Custom Schemas For Application Configuration Profiles

noahdowd
Contributor

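I created a couple of custom schemas in JSON for this new feature, just because I'm excited about it! I learned JSON Schema today to do this, so they might be a little basic, but maybe someone will find them useful. One thing to check before using them: the boolean properties below give their defaults as quoted strings ("false"/"true"), while a JSON Schema default should match the property's type, so write them as unquoted true/false.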
Enterprise Connect:

{
    "$schema": "http://json-schema.org/schema#",

    "definitions": {
        "share": {
            "type": "object",
            "properties": {
                "path": {"type": "string"}
            }
        }
    },

    "type": "object",
    "properties": {
        "adRealm": {"type": "string", "default": ""},
        "alwaysGetNewTicket": {"type": "boolean", "default": "false"},
        "checkForNetworkServer": {"type": "string", "default": ""},
        "checkForNetworkType": {"type": "boolean", "default": "false"},
        "checkShowLegacyCertificates": {"type": "boolean", "default": "false"},
        "connectDelay": {"type": "integer", "default": 0, "minimum": 0},
        "connectionCompletedScriptPath": {"type": "string", "default": ""},
        "connectReminderNagInterval": {"type": "integer", "default": 86400, "minimum": 0},
        "connectReminderTime": {"type": "integer", "minimum": 0},
        "dailyReconnectTime": {"type": "integer", "default": 86400, "minimum": 0},
        "debugMode": {"type": "boolean", "default": "false"},
        "destroyKerbTicketUponCardRemoval": {"type": "boolean", "default": "true"},
        "disablePasswordExpirationChecking": {"type": "boolean"},
        "disablePasswordFunctions": {"type": "boolean", "default": "false"},
        "managedshares": {
            "type": "array",
            "items": {"$ref": "#/definitions/share"},
            "default": []
        },
        "mountNetworkHomeDirectory": {"type": "boolean", "default": "false"},
        "orgLogoPath": {"type": "string"},
        "orgUsernameLabel": {"type": "string"},
        "passwordChangeScriptPath": {"type": "string"},
        "passwordChangeURL": {"type": "string"},
        "passwordExpireOverride": {"type": "integer", "minimum": 0},
        "passwordNotificationDays": {"type": "integer", "default": 15, "minimum": 0},
        "preferredDC": {"type": "string"},
        "prepopulatedUsername": {"type": "string", "default": ""},
        "pwReqComplexity": {"type": "boolean", "default": "false"},
        "pwReqComplexityDisableUnicode": {"type": "boolean", "default": "false"},
        "pwReqHistoryCount": {"type": "integer", "minimum": 0},
        "pwReqLength": {"type": "integer", "minimum": 0},
        "pwReqMinimumPasswordAge": {"type": "integer", "minimum": 0},
        "pwReqText": {"type": "string", "default": ""},
        "runAuditScript": {"type": "boolean"},
        "runAuditScriptPath": {"type": "string"},
        "runPasswordChangeScriptOnLocalPasswordSync": {"type": "boolean", "default": "true"},
        "runPeriodicStateCheck": {"type": "boolean", "default": "true"},
        "setupReminderNagInterval": {"type": "integer", "default": 86400, "minimum": 0},
        "shareMountWaitSeconds": {"type": "integer", "default": 0, "minimum": 0},
        "showKeychainIdentities": {"type": "boolean", "default": "false"},
        "showMenuExtra": {"type": "boolean", "default": "true"},
        "showUsernameWithSmartcard": {"type": "boolean", "default": "false"},
        "smartCardMode": {"type": "boolean", "default": "false"},
        "syncLocalPassword": {"type": "boolean"}
    }
}

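And Firefox (the defaults here are sample values such as example.com and placeholders like URL_TO_ALTERNATE_PROVIDER, so replace them before deploying):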

{
    "$schema": "http://json-schema.org/schema#",

    "definitions": {
        "bookmark": {
            "type": "object",
            "properties": {
                "Folder": {"type": "string"},
                "URL": {"type": "string"},
                "Title": {"type": "string"},
                "Favicon": {"type": "string"},
                "Placement": {"type": "string"}
            }
        }
    },

    "type": "object",
    "properties": {
        "DisableSetDesktopBackground": {"type": "boolean", "default": "true"},
        "Preferences": {
            "type": "object",
            "properties": {
                "app.update.auto": {"type": "boolean", "default": "true"},
                "security.default_personal_cert": {"type": "string", "default": "Ask Every Time"}
              }
        },
        "DisableProfileImport": {"type": "boolean", "default": "true"},
        "DisableSecurityBypass": {
            "type": "object",
            "properties": {
               "InvalidCertificate": {"type": "boolean", "default": "true"},
               "SafeBrowsing": {"type": "boolean", "default": "true"}
            }
       },
        "DNSOverHTTPS":{
            "type": "object",
            "properties": {
               "Enabled": {"type": "boolean", "default": "false"},
               "Locked": { "type": "boolean", "default": "true"},
               "ProviderURL": { "type": "string", "default": "URL_TO_ALTERNATE_PROVIDER" }
           }
        },
        "CaptivePortal": { "type": "boolean", "default": "false" },
        "DisableAppUpdate": { "type": "boolean", "default": "true" },
        "DefaultDownloadDirectory": { "type": "string", "default": "${home}/Downloads" },
        "DontCheckDefaultBrowser": { "type": "boolean", "default": "true" },
        "SSLVersionMin": { "type": "string", "default": "tls1.2" },
        "Certificates":{
            "type": "object",
            "properties": {
               "Install": {
                "type": "array",
                "items": {"type": "string"},
                "default": ["cert1.der","cert2.pem"]
               },
               "ImportEnterpriseRoots": { "type": "boolean", "default": "true" }
            }
        },
        "Homepage":{
            "type": "object",
            "properties": {
               "URL": { "type": "string", "default": "http://example.com" },
               "Additional": {
                "type": "array",
                    "items": {"type": "string"},
                    "default": ["https://www.example.com/extra-home1.htm","https://www.example.com/extra-home2.htm","https://www.example.com/extra-home3.htm"]
                },
               "Locked": { "type": "boolean", "default": "true" },
                "StartPage": { "type": "string", "default": "homepage"}
            }
        },
        "DisableFormHistory": { "type": "boolean", "default": "true" },
        "SupportMenu":{
            "type": "object",
            "properties": {
               "Title": { "type": "string", "default": "Click here for help" },
               "URL": { "type": "string", "default": "http://example.edu/" },
               "AccessKey": { "type": "string", "default": "C" }
            }
        },
        "DisableSafeMode": { "type": "boolean", "default": "true" },
        "ExtensionUpdate": { "type": "boolean", "default": "false" },
        "DisableSystemAddonUpdate": { "type": "boolean", "default": "true" },
        "DisableFirefoxScreenshots": { "type": "boolean", "default": "true"},
        "FlashPlugin":{
            "type": "object",
            "properties": {
                "Allow": {
                    "type": "array",
                    "items": {"type": "string"},
                    "default": ["https://www.example.com"]
                },
               "Block": {
                    "type": "array",
                    "items": {"type": "string"},
                    "default": ["https://www.example.org"]
                },
               "Default": { "type": "boolean", "default": "true" },
               "Locked": { "type": "boolean", "default": "true" }
            }
        },
        "DisableFirefoxAccounts": { "type": "boolean", "default": "true" },
        "ExtensionSettings":{
            "type": "object",
            "properties": {
               "*":{
                "type": "object",
                "properties": {
                      "blocked_install_message": {"type": "string", "default": "Custom error message"},
                      "install_sources": {
                            "type": "array",
                            "items": {"type": "string"},
                            "default": ["https://addons.mozilla.org/"]
                      },
                      "installation_mode": {"type": "string", "default": "blocked"}
                }
               },
               "uBlock0@raymondhill.net":{
                "type": "object",
                "properties": {
                      "installation_mode": {"type": "string", "default": "force_installed"},
                      "install_url": {"type": "string", "default": "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"}
                }
               }
            }
        },
        "DisplayBookmarksToolbar": { "type": "boolean", "default": "true" },
        "HardwareAcceleration": { "type": "boolean", "default": "false" },
        "DisablePrivateBrowsing": { "type": "boolean", "default": "true" },
        "EnterprisePoliciesEnabled": { "type": "boolean", "default": "false" },

        "Bookmarks": {
            "type": "array",
            "items": {"$ref": "#/definitions/bookmark"},
            "default": [{"Folder":"Example1Folder","URL":"https://www.example.org","Title":"Example1","Favicon":"https://www.example.org/favicon.ico","Placement":"toolbar"},{"Folder":"Example2Folder","URL":"https://www.example.com","Title":"Example2","Favicon":"https://www.example.com/favicon.ico","Placement":"menu"}]
        },
        "NetworkPrediction": { "type": "boolean", "default": "false" },
        "EnableTrackingProtection":{
            "type": "object",
            "properties": {
               "Fingerprinting": { "type": "boolean", "default": "true" },
               "Value": { "type": "boolean", "default": "true" },
               "Locked": { "type": "boolean", "default": "true" },
               "Cryptomining": { "type": "boolean", "default": "true" }
            }
        },
        "OverrideFirstRunPage": {"type": "string", "default": "https://www.example.com"},
        "Extensions":{
            "type": "object",
            "properties": {
               "Install": {
                "type": "array",
                "items": {"type": "string"},
                "default": ["https://addons.mozilla.org/firefox/downloads/file/1053714/ghostery_privacy_ad_blocker-8.2.4-an+fx.xpi"]
               },
               "Uninstall": {
                "type": "array",
                "items": {"type": "string"},
                "default": []
                },
               "Locked":
               {
                "type": "array",
                "items": {"type": "string"},
                "default": ["firefox@ghostery.com"]
                }
            }
        },
        "Authentication":{
            "type": "object",
            "properties": {
               "NTLM": {
                "type": "array",
                "items": {"type": "string"},
                "default": ["mydomain.com","https://myotherdomain.com"]
                },
               "Delegated": {
                "type": "array",
                "items": {"type": "string"},
                "default": ["mydomain.com","https://myotherdomain.com"]
               },
               "AllowNonFQDN":{
                "type": "object",
                "properties": {
                    "SPNEGO": { "type": "boolean", "default": "true" },
                    "NTLM": { "type": "boolean", "default": "true" }
                }
               },
               "AllowProxies":{
                "type": "object",
                "properties": {
                      "SPNEGO": { "type": "boolean", "default": "true" },
                      "NTLM": { "type": "boolean", "default": "true" }
                    }
               },
               "Locked": { "type": "boolean", "default": "true" },
               "SPNEGO": {
                "type": "array",
                "items": {"type": "string"},
                "default": ["mydomain.com","https://myotherdomain.com"]
                }
           }
        },
        "Proxy":{
            "type": "object",
            "properties": {
               "SocksVersion": {"type": "string", "default": "4"},
               "Mode": {"type": "string", "default": "manual"},
               "HTTPProxy": {"type": "string", "default": "proxy.example.com:80"},
            "Locked": { "type": "boolean", "default": "true" }
            }
        },
        "SecurityDevices":{
            "type": "object",
            "properties": {
               "NAME_OF_DEVICE": {"type": "string", "default": "PATH_TO_LIBRARY_FOR_DEVICE"}
            }
        },
        "OverridePostUpdatePage": {"type": "string", "default": ""},
        "BlockAboutSupport": { "type": "boolean", "default": "true" },
        "LocalFileLinks": {
            "type": "array",
            "items": {"type": "string"},
            "default": ["http://example.org","http://example.edu"]
        },
        "Permissions":{
            "type": "object",
            "properties": {
               "Camera":{
                "type": "object",
                "properties": {
                      "Allow": {
                        "type": "array",
                        "items": {"type": "string"},
                        "default": ["https://example.org"]
                        },
                      "BlockNewRequests": { "type": "boolean", "default": "true" },
                      "Block": {
                        "type": "array",
                        "items": {"type": "string"},
                        "default": ["https://example.edu"]
                        },
                      "Locked": { "type": "boolean", "default": "true" }
                    }
               },
               "Microphone":{
                "type": "object",
                "properties": {
                      "Allow": {
                        "type": "array",
                        "items": {"type": "string"},
                        "default": ["https://example.org"]
                        },
                      "BlockNewRequests": { "type": "boolean", "default": "true" },
                      "Block": {
                      "type": "array",
                      "items": {"type": "string"},
                      "default": ["https://example.edu"]
                      },
                      "Locked": { "type": "boolean", "default": "true" }
                    }
               },
               "Location":{
                "type": "object",
                "properties": {
                      "Allow": {
                        "type": "array",
                        "items": {"type": "string"},
                        "default": ["https://example.org"]
                        },
                      "BlockNewRequests": { "type": "boolean", "default": "true" },
                      "Block": {
                      "type": "array",
                      "items": {"type": "string"},
                      "default": ["https://example.edu"]
                      },
                      "Locked": { "type": "boolean", "default": "true" }
                    }
               },
               "Notifications":{
                "type": "object",
                "properties": {
                      "Allow": {
                        "type": "array",
                        "items": {"type": "string"},
                        "default": ["https://example.org"]
                        },
                      "BlockNewRequests": { "type": "boolean", "default": "true" },
                      "Block": {
                      "type": "array",
                      "items": {"type": "string"},
                      "default": ["https://example.edu"]
                      },
                      "Locked": { "type": "boolean", "default": "true" }
                    }
               }
            }
        } ,
        "PasswordManagerEnabled": { "type": "boolean", "default": "false" },
        "NoDefaultBookmarks": { "type": "boolean", "default": "true" },
        "FirefoxHome":{
            "type": "object",
            "properties": {
               "TopSites": { "type": "boolean", "default": "true" },
               "Pocket": { "type": "boolean", "default": "false" },
               "Search": { "type": "boolean", "default": "true" },
               "Snippets": { "type": "boolean", "default": "false" },
               "Locked": { "type": "boolean", "default": "true" },
               "Highlights": { "type": "boolean", "default": "true" }
            }
        },
        "DisableFeedbackCommands": { "type": "boolean", "default": "true" },
        "DisablePasswordReveal": { "type": "boolean", "default": "true" },
        "AppUpdateURL": {"type": "string", "default": "https://www.example.com/update.xml"},
        "DisableTelemetry": { "type": "boolean", "default": "true" },
        "DisableDeveloperTools": { "type": "boolean", "default": "true" },
        "SearchBar": {"type": "string", "default": "separate"},
        "WebsiteFilter":{
            "type": "object",
            "properties": {
               "Block": {
                "type": "array",
                "items": {"type": "string"},
                "default": ["<all_urls>"]
               },
               "Exceptions": {
                    "type": "array",
                    "items": {"type": "string"},
                    "default": ["https://www.google.com/*","https://www.yahoo.com/*"]
                }
            }
        },
        "DisableFirefoxStudies": { "type": "boolean", "default": "true" },
        "DownloadDirectory": {"type": "string", "default": "${home}/Downloads"},
        "BlockAboutConfig": { "type": "boolean", "default": "true" },
        "DisableMasterPasswordCreation": { "type": "boolean", "default": "true" },
        "SanitizeOnShutdown": { "type": "boolean", "default": "true" },
        "InstallAddonsPermission":{
            "type": "object",
            "properties": {
               "Allow": {
                "type": "array",
                "items": {"type": "string"},
                "default": ["https://example.org","https://example.edu"]
               },
               "Default": { "type": "boolean", "default": "false" }
            }
        },
        "DisablePocket": { "type": "boolean", "default": "true" },
        "DisableBuiltinPDFViewer": { "type": "boolean", "default": "true" },
        "DisableProfileRefresh": { "type": "boolean", "default": "true" },
        "NewTabPage": { "type": "boolean", "default": "false" },
        "OfferToSaveLoginsDefault": { "type": "boolean", "default": "false" },
        "OfferToSaveLogins": { "type": "boolean", "default": "false" },
        "SSLVersionMax": {"type": "string", "default": "tls1.3"},
        "BlockAboutAddons": { "type": "boolean", "default": "true" },
        "RequestedLocales": {
            "type": "array",
            "items": {"type": "string"},
            "default": ["de","en-US"]
        },
        "BlockAboutProfiles": { "type": "boolean", "default": "true" },
        "Cookies":{
            "type": "object",
            "properties": {
               "Locked": { "type": "boolean", "default": "true" },
               "ExpireAtSessionEnd": { "type": "boolean", "default": "true" },
               "Default": { "type": "boolean", "default": "false" },
               "Allow": {
                "type": "array",
                "items": {"type": "string"},
                "default": ["https://www.example.org/"]
               },
               "RejectTracker": { "type": "boolean", "default": "true" },
               "Block": {
                "type": "array",
                "items": {"type": "string"},
                "default": ["https://www.example.edu/"]
               },
               "AcceptThirdParty": {"type": "string", "default": "never"}
            }
        },
        "DisableForgetButton": { "type": "boolean", "default": "true" },
        "PopupBlocking":{
            "type": "object",
            "properties": {
               "Allow": {
                "type": "array",
                "items": {"type": "string"},
                "default": ["https://www.example.org","https://www.example.edu"]
               },
               "Default": { "type": "boolean", "default": "true" },
               "Locked": { "type": "boolean", "default": "true" }
            }
        }
    } 
}

sdagley
Esteemed Contributor II

@Santosh Are you saying that the popup menu shown in your image below the Preferences Domain label doesn't display any choices? The feature is there in 10.19, so it should work. I'm on a newer version and here's what that editor looks like for me:

[screenshot]

When clicked I see this:

[screenshot]

mm2270
Legendary Contributor III

@Santosh A lot of strange issues in Jamf Pro can be resolved by clearing your browser cache, restarting the browser and trying again. I would try that to see if the pop up menu options show up after that. If they don't, then it might be time to open a support ticket with Jamf about it.

Also, since you stated you're on 10.19, that likely means you have an on-prem Jamf Pro setup, correct? If so, you might have to work with Jamf support to see if something went wrong with the last update you did on the server. Or you could try upgrading to a more recent version.

attintl
New Contributor II

@mm2270 @sdagley Thanks a lot for your response. I have tried to test in multiple browsers and different systems, but I still have the same problem. As you guys said, it could be something with my JAMF PRO version. I will try to update to the latest version and see. If it still doesn't work, then I will open a support ticket with JAMF.

LovelessinSEA
Contributor II

This is fantastic stuff! Thanks to everyone putting these together! Are any of you amazing souls working on one for Cisco AnyConnect for Big Sur and web filtering? I found some information (https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect49/upgrade/AnyConnect_macOS_BigSur_Advisory.pdf), but I have no idea how to translate the web filter properties into a JSON file.

sdagley
Esteemed Contributor II

@LovelessinSEA The web filter payload isn't something you'd create as a part of an Application & Custom Settings payload. You'd need to create a signed .mobileconfig externally and then upload to Jamf Pro, or wait for Jamf to add the ability to directly create that payload.

bcbackes
Contributor III

I'm trying to learn how to create these JSON schemas, but I seem to be struggling. Does anyone know if there are any videos or detailed documentation on this? I'm trying to set up one for Defender ATP. I even tried to use the schema builder here: https://github.com/BIG-RAT/Managed-App-Schema-Builder. However, I'm doing something wrong, because I get an error when I try to save the configuration profile in Jamf.

Any advice is greatly appreciated!

lawinski
New Contributor III

Hey @bcbackes,
for a general idea of how JSON Schema works you can look here: https://json-schema.org/learn/getting-started-step-by-step.html
There are options specific to JAMF. Your best bet would be to look at other people's samples.

bcbackes
Contributor III

Ok, I was messing around with Citrix Workspace and looking at how I could lock down some settings in the "com.citrix.receiver.nomas.plist" file. Basically, I was looking to set the following settings:
AutoUpdateState
CEIPEnabled
CitrixCastingEnabled
CrashReportingEnabled

I've added the schema below. Everything was locked down when deploying this out with a configuration profile with the exception of the Citrix Casting Enabled key. For some strange reason, it wasn't greyed out like the others and I was able to enable it afterwards. The rest work great. The Auto Update State actually disappears from Preferences when you select Disabled.

Let me know what I can do better. Thanks!

{
  "title": "com.citrix.receiver.nomas",
  "description": "Citrix Workspace",
  "properties": {
    "AutoUpdateState": {
      "type": "string",
      "title": "AutoUpdateState",
      "description": "Options are: Auto, Manual, Disabled.",
      "examples": [
        "Auto",
        "Manual",
        "Disabled"
      ]
    },
    "CEIPEnabled": {
      "description": "Enable Customer Experience Improvement Program",
      "title": "CEIPEnabled",
      "type": "boolean"
    },
    "CitrixCastingEnabled": {
      "description": "Enables Citrix Casting to External Hubs",
      "title": "CitrixCastingEnabled",
      "type": "boolean"
    },
    "CrashReportingEnabled": {
      "description": "Crash Reporting",
      "title": "CrashReportingEnabled",
      "type": "boolean"
    }
  }
}

HeightsCollege
New Contributor II

Is anyone having issues with NoMAD's preferences from @mscottblake Here?

I'm trying to add the KeychainItems section and all I get is "Configure" and then a blank area - nowhere to add the actual items I want. Am I missing something?

Ideally, I'm trying to add "com.apple.network.eap.user.item.wlan.ssid.NETWORKNAME" "<<shortname>>" to sync wifi credentials.

Jamf Screenshot

The KeychainItems section has this as its code

        "KeychainItems": {
            "title": "KeychainItems",
            "description": "A Dictionary or Keychain Items matching an item name to an account name. On password change, NoMAD will update these items with the user’s new password.",
            "propertyOrder": 10,
            "anyOf": [
                {
                    "title": "Not Configured",
                    "type": "null"
                },
                {
                    "title": "Configured",
                    "type": "object"
                }
            ],
            "options": {
                "infoText": "Key: KeychainItems"
            },
            "links": [{
                "rel": "More information",
                "href": "https://nomad.menu/help/preferences-and-what-they-do/"
            }]
        },

mscottblake
Valued Contributor

@HeightsCollege The KeychainItems cannot be modified in this manner. The XML is expecting an array of <dict>s, but it is not possible to do this with the current implementation of the Jamf schema.

You can see the same issue with the Jamf Connect schema.

HeightsCollege
New Contributor II

Thanks for the clarifications @mscottblake. So basically it's only in the schema for when Jamf supports it? Meaning that configuration of those parameters is limited to plist upload at the moment. Also excited about NoMAD 2 that's been shared on the macadmins Slack - hopefully it fixes a number of issues.

talkingmoose
Moderator

Should be possible to create an array of dictionaries. Does the last example help?

Understanding the Structure of a JSON Schema Manifest

mscottblake
Valued Contributor

@talkingmoose You're right, it can do an array of dicts. I mis-remembered the problem. The KeychainItems entry looks like this:

<key>KeychainItems</key>
<dict>
    <key>random1</key>
    <string>foo</string>
    <key>random2</key>
    <string>bar</string>
</dict>

The schema cannot handle this situation. If you look at the built-in Jamf Connect settings, you can't set the same field in there either. I believe you and I have talked about this before.

I opened a case last year and they said this was PI-007973.

talkingmoose
Moderator

@mscottblake, ohhhh, yeah. I've seen similar with the same thing in Jamf Connect. Glad you filed that PI. I'll do some checking internally.

I suggest anyone affected by this (whether writing the manifest or needing this in the manifest) contact Jamf Support and let them know you're affected by the same PI. Similar to a feature request, the more folks that report it, the higher the priority.

PhillyPhoto
Valued Contributor

I uploaded the Edge json directly from MS (from the GET POLICY FILES link), and it looks like this. What am I missing? I used MicrosoftEdgePolicyTemplates > mac > policy_manifest.json
[screenshot]

bcbackes
Contributor III

@PhillyPhoto I believe that is how they normally look until you configure each setting. Choose "Edit", then change one of them to "Configured", then "Save", and you will see more.

PhillyPhoto
Valued Contributor

@bcbackes yeah, the extension I used to switch it to a dark theme kind of obscured the fact that it was a drop-down menu to click on to configure it. I eventually figured it out.

bcbackes
Contributor III

Here's a schema I created for OneDrive. Note: I haven't tested this yet

{
  "title": "com.microsoft.OneDrive",
  "description": "Preference Domain: com.microsoft.OneDrive, Application: OneDrive, Documentation Link: https://docs.microsoft.com/en-us/onedrive/deploy-and-configure-on-macos",
  "__version": "21",
  "__feedback": "jmanifest@microsoft.com",
  "type": "object",
  "options": {
    "remove_empty_properties": true
  },
  "definitions": {
    "policy_group": {
      "type": "object",
      "format": "grid",
      "options": {
        "collapsed": true,
        "disable_properties": true
      }
    }
  },
  "properties": {
    "AllowTenantList": {
      "title": "AllowTenantList",
      "description": "This setting prevents the users from uploading files to other organizations by specifying a list of allowed tenant IDs. If you enable this setting, the user gets an error if they attempt to add an account from an organization that isn't in the allowed tenants list. If the user has already added the account, the files stop syncing. This setting takes priority over Block syncing OneDrive accounts for specific organizations setting. Do NOT enable both settings at the same time.The parameter for the AllowTenantList key is TenantID and its value is a string, which determines the tenants for whom the Allow Tenant setting is applicable. For the setting to be complete, this parameter also requires a boolean value to be set to it. If the boolean value is set to True, the tenant is allowed to sync.",
      "property_order": 10,
      "anyOf": [
        {
          "type": "null",
          "title": "Not Configured"
        },
        {
          "title": "Configured",
          "type": "array",
          "items": {
            "type": "string",
            "title": "Entries"
          }
        }
      ],
      "options": {
        "infoText": "AllowTenantList"
      },
      "links": [
        {
          "rel": "Documentation for Policy",
          "href": "https://docs.microsoft.com/en-us/onedrive/deploy-and-configure-on-macos"
        }
      ]
    },
    "AutomaticUploadBandwidthPercentage": {
      "title": "AutomaticUploadBandwidthPercentage",
      "description": "This setting enables the sync app to automatically set the amount of bandwidth that can be used for uploading files, based on available bandwidth. To enable this setting, you must define a number between 1 and 99 that determines the percentage of bandwidth the sync app can use out of the total available bandwidth.",
      "property_order": 15,
      "anyOf": [
        {
          "type": "null",
          "title": "Not Configured"
        },
        {
          "title": "Configured",
          "type": "integer"
        }
      ],
      "options": {
        "infoText": "AutomaticUploadBandwidthPercentage"
      },
      "links": [
        {
          "rel": "Documentation for Policy",
          "href": "https://docs.microsoft.com/en-us/onedrive/deploy-and-configure-on-macos"
        }
      ]
    },
    "BlockExternalSync": {
      "title": "BlockExternalSync",
      "description": "This setting prevents the sync app from syncing libraries and folders shared from other organizations. Set the setting's value to True, to prevent the users from syncing OneDrive, SharePoint libraries, and folders with organizations other than the user's own organization. Set the value to False or don't enable the setting to allow the OneDrive, and SharePoint files to be synced with other organizations also.",
      "property_order": 20,
      "anyOf": [
        {
          "type": "null",
          "title": "Not Configured"
        },
        {
          "title": "Configured",
          "type": "boolean"
        }
      ],
      "options": {
        "infoText": "BlockExternalSync"
      },
      "links": [
        {
          "rel": "Documentation for Policy",
          "href": "https://docs.microsoft.com/en-us/onedrive/deploy-and-configure-on-macos"
        }
      ]
    },
    "BlockTenantList": {
      "title": "BlockTenantList",
      "description": "This setting prevents the users from uploading files to organizations that are included in the blocked tenant IDs list. If you enable this setting, the users get an error if they attempt to add an account from an organization that is blocked. If a user has already added an account for a blocked organization, the files stop syncing. This setting does NOT work if you have Allow syncing OneDrive accounts for only specific organizations setting enabled. Do NOT enable both settings at the same time. Enable this setting by defining IDs for the TenantID parameter, which determines the tenants to whom the block tenant setting is applicable. Also set the boolean value to True for the ID of every tenant you want to prevent from syncing with the OneDrive and SharePoint files and folders. NOTE: In the list, inclusion of the tenant ID alone doesn't suffice. It's mandatory to set the boolean value to True for the ID of each tenant who is to be blocked.",
      "property_order": 25,
      "anyOf": [
        {
          "type": "null",
          "title": "Not Configured"
        },
        {
          "title": "Configured",
          "type": "array",
          "items": {
            "type": "string",
            "title": "Entries"
          }
        }
      ],
      "options": {
        "infoText": "BlockTenantList"
      },
      "links": [
        {
          "rel": "Documentation for Policy",
          "href": "https://docs.microsoft.com/en-us/onedrive/deploy-and-configure-on-macos"
        }
      ]
    },
    "DefaultFolder": {
      "title": "DefaultFolder",
      "description": "This setting specifies the default location of the OneDrive folder for each organization. The parameters are TenantID and DefaultFolderPath. The TenantID value is a string that determines the tenants to whom the default folder location setting is applicable. The DefaultFolderPath value is a string that specifies the default location of the folder. The following are the conditions governing the default folder location: -Mac app store: The path must already exist when the user is setting up the sync app. -Standalone: The path will be created (if it doesn't already exist) after the user sets up the sync app. Only with the Standalone sync app you can prevent users from changing the location.",
      "property_order": 30,
      "anyOf": [
        {
          "type": "null",
          "title": "Not Configured"
        },
        {
          "title": "Configured",
          "type": "string"
        }
      ],
      "options": {
        "infoText": "DefaultFolder"
      },
      "links": [
        {
          "rel": "Documentation for Policy",
          "href": "https://docs.microsoft.com/en-us/onedrive/deploy-and-configure-on-macos"
        }
      ]
    },
    "DisableHydrationToast": {
      "title": "DisableHydrationToast",
      "description": "This setting prevents toasts from appearing when applications cause file contents to be downloaded. If you set the setting's value to True, toasts do not appear when applications trigger the download of file contents.",
      "property_order": 35,
      "anyOf": [
        {
          "type": "null",
          "title": "Not Configured"
        },
        {
          "title": "Configured",
          "type": "boolean"
        }
      ],
      "options": {
        "infoText": "DisableHydrationToast"
      },
      "links": [
        {
          "rel": "Documentation for Policy",
          "href": "https://docs.microsoft.com/en-us/onedrive/deploy-and-configure-on-macos"
        }
      ]
    },
    "DisablePersonalSync": {
      "title": "DisablePersonalSync",
      "description": "This setting blocks user from signing in and syncing files in personal OneDrive accounts. If this setting has been configured after a user has set up sync with a personal account, the user gets signed out. If you set the setting's value to True, the users are prevented from adding or syncing personal accounts.",
      "property_order": 40,
      "anyOf": [
        {
          "type": "null",
          "title": "Not Configured"
        },
        {
          "title": "Configured",
          "type": "boolean"
        }
      ],
      "options": {
        "infoText": "DisablePersonalSync"
      },
      "links": [
        {
          "rel": "Documentation for Policy",
          "href": "https://docs.microsoft.com/en-us/onedrive/deploy-and-configure-on-macos"
        }
      ]
    },
    "DisableTutorial": {
      "title": "DisableTutorial",
      "description": "This setting prevents the tutorial from being shown to the users after they set up OneDrive. If you set this setting's value to True, the tutorial is blocked from being shown to the users after they set up the OneDrive.",
      "property_order": 45,
      "anyOf": [
        {
          "type": "null",
          "title": "Not Configured"
        },
        {
          "title": "Configured",
          "type": "boolean"
        }
      ],
      "options": {
        "infoText": "DisableTutorial"
      },
      "links": [
        {
          "rel": "Documentation for Policy",
          "href": "https://docs.microsoft.com/en-us/onedrive/deploy-and-configure-on-macos"
        }
      ]
    },
    "DownloadBandwidthLimited": {
      "title": "DownloadBandwidthLimited",
      "description": "This setting sets the maximum download throughput rate in kilobytes (KB)/sec for computers running the OneDrive sync app. Set this setting's value to an integer between 50 KB/sec and the maximum rate of 100,000 KB/sec, which determines the download throughput in KB/sec that the sync app can use.",
      "property_order": 50,
      "anyOf": [
        {
          "type": "null",
          "title": "Not Configured"
        },
        {
          "title": "Configured",
          "type": "integer"
        }
      ],
      "options": {
        "infoText": "DownloadBandwidthLimited"
      },
      "links": [
        {
          "rel": "Documentation for Policy",
          "href": "https://docs.microsoft.com/en-us/onedrive/deploy-and-configure-on-macos"
        }
      ]
    },
    "EnableAllOcsiClients": {
      "title": "EnableAllOcsiClients",
      "description": "This setting lets multiple users use the Microsoft 365 Apps for enterprise, Office 2019, or Office 2016 desktop apps to simultaneously edit an Office file stored in OneDrive. It also lets users share files from the Office desktop apps. We recommend keeping this setting enabled to make syncing faster and reduce network bandwidth.If you set this setting to True or don't set this setting, the Office tab appears in OneDrive sync preferences, and Use Office applications to sync Office files that I open is selected, by default. If you set this setting to False, the Office tab is hidden in the sync app, and co-authoring and in-app sharing for Office files are disabled. The User can choose how to handle Office files in conflict setting acts as disabled, and when file conflicts occur, both copies of the file are kept. For more information about the settings in the sync app, see Use Office applications to sync Office files that I open.",
      "property_order": 55,
      "anyOf": [
        {
          "type": "null",
          "title": "Not Configured"
        },
        {
          "title": "Configured",
          "type": "boolean"
        }
      ],
      "options": {
        "infoText": "EnableAllOcsiClients"
      },
      "links": [
        {
          "rel": "Documentation for Policy",
          "href": "https://support.office.com/article/8a409b0c-ebe1-4bfa-a08e-998389a9d823"
        }
      ]
    },
    "EnableODIgnore": {
      "title": "EnableODIgnore",
      "description": "This setting lets you enter keywords to prevent the OneDrive sync app from uploading certain files to OneDrive or SharePoint. You can enter complete names, such as (setup.exe) or use the asterisk (*) as a wildcard character to represent a series of characters, such as *.pst. Keywords aren't case-sensitive. If you enable this setting, the sync app doesn't upload new files that match the keywords you specified. No errors appear for the skipped files, and the files remain in the local OneDrive folder. In Finder, the files appear with an (Excluded from sync icon). Users will also see a message in the OneDrive activity center that explains why the files aren't syncing. Set this setting's value to an integer between 50 KB/sec and the maximum rate of 100,000 KB/sec that determines the download throughput in KB/sec that the sync app can use.",
      "property_order": 60,
      "anyOf": [
        {
          "type": "null",
          "title": "Not Configured"
        },
        {
          "title": "Configured",
          "type": "array",
          "items": {
            "type": "string",
            "title": "Entries"
          }
        }
      ],
      "options": {
        "infoText": "EnableODIgnore"
      },
      "links": [
        {
          "rel": "Documentation for Policy",
          "href": "https://docs.microsoft.com/en-us/onedrive/deploy-and-configure-on-macos"
        }
      ]
    },
    "FilesOnDemandEnabled": {
      "title": "FilesOnDemandEnabled",
      "description": "This setting specifies whether Files On-Demand is enabled. We recommend keeping Files On-Demand enabled. See all our recommendations for configuring the sync app. If you don't set this setting, Files On-Demand will be enabled automatically as we roll out the feature, and users can turn the setting on or off. If you set this setting to True, FilesOnDemand is enabled and the users who set up the sync app can view the online-only files, by default. If you set this setting to False, FilesOnDemand is disabled and the users won't be able to turn it on.",
      "property_order": 65,
      "anyOf": [
        {
          "type": "null",
          "title": "Not Configured"
        },
        {
          "title": "Configured",
          "type": "boolean"
        }
      ],
      "options": {
        "infoText": "FilesOnDemandEnabled"
      },
      "links": [
        {
          "rel": "Documentation for Policy",
          "href": "https://docs.microsoft.com/en-us/onedrive/ideal-state-configuration"
        }
      ]
    },
    "HideDockIcon": {
      "title": "HideDockIcon",
      "description": "This setting specifies whether a dock icon for OneDrive is shown. If you set this setting's value to True, the OneDrive dock icon is hidden even if the app is running.",
      "property_order": 70,
      "anyOf": [
        {
          "type": "null",
          "title": "Not Configured"
        },
        {
          "title": "Configured",
          "type": "boolean"
        }
      ],
      "options": {
        "infoText": "HideDockIcon"
      },
      "links": [
        {
          "rel": "Documentation for Policy",
          "href": "https://docs.microsoft.com/en-us/onedrive/deploy-and-configure-on-macos"
        }
      ]
    },
    "HydrationDisallowedApps": {
      "title": "HydrationDisallowedApps",
      "description": "This setting prevents apps from automatically downloading online-only files. You can use this setting to lock down apps that don't work correctly with your deployment of Files On-Demand. To enable this setting, you must define a string in JSON format as described below: [{(ApplicationId):(appId),(MaxBundleVersion):(1.1),(MaxBuildVersion):(1.0)}] (appID) can be either the BSD process name or the bundle display name. (MaxBuildVersion) denotes the maximum build version of the app that will be blocked. (MaxBundleVersion) denotes the maximum bundle version of the app that will be blocked.",
      "property_order": 75,
      "anyOf": [
        {
          "type": "null",
          "title": "Not Configured"
        },
        {
          "title": "Configured",
          "type": "string"
        }
      ],
      "options": {
        "infoText": "HydrationDisallowedApps"
      },
      "links": [
        {
          "rel": "Documentation for Policy",
          "href": "https://docs.microsoft.com/en-us/onedrive/deploy-and-configure-on-macos"
        }
      ]
    },
    "OpenAtLogin": {
      "title": "OpenAtLogin",
      "description": "This setting specifies whether OneDrive starts automatically when the user logs in. If you set this setting's value to True, OneDrive starts automatically when the user logs in on Mac.",
      "property_order": 80,
      "anyOf": [
        {
          "type": "null",
          "title": "Not Configured"
        },
        {
          "title": "Configured",
          "type": "boolean"
        }
      ],
      "options": {
        "infoText": "OpenAtLogin"
      },
      "links": [
        {
          "rel": "Documentation for Policy",
          "href": "https://docs.microsoft.com/en-us/onedrive/deploy-and-configure-on-macos"
        }
      ]
    },
    "SharePointOnPremFrontDoorUrl": {
      "title": "SharePointOnPremFrontDoorUrl",
      "description": "This setting specifies the SharePoint Server 2019 on-premises URL that the OneDrive sync app must try to authenticate and sync against. To enable this setting, you must define a string containing the URL of the on-premises SharePoint Server. Example: https://Contoso.SharePoint.com",
      "property_order": 85,
      "anyOf": [
        {
          "type": "null",
          "title": "Not Configured"
        },
        {
          "title": "Configured",
          "type": "string"
        }
      ],
      "options": {
        "infoText": "SharePointOnPremFrontDoorUrl"
      },
      "links": [
        {
          "rel": "Documentation for Policy",
          "href": "https://docs.microsoft.com/en-us/onedrive/deploy-and-configure-on-macos"
        }
      ]
    },
    "SharePointOnPremPrioritizationPolicy": {
      "title": "SharePointOnPremPrioritizationPolicy",
      "description": "This setting determines whether or not the client should set up sync for SharePoint Server or SharePoint in Microsoft 365 first during the first-run scenario when the email is the same for both SharePoint Server on-premises and SharePoint in Microsoft 365 in a hybrid scenario. If you set this setting's value to 1, it is an indication that OneDrive should set up SharePoint Server on-premises first, followed by SharePoint in Microsoft 365.",
      "property_order": 90,
      "anyOf": [
        {
          "type": "null",
          "title": "Not Configured"
        },
        {
          "title": "Configured",
          "type": "integer",
          "options": {
            "enum_titles": [
              "OneDrive should set up SharePoint in Microsoft 365 (Cloud Based) first",
              "OneDrive should set up SharePoint Server on-premises first"
            ]
          },
          "enum": [
            0,
            1
          ]
        }
      ]
    },
    "SharePointOnPremTenantName": {
      "title": "SharePointOnPremTenantName",
      "description": "This setting enables you to specify the name of the folder created for syncing the SharePoint Server 2019 files specified in the Front Door URL. If this setting is enabled, you can specify a TenantName that is the name the folder will use in the following convention:[OneDrive – TenantName] (specified by you)or [TenantName] (specified by you). If you do not specify any TenantName, the folder will use the first segment of the FrontDoorURL as its name. For example, https://Contoso.SharePoint.com will use Contoso as the Tenant Name in the following convention:[OneDrive – Contoso] or [Contoso]",
      "property_order": 95,
      "anyOf": [
        {
          "type": "null",
          "title": "Not Configured"
        },
        {
          "title": "Configured",
          "type": "string"
        }
      ],
      "options": {
        "infoText": "SharePointOnPremTenantName"
      },
      "links": [
        {
          "rel": "Documentation for Policy",
          "href": "https://docs.microsoft.com/en-us/onedrive/deploy-and-configure-on-macos"
        }
      ]
    },
    "Tier": {
      "title": "Tier",
      "description": "You can configure the OneDrive Standalone sync app to receive delayed updates. Defines the update ring for the computer. UpdateRing (String): This parameter has two different values. [Production] - The default update ring for OneDrive updates. [Insiders] - This update ring receives updates that are (pre-production) and that allow you to play with features before they are released. Note that builds from this ring may be less stable. [Enterprise] - This update ring (now called [Deferred]) receives updates after they have been rolled out through the Production ring. It also lets you control the deployment of updates. For more information about the update rings and the procedure used by the sync app for checking for updates, see The OneDrive sync app update process.",
      "property_order": 100,
      "anyOf": [
        {
          "type": "null",
          "title": "Not Configured"
        },
        {
          "title": "Configured",
          "type": "string"
        }
      ],
      "options": {
        "infoText": "Tier"
      },
      "links": [
        {
          "rel": "Documentation for Policy",
          "href": "https://docs.microsoft.com/en-us/onedrive/deploy-and-configure-on-macos"
        }
      ]
    },
    "UploadBandwidthLimited": {
      "title": "UploadBandwidthLimited",
      "description": "This setting defines the maximum upload throughput rate in KB/sec for computers running the OneDrive sync app. To enable this setting, set a value between 50 and 100,000 that is the upload throughput rate the sync app can use.",
      "property_order": 105,
      "anyOf": [
        {
          "type": "null",
          "title": "Not Configured"
        },
        {
          "title": "Configured",
          "type": "integer"
        }
      ],
      "options": {
        "infoText": "UploadBandwidthLimited"
      },
      "links": [
        {
          "rel": "Documentation for Policy",
          "href": "https://docs.microsoft.com/en-us/onedrive/deploy-and-configure-on-macos"
        }
      ]
    }
  }
}

howie_isaacks
Valued Contributor II

How does someone learn how to create these schemas, and how do we know what the configurable properties are for a specific app?

There's a sample Jamf manifest on developer.jamf.com. It includes several different types of properties you might want to include in your own manifest for an application. Copy it and paste it into a new Application & Custom Settings payload and view the resulting form and plist it creates. That can get you started.

Creating a manifest requires a little understanding of JSON. If you understand XML plists then it shouldn't be too difficult to grasp. Understanding how plists work (domain, keys, values, etc.) should be all you need to know as far as what to populate in a property in a manifest.

Keep in mind Jamf manifests are meant to be "reused". By that I mean:

  1. Create and share your manifest with others or use manifests created by others. I do this from time to time when a customer needs to manage some settings that aren't built into Jamf Pro.
  2. Create a manifest to make it easier for less technical co-workers to create custom configuration profiles. Again, I do this for customers because they may not be technically inclined to create their own plist files.
  3. Create a manifest to make it easier to set multiple values in the same property. For example, I have a manifest for deploying Google Chrome Extensions. The Jamf Pro administrator needs to know the values to set, but the manifest makes it easier to input those values.

If you are comfortable creating a plist to manage an app and no one else will be making similar settings, then a manifest is overkill. You can instead upload your plist to the Application & Custom Settings payload much more quickly.

Thanks!

howie_isaacks
Valued Contributor II

The big question I have about this is where in the heck do we find a list of all of the configurable settings for an app? I can write a plist but I have to know what settings can be configured.

The place to start would be with the plists that the apps themselves generate. Key names are usually easy to understand (assuming the developer names them in a way that makes sense).

Some developers like Apple, Google, Microsoft, Zoom and others have configuration profile references published online.

I would also suggest checking out past JNUC and PSUMAC conference session videos about configuration profiles on YouTube. It’s a topic that’s been covered pretty extensively in those venues.

bcbackes
Contributor III

Here's a schema that I have for Microsoft Defender. NOTE: I created this a few months ago so there might be new keys/settings available that can be added. I did add the key to disable the Consumer version sign-in prompt people reported in MacAdmin Slack. This issue comes up when using Jamf App Installers to auto update Defender. The App Installer is using a consumer package which is where this prompt comes from.

 

{
  "__feedback": "jmanifest@microsoft.com",
  "__version": "101.47.27",
  "title": "com.microsoft.wdav",
  "description": "Preference Domain: com.microsoft.wdav, Application: Defender",
  "options": {
    "remove_empty_properties": true
  },
  "type": "object",
  "properties": {
    "antivirusEngine": {
      "title": "Antivirus engine",
      "description": "Properties displayed below will be managed, a user would not be able to override them",
      "propertyOrder": 10,
      "defaultProperties": [],
      "properties": {
        "enableRealTimeProtection": {
          "default": true,
          "description": "Locates and stops malware from installing or running on your device. You can turn off this setting for a short time before it turns back on automatically.",
          "format": "checkbox",
          "links": [
            {
              "href": "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#enable--disable-real-time-protection",
              "rel": "More information"
            }
          ],
          "options": {
            "infoText": "Key: enableRealTimeProtection"
          },
          "propertyOrder": 10,
          "title": "Real-time protection",
          "type": "boolean"
        },
        "exclusions": {
          "description": "Entities that have been excluded from the scan. Exclusions can be specified by full paths, extensions, or file names.",
          "items": {
            "format": "grid",
            "properties": {
              "$type": {
                "default": "excludedPath",
                "enum": [
                  "excludedPath",
                  "excludedFileExtension",
                  "excludedFileName"
                ],
                "options": {
                  "enum_titles": [
                    "Path",
                    "File extension",
                    "Process name"
                  ]
                },
                "title": "Type",
                "type": "string"
              },
              "extension": {
                "options": {
                  "dependencies": {
                    "$type": "excludedFileExtension"
                  }
                },
                "title": "File extension",
                "type": "string",
                "minLength": 1
              },
              "isDirectory": {
                "default": "true",
                "format": "checkbox",
                "options": {
                  "dependencies": {
                    "$type": "excludedPath"
                  }
                },
                "title": "Is directory",
                "description": "Directory if selected, or file if not selected",
                "type": "boolean"
              },
              "name": {
                "options": {
                  "dependencies": {
                    "$type": "excludedFileName"
                  }
                },
                "title": "Process name",
                "description": "Process name, either full path or file name, wildcards supported",
                "type": "string",
                "minLength": 1
              },
              "path": {
                "options": {
                  "dependencies": {
                    "$type": "excludedPath"
                  }
                },
                "title": "Path",
                "description": "Path to exclude, wildcards are supported",
                "type": "string",
                "minLength": 1
              }
            },
            "title": "Exclusions",
            "type": "object"
          },
          "links": [
            {
              "href": "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#scan-exclusions",
              "rel": "More information"
            }
          ],
          "options": {
            "infoText": "Key: exclusions"
          },
          "propertyOrder": 30,
          "title": "Scan exclusions",
          "type": "array"
        },
        "passiveMode": {
          "default": false,
          "description": "Whether the antivirus engine runs in passive mode or not.",
          "format": "checkbox",
          "links": [
            {
              "href": "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#enable--disable-passive-mode",
              "rel": "More information"
            }
          ],
          "options": {
            "infoText": "Key: passiveMode"
          },
          "propertyOrder": 40,
          "title": "Passive mode",
          "type": "boolean"
        },
        "allowedThreats": {
          "type": "array",
          "description": "List of threats (identified by their name) that are not blocked by the product and are instead allowed to run.",
          "propertyOrder": 50,
          "title": "Allowed threats",
          "links": [
            {
              "href": "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#allowed-threats",
              "rel": "More information"
            }
          ],
          "items": {
            "title": "Threat",
            "format": "grid",
            "type": "string"
          }
        },
        "threatTypeSettings": {
          "type": "array",
          "description": "The threatTypeSettings preference in the antivirus engine is used to control how certain threat types are handled by the product.",
          "propertyOrder": 60,
          "title": "Threat type settings",
          "links": [
            {
              "href": "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#threat-type-settings",
              "rel": "More information"
            }
          ],
          "items": {
            "title": "Setting",
            "format": "grid",
            "type": "object",
            "properties": {
              "key": {
                "type": "string",
                "title": "Threat type",
                "description": "Type of the threat for which the behavior is configured.",
                "propertyOrder": 10,
                "enum": [
                  "potentially_unwanted_application",
                  "archive_bomb"
                ]
              },
              "value": {
                "type": "string",
                "title": "Action to take",
                "description": "Action to take when coming across a threat of the type specified in the preceding section.",
                "propertyOrder": 20,
                "default": "audit",
                "enum": [
                  "audit",
                  "block",
                  "off"
                ]
              }
            }
          }
        },
        "exclusionsMergePolicy": {
          "default": "merge",
          "title": "Exclusions merge",
          "type": "string",
          "propertyOrder": 70,
          "description": "Specify the merge policy for exclusions. This can be a combination of administrator-defined and user-defined exclusions (merge) or only administrator-defined exclusions (admin_only). This setting can be used to restrict local users from defining their own exclusions.",
          "links": [
            {
              "href": "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#exclusion-merge-policy",
              "rel": "More information"
            }
          ],
          "enum": [
            "merge",
            "admin_only"
          ]
        },
        "disallowedThreatActions": {
          "type": "array",
          "description": "Restricts the actions that the local user of a device can take when threats are detected. The actions included in this list are not displayed in the user interface.",
          "propertyOrder": 80,
          "title": "Disallowed threat actions",
          "uniqueItems": true,
          "links": [
            {
              "href": "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#disallowed-threat-actions",
              "rel": "More information"
            }
          ],
          "items": {
            "title": "Action",
            "format": "grid",
            "type": "string",
            "enum": [
              "allow",
              "restore"
            ]
          }
        },
        "threatTypeSettingsMergePolicy": {
          "default": "merge",
          "title": "Threat type settings merge",
          "type": "string",
          "propertyOrder": 90,
          "description": "Specify the merge policy for threat type settings. This can be a combination of administrator-defined and user-defined settings (merge) or only administrator-defined settings (admin_only). This setting can be used to restrict local users from defining their own settings for different threat types.",
          "links": [
            {
              "href": "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#threat-type-settings-merge-policy",
              "rel": "More information"
            }
          ],
          "enum": [
            "merge",
            "admin_only"
          ]
        },
        "scanResultsRetentionDays": {
          "default": 90,
          "title": "Scan results retention",
          "type": "number",
          "minimum": 1,
          "maximum": 180,
          "propertyOrder": 100,
          "description": "Specify the number of days that results are retained in the scan history on the device. Old scan results are removed from the history. Old quarantined files are also removed from the disk.",
          "links": [
            {
              "href": "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#antivirus-scan-history-retention-in-days",
              "rel": "More information"
            }
          ]
        },
        "scanHistoryMaximumItems": {
          "default": 10000,
          "title": "Scan history size",
          "type": "number",
          "minimum": 5000,
          "maximum": 15000,
          "propertyOrder": 110,
          "description": "Specify the maximum number of entries to keep in the scan history. Entries include all on-demand scans performed in the past and all antivirus detections.",
          "links": [
            {
              "href": "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#maximum-number-of-items-in-the-antivirus-scan-history",
              "rel": "More information"
            }
          ]
        }
      }
    },
    "cloudService": {
      "title": "Cloud delivered protection preferences",
      "propertyOrder": 20,
      "defaultProperties": [],
      "properties": {
        "enabled": {
          "default": true,
          "description": "Provides increased, faster protection with access to the latest protection data in the cloud. Works best with automatic sample submission turned on",
          "format": "checkbox",
          "links": [
            {
              "href": "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#enable--disable-cloud-delivered-protection",
              "rel": "More information"
            }
          ],
          "propertyOrder": 10,
          "title": "Cloud delivered protection",
          "type": "boolean"
        },
        "diagnosticLevel": {
          "default": "optional",
          "title": "Diagnostic data collection",
          "type": "string",
          "propertyOrder": 20,
          "description": "We encourage you to share your diagnostic and usage data with us to help improve Microsoft products and services.",
          "links": [
            {
              "href": "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#diagnostic-collection-level",
              "rel": "More information"
            }
          ],
          "enum": [
            "optional",
            "required"
          ]
        },
        "automaticSampleSubmission": {
          "default": true,
          "description": "Sends sample files to Microsoft to help protect device users and your organization from potential threats",
          "format": "checkbox",
          "links": [
            {
              "href": "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#enable--disable-automatic-sample-submissions",
              "rel": "More information"
            }
          ],
          "propertyOrder": 30,
          "title": "Automatic sample submissions",
          "type": "boolean"
        },
        "automaticDefinitionUpdateEnabled": {
          "default": true,
          "title": "Automatic security intelligence updates",
          "description": "Determines whether security intelligence updates are installed automatically.",
          "format": "checkbox",
          "links": [
            {
              "href": "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#enable--disable-automatic-security-intelligence-updates",
              "rel": "More information"
            }
          ],
          "propertyOrder": 40,
          "type": "boolean"
        }
      }
    },
    "userInterface": {
      "title": "User interface preferences",
      "propertyOrder": 30,
      "defaultProperties": [],
      "properties": {
        "hideStatusMenuIcon": {
          "default": false,
          "description": "Whether the status menu icon (shown in the top-right corner of the screen) is hidden or not.",
          "format": "checkbox",
          "links": [
            {
              "href": "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#show--hide-status-menu-icon",
              "rel": "More information"
            }
          ],
          "propertyOrder": 10,
          "title": "Hide status menu icon",
          "type": "boolean"
        },
        "consumerExperience": {
          "default": "enabled",
          "title": "Control sign-in to consumer version",
          "type": "string",
          "propertyOrder": 20,
          "description": "Specify whether users can sign into the consumer version of Microsoft Defender.",
          "links": [
            {
              "href": "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-preferences?view=o365-worldwide#control-sign-in-to-consumer-version-of-microsoft-defender",
              "rel": "More information"
            }
          ],
          "enum": [
            "enabled",
            "disabled"
          ]
        },
        "userInitiatedFeedback": {
          "default": "enabled",
          "title": "User initiated feedback",
          "type": "string",
          "propertyOrder": 30,
          "description": "Specify whether users can submit feedback to Microsoft by going to Help > Send Feedback.",
          "links": [
            {
              "href": "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#diagnostic-collection-level",
              "rel": "More information"
            }
          ],
          "enum": [
            "enabled",
            "disabled"
          ]
        }
      }
    },
    "edr": {
      "title": "EDR preferences",
      "propertyOrder": 40,
      "defaultProperties": [],
      "properties": {
        "tags": {
          "title": "Device tags",
          "type": "array",
          "maxItems": 1,
          "propertyOrder": 20,
          "links": [
            {
              "href": "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#device-tags",
              "rel": "More information"
            }
          ],
          "items": {
            "title": "Tag",
            "format": "grid",
            "type": "object",
            "properties": {
              "key": {
                "type": "string",
                "title": "Type of tag",
                "propertyOrder": 10,
                "enum": [
                  "GROUP"
                ]
              },
              "value": {
                "type": "string",
                "title": "Value of tag",
                "propertyOrder": 20
              }
            }
          }
        }
      }
    },
    "features": {
      "title": "Features",
      "propertyOrder": 50,
      "defaultProperties": [],
      "properties": {
        "systemExtensions": {
          "default": "disabled",
          "title": "Use System Extensions",
          "type": "string",
          "propertyOrder": 10,
          "description": "Whether system extensions are used on macOS 10.15 (Catalina) or not.",
          "links": [
            {
              "href": "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-atp-for-mac-is-moving-to-system-extensions/ba-p/1608736",
              "rel": "More information"
            }
          ],
          "enum": [
            "enabled",
            "disabled"
          ]
        },
        "dataLossPrevention": {
          "default": "disabled",
          "title": "Use Data Loss Prevention",
          "type": "string",
          "propertyOrder": 20,
          "description": "Whether data loss prevention enforcement is enabled on the machine.",
          "links": [
            {
              "href": "https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide",
              "rel": "More information"
            }
          ],
          "enum": [
            "enabled",
            "disabled"
          ]
        }
      }
    }
  }
}