From dc25ddb461310664c35faf97d5c941fe07caf504 Mon Sep 17 00:00:00 2001 From: DigiYann <114911792+DigiYann@users.noreply.github.com> Date: Tue, 8 Aug 2023 10:31:26 +0200 Subject: [PATCH] DigiDNA minor release updates (#588) * 2022-12 platforms minor version release updates * Changed as the original yaml from Apple but both pfm_description, pfm_description_reference and pfm_note should be controlled * Changed last modified and fixed minors errors such as 2 dots, etc. * Date correction * * Added: pfm_title key at line 359 and value at line 360 * * Added: pfm_platforms key value for macOS * Changed: pfm_last_modified date * Platforms sorted * Added back Domains detail lost in merge --------- Co-authored-by: Ari Leviatan Co-authored-by: Yann BERNARD --- .../ManifestsApple/com.apple.domains.plist | 36 ++++++++-------- .../com.apple.security.acme.plist | 41 ++++++++++++++++++- .../com.apple.servicemanagement.plist | 14 ++++++- .../com.apple.webcontent-filter.plist | 16 ++------ 4 files changed, 74 insertions(+), 33 deletions(-) diff --git a/Manifests/ManifestsApple/com.apple.domains.plist b/Manifests/ManifestsApple/com.apple.domains.plist index 6fc7d00a0..63ea19864 100755 --- a/Manifests/ManifestsApple/com.apple.domains.plist +++ b/Manifests/ManifestsApple/com.apple.domains.plist @@ -13,7 +13,7 @@ pfm_interaction combined pfm_last_modified - 2023-02-27T08:57:44Z + 2023-04-18T11:14:46Z pfm_platforms iOS 
@@ -161,16 +161,16 @@ The payload organization for a payload need not match the payload organization i pfm_description Downloads from Safari will be considered managed documents if they originate from a managed domain. - pfm_description_reference - Optional. An array of URL strings. URLs matching the patterns listed here will be considered managed. Not supported in macOS. pfm_description_extended Any email address that does not have a suffix that matches one of the unmarked email domains specified by the key EmailDomains will be considered out-of-domain and will be highlighted as such in the Mail app. + pfm_description_reference + Optional. An array of URL strings. URLs matching the patterns listed here will be considered managed. Not supported in macOS. + pfm_name + WebDomains pfm_platforms iOS - pfm_name - WebDomains pfm_subkeys @@ -194,18 +194,6 @@ The payload organization for a payload need not match the payload organization i pfm_description User names and passwords entered in websites with Safari can be saved if the domain is listed. - pfm_description_reference - Optional. An array of URL strings. Supported in iOS 9.3 and later; not supported in macOS. Users can save passwords in Safari only from URLs matching the patterns listed here. Regardless of the iCloud account that the user is using, if the device is not supervised, there can be no whitelist. If the device is supervised, there may be a whitelist, but if there is still no whitelist, note these two cases: -• IfthedeviceisconfiguredasSharediPad, no password can be saved. -• IfthedeviceisnotconfiguredasShared iPad, all passwords can be saved. - pfm_ios_min - 9.3 - pfm_platforms - - iOS - - pfm_name - SafariPasswordAutoFillDomains pfm_description_extended Opening a document originating from a managed Safari web domain causes iOS to treat the document as managed for the purpose of Managed Open In. 
@@ -224,6 +212,18 @@ Trailing slashes will be ignored. If a ManagedWebDomain string entry contains a port number, only addresses that specify that port number will be considered managed. Otherwise, the domain will be matched without regard to the port number specified. For example, the pattern *.apple.com:8080 will match http://site.apple.com:8080/page.html but not http://site.apple.com/page.html, while the pattern *.apple.com will match both URLs. Managed Safari Web Domain definitions are cumulative. Patterns defined by all Managed Web Domains payloads will be used to match a URL request. SafariPasswordAutoFillDomains definitions are cumulative. Patterns defined by all SafariPasswordAutoFillDomains payloads will be used to determine if passwords can be stored for a given URL. + pfm_description_reference + Optional. An array of URL strings. Supported in iOS 9.3 and later; not supported in macOS. Users can save passwords in Safari only from URLs matching the patterns listed here. Regardless of the iCloud account that the user is using, if the device is not supervised, there can be no whitelist. If the device is supervised, there may be a whitelist, but if there is still no whitelist, note these two cases: +• IfthedeviceisconfiguredasSharediPad, no password can be saved. +• IfthedeviceisnotconfiguredasShared iPad, all passwords can be saved. + pfm_ios_min + 9.3 + pfm_name + SafariPasswordAutoFillDomains + pfm_platforms + + iOS + pfm_subkeys @@ -271,6 +271,8 @@ SafariPasswordAutoFillDomains definitions are cumulative. Patterns defined by al pfm_subkeys + pfm_name + CrossSiteTrackingPreventionRelaxedDomainItemM pfm_title Domain pfm_type diff --git a/Manifests/ManifestsApple/com.apple.security.acme.plist b/Manifests/ManifestsApple/com.apple.security.acme.plist index cce47fd41..66889bedf 100644 --- a/Manifests/ManifestsApple/com.apple.security.acme.plist +++ b/Manifests/ManifestsApple/com.apple.security.acme.plist 
@@ -13,10 +13,13 @@ pfm_ios_min 16.0 pfm_last_modified - 2022-09-06T09:11:27Z + 2023-04-18T11:08:07Z + pfm_macos_min + 13.1 pfm_platforms iOS + macOS tvOS pfm_subkeys @@ -154,6 +157,8 @@ The valid values for 'KeySize' depend on the values of 'KeyType' and 'HardwareBound'. See those keys for specific requirements. pfm_name KeySize + pfm_note + On macOS, this key is required but must have a value of 'false'. pfm_require always pfm_title @@ -341,6 +346,38 @@ When 'Attest' is 'true', 'HardwareBound' must also be 'true'. pfm_type boolean + + pfm_default + + pfm_description + Whether the private key of the identity obtained via SCEP should be tagged as "non-extractable" in the keychain. + pfm_name + KeyIsExtractable + pfm_platforms + + macOS + + pfm_title + Key Is Extractable + pfm_type + boolean + + + pfm_default + + pfm_description + If true, all apps have access to the private key. + pfm_name + AllowAllAppsAccess + pfm_platforms + + macOS + + pfm_title + Allow All Apps Access + pfm_type + boolean + pfm_targets @@ -353,6 +390,6 @@ When 'Attest' is 'true', 'HardwareBound' must also be 'true'. pfm_unique pfm_version - 1 + 2 diff --git a/Manifests/ManifestsApple/com.apple.servicemanagement.plist b/Manifests/ManifestsApple/com.apple.servicemanagement.plist index b7f70b8df..83f033a33 100644 --- a/Manifests/ManifestsApple/com.apple.servicemanagement.plist +++ b/Manifests/ManifestsApple/com.apple.servicemanagement.plist @@ -11,7 +11,7 @@ pfm_format_version 1 pfm_last_modified - 2022-11-04T02:07:23Z + 2022-12-14T02:29:57Z pfm_macos_min 13.0 pfm_platforms @@ -184,6 +184,16 @@ pfm_type string + + pfm_description + An additional constraint to limit the scope of the rule that is tested after matching the RuleType/RuleValue. + pfm_name + TeamIdentifier + pfm_title + Team Identifier + pfm_type + string + pfm_title Rule @@ -206,6 +216,6 @@ pfm_unique pfm_version - 1 + 2 
diff --git a/Manifests/ManifestsApple/com.apple.webcontent-filter.plist b/Manifests/ManifestsApple/com.apple.webcontent-filter.plist index fcdeeeb3e..443593b04 100755 --- a/Manifests/ManifestsApple/com.apple.webcontent-filter.plist +++ b/Manifests/ManifestsApple/com.apple.webcontent-filter.plist @@ -255,7 +255,7 @@ The search algorithm is complex and may vary from release to release, but it is pfm_default pfm_description_reference - If true, enables the filtering of WebKit traffic. + If 'true', enables the filtering of WebKit traffic. Either 'FilterBrowsers or 'FilterSockets' must be 'true'. pfm_exclude @@ -777,7 +777,7 @@ The search algorithm is complex and may vary from release to release, but it is pfm_default pfm_description_reference - If true, enables the filtering of socket traffic. + If 'true', enables the filtering of socket traffic. Either 'FilterBrowsers' or 'FilterSockets' must be 'true'. pfm_exclude @@ -825,9 +825,7 @@ The search algorithm is complex and may vary from release to release, but it is pfm_description The bundle identifier string of the Filter Data Provider System Extension. This string identifies the Filter Data Provider when the filter starts running. pfm_description_reference - The bundle identifier string of the Filter Data Provider System Extension. This string identifies the Filter Data Provider when the filter starts running. This field is required if FilterSockets is set to 1. - -Available in macOS 10.15 and later. + The bundle identifier string of the Filter Data Provider System Extension. This string identifies the Filter Data Provider when the filter starts running. pfm_exclude 
@@ -933,13 +931,7 @@ Available in macOS 10.15 and later. pfm_description pfm_description_reference - If set to 1, enables the filtering of network packets. - -Either FilterPackets or FilterSockets must be true for the filter to have any effect. - -Can be used when FilterType is Plugin. - -Available in macOS 10.15 and later. + If this value is 'true', the property enables the filtering of network packets. Either 'FilterPackets' or 'FilterSockets' must be 'true'. You can only use this when 'FilterType' is 'Plugin'. pfm_exclude
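Review bot: In com.apple.domains.plist (hunks at -194 and -212), the pfm_description_reference for SafariPasswordAutoFillDomains is re-added with its two bullets still run together: "IfthedeviceisconfiguredasSharediPad" and "IfthedeviceisnotconfiguredasShared iPad". The block is being moved anyway, so restore the spaces ("If the device is configured as Shared iPad", "If the device is not configured as Shared iPad"). This text describes when Safari may save passwords and should be readable.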
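Review bot: In com.apple.domains.plist (hunk at -271), the new pfm_name value "CrossSiteTrackingPreventionRelaxedDomainItemM" ends in what looks like a stray "M". Please confirm the intended name (probably "CrossSiteTrackingPreventionRelaxedDomainItem") before merging, since pfm_name is the identifier tools key on.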
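Review bot: In com.apple.security.acme.plist (hunk at -154), the added pfm_note "On macOS, this key is required but must have a value of 'false'." is attached to KeySize, whose description says its valid values depend on 'KeyType' and 'HardwareBound'. A 'false' value does not fit a size key. The note reads as if it belongs to one of the boolean keys in this manifest (the next hunk's context mentions 'Attest' and 'HardwareBound'), so please check which key it was meant for and move it there.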
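Review bot: In com.apple.security.acme.plist (hunk at -341), the KeyIsExtractable description says "the identity obtained via SCEP" in an ACME manifest. It also describes tagging the key as "non-extractable", which is the opposite sense of the key name, so a reader cannot tell what 'true' does. Suggest rewording to state what 'true' means for extractability and replacing SCEP with ACME. Because this key and AllowAllAppsAccess both control exposure of the private key, also confirm that each pfm_default matches the documented platform default.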
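Review bot: In com.apple.servicemanagement.plist (hunk at -184), the new TeamIdentifier subkey has no version constraint of its own, while the manifest keeps pfm_macos_min 13.0 and pfm_version goes to 2. If the key was introduced after macOS 13.0, add a pfm_macos_min on the subkey, as the ACME change does with 13.1. Otherwise profiles built for 13.0 may carry a constraint the OS does not evaluate.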
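Review bot: In com.apple.webcontent-filter.plist (hunk at -255), the new FilterBrowsers text has an unbalanced quote: "Either 'FilterBrowsers or 'FilterSockets' must be 'true'." Add the closing quote after FilterBrowsers so it matches the FilterSockets wording added in the -777 hunk.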
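Review bot: In com.apple.webcontent-filter.plist (hunk at -825), the rewritten pfm_description_reference for the Filter Data Provider bundle identifier drops "This field is required if FilterSockets is set to 1." and "Available in macOS 10.15 and later." If the manifest does not already encode these as a conditional requirement and a pfm_macos_min on this key, that information is lost. Please confirm it is expressed structurally, or keep the sentences.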
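Review bot: In com.apple.webcontent-filter.plist (hunk at -933), the condensed FilterPackets text says "Either 'FilterPackets' or 'FilterSockets' must be 'true'", while the FilterBrowsers and FilterSockets descriptions changed in this patch say "Either 'FilterBrowsers' or 'FilterSockets' must be 'true'." Please reconcile the three so an admin can tell which combinations are valid. The removed "Available in macOS 10.15 and later." also needs to be covered by a pfm_macos_min on the key if it is not already.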