Page tree
Skip to end of metadata
Go to start of metadata

Custom Settings profile payload allows admins to enter their own XML into a profile and apply the profile to devices.

External link:

Custom XML profile samples for macOS - https://github.com/vmware-samples/euc-samples/tree/master/macOS-Samples

(For iOS 11.3 and macOS 10.13.4)

  • XML should contain the complete block of code as listed below, from <dict> to </dict>. 
  • Administrators should configure each setting from <true /> to <false /> as desired.
  • If certificates are required, then configure a Certificate payload within the profile and reference the Payload UUID in the Custom Settings payload.

iOS 11.3

Restrictions 

<dict>
         <key>allowUSBRestrictedMode</key>
         <true/>
         <key>forceClassroomRequestPermissionToLeaveClasses</key>
         <true/>
         <key>forceDelayedSoftwareUpdates</key>
         <true/>
         <key>enforcedSoftwareUpdateDelay</key>
         <integer>30</integer>
         <key>PayloadDisplayName</key>
         <string>Restrictions</string>
         <key>PayloadDescription</key>
         <string>RestrictionSettings</string>
         <key>PayloadIdentifier</key>
         <string>7480b205-2e1c-40fe-bd59-b53db434652d.Restrictions</string>
         <key>PayloadOrganization</key>
         <string></string>
         <key>PayloadType</key>
         <string>com.apple.applicationaccess</string>
         <key>PayloadUUID</key>
         <string>99b5b40b-5683-4315-9ec2-f9e014a6XXXX</string>
         <key>PayloadVersion</key>
         <integer>1</integer>
 </dict>

Home Screen Layout

NOTE: Web clips should be configured and deployed using the current web clip payload UI

<dict>
    <key>Dock</key>
    <array>
        <dict>
            <key>Type</key>
            <string>WebClip</string>
            <key>URL</key>
            <string>https://google.com</string>
        </dict>
    </array>
    <key>Pages</key>
    <array>
        <array>
            <dict>
                <key>Type</key>
                <string>WebClip</string>
                <key>URL</key>
                <string>https://yahoo.com</string>
            </dict>
            <dict>
                <key>Type</key>
                <string>Folder</string>
                <key>DisplayName</key>
                <string>My Web Clip</string>
                <key>Pages</key>
                <array>
                    <array>
                        <dict>
                            <key>Type</key>
                            <string>WebClip</string>
                            <key>URL</key>
                            <string>https://www.vmware.com</string>
                        </dict>
                    </array>
                </array>
            </dict>
        </array>
    </array>
    <key>PayloadDisplayName</key>
    <string>Home Screen Layout</string>
    <key>PayloadDescription</key>
    <string>HomeScreenLayout</string>
    <key>PayloadIdentifier</key>
    <string>97213d06-b750-466b-8a89-782d8a406f86.Home Screen Layout</string>
    <key>PayloadOrganization</key>
    <string></string>
    <key>PayloadType</key>
    <string>com.apple.homescreenlayout</string>
    <key>PayloadUUID</key>
    <string>2fa8fe03-30fa-4189-aa00-ba752eabXXXX</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict

Enable Bluetooth Command

Unlike custom profiles, the payload content and UUID are not required for custom commands. This command will not take place if the Allow Bluetooth Settings Modification restriction is enforced. 

<dict>
  <key>RequestType</key>
  <string>Settings</string>
  <key>Settings</key>
  <array>
    <dict>
      <key>Item</key>
      <string>Bluetooth</string>
      <key>Enabled</key>
      <true/>
    </dict>
  </array>
</dict>

Disable Bluetooth Command

<dict>
  <key>RequestType</key>
  <string>Settings</string>
  <key>Settings</key>
  <array>
    <dict>
      <key>Item</key>
      <string>Bluetooth</string>
      <key>Enabled</key>
      <false/>
    </dict>
  </array>
</dict>

macOS 10.13.4 Custom XML

Restrictions 

<dict>
         <key>forceDelayedSoftwareUpdates</key>
         <true/>
         <key>enforcedSoftwareUpdateDelay</key>
         <integer>30</integer>
         <key>PayloadDisplayName</key>
         <string>Restrictions</string>
         <key>PayloadDescription</key>
         <string>RestrictionSettings</string>
         <key>PayloadIdentifier</key>
         <string>7480b205-2e1c-40fe-bd59-b53db434652d.Restrictions</string>
         <key>PayloadOrganization</key>
         <string></string>
         <key>PayloadType</key>
         <string>com.apple.applicationaccess</string>
         <key>PayloadUUID</key>
         <string>99b5b40b-5683-4315-9ec2-f9e014a6XXXX</string>
         <key>PayloadVersion</key>
         <integer>1</integer>
 </dict>

Autonomous Single App (ASA) Mode

<dict>
    <key>AllowedApplications</key>
    <array>
      <dict>
        <key>BundleIdentifier</key>
        <string>com.sample.app1</string>
        <key>TeamIdentifier</key>
        <string>ABCDEFG1HI</string>
      </dict>
      <dict>
        <key>BundleIdentifier</key>
        <string>com.sample.app2</string>
        <key>TeamIdentifier</key>
        <string>ABCDEFG1HI</string>
      </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>Autonomous Single App Mode</string>
    <key>PayloadDescription</key>
    <string>AutonomousSingleAppMode</string>
    <key>PayloadIdentifier</key>
    <string>7480b205-2e1c-40fe-bd59-b53db434652d.AutonomousSingleAppMode</string>
    <key>PayloadOrganization</key>
    <string></string>
    <key>PayloadType</key>
    <string>com.apple.asam</string>
    <key>PayloadUUID</key>
    <string>91b5e40b-5683-4376-9ec2-f9e214a6XXXX</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict



  • Can only be installed on User Approved MDM Enrolled devices. Must be installed as Device profile. Only one payload allowed per machine.
  • To be granted access, applications must be signed with the specified Bundle Identifier and Team Identifier using an Apple-issued production developer certificate. Applications must specify the com.apple.developer.assessment entitlement with a value of true.
  • The application’s bundle identifier. BundleIdentifier must be unique. If two dictionaries contain the same BundleIdentifier but different TeamIdentifiers, this will be considered a hard error and the payload will not be installed.


To check if the .app has the correct entitlement noted above:

codesign –d --entitlements - /Applications/Example.app

This will print out XML with the entitlements. It needs to have the com.apple.developer.assessment entitlement with a value of true.


To get the Bundle & Team Identifier for an .app:

codesign –dvvvv /Applications/Example.app

The Bundle Identifier will be in the ‘Identifier’ field. The Team Identifier will be a 10 character string in the ‘TeamIdentifier’ field. 

Content Caching

<dict>
    <key>AllowPersonalCaching</key>
    <true/>
    <key>AllowSharedCaching</key>
    <true/>
    <key>AutoActivation</key>
    <true/>
    <key>CacheLimit</key>
    <integer>100000000</integer> <!--100 MB example-->
    <key>DataPath</key>
    <string>/Library/Application Support/Apple/AssetCache/Data</string>
    <key>DenyTetheredCaching</key>
    <false/>
    <key>ListenRanges</key>
    <array>
      <dict>
        <key>type</key>
        <string>IPV4</string>
        <key>first</key>
        <string>0.0.0.0</string>
        <key>last</key>
        <string>255.255.255.255</string>
      </dict>
    </array>
    <key>ListenRangesOnly</key>
    <false/>
    <key>ListenWithPeersAndParents</key>
    <true/>
    <key>LocalSubnetsOnly</key>
    <true/>
    <key>LogClientIdentity</key>
    <false/>
    <key>Parents</key>
    <array>
      <string>1.1.1.1</string>
      <string>2.2.2.2</string>
    </array>
    <key>ParentSelectionPolicy</key>
   
 <string>round-robin</string> <!-- Possible values are 
round-robin, first-available, url-path-hash, random, and 
sticky-available-->
    <key>PeerFilterRanges</key>
    <array>
      <dict>
        <key>type</key>
        <string>IPV4</string>
        <key>first</key>
        <string>0.0.0.0</string>
        <key>last</key>
        <string>255.255.255.255</string>
      </dict>
    </array>
    <key>PeerListenRanges</key>
    <array>
      <dict>
        <key>type</key>
        <string>IPV4</string>
        <key>first</key>
        <string>0.0.0.0</string>
        <key>last</key>
        <string>255.255.255.255</string>
      </dict>
    </array>
    <key>PeerLocalSubnetsOnly</key>
    <true/>
    <key>Port</key>
    <integer>0</integer>
    <key>PublicRanges</key>
    <array>
      <dict>
        <key>type</key>
        <string>IPV4</string>
        <key>first</key>
        <string>0.0.0.0</string>
        <key>last</key>
        <string>255.255.255.255</string>
      </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>Content Caching</string>
    <key>PayloadDescription</key>
    <string>ContentCaching</string>
    <key>PayloadIdentifier</key>
    <string>7480b205-2e1c-40fe-bd59-b53db434652d.ContentCaching</string>
    <key>PayloadOrganization</key>
    <string></string>
    <key>PayloadType</key>
    <string>com.apple.AssetCache.managed</string>
    <key>PayloadUUID</key>
    <string>98f5b40b-5683-2415-9ec2-f9e014a6XXXX</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>