
Security MDM queries for Apple devices
Security queries return information to a mobile device management (MDM) solution about whether the device has the following turned on: Activation Lock, Find My, FileVault, firmware password (for Intel-based Mac computers), and more. Security queries can return the following values.
Query | Supported operating system | Value returned |
---|---|---|
Activation Lock bypass code | iOS, iPadOS, macOS, visionOS 2.0 | The bypass code for the device. |
Can Activation Lock be managed | macOS | Yes or no. |
Certificate list | iOS, iPadOS, macOS, tvOS, visionOS 1.1 | A list of certificates on the device. |
FileVault turned on | macOS | Yes or no. |
FileVault: Has institutional recovery key | macOS | Yes or no. |
FileVault: Has personal recovery key | macOS | Yes or no. |
FileVault: Personal recovery key CMS | macOS | If FileVault personal recovery key (PRK) escrow is enabled and a recovery key was set up, the resulting file contains the PRK, encrypted with the certificate from the recovery key payload. That file is also encrypted. |
FileVault: Personal recovery key device key | macOS | If FileVault PRK escrow is enabled and a recovery key was set up, this key contains a short string that is displayed to the user at the EFI login window as part of the help message if they enter their password incorrectly three times. |
Find My turned on | iOS, iPadOS, visionOS 1.1 | Yes or no. |
Firewall settings | macOS | Yes or no to the following options: |
Firmware password status | macOS | Yes or no to the following options: |
Hardware encryption type | iOS, iPadOS, tvOS, visionOS 1.1 | A description of the underlying hardware encryption capabilities of the device, which can be block-level encryption or file-level encryption. |
Management status | iOS, iPadOS, macOS, visionOS 1.1 | A value indicating whether the device was enrolled in MDM using: |
Passcode compliant | iOS, iPadOS, visionOS 1.1 | Yes, if the device complies with the passcode requirements. This includes any Exchange accounts. |
Passcode compliant with profiles | iOS, iPadOS, visionOS 1.1 | Yes, if the device complies with the passcode requirements from a configuration profile containing a passcode payload. |
Passcode lock grace period | iOS, iPadOS, visionOS 1.1 | The user preference for the amount of time (in seconds) the device must be locked before unlock requires the device passcode. |
Passcode lock grace period enforced | iOS, iPadOS, visionOS 1.1 | The current enforced value for the amount of time (in seconds) the device must be locked before it requires the device passcode. |
Passcode present | iOS, iPadOS, visionOS 1.1 | Yes, if the device is protected with a password. |
Secure boot status | macOS | Returns the following: |
System Integrity Protection turned on | macOS | Yes or no. |
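
The macOS yes/no values in the table can be checked automatically on the MDM server side. The following is an added example, not code from this page or from Apple: it parses a security query response and reports which values fall short of a hypothetical local policy. The key names (`FDE_Enabled`, `FDE_HasPersonalRecoveryKey`, `FDE_HasInstitutionalRecoveryKey`, `SystemIntegrityProtectionEnabled`) and the `Status`/`SecurityInfo` envelope come from Apple's MDM protocol rather than from this page, and the sample responses are constructed.

```python
import plistlib

# Keys from the SecurityInfo dictionary of Apple's MDM protocol that correspond
# to macOS rows in the table above. REQUIRED_TRUE is a hypothetical local policy.
REQUIRED_TRUE = {
    "FDE_Enabled": "FileVault turned on",
    "SystemIntegrityProtectionEnabled": "System Integrity Protection turned on",
}
RECOVERY_KEYS = ("FDE_HasPersonalRecoveryKey", "FDE_HasInstitutionalRecoveryKey")


def evaluate_security_info(response_plist: bytes) -> list[str]:
    """Return a list of findings; an empty list means the policy is met."""
    response = plistlib.loads(response_plist)
    if response.get("Status") != "Acknowledged":
        return [f"command not acknowledged (Status={response.get('Status')!r})"]
    info = response.get("SecurityInfo")
    if not isinstance(info, dict):
        return ["response carries no SecurityInfo dictionary"]

    findings = []
    for key, label in REQUIRED_TRUE.items():
        value = info.get(key)
        if value is None:
            # Fail closed: an absent answer is not the same as "yes".
            findings.append(f"{label}: not reported")
        elif value is not True:
            findings.append(f"{label}: no")
    # FileVault on with neither recovery key type present is flagged separately.
    if info.get("FDE_Enabled") is True and not any(info.get(k) is True for k in RECOVERY_KEYS):
        findings.append("FileVault on but no personal or institutional recovery key")
    return findings


def build_sample(security_info: dict, status: str = "Acknowledged") -> bytes:
    """Build a constructed response for testing (not captured from a device)."""
    return plistlib.dumps({"Status": status, "UDID": "CONSTRUCTED-SAMPLE-UDID",
                           "CommandUUID": "constructed-command-uuid",
                           "SecurityInfo": security_info})


COMPLIANT = build_sample({"FDE_Enabled": True, "FDE_HasPersonalRecoveryKey": True,
                          "FDE_HasInstitutionalRecoveryKey": False,
                          "SystemIntegrityProtectionEnabled": True})
WEAK = build_sample({"FDE_Enabled": True, "FDE_HasPersonalRecoveryKey": False,
                     "FDE_HasInstitutionalRecoveryKey": False})

if __name__ == "__main__":
    for name, blob in (("compliant", COMPLIANT), ("weak", WEAK)):
        print(name, evaluate_security_info(blob))
```

A value the device did not report is treated as a finding rather than as a pass, so a response that omits a key cannot be mistaken for a compliant device.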