commands are available for your devices, consult your MDM vendor’s documentation.
User Enrollment command | Supported operating system
---|---
Lock device | iOS, iPadOS
Push apps | iOS, iPadOS, macOS
Push books | iOS, iPadOS
Push proprietary in-house apps | macOS
Push settings | iOS, iPadOS, macOS
Remove apps | iOS, iPadOS
Remove books | iOS, iPadOS
Remove settings | iOS, iPadOS, macOS
Request AirPlay mirroring | iOS, iPadOS, macOS
Update device information | iOS, iPadOS, macOS
Validate apps | iOS, iPadOS
MDM queries for User Enrollment
User Enrollment queries return information about the device through the MDM solution—for example, a list of installed profiles and the status of Managed Apps on the device (except user-installed apps from the App Store). User Enrollment queries can return the following values.
Query | Supported operating system | Value returned
---|---|---
Get app attributes | iOS, iPadOS | Get app attributes from a Managed App on the device.
Get app configuration | iOS, iPadOS | Get app configuration from a Managed App on the device.
Get app feedback | iOS, iPadOS | Get app feedback from a Managed App on the device.
Get device information | iOS, iPadOS, macOS | Get details about the device.
Get security-related information | iOS, iPadOS, macOS | Get security-related information about the device.
List installed certificates | iOS, iPadOS, macOS | Get a list of installed certificates.
List the installed apps | iOS, iPadOS | Get a list of the installed third-party apps on the device (except user-installed apps from the App Store).
List the installed Managed Apps | iOS, iPadOS | Get the status of all the installed Managed Apps on the device.
List the installed profiles | iOS, iPadOS, macOS | Get a list of installed profiles on the device.
List the installed provisioning profiles | iOS, iPadOS | Get a list of installed provisioning profiles on the device.
List the managed media | iOS, iPadOS | Get a list of the managed media on the device.