 

What are the available iPhone MDM AccessRights

Tags:

ios

mdm

I am currently using 8191 for the 'AccessRights' variable required for the MDM payload (com.apple.mdm).

Now when using this the user gets the following message:

The administrator may collect personal data, add/remove accounts and restrictions, list, install and manage apps, and remotely erase data on your iPhone

Telling him/her that the MDM server is allowed to wipe the device remotely. Now I don't want the MDM server to be able to do this at all.

When I change the AccessRights to 4161 for instance, the message changes into:

The administrator may collect personal data, and list, install and manage apps on your iPhone

Now I can't find ANY reference to this AccessRights variable and its values. Can anyone enlighten me on what the value actually represents?

Thizzer asked Aug 21 '15 12:08


2 Answers

Here is the table that describes all flags for access rights:
[AccessRights table: image not preserved in this copy]

You can mix these values to configure the necessary list of access rights.
In your particular cases:
8191 is a combination of all the above values.
4161 is a combination of 4096, 64 and 1.

Vlad Papko answered Oct 30 '22 04:10
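To make the bit arithmetic in the answer above concrete, here is an added example (not code from the question, the answers, or any MDM product) that decomposes an AccessRights value into its flags, strips a right such as remote erase, and round-trips the value through a configuration-profile plist. The flag names are the ones tabulated in Apple's "Mobile Device Management Protocol Reference", which is what the answer's lost image showed; they come from that reference, not from this page. The payload identifiers and UUIDs are made-up placeholders, and the profile deliberately omits the other MDM-specific keys, so it demonstrates AccessRights handling rather than producing an enrollable profile.

```python
import plistlib

# Bit values of the com.apple.mdm AccessRights integer, as tabulated in Apple's
# "Mobile Device Management Protocol Reference". The names are taken from that
# document (the answer's table image did not survive), not from this page.
ACCESS_RIGHTS = {
    1: "Allow inspection of installed configuration profiles",
    2: "Allow installation and removal of configuration profiles",
    4: "Allow device lock and passcode removal",
    8: "Allow device erase",
    16: "Allow query of Device Information (device capacity, serial number)",
    32: "Allow query of Network Information (phone/SIM numbers, MAC addresses)",
    64: "Allow inspection of installed provisioning profiles",
    128: "Allow installation and removal of provisioning profiles",
    256: "Allow inspection of installed applications",
    512: "Allow restriction-related queries",
    1024: "Allow security-related queries",
    2048: "Allow manipulation of settings",
    4096: "Allow app management",
}
ALL_RIGHTS = sum(ACCESS_RIGHTS)  # 8191: every documented bit set
DEVICE_ERASE = 8


def decompose(mask):
    """Return the documented flag bits present in an AccessRights value,
    refusing values that carry bits the table does not define."""
    if mask < 0 or mask & ~ALL_RIGHTS:
        raise ValueError(f"undocumented AccessRights bits in {mask}")
    return [bit for bit in ACCESS_RIGHTS if mask & bit]


def describe(mask):
    """Human-readable rights granted by a mask, in ascending bit order."""
    return [ACCESS_RIGHTS[bit] for bit in decompose(mask)]


def without(mask, *denied):
    """Clear specific rights from a mask, e.g. drop remote erase from 8191."""
    for bit in denied:
        if bit not in ACCESS_RIGHTS:
            raise ValueError(f"{bit} is not a documented AccessRights bit")
        mask &= ~bit
    return mask


def build_profile(access_rights):
    """Serialise a configuration profile carrying one com.apple.mdm payload.
    Only the common payload keys named in the question are filled; the other
    MDM-specific keys are left out, so this is an AccessRights demonstration,
    not an enrollable profile. Identifiers and UUIDs are placeholders."""
    mdm_payload = {
        "PayloadType": "com.apple.mdm",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.payload",  # placeholder
        "PayloadUUID": "00000000-0000-4000-8000-000000000001",  # placeholder
        "PayloadDisplayName": "Example MDM",
        "AccessRights": access_rights,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm",  # placeholder
        "PayloadUUID": "00000000-0000-4000-8000-000000000002",  # placeholder
        "PayloadDisplayName": "Example MDM enrollment",
        "PayloadContent": [mdm_payload],
    }
    return plistlib.dumps(profile)  # XML plist bytes, <key>AccessRights</key>...


def access_rights_in(profile_bytes):
    """Parse a profile and return the AccessRights of its com.apple.mdm payload."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.mdm":
            return int(payload["AccessRights"])
    raise ValueError("no com.apple.mdm payload in profile")


def audit(profile_bytes, denied=(DEVICE_ERASE,)):
    """Names of denied rights a profile would grant; an empty list means clean."""
    mask = access_rights_in(profile_bytes)
    return [ACCESS_RIGHTS[bit] for bit in denied if mask & bit]


if __name__ == "__main__":
    for value in (8191, 4161, 2047):
        print(value, "=", " + ".join(str(b) for b in decompose(value)))
    no_erase = without(ALL_RIGHTS, DEVICE_ERASE)  # 8183
    print("8191 without device erase:", no_erase)
    print("audit(8191):", audit(build_profile(8191)))
    print("audit(8183):", audit(build_profile(no_erase)))
```

Run stand-alone it shows that 8191 is the sum of all thirteen bits, 4161 is 1 + 64 + 4096, and 2047 is everything below "Allow manipulation of settings". Removing only the erase bit from 8191 gives 8183, and the audit helper is the check to run over a profile before it is signed and handed to devices: if it reports "Allow device erase", the enrollment prompt will warn about remote wipe regardless of what the server actually intends to do.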


Update:

Visput's screenshot of the "Mobile Device Management Protocol Reference" provides the desired numerical values for AccessRights. However, this answer will remain for context, the lessons learned along the way, and the mention that said material may be subject to non-disclosure agreements due to the nature of the Apple confidential material.


For a clear understanding of the answer's scope, as well as for the sake of explaining to novices, I will provide a little context.

Context

First off, Mobile Device Management (MDM) provides you with features that are organized into a collection of settings called configuration profiles: features like real management capabilities, including convenient configuration, self-service tools, enhanced protection, etc.

These profiles are just XML files that allow you to distribute configuration information. Configuration profiles are in property list format.

From the document that describes the keys in a configuration profile and provides examples of the resulting XML payloads, PayloadContent is one of the keys. It is also the one you mean, the one that contains the AccessRights property.

PayloadContent [optional] is an array of payload dictionaries (payload objects). Not present if IsEncrypted is true.

The docs specify that these are the Payload Dictionary Keys Common to All Payloads: PayloadType, PayloadVersion, PayloadIdentifier, PayloadUUID, PayloadDisplayName, PayloadDescription, PayloadOrganization.

In addition to the standard payload keys above, each payload type contains keys that are specific to that payload type.

You are working with PayloadType "com.apple.mdm" and are looking for payload-specific keys for the MDM payload.

Conclusion

I have looked long and hard for all references to MDM payload keys. All I could find were a couple of AccessRights values; there are none in the official documentation available to the public.

The closest I could find was Inside the MDM Protocol (PDF), a project whose goal is not to create a simple, turn-key, stand-alone MDM server, nor to probe the protocol for weaknesses or hidden features, but simply to document as much of the protocol as possible.

From this document:

Unfortunately, documentation of the underlying protocol has never been freely available. Obviously, third parties selling MDM servers were provided access to the documentation by Apple, but it’s not been available for researchers or smaller development shops. This hampers risk analysis for enterprises making use of MDM. In order to aid such risk assessments, and to enable and encourage future research, this project was born.

Now I consider the document to be very useful for understanding MDM. On access rights it provides an image (page 8) representing a screenshot of a GUI tool which presents access rights as check boxes. As for generated values, your best chance is to Google anything like:

<key>AccessRights</key>
<integer>8191</integer>

I've also found the value 2047 somewhere. I've also found mentions of access rights in these Security Configuration Recommendations from the NSA for Apple iOS devices. On page 16 you have Access Rights for Remote Administrators:

The following settings control what an MDM server is permitted to query from an iOS device. For an enterprise-owned, enterprise-controlled device, permitting the enterprise administrator to query as much information as possible is appropriate. Some MDM products may simply include these access rights by default and offer options to retrieve less information from the device.

And it goes on to actually list the check boxes, which were also illustrated in the previous guide. No correspondence to the XML-generated data/IDs.

The closest I got to the actual IDs was in this mdm-settings.xml, which enumerates the access rules along with some other data used on the device for iOS 6.

Your best chance is to contact Apple support and ask for details.

The info you are looking for may be subject to non-disclosure agreements due to the nature of the Apple confidential material. The document above was based on data available in a Developer Preview.

Laurentiu L. answered Oct 30 '22 04:10