Parameter Reference

Every field available in SafeClip, with its Apple plist key, accepted values, and MDM spec notes. All payloads conform to Apple's Configuration Profile Reference.

WebClip

com.apple.webClip.managed

Installs a website shortcut on the iOS Home Screen with a custom icon. The shortcut can launch in full-screen mode, behaving like a native app.

Profile Name

Optional
PayloadDisplayName
string

Default: "WebClip"

Display name shown in Settings → General → VPN & Device Management.

Label

Required
Label
string

Values: Max 16 characters

The name that appears beneath the icon on the Home Screen.

Bundle Identifier

Optional
PayloadIdentifier
string (reverse-DNS)

Default: com.safeclip.online.profile

Values: e.g. com.example.app

Unique identifier for the payload. Used as a namespace for all sub-payloads (.clip / .wifi / .vpn).

URL

Required
URL
string (URL)

The full URL the shortcut opens. HTTPS is strongly recommended — HTTP URLs cannot launch in full-screen on iOS 9+.

Icon

Optional
Icon
data (Base64 PNG)

PNG image encoded as Base64 and embedded in the <data> element. Recommended size: 180×180 px. SafeClip caps uploads at 200 KB and 500×500 px.

Full Screen Mode

Optional
FullScreen
boolean

Default: true

Values: true / false

When true, the web clip launches without any browser chrome (no address bar or Safari UI).

Precomposed Icon

Optional
Precomposed
boolean

Default: true

Values: true / false

When true, SpringBoard does not add a gloss effect to the icon.

Removable

Optional
IsRemovable
boolean

Default: true

Values: true / false

When false, the user cannot delete the web clip without first removing the profile.

Ignore Manifest Scope

Optional
IgnoreManifestScope
boolean

Default: true

Values: true / false

When true, navigation outside the web clip's origin URL stays in full-screen mode instead of opening Safari. iOS 14+ only.

WiFi

com.apple.wifi.managed

Configures a WiFi network on the device. The device will automatically join the network when in range without requiring the user to enter credentials.

Profile Name

Optional
PayloadDisplayName
string

Default: "WiFi Profile"

Friendly name shown in the profile list.

SSID

Required
SSID_STR
string

The exact network name. Case-sensitive — must match your router's SSID character-for-character.

Security Type

Required
EncryptionType
string (enum)

Default: WPA2

Values: None · WEP · WPA2 · WPA3

SafeClip maps "WPA2/WPA3 Personal" → WPA2, which iOS accepts for both WPA2 and WPA3 networks via automatic negotiation.

Password

Optional
Password
string

Network password. Not required when Security Type is None. Stored in plaintext inside the plist — protect the file accordingly.

Hidden Network

Optional
HIDDEN_NETWORK
boolean

Default: false

Values: true / false

When true, iOS actively probes for the SSID instead of waiting for a broadcast beacon.

Auto-Join

Optional
AutoJoin
boolean

Default: true

Values: true / false

When true, the device joins the network automatically whenever it is in range.

DNS

com.apple.dnsSettings.managed

Configures encrypted DNS for the device. Encrypting DNS queries prevents ISPs and on-path observers from logging or tampering with domain lookups. Requires iOS 14 / macOS 11 or later.

Profile Name

Optional
PayloadDisplayName
string

Default: "Encrypted DNS"

Friendly name shown in Settings → General → VPN & Device Management.

DNS Protocol

Required
DNSProtocol
string (enum)

Values: HTTPS · TLS

HTTPS = DNS-over-HTTPS (DoH). TLS = DNS-over-TLS (DoT). DoH uses port 443; DoT uses port 853.

DoH / DoT Server URL

Required
ServerURL (DoH) · ServerName (DoT)
string (URL / hostname)

For DoH: full HTTPS URL, e.g. https://cloudflare-dns.com/dns-query. For DoT: hostname only, e.g. dns.quad9.net.

Fallback IPv4

Optional
ServerAddresses[ ]
string (IP)

Plain-text DNS fallback used when the encrypted resolver is unreachable. Added to the ServerAddresses array. e.g. 1.1.1.1

Fallback IPv6

Optional
ServerAddresses[ ]
string (IPv6)

IPv6 fallback resolver, e.g. 2606:4700:4700::1111. Appended to the same ServerAddresses array as the IPv4 fallback.

VPN

com.apple.vpn.managed

Configures a VPN connection on the device. SafeClip supports L2TP/IPSec (legacy, broad router support) and IKEv2 (modern, recommended for mobile). The correct sub-dictionary structure differs between the two types.

Profile Name

Optional
PayloadDisplayName / UserDefinedName
string

Default: "VPN"

Shown both in the profile list and as the VPN connection name in Settings → VPN.

VPN Type

Required
VPNType
string (enum)

Values: L2TP · IKEv2

Determines the sub-dictionary structure. L2TP uses IPSec + VPN dicts; IKEv2 uses a single IKEv2 dict.

Server Address

Required
CommRemoteAddress (L2TP) · RemoteAddress (IKEv2)
string (hostname / IP)

The VPN server's public hostname or IP address. For IKEv2, this should match the server's TLS certificate CN/SAN.

Remote ID

Optional
RemoteIdentifier
string

IKEv2 only. The identity the server presents during IKE negotiation — usually identical to Server Address. Defaults to Server Address if left blank. Critical for IKEv2: If your VPN fails to connect, ensure this matches the Server Address exactly.

Username

Optional
AuthName / LocalIdentifier
string

The user account name for VPN authentication. Used as AuthName in both L2TP (VPN dict) and IKEv2 (EAP / XAUTH). Also set as LocalIdentifier in IKEv2.

Password

Optional
AuthPassword
string

The user account password. Stored in plaintext in the plist. Different from the Shared Secret — this is the per-user credential.

Shared Secret

Optional
SharedSecret
data (L2TP Base64) · string (IKEv2)

The pre-shared key (PSK) for IPSec tunnel authentication. For L2TP, SafeClip Base64-encodes it and inserts it as a <data> element in the IPSec dict. For IKEv2, it is a plain <string> in the IKEv2 dict. Note: Older iOS versions might require hex encoding, but SafeClip uses the modern string format compliant with iOS 17+. Different from the user Password.

Common Payload Keys

Every payload dict (WebClip, WiFi, DNS, VPN) also contains the following standard keys, which SafeClip sets automatically:

PayloadType: Apple payload identifier (e.g. com.apple.wifi.managed)
PayloadVersion: Always 1
PayloadUUID: Randomly generated UUID per payload
PayloadIdentifier: Derived from Bundle Identifier + payload suffix (.clip / .wifi / .dns / .vpn)
PayloadDisplayName: Human-readable name from the Profile Name field
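
An added example (not SafeClip's own code): a Python check to run over a generated .mobileconfig before distributing it, flagging the settings this reference calls out: plaintext Password / AuthPassword / SharedSecret values, an HTTP WebClip URL, None or WEP WiFi security, and plain-text DNS fallback addresses. The sample profile is constructed, the finding names are invented for this example, and the PayloadContent array and DNSSettings dict are assumed from Apple's profile layout rather than taken from this page.

```python
import plistlib

# Keys this page describes as stored in plaintext (or merely Base64-encoded).
SECRET_KEYS = {"Password", "AuthPassword", "SharedSecret"}

def walk(node):
    """Yield every (key, value) pair at any depth; VPN sub-dicts differ by type."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield key, value
            yield from walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from walk(item)

def audit(profile_bytes):
    """Return sorted (payload_type, finding) tuples for a .mobileconfig plist."""
    findings = set()
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        ptype = payload.get("PayloadType", "?")
        for key, value in walk(payload):
            if key in SECRET_KEYS and value:
                findings.add((ptype, f"secret-in-profile:{key}"))
            elif key == "URL" and str(value).lower().startswith("http://"):
                findings.add((ptype, "url-not-https"))
            elif key == "EncryptionType" and value in ("None", "WEP"):
                findings.add((ptype, f"weak-wifi-security:{value}"))
            elif key == "ServerAddresses" and value and "dnsSettings" in ptype:
                findings.add((ptype, "dns-plaintext-fallback"))
    return sorted(findings)

# Constructed sample profile (hypothetical hosts and credentials).
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [
        {"PayloadType": "com.apple.webClip.managed", "Label": "Intranet",
         "URL": "http://intranet.example.com/", "FullScreen": True},
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "Lab",
         "EncryptionType": "WEP", "Password": "constructed-only"},
        {"PayloadType": "com.apple.dnsSettings.managed", "DNSSettings": {
            "DNSProtocol": "HTTPS", "ServerAddresses": ["1.1.1.1"],
            "ServerURL": "https://cloudflare-dns.com/dns-query"}},
        {"PayloadType": "com.apple.vpn.managed", "VPNType": "IKEv2", "IKEv2": {
            "RemoteAddress": "vpn.example.com", "SharedSecret": "constructed-psk"}},
    ],
})

if __name__ == "__main__":
    for ptype, finding in audit(SAMPLE):
        print(f"{ptype}: {finding}")
```

A secret finding does not mean the profile is wrong, only that the file itself now needs the same handling as the credential it contains.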
