Contents

SystemPolicyRule

The payload that configures the system policy.

Declaration

object SystemPolicyRule

Properties

NameTypeDescription
Commentstring

This string appears in the System Policy UI. If it’s missing, PayloadDisplayName or PayloadDescription is entered into this field before the rule is added to the System Policy database.

Expirationdate

The expiration date for rules being processed.

LeafCertificatedata

The single leaf certificate for the app that is in the allow list.

OperationTypestring

The type of operation.

Prioritynumber

The rule’s priority.

Requirementstring

The policy requirement. This key must follow the syntax described in Code Signing Requirement Language.

Discussion

Specify com.apple.systempolicy.rule as the payload type.

This payload allows control over Gatekeeper’s system policy rules. The keys and functionality are tightly related to the spctl command line tool. For more information, see the manual page for spctl.

This payload can only exist in a device profile. If the payload is present in a user profile, an error occurs during installation and the profile installation fails.

Profile availability

Device channel

macOS

User channel

NA

Allow manual install

macOS

Requires supervision

NA

Requires user-approved MDM

NA

Allowed in user enrollment

NA

Allow multiple payloads

macOS

Profile example

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>Priority</key>
            <real>101</real>
            <key>Requirement</key>
            <string>anchor apple generic and identifier "com.example.myapp" and (certificate leaf[field.9.8.765.432109.876.5.4.3] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.9.8.765.432109.876.5.4.3] /* exists */ and certificate leaf[subject.OU] = "ABCDE12345")</string>
            <key>PayloadIdentifier</key>
            <string>com.example.mysystempolicyrulepayload</string>
            <key>PayloadType</key>
            <string>com.apple.systempolicy.rule</string>
            <key>PayloadUUID</key>
            <string>624b5152-a1cd-4bac-baa3-51fbb1f04973</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>System Policy Rule</string>
    <key>PayloadIdentifier</key>
    <string>com.example.myprofile</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>7fa54f02-e6e1-4042-bb75-a2a4d962ac6d</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

See Also

System Policy