diff --git a/website/dev.firezone.firezone.plist b/website/dev.firezone.firezone.plist
new file mode 100644
index 000000000..db900d9b1
--- /dev/null
+++ b/website/dev.firezone.firezone.plist
@@ -0,0 +1,246 @@
+
+
+
+
+ pfm_app_url
+ https://www.firezone.dev/kb/client-apps/macos-client
+ pfm_description
+ Manage configuration for the Firezone macOS client.
+ pfm_documentation_url
+ https://www.firezone.dev/kb/deploy/clients#provision-with-mdm
+ pfm_domain
+ dev.firezone.firezone
+ pfm_format_version
+ 1
+ pfm_last_modified
+ 2025-05-23T07:58:48Z
+ pfm_platforms
+
+ macOS
+
+ pfm_subkeys
+
+
+ pfm_default
+ Configures Firezone configuration preferences
+ pfm_description
+ Description of the payload.
+ pfm_description_reference
+ Optional. A human-readable description of this payload. This description is shown on the Detail screen.
+ pfm_name
+ PayloadDescription
+ pfm_title
+ Payload Description
+ pfm_type
+ string
+
+
+ pfm_default
+ Firezone
+ pfm_description
+ Name of the payload.
+ pfm_description_reference
+ A human-readable name for the profile payload. This name is displayed on the Detail screen. It does not have to be unique.
+ pfm_name
+ PayloadDisplayName
+ pfm_require
+ always
+ pfm_title
+ Payload Display Name
+ pfm_type
+ string
+
+
+ pfm_default
+ dev.firezone.firezone
+ pfm_description
+ A unique identifier for the payload, dot-delimited. Usually root PayloadIdentifier+subidentifier
+ pfm_description_reference
+ A reverse-DNS-style identifier for the specific payload. It is usually the same identifier as the root-level PayloadIdentifier value with an additional component appended.
+ pfm_name
+ PayloadIdentifier
+ pfm_require
+ always
+ pfm_title
+ Payload Identifier
+ pfm_type
+ string
+
+
+ pfm_default
+ dev.firezone.firezone
+ pfm_description
+ The type of the payload, a reverse dns string.
+ pfm_description_reference
+ The payload type.
+ pfm_name
+ PayloadType
+ pfm_require
+ always
+ pfm_title
+ Payload Type
+ pfm_type
+ string
+
+
+ pfm_description
+ Unique identifier for the payload (format 01234567-89AB-CDEF-0123-456789ABCDEF)
+ pfm_description_reference
+ A globally unique identifier for the payload. The actual content is unimportant, but it must be globally unique. In macOS, you can use uuidgen to generate reasonable UUIDs.
+ pfm_format
+ ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$
+ pfm_name
+ PayloadUUID
+ pfm_require
+ always
+ pfm_title
+ Payload UUID
+ pfm_type
+ string
+
+
+ pfm_default
+ 1
+ pfm_description
+ The version of the whole configuration profile.
+ pfm_description_reference
+ The version number of the individual payload.
+A profile can consist of payloads with different version numbers. For example, changes to the VPN software in iOS might introduce a new payload version to support additional features, but Mail payload versions would not necessarily change in the same release.
+ pfm_name
+ PayloadVersion
+ pfm_require
+ always
+ pfm_title
+ Payload Version
+ pfm_type
+ integer
+
+
+ pfm_description
+ This value describes the issuing organization of the profile, as displayed to the user
+ pfm_name
+ PayloadOrganization
+ pfm_title
+ Payload Organization
+ pfm_type
+ string
+
+
+ pfm_default
+ https://app.firezone.dev
+ pfm_description
+ The base URL to open when users click "Sign in". The accountSlug will be appended to this.
+ pfm_name
+ authURL
+ pfm_title
+ Authentication URL
+ pfm_type
+ string
+
+
+ pfm_default
+ wss://api.firezone.dev
+ pfm_description
+ The WebSocket URL of the Firezone control plane to connect to.
+ pfm_name
+ apiURL
+ pfm_title
+ WebSocket API URL
+ pfm_type
+ string
+
+
+ pfm_default
+ info
+ pfm_description
+ The RUST_LOG-style filter string to apply to the connectivity library for increasing log output to use for connectivity troubleshooting.
+ pfm_name
+ logFilter
+ pfm_title
+ RUST_LOG filter string
+ pfm_type
+ string
+
+
+ pfm_description
+ Your Firezone account ID or slug which will be appended to the authURL to form the complete sign in URL. Will be set automatically by the client after the first successful authentication.
+ pfm_name
+ accountSlug
+ pfm_title
+ Account ID or Slug
+ pfm_type
+ string
+
+
+ pfm_default
+
+ pfm_description
+ Hide the Admin portal link in the Firezone menu in the macOS menu bar.
+ pfm_name
+ hideAdminPortalMenuItem
+ pfm_title
+ Hide admin portal link
+ pfm_type
+ boolean
+
+
+ pfm_default
+
+ pfm_description
+ Try to connect to Firezone using the saved token and configuration when the client application starts. If the authentication token is expired, the client will start in a disconnected state.
+ pfm_name
+ connectOnStart
+ pfm_title
+ Connect on start
+ pfm_type
+ boolean
+
+
+ pfm_default
+
+ pfm_description
+ Start the Firezone client when the user logs into the machine. Requires the Firezone client to be running to take effect. In many cases you probably want to configure this using a Managed Login Items payload instead to force the client to be running.
+ pfm_name
+ startOnLogin
+ pfm_title
+ Start on login
+ pfm_type
+ boolean
+
+
+ pfm_default
+
+ pfm_description
+ Disables the update check and notification for the Standalone variant of the macOS client. App Store variant versions 1.4.15 and higher already have this disabled.
+ pfm_name
+ disableUpdateCheck
+ pfm_title
+ Disable update check
+ pfm_type
+ boolean
+
+
+ pfm_default
+ https://www.firezone.dev/support
+ pfm_description
+ The URL to which users will be taken to when clicking the Help -> Support link in the menu bar.
+ pfm_name
+ supportURL
+ pfm_title
+ Support URL
+ pfm_type
+ string
+
+
+ pfm_targets
+
+ user
+
+ pfm_title
+ Firezone
+ pfm_unique
+
+ pfm_version
+ 1
+
+
diff --git a/website/public/policy-templates/macos/profile-manifests/dev.firezone.firezone.plist b/website/public/policy-templates/macos/profile-manifests/dev.firezone.firezone.plist
index c103e8df1..12f86b009 100644
--- a/website/public/policy-templates/macos/profile-manifests/dev.firezone.firezone.plist
+++ b/website/public/policy-templates/macos/profile-manifests/dev.firezone.firezone.plist
@@ -126,10 +126,8 @@ A profile can consist of payloads with different version numbers. For example, c
string
- pfm_default
- https://app.firezone.dev
pfm_description
- The base URL to open when users sign in. The accountSlug will be appended to this. In most cases you shouldn't change this. Setting this field will override the user's setting.
+ The base URL to open when users sign in. The accountSlug will be appended to this. In most cases you shouldn't change this. Setting this field will override the user's setting. If unset, defaults to https://app.firezone.dev.
pfm_name
authURL
pfm_title
@@ -138,10 +136,8 @@ A profile can consist of payloads with different version numbers. For example, c
string
- pfm_default
- wss://api.firezone.dev
pfm_description
- The control plane WebSocket URL that the network extension connects to. In most cases you shouldn't change this. Setting this field will override the user's setting.
+ The control plane WebSocket URL that the network extension connects to. In most cases you shouldn't change this. Setting this field will override the user's setting. If unset, defaults to wss://api.firezone.dev.
pfm_name
apiURL
pfm_title
@@ -150,10 +146,8 @@ A profile can consist of payloads with different version numbers. For example, c
string
- pfm_default
- info
pfm_description
- The RUST_LOG-style filter string to apply to the network extension for increasing log output to use for connectivity troubleshooting. In most cases you shouldn't change this. Setting this field will override the user's setting.
+ The RUST_LOG-style filter string to apply to the network extension for increasing log output to use for connectivity troubleshooting. In most cases you shouldn't change this. Setting this field will override the user's setting. If unset, defaults to "info".
pfm_name
logFilter
pfm_title
@@ -172,22 +166,8 @@ A profile can consist of payloads with different version numbers. For example, c
string
- pfm_default
-
pfm_description
- If set to true and you have the Internet Resource enabled for this user in the Firezone admin portal, enforces the use of the Internet Resource for this Mac while Firezone is signed in. If set to false, prevents the Internet Resource from being used. Setting this field will prevent the user from enabling or disabling the Internet Resource.
- pfm_name
- internetResourceEnabled
- pfm_title
- Enforce full-tunnel on or off
- pfm_type
- boolean
-
-
- pfm_default
-
- pfm_description
- Hide the Admin portal link in the Firezone menu in the macOS menu bar.
+ Hide the Admin portal link in the Firezone menu in the macOS menu bar. If unset, defaults to false.
pfm_name
hideAdminPortalMenuItem
pfm_title
@@ -196,10 +176,8 @@ A profile can consist of payloads with different version numbers. For example, c
boolean
- pfm_default
-
pfm_description
- Try to connect to Firezone using the saved token and configuration when the client application starts. If the authentication token is expired, the client will start in a disconnected state. Setting this field will override the user's setting.
+ Try to connect to Firezone using the saved token and configuration when the client application starts. If the authentication token is expired, the client will start in a disconnected state. Setting this field will override the user's setting. If unset, defaults to false.
pfm_name
connectOnStart
pfm_title
@@ -208,10 +186,8 @@ A profile can consist of payloads with different version numbers. For example, c
boolean
- pfm_default
-
pfm_description
- Start the Firezone client when the user logs into the machine. In many cases you probably want to configure this using a Managed Login Items payload instead. Requires the Firezone client to be running to take effect. Setting this field will override the user's setting.
+ Start the Firezone client when the user logs into the machine. In many cases you probably want to configure this using a Managed Login Items payload instead. Requires the Firezone client to be running to take effect. Setting this field will override the user's setting. If unset, defaults to false.
pfm_name
startOnLogin
pfm_title
@@ -220,10 +196,8 @@ A profile can consist of payloads with different version numbers. For example, c
boolean
- pfm_default
-
pfm_description
- Disables the update check and notification for the standalone variant of the macOS client. App Store variant versions 1.4.15 and higher already have this disabled.
+ Disables the update check and notification for the standalone variant of the macOS client. App Store variant versions 1.4.15 and higher already have this disabled. If unset, defaults to false.
pfm_name
disableUpdateCheck
pfm_title
@@ -232,10 +206,8 @@ A profile can consist of payloads with different version numbers. For example, c
boolean
- pfm_default
- https://www.firezone.dev/support
pfm_description
- The URL to which users will be taken to when clicking the Help -> Support link in the menu bar.
+ The URL to which users will be taken to when clicking the Help -> Support link in the menu bar. If unset, defaults to https://www.firezone.dev/support.
pfm_name
supportURL
pfm_title