Table of Contents
Apple Platform Security
- Welcome
- Intro to Apple platform security
-
- Hardware security overview
- Apple SoC security
- Secure Enclave
-
- Face ID and Touch ID security
- Magic Keyboard with Touch ID
- Face ID, Touch ID, passcodes, and passwords
- Facial matching security
- Uses for Face ID and Touch ID
- Secure intent and connections to the Secure Enclave
- Hardware microphone disconnect
- Express Cards with power reserve
-
- System security overview
-
- Boot process for iPhone and iPad devices
- Memory safe iBoot implementation
-
- Boot process
- Boot modes
- Paired recoveryOS restrictions
- Startup Disk security policy control
- LocalPolicy signing-key creation and management
- Contents of a LocalPolicy file for a Mac with Apple silicon
-
- Boot process
- Boot modes
- Startup Security Utility
- Firmware password protection
- recoveryOS and diagnostics environments
- Signed system volume security
- Secure software updates
- Operating system integrity
- Activating data connections securely
- Verifying accessories
- BlastDoor for Messages and IDS
- Lockdown Mode security
-
- Additional macOS system security capabilities
- System Integrity Protection
- Trust caches
- Peripheral processor security
- Rosetta 2 on a Mac with Apple silicon
- Direct memory access protections
- Securely extending the kernel
- Option ROM security
- UEFI firmware security in an Intel-based Mac
- System security for watchOS
- Random number generation
- Apple Security Research Device
-
- Encryption and Data Protection overview
- Passcodes and passwords
-
- Data Protection overview
- Data Protection
- Data Protection classes
- Keybags for Data Protection
- Protecting keys in alternate boot modes
- Protecting user data in the face of attack
- Sealed Key Protection (SKP)
- Role of Apple File System
- Keychain data protection
-
- Volume encryption with FileVault
- Managing FileVault
-
- Protecting app access to user data
- Protecting access to user’s health data
- Digital signing and encryption
-
- App security overview
-
- Intro to app security for iOS and iPadOS
- About App Store security
- App code signing process
- Security of runtime process
- Supporting extensions
- App protection and app groups
-
- Intro to app security for macOS
- App code signing process
- Gatekeeper and runtime protection
- Protecting against malware
- Controlling app access to files
- Secure features in the Notes app
- Secure features in the Shortcuts app
-
- Services security overview
-
- Apple ID security
- Managed Apple ID security
-
- iCloud security overview
- iCloud encryption
- Advanced Data Protection for iCloud
- Security of iCloud Backup
- iCloud Private Relay security
- Account recovery contact security
- Legacy Contact security
-
- Passcode security overview
- Sign in with Apple security
- Automatic strong passwords
- Password AutoFill security
- App access to saved passwords
- Password security recommendations
- Password Monitoring
- Sending passwords
- Credential provider extensions
-
- iCloud Keychain security overview
- Secure keychain syncing
- Secure iCloud Keychain recovery
- Escrow security for iCloud Keychain
-
- Apple Pay security overview
- Apple Pay component security
- How Apple Pay keeps users’ purchases protected
-
- Card provisioning security overview
- Adding credit or debit cards to Apple Pay
- Payment authorization with Apple Pay
- Paying with cards using Apple Pay
- Contactless passes in Apple Pay
- Rendering cards unusable with Apple Pay
- Apple Card security
- Apple Cash security
- Tap to Pay on iPhone
-
- Access using Apple Wallet
- Access key types
- Car key security
- Adding transit and eMoney cards to Apple Wallet
-
- IDs in Apple Wallet
- Security of IDs in Apple Wallet
-
- iMessage security overview
- How iMessage sends and receives messages
- Secure iMessage name and photo sharing
- Secure Apple Messages for Business
- FaceTime security
-
- Find My security
- Locating missing devices
-
- Continuity security overview
- Handoff security
- iPhone cellular call relay security
- iPhone Text Message Forwarding security
- Instant Hotspot security
-
- Network security overview
- TLS security
- IPv6 security
- VPN security
-
- Secure access to wireless networks
- Wi-Fi privacy
- Bluetooth security
- Ultra Wideband security in iOS
- Single sign-on security
- AirDrop security
- Wi-Fi password sharing security on iPhone and iPad
- Firewall security in macOS
-
- Developer kit security overview
-
- Communication security
- Data security
- Securing routers with HomeKit
- Camera security
- Security with Apple TV
- SiriKit security
- WidgetKit security
- DriverKit security
- ReplayKit security
- ARKit security
-
- Secure device management overview
- Pairing model security
-
- MDM security overview
- Configuration enforcement
- Automated Device Enrollment
- Activation Lock security
- Managed Lost Mode and remote wipe
- Shared iPad security
- Apple Configurator security
- Screen Time security
- Glossary
- Document revision history
- Copyright
Configurations are the primary way that an MDM solution delivers and manages policies and restrictions on managed devices. If organizations need to configure a large number of devices—or to provide lots of custom email settings, network settings, or certificates to a large number of devices—configurations are a safe and secure way to do it.
Configurations
A configuration is an XML profile or json formatted file following a certain structure and consists of payloads that load settings and authorization information onto Apple devices. Configurations automate the configuration of settings, accounts, restrictions, and credentials. These files can be created by an MDM solution or Apple Configurator for Mac, or they can be created manually. Before organizations send a configuration to an Apple device, they must enroll the device in the MDM solution using an enrollment profile.
Note: Apple Configurator for Mac can only be used to manage configuration profiles on iPhone, iPad, and Apple TV devices.
Enrollment profiles
An enrollment profile is a configuration with an MDM payload that enrolls the device in the MDM solution specified for that device. This allows the MDM solution to send commands and configurations to the device and to query certain aspects of the device. When a user removes an enrollment profile, all configurations, their settings, and depending on the enrollment type and used configuration also managed apps based on that enrollment profile are removed with it. There can be only one enrollment profile on a device at a time.
Example configurations
A configuration contains a number of settings in specific payloads that can be specified, including (but not limited to):
Passcode and password policies
Restrictions on device features (for example, disabling the camera)
Network and VPN settings
Microsoft Exchange settings
Mail settings
Account settings
LDAP directory service settings
CalDAV calendar service settings
Credentials and identities
Certificates
Software updates
Profile signing and encryption
Configuration profiles can be signed, to validate their origin, and encrypted, to help ensure their integrity and protect their contents. Configuration profiles for iOS and iPadOS are encrypted using the Cryptographic Message Syntax (CMS) specified in RFC 5652, supporting 3DES and AES128.
Profile installation
Configurations can be installed on devices using an MDM solution or manually by the users. Alternatively, Apple Configurator for Mac can be used to deploy configurations to iOS, iPadOS, and tvOS devices. Some configurations require the installation using an MDM solution. For information on how to remove profiles, see Intro to mobile device management in Apple Platform Deployment.
Note: On supervised devices, configuration profiles can also be locked to a device. This is designed to prevent their removal or to allow removal only with a passcode.
See alsoMDM payload list for IT administratorsMDM payload list for developers
Download this guide as a PDF
Thanks for your feedback.
