A Property List (PList) contains keys and values that are used to manage a variety of settings for iOS devices. Refer to Apple’s documentation for an Information Property List Key Reference.
You can copy and paste Property Lists to a blueprint. Settings defined in the PList take precedence over other settings in the blueprint. Some settings that are already defined in a blueprint (such as camera or screenshots) are not available to be set via a PList.
Find out more about these properties, including version requirements, by reviewing Apple’s MDM restrictions. Property Lists are limited to 128,000 characters.
In this article:
- Creating a Property List
- Adding a Property List to a Blueprint
- Common Property List Configurations
- Viewing Active Property Lists
Creating a Property List
Property Lists are enabled through a blueprint. Property Lists will need to be in the correct format.
The following is an example of a Property Lists are generated with a UUID payload. Use a program such as Xcode or iMazing Profile Editor to create a valid PList.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>Restrictions</string>
<key>PayloadIdentifier</key>
<string>com.apple.applicationaccess.{UUID}</string>
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>PayloadUUID</key>
<string>{UUID}</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>{PayloadDisplayName}</string>
<key>PayloadIdentifier</key>
<string>{User}--{UUID}</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>{UUID}</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
When you create a Property List with iMazing Profile Editor, use “save” rather than “export” to generate the full Property List
- Convert ampersands (&) to &
- Convert less than signs (<) to <
- Convert greater than signs (>) to >
Adding a Property List to a Blueprint
After you’ve created a Property List, you can paste it into a blueprint. In a blueprint, navigate to Esper Settings, click on the iOS tab, and enable the Property List (PList) setting. Then paste the Property List in the input box.
The screenshot above is an example. You’ll need to generate valid UUIDs with a program such as iMazing Profile Editor or Xcode.
Then save and publish the blueprint and converge devices to it.
You can modify the Plist in the blueprint at any time.
Common Plist Configurations
Delay Software Updates
Software updates can be delayed for up to 90 days after the software release. There are two keys:
- enforcedSoftwareUpdateDelay: set the value for any integer up to 90 days.
- forceDelayedSoftwareUpdates: set to true.
<key>enforcedSoftwareUpdateDelay</key>
<integer>90</integer>
<key>forceDelayedSoftwareUpdates</key>
<true/>
Block Apps
When you block apps, those apps can no longer be accessed on the device. Use the blockedAppBundleIDs key when there’s a selection of apps you don’t want users to access. All other apps will be accessible. The key accepts an array of package names. Settings and Phone cannot be blocked.
Some apps rely on browsers, so we recommend providing an alternative browser when blocking Safari.
<key>blockedAppBundleIDs</key>
<array>
<string>com.apple.mobilesafari</string>
</array>
Block Preloaded Apps
You can block most preloaded apps with the following list. You may need to add additional app packages depending on the device. Safari, the camera app, and the Settings app have been omitted. On iPads, the Settings app cannot be blocked. On iPhones, the Settings and Phone apps cannot be blocked.
<key>allowAppClips</key>
<false/>
<key>allowAppInstallation</key>
<false/>
<key>allowAppRemoval</key>
<false/>
<key>allowBookstore</key>
<false/>
<key>allowChat</key>
<false/>
<key>allowGameCenter</key>
<false/>
<key>allowInAppPurchases</key>
<false/>
<key>allowMusicService</key>
<false/>
<key>allowNews</key>
<false/>
<key>allowPodcasts</key>
<false/>
<key>allowRadioService</key>
<false/>
<key>allowSystemAppRemoval</key>
<false/>
<key>allowiTunes</key>
<false/>
<key>blockedAppBundleIDs</key>
<array>
<string>com.apple.MobileStore</string>
<string>com.apple.iBooks</string>
<string>com.apple.calculator</string>
<string>com.apple.mobilecal</string>
<string>com.apple.clips</string>
<string>com.apple.mobiletimer</string>
<string>com.apple.MobileAddressBook</string>
<string>com.apple.facetime</string>
<string>com.apple.DocumentsApp</string>
<string>com.apple.findmy</string>
<string>com.apple.Fitness</string>
<string>com.apple.freeform</string>
<string>com.apple.mobilegarageband</string>
<string>com.apple.Health</string>
<string>com.apple.Home</string>
<string>com.apple.iCloudDriveApp</string>
<string>com.apple.iMovie</string>
<string>com.apple.journal</string>
<string>com.apple.Keynote</string>
<string>com.apple.Magnifier</string>
<string>com.apple.mobilemail</string>
<string>com.apple.Maps</string>
<string>com.apple.measure</string>
<string>com.apple.MobileSMS</string>
<string>com.apple.Music</string>
<string>com.apple.news</string>
<string>com.apple.mobilenotes</string>
<string>com.apple.Numbers</string>
<string>com.apple.Pages</string>
<string>com.apple.mobilephone</string>
<string>com.apple.Photo-Booth</string>
<string>com.apple.mobileslideshow</string>
<string>com.apple.podcasts</string>
<string>com.apple.reminders</string>
<string>com.apple.shortcuts</string>
<string>com.apple.stocks</string>
<string>com.apple.Playgrounds</string>
<string>com.apple.tips</string>
<string>com.apple.Translate</string>
<string>com.apple.tv</string>
<string>com.apple.VoiceMemos</string>
<string>com.apple.Passbook</string>
<string>com.apple.Bridge</string>
<string>com.apple.weather</string>
</array>
Allow Apps
When apps are allowed, only those apps may be accessed on the device. Use the allowListAppBundleIDs if there’s a selection of apps you want users to access. All other apps will be inaccessible. The key accepts an array of package names.
Some apps may have specific keys. See Apple’s documentation for a full list of specific keys.
<key>allowListedAppBundleIDs</key>
<array>
<string>com.apple.camera</string>
<string>com.apple.mobilesafari</string>
</array>
Block URLs
Prevent users from navigating to sites in a web browser. Accepts up to 500 URLs or 64MB.
<key>DenyListURLs</key>
<array>
<string>google.com</string>
<string>youtube.com</string>
<string>reddit.com</string>
<string>facebook.com</string>
<string>amazon.com</string>
<string>yahoo.com</string>
<string>duckduckgo.com</string>
<string>apple.com</string>
<string>wikipedia.com</string>
<string>bing.com</string>
<string>instagram.com</string>
<string>weather.com</string>
<string>twitter.com</string>
<string>fandom.com</string>
<string>cnn.com</string>
<string>nytimes.com</string>
<string>linkedin.com</string>
<string>tiktok.com</string>
</array>
<key>FilterType</key>
<string>BuiltIn</string>
Restrict Files USB Drive Access
Prevent users from using USBs with their iOS devices. Set the key to false.
<key>allowUSBRestrictedMode</key>
<false/>
Prevent Airdrop
By default, Airdrop is permitted. Prevent users from using Airdrop with the following key-value. Set the key to false.
<key>allowAirDrop</key>
<false/>
Prevent Name Modification
By default, name modification is permitted. This name appears in Settings > General > About. The Esper console alias name doesn’t control and isn’t necessarily related to this name. Set the key to false.
<key>allowDeviceNameModification</key>
<false/>
Block Copy and Paste for Unmanaged Apps
Prevent users from pasting content to unmanaged apps (apps not defined in the blueprint). Set the key to true.
<key>requireManagedPasteboard</key>
<true/>
Some apps, such as those preloaded to the device, can’t be managed by a blueprint. This setting is applied to all unmanaged apps, so you may need to define a web browser or other necessary apps in the blueprint if you enable this setting.
Prevent Apple ID Modification
Prevent users from creating their own Apple ID account and changing their usernames, passwords, and other account settings. Set the key to false.
<key>allowAccountModification</key>
<false/>
If a device user tries to log into the Apple App Store, for example, they'll see a blank account screen.
Viewing Active Property List
On your iOS device, go to Settings > MDM Management > Configuration Profile > Restrictions to see a list of restrictions.
Property Lists offer another level of customization. Use Property Lists, along with blueprints, to take control of your iOS fleet.