Contents

SafariExtensionSettings

The declaration to configure Safari Extensions.

Declaration

object SafariExtensionSettings

Properties

NameTypeDescription
ManagedExtensionsSafariExtensionSettingsManagedExtensionsObject

The dictionary of managed extensions settings. Each key in the dictionary represents a composed identifier for a specific managed extension, or you can specify a single “*” character to match any extension. The dictionary values represent the settings that Safari applies to each extension that matches the key. In order for the extension to be managed, its host app needs to be present on the device.

The composed identifier of a managed extension uses the format “Identifier (TeamIdentifier)”, for example “com.example.app (ABCD1234)”. Use codesign -dv <path_to_appex> to show the information you need to generate this string on macOS, using the path to the extension bundle located in the “PlugIns” folder inside the app bundle. For other platforms, request this information from the app developer.

Discussion

Specify com.apple.configuration.safari.extensions.settings as the declaration type.

Safari supports the following values for AllowedDomains and DeniedDomains:

  • A specific domain such as “example.com” or “www.example.com”.

  • A wildcard domain that uses a single “*” character as a prefix for the domain, such as “*example.com”. This matches both the exact domain “example.com”, and any sub-domains such as “www.example.com”. It won’t match other domains with a similar string suffix such as “myexample.com”.

  • A global wildcard specified as a single “*” character that matches any domain.

Safari determines whether a domain is allowed or denied using the following precedence rules:

  1. A specific domain takes precedence over the global wildcard or a wildcard domain.

  2. A wildcard domain takes precedence over the global wildcard.

If the same value appears in both AllowedDomains and DeniedDomains, Safari denies use of a matching domain.

The user can configure any domains not matched by the values in AllowedDomains or DeniedDomains.

Examples

Give an extension access to only “example.com” and its sub-domains, and deny access to everywhere else.

"AllowedDomains": ["*example.com"],
"DeniedDomains": ["*"]

Give an extension access to “example.com” and its sub-domains, without deny anywhere else. The user can make their own choice for other domains.

"AllowedDomains": ["*example.com"]

Give an extension access to “example.com” and its sub-domains, but deny access to “private.example.com” or anywhere else.

"AllowedDomains": ["*example.com"],
"DeniedDomains": ["private.example.com", "*"]

Give an extension access to “public.example.com”, but deny access to “example.com” or any other of its sub-domains. The user can make their own choice for other domains.

"AllowedDomains": ["public.example.com"],
"DeniedDomains": ["*example.com"]

Configuration availability

Allowed in supervised enrollment

iOS, macOS, Shared iPad, visionOS

Allowed in device enrollment

NA

Allowed in user enrollment

NA

Allowed in local enrollment

NA

Allowed in system scope

iOS, visionOS

Allowed in user scope

macOS, Shared iPad

Configuration examples

Topics

Objects

See Also

Configurations