Release_iOS-18-2_macOS-15-2

2026-05-10 12:59:31 +02:00 · 2024-12-12 15:35:43 -05:00
parent b6202ca2fb
commit 1fa842739c
133 changed files with 529 additions and 176 deletions
@@ -8,11 +8,11 @@ This release corresponds to the following OS versions

 | OS       | Version |
 |----------|---------|
-| iOS      | 18.1    |
-| macOS    | 15.1    |
-| tvOS     | 18.1    |
-| visionOS |  2.1    |
-| watchOS  | 11.1    |
+| iOS      | 18.2    |
+| macOS    | 15.2    |
+| tvOS     | 18.2    |
+| visionOS |  2.2    |
+| watchOS  | 11.2    |

 ## Important Release Notes

@@ -23,7 +23,7 @@ payloadkeys:
 - key: Restrictions
  type: <dictionary>
  presence: optional
-  content: Defines the restrictions for disks
+  content: The restrictions for the disk.
  subkeys:
  - key: ExternalStorage
    title: External Storage
@@ -36,9 +36,9 @@ payloadkeys:
    combinetype: enum-last
    content: |-
      Specifies the mount policy for external storage:
-      * Allowed - external storage that is read-write or read-only will be mounted.
-      * ReadOnly - only external storage that is read-only will be automatically mounted. Note that external storage that is read-write will not be mounted read-only.
-      * Disallowed - no external storage will be mounted.
+      * 'Allowed': the system can mount external storage that is read-write or read-only.
+      * 'ReadOnly': the system can only mount read-only external storage. Note that external storage that is read-write will not be mounted read-only.
+      * 'Disallowed': The system can't mount any external storage.
  - key: NetworkStorage
    title: Network Storage
    type: <string>
@@ -50,6 +50,6 @@ payloadkeys:
    combinetype: enum-last
    content: |-
      Specifies the mount policy for network storage:
-      * Allowed - network storage that is read-write or read-only will be mounted.
-      * ReadOnly - only network storage that is read-only will be mounted. Note that network storage that is read-write will not be mounted read-only.
-      * Disallowed - no network storage will be mounted.
+      * 'Allowed': the system can mount network storage that is read-write or read-only.
+      * 'ReadOnly': the system can only mount read-only network storage. Note that network storage that is read-write will not be mounted read-only.
+      * 'Disallowed': The system can't mount any network storage.
@@ -75,7 +75,7 @@ payloadkeys:
    type: <dictionary>
    presence: optional
    content: If present, configures the Math Notes mode of the calculator. If not
-      present, math notes mode is enabled.
+      present, Math Notes mode is enabled.
    subkeys:
    - key: Enabled
      type: <boolean>
@@ -110,7 +110,7 @@ payloadkeys:
    type: <boolean>
    presence: required
    combinetype: boolean-and
-    content: Controls whether keyboard suggestions include math solutions
+    content: Controls whether keyboard suggestions include math solutions.
  - key: MathNotes
    type: <boolean>
    presence: required
@@ -30,17 +30,15 @@ payloadkeys:
  title: Managed Extensions
  type: <dictionary>
  presence: optional
-  content: Extensions being managed
+  content: The dictionary of managed extensions settings.
  subkeys:
  - key: ANY
    type: <dictionary>
    presence: optional
-    content: The composed identifier of the managed extension, or "*" for all extensions.
-      In order for the extension to be managed, its host app must be present on the
-      device. To generate this string use codesign -dv <path_to_appex>. The browser
-      extension is located in the PlugIns folder inside the app bundle. The expected
-      format is "Identifier (TeamIdentifier)". For extensions that are not also available
-      on macOS the app developer will need to provide this information.
+    content: |-
+      The composed identifier of the managed extension, or “*” for all extensions. In order for the extension to be managed, its host app must be present on the device.
+      To generate this string use 'codesign -dv <path_to_appex>'. The browser extension is located in the PlugIns folder inside the app bundle. The expected format is “Identifier (TeamIdentifier)”.
+      For extensions that aren't also available on macOS the app developer needs to provide this information.
    subkeytype: ExtensionDictionary
    subkeys:
    - key: State
@@ -54,9 +52,9 @@ payloadkeys:
      combinetype: enum-last
      content: |-
        Controls whether an extension is allowed.
-        * Allowed - The user is allowed to turn the extension on or off
-        * AlwaysOn - The extension will always be on
-        * AlwaysOff - The extension will always be off
+        * 'Allowed' - The user is allowed to turn the extension on or off.
+        * 'AlwaysOn' - The extension will always be on.
+        * 'AlwaysOff' - The extension will always be off.
    - key: PrivateBrowsing
      title: Private Browsing state
      type: <string>
@@ -68,18 +66,18 @@ payloadkeys:
      combinetype: enum-last
      content: |-
        Controls whether an extension is allowed in Private Browsing.
-        * Allowed - The user is allowed to turn the extension on or off in Private Browsing
-        * AlwaysOn - The extension will always be on in Private Browsing if the extension is on outside of Private Browsing
-        * AlwaysOff - The extension will never be on in Private Browsing
+        * 'Allowed' - The user is allowed to turn the extension on or off in Private Browsing.
+        * 'AlwaysOn' - The extension will always be on in Private Browsing if the extension is on outside of Private Browsing.
+        * 'AlwaysOff' - The extension will never be on in Private Browsing.
    - key: AllowedDomains
      title: Allowed domains
      type: <array>
      presence: optional
      combinetype: set-union
      content: Controls the domains and sub-domains the extension is granted access
-        to. Any non-prefixed domains take precedence over prefixed domains, and DeniedDomains
-        takes precedence over AllowedDomains. Any domains not specified in AllowedDomains
-        or DeniedDomains are configurable by the user.
+        to. Any non-prefixed domains take precedence over prefixed domains, and 'DeniedDomains'
+        takes precedence over 'AllowedDomains'. Any domains not specified in 'AllowedDomains'
+        or 'DeniedDomains' are configurable by the user.
      subkeys:
      - key: Domain
        title: Domain
@@ -90,10 +88,10 @@ payloadkeys:
      type: <array>
      presence: optional
      combinetype: set-union
-      content: Controls the domains and sub-domains the extension is not allowed to
+      content: Controls the domains and sub-domains the extension isn't allowed to
        access. Any non-prefixed domains take precedence over prefixed domains, and
-        DeniedDomains takes precedence over AllowedDomains. Any domains not specified
-        in AllowedDomains or DeniedDomains are configurable by the user.
+        'DeniedDomains' takes precedence over 'AllowedDomains'. Any domains not specified
+        in 'AllowedDomains' or 'DeniedDomains' are configurable by the user.
      subkeys:
      - key: Domain
        title: Domain
@@ -24,8 +24,8 @@ payloadkeys:
  type: <string>
  presence: required
  content: The unique identifier of the set of background tasks managed with this
-    configuration. This should be a reverse DNS style identifier. This is used solely
-    by the management system to differentiate between tasks in different configurations.
+    configuration. This should be a reverse DNS style identifier. The system uses
+    this identifier to differentiate between tasks in different configurations.
 - key: TaskDescription
  title: Task Description
  type: <string>
@@ -40,20 +40,14 @@ payloadkeys:
  - application/zip
  presence: optional
  content: |-
-    Specifies the identifier of an asset declaration containing a reference
-    to the files to be used for the background task configuration. The corresponding
-    asset must be of type "com.apple.asset.data". The referenced data must be a zip
-    archive of an entire directory, that will be expanded and stored in a well known
-    location for the background task. The asset's "ContentType" and "Hash-SHA-256"
-    keys in the "Reference" key are required.
-
-    This file should contain background task executables, scripts, and configuration
-    files, but not the launchd configuration files.
+    Specifies the identifier of an asset declaration containing a reference to the files to be used for the background task configuration. The corresponding asset must be of type “'com.apple.asset.data'”.
+    The referenced data must be a zip archive of an entire directory, that will be expanded and stored in a well known location for the background task. The asset's “ContentType” and “Hash-SHA-256” keys in the “Reference” key are required.
+    This file should contain background task executables, scripts, and configuration files, but not the 'launchd' configuration files.
 - key: LaunchdConfigurations
  title: Launchd Configurations
  type: <array>
  presence: optional
-  content: An array of launchd configuration files used to run the background tasks.
+  content: An array of 'launchd' configuration files used to run the background tasks.
  subkeys:
  - key: launchd-item
    type: <dictionary>
@@ -70,11 +64,11 @@ payloadkeys:
      - application/xml
      - text/xml
      presence: required
-      content: |-
-        Specifies the identifier of an asset declaration containing a reference
-        to the launchd configuration file for the background task. The referenced data must be a
-        property list file conforming to the launchd.plist format. The asset's "ContentType" and "Hash-SHA-256"
-        keys in the "Reference" key are required.
+      content: Specifies the identifier of an asset declaration containing a reference
+        to the launchd configuration file for the background task. The referenced
+        data must be a property list file conforming to the launchd.plist format.
+        The asset's “ContentType” and “Hash-SHA-256” keys in the “Reference” key are
+        required.
    - key: Context
      title: Launchd Context
      type: <string>
@@ -33,9 +33,9 @@ payloadkeys:
  presence: optional
  default: true
  combinetype: boolean-and
-  content: If 'true', the device shows all software update enforcement notifications.
-    If 'false', the device only shows notifications triggered one hour before the
-    enforcement deadline, and the restart countdown notification.
+  content: |-
+    If set to 'true', the device shows all software update enforcement notifications.
+    If set to 'false', the device only shows notifications triggered one hour before the enforcement deadline, and the restart countdown notification.
 - key: Deferrals
  title: Software Update Deferrals
  supportedOS:
@@ -44,8 +44,8 @@ payloadkeys:
      - supervised
  type: <dictionary>
  presence: optional
-  content: Controls the deferral of software updates. Rapid Security Responses are
-    not considered within 'Major', 'Minor', or 'System' deferral mechanism.
+  content: This object configures the deferral of software updates. Rapid Security
+    Responses aren't considered within 'Major', 'Minor', or 'System' deferral mechanism.
  subkeys:
  - key: CombinedPeriodInDays
    title: Combined Major/Minor Update Deferral Period
@@ -60,7 +60,7 @@ payloadkeys:
    combinetype: number-max
    content: Specifies the number of days to defer a major or minor OS software update
      on the device. When set, software updates only appear after the specified delay,
-      following the release of the software update.
+      following the release of the software update. Available in iOS 18 and later.
  - key: MajorPeriodInDays
    title: Major Update Deferral Period
    supportedOS:
@@ -74,7 +74,7 @@ payloadkeys:
    combinetype: number-max
    content: Specifies the number of days to defer a major OS software update on the
      device. When set, software updates only appear after the specified delay, following
-      the release of the software update.
+      the release of the software update. Available in macOS 15 and later.
  - key: MinorPeriodInDays
    title: Minor Update Deferral Period
    supportedOS:
@@ -87,8 +87,9 @@ payloadkeys:
      max: 90
    combinetype: number-max
    content: Specifies the number of days to defer a minor OS software update on the
-      device. When set, software updates only appear after the specified delay, following
-      the release of the software update.
+      device. It also defers major updates for iOS. When set, software updates only
+      appear after the specified delay, following the release of the software update.
+      Available in macOS 15 and later.
  - key: SystemPeriodInDays
    title: System Update Deferral Period
    supportedOS:
@@ -102,7 +103,7 @@ payloadkeys:
    combinetype: number-max
    content: Specifies the number of days to defer system or non-OS updates. When
      set, updates only appear after the specified delay, following the release of
-      the update.
+      the update. Available in macOS 15 and later.
 - key: RecommendedCadence
  title: Software Update Recommended Cadence
  supportedOS:
@@ -116,10 +117,10 @@ payloadkeys:
  - Newest
  combinetype: enum-last
  content: |-
-    Specifies how the device shows software updates to the user. When more than one update is available update, the device behaves as follows:
-    * "All" - Shows all software update versions.
-    * "Oldest" - Shows only the oldest (lower numbered) software update version.
-    * "Newest" - Shows only the newest (highest numbered) software update version.
+    This string specifies how the device shows software updates to the user. When more than one update is available update, the device behaves as follows:
+    * 'All' - Shows all software update versions.
+    * 'Oldest' - Shows only the oldest (lower numbered) software update version.
+    * 'Newest' - Shows only the newest (highest numbered) software update version.
 - key: AutomaticActions
  title: Automatic Software Update Settings
  supportedOS:
@@ -128,7 +129,7 @@ payloadkeys:
      - supervised
  type: <dictionary>
  presence: optional
-  content: Specifies various automatic Software Update functionality.
+  content: This object configures various automatic Software Update functionality.
  subkeys:
  - key: Download
    title: Automatic downloads of available updates.
@@ -141,10 +142,10 @@ payloadkeys:
    default: Allowed
    combinetype: enum-last
    content: |-
-      Specifies whether automatic downloads of available updates can be controlled by the user:
-      * "Allowed" - the user can enable or disable automatic downloads.
-      * "AlwaysOn" - automatic downloads are always enabled.
-      * "AlwaysOff" - automatic downloads are always disabled.
+      Specifies whether the user can control automatic downloads of available updates:
+      * 'Allowed' - the user can enable or disable automatic downloads.
+      * 'AlwaysOn' - automatic downloads are always enabled.
+      * 'AlwaysOff' - automatic downloads are always disabled.
  - key: InstallOSUpdates
    title: Automatic installs of OS updates.
    type: <string>
@@ -156,10 +157,10 @@ payloadkeys:
    default: Allowed
    combinetype: enum-last
    content: |-
-      Specifies whether automatic install of available OS updates can be controlled by the user:
-      * "Allowed" - the user can enable or disable automatic installs.
-      * "AlwaysOn" - automatic installs are always enabled.
-      * "AlwaysOff" - automatic installs are always disabled.
+      Specifies whether the user can control automatic installation of available updates:
+      * 'Allowed' - the user can enable or disable automatic installation.
+      * 'AlwaysOn' - automatic installations are always enabled.
+      * 'AlwaysOff' - automatic installations are always disabled.
  - key: InstallSecurityUpdate
    title: Automatic installs of available security updates.
    supportedOS:
@@ -174,10 +175,10 @@ payloadkeys:
    default: Allowed
    combinetype: enum-last
    content: |-
-      Specifies whether automatic install of available security updates can be controlled by the user:
-      * "Allowed" - the user can enable or disable automatic installs.
-      * "AlwaysOn" - automatic installs are always enabled.
-      * "AlwaysOff" - automatic installs are always disabled.
+      Specifies whether the user can control automatic installation of available security updates:
+      * 'Allowed' - the user can enable or disable automatic installation.
+      * 'AlwaysOn' - automatic installations are always enabled.
+      * 'AlwaysOff' - automatic installations are always disabled.
 - key: RapidSecurityResponse
  title: Rapid Security Response Settings
  supportedOS:
@@ -186,8 +187,8 @@ payloadkeys:
      - supervised
  type: <dictionary>
  presence: optional
-  content: These configurations allow for setting user access to interacting with
-    Rapid Security Responses (RSRs).
+  content: These configurations set user access to interacting with Rapid Security
+    Responses (RSRs).
  subkeys:
  - key: Enable
    title: Enable Rapid Security Response Installation
@@ -195,17 +196,18 @@ payloadkeys:
    presence: optional
    default: true
    combinetype: boolean-and
-    content: If 'false', Rapid Security Responses are not offered for user installation.
-      Rapid Security Responses can still be installed via 'com.apple.configuration.softwareupdate.enforcement.specific'
-      configurations. If 'true', Rapid Security Responses are offered to the user.
+    content: |-
+      If set to 'false', Rapid Security Responses aren't offered for user installation. The system can still install Rapid Security Responses with 'com.apple.configuration.softwareupdate.enforcement.specific' configurations.
+      If set to 'true', the system offers Rapid Security Responses to the user.
  - key: EnableRollback
    title: Enable Rapid Security Response Rollbacks
    type: <boolean>
    presence: optional
    default: true
    combinetype: boolean-and
-    content: If 'false', Rapid Security Response rollbacks are not offered to the
-      user. If 'true', Rapid Security Response rollbacks are offered to the user.
+    content: |-
+      If set to 'false', the system doesn't offer Rapid Security Response rollbacks to the user.
+      If set to 'true', the system offers Rapid Security Response rollbacks to the user.
 - key: AllowStandardUserOSUpdates
  title: Allow Standard User OS Updates
  supportedOS:
@@ -215,16 +217,16 @@ payloadkeys:
  presence: optional
  default: true
  combinetype: boolean-and
-  content: If 'true', a standard user can perform Major and Minor Software Updates.
-    If 'false', only administrators can perform Major and Minor Software Updates.
+  content: |-
+    If set to 'true', a standard user can perform Major and Minor Software Updates.
+    If set to 'false', only administrators can perform Major and Minor Software Updates.
 - key: Beta
  supportedOS:
    macOS:
      introduced: n/a
  type: <dictionary>
  presence: optional
-  content: Configurations for controlling or specifying the beta programs associated
-    with a device.
+  content: This object configures the beta program settings for a device.
  subkeys:
  - key: ProgramEnrollment
    supportedOS:
@@ -240,26 +242,19 @@ payloadkeys:
    default: Allowed
    combinetype: enum-last
    content: |-
-      Specifies whether beta program enrollment can be controlled by the user in software update settings UI:
-      * "Allowed" - the user can enroll in any applicable beta programs associated with their
-        logged in Apple Account. If the `OfferPrograms` key is present, then the programs listed in
-        that key are also presented to the user.
-      * "AlwaysOn" - the beta programs specified by the organization are used, and the user
-        is not be able to enroll in a beta program using their logged in Apple Account. The device
-        is automatically enrolled into the beta program specified by the `RequireProgram` key if
-        it is present. Otherwise, the programs listed in the `OfferPrograms` key are
-        presented to the user to choose which to enroll with.
-      * "AlwaysOff" - The device is not allowed to enroll in any beta programs. The device is
-        removed from any beta programs, if already enrolled.
+      Specifies whether the user can control beta program enrollment in the software update settings UI:
+      * 'Allowed' - the user can enroll in any applicable beta programs associated with their logged in Apple Account. If the 'OfferPrograms' key is present, then the programs listed in that key are also presented to the user.
+      * 'AlwaysOn' - the beta programs specified by the organization are used, and the user isn't able to enroll in a beta program using their logged in Apple Account. The device is automatically enrolled into the beta program specified by the 'RequireProgram' key if it's present. Otherwise, the system presents the programs listed in the 'OfferPrograms' key to the user to choose which to enroll with.
+      * 'AlwaysOff' - The device isn't allowed to enroll in any beta programs. The system removes the device from any beta programs, if already enrolled.
  - key: OfferPrograms
    type: <array>
    presence: optional
    combinetype: set-union
    content: An array of beta programs allowed on the device. This key must only be
-      present if the `ProgramEnrollment` key is set to `Allowed` or `AlwaysOn`. This
-      key must not be present if the `RequireProgram` key is present. This key can
-      be present on unsupervised devices where the `ProgramEnrollment` key is not
-      supported but is implicitly set to `Allowed`.
+      present if the 'ProgramEnrollment' key is set to 'Allowed' or 'AlwaysOn'. This
+      key must not be present if the 'RequireProgram' key is present. This key can
+      be present on unsupervised devices where the 'ProgramEnrollment' key isn't supported
+      but is implicitly set to 'Allowed'.
    subkeys:
    - key: Program
      type: <dictionary>
@@ -274,8 +269,8 @@ payloadkeys:
        type: <string>
        presence: required
        content: The Apple Business Manager or Apple School Manager seeding service
-          token for the organization the MDM server is part of. This token is used
-          to enroll the device in the corresponding beta program.
+          token for the organization the MDM server is part of. The system uses this
+          token to enroll the device in the corresponding beta program.
  - key: RequireProgram
    supportedOS:
      iOS:
@@ -285,7 +280,7 @@ payloadkeys:
    presence: optional
    combinetype: first
    content: The device automatically enrolls in this beta program. This key must
-      only be present if the `ProgramEnrollment` key is set to `AlwaysOn`. The `OfferPrograms`
+      only be present if the 'ProgramEnrollment' key is set to 'AlwaysOn'. The 'OfferPrograms'
      key must not be present if this key is present.
    subkeys:
    - key: Description
@@ -296,8 +291,8 @@ payloadkeys:
      type: <string>
      presence: required
      content: The Apple Business Manager or Apple School Manager seeding service
-        token for the organization the MDM server is part of. This token is used to
-        enroll the device in the corresponding beta program.
+        token for the organization the MDM server is part of. The system uses this
+        token to enroll the device in the corresponding beta program.
 related-status-items:
 - status-items:
  - softwareupdate.beta-enrollment
@@ -55,5 +55,4 @@ payloadkeys:
  type: <string>
  presence: required
  content: The device's marketing name, such as 'iPhone 12'. This value may not always
-    be available. Alternatively, use 'device.model.configuration-code' to look up
-    the marketing name through the web API.
+    be available.
@@ -30,5 +30,5 @@ payloadkeys:
  title: The device's enrolled beta program.
  type: <string>
  presence: required
-  content: The device's enrolled beta program name, or an empty string if there is
+  content: The device's enrolled beta program name, or an empty string if there's
    no enrolled beta program.
@@ -31,4 +31,4 @@ payloadkeys:
  type: <string>
  presence: required
  content: The device identifier to use when looking up available software updates
-    via <https://gdmf.apple.com/v2/pmv>.
+    via 'https://gdmf.apple.com/v2/pmv'.
@@ -46,3 +46,10 @@ payloadkeys:
    presence: required
    content: The build version of the pending software update, including any rapid
      security response version. This string is empty if no update is pending.
+  - key: target-local-date-time
+    title: The target local date-time
+    type: <string>
+    presence: optional
+    content: The local date time value for when the pending software update will be
+      installed. This key is only present when the pending software update is being
+      enforced.
@@ -2,6 +2,10 @@

 This document lists errata for the YAML schema. This is used when older versions of the schema are incorrect, and a fix was made in later schema to correct the problem.

+## macOS 15.2
+
+Added missing supervised key to macOS across profiles and commands
+
 ## iOS 18.1 / macOS 15.1

 ### mdm/profiles/com.apple.applicationaccess.yaml
@@ -17,6 +17,7 @@ payload:
      introduced: '10.7'
      devicechannel: true
      userchannel: false
+      supervised: false
      requiresdep: false
      userenrollment:
        mode: allowed
@@ -96,8 +97,8 @@ payloadkeys:
        mode: forbidden
  type: <string>
  presence: optional
-  content: The device's UDID (Unique Device ID). This is required if the enrollment
-    type is not user enrollment.
+  content: The device's UDID (Unique Device ID). The system requires this value if
+    the enrollment type isn't user enrollment.
 - key: EnrollmentID
  supportedOS:
    iOS:
@@ -117,8 +118,9 @@ payloadkeys:
      introduced: n/a
  type: <string>
  presence: optional
-  content: The per-enrollment identifier for the device. Available in macOS 10.15
-    and iOS 13.0 and later. This is required if the enrollment type is user enrollment.
+  content: |-
+    The per-enrollment identifier for the device. The system requires this value if the enrollment type is user enrollment.
+    Available in macOS 10.15 and iOS 13.0 and later.
 - key: OSVersion
  supportedOS:
    iOS:
@@ -17,6 +17,7 @@ payload:
      introduced: '10.7'
      devicechannel: true
      userchannel: false
+      supervised: false
      requiresdep: false
      userenrollment:
        mode: allowed
@@ -17,6 +17,7 @@ payload:
      introduced: '10.7'
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userenrollment:
        mode: allowed
@@ -9,6 +9,7 @@ payload:
      introduced: '10.7'
      devicechannel: false
      userchannel: true
+      supervised: false
      requiresdep: false
      userenrollment:
        mode: forbidden
@@ -11,6 +11,7 @@ payload:
      accessrights: None
      devicechannel: true
      userchannel: false
+      supervised: false
      requiresdep: true
      userenrollment:
        mode: forbidden
@@ -10,6 +10,7 @@ payload:
      accessrights: QueryInstalledApps
      devicechannel: false
      userchannel: true
+      supervised: false
      requiresdep: false
      userenrollment:
        mode: forbidden
@@ -10,6 +10,7 @@ payload:
      accessrights: QueryInstalledApps
      devicechannel: false
      userchannel: true
+      supervised: false
      requiresdep: false
      userenrollment:
        mode: forbidden
@@ -12,6 +12,7 @@ payload:
      accessrights: AllowAppInstallation
      devicechannel: true
      userchannel: false
+      supervised: false
      requiresdep: false
      userenrollment:
        mode: allowed
@@ -26,6 +26,7 @@ payload:
      accessrights: AllowAppInstallation
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userenrollment:
        mode: allowed
@@ -19,6 +19,7 @@ payload:
      accessrights: AllowQueryApplications
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userenrollment:
        mode: forbidden
@@ -19,6 +19,7 @@ payload:
      accessrights: None
      devicechannel: false
      userchannel: true
+      supervised: false
      requiresdep: false
      userenrollment:
        mode: forbidden
@@ -22,6 +22,8 @@ payload:
      accessrights: AllowAppInstallation
      devicechannel: true
      userchannel: true
+      supervised: false
+      requiresdep: false
      userenrollment:
        mode: allowed
    tvOS:
@@ -19,6 +19,8 @@ payload:
      accessrights: AllowAppInstallation
      devicechannel: true
      userchannel: false
+      supervised: false
+      requiresdep: false
      userenrollment:
        mode: forbidden
    tvOS:
@@ -25,6 +25,7 @@ payload:
      accessrights: AllowInspection
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userenrollment:
        mode: allowed
@@ -20,6 +20,7 @@ payload:
      accessrights: None
      devicechannel: true
      userchannel: false
+      supervised: false
      requiresdep: true
      userenrollment:
        mode: forbidden
@@ -20,6 +20,7 @@ payload:
      accessrights: AllowDeviceErase
      devicechannel: true
      userchannel: false
+      supervised: false
      requiresdep: false
      userenrollment:
        mode: forbidden
@@ -20,6 +20,7 @@ payload:
      accessrights: AllowPasscodeRemovalAndLock
      devicechannel: true
      userchannel: false
+      supervised: false
      requiresdep: false
      userenrollment:
        mode: forbidden
@@ -20,6 +20,7 @@ payload:
      accessrights: AllowPasscodeRemovalAndLock
      devicechannel: true
      userchannel: false
+      supervised: false
      requiresdep: false
      userenrollment:
        mode: forbidden
@@ -20,6 +20,7 @@ payload:
      accessrights: AllowPasscodeRemovalAndLock
      devicechannel: true
      userchannel: false
+      supervised: false
      requiresdep: false
      userenrollment:
        mode: forbidden
@@ -11,6 +11,7 @@ payload:
      accessrights: AllowQueryNetworkInformation
      devicechannel: true
      userchannel: false
+      supervised: false
      requiresdep: false
      userenrollment:
        mode: forbidden
@@ -20,6 +20,7 @@ payload:
      accessrights: Special Case
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userenrollment:
        mode: allowed
@@ -20,6 +20,7 @@ payload:
      accessrights: AllowQuerySecurity
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userenrollment:
        mode: allowed
@@ -69,8 +70,8 @@ responsekeys:
        userenrollment:
          mode: forbidden
    type: <boolean>
-    content: If 'true', the device has a passcode. This value is available in iOS
-      4 and later, and tvOS 6 and later.
+    content: If 'true', the device has a passcode. This key doesn't apply to User-Enrolled
+      devices. This value is available in iOS 4 and later, and tvOS 6 and later.
  - key: PasscodeCompliant
    supportedOS:
      macOS:
@@ -10,6 +10,7 @@ payload:
      accessrights: DeviceLockAndRemovePasscode
      devicechannel: true
      userchannel: false
+      supervised: false
      requiresdep: false
      userenrollment:
        mode: forbidden
@@ -11,6 +11,7 @@ payload:
      accessrights: DeviceLockAndRemovePasscode
      devicechannel: true
      userchannel: false
+      supervised: false
      requiresdep: false
      userenrollment:
        mode: forbidden
@@ -23,6 +23,7 @@ payload:
      accessrights: AllowAppInstallation
      devicechannel: true
      userchannel: false
+      supervised: false
      requiresdep: false
      userenrollment:
        mode: allowed
@@ -20,6 +20,7 @@ payload:
      accessrights: AllowAppInstallation
      devicechannel: false
      userchannel: true
+      supervised: false
      requiresdep: false
      userenrollment:
        mode: forbidden
@@ -19,6 +19,7 @@ payload:
      accessrights: None
      devicechannel: true
      userchannel: false
+      supervised: false
      requiresdep: false
      userenrollment:
        mode: allowed
@@ -19,6 +19,7 @@ payload:
      accessrights: None
      devicechannel: true
      userchannel: false
+      supervised: false
      requiresdep: false
      userenrollment:
        mode: forbidden
@@ -10,6 +10,7 @@ payload:
      accessrights: DeviceLockAndRemovePasscode
      devicechannel: true
      userchannel: false
+      supervised: false
      requiresdep: false
      userenrollment:
        mode: forbidden
@@ -10,6 +10,7 @@ payload:
      accessrights: None
      devicechannel: true
      userchannel: false
+      supervised: false
      requiresdep: false
      userenrollment:
        mode: forbidden
@@ -10,6 +10,7 @@ payload:
      accessrights: DeviceLockAndRemovePasscode
      devicechannel: true
      userchannel: false
+      supervised: false
      requiresdep: false
      userenrollment:
        mode: forbidden
@@ -10,6 +10,7 @@ payload:
      accessrights: DeviceLockAndRemovePasscode
      devicechannel: true
      userchannel: false
+      supervised: false
      requiresdep: false
      userenrollment:
        mode: forbidden
@@ -22,6 +22,7 @@ payload:
      accessrights: AllowInstallationRemoval
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userenrollment:
        mode: allowed
@@ -21,6 +21,7 @@ payload:
      accessrights: AllowInspection
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userenrollment:
        mode: allowed
@@ -22,6 +22,7 @@ payload:
      accessrights: None
      devicechannel: true
      userchannel: false
+      supervised: false
      requiresdep: false
      userenrollment:
        mode: allowed
@@ -22,6 +22,7 @@ payload:
      accessrights: None
      devicechannel: true
      userchannel: false
+      supervised: false
      requiresdep: false
      userenrollment:
        mode: allowed
@@ -21,6 +21,7 @@ payload:
      accessrights: None
      devicechannel: true
      userchannel: false
+      supervised: false
      requiresdep: false
      userenrollment:
        mode: allowed
@@ -20,6 +20,7 @@ payload:
      accessrights: AllowInstallationRemoval
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userenrollment:
        mode: allowed
@@ -10,6 +10,7 @@ payload:
      accessrights: DeviceLockAndRemovePasscode
      devicechannel: true
      userchannel: false
+      supervised: false
      requiresdep: false
      userenrollment:
        mode: forbidden
@@ -11,6 +11,7 @@ payload:
      accessrights: None
      devicechannel: true
      userchannel: false
+      supervised: false
      requiresdep: true
      userenrollment:
        mode: forbidden
@@ -19,6 +19,7 @@ payload:
      accessrights: AllowSettings
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userenrollment:
        mode: allowed
@@ -604,6 +605,40 @@ payloadkeys:
        presence: optional
        content: A unique identifier for the various services a single organization
          manages.
+  - key: DefaultApplications
+    supportedOS:
+      iOS:
+        introduced: '18.2'
+        sharedipad:
+          mode: forbidden
+        userenrollment:
+          mode: forbidden
+      macOS:
+        introduced: n/a
+      tvOS:
+        introduced: n/a
+      visionOS:
+        introduced: '2.2'
+        userenrollment:
+          mode: forbidden
+      watchOS:
+        introduced: n/a
+    type: <dictionary>
+    presence: optional
+    content: A dictionary that contains default application bundle identifiers. Currently
+      it supports a default web browser app.
+    subkeys:
+    - key: Item
+      type: <string>
+      presence: required
+      rangelist:
+      - DefaultApplications
+      content: Sets information about default applications.
+    - key: WebBrowser
+      type: <string>
+      presence: optional
+      content: The bundle identifier of the app that will be set as the default web
+        browser. This app must be an eligible web browser in the region of the device.
  - key: MDMOptions
    supportedOS:
      iOS:
@@ -761,7 +796,8 @@ payloadkeys:
      type: <integer>
      presence: optional
      content: The quota size, in megabytes (MB), for each user on the shared device,
-        or if the quota size is too small, the minimum quota size.
+        or if the quota size is too small, the minimum quota size. Available to Temporary
+        Sessions Only guest users on iOS 17+.
    - key: ResidentUsers
      type: <integer>
      presence: optional
@@ -20,6 +20,7 @@ payload:
      accessrights: None
      devicechannel: true
      userchannel: false
+      supervised: false
      requiresdep: false
      userenrollment:
        mode: forbidden
@@ -10,6 +10,7 @@ payload:
      accessrights: DeviceLockAndRemovePasscode
      devicechannel: true
      userchannel: false
+      supervised: false
      requiresdep: false
      userenrollment:
        mode: forbidden
@@ -19,6 +19,7 @@ payload:
      multiple: false
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
@@ -10,6 +10,7 @@ payload:
      multiple: false
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
@@ -19,6 +19,7 @@ payload:
      multiple: false
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
@@ -10,6 +10,7 @@ payload:
      multiple: true
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
@@ -12,6 +12,7 @@ payload:
      multiple: true
      devicechannel: false
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
@@ -10,6 +10,7 @@ payload:
      multiple: false
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
@@ -10,6 +10,7 @@ payload:
      multiple: false
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
@@ -10,6 +10,7 @@ payload:
      multiple: false
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
@@ -68,8 +68,8 @@ payloadkeys:
 - key: Certificate
  type: <data>
  presence: optional
-  content: DER-encoded certificate data if an institutional recovery key will be added.
-    This key is not supported on Macs with Apple silicon.
+  content: The DER-encoded certificate data if the system creates an institutional
+    recovery key. This key isn't supported on Macs with Apple silicon.
 - key: PayloadCertificateUUID
  type: <string>
  presence: optional
@@ -10,6 +10,7 @@ payload:
      multiple: true
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
@@ -10,6 +10,7 @@ payload:
      multiple: true
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
@@ -19,6 +19,7 @@ payload:
      multiple: false
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
@@ -11,6 +11,7 @@ payload:
      multiple: false
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
@@ -19,6 +19,7 @@ payload:
      multiple: true
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
@@ -77,9 +78,9 @@ payloadkeys:
      format: ^([0-9A-Fa-f]{2}:){5}([0-9A-Fa-f]{2})$
      content: |-
        The device ID of the AirPlay destination in the format 'xx:xx:xx:xx:xx:xx'. This field isn't case-sensitive.
-        The list of visible AirPlay destinations will be limited to devices that are present in the `AllowList` field of all installed AirPlay payloads.
-        Specifying the same MACAddress more than once, whether in the same payload across different payloads, will result in undefined behavior.
-        As of iOS 18 and macOS 15, `DeviceID` isn't supported, as tvOS 18 AirPlay destinations do not support it.
+        The system limits the list of visible AirPlay destinations to devices that are present in the 'AllowList' field of all installed AirPlay payloads.
+        Specifying the same MACAddress more than once, whether in the same payload across different payloads, results in undefined behavior.
+        As of tvOS 18, 'DeviceID' isn't supported.
    - key: DeviceName
      title: Device Name
      supportedOS:
@@ -91,7 +92,7 @@ payloadkeys:
      presence: optional
      content: |-
        The name of the AirPlay device.
-        The list of visible AirPlay destinations will be limited to devices that are present in the AllowList field of all installed AirPlay payloads.
+        The system limits the list of visible AirPlay destinations to devices that are present in the 'AllowList' field of all installed AirPlay payloads.
 - key: Passwords
  title: Passwords
  type: <array>
@@ -19,6 +19,7 @@ payload:
      multiple: true
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
@@ -10,6 +10,7 @@ payload:
      multiple: true
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
@@ -19,6 +19,7 @@ payload:
      multiple: true
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
@@ -362,9 +363,9 @@ payloadkeys:
  type: <boolean>
  presence: optional
  default: true
-  content: If false, disables the ability for the user to hide apps. It does not affect
-    the user's ability to leave it in the App Library, while removing it from the
-    home screen.
+  content: If 'false', disables the ability for the user to hide apps. It doesn't
+    affect the user's ability to leave it in the App Library, while removing it from
+    the home screen. Available in iOS 18 and later.
 - key: allowAppsToBeLocked
  title: Allow Locking Apps
  supportedOS:
@@ -384,8 +385,9 @@ payloadkeys:
  type: <boolean>
  presence: optional
  default: true
-  content: If false, disables the ability for the user to lock apps. Because hiding
-    apps also requires locking them, disallowing locking also disallows hiding.
+  content: If 'false', disables the ability for the user to lock apps. Because hiding
+    apps also requires locking them, disallowing locking also disallows hiding. Available
+    in iOS 18 and later.
 - key: allowARDRemoteManagementModification
  title: Allow modifying Remote Management Sharing setting
  supportedOS:
@@ -491,6 +493,8 @@ payloadkeys:
    iOS:
      introduced: '17.4'
      supervised: true
+      sharedipad:
+        mode: forbidden
      userenrollment:
        mode: forbidden
    macOS:
@@ -620,7 +624,9 @@ payloadkeys:
      userenrollment:
        mode: forbidden
    macOS:
-      introduced: n/a
+      introduced: '15.0'
+      userenrollment:
+        mode: forbidden
    tvOS:
      introduced: n/a
    visionOS:
@@ -631,7 +637,7 @@ payloadkeys:
  presence: optional
  default: true
  content: If 'false', the system removes the Book Store tab from the Books app. Requires
-    a supervised device. Available in iOS 6 and later.
+    a supervised device. Available in iOS 6 and later and macOS 15 and later.
 - key: allowBookstoreErotica
  title: Allow Bookstore Erotica
  supportedOS:
@@ -640,7 +646,9 @@ payloadkeys:
      userenrollment:
        mode: forbidden
    macOS:
-      introduced: n/a
+      introduced: '15.0'
+      userenrollment:
+        mode: forbidden
    tvOS:
      introduced: '11.3'
      deprecated: '17.0'
@@ -652,8 +660,9 @@ payloadkeys:
  presence: optional
  default: true
  content: If 'false', the system prevents the user from downloading Apple Books media
-    that's tagged as erotica. Available in iOS 6 and later, and tvOS 11.3 and later.
-    Support for this restriction on unsupervised devices is deprecated.
+    that's tagged as erotica. Available in iOS 4.0 and later, macOS 15 and later,
+    and tvOS 17 and later. Support for this restriction on unsupervised devices is
+    deprecated.
 - key: allowCallRecording
  title: Allow Call Recording
  supportedOS:
@@ -675,7 +684,7 @@ payloadkeys:
  type: <boolean>
  presence: optional
  default: true
-  content: If false, call recording is disabled.
+  content: If 'false', disables call recording. Available in iOS 18 and later.
 - key: allowCamera
  title: Allow Camera Use
  supportedOS:
@@ -996,6 +1005,8 @@ payloadkeys:
    visionOS:
      introduced: '2.0'
      supervised: true
+      userenrollment:
+        mode: forbidden
    watchOS:
      introduced: n/a
  type: <boolean>
@@ -1065,6 +1076,31 @@ payloadkeys:
  default: true
  content: If 'false', the system disables QuickPath keyboard. Requires a supervised
    device. Available in iOS 13 and later.
+- key: allowDefaultBrowserModification
+  title: Allow default browser modification
+  supportedOS:
+    iOS:
+      introduced: '18.2'
+      supervised: true
+      userenrollment:
+        mode: forbidden
+    macOS:
+      introduced: n/a
+    tvOS:
+      introduced: n/a
+    visionOS:
+      introduced: '2.2'
+      supervised: true
+      userenrollment:
+        mode: forbidden
+    watchOS:
+      introduced: n/a
+  type: <boolean>
+  presence: optional
+  default: true
+  content: If 'false', disables default browser preference modification. The MDM Settings
+    command to set the default browser preference will still work when this is applied.
+    Available in iOS 18.2 and later, and visionOS 2.2 and later.
 - key: allowDefinitionLookup
  title: Allow Define
  supportedOS:
@@ -1366,7 +1402,9 @@ payloadkeys:
      userenrollment:
        mode: forbidden
    macOS:
-      introduced: n/a
+      introduced: '15.0'
+      userenrollment:
+        mode: forbidden
    tvOS:
      introduced: '11.3'
      supervised: true
@@ -1377,11 +1415,64 @@ payloadkeys:
  type: <boolean>
  presence: optional
  default: true
-  content: If 'false', the system hides explicit music or video content purchased
-    from the iTunes Store. The system marks explicit content as such by content providers,
-    such as record labels, when sold through the iTunes Store. Available in iOS 4
-    and later, and tvOS 11.3 and later. Requires a supervised device in iOS 13 and
-    later. Support for this restriction on unsupervised devices is deprecated.
+  content: |-
+    If 'false', the system hides explicit music or video content purchased from the iTunes Store. The system marks explicit content as such by content providers, such as record labels, when sold through the iTunes Store. Explicit content in the News and Podcast apps is also hidden.
+    Available in iOS 4.0 and later, macOS 15 and later, and tvOS 11.3 and later. Requires a supervised device in iOS 13 and later. Support for this restriction on unsupervised devices is deprecated.
+- key: allowExternalIntelligenceIntegrations
+  title: Allow external intelligence integrations
+  supportedOS:
+    iOS:
+      introduced: '18.2'
+      supervised: false
+      sharedipad:
+        mode: forbidden
+      userenrollment:
+        mode: allowed
+    macOS:
+      introduced: '15.2'
+      userenrollment:
+        mode: forbidden
+    tvOS:
+      introduced: n/a
+    visionOS:
+      introduced: n/a
+    watchOS:
+      introduced: n/a
+  type: <boolean>
+  presence: optional
+  default: true
+  content: If 'false', disables the use of external, cloud-based intelligence services
+    with Siri. On iOS, this restriction is temporarily allowed on unsupervised and
+    user enrollments. In a future release, this restriction will require supervision,
+    and will be ignored on non-supervised devices. Available in iOS 18.2 and later,
+    and macOS 15.2 and later.
+- key: allowExternalIntelligenceIntegrationsSignIn
+  title: Allow external intelligence integrations sign-in
+  supportedOS:
+    iOS:
+      introduced: '18.2'
+      supervised: true
+      sharedipad:
+        mode: forbidden
+      userenrollment:
+        mode: forbidden
+    macOS:
+      introduced: '15.2'
+      userenrollment:
+        mode: forbidden
+    tvOS:
+      introduced: n/a
+    visionOS:
+      introduced: n/a
+    watchOS:
+      introduced: n/a
+  type: <boolean>
+  presence: optional
+  default: true
+  content: If 'false', forces external intelligence providers into anonymous mode.
+    If a user is already signed in to an external intelligence provider, applying
+    this restriction will cause them to be signed out when the next request is attempted.
+    Available in iOS 18.2 and later, and macOS 15.2 and later.
 - key: allowFileSharingModification
  title: Allow modifying File Sharing setting
  supportedOS:
@@ -1998,6 +2089,8 @@ payloadkeys:
    iOS:
      introduced: '18.1'
      supervised: true
+      sharedipad:
+        mode: forbidden
      userenrollment:
        mode: forbidden
    macOS:
@@ -2013,8 +2106,9 @@ payloadkeys:
  type: <boolean>
  presence: optional
  default: true
-  content: If false, disables the ability to create summaries of email messages manually.
-    This does not affect automatic summary generation.
+  content: If 'false', disables the ability to create summaries of email messages
+    manually. This doesn't affect automatic summary generation. Available in iOS 18.1
+    and later.
 - key: allowManagedAppsCloudSync
  title: Allow iCloud Sync for Managed Apps
  supportedOS:
@@ -2098,7 +2192,8 @@ payloadkeys:
  type: <boolean>
  presence: optional
  default: true
-  content: If false, prevents modification of Media Sharing settings.
+  content: If 'false', prevents modification of Media Sharing settings. Available
+    in macOS 15.1 and later.
 - key: allowMultiplayerGaming
  title: Allow Multiplayer Gaming
  supportedOS:
@@ -2649,7 +2744,8 @@ payloadkeys:
  type: <boolean>
  presence: optional
  default: true
-  content: If false, prevents the use of RCS messaging.
+  content: If 'false', prevents the use of RCS messaging. Available in iOS 18.1 and
+    later.
 - key: allowRemoteAppleEventsModification
  title: Allow modifying Remote Apple Events Sharing setting
  supportedOS:
@@ -2732,6 +2828,28 @@ payloadkeys:
    removes its icon from the Home screen. This setting also prevents users from opening
    web clips. As of iOS 13, requires a supervised device. Available in iOS 4 and
    later.
+- key: allowSatelliteConnection
+  title: Allow use of satellite connectivity
+  supportedOS:
+    iOS:
+      introduced: '18.2'
+      supervised: true
+      sharedipad:
+        mode: forbidden
+      userenrollment:
+        mode: forbidden
+    macOS:
+      introduced: n/a
+    tvOS:
+      introduced: n/a
+    visionOS:
+      introduced: n/a
+    watchOS:
+      introduced: n/a
+  type: <boolean>
+  presence: optional
+  default: true
+  content: If false, the connection to and use of satellite services is prohibited.
 - key: allowScreenShot
  title: Allow Screenshots and Screen Recording
  supportedOS:
@@ -3023,6 +3141,8 @@ payloadkeys:
      introduced: n/a
    visionOS:
      introduced: '1.1'
+      userenrollment:
+        mode: forbidden
    watchOS:
      introduced: n/a
  type: <boolean>
@@ -3559,8 +3679,8 @@ payloadkeys:
  type: <boolean>
  presence: optional
  default: false
-  content: If set to true, then the presentation of a screen capture alert will be
-    bypassed.
+  content: If 'true', then the system bypasses the presentation of a screen capture
+    alert. Available in macOS 15.1 and later.
 - key: forceClassroomAutomaticallyJoinClasses
  supportedOS:
    iOS:
@@ -3571,6 +3691,7 @@ payloadkeys:
    macOS:
      introduced: 10.14.4
      supervised: true
+      allowmanualinstall: false
      userenrollment:
        mode: forbidden
    tvOS:
@@ -3595,6 +3716,7 @@ payloadkeys:
    macOS:
      introduced: 10.14.4
      supervised: true
+      allowmanualinstall: false
      userenrollment:
        mode: forbidden
    tvOS:
@@ -3619,6 +3741,7 @@ payloadkeys:
    macOS:
      introduced: 10.14.4
      supervised: true
+      allowmanualinstall: false
      userenrollment:
        mode: forbidden
    tvOS:
@@ -3643,6 +3766,7 @@ payloadkeys:
    macOS:
      introduced: 10.14.4
      supervised: true
+      allowmanualinstall: false
      userenrollment:
        mode: forbidden
    tvOS:
@@ -3833,7 +3957,7 @@ payloadkeys:
  presence: optional
  default: false
  content: |-
-    If 'true', the system preserves eSIM when it erases the device due to too many failed password attempts or the Erase All Content and Settings option in Settings > General > Reset. Available in iOS 17.2 and later.
+    If 'true', the system preserves eSIM when it erases the device due to too many failed password attempts or the Erase All Content and Settings option in Settings > General > Reset. Requires a supervised device. Available in iOS 17.2 and later.
    The system doesn't preserve eSIM if Find My initiates erasing the device.
 - key: forceWatchWristDetection
  title: Force Apple Watch Wrist Detection
@@ -3926,7 +4050,9 @@ payloadkeys:
      userenrollment:
        mode: forbidden
    macOS:
-      introduced: n/a
+      introduced: '15.0'
+      userenrollment:
+        mode: forbidden
    tvOS:
      introduced: '11.3'
    visionOS:
@@ -3940,7 +4066,7 @@ payloadkeys:
    max: 1000
  default: 1000
  content: |-
-    The maximum level of app content allowed on the device. Preinstalled (first party) apps ignore this restriction. Available in iOS 4 and later, and tvOS 11.3 and later. Support for this restriction on unsupervised devices is deprecated.
+    The maximum level of app content allowed on the device. Preinstalled (first party) apps ignore this restriction. Available in iOS 4.0 and later, macOS 15 and later, and tvOS 11.3 and later.  Support for this restriction on unsupervised devices is deprecated.
    Possible values, with the US description of the rating level:

    * '1000': All
@@ -3956,7 +4082,9 @@ payloadkeys:
      userenrollment:
        mode: forbidden
    macOS:
-      introduced: n/a
+      introduced: '15.0'
+      userenrollment:
+        mode: forbidden
    tvOS:
      introduced: '11.3'
    visionOS:
@@ -3970,7 +4098,7 @@ payloadkeys:
    max: 1000
  default: 1000
  content: |-
-    The maximum level of movie content allowed on the device. Available in iOS 4 and later, and tvOS 11.3 and later. Support for this restriction on unsupervised devices is deprecated.
+    The maximum level of movie content allowed on the device. Available in iOS 4.0 and later, macOS 15 and later, and tvOS 11.3 and later.  Support for this restriction on unsupervised devices is deprecated.
    Possible values, with the US description of the rating level:

    * '1000': All
@@ -4000,7 +4128,8 @@ payloadkeys:
  - nz
  - gb
  content: The two-letter key that profile tools use to display the proper ratings
-    for the given region. The client doesn't recognize or report this data.
+    for the given region. The client doesn't recognize or report this data. Available
+    in iOS 4.0 and later, macOS 10.7 and later, and tvOS 9 and later.
 - key: ratingTVShows
  title: TV Shows Ranking Number
  supportedOS:
@@ -4008,7 +4137,9 @@ payloadkeys:
      userenrollment:
        mode: forbidden
    macOS:
-      introduced: n/a
+      introduced: '15.0'
+      userenrollment:
+        mode: forbidden
    tvOS:
      introduced: '11.3'
    visionOS:
@@ -4022,7 +4153,7 @@ payloadkeys:
    max: 1000
  default: 1000
  content: |-
-    The maximum level of TV content allowed on the device. Available in iOS 4 and later, and tvOS 11.3 and later. Support for this restriction on unsupervised devices is deprecated.
+    The maximum level of TV content allowed on the device. Available in iOS 4.0 and later, macOS 15 and later, and tvOS 11.3 and later. Support for this restriction on unsupervised devices is deprecated.
    Possible values, with the US description of the rating level:

    * '1000': All
@@ -10,6 +10,7 @@ payload:
      multiple: false
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
@@ -11,6 +11,7 @@ payload:
      multiple: true
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: true
      allowmanualinstall: true
@@ -20,6 +20,7 @@ payload:
      multiple: true
      devicechannel: false
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
@@ -20,6 +20,7 @@ payload:
      multiple: true
      devicechannel: false
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
@@ -9,6 +9,7 @@ payload:
      multiple: false
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
@@ -12,6 +12,7 @@ payload:
      multiple: false
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
@@ -17,6 +17,7 @@ payload:
      multiple: true
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
@@ -10,6 +10,7 @@ payload:
      multiple: false
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
@@ -10,6 +10,7 @@ payload:
      multiple: false
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
@@ -19,6 +19,7 @@ payload:
      multiple: false
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
@@ -104,3 +105,24 @@ payloadkeys:
  subkeys:
  - key: CrossSiteTrackingPreventionRelaxedDomainItem
    type: <string>
+- key: CrossSiteTrackingPreventionRelaxedApps
+  title: Cross-Site Tracking Prevention Relaxed Apps
+  supportedOS:
+    iOS:
+      introduced: '18.0'
+      supervised: true
+      allowmanualinstall: false
+      userenrollment:
+        mode: forbidden
+    macOS:
+      introduced: '15.0'
+      allowmanualinstall: false
+  type: <array>
+  presence: optional
+  content: An array of up to 10 strings representing app bundle-ids. Apps matching
+    the bundle-ids listed here will have relaxed enforcement of cross-site tracking
+    prevention for the domains listed in the 'CrossSiteTrackingPreventionRelaxedDomains'
+    key.
+  subkeys:
+  - key: CrossSiteTrackingPreventionRelaxedAppsItem
+    type: <string>
@@ -19,6 +19,7 @@ payload:
      multiple: false
      devicechannel: false
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
@@ -10,6 +10,7 @@ payload:
      multiple: true
      devicechannel: false
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
@@ -19,6 +19,7 @@ payload:
      multiple: true
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: true
      allowmanualinstall: false
@@ -19,6 +19,7 @@ payload:
      multiple: true
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: true
      allowmanualinstall: false
@@ -10,6 +10,7 @@ payload:
      multiple: false
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
@@ -10,6 +10,7 @@ payload:
      multiple: false
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
@@ -10,6 +10,7 @@ payload:
      multiple: false
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: true
      allowmanualinstall: false
@@ -28,3 +29,41 @@ payloadkeys:
  default: false
  content: If 'true', enables file providers access to the path of the requesting
    process.
+- key: ManagementAllowsKnownFolderSyncing
+  supportedOS:
+    macOS:
+      introduced: '15.2'
+      devicechannel: true
+      userchannel: false
+      userenrollment:
+        mode: forbidden
+  type: <boolean>
+  presence: optional
+  default: true
+  content: If 'false', the device prevents the File Provider extension using desktop
+    and documents synchronization in any app. If 'true', the device allows File Provider
+    extension desktop and documents synchronization. This does not impact the ability
+    for apps to utilize the File Provider extension for file and folder syncing with
+    remote storage.
+- key: ManagementKnownFolderSyncingAllowList
+  supportedOS:
+    macOS:
+      introduced: '15.2'
+      devicechannel: true
+      userchannel: false
+      userenrollment:
+        mode: forbidden
+  type: <array>
+  presence: optional
+  content: An array of app identifiers for apps that are allowed to utilize File Provider
+    extension desktop and documents synchronization. If present, and `ManagementAllowsKnownFolderSyncing`
+    is set to `true`, the device allows only the apps in this list to use desktop
+    and documents synchronization. This key is ignored if `ManagementAllowsKnownFolderSyncing`
+    is set to `false`. This setting does not impact the ability for apps to utilize
+    File Provider extension for volume access. The format of the app identifiers is
+    "Bundle.Identifier (TeamIdentifier)".
+  subkeys:
+  - key: AllowListItem
+    type: <string>
+    presence: required
+    content: A composed app identifier. The format is "Bundle.Identifier (TeamIdentifier)".
@@ -10,6 +10,7 @@ payload:
      multiple: false
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
@@ -10,6 +10,7 @@ payload:
      multiple: false
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
@@ -10,6 +10,7 @@ payload:
      multiple: false
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
@@ -19,6 +19,7 @@ payload:
      multiple: true
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
@@ -10,6 +10,7 @@ payload:
      multiple: false
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
@@ -19,6 +19,7 @@ payload:
      multiple: false
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
@@ -11,6 +11,7 @@ payload:
      multiple: false
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
@@ -13,6 +13,7 @@ payload:
      multiple: true
      devicechannel: false
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
@@ -20,6 +20,7 @@ payload:
      multiple: true
      devicechannel: false
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
@@ -10,6 +10,7 @@ payload:
      multiple: true
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
@@ -19,6 +19,7 @@ payload:
      multiple: true
      devicechannel: false
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
@@ -9,6 +9,7 @@ payload:
      multiple: false
      devicechannel: true
      userchannel: true
+      supervised: false
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
--- a/Show More
+++ b/Show More