The payload that configures relay settings.
| Setting | Type | Required | Default | Manual Install | Supported OS |
|---|---|---|---|---|---|
Relays Relays An array of dictionaries that describe one or more relay servers that the system can chain together. 1 subkey | array | required | — | ✓Yes | iOS (17.0+)macOS (14.0+)tvOS (17.0+)visionOS (1.0+) |
└─ Network Relay Relay 5 subkeys | dictionary | — | ✓Yes | iOS (17.0+)macOS (14.0+)tvOS (17.0+)visionOS (1.0+) | |
└─ └─ HTTP/3 Relay URL HTTP3RelayURL The URL or URI template, as defined in RFC 9298, of a relay server that's reachable using HTTP/3 and supports proxying TCP and UDP using the CONNECT method.
Each relay needs to include either `HTTP2RelayURL` or `HTTP3RelayURL`, or it can include both. | string | optional | — | ✓Yes | iOS (17.0+)macOS (14.0+)tvOS (17.0+)visionOS (1.0+) |
└─ └─ HTTP/2 Relay URL HTTP2RelayURL The URL or URI template, as defined in RFC 9298, of a relay server that's reachable using HTTP/2 and supports proxying TCP and UDP using the CONNECT method.
Each relay needs to include either `HTTP2RelayURL` or `HTTP3RelayURL`, or it can include both. | string | optional | — | ✓Yes | iOS (17.0+)macOS (14.0+)tvOS (17.0+)visionOS (1.0+) |
└─ └─ Additional HTTP Header Fields AdditionalHTTPHeaderFields A dictionary that contains custom HTTP header keys and values to add to each request. The dictionary key name represents the HTTP header field name to use, and the dictionary value is the string to use as the HTTP header field value. 1 subkey | dictionary | optional | — | ✓Yes | iOS (17.0+)macOS (14.0+)tvOS (17.0+)visionOS (1.0+) |
└─ └─ └─ ANY ANY The HTTP header field value for the corresponding header field name. | string | required | — | ✓Yes | iOS (17.0+)macOS (14.0+)tvOS (17.0+)visionOS (1.0+) |
└─ └─ Certificate UUID PayloadCertificateUUID The UUID that points to an identity certificate payload, which the system uses to authenticate the user to the relay server. | string | optional | — | ✓Yes | iOS (17.0+)macOS (14.0+)tvOS (17.0+)visionOS (1.0+) |
└─ └─ Raw Public Keys RawPublicKeys An array of DER-encoded raw public keys that the system uses to authenticate the server during a TLS handshake. The server needs to use one of the keys in the handshake to authenticate.
If this array is empty, the system uses the default TLS trust evaluation. 1 subkey | array | optional | — | ✓Yes | iOS (17.0+)macOS (14.0+)tvOS (17.0+)visionOS (1.0+) |
└─ └─ └─ Raw Public Key Element RawPublicKeysElement | data | — | ✓Yes | iOS (17.0+)macOS (14.0+)tvOS (17.0+)visionOS (1.0+) | |
Match Domains MatchDomains A list of domain strings that the system uses to determine which connection to route through the servers in `Relays`.
Any connection that matches a domain in the list exactly or is a subdomain of the listed domain uses the relay servers, unless it matches a domain in `ExcludedDomains`.
If this list and `MatchFQDNs` are empty, the system routes traffic to all domains to the relay servers, except those that match an excluded domain or excluded FQDN. 1 subkey | array | optional | — | ✓Yes | iOS (17.0+)macOS (14.0+)tvOS (17.0+)visionOS (1.0+) |
└─ Match Domains Element MatchDomainsElement | string | — | ✓Yes | iOS (17.0+)macOS (14.0+)tvOS (17.0+)visionOS (1.0+) | |
Excluded Domains ExcludedDomains A list of domain strings to exclude from routing through the servers in `Relays`. Any connection that matches a domain in the list exactly or is a subdomain of the listed domain won't use the relay server. 1 subkey | array | optional | — | ✓Yes | iOS (17.0+)macOS (14.0+)tvOS (17.0+)visionOS (1.0+) |
└─ Excluded Domains Element ExcludedDomainsElement | string | — | ✓Yes | iOS (17.0+)macOS (14.0+)tvOS (17.0+)visionOS (1.0+) | |
Match FQDNs MatchFQDNs A list of Fully Qualified Domain Names (FQDNs) to be routed through the servers contained in `Relays`. Any connection that matches an FQDN in the list exactly uses the relay servers. If this list and `MatchDomains` are empty, the system routes traffic to all domains to the relay servers, except those that match an excluded domain or excluded FQDN. 1 subkey | array | optional | — | ✓Yes | iOS (18.4+)macOS (15.4+)tvOS (18.4+)visionOS (2.4+) |
└─ Match FQDNs Element MatchFQDNsElement | string | — | ✓Yes | iOS (17.0+)macOS (14.0+)tvOS (17.0+)visionOS (1.0+) | |
Excluded FQDNs ExcludedFQDNs A list of Fully Qualified Domain Names (FQDNs) to exclude from routing through the servers contained in `Relays`. Any connection that matches an FQDN in the list exactly won't use the relay server. When `MatchDomains` is also present, any FQDN listed in the list should be a subdomain of at least one `MatchDomain` value, otherwise it will not have any effect. 1 subkey | array | optional | — | ✓Yes | iOS (18.4+)macOS (15.4+)tvOS (18.4+)visionOS (2.4+) |
└─ Excluded FQDNs Element ExcludedFQDNsElement | string | — | ✓Yes | iOS (17.0+)macOS (14.0+)tvOS (17.0+)visionOS (1.0+) | |
RelayUUID RelayUUID A globally unique identifier for this relay configuration. The system uses this UUID to route managed apps through the servers in `Relays`. This key is required for user enrollment. | string | optional | — | ✓Yes | iOS (17.0+)macOS (14.0+)tvOS (17.0+)visionOS (1.0+) |
UI Toggle Enabled UIToggleEnabled If `true`, the device allows the user to disable this network relay configuration. | boolean | optional | true | ✓Yes | iOS (26.0+)macOS (26.0+)tvOS (26.0+)visionOS (26.0+) |
Allow DNS Failover AllowDNSFailover If `true`, the device allows the relay to failover to the default system DNS resolver. | boolean | optional | false | ✓Yes | iOS (26.0+)macOS (26.0+)tvOS (26.0+)visionOS (26.0+) |
