Device Management Command

SecurityInfoResponse.SecurityInfo

The response object for the security info command.

Properties

FDE_Enabled
boolean

If true, the machine has full-disk encryption (FDE) enabled.

FDE_HasInstitutionalRecoveryKey
boolean

If true, FDE has an institutional recovery key.

FDE_HasPersonalRecoveryKey
boolean

If true, FDE has a personal recovery key.

FDE_PersonalRecoveryKeyCMS
data

If FileVault Personal Recovery Key (PRK) escrow is enabled and a recovery key was configured, this key will contain the PRK, encrypted with the certificate from the FDERecoveryKeyEscrow profile and wrapped as CMS data.

FDE_PersonalRecoveryKeyDeviceKey
string

If FileVault PRK escrow is enabled and a recovery key was configured, this key contains a short string (the device serial number) that is displayed to the user at EFI loginwindow as part of the help message shown if they enter their password incorrectly three times. The server can use this string as an index when saving the device PRK. This replaces the recordNumber that was returned by the server in the previous escrow mechanism.

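FirewallSettings
SecurityInfoResponse.SecurityInfo.FirewallSettings

The current firewall settings.

FirmwarePasswordStatus
SecurityInfoResponse.SecurityInfo.FirmwarePasswordStatus

The state of the EFI firmware password.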

HardwareEncryptionCaps
integer

This integer describes the underlying hardware encryption capabilities of the device.

  • 1: Block-level encryption

  • 2: File-level encryption

  • 3: Both block-level and file-level encryption

For a device to be protected with Data Protection, HardwareEncryptionCaps must be 3 and PasscodePresent must be true.

ManagementStatus
SecurityInfoResponse.SecurityInfo.ManagementStatus

This dictionary contains information about the MDM enrollment.

PasscodeCompliant
boolean

If true, the user's passcode is compliant with all requirements on the device, including Exchange and other accounts.

PasscodeCompliantWithProfiles
boolean

If true, the user's passcode is compliant with requirements from profiles.

PasscodeLockGracePeriod
integer

The user preference for the amount of time, in seconds, the device must be locked before unlock will require the device passcode.

PasscodeLockGracePeriodEnforced
integer

The current enforced value for the amount of time, in seconds, the device must be locked before unlock will require the device passcode.

PasscodePresent
boolean

If true, the device is protected by a passcode.

SystemIntegrityProtectionEnabled
boolean

If true, System Integrity Protection (SIP) is enabled.

SecureBoot
SecurityInfoResponse.SecurityInfo.SecureBoot

The current Secure Boot settings of the device. This information is returned for both T2-enabled and non-T2-enabled devices. The values of the dictionary keys are always set to "not supported" on a device that is not T2-enabled.

RemoteDesktopEnabled
boolean

If true, remote desktop is enabled.
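The following server-side posture check is an added example, not code from this documentation or from Apple. It applies the Data Protection rule stated under HardwareEncryptionCaps and the PRK escrow condition stated under FDE_PersonalRecoveryKeyCMS to a SecurityInfo dictionary. The finding names, the choice of which other values count as findings, and both sample inputs are assumptions made for illustration. A key that is absent is treated as "not reported" and is not counted as a failure.

```python
import plistlib

# Constructed sample: a SecurityInfo dictionary serialized as an XML plist.
SAMPLE_IOS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>HardwareEncryptionCaps</key><integer>3</integer>
  <key>PasscodePresent</key><false/>
  <key>PasscodeCompliant</key><true/>
</dict></plist>"""

# Constructed sample: FileVault on, PRK set, but no escrowed CMS blob returned.
SAMPLE_MAC = {
    "FDE_Enabled": True,
    "FDE_HasPersonalRecoveryKey": True,
    "SystemIntegrityProtectionEnabled": False,
    "RemoteDesktopEnabled": True,
}

def evaluate(info):
    """Return a sorted list of finding codes (hypothetical names) for one device."""
    findings = set()
    # Data Protection needs both conditions; judge it only when caps are reported.
    if "HardwareEncryptionCaps" in info:
        if not (info["HardwareEncryptionCaps"] == 3 and info.get("PasscodePresent") is True):
            findings.add("data-protection-inactive")
    # A passcode can be present and still violate requirements.
    for key in ("PasscodeCompliant", "PasscodeCompliantWithProfiles"):
        if info.get(key) is False:
            findings.add("passcode-noncompliant")
    if "FDE_Enabled" in info:
        if not info["FDE_Enabled"]:
            findings.add("fde-disabled")
        elif info.get("FDE_HasPersonalRecoveryKey") and not info.get("FDE_PersonalRecoveryKeyCMS"):
            # A PRK exists, but the response carries no escrowed copy of it.
            findings.add("prk-not-escrowed")
    if info.get("SystemIntegrityProtectionEnabled") is False:
        findings.add("sip-disabled")
    if info.get("RemoteDesktopEnabled") is True:
        findings.add("remote-desktop-enabled")
    return sorted(findings)

def evaluate_plist(raw):
    """Parse a plist-encoded SecurityInfo dictionary and evaluate it."""
    return evaluate(plistlib.loads(raw))

if __name__ == "__main__":
    print(evaluate_plist(SAMPLE_IOS))
    print(evaluate(SAMPLE_MAC))
```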

Topics

Commands

object SecurityInfoResponse.SecurityInfo.FirewallSettings

The response object for firewall settings.

object SecurityInfoResponse.SecurityInfo.FirmwarePasswordStatus

The response object for the firmware password status.

object SecurityInfoResponse.SecurityInfo.ManagementStatus

The response object for the MDM status.

object SecurityInfoResponse.SecurityInfo.SecureBoot

The response object for the secure boot settings.

See Also

Command and Response

object SecurityInfoCommand

The wrapper for the Security Info command.

object SecurityInfoCommand.Command

The object for the Security Info command.

object SecurityInfoResponse

The wrapper object for the Security Info response.

object SecurityInfoResponse.SecurityInfo.FirewallSettings

The response object for firewall settings.

object SecurityInfoResponse.SecurityInfo.FirewallSettings.ApplicationsItem

The response object for applications within the firewall settings.

object SecurityInfoResponse.SecurityInfo.FirmwarePasswordStatus

The response object for the firmware password status.

object SecurityInfoResponse.SecurityInfo.ManagementStatus

The response object for the MDM status.

object SecurityInfoResponse.SecurityInfo.SecureBoot

The response object for the secure boot settings.