
Security MDM queries for Apple devices
Security queries return information to a mobile device management (MDM) solution about whether the device has the following enabled: Activation Lock, Find My, FileVault, a firmware password, and more. Security queries can return the following values.
Query | Value | OS |
---|---|---|
Activation Lock enabled | Yes or no. | iOS iPadOS macOS |
Activation Lock bypass code | The bypass code for the device. | iOS iPadOS macOS |
Find My enabled | Yes or no. | iOS iPadOS |
Certificates listed | List of certificates on the device. | iOS iPadOS tvOS macOS |
FileVault: enabled | Yes or no. | macOS |
FileVault: Has personal recovery key | Set or not set. | macOS |
FileVault: Has institutional recovery key | Set or not set. | macOS |
FileVault: Personal recovery key CMS | If FileVault Personal Recovery Key (PRK) escrow is enabled and a recovery key was set up, the resulting file contains the PRK, encrypted with the certificate from the recovery key payload. That file is also encrypted. | macOS |
FileVault: Personal recovery key device key | If FileVault PRK escrow is enabled and a recovery key was set up, this key contains a short string that is displayed to the user at the EFI login window as part of the help message if they enter their password incorrectly three times. | macOS |
Firewall settings | Yes or no to the following options: | macOS |
Firmware password status | Yes or no to the following options: | macOS |
Hardware encryption type | Describes the underlying hardware encryption capabilities of the device, which can be block-level encryption or file-level encryption. | macOS |
Management status | Specifies whether the device was enrolled in MDM using: | iOS iPadOS macOS |
Passcode compliant | Yes if the device complies with the passcode requirements. This includes any Exchange accounts. | iOS iPadOS |
Passcode compliant with profiles | Yes if the device complies with the passcode requirements from a configuration profile containing a passcode payload. | iOS iPadOS |
Passcode lock grace period | The user preference for the amount of time (in seconds) the device must be locked before unlock requires the device passcode. | iOS |
Passcode lock grace period enforced | The current enforced value for the amount of time (in seconds) the device must be locked before it requires the device passcode. | iOS iPadOS |
Passcode present | Yes if the device is protected with a password. | iOS iPadOS |
Remote management enabled | Yes if the device has Remote Management or Screen Sharing enabled. | macOS |
System Integrity Protection enabled | Yes or no. | macOS |
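
The following added example, which is not part of the original page, shows how an MDM server could evaluate a SecurityInfo response against a posture policy while treating values the device's OS does not report as "not reported" rather than as failures. The key names are those of Apple's MDM protocol SecurityInfo response and do not appear on this page; the policy and the sample response are constructed for illustration.

```python
import plistlib

# Constructed sample: a macOS SecurityInfo response (not captured from a real device).
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Status</key><string>Acknowledged</string>
  <key>SecurityInfo</key><dict>
    <key>FDE_Enabled</key><true/>
    <key>FDE_HasPersonalRecoveryKey</key><false/>
    <key>FDE_HasInstitutionalRecoveryKey</key><false/>
    <key>SystemIntegrityProtectionEnabled</key><true/>
    <key>RemoteDesktopEnabled</key><true/>
    <key>FirewallSettings</key><dict>
      <key>FirewallEnabled</key><false/>
    </dict>
  </dict>
</dict></plist>"""

# Hypothetical policy: (query name from the table, key path, expected value).
POLICY = [
    ("FileVault enabled", ("FDE_Enabled",), True),
    ("System Integrity Protection enabled", ("SystemIntegrityProtectionEnabled",), True),
    ("Firewall enabled", ("FirewallSettings", "FirewallEnabled"), True),
    ("Remote management enabled", ("RemoteDesktopEnabled",), False),
    ("Passcode present", ("PasscodePresent",), True),  # iOS/iPadOS only per the table
]

def lookup(info, path):
    """Walk nested dicts; return None when the device did not report the key."""
    for key in path:
        if not isinstance(info, dict) or key not in info:
            return None
        info = info[key]
    return info

def evaluate(raw_plist):
    """Return {query name: 'pass' | 'fail' | 'not reported'} for one response."""
    response = plistlib.loads(raw_plist)
    if response.get("Status") != "Acknowledged":
        raise ValueError("device did not acknowledge the SecurityInfo command")
    info = response.get("SecurityInfo", {})
    results = {}
    for label, path, expected in POLICY:
        value = lookup(info, path)
        results[label] = "not reported" if value is None else ("pass" if value == expected else "fail")
    # FileVault on with neither recovery key set leaves no recovery path if the password is lost.
    if info.get("FDE_Enabled") and not (info.get("FDE_HasPersonalRecoveryKey")
                                        or info.get("FDE_HasInstitutionalRecoveryKey")):
        results["FileVault recovery key set"] = "fail"
    return results
```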