Contents

SecurityInfoResponse.SecurityInfo

A dictionary that contains security-related information.

Declaration

object SecurityInfoResponse.SecurityInfo

Properties

NameTypeDescription
AuthenticatedRootVolumeEnabledboolean

If true, the system booted using an Authenticated Root Volume.

Available: macOS 11+

AutoLockTimeinteger

The number of seconds before a device goes to sleep after being idle. This value is only available on Shared iPad in iOS 17 and later.

Available: iOS 17+ | iPadOS 17+

BootstrapTokenAllowedForAuthenticationstring

This value specifies whether the Secure Enclave Processor (SEP) supports and allows secure operations to use the Bootstrap Token. The value is automatically set for devices enrolled through Automated Device Enrollment (ADE). The user can also manually set this value in the RecoveryOS.

This value is available for a Mac with Apple silicon in macOS 11 and later. Not available for user enrollment.

Available: macOS 11+

BootstrapTokenRequiredForKernelExtensionApprovalboolean

If true, the device can accept a Bootstrap Token from the MDM server instead of prompting for user authentication prior to enabling kernel extensions. This includes enabling kexts through the com.apple.syspolicy.kernel-extension-policy payload or triggering the RestartDevice command with RebuildKernelCache set to true. This only applies when BootstrapTokenAllowedForAuthentication is true in the SecurityInfoResponse.SecurityInfo response.

This value is available for a Mac with Apple silicon in macOS 11 and later. Not available for user enrollment.

Available: macOS 11+

BootstrapTokenRequiredForSoftwareUpdateboolean

If true, the device can accept a Bootstrap Token from the MDM server instead of prompting for user authentication prior to installation. This only applies when BootstrapTokenAllowedForAuthentication is true in the SecurityInfoResponse.SecurityInfo response.

This value is available for a Mac with Apple silicon in macOS 11 and later. Not available for user enrollment.

Available: macOS 11+

FDE_Enabledboolean

If true, the device has enabled FileVault full disk encryption (FDE).

Available: macOS 10.9+

FDE_HasInstitutionalRecoveryKeyboolean

If true, FileVault FDE has an institutional recovery key.

Available: macOS 10.9+

FDE_HasPersonalRecoveryKeyboolean

If true, FileVault FDE has a personal recovery key.

Available: macOS 10.9+

FDE_PersonalRecoveryKeyCMSdata

If the FileVault personal recovery key has enabled escrow with a recovery key, this value contains the key. The certificate from the FDERecoveryKeyEscrow profile encrypts the key and wraps it as CMS data.

Available: macOS 10.13+

FDE_PersonalRecoveryKeyDeviceKeystring

If the FileVault personal recovery key has enabled escrow with a recovery key, this value is the device serial number. This is the value that displays to the user at the EFI Login Window as part of the help message if they enter their password incorrectly three times. The server also uses this value as an index when saving the device personal recovery key. This replaces the recordNumber that the server returned in the previous escrow mechanism.

Available: macOS 10.13+

FirewallSettingsSecurityInfoResponse.SecurityInfo.FirewallSettings

A dictionary that contains the firewall settings.

Available: macOS 10.12+

FirmwarePasswordStatusSecurityInfoResponse.SecurityInfo.FirmwarePasswordStatus

A dictionary that contains the status of the EFI firmware password.

Available: macOS 10.13+

HardwareEncryptionCapsinteger

An integer that indicates the underlying hardware encryption capabilities of the device, which is one of the following values:

  • 1: Block-level encryption

  • 2: File-level encryption

  • 3: Both block-level and file-level encryption

Available: iOS 4+ | iPadOS 4+ | tvOS 9+ | visionOS 1.1+ | watchOS 10+

IsRecoveryLockEnabledboolean

If true, a password is required to enter recovery (see SetRecoveryLockCommand). Available in macOS 11.5 and later and only on a Mac with Apple silicon.

Available: macOS 11.5+

ManagementStatusSecurityInfoResponse.SecurityInfo.ManagementStatus

A dictionary that contains the status of the device’s MDM enrollment.

Available: iOS 13+ | iPadOS 13+ | macOS 10.13.2+ | tvOS 13+ | visionOS 1.1+ | watchOS 10+

PasscodeCompliantboolean

If true, the user’s passcode is compliant with all requirements on the device, including Exchange and other accounts.

Available: iOS 4+ | iPadOS 4+ | tvOS 9+ | visionOS 1.1+ | watchOS 10+

PasscodeCompliantWithProfilesboolean

If true, the user’s passcode is compliant with requirements from profiles. This key doesn’t apply to User-Enrolled devices.

Available: iOS 4+ | iPadOS 4+ | tvOS 9+ | visionOS 1.1+ | watchOS 10+

PasscodeLockGracePeriodinteger

The user preference for the number of seconds before a locked screen requires the device passcode to unlock it. This value is only available for Shared iPad.

Available: iOS 9.3.2+ | iPadOS 9.3.2+ | tvOS 9+ | visionOS 1.1+ | watchOS 10+

PasscodeLockGracePeriodEnforcedinteger

The enforced value for the number of seconds before a locked screen requires the device passcode to unlock it. If a device has a passcode, changing PasscodeLockGracePeriod to a larger value doesn’t take effect until the user logs out or removes the passcode. This value is only available for Shared iPad.

Available: iOS 9.3.2+ | iPadOS 9.3.2+ | tvOS 9+ | visionOS 1.1+ | watchOS 10+

PasscodePresentboolean

If true, the device has a passcode. This key doesn’t apply to User-Enrolled devices.

Available: iOS 4+ | iPadOS 4+ | tvOS 9+ | visionOS 1.1+ | watchOS 10+

RemoteDesktopEnabledboolean

If true, Remote Desktop is active on the device.

Available: macOS 10.14.4+

SecureBootSecurityInfoResponse.SecurityInfo.SecureBoot

A dictionary that contains the device’s Secure Boot settings.

Available: macOS 10.15+

SystemIntegrityProtectionEnabledboolean

If true, System Integrity Protection (SIP) is active on the device.

Available: macOS 10.12+

Topics

Objects

See Also

Objects