---
title: MDM
framework: devicemanagement
role: symbol
role_heading: Device Management Profile
path: devicemanagement/mdm
---

# MDM

The payload that configures mobile device management (MDM) settings.

## Declaration

```data
object MDM
```

## Properties

AccessRights: Logical OR of the following bit flags: 1: Allow inspection of installed configuration profiles. 2: Allow installation and removal of configuration profiles. 4: Allow device lock and passcode removal. 8: Allow device erase. 16: Allow query of device information (device capacity, serial number). 32: Allow query of network information (phone/SIM numbers, MAC addresses). 64: Allow inspection of installed provisioning profiles. 128: Allow installation and removal of provisioning profiles. 256: Allow inspection of installed applications. 512: Allow restriction-related queries. 1024: Allow security-related queries. 2048: Allow manipulation of settings. 4096: Allow app management. Don’t set to 0. Specify 1 if you specify 2. Specify 64 if you specify 128. Ignored if you set a value for ManagedAppleID. note: When updating the payload, the addition of any access right is an error, and the update is rejected. AssignedManagedAppleID: The Managed Apple Account pre-assigned to the authenticated user. Required for account-driven enrollments. note: When updating the payload, the value of this key must not change. Any change is an error, and the system rejects the update. Available: iOS 15+ | iPadOS 15+ | macOS 14+ | visionOS 1.1+ CheckInURL: The URL that the device should use to check in during installation. The URL must begin with the https:// URL scheme and may contain a port number (:1234, for example). If not set, the system uses ServerURL. note: When updating the payload, the value of this key must not change. Any change is an error, and the system rejects the update. CheckInURLPinningCertificateUUIDs: An array of strings, each containing the payload UUID of a certificate to use when evaluating trust to the ‘…/checkin/’ URLs of MDM servers. Available: iOS 13.4+ | iPadOS 13.4+ | macOS 10.13+ | tvOS 13.4+ | visionOS 1.1+ | watchOS 10+ CheckOutWhenRemoved: If ‘true’, the device attempts to send a Check Out message to the ‘CheckInURL’ when the profile is removed. EnrollmentMode: The enrollment mode the server indicates to use when enrolling. Required for account-driven enrollment. note: When updating the payload, the value of this key must not change. Any change is an error, and the system rejects the update. Available: iOS 15+ | iPadOS 15+ | macOS 14+ | visionOS 1.1+ IdentityCertificateUUID: The UUID of the certificate payload for the device’s identity. It may also point to a SCEP payload. PinningRevocationCheckRequired: If ‘true’, the system fails the connection attempt unless it obtains a verified positive response during certificate revocation checks. If ‘false’, the system performs revocation checks on a best-attempt basis, where failure to reach the server isn’t considered fatal. Available: iOS 13.4+ | iPadOS 13.4+ | macOS 10.13+ | tvOS 13.4+ | visionOS 1.1+ | watchOS 10+ PromptUserToAllowBootstrapTokenForAuthentication: If ‘true’, the system warns the user that they need to reboot into RecoveryOS and allow the MDM to use the bootstrap token for authentication for certain sensitive operations such as enabling kernel extensions or installing some types of software updates. If the MDM doesn’t need to perform these operations, it can leave this key set to ‘false’, and the user isn’t notified. The SettingsCommand.Command.Settings.MDMOptions.MDMOptions command overrides this default value. This setting only applies to devices that have ‘BootstrapTokenRequiredForSoftwareUpdate’ or ‘BootstrapTokenRequiredForKernelExtensionApproval’ set to ‘true’ in their SecurityInfoResponse.SecurityInfo. ADE-enrolled devices are automatically allowed to use the bootstrap token for authentication. Available: macOS 11+ RequiredAppIDForMDM: This property specifies an iTunes Store ID for an app the system can install with the InstallApplicationCommand, without any approval from the user. The MDM vendor or managing organization generally provides this app, which enhances the management experience for the user. The device shows the user details about this app in the account-driven enrollment process prior to installing the MDM profile. Use this property with account-driven MDM enrollments that normally require user approval for app installs through MDM. Only account-driven enrollments support this property and other enrollment types ignore it. note: When updating the payload, the value of this key must not change. Any change is an error, and the system rejects the update. Available: iOS 15.1+ | iPadOS 15.1+ | visionOS 1.1+ ServerCapabilities: A unique array of strings indicating server capabilities: com.apple.mdm.per-user-connections: Indicates that the server supports both device and user connections. This must be present when managing Shared iPad or macOS devices. com.apple.mdm.bootstraptoken: Indicates that the server supports escrowing the bootstrap token. This must be present for the device to create a bootstrap token and send it to the server. Available in iOS 26 and later, macOS 11 and later, and visionOS 26 and later. com.apple.mdm.token: Indicates that the server supports the Get Token CheckIn message type. This must be present for the device to use Get Token CheckIn message when appropriate. note: When updating the payload, the com.apple.mdm.per-user-connections capability must not be added or removed. Any such change is an error, and the update is rejected. ServerURL: The URL that the device contacts to retrieve device management instructions. The URL must begin with the https:// URL scheme, and may contain a port number (:1234, for example). note: When updating the payload, the value of this key must not change. Any change is an error, and the system rejects the update. ServerURLPinningCertificateUUIDs: An array of strings, each containing the UUID of a certificate to use when evaluating trust to the ‘…/connect/’ URLs of MDM servers. Available: iOS 13.4+ | iPadOS 13.4+ | macOS 10.13+ | tvOS 13.4+ | visionOS 1.1+ | watchOS 10+ SignMessage: If ‘true’, each message coming from the device carries the additional ‘Mdm-Signature’ HTTP header. Topic: The topic that MDM listens to for push notifications. The certificate that the server uses to send push notifications must have the same topic in its subject. The topic must begin with the ‘com.apple.mgmt.’ prefix. note: When updating the payload, the value of this key must not change. Any change is an error, and the system rejects the update. UseDevelopmentAPNS: If ‘true’, the device uses the development APNS servers. Otherwise, the device uses the production servers. Set to ‘false’ if your Apple Push Notification Service certificate was issued by the Apple Push Certificate Portal (‘https://identity.apple.com/pushcert’). That portal only issues certificates for the production push environment.

## Mentioned in

Deploy software updates using declarative management Displaying managed apps and packages Implementing Platform SSO during device enrollment Implementing the simple authentication account-driven enrollment flow Managing devices and users in macOS Migrating managed devices Returning a managed device to service

## Discussion

Discussion Specify com.apple.mdm as the payload type. Also define the following four standard payload values in your MDM payload: PayloadIdentifier: The reverse-DNS style identifier that identifies the profile; for example, com.example.myprofile. The system uses this value to determine whether to replace an existing profile or add a new one. PayloadUUID: A globally unique identifier for the profile. In macOS, you can use uuidgen to generate this value. PayloadType: The payload type. Set to com.apple.mdm to designate that this payload is an MDM payload. PayloadVersion: The version number of the profile format, which describes the version of the configuration profile as a whole, not of the individual profiles within it. Set this value to 1. note: MDM reserves profile payload dictionary keys with the Payload prefix. Don’t treat them as managed preferences. Profile availability  |   |   |   |   |   |   |   |  Profile example <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict>     <key>PayloadContent</key>     <array>         <dict>             <key>PayloadContent</key>             <data>             LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZlRENDQTJB             Q0NRQzFsWFV5WnJPbERqQU5CZ2txaGtpRzl3MEJBUXNGQURCK01R             c3dDUVlEVlFRR0V3SlYKVXpFVE1CRUdBMVVFQ0F3S1EyRnNhV1p2             Y201cFlURVNNQkFHQTFVRUJ3d0pRM1Z3WlhKMGFXNXZNUk13RVFZ             RApWUVFLREFwQmNIQnNaU0JKYm1NdU1Sb3dHQVlEVlFRTERCRkVa             WFpwWTJVZ1RXRnVZV2RsYldWdWRERVZNQk1HCkExVUVBd3dNVFVN             Z1VtOXZkQ0JEWlhKME1CNFhEVEU1TURVd01UQTNNVFF6TVZvWERU             STVNRFF5T0RBM01UUXoKTVZvd2ZqRUxNQWtHQTFVRUJoTUNWVk14             RXpBUkJnTlZCQWdNQ2tOaGJHbG1iM0p1YVdFeEVqQVFCZ05WQkFj             TQpDVU4xY0dWeWRHbHViekVUTUJFR0ExVUVDZ3dLUVhCd2JHVWdT             VzVqTGpFYU1CZ0dBMVVFQ3d3UlJHVjJhV05sCklFMWhibUZuWlcx             bGJuUXhGVEFUQmdOVkJBTU1ERTFESUZKdmIzUWdRMlZ5ZERDQ0Fp             SXdEUVlKS29aSWh2Y04KQVFFQkJRQURnZ0lQQURDQ0Fnb0NnZ0lC             QUpZVUFISWErRHI1Q0JzeEQ5NjJTRTc1WG50UzNmTEYyRGJIdHFT             YwpwdXpsRVhEeC8yaXNVWHVKVkhYdlNkWkx3YmpFRFJKMTF5WlNv             SzFTMTJVOFVUS1VsK2JHUS9HbjcxVkJnblY2CmFxYmRWVzRFOGxJ             bU1rN2paRE1IMW14a3cxOWZHdEREaEVOMTA1R3g3K2RVbkpzMTdz             NHAramJIUThwbzNIY2sKNG5VejgyVTZKUmJXdU5SZFNxNWIvaDNT             VzlBM2laMXRPRHlNbExOK1ZyaHREYkxhRS9URlk1eFovdjRiUmZ2             RQpGSjYvVVQ2bGc3RVorcjBYdnljV0tvMnZUL2ZPdUVHbU5CczFy             YmNPZ3dpQlZEUjdXRG5Pb3RUVkHtMUxydFZFCmFtVlljUHdxSjlu             Y01hSk14Y01JNHZDazR4eFBwNy9jeEJzcGQwK2diR1lYSVlkYnI5             YlM2Q1RhMHkzTmIxeCsKdnJZN1RTWFBHSFRNQzAvYXBQQ21CRjBy             RFdzNm1ZcytFKzRQaENLaDUyeFRROHp5WjVRNk5yOVhqUVJKajl2             YgpKa2pMMTY1NnJwVFBFV21CUzJxQ1ZqTUxpbFA4MGE1MDVkd0kx             YzZwa1NrUDczMGtIaExtQ1R4ZkJwb1Jid1p5CjFrQk1qM2xhWkE5             Y21UUlFiT1pQMkYzNVVudmw1LzFuNG5Wd0N4R1Mzc2U1NWxudzh3             SzUvRmtBYXptS1dDdzAKTnZjRUc5T0FtQUIrNWpaVVdNZXdoenFy             TWdMUDFQbm1qR0twemN0dG8vTmxQZE91QVhnZ1A0ZjlPaVkyNlV4             UwpHcW55R2hXamlIbTZIeXkvMWNuNXRYZVNMcVZISzZoaXJINk1o             eks4K0R5Rkg2N0R3dmIyTnRKUkhadUhTb0FXClRwS2ZBZ01CQUFF             d0RRWUpLb1pJaHZjTkFSSUxCUUFEZ2dJQkFHVWl4VDEwaW5KcVVq             b0NtTWpHNlJwL1hGRUgKZzZoQml6OFUveVJWUEhvMG9RNFREdnIw             WDBFOXk3Lyt3YXc5clpIRTdqd1VOendtWXZFeWwwMzZCcFQyVVZB             aQpvWDAyMDZqcmVXSk9nTVYxbFlBVWhYZTY1eml2ak9WRE9rVFFX             aUZKb3pjbXYwdXZabmsrRWl4eFByUEJYOThOClhRNEF5VWt5S25n             WTVHSnlPbW5iK3ZnUlFCM25yTXpJbXIyekxNUlp2b21DT1pEV0FK             ZGF3UlNZTXBFOGZreVAKZnY3QzVWOXdLVllxVFJNd1FEbk1YL1g5             eUFUTXV0QWV0MTV3N2taN3JYenc4ZFxjZFBwMlBSQkJIem1kWWF3             egpmbFdWT2dBKzdHSTcwVkVtNER6UkxCVmJjaUcyZU1mVEtYemZX             eGcrbHhQaWxacy82T2Y1aG9jdVRWeVhEeHJnCkUwRDZLbFVSK2k0             N3ovZDRTaWsrSVdJRkx3Y21XOEhFelEyVzlTakFwSDRTaGhEKzBz             UXQ2bzZMNjA0cjBqTzEKbUhYbkhxSmNGRmVaYjlONzJrMElNZTJv             MForaXd1YmJYamZQZzlMV1EzamVJOVJPZkJzWlA1ZkE1MkxiRlB5             UgpiSkxOODl4cm5DeEt2TzVsUHp2WHpwYXlrRUNWRG1Oa0lZMlRO             WG4yUnVmQVdDYXpFVWlLd2lPQ1JLZjJSTHBPCmZUb25IYVdIZi9B             NzBqWTJXb1JGQ3laV1BnQ3U2QW1kMFNNK3p2cm1NQi9SLzZBYlQv             WDFjckFQR1ArNkVzU0YKeHBkRHJqZUdLYWlYM3l0UmVBSnFFMEFQ             YWt4OENXR2haMkVVOUlnY3loNTE2bGY4OXlUcTBEbGlCUjNDWVJl             bgpsMGJhMSt6M1J6VlZhRWgvCi0tLS0tRU5EIENFUlRJRklDQVRF             LS0tLS0K             </data>             <key>PayloadIdentifier</key>             <string>com.example.mypempayload</string>             <key>PayloadType</key>             <string>com.apple.security.pem</string>             <key>PayloadUUID</key>             <string>0dfe81fe-e8f6-45c0-9860-2c893fe30114</string>             <key>PayloadVersion</key>             <integer>1</integer>         </dict>         <dict>             <key>PayloadContent</key>             <dict>                 <key>URL</key>                 <string>https://mdm.example.com:2002/scep</string>                 <key>Key Type</key>                 <string>RSA</string>                 <key>Key Usage</key>                 <integer>5</integer>                 <key>Keysize</key>                 <integer>2048</integer>                 <key>Subject</key>                 <array>                     <array>                         <array>                             <string>O</string>                             <string>Example, Inc.</string>                         </array>                     </array>                     <array>                         <array>                             <string>CN</string>                             <string>Device Certificate</string>                         </array>                     </array>                 </array>                 <key>Challenge</key>                 <string>MDMEnrollment</string>             </dict>             <key>PayloadIdentifier</key>             <string>com.example.mysceppayload</string>             <key>PayloadType</key>             <string>com.apple.security.scep</string>             <key>PayloadUUID</key>             <string>47492623-e4e7-4a64-ba63-2f31d2ca1a5f</string>             <key>PayloadVersion</key>             <integer>1</integer>         </dict>         <dict>             <key>IdentityCertificateUUID</key>             <string>47492623-e4e7-4a64-ba63-2f31d2ca1a5f</string>             <key>ServerURL</key>             <string>https://mdm.example.com:2001/mdm</string>             <key>Topic</key>             <string>com.apple.mgmt.External.c809ab17-1cbd-48f2-8dc7-e952131df20c</string>             <key>AccessRights</key>             <integer>8191</integer>             <key>ServerCapabilities</key>             <array>                 <string>com.apple.mdm.per-user-connections</string>                 <string>com.apple.mdm.bootstraptoken</string>             </array>             <key>CheckInURL</key>             <string>https://mdm.example.com:2001/checkin</string>             <key>CheckOutWhenRemoved</key>             <true/>             <key>PromptUserToAllowBootstrapTokenForAuthentication</key>             <false/>             <key>PayloadIdentifier</key>             <string>com.example.mymdmpayload</string>             <key>PayloadType</key>             <string>com.apple.mdm</string>             <key>PayloadUUID</key>             <string>0ae4af50-590a-4478-b540-aa0a21da23f1</string>             <key>PayloadVersion</key>             <integer>1</integer>         </dict>     </array>     <key>PayloadDisplayName</key>     <string>MDM</string>     <key>PayloadIdentifier</key>     <string>com.example.myprofile</string>     <key>PayloadType</key>     <string>Configuration</string>     <key>PayloadUUID</key>     <string>1f4ef23b-ab01-45b9-879c-7a036e47b083</string>     <key>PayloadVersion</key>     <integer>1</integer> </dict> </plist>

## See Also

### Managed devices

- [EducationConfiguration](devicemanagement/educationconfiguration.md)
- [LightsOutManagementLOM](devicemanagement/lightsoutmanagementlom.md)
- [ManagedPreferences](devicemanagement/managedpreferences.md)
- [ProfileRemovalPassword](devicemanagement/profileremovalpassword.md)