| Property | Type | Default Value | Applied on | Version | Notes |
|---|---|---|---|---|---|
| domain | String | Tenant Domain is used to for displaying the tenant in the Agent Menu. | |||
| idsDomainLookup | String | Supplies the url used for the Domain FQDN call. Should contain the domain and end in the form <url>/<domain>/ The idsDomainLookup is used to construct our FQDN service and directly to make the FQDN call. It is also used when we send logs. | |||
| oAuthClientSecret | String | Used as the oAuth token for asset registration call occurring before enrollment (currently being implemented) | |||
| oAuthClientId | String | Not currently used | |||
| oAuthScope | String | The scope of what the oAuthClientSecret can be used for. Not currently used | |||
| disabledFeatures | array of one Of (‘sudo’, ‘kerberos’) For versions under 24.2.0, also ‘unenrolledReminder’ | Accepted values are “kerberos”, “sudo”, “unenrolledReminder” Slightly changes the enrollment behavior based on if tenant wants to update their sudo configuration and if tenant is leveraging kerberos unenrolledReminder - Setting to false disables the automatic presentation of the welcome view every login or 24 hours for a non-enrolled user (REMOVED in 24.2.0, this is now handled by the enableGetStartedNotification value returned from the asset/configuration call) | |||
| canUnenroll (optional) | Boolean | False | In agent menu - will determine if “Unenroll” is visible after enrollment | ||
| accountLockOverride (optional) | Dictionary | "accountLockOverride" : { "maxFailedLoginAttempts": 8, "minutesUntilFailedLoginReset": 60, "shouldLockScreenOnAccountLock": true } | maxFailedLoginAttempts: number Number of failed PIN entry attempts after which user is blocked from logging in to the macOS for lockout period defined below. Another invalid PIN entry attempt within lockout period extends the lockout period by the same amount of minutes. minutesUntilFailedLoginReset: number Length of the lockout period in minutes. shouldLockScreenOnAccountLock: boolean Determines whether or not the screen will lock when the user gets blocked from logging in to the macOS | ||
| enableAdminAccess (optional) | Boolean | False | If set to true, the menu will display “Admin Access” for standard users | ||
| allowOtherSmartCard (optional) | Boolean | True | If set to false, we search for other smart cards and print a warning if there was any found (i.e. Yubikey) prior enrollment | ||
| certExpirationOverride (optional) | boolean | False | MA’s start | Present the “Renew Certificate…” option in the agent menu whole time. (WA-13230) | |
| ssoRedirectionURLs (optional) | Array of Strings | Enrollment, MA Start | Tells the app to autoselect the identity used to SSO to the resource at the URLs supplied. Example: “ssoRedirectionURLs”: [ “https://next.cert.stage.truu.ai:443”, “https://url2:443”] | ||
| disableAssetAPICalls (optional) | Boolean | False | Setting to true disables Asset Enrollment and Heartbeat | ||
| eventCacheMaxAge (optional) | integer | 720 | MA’s Start | 25.2.0 | Specifies for how long we should persist the event. Value is in hours. |
| kerberosRealms (optional) | Array of Strings | Array of Realms and KDCs. Attempts to force use of the listed Realms and KDCs during enrollment. Examples:\\“kerberosRealms”:[ “corp.truu.ai” ] or (supplying a cdc in addition to the realm)“kerberosRealms”:[ “corp.truu.ai;kdc1234.corp.truu.ai” ] | |||
| useLocalNameForKerberos | Boolean | False | The option useLocalNameForKerberos = true is needed for an environments, where the Kerberos realm principal name differs from the linked TruU account. In such cases, the principal name constructed from the NSUserName and the realm name. | ||
| enableLogSubmissionOnLoginView | Boolean | False | MA’s Start | 24.2 | Enables the ability to send logs from the custom login view |
| authPluginSettings (optional) | Dictionary | "authPluginSettings" : { "enableLoginWindow": false } | 24.2 | ||
| enrollmentReminderDelay | Integer | 10 | MA’s Start | 24.3.0 | This key can postpone the enrollment notification, for example, to be shown 1 minute after it is triggered (timer/login/MA installation/…). Value is in seconds. |
| fetchDirectoryGroups (optional) | boolean | False | Ma’s Start | 25.1.1 | configure if entra groups should be regularly fetched into “/Library/Preferences/com.truu.user.state.plist” |
| runPostEnrollmentAfterReboot (optional) | boolean | false | ADE account creation | 24.6.0 | This key can controls behavior for post-enrollment phase. If set to “true” then post-enrollment phase postponed until computer reboot. |
| paginationSize (optional) | integer | 1000 | User info groups fetching | 24.6.0 | The agent is pooling data from Identity Server to provide info about user’s groups. For some tenants that’s a tens of thousands. This parameter manages the bulk (page) size what can be fetched at one HTTP GET call. |
| odPwdChangeAllowed (optional) | boolean | true | MA’s Start | 25.2.1 | If set to true, users can change their system password when enrolled via system settings, MDM, or using the recovery Key |
| fileVaultAutologon (optional) | boolean | true | Login Window start | 24.5.0 | Defines if the login window should be skipped once credentials were already provided on the FileVault screen. |
Required System Permissions Manual Install TruU