# SilverMetal iOS

**Status**: Phase 4 (planning, post-Windows v1)

Tier D — profile-layer only. Weakest tier in the family; labelled as such. We cannot modify iOS; we ship MDM profiles, App Store apps, and a setup guide.

## Scope (v1)

- Signed `.mobileconfig` MDM-style profile that:
  - Enforces device passcode policy
  - Disables analytics uploads, Siri suggestions
  - Restricts iCloud to absolute minimum (Find My, OS update only — sync-replaced services point at SilverSync)
  - Enables Lockdown Mode guidance
  - Default-app changes where iOS 18+ allows (Browser, Mail, etc.)
- Stack ports via App Store:
  - SilverBrowser (subject to Apple WebKit constraints — fall back to a hardened-defaults wrapper if pure custom engine is forbidden)
  - SilverVPN (NetworkExtension API)
  - SilverSync (file/contact/calendar/photos providers)
  - SilverChat (post-v1.1)
  - SilverKeys (post-v1.1)
- Setup guide:
  - Disposable Apple ID guidance
  - Hardware-key 2FA (YubiKey via Lightning / NFC)
  - Recommended app curation
  - eSIM privacy guidance

## Out of scope

- Anything requiring jailbreak (we do not support, recommend, or distribute jailbreaks)
- Anything bypassing Apple's review for Stack apps
- Eliminating Apple ID — it is required for App Store and we say so

## Directory layout

To be populated in Phase 4:

```
ios/
├── profile/         # .mobileconfig sources, signing
├── stack/           # iOS-specific Stack app builds (Xcode projects)
└── docs/            # setup guide, recommended apps, threat-tier disclaimer
```

## Verification gates

- Profile signature verifies on iOS install
- Lockdown Mode guidance verified across iOS 17+
- Stack apps pass App Store review and behave per spec
- Telemetry capture documents minimum-feasible Apple contact (we cannot reach zero)

## Honest framing

This is the weakest SilverMetal tier. iOS is the most restrictive consumer platform; users who pick this tier are typically users who *must* stay on iPhone. The product page must say so prominently.