Apple's iOS 5 Changes to .mobileconfig Enhance Security and Add Features (updated)


(Update: AirWatch sent a useful summary of the changes. I've added them below.)

With the release of iOS 5, Apple has added some new features to its .mobileconfig specification. This is the fundamental specification for how Mobile Device Management services interface with the iPhone and iPad, which is why so many MDM providers offer similar features. MDM providers cannot offer new features until Apple updates this spec. So when Apple adds keys here, expect MDM providers to follow -- and the best to follow quickly.


The most significant changes are to email payloads, where a set of new keys allows for enhanced security.

PreventMove, if set to true, forces this email account into a fence. That is, messages received by this account cannot be moved into another account. This also prevents forwarding or replying from a different account than the original account.

PreventAppSheet, if set to true, prevents this account from being used in third-party applications.

SMIMEEnabled, and its companions SMIMESigningCertificateUUID and SMIMEEncryptionCertificateUUID, allow for signed and encrypted mail. SCEP-based credentials managed by the MDM system may be used here.


A number of new keys allow control over iCloud.

allowCloudBackup permits or disables iCloud device backup.

allowCloudDocumentSync can be used to disable document syncing, while allowCloudKeyValueSync can be used to disable key-value syncing for apps that use that iCloud technology (not every app is document-based). Finally, allowPhotoStream can be used to disable iCloud storage of device photos.


forceITunesStorePasswordEntry prevents iTunes from saving your backup password, so you'll need to enter it every time.

allowUntrustedTLSPrompt enhances SSL security by rejecting invalid certificates. The default behavior is to prompt the user, who may not think before tapping.

Here's a biggie: You can now disable voice and/or data roaming.


Wi-Fi payloads gain an AutoJoin key. The payload also describes known Wi-Fi networks more specifically by allowing specification of the EncryptionType and ProxyType.


Battery Life can now be queried.
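To check whether a given profile actually sets the email and restriction keys described above, an audit like the following can be run over an unsigned .mobileconfig. This is an added example, not code from the original post or from Apple; the "wanted" values are an assumed hardening policy, the sample profile and its identifiers are constructed, and the payload types com.apple.mail.managed and com.apple.applicationaccess are the standard email and restrictions payload types rather than names given in the post.

```python
import plistlib

# Assumed hardening policy for keys named in the article: key -> wanted value.
# Illustrative only; adjust to your organisation's requirements.
MAIL_POLICY = {"PreventMove": True, "PreventAppSheet": True, "SMIMEEnabled": True}
RESTRICTION_POLICY = {
    "allowCloudBackup": False,
    "allowCloudDocumentSync": False,
    "allowCloudKeyValueSync": False,
    "allowPhotoStream": False,
    "allowUntrustedTLSPrompt": False,
    "forceITunesStorePasswordEntry": True,
}
POLICY_BY_TYPE = {
    "com.apple.mail.managed": MAIL_POLICY,
    "com.apple.applicationaccess": RESTRICTION_POLICY,
}

def audit_profile(data: bytes) -> list:
    """Return (payload identifier, key, found value) for every policy miss."""
    profile = plistlib.loads(data)  # unsigned XML or binary plist only
    findings = []
    for payload in profile.get("PayloadContent", []):
        policy = POLICY_BY_TYPE.get(payload.get("PayloadType"), {})
        ident = payload.get("PayloadIdentifier", "<no identifier>")
        for key, wanted in policy.items():
            found = payload.get(key)  # None: key absent, OS default applies
            if found is not wanted:
                findings.append((ident, key, found))
    return findings

# Constructed sample profile: a partly fenced mail account plus restrictions.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [
        {"PayloadType": "com.apple.mail.managed",
         "PayloadIdentifier": "example.mail",
         "PreventMove": True, "PreventAppSheet": False},
        {"PayloadType": "com.apple.applicationaccess",
         "PayloadIdentifier": "example.restrictions",
         "allowCloudBackup": False, "allowUntrustedTLSPrompt": False,
         "allowPhotoStream": True},
    ],
})

if __name__ == "__main__":
    for ident, key, found in audit_profile(SAMPLE):
        print(f"{ident}: {key} is {'unset' if found is None else found}")
```

Keys reported as unset are the ones to watch: the profile parses cleanly, but the device falls back to its default behaviour for them.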

Share your ideas

bdogd's picture


Joined: Nov 19, 2010

Good info


Thanks Aaron.

This is great info and a good summary of what is new.

Scoosh's picture


Joined: Dec 7, 2010



One of the MDM vendors indicated that allowCloudKeyValueSync will be folded under allowCloudDocumentSync.

