The payload that configures certificate transparency enforcement.
| Setting | Type | Required | Default | Manual Install | Supported OS |
|---|---|---|---|---|---|
| Disabled Certs (`DisabledForCerts`)<br>An array of certificates for which certificate transparency is disabled. One of the following conditions needs to be met to disable certificate transparency enforcement when this policy is set:<br>• The hash is of the server certificate's `subjectPublicKeyInfo`.<br>• The hash is of a `subjectPublicKeyInfo` that appears in a CA certificate in the certificate chain; the CA certificate is constrained through the X.509v3 `nameConstraints` extension. One or more `directoryName` `nameConstraints` are present in the `permittedSubtrees`, and the `directoryName` contains an `organizationName` attribute.<br>• The hash is of a `subjectPublicKeyInfo` that appears in a CA certificate in the certificate chain. The CA certificate has one or more `organizationName` attributes in the certificate `Subject`, and the server's certificate contains the same number of `organizationName` attributes, in the same order, and with byte-for-byte identical values.<br>1 subkey | array | optional | — | ✓ Yes | iOS (12.1.1+), macOS (10.14.2+), tvOS (12.1.1+), visionOS (1.0+), watchOS (5.1.1+) |
| └─ SubjectPublicKeyInfoHashDict (`SubjectPublicKeyInfoHashDict`)<br>A dictionary of hashed public keys.<br>2 subkeys | dictionary | | — | ✓ Yes | iOS (12.1.1+), macOS (10.14.2+), tvOS (12.1.1+), visionOS (1.0+), watchOS (5.1.1+) |
| └─ └─ Algorithm (`Algorithm`)<br>The algorithm must be `sha256`. | string | required | — | ✓ Yes | iOS (12.1.1+), macOS (10.14.2+), tvOS (12.1.1+), visionOS (1.0+), watchOS (5.1.1+) |
| └─ └─ Hash (`Hash`)<br>The hash of the DER-encoding of the certificate's `subjectPublicKeyInfo`.<br>The hash field requires the data (`subjectPublicKeyInfo` hash) in a specific format: a Base64 encoded (binary) SHA-256 hash of the certificate's public key. | data | required | — | ✓ Yes | iOS (12.1.1+), macOS (10.14.2+), tvOS (12.1.1+), visionOS (1.0+), watchOS (5.1.1+) |
| Disabled domains (`DisabledForDomains`)<br>An array of strings that represent the domains to exclude from certificate transparency enforcement. The system supports using a leading period (`.`) to signify subdomains. However, the system doesn't support wildcards. If you include a leading period, the domain can't be a top-level domain, such as `.com` and `.co.uk`.<br>1 subkey | array | optional | — | ✓ Yes | iOS (12.1.1+), macOS (10.14.2+), tvOS (12.1.1+), visionOS (1.0+), watchOS (5.1.1+) |
| └─ domain (`domain`) | string | | — | ✓ Yes | iOS (12.1.1+), macOS (10.14.2+), tvOS (12.1.1+), visionOS (1.0+), watchOS (5.1.1+) |
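
Added example, not from Apple's documentation or this catalogue: standard-library Python that pulls `subjectPublicKeyInfo` out of a DER certificate, hashes it the way the `Hash` row describes, and builds the two settings. The function names and the constructed sample skeleton are assumptions of this example, as is the reading that each `DisabledForCerts` element is a dictionary holding `Algorithm` and `Hash` directly.

```python
import hashlib, plistlib

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def extract_spki(cert_der):
    """Return the complete DER encoding of tbsCertificate.subjectPublicKeyInfo."""
    _, cert_start, _ = read_tlv(cert_der, 0)        # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert_der, cert_start)      # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                                 # optional [0] version
        pos = end
    for _field in range(5):  # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    tag, _, end = read_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo SEQUENCE not found")
    return cert_der[pos:end]                # header included: the hash covers the whole SPKI

def spki_hash_entry(cert_der):
    digest = hashlib.sha256(extract_spki(cert_der)).digest()   # raw 32 bytes, not hex
    return {"Algorithm": "sha256", "Hash": digest}  # bytes serialize as Base64 <data>

def build_settings(cert_ders, domains):
    for d in domains:
        if "*" in d:                        # the table states wildcards are unsupported
            raise ValueError(f"wildcards are not supported: {d!r}")
    return {"DisabledForCerts": [spki_hash_entry(c) for c in cert_ders],
            "DisabledForDomains": list(domains)}

def _tlv(tag, value):       # builds the constructed sample only (short-form lengths)
    return bytes([tag, len(value)]) + value

# Constructed skeleton, not a real certificate: empty names, dummy key and signature.
ALG = _tlv(0x30, bytes.fromhex("06032b6570"))
SAMPLE_SPKI = _tlv(0x30, ALG + _tlv(0x03, b"\x00" + bytes(range(32))))
TBS = _tlv(0x30, _tlv(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + ALG
           + b"\x30\x00" * 3 + SAMPLE_SPKI)
SAMPLE_CERT = _tlv(0x30, TBS + ALG + b"\x03\x01\x00")

if __name__ == "__main__":
    print(plistlib.dumps(build_settings([SAMPLE_CERT], [".example.com"])).decode())
```

For a PEM certificate, Base64-decode the body between the BEGIN and END lines first to obtain the DER bytes.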