diff --git a/Manifests/ManifestsApple/com.apple.extensiblesso.plist b/Manifests/ManifestsApple/com.apple.extensiblesso.plist index 6029b5e5..2616de00 100644 --- a/Manifests/ManifestsApple/com.apple.extensiblesso.plist +++ b/Manifests/ManifestsApple/com.apple.extensiblesso.plist @@ -3,9 +3,7 @@ pfm_description - Single Sign-On Extension settings. User-level payload support for macOS 11.x and later. - pfm_description_reference - The payload for configuring an app extension that performs single sign-on. + Configures an app extension to handle SSO. pfm_documentation_url https://developer.apple.com/documentation/devicemanagement/extensiblesinglesignon pfm_domain @@ -17,7 +15,7 @@ pfm_ios_min 13.0 pfm_last_modified - 2024-02-16T13:07:59Z + 2024-03-01T15:25:39Z pfm_macos_min 10.15 pfm_platforms @@ -31,9 +29,7 @@ pfm_default Configures an app extension that performs single sign-on pfm_description - Description of the payload. - pfm_description_reference - Optional. A human-readable description of this payload. This description is shown on the Detail screen. + The human-readable description of this payload. This description appears on the Detail screen. pfm_name PayloadDescription pfm_title @@ -45,9 +41,7 @@ pfm_default Single Sign-On Extensions pfm_description - Name of the payload. - pfm_description_reference - A human-readable name for the profile payload. This name is displayed on the Detail screen. It does not have to be unique. + The human-readable name for the profile payload. The name appears on the Detail screen and doesn't need to be unique. pfm_name PayloadDisplayName pfm_require 
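Review bot: The new payload-level pfm_description drops the sentence "User-level payload support for macOS 11.x and later", so the first text an operator reads no longer says which channel the payload may be scoped to. If the pfmx_user_channel metadata added at the end of the file now carries that restriction, the description is still where it is most likely to be noticed when choosing device versus user scope. Consider keeping it: `Configures an app extension to handle SSO. User-level payload support requires macOS 11 or later.`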
@@ -61,9 +55,7 @@ pfm_default com.apple.extensiblesso pfm_description - A unique identifier for the payload, dot-delimited. Usually root PayloadIdentifier+subidentifier. - pfm_description_reference - A reverse-DNS-style identifier for the specific payload. It is usually the same identifier as the root-level PayloadIdentifier value with an additional component appended. + The reverse-DNS-style identifier for the payload. This identifier is usually the same as the TopLevel value, with an additional appended component. This string must be unique within the profile. During a profile replacement, the system updates payloads with the same 'PayloadIdentifier' and 'PayloadUUID' in the old and new profiles. pfm_name PayloadIdentifier pfm_require @@ -77,9 +69,7 @@ pfm_default com.apple.extensiblesso pfm_description - The type of the payload, a reverse dns string. - pfm_description_reference - The payload type. + The payload type, which each payload domain's reference page specifies. pfm_name PayloadType pfm_require @@ -93,9 +83,7 @@ pfm_default pfm_description - Unique identifier for the payload (format 01234567-89AB-CDEF-0123-456789ABCDEF). - pfm_description_reference - A globally unique identifier for the payload. The actual content is unimportant, but it must be globally unique. In macOS, you can use uuidgen to generate reasonable UUIDs. + The globally unique identifier for the payload. The actual content is unimportant, but must be globally unique. In macOS, use 'uuidgen' to generate UUIDs. During a profile replacement, the system updates payloads with the same 'PayloadIdentifier' and 'PayloadUUID' in the old and new profiles. pfm_format ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$ pfm_name 
@@ -111,10 +99,7 @@ pfm_default 1 pfm_description - The version of the whole configuration profile. - pfm_description_reference - The version number of the individual payload. -A profile can consist of payloads with different version numbers. For example, changes to the VPN software in iOS might introduce a new payload version to support additional features, but Mail payload versions would not necessarily change in the same release. + The version of this specific payload. pfm_name PayloadVersion pfm_require @@ -126,10 +111,7 @@ A profile can consist of payloads with different version numbers. For example, c pfm_description - This value describes the issuing organization of the profile, as displayed to the user. - pfm_description_reference - Optional. A human-readable string containing the name of the organization that provided the profile. -The payload organization for a payload need not match the payload organization in the enclosing profile. + The human-readable string containing the name of the organization that provides the profile. This value doesn't need to match the organization payload value in the enclosing dictionary. pfm_name PayloadOrganization pfm_title @@ -139,7 +121,7 @@ The payload organization for a payload need not match the payload organization i pfm_description - The bundle identifier of the app extension that performs single sign-on (SSO) for the specified URLs. Enter com.apple.AppSSOKerberos.KerberosExtension to use Apple's Kerberos SSO extension. + The bundle identifier of the app extension that performs SSO for the specified URLs. pfm_ios_min 13.0 pfm_macos_min @@ -200,7 +182,8 @@ The payload organization for a payload need not match the payload organization i pfm_description - The team identifier of the app extension. This key is required on macOS and ignored elsewhere. + The team identifier of the app extension. +This key is required on macOS and ignored elsewhere. pfm_ios_min 13.0 pfm_macos_min 
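Review bot: The rewritten ExtensionIdentifier description drops the bundle identifier of Apple's built-in Kerberos extension, `com.apple.AppSSOKerberos.KerberosExtension`, while the manifest keeps all of the Kerberos-specific ExtensionData subkeys further down. An admin configuring those subkeys now has to find the identifier elsewhere, and this is the value that pins the payload to Apple's extension rather than a third-party one. Suggest appending: `Use 'com.apple.AppSSOKerberos.KerberosExtension' for Apple's built-in Kerberos SSO extension.`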
@@ -213,6 +196,14 @@ The payload organization for a payload need not match the payload organization i Team Identifier pfm_type string + pfmx_supported_oses + + iOS + + pfmx_introduced + n/a + + pfm_conditionals @@ -232,7 +223,10 @@ The payload organization for a payload need not match the payload organization i pfm_description - An array of host names or domain names that can be authenticated through the app extension. Required for Credential payloads. Ignored for Redirect payloads. + An array of host names or domain names that apps can authenticate through the app extension. +Required for 'Credential' payloads. Ignored for 'Redirect' payloads. +Host or domain names are matched case-insensitively, and all the host/domain names of all installed Extensible SSO payloads must be unique. +Hosts that begin with a “.” are wildcard suffixes and match all subdomains; otherwise the host must be an exact match. pfm_ios_min 13.0 pfm_macos_min @@ -277,7 +271,8 @@ Hosts that begin with a "." are wildcard suffixes and will match all subdomains, pfm_description - The realm name for Credential payloads. This value should be properly capitalized. This key is ignored for Redirect payloads. + The realm name for 'Credential' payloads. Use proper capitalization for this value. +This key is ignored for 'Redirect' payloads. pfm_ios_min 13.0 pfm_macos_min 
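Review bot: The pfmx_supported_oses block added for TeamIdentifier lists only iOS with pfmx_introduced "n/a", yet the description on the same key says it is required on macOS and ignored elsewhere; no macOS entry is added. If an absent macOS entry means the key inherits the payload's macOS 10.15 minimum that is harmless, but as written the metadata reads as though the key were an iOS key that was never introduced. Consider adding a macOS entry (`pfmx_introduced` 10.15, or whatever the reference gives) so the per-OS metadata agrees with the "required on macOS" text.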
@@ -307,7 +302,9 @@ Hosts that begin with a "." are wildcard suffixes and will match all subdomains, pfm_description - The realm name for Credential payloads. This value should be properly capitalized. This key is ignored for Redirect payloads. + An array of URL prefixes of identity providers where the app extension performs SSO. +Required for 'Redirect' payloads. Ignored for 'Credential' payloads. +The URLs must begin with 'http://' or 'https://', the scheme and host name are matched case-insensitively, query parameters and URL fragments are not allowed, and the URLs of all installed Extensible SSO payloads must be unique. pfm_ios_min 13.0 pfm_macos_min @@ -339,6 +336,9 @@ Hosts that begin with a "." are wildcard suffixes and will match all subdomains, array + pfm_description + An array of bundle identifiers of apps that don't use SSO provided by this extension. +Available in iOS 15 and later and macOS 12 and later. pfm_ios_min 15.0 pfm_macos_min @@ -362,10 +362,26 @@ Hosts that begin with a "." are wildcard suffixes and will match all subdomains, Denied Bundle Identifiers pfm_type array + pfmx_supported_oses + + iOS + + pfmx_introduced + 15.0 + + macOS + + pfmx_introduced + 12.0 + + pfm_default Cancel + pfm_description + If set to 'Cancel', the system cancels authentication requests when the screen is locked. If set to 'DoNotHandle', the request continues without SSO instead. This does not apply to requests where 'userInterfaceEnabled' is set to 'false' or background NSURLSession requests. +Available in iOS 15 and later and macOS 12 and later. pfm_ios_min 15.0 pfm_macos_min @@ -386,6 +402,19 @@ Hosts that begin with a "." are wildcard suffixes and will match all subdomains, Screen Locked Behavior pfm_type string + pfmx_supported_oses + + iOS + + pfmx_introduced + 15.0 + + macOS + + pfmx_introduced + 12.0 + + pfm_conditionals 
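Review bot: The new URLs description states that identity-provider prefixes may begin with 'http://' without any caveat that a plain-HTTP prefix hands the SSO redirect to an unencrypted endpoint. Apple's format may accept it, but a practitioner-facing manifest should steer operators toward TLS here, since this list decides which requests the extension intercepts. Suggest adding: `Prefer 'https://' prefixes; an 'http://' prefix routes the SSO flow to an unencrypted endpoint.`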
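Review bot: The new ScreenLockedBehavior description explains 'DoNotHandle' but not its consequence: per the text the request continues without SSO, so with that value the screen lock no longer gates the extension for that request. A one-line caveat would make the trade-off explicit: `'Cancel' (the default) is the safer choice; 'DoNotHandle' lets requests made while the screen is locked proceed without the extension.` The sentence about userInterfaceEnabled=false and background NSURLSession requests is worth keeping as is.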
@@ -405,7 +434,7 @@ Hosts that begin with a "." are wildcard suffixes and will match all subdomains, pfm_description - Used by the Apple built-in Kerberos extension. + A dictionary of arbitrary data passed through to the app extension. pfm_exclude @@ -436,7 +465,7 @@ Hosts that begin with a "." are wildcard suffixes and will match all subdomains, pfm_default pfm_description - If false, passwords are not allowed to be saved to the keychain. + If 'false', passwords are not allowed to be saved to the keychain. pfm_exclude @@ -468,7 +497,7 @@ Hosts that begin with a "." are wildcard suffixes and will match all subdomains, pfm_default pfm_description - If false, disables password changes. Available in macOS 10.15 and later. + If 'false', disables password changes. Available in macOS 10.15 and later. pfm_exclude @@ -498,7 +527,8 @@ Hosts that begin with a "." are wildcard suffixes and will match all subdomains, pfm_default pfm_description - If true, the configured SSO extension must use a ticket-granting ticket (TGT) from Platform SSO. + If 'true', requires this configuration uses a TGT from Platform SSO instead of requesting a new one. +Available in macOS 13 and later. pfm_exclude @@ -532,7 +562,8 @@ Hosts that begin with a "." are wildcard suffixes and will match all subdomains, pfm_default pfm_description - If true, allows manual sign-ins as fallback. + If 'true' and 'usePlatformSSOTGT' is 'true', allows the user to manually sign in. +Available in macOS 13 and later. pfm_exclude 
@@ -579,7 +610,8 @@ Hosts that begin with a "." are wildcard suffixes and will match all subdomains, pfm_default pfm_description - If true, the configured extension only handles Kerberos requests and does not check for or show the expiration of the password, does not check external password changes, does not sync passwords, and does not retrieve the user's home directory. + If 'true', the Kerberos Extension handles Kerberos requests only. It doesn't check for password expiration, show the password expiration in the menu, check for external password changes, perform password sync, or retrieve the home directory. +Available in macOS 13 and later. pfm_exclude @@ -724,7 +756,11 @@ Hosts that begin with a "." are wildcard suffixes and will match all subdomains, pfm_default always pfm_description - This setting affects how the Kerberos Extension credential is used by other processes. Available in macOS 11 and later. + This setting affects how the Kerberos Extension credential is used by other processes. Use of the following: +* 'always -' The extension credential will always be used if the SPN matches the Kerberos Extension 'Hosts' array. The credential will not be used if the calling app is not in the 'credentialBundleIDACL'. +* 'whenNotSpecified -' The credential will only be used when another credential has not been specified by the caller and the SPN matches the Kerberos Extensions 'Hosts' array. The credential will not be used if the calling app is not in the 'credentialBundleIDACL'. +* 'kerberosDefault - 'The default Kerberos processes for selecting credentials is used which normally uses the default Kerberos credential. This is the same as turning off this capability. +Available in macOS 11 and later. pfm_exclude 
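Review bot: The bullet list added to the credentialUseMode description has its quote marks misplaced — `'always -'`, `'whenNotSpecified -'` and `'kerberosDefault - '` wrap the dash rather than the value name, so the quoted tokens no longer match the key's range-list values. "Use of the following:" is also a fragment. Suggest `* 'always': The extension credential is always used if the SPN matches the Kerberos Extension 'Hosts' array. ...`, `* 'whenNotSpecified': ...` and `* 'kerberosDefault': ...`, keeping the existing sentences after each colon.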
@@ -770,7 +806,7 @@ kerberosDefault - The default Kerberos processes for selecting credentials is us pfm_description - The custom user name label used in the Kerberos extension instead of "Username". For example, "Company ID". Available on macOS 11 and later. + The custom user name label used in the Kerberos extension instead of “Username”. For example, “Company ID”. Available in macOS 11 and later. pfm_exclude @@ -800,7 +836,7 @@ kerberosDefault - The default Kerberos processes for selecting credentials is us pfm_default pfm_description - If true, doesn't prompt the user to setup the Kerberos extension until either the administrator enables it with the app-sso tool or a Kerberos challenge is received. Available in macOS 11 and later. + If 'true', doesn't prompt the user to setup the Kerberos extension until either the administrator enables it with the 'app-sso' tool or a Kerberos challenge is received. Available in macOS 11 and later. pfm_exclude @@ -892,7 +928,7 @@ kerberosDefault - The default Kerberos processes for selecting credentials is us pfm_default pfm_description - If true, the Kerberos extension will allow only managed apps to access and use the credential. This is in addition to the credentialBundleIDACL, if it is specified. Available in iOS 14 and later. + If 'true', the Kerberos extension allows only managed apps to access and use the credential. This is in addition to the 'credentialBundleIDACL', if it is specified. Available in iOS 14 and later, and macOS 12 and later. pfm_exclude 
@@ -924,7 +960,8 @@ kerberosDefault - The default Kerberos processes for selecting credentials is us pfm_default pfm_description - If true, the Kerberos extension will allow standard Kerberos utilities such as TicketViewer and klist to access and use the credential. This is in addition to either includeManagedAppsInBundleIdACL or credentialBundleIDACL, if any are specified. + If 'true', the Kerberos extension allows the standard kerberos utilities including 'TicketViewer' and 'klist' to access and use the credential. This is in addition to 'includeManagedAppsInBundleIdACL' or the 'credentialBundleIdACL', if it is specified. +Available in macOS 12 and later. pfm_exclude @@ -954,7 +991,8 @@ kerberosDefault - The default Kerberos processes for selecting credentials is us pfm_default pfm_description - If false, the credential is requested on the next matching Kerberos challenge or network state change. If the credential is expired or missing, a new one will be created. Available in macOS 11 and later. + If 'false', the credential is requested on the next matching Kerberos challenge or network state change. +If the credential is expired or missing, a new one will be created. Available in macOS 11 and later. pfm_exclude 
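Review bot: The rewritten description in this hunk spells the ACL key 'credentialBundleIdACL', while the credentialUseMode and includeManagedAppsInBundleIdACL hunks earlier in this diff spell it 'credentialBundleIDACL'. That key is what restricts which processes may use the Kerberos credential, so an inconsistent name in the docs makes it easy to search for, or configure, the wrong key. Use the spelling that matches the key's actual pfm_name, e.g. `This is in addition to 'includeManagedAppsInBundleIdACL' or 'credentialBundleIDACL', if either is specified.`, and capitalise "kerberos utilities" as "Kerberos utilities".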
@@ -1012,7 +1050,10 @@ kerberosDefault - The default Kerberos processes for selecting credentials is us pfm_description - Preferred Key Distribution Centers for Kerberos traffic when the servers cannot be discovered via DNS. + The ordered list of preferred Key Distribution Centers (KDCs) to use for Kerberos traffic. Use this if the servers are not discoverable via DNS. If the servers are specified, then they are used for both connectivity checks and attempted first for Kerberos traffic. If the servers do not respond, then the device falls back to DNS discovery. Each entry is formatted the same as it would be in a 'krb5.conf' file. Examples of entries are: +* 'adserver1.example.com' +* 'tcp/adserver1.example.com:88' +* 'kkdcp://kerberosproxy.example.com:443/kkdcp' pfm_exclude @@ -1151,7 +1192,7 @@ kerberosDefault - The default Kerberos processes for selecting credentials is us pfm_default pfm_description - If true, passwords must meet Active Directory's definition of "complex". Available in macOS 10.15 and later. + If 'true', passwords must meet Active Directory's definition of 'complex'.Available in macOS 10.15 and later. pfm_exclude @@ -1179,7 +1220,7 @@ kerberosDefault - The default Kerberos processes for selecting credentials is us pfm_description - The number of prior passwords that cannot be re-used on this domain. Available in macOS 10.15 and later. + The number of prior passwords that cannot be re-used on this domain.Available in macOS 10.15 and later. pfm_exclude @@ -1209,7 +1250,7 @@ kerberosDefault - The default Kerberos processes for selecting credentials is us pfm_description - The minimum length of passwords on the domain. Available in macOS 10.15 and later. + The minimum length of passwords on the domain.Available in macOS 10.15 and later. pfm_exclude 
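Review bot: The new pwReqComplexity description runs two sentences together, `'complex'.Available in macOS 10.15 and later.`, with no space after the period; the next two hunks on this line (password history and minimum length) introduce the same defect. Suggest `'complex'. Available in macOS 10.15 and later.` and likewise `...on this domain. Available in...` and `...on the domain. Available in...`.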
@@ -1269,7 +1310,7 @@ kerberosDefault - The default Kerberos processes for selecting credentials is us pfm_description - The text version of the domain's password requirements. Only for use if pwReqComplexity or pwReqLength aren't specified. Available in macOS 10.15 and later. + The text version of the domain's password requirements. Only for use if 'pwReqComplexity' or 'pwReqLength' aren't specified. Available in macOS 10.15 and later. pfm_exclude @@ -1361,7 +1402,7 @@ kerberosDefault - The default Kerberos processes for selecting credentials is us pfm_default pfm_description - If true, requires the user to provide Touch ID, Face ID or their passcode to access the keychain entry. + If 'true', requires the user to provide Touch ID, Face ID or their passcode to access the keychain entry. pfm_exclude @@ -1423,7 +1464,7 @@ kerberosDefault - The default Kerberos processes for selecting credentials is us pfm_default pfm_description - If false, disables password sync. Note that this will not work if the user is logged in with a mobile account. Available in macOS 10.15 and later. + If 'false', disables password sync. Note that this will not work if the user is logged in with a mobile account. Available in macOS 10.15 and later. pfm_exclude @@ -1453,7 +1494,7 @@ kerberosDefault - The default Kerberos processes for selecting credentials is us pfm_default pfm_description - If false, the Kerberos extension doesn't automatically use LDAP and DNS to determine its AD site name. + If 'false', the Kerberos extension doesn't automatically use LDAP and DNS to determine its AD site name. pfm_exclude 
@@ -1862,7 +1903,8 @@ kerberosDefault - The default Kerberos processes for selecting credentials is us pfm_description - Platform SSO authentication method supported and used by the configured SSO extension. + The Platform SSO authentication method the extension uses. Requires that the SSO Extension also supports the method. +Available in macOS 13 and later and deprecated in macOS 14. pfm_macos_deprecated 14.0 pfm_macos_min @@ -1887,10 +1929,26 @@ kerberosDefault - The default Kerberos processes for selecting credentials is us Authentication Method pfm_type string + pfmx_supported_oses + + iOS + + pfmx_introduced + n/a + + macOS + + pfmx_deprecated + 14.0 + pfmx_introduced + 13.0 + + pfm_description - Platform SSO token for use in silent registration. + The token this device uses for registration with Platform SSO. Use it for silent registration with the Identity Provider. Requires that 'PlatformSSO' 'AuthenticationMethod' isn't empty. +Available in macOS 13 and later. pfm_exclude @@ -1917,10 +1975,23 @@ kerberosDefault - The default Kerberos processes for selecting credentials is us Registration Token pfm_type string + pfmx_supported_oses + + iOS + + pfmx_introduced + n/a + + macOS + + pfmx_introduced + 13.0 + + pfm_description - This is the dictionary used to configure PlatformSSO. + The dictionary to configure Platform SSO. pfm_macos_min 14.0 pfm_name @@ -1933,7 +2004,7 @@ kerberosDefault - The default Kerberos processes for selecting credentials is us pfm_description - The Platform SSO authentication method to be used with the extension. Requires that the SSO Extension also support the method. + The Platform SSO authentication method to use with the extension. Requires that the SSO Extension also support the method. pfm_name AuthenticationMethod pfm_range_list 
@@ -1949,11 +2020,19 @@ kerberosDefault - The default Kerberos processes for selecting credentials is us pfm_default pfm_description - If set to true, Platform SSO will use the same signing and encryption keys for all users. + If 'true', the system uses the same signing and encryption keys for all users. Only supported on the device channel. pfm_name UseSharedDeviceKeys pfm_type boolean + pfmx_supported_oses + + macOS + + pfmx_user_channel + + + pfm_description @@ -1967,7 +2046,7 @@ kerberosDefault - The default Kerberos processes for selecting credentials is us pfm_default 64800 pfm_description - The frequency where a full login is required instead of a refresh. Default is 18 hours. Must be > 1 hour. + The duration, in seconds, until the system requires a full login instead of a refresh. The default value is 64,800 (18 hours). The minimum value is 3600 (1 hour). pfm_name LoginFrequency pfm_range_min @@ -1979,7 +2058,7 @@ kerberosDefault - The default Kerberos processes for selecting credentials is us pfm_default pfm_description - Enables creating new users at the login window with either Passwords or SmartCards. Requires 'UseSharedDeviceKeys' is true. + Enables creating new users at the login window with an 'AuthenticationMethod' of either 'Password' or 'SmartCard'. Requires that 'UseSharedDeviceKeys' is 'true'. pfm_name EnableCreateUserAtLogin pfm_type @@ -1989,7 +2068,7 @@ kerberosDefault - The default Kerberos processes for selecting credentials is us pfm_default pfm_description - Enables using identity provider accounts at authorization prompts. Requires 'UseSharedDeviceKeys' is true. The account will be assigned groups using the 'AdministratorGroups', 'AdditionalGroups', or 'AuthorizationGroups'. + Enables using identity provider accounts at authorization prompts. Requires that 'UseSharedDeviceKeys' is 'true'. The system assigns groups using 'AdministratorGroups', 'AdditionalGroups', or 'AuthorizationGroups'. pfm_name EnableAuthorization pfm_type 
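Review bot: The new LoginFrequency description changes the bound from "Must be > 1 hour" to "The minimum value is 3600 (1 hour)", which turns a strict inequality into an inclusive one. Which is right depends on the pfm_range_min value immediately below, which is not visible in this hunk; the text and the range should agree so the editor's validation matches the documented contract for how often a full login is forced. If 3600 is accepted keep the new wording, otherwise write `Must be greater than 3600 (1 hour).`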
@@ -1997,7 +2076,7 @@ kerberosDefault - The default Kerberos processes for selecting credentials is us pfm_description - The attribute mapping used when creating new users or for authorization. + The attribute mapping to use when creating new users or for authorization. pfm_name TokenToUserMapping pfm_subkeys @@ -2024,13 +2103,10 @@ kerberosDefault - The default Kerberos processes for selecting credentials is us pfm_description - This setting affects the permissions for accounts created at login by Platform SSO. It is only used when the account is created. Use of the following: -* Standard - The account will be a standard user. -* Admin - The account will be added to the local administrators group. -* Groups - The account will be assigned groups using the 'AdministratorGroups', 'AdditionalGroups', or 'AuthorizationGroups'. + The permission to apply to newly created accounts at login, which has the following values: +* 'Standard': The account is a standard user. +* 'Admin': The system adds the account to the local administrators group. +* 'Groups': The system assigns group to the account using 'AdministratorGroups', 'AdditionalGroups', or 'AuthorizationGroups'. pfm_name NewUserAuthorizationMode pfm_range_list 
@@ -2044,13 +2120,10 @@ kerberosDefault - The default Kerberos processes for selecting credentials is us pfm_description - This setting affects the permissions after authentication by Platform SSO. It is applied each time user authenticates. Use of the following: -* Standard - The account will be a standard user. It will be removed from the 'admin' group. -* Admin - The account will be added to the local administrators group. -* Groups - The account will be assigned groups using the 'AdministratorGroups', 'AdditionalGroups', or 'AuthorizationGroups'. + The permission to apply to an account each time the user authenticates, which has the following values: +* 'Standard': The account is a standard user. +* 'Admin': The system adds the account to the local administrators group. +* 'Groups': The system assigns group to the account using 'AdministratorGroups', 'AdditionalGroups', or 'AuthorizationGroups'. pfm_name UserAuthorizationMode pfm_range_list @@ -2064,7 +2137,7 @@ kerberosDefault - The default Kerberos processes for selecting credentials is us pfm_description - The list of groups that are used for administrator access. Membership will be requested during authentication. + The list of groups to use for administrator access. The system requests membership during authentication. pfm_name AdministratorGroups pfm_subkeys @@ -2083,7 +2156,7 @@ kerberosDefault - The default Kerberos processes for selecting credentials is us pfm_description - The list of groups that are created and do not have administrator access. + The list of created groups that don't have administrator access. pfm_name AdditionalGroups pfm_subkeys 
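Review bot: The rewritten UserAuthorizationMode description drops the sentence that 'Standard' removes the account from the 'admin' group, leaving 'Standard' described only as "a standard user" — word for word the same as NewUserAuthorizationMode, which applies only at account creation. That demotion on every authentication is the security-relevant difference between the two keys, and an operator reading only the new text could assume 'Standard' is a no-op for an existing admin. Unless Apple's reference now says otherwise, keep it: `* 'Standard': The account is a standard user and is removed from the 'admin' group on each authentication.` Also `assigns group to the account` should read `assigns groups to the account` here and in the NewUserAuthorizationMode hunk.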
@@ -2102,7 +2175,7 @@ kerberosDefault - The default Kerberos processes for selecting credentials is us pfm_description - The pairing of Authorization Rights to group names. The Authorization Right will be updated to use the group when used. + The pairing of Authorization Rights to group names. The system updates the Authorization Right to use the group when used. pfm_name AuthorizationGroups pfm_subkeys @@ -2134,6 +2207,19 @@ kerberosDefault - The default Kerberos processes for selecting credentials is us pfm_type dictionary + pfmx_supported_oses + + iOS + + pfmx_introduced + n/a + + macOS + + pfmx_introduced + 14.0 + + pfm_targets @@ -2149,5 +2235,55 @@ kerberosDefault - The default Kerberos processes for selecting credentials is us pfm_version 6 + pfmx_supported_oses + + iOS + + pfmx_allow_manual_install + + pfmx_introduced + 13.0 + pfmx_multiple + + pfmx_shared_ipad + + pfmx_device_channel + + pfmx_mode + allowed + pfmx_user_channel + + + pfmx_supervised + + pfmx_user_enrollment + + pfmx_mode + allowed + + + macOS + + pfmx_allow_manual_install + + pfmx_device_channel + + pfmx_introduced + 10.15 + pfmx_multiple + + pfmx_requires_dep + + pfmx_user_approved_mdm + + pfmx_user_channel + + pfmx_user_enrollment + + pfmx_mode + allowed + + +