Release_iOS-18-0_macOS-15-0

Cyrus Daboo
2024-09-11 15:52:55 -04:00
parent dcc320a6a6
commit 85fae8ac89
140 changed files with 2312 additions and 303 deletions
+5 -5
@@ -8,11 +8,11 @@ This release corresponds to the following OS versions
| OS | Version |
|----------|---------|
| iOS | 17.5 |
| macOS | 14.5 |
| tvOS | 17.5 |
| visionOS | 1.2 |
| watchOS | 10.5 |
| iOS | 18.0 |
| macOS | 15.0 |
| tvOS | 18.0 |
| visionOS | 2.0 |
| watchOS | 11.0 |
## Important Release Notes
@@ -16,6 +16,8 @@ payload:
payloadkeys:
- key: Reference
type: <dictionary>
asset-content-types:
- application/json
presence: required
content: |-
The external reference. Ensure that the asset data:
@@ -16,6 +16,9 @@ payload:
payloadkeys:
- key: Reference
type: <dictionary>
asset-content-types:
- application/pkcs1
- application/pem
presence: required
content: The external reference. Ensure that the asset data uses a media type of
'application/pkcs1' or 'application/pem' to correctly identify the type of encoded
@@ -16,6 +16,8 @@ payload:
payloadkeys:
- key: Reference
type: <dictionary>
asset-content-types:
- application/json
presence: required
content: |-
The external reference. Ensure that the asset data:
@@ -16,6 +16,8 @@ payload:
payloadkeys:
- key: Reference
type: <dictionary>
asset-content-types:
- application/json
presence: required
content: |-
The external reference. Ensure that the asset data:
@@ -17,6 +17,8 @@ payload:
payloadkeys:
- key: Reference
type: <dictionary>
asset-content-types:
- application/json
presence: required
content: |-
The external reference. Ensure that the asset data:
@@ -24,11 +24,12 @@ payloadkeys:
title: Client identifier
type: <string>
presence: required
content: The server can use this as a nonce to prevent issuing multiple certificates.
It also indicates to the ACME server that the device has access to a valid client
identifier that the enterprise infrastructure issued. This can help the ACME server
determine whether to trust the device, however this is a relatively weak indication
because of the risk that an attacker may intercept and duplicate the client identifier.
content: The server can use this as a one-time code to prevent issuing multiple
certificates. It also indicates to the ACME server that the device has access
to a valid client identifier that the enterprise infrastructure issued. This can
help the ACME server determine whether to trust the device, however this is a
relatively weak indication because of the risk that an attacker may intercept
and duplicate the client identifier.
- key: KeySize
title: Key Size
type: <integer>
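Review bot: The reworded 'Client identifier' description still promises single use ("to prevent issuing multiple certificates") while the same paragraph concedes that an attacker may intercept and duplicate the identifier. Say that single use is something the ACME server has to enforce, and point to the 'Attest' key as the stronger signal, so the identifier alone is not read as proof of device identity. The clause starting "however" would also read better as its own sentence.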
@@ -137,4 +138,15 @@ payloadkeys:
evidence that the key is bound to the device, and that the device has properties
listed in the attestation. The server can use that as part of a trust score to
decide whether to issue the requested certificate. When 'Attest' is 'true', set
'HardwareBound' to 'true'. On macOS, set this key, if present, to 'false'.
'HardwareBound' to 'true'. See the ACME attestation hardware support note for
hardware requirements.
notes:
- title: ACME attestation hardware support
content: |-
The following table indicates which System on Chips (SoCs) support ACME attestation.
If the Attest key is ignored, the ACME server does not receive an attestation.
| Attest key support | iPhone, iPad | Mac | Apple TV | Apple Watch | Vision Pro |
|--------------------|--------------------------------------|----------------|-------------------------|----------------|------------|
| Ignored | A10x Fusion and earlier | Intel | A10x Fusion and earlier | S3 and earlier | none |
| Supported | A11 Bionic and later<br>All M series | Apple Silicon | A12 Bionic and later | S4 and later | All |
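Review bot: In the new 'ACME attestation hardware support' note, "If the Attest key is ignored, the ACME server does not receive an attestation" leaves the rest of the request undefined. The text above still says to set 'HardwareBound' to 'true' when 'Attest' is 'true', and the macOS instruction to use 'false' is no longer there. Please state whether the certificate request still goes ahead on hardware in the 'Ignored' row, so server authors know a request can arrive without an attestation and must be handled explicitly. Minor: "System on Chips" should be "systems on a chip".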
@@ -28,6 +28,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
- local
@@ -28,6 +28,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
- local
@@ -29,6 +29,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
- local
@@ -268,9 +269,6 @@ payloadkeys:
content: If 'true', the system enables the per-message encryption switch in
the compose view.
- key: MailServiceActive
supportedOS:
macOS:
introduced: n/a
type: <boolean>
presence: optional
default: true
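Review bot: With the 'supportedOS: macOS: introduced: n/a' block gone from 'MailServiceActive', the key takes its macOS availability from the payload level, and nothing in the hunk records which macOS release first honors it. If support begins with macOS 15.0, an explicit 'introduced' value would keep MDM servers from assuming the key is enforced on older Macs. The same applies to the Contacts, Calendar, Reminders and Notes 'ServiceActive' keys in the hunks that follow.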
@@ -285,9 +283,6 @@ payloadkeys:
content: If 'true', the system prevents the user from changing the status of the
mail service for this account.
- key: ContactsServiceActive
supportedOS:
macOS:
introduced: n/a
type: <boolean>
presence: optional
default: true
@@ -302,9 +297,6 @@ payloadkeys:
content: If 'true', the system prevents the user from changing the status of the
address book service for this account.
- key: CalendarServiceActive
supportedOS:
macOS:
introduced: n/a
type: <boolean>
presence: optional
default: true
@@ -319,9 +311,6 @@ payloadkeys:
content: If 'true', the system prevents the user from changing the status of the
calendar service for this account.
- key: RemindersServiceActive
supportedOS:
macOS:
introduced: n/a
type: <boolean>
presence: optional
default: true
@@ -336,9 +325,6 @@ payloadkeys:
content: If 'true', the system prevents the user from changing the status of the
reminders service for this account.
- key: NotesServiceActive
supportedOS:
macOS:
introduced: n/a
type: <boolean>
presence: optional
default: true
@@ -28,6 +28,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
- local
@@ -28,6 +28,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
- local
@@ -28,6 +28,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
- local
@@ -28,6 +28,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
- local
@@ -29,19 +29,20 @@ payloadkeys:
title: App Store ID
type: <string>
presence: optional
content: The App Store ID of the managed app. One and only one of 'AppStoreID',
'BundleID', or 'ManifestURL' must be present.
content: The App Store ID of the managed app that is downloaded from the App Store.
One and only one of 'AppStoreID', 'BundleID', or 'ManifestURL' must be present.
- key: BundleID
title: Bundle ID
type: <string>
presence: optional
content: The bundle ID of the managed app. One and only one of 'AppStoreID', 'BundleID',
or 'ManifestURL' must be present.
content: The bundle ID of the managed app that is downloaded from the App Store.
One and only one of 'AppStoreID', 'BundleID', or 'ManifestURL' must be present.
- key: ManifestURL
title: Manifest URL
type: <string>
presence: optional
content: The URL of the manifest for the managed app. One and only one of 'AppStoreID',
content: The URL of the manifest for the managed app that is downloaded from a web
site. The manifest is returned as a property list. One and only one of 'AppStoreID',
'BundleID', or 'ManifestURL' must be present.
- key: InstallBehavior
title: Install Behavior
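Review bot: The 'ManifestURL' description now says the manifest is "downloaded from a web site" but gives no transport requirement, whereas the legacy profile URL description elsewhere in this commit requires the URL to start with 'https://'. Please state the allowed scheme here as well. Separately, the 'BundleID' text now reads the same as 'AppStoreID' ("downloaded from the App Store"); a clause on when to use one over the other would help.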
@@ -70,8 +71,25 @@ payloadkeys:
presence: optional
content: A dictionary that describes the app's license.
subkeys:
- key: Assignment
title: Assignment
type: <string>
presence: optional
rangelist:
- Device
- User
content: |-
Indicates what type of license to use when an App Store app is installed:
* Device - the license is assigned to the device.
* User - the license is assigned to the user.
This key must be present for App Store apps, when either 'AppStoreID' or 'BundleID' are present in the configuration.
- key: VPPType
title: VPP Type
supportedOS:
iOS:
removed: '18.0'
macOS:
removed: '15.0'
type: <string>
presence: optional
rangelist:
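Review bot: 'Assignment' is declared 'presence: optional', but its content says "This key must be present for App Store apps", so a validator working from the schema will accept an App Store configuration without it. Either express the condition in the metadata or describe what the device does when the key is missing. The sentence should also read "when either 'AppStoreID' or 'BundleID' is present". Since 'VPPType' is marked removed in iOS 18.0 and macOS 15.0 in the same hunk, say whether 'Assignment' replaces it and which key a server should send to older OS versions.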
@@ -0,0 +1,55 @@
title: Disk Management:Settings
description: Use this configuration to install disk management settings on the device.
payload:
declarationtype: com.apple.configuration.diskmanagement.settings
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '15.0'
allowed-enrollments:
- supervised
- local
allowed-scopes:
- system
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
apply: combined
payloadkeys:
- key: Restrictions
type: <dictionary>
presence: optional
content: Defines the restrictions for disks
subkeys:
- key: ExternalStorage
title: External Storage
type: <string>
presence: optional
rangelist:
- Allowed
- ReadOnly
- Disallowed
combinetype: enum-last
content: |-
Specifies the mount policy for external storage:
* Allowed - external storage that is read-write or read-only will be mounted.
* ReadOnly - only external storage that is read-only will be automatically mounted. Note that external storage that is read-write will not be mounted read-only.
* Disallowed - no external storage will be mounted.
- key: NetworkStorage
title: Network Storage
type: <string>
presence: optional
rangelist:
- Allowed
- ReadOnly
- Disallowed
combinetype: enum-last
content: |-
Specifies the mount policy for network storage:
* Allowed - network storage that is read-write or read-only will be mounted.
* ReadOnly - only network storage that is read-only will be mounted. Note that network storage that is read-write will not be mounted read-only.
* Disallowed - no network storage will be mounted.
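Review bot: The two 'ReadOnly' bullets differ: 'ExternalStorage' says read-only storage "will be automatically mounted" while 'NetworkStorage' says "will be mounted". If "automatically" is meant to leave room for a user-initiated mount of external media, say so explicitly, because that changes what the restriction blocks; otherwise drop the word. "Defines the restrictions for disks" is also missing its final period.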
@@ -32,6 +32,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
allowed-scopes:
@@ -45,7 +46,7 @@ payloadkeys:
type: <string>
presence: required
content: |-
The URL of the profile to download and install, which needs to start with 'https://', and must be hosted by the MDM server. The system silently ignores any account or passcode payloads in the profile. Use their declarative configurations instead.
The URL of the profile to download and install, which needs to start with 'https://', and must be hosted by the MDM server.
If a user enrollment triggers this configuration, the system silently ignores any MDM 1 payloads in macOS where the User Enrollment Mode setting is 'forbidden'. In iOS, the system rejects the entire profile.
- key: VisibleName
title: Configuration Visible Name
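Review bot: "MDM 1 payloads" in the new sentence is not defined anywhere in this hunk; name the payload types or reference the list. The macOS branch also needs a line on reporting: the payloads are "silently" ignored, so say how a server can tell that part of the profile was not applied.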
@@ -36,6 +36,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
- local
@@ -55,5 +56,5 @@ payloadkeys:
type: <string>
presence: required
content: |-
The URL of the profile to download and install, which needs to start with 'https://', and must be hosted by the MDM server. The system silently ignores any account or passcode payloads in the profile. Use their declarative configurations instead.
The URL of the profile to download and install, which needs to start with 'https://', and must be hosted by the MDM server.
If a user enrollment triggers this configuration, the system silently ignores any MDM 1 payloads in macOS where the User Enrollment Mode setting is 'forbidden'. In iOS and tvOS, the system rejects the entire profile.
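Review bot: This copy of the sentence ends "In iOS and tvOS, the system rejects the entire profile", while the otherwise identical text in the earlier hunk says only "In iOS". If both declarations behave the same way, align the wording; if not, the difference deserves a word of explanation.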
@@ -34,6 +34,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
allowed-scopes:
@@ -36,6 +36,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
- local
@@ -0,0 +1,118 @@
title: Math Settings
description: Use this configuration to configure math-related settings
payload:
declarationtype: com.apple.configuration.math.settings
supportedOS:
iOS:
introduced: '18.0'
allowed-enrollments:
- supervised
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '15.0'
allowed-enrollments:
- supervised
allowed-scopes:
- user
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
apply: combined
content: Configures the built-in math and calculator app settings.
payloadkeys:
- key: Calculator
type: <dictionary>
presence: optional
content: If present, configures the built-in Calculator app.
subkeys:
- key: BasicMode
type: <dictionary>
presence: optional
content: If present, configures the basic mode of the calculator. Basic mode is
always enabled.
subkeys:
- key: AddSquareRoot
type: <boolean>
presence: required
combinetype: boolean-or
content: Add the square root button to the basic calculator by replacing the
+/- button. Normally, the square root button is available in scientific mode,
so this key can be used to make it available when the scientific mode is restricted.
- key: ScientificMode
type: <dictionary>
presence: optional
content: If present, configures the scientific mode of the calculator. If not
present, scientific mode is enabled.
subkeys:
- key: Enabled
type: <boolean>
presence: required
combinetype: boolean-and
content: Controls whether the mode is enabled.
- key: ProgrammerMode
supportedOS:
iOS:
introduced: n/a
type: <dictionary>
presence: optional
content: If present, configures the programmer mode of the calculator. If not
present, programmer mode is enabled.
subkeys:
- key: Enabled
type: <boolean>
presence: required
combinetype: boolean-and
content: Controls whether the mode is enabled.
- key: MathNotesMode
type: <dictionary>
presence: optional
content: If present, configures the Math Notes mode of the calculator. If not
present, math notes mode is enabled.
subkeys:
- key: Enabled
type: <boolean>
presence: required
combinetype: boolean-and
content: Controls whether the mode is enabled.
- key: InputModes
type: <dictionary>
presence: optional
content: If present, controls global input options of the calculator. If not present,
all input modes are enabled.
subkeys:
- key: UnitConversion
type: <boolean>
presence: required
combinetype: boolean-and
content: Configures whether unit conversions are enabled.
- key: RPN
supportedOS:
iOS:
introduced: n/a
type: <boolean>
presence: required
combinetype: boolean-and
content: Configures whether RPN input is enabled.
- key: SystemBehavior
type: <dictionary>
presence: optional
content: If present, configures math behavior in the system.
subkeys:
- key: KeyboardSuggestions
type: <boolean>
presence: required
combinetype: boolean-and
content: Controls whether keyboard suggestions include math solutions
- key: MathNotes
type: <boolean>
presence: required
combinetype: boolean-and
content: Controls whether Math Notes is allowed in other apps such as Notes.
@@ -25,7 +25,14 @@ payload:
tvOS:
introduced: n/a
visionOS:
introduced: n/a
introduced: '2.0'
allowed-enrollments:
- supervised
- device
- user
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
@@ -116,6 +123,8 @@ payloadkeys:
introduced: n/a
macOS:
introduced: '13.1'
visionOS:
introduced: n/a
watchOS:
introduced: n/a
type: <integer>
@@ -181,6 +190,8 @@ payloadkeys:
introduced: n/a
macOS:
introduced: '13.1'
visionOS:
introduced: n/a
watchOS:
introduced: n/a
type: <boolean>
@@ -197,6 +208,8 @@ payloadkeys:
introduced: n/a
macOS:
introduced: '14.0'
visionOS:
introduced: n/a
watchOS:
introduced: n/a
type: <dictionary>
@@ -0,0 +1,101 @@
title: Safari:Extension Settings
description: Use this configuration to manage Safari Extensions.
payload:
declarationtype: com.apple.configuration.safari.extensions.settings
supportedOS:
iOS:
introduced: '18.0'
allowed-enrollments:
- supervised
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- user
macOS:
introduced: '15.0'
allowed-enrollments:
- supervised
allowed-scopes:
- user
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
apply: combined
payloadkeys:
- key: ManagedExtensions
title: Managed Extensions
type: <dictionary>
presence: optional
content: Extensions being managed
subkeys:
- key: ANY
type: <dictionary>
presence: optional
content: The composed identifier of the managed extension, or "*" for all extensions.
In order for the extension to be managed, its host app must be present on the
device. To generate this string use codesign -dv <path_to_appex>. The browser
extension is located in the PlugIns folder inside the app bundle. The expected
format is "Identifier (TeamIdentifier)". For extensions that are not also available
on macOS the app developer will need to provide this information.
subkeytype: ExtensionDictionary
subkeys:
- key: State
title: Extension state
type: <string>
presence: optional
rangelist:
- Allowed
- AlwaysOn
- AlwaysOff
combinetype: enum-last
content: |-
Controls whether an extension is allowed.
* Allowed - The user is allowed to turn the extension on or off
* AlwaysOn - The extension will always be on
* AlwaysOff - The extension will always be off
- key: PrivateBrowsing
title: Private Browsing state
type: <string>
presence: optional
rangelist:
- Allowed
- AlwaysOn
- AlwaysOff
combinetype: enum-last
content: |-
Controls whether an extension is allowed in Private Browsing.
* Allowed - The user is allowed to turn the extension on or off in Private Browsing
* AlwaysOn - The extension will always be on in Private Browsing if the extension is on outside of Private Browsing
* AlwaysOff - The extension will never be on in Private Browsing
- key: AllowedDomains
title: Allowed domains
type: <array>
presence: optional
combinetype: set-union
content: Controls the domains and sub-domains the extension is granted access
to. Any non-prefixed domains take precedence over prefixed domains, and DeniedDomains
takes precedence over AllowedDomains. Any domains not specified in AllowedDomains
or DeniedDomains are configurable by the user.
subkeys:
- key: Domain
title: Domain
type: <string>
content: A domain or set of sub-domains where the extension is allowed
- key: DeniedDomains
title: Denied domains
type: <array>
presence: optional
combinetype: set-union
content: Controls the domains and sub-domains the extension is not allowed to
access. Any non-prefixed domains take precedence over prefixed domains, and
DeniedDomains takes precedence over AllowedDomains. Any domains not specified
in AllowedDomains or DeniedDomains are configurable by the user.
subkeys:
- key: Domain
title: Domain
type: <string>
content: A domain or set of sub-domains where the extension is not allowed
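Review bot: 'AllowedDomains' and 'DeniedDomains' both rely on "non-prefixed domains take precedence over prefixed domains", but the 'Domain' subkey never defines what a prefix is or how sub-domains are matched. These lists decide which sites an extension can access, so please document the accepted syntax with one example each of an exact entry and a sub-domain entry. The 'ANY' key also needs a precedence rule for the case where both "*" and a specific "Identifier (TeamIdentifier)" entry are present, and "codesign -dv <path_to_appex>" should be set off as a command.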
@@ -36,6 +36,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
- local
@@ -36,6 +36,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
- local
@@ -0,0 +1,91 @@
title: Services Background Tasks
description: Specifies management of a background tasks
payload:
declarationtype: com.apple.configuration.services.background-tasks
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '15.0'
allowed-enrollments:
- supervised
allowed-scopes:
- system
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
apply: multiple
payloadkeys:
- key: TaskType
title: Task Type
type: <string>
presence: required
content: The unique identifier of the set of background tasks managed with this
configuration. This should be a reverse DNS style identifier. This is used solely
by the management system to differentiate between tasks in different configurations.
- key: TaskDescription
title: Task Description
type: <string>
presence: optional
content: A description of the set of background tasks managed by this configuration.
- key: ExecutableAssetReference
title: Executable Asset Reference
type: <string>
assettypes:
- com.apple.asset.data
asset-content-types:
- application/zip
presence: optional
content: |-
Specifies the identifier of an asset declaration containing a reference
to the files to be used for the background task configuration. The corresponding
asset must be of type "com.apple.asset.data". The referenced data must be a zip
archive of an entire directory, that will be expanded and stored in a well known
location for the background task. The asset's "ContentType" and "Hash-SHA-256"
keys in the "Reference" key are required.
This file should contain background task executables, scripts, and configuration
files, but not the launchd configuration files.
- key: LaunchdConfigurations
title: Launchd Configurations
type: <array>
presence: optional
content: An array of launchd configuration files used to run the background tasks.
subkeys:
- key: launchd-item
type: <dictionary>
presence: required
subkeys:
- key: FileAssetReference
title: File Asset Reference
type: <string>
assettypes:
- com.apple.asset.data
asset-content-types:
- application/plist
- application/x-plist
- application/xml
- text/xml
presence: required
content: |-
Specifies the identifier of an asset declaration containing a reference
to the launchd configuration file for the background task. The referenced data must be a
property list file conforming to the launchd.plist format. The asset's "ContentType" and "Hash-SHA-256"
keys in the "Reference" key are required.
- key: Context
title: Launchd Context
type: <string>
presence: required
rangelist:
- daemon
- agent
content: Indicates whether the launchd configuration file is applied to the
system daemon, or system agent domain.
related-status-items:
- status-items:
- services.background-task
note: Each service managed by a configuration will have a corresponding status item
that will contain a reference to the configuration.
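Review bot: 'ExecutableAssetReference' delivers a zip that is "expanded and stored in a well known location", yet the location, its ownership and permissions, and how a launchd configuration file should refer to files inside it are not stated. For content that launchd runs in the 'daemon' context, the description should also say when the "Hash-SHA-256" value is checked and what happens on a mismatch. Smaller points: "Specifies management of a background tasks" has a stray article, and "the system daemon, or system agent domain" is clearer as "the system daemon domain or the system agent domain".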
@@ -37,6 +37,8 @@ payloadkeys:
type: <string>
assettypes:
- com.apple.asset.data
asset-content-types:
- application/zip
presence: required
content: |-
The identifier of an asset declaration that contains a reference to the files to use for system service configuration. Ensure that the corresponding asset:
@@ -0,0 +1,304 @@
title: Software Update:Settings
description: Software update settings
payload:
declarationtype: com.apple.configuration.softwareupdate.settings
supportedOS:
iOS:
introduced: '18.0'
allowed-enrollments:
- supervised
- device
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
macOS:
introduced: '15.0'
allowed-enrollments:
- supervised
allowed-scopes:
- system
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
apply: combined
payloadkeys:
- key: Notifications
title: Software Update Notifications
type: <boolean>
presence: optional
default: true
combinetype: boolean-and
content: If 'true', the device shows all software update enforcement notifications.
If 'false', the device only shows notifications triggered one hour before the
enforcement deadline, and the restart countdown notification.
- key: Deferrals
title: Software Update Deferrals
supportedOS:
iOS:
allowed-enrollments:
- supervised
type: <dictionary>
presence: optional
content: Controls the deferral of software updates. Rapid Security Responses are
not considered within 'Major', 'Minor', or 'System' deferral mechanism.
subkeys:
- key: CombinedPeriodInDays
title: Combined Major/Minor Update Deferral Period
supportedOS:
macOS:
introduced: n/a
type: <integer>
presence: optional
range:
min: 1
max: 90
combinetype: number-max
content: Specifies the number of days to defer a major or minor OS software update
on the device. When set, software updates only appear after the specified delay,
following the release of the software update.
- key: MajorPeriodInDays
title: Major Update Deferral Period
supportedOS:
iOS:
introduced: n/a
type: <integer>
presence: optional
range:
min: 1
max: 90
combinetype: number-max
content: Specifies the number of days to defer a major OS software update on the
device. When set, software updates only appear after the specified delay, following
the release of the software update.
- key: MinorPeriodInDays
title: Minor Update Deferral Period
supportedOS:
iOS:
introduced: n/a
type: <integer>
presence: optional
range:
min: 1
max: 90
combinetype: number-max
content: Specifies the number of days to defer a minor OS software update on the
device. When set, software updates only appear after the specified delay, following
the release of the software update.
- key: SystemPeriodInDays
title: System Update Deferral Period
supportedOS:
iOS:
introduced: n/a
type: <integer>
presence: optional
range:
min: 1
max: 90
combinetype: number-max
content: Specifies the number of days to defer system or non-OS updates. When
set, updates only appear after the specified delay, following the release of
the update.
- key: RecommendedCadence
title: Software Update Recommended Cadence
supportedOS:
macOS:
introduced: n/a
type: <string>
presence: optional
rangelist:
- All
- Oldest
- Newest
combinetype: enum-last
content: |-
Specifies how the device shows software updates to the user. When more than one update is available update, the device behaves as follows:
* "All" - Shows all software update versions.
* "Oldest" - Shows only the oldest (lower numbered) software update version.
* "Newest" - Shows only the newest (highest numbered) software update version.
- key: AutomaticActions
title: Automatic Software Update Settings
supportedOS:
iOS:
allowed-enrollments:
- supervised
type: <dictionary>
presence: optional
content: Specifies various automatic Software Update functionality.
subkeys:
- key: Download
title: Automatic downloads of available updates.
type: <string>
presence: optional
rangelist:
- Allowed
- AlwaysOn
- AlwaysOff
default: Allowed
combinetype: enum-last
content: |-
Specifies whether automatic downloads of available updates can be controlled by the user:
* "Allowed" - the user can enable or disable automatic downloads.
* "AlwaysOn" - automatic downloads are always enabled.
* "AlwaysOff" - automatic downloads are always disabled.
- key: InstallOSUpdates
title: Automatic installs of OS updates.
type: <string>
presence: optional
rangelist:
- Allowed
- AlwaysOn
- AlwaysOff
default: Allowed
combinetype: enum-last
content: |-
Specifies whether automatic install of available OS updates can be controlled by the user:
* "Allowed" - the user can enable or disable automatic installs.
* "AlwaysOn" - automatic installs are always enabled.
* "AlwaysOff" - automatic installs are always disabled.
- key: InstallSecurityUpdate
title: Automatic installs of available security updates.
supportedOS:
iOS:
introduced: n/a
type: <string>
presence: optional
rangelist:
- Allowed
- AlwaysOn
- AlwaysOff
default: Allowed
combinetype: enum-last
content: |-
Specifies whether automatic install of available security updates can be controlled by the user:
* "Allowed" - the user can enable or disable automatic installs.
* "AlwaysOn" - automatic installs are always enabled.
* "AlwaysOff" - automatic installs are always disabled.
- key: RapidSecurityResponse
title: Rapid Security Response Settings
supportedOS:
iOS:
allowed-enrollments:
- supervised
type: <dictionary>
presence: optional
content: These configurations allow for setting user access to interacting with
Rapid Security Responses (RSRs).
subkeys:
- key: Enable
title: Enable Rapid Security Response Installation
type: <boolean>
presence: optional
default: true
combinetype: boolean-and
content: If 'false', Rapid Security Responses are not offered for user installation.
Rapid Security Responses can still be installed via 'com.apple.configuration.softwareupdate.enforcement.specific'
configurations. If 'true', Rapid Security Responses are offered to the user.
- key: EnableRollback
title: Enable Rapid Security Response Rollbacks
type: <boolean>
presence: optional
default: true
combinetype: boolean-and
content: If 'false', Rapid Security Response rollbacks are not offered to the
user. If 'true', Rapid Security Response rollbacks are offered to the user.
- key: AllowStandardUserOSUpdates
title: Allow Standard User OS Updates
supportedOS:
iOS:
introduced: n/a
type: <boolean>
presence: optional
default: true
combinetype: boolean-and
content: If 'true', a standard user can perform Major and Minor Software Updates.
If 'false', only administrators can perform Major and Minor Software Updates.
- key: Beta
supportedOS:
macOS:
introduced: n/a
type: <dictionary>
presence: optional
content: Configurations for controlling or specifying the beta programs associated
with a device.
subkeys:
- key: ProgramEnrollment
supportedOS:
iOS:
allowed-enrollments:
- supervised
type: <string>
presence: optional
rangelist:
- Allowed
- AlwaysOn
- AlwaysOff
default: Allowed
combinetype: enum-last
content: |-
Specifies whether beta program enrollment can be controlled by the user in software update settings UI:
* "Allowed" - the user can enroll in any applicable beta programs associated with their
logged in Apple Account. If the `OfferPrograms` key is present, then the programs listed in
that key are also presented to the user.
* "AlwaysOn" - the beta programs specified by the organization are used, and the user
is not be able to enroll in a beta program using their logged in Apple Account. The device
is automatically enrolled into the beta program specified by the `RequireProgram` key if
it is present. Otherwise, the programs listed in the `OfferPrograms` key are
presented to the user to choose which to enroll with.
* "AlwaysOff" - The device is not allowed to enroll in any beta programs. The device is
removed from any beta programs, if already enrolled.
- key: OfferPrograms
type: <array>
presence: optional
combinetype: set-union
content: An array of beta programs allowed on the device. This key must only be
present if the `ProgramEnrollment` key is set to `Allowed` or `AlwaysOn`. This
key must not be present if the `RequireProgram` key is present. This key can
be present on unsupervised devices where the `ProgramEnrollment` key is not
supported but is implicitly set to `Allowed`.
subkeys:
- key: Program
type: <dictionary>
presence: required
content: The name and token associated with a specific beta program to be allowed.
subkeys:
- key: Description
type: <string>
presence: required
content: A human readable description of the beta program.
- key: Token
type: <string>
presence: required
content: The Apple Business Manager or Apple School Manager seeding service
token for the organization the MDM server is part of. This token is used
to enroll the device in the corresponding beta program.
- key: RequireProgram
supportedOS:
iOS:
allowed-enrollments:
- supervised
type: <dictionary>
presence: optional
combinetype: first
content: The device automatically enrolls in this beta program. This key must
only be present if the `ProgramEnrollment` key is set to `AlwaysOn`. The `OfferPrograms`
key must not be present if this key is present.
subkeys:
- key: Description
type: <string>
presence: required
content: A human readable description of the beta program.
- key: Token
type: <string>
presence: required
content: The Apple Business Manager or Apple School Manager seeding service
token for the organization the MDM server is part of. This token is used to
enroll the device in the corresponding beta program.
related-status-items:
- status-items:
- softwareupdate.beta-enrollment
- softwareupdate.pending-version
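Review bot: Several descriptions in this new file need a wording pass: "When more than one update is available update" (duplicated word), "the user is not be able to enroll", and "Oldest (lower numbered)" beside "Newest (highest numbered)". On content, both 'Token' keys carry the organization's seeding service token inside the declaration; say whether that value is visible to the user on the device. 'InstallSecurityUpdate' is singular next to 'InstallOSUpdates', which invites typos in server code. The 'Deferrals' text should also state plainly whether Rapid Security Responses are ever delayed by these keys, since "not considered within" can be read either way.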
@@ -36,9 +36,10 @@ payloadkeys:
assettypes:
- com.apple.asset.credential.certificate
presence: optional
content: An array of identifiers of asset declarations that contain anchor certificates
to use to evaluate the trust of the enrollment profile server. Set the type of
the corresponding assets to 'com.apple.asset.credential.certificate'.
content: |-
An array of identifiers of asset declarations that contain anchor certificates to use to evaluate the trust of the enrollment profile server. Set the type of the corresponding assets to 'com.apple.asset.credential.certificate'.
These certificates are pinned, meaning that the server specified by the 'EnrollmentProfileURL' must use a certificate that chains to one of the certs in this array.
If it chains to one of the built-in trusted root certificates but not one of the 'AnchorCertificateAssetReferences' certs, the connection will fail.
subkeys:
- key: AnchorCertificateAssetReferenceItem
type: <string>
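Review bot: The new pinning text covers the case where the array is populated, but the key is 'presence: optional' and the hunk does not say which trust evaluation applies when it is absent or empty. Please add that, since it decides whether the built-in trusted roots are accepted. "certs" should be "certificates" in both places, and the name quoted as 'AnchorCertificateAssetReferences' should be checked against the key this description belongs to.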
@@ -28,6 +28,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
- local
@@ -28,6 +28,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
- local
@@ -28,6 +28,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
- local
@@ -28,6 +28,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
- local
@@ -28,6 +28,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
- local
@@ -28,6 +28,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
- local
@@ -28,6 +28,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
- local
@@ -28,6 +28,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
- local
@@ -34,6 +34,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- local
allowed-scopes:
@@ -34,6 +34,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- local
allowed-scopes:
@@ -36,6 +36,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
- local
@@ -36,6 +36,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
- local
@@ -36,6 +36,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
- local
@@ -36,6 +36,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
- local
@@ -36,6 +36,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
- local
@@ -36,6 +36,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
- local
@@ -36,6 +36,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
- local
@@ -36,6 +36,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
- local
@@ -36,6 +36,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
- local
@@ -36,6 +36,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
- local
@@ -33,6 +33,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
allowed-scopes:
@@ -33,6 +33,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
allowed-scopes:
+3 -1
View File
@@ -27,6 +27,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
allowed-scopes:
@@ -61,7 +62,8 @@ payloadkeys:
default: false
content: To indicate removal of an app, this key's value is set to true, and
only this key and the "identifier" key will be present in the status item
object.
object. An MDM installed app will be reported as removed if management of
the app has been transferred to declarative device management.
- key: name
title: App name
type: <string>
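Review bot: The added sentence on the removal flag means a server now sees the same status (only this key and "identifier", value true) for two different events: the app was removed from the device, and the app is still installed but its management moved to declarative device management. The text gives no way to tell them apart. Either document which other status item or field the server should consult to confirm the app is still present, or say explicitly that the two cases are indistinguishable here, because inventory and compliance logic that treats "removed" as "not installed" will be wrong after a transfer.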
@@ -23,6 +23,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
- local
@@ -23,6 +23,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
- local
@@ -36,6 +36,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
- local
@@ -110,3 +110,33 @@ payloadkeys:
type: <string>
presence: required
content: The hash value of the 'launchd' 'plist' file.
- key: device-management
title: Device Management
supportedOS:
macOS:
introduced: '15.0'
type: <dictionary>
presence: optional
content: If present, indicates this background task was created by a 'services.background-tasks'
configuration. This dictionary contains properties that identify the configuration
and specific version of the declaration asset that provided the launchd
plist for the task.
subkeys:
- key: configuration-identifier
title: Configuration Identifier
type: <string>
presence: required
content: The identifier of the 'services.background-tasks' configuration
that created this task.
- key: asset-identifier
title: Asset Identifier
type: <string>
presence: required
content: The identifier of the declaration asset that provided the launchd
plist for this task.
- key: asset-server-token
title: Asset Server Token
type: <string>
presence: required
content: The server token of the declaration asset that provided the launchd
plist for this task.
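Review bot: The new `device-management` description and its `asset-identifier` and `asset-server-token` subkeys write "launchd plist" unquoted, while the context line directly above uses `'launchd' 'plist'`; pick one form for the file. It would also help to say in the `asset-server-token` content that this is the token of the asset version actually applied to the task, since the parent description promises a "specific version" but the subkey text only repeats "the declaration asset that provided the launchd plist".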
@@ -0,0 +1,34 @@
title: Status Software Update Beta Enrollment
description: The device's enrolled beta program.
payload:
statusitemtype: softwareupdate.beta-enrollment
supportedOS:
iOS:
introduced: '18.0'
allowed-enrollments:
- supervised
- device
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
macOS:
introduced: '15.0'
allowed-enrollments:
- supervised
allowed-scopes:
- system
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: softwareupdate.beta-enrollment
title: The device's enrolled beta program.
type: <string>
presence: required
content: The device's enrolled beta program name, or an empty string if there is
no enrolled beta program.
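Review bot: In `payloadkeys`, the `title` is the full sentence "The device's enrolled beta program." with a trailing period, which duplicates the top-level `description`; other keys in this commit use short noun-phrase titles such as "Asset Identifier", so something like "Beta Enrollment" would be consistent. Separately, macOS lists only `supervised` under `allowed-enrollments` while iOS lists `supervised` and `device`; if that difference is intended, a short note in `content` would stop readers from treating it as an omission.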
@@ -0,0 +1,34 @@
title: Status Software Update Device ID
description: The device's software update device ID.
payload:
statusitemtype: softwareupdate.device-id
supportedOS:
iOS:
introduced: '18.0'
allowed-enrollments:
- supervised
- device
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
macOS:
introduced: '15.0'
allowed-enrollments:
- supervised
allowed-scopes:
- system
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: softwareupdate.device-id
title: The device's software update device ID.
type: <string>
presence: required
content: The device identifier to use when looking up available software updates
via <https://gdmf.apple.com/v2/pmv>.
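Review bot: The `content` for `softwareupdate.device-id` says the identifier is used "when looking up available software updates via" the gdmf URL but does not say how it is supplied to that lookup or what shape the value has. Add a sentence on how the value is passed, or link to the documentation that does, and consider saying whether the identifier is stable per device, since servers will store it. The key `title` is also a full sentence with a trailing period that repeats the `description`.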
+1
View File
@@ -36,6 +36,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
- local
@@ -36,6 +36,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
- local
@@ -36,6 +36,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
- local
+1
View File
@@ -36,6 +36,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
- local
@@ -36,6 +36,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
- local
+1
View File
@@ -36,6 +36,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
- local
@@ -36,6 +36,7 @@ payload:
visionOS:
introduced: '1.1'
allowed-enrollments:
- supervised
- device
- user
- local
+33 -9
View File
@@ -2,13 +2,37 @@
This document lists errata for the YAML schema. This is used when older versions of the schema are incorrect, and a fix was made in later schema to correct the problem.
## iOS 18 / macOS 15
### tvOS
tvOS `introduced` values have been set to a minimum value of `9.0` to reflect the first version of tvOS itself, as opposed to earlier versions of the Apple TV Software.
### declarative/declarations/configurations/account.exchange.yaml
The `<service>Active` keys were incorrectly marked as unsupported on macOS.
### mdm/profiles/com.apple.ManagedClient.preferences.yaml
The `PayloadContent` key of the `com.apple.ManagedClient.preferences` profile
payload was incorrectly named `PreferenceDomain`; the key itself also represents
a dictionary of application preference domain identifiers to
`ManagedPreference.PreferenceDomain`s (rather than a single
`ManagedPreference.PreferenceDomain`).
### mdm/profiles/com.apple.cellularprivatenetwork.managed.yaml
iOS 17 supported multiple private network payloads, but the `multiple` key was set to false.
iOS 17 also mistakenly forbade multiple private network payloads in a single profile.
## iOS 17 / macOS 14
### profiles/com.apple.education.yaml
### mdm/profiles/com.apple.education.yaml
The `GroupBeaconIDs` key in the `DepartmentsItem` dictionary in the `com.apple.education` profile payload incorrectly listed its type as an array of `string`. The correct type is an array of `integer`.
### profiles/com.apple.vpn.managed.yaml
### mdm/profiles/com.apple.vpn.managed.yaml
The `CertificateType` key in the `com.apple.vpn.managed` profile payload incorrectly listed `Ed25519` as a supported certificate type. That type was never supported and has now been removed.
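Review bot: The new `com.apple.cellularprivatenetwork.managed.yaml` erratum reads as contradictory: the first sentence says iOS 17 supported multiple private network payloads, and the second says iOS 17 "mistakenly forbade multiple private network payloads in a single profile". Make clear whether the second sentence is about the schema or about device behaviour, and whether the distinction is multiple payloads across profiles versus within one profile. The `account.exchange.yaml` entry could also name the affected keys rather than the `<service>Active` placeholder.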
@@ -18,32 +42,32 @@ There were a number of keys in the VPN dictionary that were implied to appear in
The `ActionParameters` key in the profile payload has always been an array of dictionaries.
### mdmprotocol/commands passcode.firmware.set.yaml passcode.firmware.verify.yaml
### mdm/commands passcode.firmware.set.yaml passcode.firmware.verify.yaml
The response keys were incorrectly listed as being top-level keys in the response dictionary when in fact they were nested one-level deep.
### profiles/com.apple.vpn.managed.applayer.yaml
### mdm/profiles/com.apple.vpn.managed.applayer.yaml
The `OnDemandMatchAppEnabled` key in the `com.apple.vpn.managed.applayer` profile payload incorrectly listed its type as `integer`. The correct type is `boolean`.
### profiles/com.apple.wifi.managed.yaml
### mdm/profiles/com.apple.wifi.managed.yaml
The EAPClientConfiguration dictionary listed both OneTimePassword and OneTimeUserPassword as valid keys. The erroneous OneTimePassword key has been removed.
### profiles/com.apple.security.scep.yaml
### mdm/profiles/com.apple.security.scep.yaml
The documentation indicated that all the keys in the SubjectAltName value could be either string or array types. The ntPrincipalName cannot be an array and must be a
string. This has been clarified in the description. Note that the type field for the rfc822Name, dNSName, and uniformResourceIdentifier still indicates these are
strings. This has not been corrected as the schema does not support polymorphic types.
### profiles/com.apple.universalaccess.yaml
### mdm/profiles/com.apple.universalaccess.yaml
The `contrast` key in the `com.apple.universalaccess` profile payload incorrectly listed its type as `integer`. The correct type is `real`.
### profiles/com.apple.extensiblesso.yaml
### mdm/profiles/com.apple.extensiblesso.yaml
The `AuthorizationGroups` key was updated as the key values-pairs in the dictionary were incorrectly stated.
### profiles/com.apple.dnsSettings.managed
### mdm/profiles/com.apple.dnsSettings.managed
The `ActionParameters` key in the `com.apple.dnsSettings.managed` profile payload has always been an array of dictionaries.
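Review bot: Two of the renamed headings still do not match the path form used by the rest: `### mdm/commands passcode.firmware.set.yaml passcode.firmware.verify.yaml` separates the directory and the two file names with spaces instead of a slash, and `### mdm/profiles/com.apple.dnsSettings.managed` is missing the `.yaml` suffix. Since the point of this change is to make the headings real repository paths, give each file its own full path. The Wi-Fi and SCEP entries also leave key names such as OneTimePassword and ntPrincipalName outside backticks, unlike the neighbouring entries.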
+58 -5
View File
@@ -14,6 +14,7 @@ The definition of the schema used here is in the `schema.yaml` file. That file c
| payloadkeys | array | A list of YAML objects representing the command request |
| responsekeys | array | A list of YAML objects representing the command response |
| reasons | array | A list of YAML objects representing declarative device management status reason codes |
| notes | array | A list of YAML objects representing additional notes for the schema item as a whole |
### Payload Object
@@ -95,8 +96,9 @@ The `mode` can have one of four values: `allowed`, `required`, `forbidden`, and
| title | string | The title of the key |
| supportedOS | object | Identifies the range of supported OS versions that support the key |
| type | string | The type of key |
| subtype | string | Indicates the expected format of the string value of the key |
| assettypes | string | Indicates the set of allowed asset types |
| subtype | string | Indicates the expected format of the string value of the key (deprecated) |
| valuetype | string | Indicates the expected format of the string value of the key |
| assettypes | array | Indicates the set of allowed asset types |
| presence | string | Whether the key is required or optional |
| rangelist | array | List of allowed values for this key |
| range | object | Bounds for the value of this key |
@@ -110,11 +112,62 @@ The `mode` can have one of four values: `allowed`, `required`, `forbidden`, and
__Notes__
The `type` value can be one of: `<string>`, `<integer>`, `<real>`, `<boolean>`, `<date>`, `<data>`, `<array>`, `<dictionary>`, or `<any>`. The value `<any>` may be used to indicate that any of the standard values can be used without any expectation that the value will be validated.
The `subtype` key is deprecated in favor of the `valuetype` key.
The `subtype` value can be one of: `<url>`, `<hostname>`, or `<email>`, to indicate the expected value of a string.
The `presence` value must be one of: `required` or `optional`.
The `presence` value can be one of: `required` or `optional`.
#### Type Values
| Name | Description |
|---------------|-------------|
| \<string> | A string value |
| \<integer> | An integer value |
| \<real> | A real value |
| \<boolean> | A boolean value |
| \<date> | A date value (deprecated) |
| \<data> | A data value |
| \<array> | An array value |
| \<dictionary> | A dictionary value |
| \<any> | Any standard value |
__Notes__
If the `<string>` value is used, the `valuetype` key may also be specified to define a specific format for the string (see below).
The value `<any>` may be used to indicate that any of the standard values can be used without any expectation that the value will be validated.
The `<date>` value is deprecated. Instead `<string>` will be used with a suitable `<valuetype>` set to indicate one of several date-time formats.
#### Valuetype Values
`domain`
: The string value is a domain name. This is an exact match (i.e., `example.com` will match `example.com` and will not match `test.example.com`, `1example.com`, `example.com2`).
`domain-prefix`
: The string value is a domain name pattern, with matching rules as follows:
* If the string starts with a `*.`, the pattern will match any sub-domain of the parent domain, but not the parent domain itself (i.e., `*.example.com` will match `test.example.com` and will not match `example.com`, `test.1example.com`, `test.example.com2`).
* If the match prefix is not present, the pattern will match the exact domain only (i.e., `example.com` will match `example.com` and will not match `test.example.com`, `1example.com`, `example.com2`).
`email`
: The string value is an email address conforming to the syntax of [RFC 5322](https://www.rfc-editor.org/rfc/rfc5322.txt). e.g., `user@example.com`.
`hostname`
: The string value is a hostname, IPv4 address, or IPv6 address (with the IPV6 literal enclosed in square braces). e.g., `server.example.com`, `10.0.1.1`, `[fe80::1]`.
`localtime`
: The string value is a date and time conforming to the syntax of [RFC 3339](https://www.rfc-editor.org/rfc/rfc3339.txt) without a `time-offset` or `time-secfrac` element: `YYYY-MM-DDTHH:MM:SS`. e.g., `2023-09-21T12:00:00`.
`regex`
: The string value is a regular expression.
`timestamp`
: The string value is a date and time conforming to the syntax of [RFC 3339](https://www.rfc-editor.org/rfc/rfc3339.txt) with a `time-offset` element, and without a `time-secfrac` element: `YYYY-MM-DDTHH:MM:SSZ` or `YYYY-MM-DDTHH:MM:SS+ZZZZ`. e.g., `2023-09-21T12:00:00Z`, `2023-09-21T12:00:00-0500`.
`url`
: The string value is a URL conforming to the syntax of [RFC 3986](https://www.rfc-editor.org/rfc/rfc3986.txt).
`uuid`
: The string value is a 36-character UUID, with both lowercase and uppercase hexadecimal digits allowed.
### Range Object
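Review bot: The `timestamp` entry claims conformance to RFC 3339 but documents the offset as `+ZZZZ` and gives the example `2023-09-21T12:00:00-0500`; RFC 3339 writes a numeric offset with a colon (`-05:00`), so a strict RFC 3339 parser rejects the documented form. Either change the pattern and example to the colon form or state that the colon-less offset is a deliberate deviation. Two smaller points in the same hunk: `regex` does not name the regular expression dialect, which validators need in order to agree on what matches, and the `<date>` deprecation note writes `<valuetype>` in angle brackets although `valuetype` is a key, not a type value. The retained sentence listing `subtype` values as `<url>`, `<hostname>`, `<email>` also uses angle brackets, while the new Valuetype Values list does not.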
+18
View File
@@ -369,3 +369,21 @@ properties:
note:
type: string
description: A description of the relationship.
notes:
type: array
description: An array of additional notes about a payload. These are published to the open source repository.
items:
type: object
description: An additional note about a payload. A note is written in "markdown" and can be transformed to HTML if needed.
additionalProperties: false
required:
- title
- content
properties:
title:
type: string
description: Title for the note.
content:
type: string
description: The note content in "markdown" format.
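Review bot: The `notes` item description says the content is markdown that "can be transformed to HTML if needed", but the schema does not say whether raw HTML inside the markdown is allowed. Tools that render these notes need to know whether to escape or sanitise embedded HTML, so state the expectation in the `content` description. `title` and `content` are required but accept empty strings; a `minLength: 1` on both would make `required` meaningful.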
+3 -3
View File
@@ -120,9 +120,9 @@ payloadkeys:
introduced: n/a
type: <string>
presence: optional
content: On Shared iPad, this value returns the Managed Apple ID of the user. When
present indicates that the token is for the user channel. On macOS, this value
always returns the short name of the user.
content: On Shared iPad, this value returns the Managed Apple Account of the user.
When present indicates that the token is for the user channel. On macOS, this
value always returns the short name of the user.
- key: UserID
supportedOS:
iOS:
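Review bot: The replacement text here says the value returns "the Managed Apple Account of the user", while the same key in the two following files is changed to "the Managed Apple Account identifier of the user". The value is a `<string>`, so "identifier" is the accurate wording; use it in all three. The sentence "When present indicates that the token is for the user channel" is also missing its subject ("When present, it indicates"), which the second file already has.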
+3 -3
View File
@@ -151,9 +151,9 @@ payloadkeys:
introduced: n/a
type: <string>
presence: optional
content: On Shared iPad, this value returns the Managed Apple ID of the user. When
present, it indicates that the token is for the user channel. In macOS, this value
returns the short name of the user.
content: On Shared iPad, this value returns the Managed Apple Account identifier
of the user. When present, it indicates that the token is for the user channel.
In macOS, this value returns the short name of the user.
- key: UserID
supportedOS:
iOS:
+1 -1
View File
@@ -129,7 +129,7 @@ payloadkeys:
type: <string>
presence: optional
content: |-
On Shared iPad: This is the Managed Apple ID of the user on Shared iPad. It indicates that the token is for the user channel.
On Shared iPad: This is the Managed Apple Account identifier of the user on Shared iPad. It indicates that the token is for the user channel.
On macOS, this is the short name of the user.
- key: UserID
supportedOS:
@@ -1,4 +1,4 @@
title: Application:List Active NSExtensions
title: Active NSExtensions Command
description: Returns information about the active NSExtensions for a particular user.
payload:
requesttype: ActiveNSExtensions
@@ -1,4 +1,4 @@
title: NSExtensions Mappings NSExtensions
title: NSExtension Mappings Command
description: This command returns information about installed extensions for a user.
payload:
requesttype: NSExtensionMappings
@@ -40,7 +40,8 @@ payloadkeys:
- key: ManifestURL
type: <string>
presence: optional
content: The URL of the app manifest, which needs to begin with 'https:'.
content: The URL of the app manifest, which needs to begin with 'https:'. The manifest
is returned as a property list.
- key: ManifestURLPinningCerts
type: <array>
presence: optional
+4 -2
View File
@@ -88,7 +88,8 @@ payloadkeys:
introduced: '7.0'
type: <string>
presence: optional
content: The URL of the app manifest, which needs to begin with 'https:'.
content: The URL of the app manifest, which needs to begin with 'https:'. The manifest
is returned as a property list.
- key: ManagementFlags
supportedOS:
macOS:
@@ -350,6 +351,7 @@ responsekeys:
- ManagementChangeNotSupported
- NotAnApp
- NotSupported
- Other
- PurchaseMethodNotSupported
- PurchaseMethodNotSupportedInMultiUser
content: The reason, if installation fails.
content: The reason, if installation fails. macOS only returns "Other".
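Review bot: The added sentence `macOS only returns "Other"` is ambiguous: it can mean that macOS returns no value other than "Other", or that macOS is the only platform that returns "Other". Given that `Other` is added to the value list in the same hunk, reword to something like "On macOS, the only value returned is 'Other'" if that is the intent, and say whether other platforms can return it too.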
+14 -3
View File
@@ -1,4 +1,4 @@
title: Application List Command
title: Installed Application List Command
description: This command allows the server to query for installed 3rd party applications.
payload:
requesttype: InstalledApplicationList
@@ -221,8 +221,8 @@ responsekeys:
introduced: '11.3'
type: <boolean>
presence: optional
content: If 'true', installing the app didn't require an Apple ID. This value
is available in iOS 11.3 and later, and tvOS 11.3 and later.
content: If 'true', installing the app didn't require an Apple Account. This
value is available in iOS 11.3 and later, and tvOS 11.3 and later.
- key: BetaApp
supportedOS:
iOS:
@@ -294,6 +294,17 @@ responsekeys:
default: false
content: If 'true', the app is an App Clip. Available in iOS 16 and later.
- key: Source
supportedOS:
iOS:
introduced: '17.2'
macOS:
introduced: n/a
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The source of the application. When the app is managed by Declarative
+1 -1
View File
@@ -29,7 +29,7 @@ payload:
userenrollment:
mode: allowed
tvOS:
introduced: '6.0'
introduced: '9.0'
accessrights: AllowInspection
supervised: false
visionOS:
@@ -24,7 +24,12 @@ payload:
tvOS:
introduced: n/a
visionOS:
introduced: n/a
introduced: '2.0'
accessrights: None
supervised: true
requiresdep: false
userenrollment:
mode: forbidden
watchOS:
introduced: n/a
content: Retrieves the Activation Lock bypass code from the device. This bypass
@@ -24,7 +24,12 @@ payload:
tvOS:
introduced: n/a
visionOS:
introduced: n/a
introduced: '2.0'
accessrights: None
supervised: true
requiresdep: false
userenrollment:
mode: forbidden
watchOS:
introduced: n/a
content: Clears the Activation Lock bypass code from the device.
+6 -1
View File
@@ -28,7 +28,12 @@ payload:
accessrights: None
supervised: true
visionOS:
introduced: n/a
introduced: '2.0'
accessrights: None
supervised: true
requiresdep: true
userenrollment:
mode: forbidden
watchOS:
introduced: n/a
content: Informs the device that it can continue past DEP enrollment. Only works
+3 -3
View File
@@ -1,4 +1,4 @@
title: Device Erase Command
title: Erase Device Command
description: This command allows the server to remotely erase the device. This command
requires the Device Erase right.
payload:
@@ -131,7 +131,7 @@ payloadkeys:
macOS:
introduced: n/a
tvOS:
introduced: n/a
introduced: '18.0'
visionOS:
introduced: n/a
watchOS:
@@ -139,7 +139,7 @@ payloadkeys:
type: <dictionary>
presence: optional
content: The configuration settings for Return to Service. This value is available
in iOS 17 and later.
in iOS 17 and later and with Shared iPad and tvOS 18 and later.
subkeys:
- key: Enabled
title: Use Return to Service
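Review bot: The updated availability sentence, "available in iOS 17 and later and with Shared iPad and tvOS 18 and later", does not parse cleanly: it is unclear whether Shared iPad support starts at iOS 17 or at version 18, and "with ... tvOS 18" reads as if tvOS were a mode of iOS. Split it per platform (iOS, Shared iPad, tvOS) with a version for each. The `supportedOS` block in this hunk sets tvOS `introduced: '18.0'` but shows no Shared iPad entry to back the prose.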
+1 -1
View File
@@ -1,4 +1,4 @@
title: eSIM Cellular Plan Management Command
title: Refresh Cellular Plans Command
description: Instructs the device to query for active cellular plan eSIM "profiles"
at the designated carrier eSIM server URL.
payload:
+12 -1
View File
@@ -26,7 +26,12 @@ payload:
tvOS:
introduced: n/a
visionOS:
introduced: n/a
introduced: '2.0'
accessrights: AllowPasscodeRemovalAndLock
supervised: false
requiresdep: false
userenrollment:
mode: allowed
watchOS:
introduced: '10.0'
accessrights: AllowPasscodeRemovalAndLock
@@ -42,6 +47,8 @@ payloadkeys:
mode: ignored
macOS:
introduced: '10.14'
visionOS:
introduced: n/a
type: <string>
presence: optional
content: The message to display on the Lock screen of the device. This value doesn't
@@ -55,6 +62,8 @@ payloadkeys:
mode: ignored
macOS:
introduced: '11.5'
visionOS:
introduced: n/a
type: <string>
presence: optional
content: The phone number to display on the Lock screen. This value doesn't apply
@@ -66,6 +75,8 @@ payloadkeys:
introduced: n/a
macOS:
introduced: '10.8'
visionOS:
introduced: n/a
watchOS:
introduced: n/a
type: <string>
+1 -1
View File
@@ -1,4 +1,4 @@
title: Disable MDM Lost Mode Command
title: Disable Lost Mode Command
description: This command allows the server to take the device out of MDM lost mode.
payload:
requesttype: DisableLostMode
+1 -1
View File
@@ -1,4 +1,4 @@
title: Enable MDM Lost Mode Command
title: Enable Lost Mode Command
description: This command allows the server to put the device in MDM lost mode, with
a message, phone number, and footnote text. A message or phone number must be provided.
payload:
+1 -1
View File
@@ -1,4 +1,4 @@
title: Device Restart Command
title: Restart Device Command
description: This command requires the Device Lock access right. The device will restart
immediately.
payload:
+2 -2
View File
@@ -1,4 +1,4 @@
title: Device Restrictions Command
title: Restrictions Command
description: This command allows the server to determine what restrictions are being
enforced on the device, and the total sum of all restrictions. This command requires
the Restrictions Query access right.
@@ -19,7 +19,7 @@ payload:
macOS:
introduced: n/a
tvOS:
introduced: '6.1'
introduced: '9.0'
accessrights: AllowQueryRestrictions
supervised: false
visionOS:
+1 -1
View File
@@ -1,4 +1,4 @@
title: Device Shut Down Command
title: Shut Down Device Command
description: This command requires the Device Lock access right. The device will shut
down immediately.
payload:
+137 -12
View File
@@ -24,7 +24,7 @@ payload:
userenrollment:
mode: allowed
tvOS:
introduced: '6.0'
introduced: '9.0'
accessrights: Special Case
supervised: false
visionOS:
@@ -68,6 +68,7 @@ payloadkeys:
watchOS:
accessrights: n/a
type: <string>
presence: optional
content: The key to get the unique identifier of the device.
- key: ProvisioningUDID
supportedOS:
@@ -85,6 +86,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to get the device identifier for provisioning profiles. This
value differs from the UDID for Apple silicon. Available in macOS 11.3 and
later.
@@ -103,6 +105,7 @@ payloadkeys:
watchOS:
accessrights: n/a
type: <string>
presence: optional
content: The key to get the contents of SettingsCommand.Command.Settings.OrganizationInfo.OrganizationInfo.
- key: MDMOptions
supportedOS:
@@ -119,6 +122,7 @@ payloadkeys:
watchOS:
introduced: '10.0'
type: <string>
presence: optional
content: The key to get the contents of SettingsCommand.Command.Settings.MDMOptions.MDMOptions.
- key: LastCloudBackupDate
supportedOS:
@@ -136,6 +140,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to get the date of the most recent iCloud backup. Available
in iOS 8 and later.
- key: AwaitingConfiguration
@@ -154,10 +159,13 @@ payloadkeys:
introduced: '10.2'
accessrights: n/a
visionOS:
introduced: n/a
introduced: '2.0'
userenrollment:
mode: forbidden
watchOS:
accessrights: n/a
type: <string>
presence: optional
content: The key to determine whether the device is waiting for a DeviceConfigured
or UserConfigured Command to continue through Setup Assistant on the device
channel or user channel, respectively.
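Review bot: The new visionOS entry for `AwaitingConfiguration` sets `introduced: '2.0'` and `userenrollment: mode: forbidden` but has no `accessrights` line, while the tvOS and watchOS entries in the same block both carry `accessrights: n/a`. Add `accessrights: n/a` for visionOS if no right is required, so that tools reading the schema do not have to guess a default for a missing value.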
@@ -181,6 +189,7 @@ payloadkeys:
watchOS:
accessrights: AllowAppInstallation
type: <string>
presence: optional
content: The key to determine whether iTunes Store account is active. Requires
the App Installation access right.
- key: iTunesStoreAccountHash
@@ -203,6 +212,7 @@ payloadkeys:
watchOS:
accessrights: AllowAppInstallation
type: <string>
presence: optional
content: The key to get a hash of the logged-in iTunes Store account. Also see
GetVppUserRequest. This value requires the App Installation access right.
- key: DeviceName
@@ -218,6 +228,7 @@ payloadkeys:
watchOS:
accessrights: AllowQueryDeviceInformation
type: <string>
presence: optional
content: The key to get the device name. Requires the Device Information access
right.
- key: OSVersion
@@ -233,6 +244,7 @@ payloadkeys:
watchOS:
accessrights: AllowQueryDeviceInformation
type: <string>
presence: optional
content: The key to get the operating system version. Requires the Device Information
access right.
- key: SupplementalOSVersionExtra
@@ -251,6 +263,7 @@ payloadkeys:
watchOS:
accessrights: AllowQueryDeviceInformation
type: <string>
presence: optional
content: The key to get the OS update rapid security response version letter,
if a rapid security response update is installed. This value requires the
Device Information access right.
@@ -267,6 +280,7 @@ payloadkeys:
watchOS:
accessrights: AllowQueryDeviceInformation
type: <string>
presence: optional
content: The key to get the operating system version. This value requires the
Device Information access right.
- key: SupplementalBuildVersion
@@ -285,6 +299,7 @@ payloadkeys:
watchOS:
accessrights: AllowQueryDeviceInformation
type: <string>
presence: optional
content: The key to get the build version for the currently installed rapid
security response. If there's no installed rapid security response, this value
is the same as 'BuildVersion'. Requires the Device Information access right.
@@ -301,6 +316,7 @@ payloadkeys:
watchOS:
accessrights: AllowQueryDeviceInformation
type: <string>
presence: optional
content: The key to get the model name, such as iPhone. Requires the Device
Information access right.
- key: Model
@@ -316,6 +332,7 @@ payloadkeys:
watchOS:
accessrights: AllowQueryDeviceInformation
type: <string>
presence: optional
content: The key to get the model. Requires the Device Information access right.
- key: ModelNumber
supportedOS:
@@ -333,6 +350,7 @@ payloadkeys:
watchOS:
accessrights: AllowQueryDeviceInformation
type: <string>
presence: optional
content: The key to get the device's hardware model number including region
info, such as 'MK1A3LL/A'. Requires the Device Information access right. Requires
Apple silicon on macOS.
@@ -350,6 +368,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to determine whether the device is a Mac with Apple silicon
(for example, an Apple M1 chip). Available in macOS 12 and later.
- key: ProductName
@@ -365,6 +384,7 @@ payloadkeys:
watchOS:
accessrights: AllowQueryDeviceInformation
type: <string>
presence: optional
content: The key to get the product name, such as iPad8,12. This value requires
the Device Information access right.
- key: SerialNumber
@@ -386,6 +406,7 @@ payloadkeys:
watchOS:
accessrights: AllowQueryDeviceInformation
type: <string>
presence: optional
content: The key to get the serial number. Requires the Device Information access
right.
- key: DeviceCapacity
@@ -401,6 +422,7 @@ payloadkeys:
watchOS:
accessrights: AllowQueryDeviceInformation
type: <string>
presence: optional
content: The key to get the device's total capacity. Requires the Device Information
access right. Available in iOS 4 and later, and macOS 10.7 and later.
- key: AvailableDeviceCapacity
@@ -416,6 +438,7 @@ payloadkeys:
watchOS:
accessrights: AllowQueryDeviceInformation
type: <string>
presence: optional
content: The key to get the available capacity. Requires the Device Information
access right. Available in iOS 4 and later, and macOS 10.7 and later.
- key: IMEI
@@ -434,6 +457,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to get the International Mobile Equipment Identity (IMEI) number.
Requires the Device Information access right. Available as of iOS 4 and deprecated
in iOS 16.
@@ -453,6 +477,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to get the mobile equipment ID (MEID). Requires the Device
Information access right. Available as of iOS 4 and deprecated in iOS 16.
- key: ModemFirmwareVersion
@@ -470,6 +495,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to get the modem firmware version. Requires the Device Information
access right. Available in iOS 4 and later.
- key: CellularTechnology
@@ -486,6 +512,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to get the cellular technology type. Requires the Device Information
access right. Available in iOS 4.2.6 and later.
- key: BatteryLevel
@@ -503,6 +530,7 @@ payloadkeys:
watchOS:
accessrights: AllowQueryDeviceInformation
type: <string>
presence: optional
content: The key to get the battery level. Requires the Device Information access
right. Available in iOS 5 and later.
- key: HasBattery
@@ -519,6 +547,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to determine whether the device has an internal battery.
- key: IsSupervised
supportedOS:
@@ -535,6 +564,7 @@ payloadkeys:
watchOS:
accessrights: AllowQueryDeviceInformation
type: <string>
presence: optional
content: The key to determine whether the device is supervised. Requires the
Device Information access right. Available in iOS 6 and later, macOS 10.15
and later, and tvOS 9 and later.
@@ -552,6 +582,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to determine whether the device is a Shared iPad. Requires
the Device Information access right. Available in iOS 9.3 and later.
- key: IsDeviceLocatorServiceEnabled
@@ -568,6 +599,7 @@ payloadkeys:
watchOS:
accessrights: AllowQueryDeviceInformation
type: <string>
presence: optional
content: The key to determine whether the system enabled a device locator service
such as Find My on the device. Requires the Device Information access right.
Available in iOS 7 and later.
@@ -593,6 +625,7 @@ payloadkeys:
deprecated: '10.0'
accessrights: AllowQueryDeviceInformation
type: <string>
presence: optional
content: The key to determine whether the system enabled Activation Lock on
the device. Requires the Device Information access right. Available as of
iOS 7 and macOS 10.15, and deprecated in iOS 16 and macOS 13.
@@ -612,6 +645,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to determine whether the device supports Activation Lock. Also
see 'IsActivationLockManageable' in SecurityInfoResponse.SecurityInfo.ManagementStatus.
Available in macOS 10.9 and later.
@@ -633,6 +667,7 @@ payloadkeys:
watchOS:
accessrights: AllowQueryDeviceInformation
type: <string>
presence: optional
content: The key to determine whether the device is in Do Not Disturb (DND)
mode. Requires the Device Information access right. Available in iOS 7 and
later.
@@ -643,13 +678,14 @@ payloadkeys:
macOS:
introduced: n/a
tvOS:
introduced: '6.0'
introduced: '9.0'
accessrights: AllowQueryDeviceInformation
visionOS:
introduced: n/a
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to get the device ID. Requires the Device Information access
right. Available in tvOS 6 and later.
- key: EASDeviceIdentifier
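Review bot: The 'content' line at the end of this hunk still reads "Available in tvOS 6 and later" while the tvOS 'introduced' value just above it changes from '6.0' to '9.0', so the prose and the supportedOS metadata now disagree. Update the sentence to match whichever version is correct, since tooling reads the metadata and people read the prose.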
@@ -666,6 +702,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to get the device identifier for Exchange ActiveSync (EAS).
Requires the Device Information access right. Available in iOS 7 and later.
- key: IsCloudBackupEnabled
@@ -686,6 +723,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to determine whether the system enabled iCloud Backup on the
device. Requires the Device Information access right. Available in iOS 7.1
and later.
@@ -704,6 +742,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to get an array of directory GUIDs for logged-in managed users.
Requires the Device Information access right. Available in macOS 10.11 and
later.
@@ -723,6 +762,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to get the contents of DeviceInformationResponse.QueryResponses.OSUpdateSettings.
Requires the Device Information access right. Available in macOS 10.11 and
later.
@@ -740,6 +780,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to get the local hostname from Bonjour. Available in macOS
10.11 and later.
- key: HostName
@@ -756,6 +797,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to get the hostname. Available in macOS 10.11 and later.
- key: AutoSetupAdminAccounts
supportedOS:
@@ -774,6 +816,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to get the contents of DeviceInformationResponse.QueryResponses.AutoSetupAdminAccountsItem,
which Setup Assistant automatically creates during enrollment. Requires the
Device Information access right. Available in macOS 10.11 and later.
@@ -791,6 +834,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to determine whether the system enabled System Integrity Protection
on the device. This value requires the Device Information access right, and
is available in macOS 10.12 and later.
@@ -808,6 +852,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to determine whether the device can receive 'PowerON', 'PowerOFF',
and 'Reset' commands from a lights-out management (LOM) controller. Available
in macOS 11 and later.
@@ -827,6 +872,7 @@ payloadkeys:
watchOS:
accessrights: AllowQueryDeviceInformation
type: <string>
presence: optional
content: The key to determine whether the system enabled Managed Lost Mode on
the device. Requires the Device Information access right. Available in iOS
9.3 and later.
@@ -852,6 +898,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to get the maximum number of users that can use this Shared
iPad device. In iOS 13.4 and later, this value is always '32'. Requires the
Device Information access right. Available in iOS 9.3 and later.
@@ -877,6 +924,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to get the estimated number of users that can use this Shared
iPad device, according to the available space of the device and each user's
quota. Requires the Device Information access right. Available in iOS 14 and
@@ -903,6 +951,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to get the quota size for each user on this Shared iPad device.
Requires the Device Information access right. Available in iOS 13.4 and later.
- key: ResidentUsers
@@ -927,6 +976,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to get the number of users currently on this Shared iPad device.
Requires the Device Information access right. Available in iOS 13.4 and later.
- key: UserSessionTimeout
@@ -951,6 +1001,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to get the timeout interval for the user session.
- key: TemporarySessionTimeout
supportedOS:
@@ -974,6 +1025,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to get the timeout interval for the temporary session.
- key: TemporarySessionOnly
supportedOS:
@@ -997,6 +1049,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to determine whether the device only allows temporary sessions.
- key: ManagedAppleIDDefaultDomains
supportedOS:
@@ -1020,6 +1073,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to get the list of domains that the device suggests on the
Shared iPad login screen. Available in iOS 16 and later.
- key: OnlineAuthenticationGracePeriod
@@ -1044,6 +1098,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to get the grace period for Shared iPad online authentication
(in days). Available in iOS 16 and later.
- key: SkipLanguageAndLocaleSetupForNewUsers
@@ -1068,6 +1123,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to determine whether the system skips the language and country/region
panes for new users on Shared iPad.
- key: PushToken
@@ -1088,6 +1144,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to get the push token for the current user-channel connection.
The MDM server ignores this query for the device channel. Requires the Device
Information access right. Available in iOS 9.3 and later, and macOS 10.12
@@ -1106,6 +1163,7 @@ payloadkeys:
watchOS:
accessrights: AllowQueryDeviceInformation
type: <string>
presence: optional
content: The key to determine whether the system enabled the diagnostic submission
setting on the device. Requires the Device Information access right. Available
in iOS 9.3 and later.
@@ -1123,6 +1181,7 @@ payloadkeys:
watchOS:
accessrights: AllowQueryDeviceInformation
type: <string>
presence: optional
content: The key to determine whether the device is sharing app analytics. Requires
the Device Information access right. Available in iOS 4 and later, and macOS
10.7 and later.
@@ -1137,10 +1196,12 @@ payloadkeys:
introduced: '14.0'
accessrights: AllowQueryDeviceInformation
visionOS:
introduced: '2.0'
accessrights: AllowQueryDeviceInformation
watchOS:
accessrights: AllowQueryDeviceInformation
type: <string>
presence: optional
content: The key to get the current Internet Assigned Numbers Authority (IANA)
time zone database name. Requires the Device Information access right. Available
in iOS 14 and later, and tvOS 14 and later.
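Review bot: The visionOS block gains introduced: '2.0', but the 'content' text at the end of the hunk still lists only "iOS 14 and later, and tvOS 14 and later". Add visionOS 2 to the availability sentence, or drop the sentence and rely on supportedOS, so the prose does not suggest the query is unavailable on visionOS.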
@@ -1160,6 +1221,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to get the integrated circuit card (ICC) identifier for the
installed SIM card. Requires the Network Information access right. Available
as of iOS 4 and deprecated in iOS 16.
@@ -1182,6 +1244,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to get the Bluetooth media access control (MAC) address. Requires
the Network Information access right.
- key: WiFiMAC
@@ -1203,6 +1266,7 @@ payloadkeys:
watchOS:
accessrights: AllowQueryNetworkInformation
type: <string>
presence: optional
content: The key to get the Wi-Fi MAC address. Requires the Network Information
access right.
- key: EthernetMAC
@@ -1220,6 +1284,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to get the primary Ethernet MAC address. Requires the Network
Information access right. Available in macOS 10.7 and later.
- key: CurrentCarrierNetwork
@@ -1238,6 +1303,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to get the name of the current carrier network. Requires the
Network Information access right. Available as of iOS 4 and deprecated in
iOS 16.
@@ -1257,6 +1323,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: Apple no longer supports this query. Use 'SubscriberCarrierNetwork'
instead.
- key: SubscriberCarrierNetwork
@@ -1276,6 +1343,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to get the home carrier network. Requires the Network Information
access right. Available as of iOS 5 and deprecated in iOS 16.
- key: CarrierSettingsVersion
@@ -1294,6 +1362,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to get the version of the carrier settings. Requires the Network
Information access right. Available as of iOS 4 and deprecated in iOS 16.
- key: PhoneNumber
@@ -1312,6 +1381,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to get the raw phone number, without punctuation, and including
the country code. Requires the Network Information access right. Available
as of iOS 4 and deprecated in iOS 16.
@@ -1331,6 +1401,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to determine whether the system enabled data roaming on the
device. Requires the Network Information access right. Available in iOS 5
and later.
@@ -1351,6 +1422,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to determine whether the system enabled voice roaming on the
device, which isn't available for all carriers. Requires the Network Information
access right. Available as of iOS 5 and deprecated in iOS 16.
@@ -1370,6 +1442,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to determine whether the system enabled Personal Hotspot on
the device, which isn't available for all carriers. Requires the Network Information
access right. Available in iOS 7 and later.
@@ -1387,6 +1460,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to determine whether the device is network-tethered. Requires
the Network Information access right. Available in iOS 10.3 and later.
- key: IsRoaming
@@ -1405,6 +1479,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to determine whether the device is roaming. Requires the Network
Information access right. Available in iOS 4.2 and later.
- key: SubscriberMCC
@@ -1424,6 +1499,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to get the home mobile country code. Requires the Network Information
access right. Available as of iOS 4.2.6 and deprecated in iOS 16.
- key: SubscriberMNC
@@ -1443,6 +1519,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to get the home mobile network code. Requires the Network Information
access right. Available as of iOS 4.2.6 and deprecated in iOS 16.
- key: CurrentMCC
@@ -1461,6 +1538,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to get the current mobile country code (MCC). Requires the
Network Information access right. It's available as of iOS 4 and deprecated
in iOS 16.
@@ -1480,6 +1558,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to get the current mobile network code (MNC). Requires the
Network Information access right. Available as of iOS 4 and deprecated in
iOS 16.
@@ -1499,6 +1578,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to get the contents of DeviceInformationResponse.QueryResponses.ServiceSubscriptionProperty.
Requires the Network Information access right.
- key: PINRequiredForEraseDevice
@@ -1514,7 +1594,10 @@ payloadkeys:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to determine whether the EraseDeviceCommand requires a PIN.
Available in macOS 11 and later.
- key: PINRequiredForDeviceLock
@@ -1533,6 +1616,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to determine whether the DeviceLockCommand requires a PIN.
Available in macOS 11 and later.
- key: SupportsiOSAppInstalls
@@ -1549,6 +1633,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to determine whether the macOS device supports iOS or iPadOS
app installs. Available in macOS 11 and later.
- key: SoftwareUpdateDeviceID
@@ -1569,6 +1654,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to get the device identifier that you use to look up available
OS updates through <https://gdmf.apple.com/v2/pmv>. Available in iOS 15 and
later, and macOS 12 and later.
@@ -1587,6 +1673,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to get the device settings that control which updates appear
in the Software Update pane in Settings. Available in iOS 14.5 and later.
- key: AccessibilitySettings
@@ -1608,6 +1695,7 @@ payloadkeys:
watchOS:
supervised: true
type: <string>
presence: optional
content: The key to get the current state of settable accessibility settings.
Available in iOS 16 and later.
- key: DevicePropertiesAttestation
@@ -1624,9 +1712,11 @@ payloadkeys:
userenrollment:
mode: allowed
type: <string>
content: The key to get an attestation of the device's properties. Available
presence: optional
content: The key to request an attestation of the device's properties. Available
in iOS 16 and later, macOS 14 and later, tvOS 16 and later, and watchOS 10
and later.
and later. See the DeviceInformation attestation hardware support note for
hardware requirements.
- key: EACSPreflight
supportedOS:
iOS:
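Review bot: The rewritten 'content' for DevicePropertiesAttestation lists iOS 16, macOS 14, tvOS 16 and watchOS 10 but not visionOS, while the hardware support note added later in this file marks Vision Pro as supported ("All"). State the visionOS version here as well, so the availability sentence and the note agree.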
@@ -1644,6 +1734,7 @@ payloadkeys:
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The key to determine whether the device can perform an EraseDeviceCommand
using Erase All Content and Settings (EACS).
- key: DeviceAttestationNonce
@@ -1662,8 +1753,9 @@ payloadkeys:
type: <data>
presence: optional
content: |-
This value can contain up to 32 bytes of data. If specified, queries need to contain 'DevicePropertiesAttestation'. If omitted or if the value matches the cached attestation, the system returns the cached attestation. Otherwise, the system requests and returns a new attestation that contains the new nonce.
The nonce appears in the resulting attestation to ensure it was recently generated. To request a new attestation, provide a new nonce. The system caches the most recently generated attestation on the device. Requests for new attestations are rate limited. If it has been fewer than 7 days since the system generated an attestation, the device returns the cached attestation rather than generating a new one.
This specifies a freshness code which appears in the resulting attestation. The value can contain up to 32 bytes of data. If specified, 'Queries' needs to contain 'DevicePropertiesAttestation'.
The MDM server can use this to prove that an attestation was recently generated. The system caches the most recently generated attestation on the device. If omitted or if the value matches the cached attestation, the system returns the cached attestation. To request a new attestation, provide a new freshness code. Requests for new attestations are rate limited. If it has been fewer than 7 days since the system generated an attestation, the device returns the cached attestation rather than generating a new one.
Available in iOS 16 and later, macOS 14 and later, tvOS 16 and later, and watchOS 10 and later. See the DeviceInformation attestation hardware support note for hardware requirements.
responsekeys:
- key: QueryResponses
type: <dictionary>
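Review bot: The new 'content' for DeviceAttestationNonce says the MDM server can use the freshness code to prove an attestation was recently generated, yet it also says the device returns the cached attestation when fewer than 7 days have passed, and it never tells the server to check the returned value. Add a sentence that the server must compare the freshness code in the returned certificate (OID 1.2.840.113635.100.8.11.1, described under the response key) with the value it sent, and treat a mismatch as a cached attestation rather than a fresh one. The text also switches from "nonce" to "freshness code" while the key stays 'DeviceAttestationNonce'; one sentence tying the two terms together would avoid confusion.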
@@ -1812,7 +1904,7 @@ responsekeys:
tvOS:
introduced: '10.2'
visionOS:
introduced: n/a
introduced: '2.0'
type: <boolean>
content: |-
If 'true' on the device channel, the device is still waiting for a DeviceConfiguredCommand to continue through Setup Assistant.
@@ -2132,7 +2224,7 @@ responsekeys:
macOS:
introduced: n/a
tvOS:
introduced: '6.0'
introduced: '9.0'
visionOS:
introduced: n/a
watchOS:
@@ -2204,6 +2296,7 @@ responsekeys:
subkeys:
- key: CatalogURL
type: <string>
presence: optional
content: The URL to the software update catalog the client is using. This value
is available in macOS 10.11 and later.
- key: IsDefaultCatalog
@@ -2215,9 +2308,15 @@ responsekeys:
content: The date of the last software update scan. This value is available
in macOS 10.11 and later.
- key: PreviousScanResult
supportedOS:
macOS:
deprecated: '11.0'
removed: '15.0'
type: <string>
presence: optional
content: The result code of last software update scan; '”0”' = success. This
value is available in macOS 10.11 and later.
value is available in macOS 10.11 and later. This key was removed in macOS
15 as it has been unsupported since macOS 11.
- key: PerformPeriodicCheck
type: <boolean>
content: If 'true', start a new scan. This value is available in macOS 10.11
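Review bot: The 'content' for PreviousScanResult now says both "available in macOS 10.11 and later" and "removed in macOS 15", which reads as a contradiction next to the new deprecated: '11.0' and removed: '15.0' metadata. Reword the availability as a bounded range that ends before macOS 15 and keep the note that the key has been unsupported since macOS 11. The unchanged line above it also carries '”0”' with curly quotes nested inside straight quotes, which is worth cleaning up in the same edit.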
@@ -3091,9 +3190,25 @@ responsekeys:
userenrollment:
mode: allowed
type: <array>
content: The key to get an attestation of the device's properties. Available in
content: |-
The key to get an attestation of the device's properties. Available in
iOS 16 and later, macOS 14 and later, tvOS 16 and later, and watchOS 10 and
later.
later. See the DeviceInformation attestation hardware support note for hardware
requirements.
The value is an array of certificates in DER form that forms a certificate chain. The chain is rooted with the Apple CA 'Apple Enterprise Attestation Root CA'. The first array item is the leaf certificate. The leaf certificate contains custom OIDs describing a device. Which OIDs are present in the certificate depend on the OS version of the device and the type of enrollment. If Apple's attestation servers are unable to verify a device property it will provide a blank value, omit the OID entirely, or refuse to issue an attestation certificate.
The following OIDs were introduced in iOS 16, iPadOS 16, tvOS 16, watchOS 9.l0, visionOS 1.0 and macOS 14.0:
* 1.2.840.113635.100.8.9.1 serial number -- This is the serial number of the device. It is omitted if the enrollment is a User Enrollment.
* 1.2.840.113635.100.8.9.2 UDID -- For a Mac this has the same value as the ProvisioningUDID key in the DeviceInformation response, and does not match the UDID used elsewhere in the MDM protocol. It is omitted if the enrollment is a User Enrollment.
* 1.2.840.113635.100.8.10.2 sepOS version -- This is the version of the operating system running on the Secure Enclave at the time the attestation is generated. In most cases this matches the version of the main operating system.
* 1.2.840.113635.100.8.11.1 Freshness code -- This is the freshness code. For an explanation of the expected value, see the DeviceAttestationNonce key in the DeviceInformation request. This may not match the requested freshness code if a cached attestation was returned.
The following OIDs were introduced in iOS 17.2, iPadOS 17.2, tvOS 17.2, watchOS 10.2, visionOS 1.l0, and macOS 14.2:
* 1.2.840.113635.100.8.9.4 Software Update Device ID -- This is an identifier of the device model. It is expected to match the SoftwareUpdateDeviceID in the DeviceInformation response. This is the device identifier to use when looking up available OS updates through https://gdmf.apple.com/v2/pmv.
* 1.2.840.113635.100.8.10.1 OS Version -- This is the version of iOS, iPadOS or tvOS running on the device at the time the attestation is generated.
* 1.2.840.113635.100.8.10.3 LLB Version -- This is the version of the Low Level Bootloader firmware running on the device at the time the attestation is generated. For more information about the boot process, see the documentation of the boot process in the Apple Platform Security guide.
The following OIDs were introduced in macOS 14.2:
* 1.2.840.113635.100.8.13.1 System Integrity Protection (SIP) status -- This indicates whether SIP is enabled or disabled at the time the attestation is generated. 0 indicates enabled, 1 indicates disabled.
* 1.2.840.113635.100.8.13.2 Secure boot status -- This describes part of the configuration of the LocalPolicy at the time the attestation is generated. The possible values are 'Full Security', 'Reduced Security', or 'Permissive Security'. For a description of these values see the Apple Platform Security guide.
* 1.2.840.113635.100.8.13.3 Third party kernel extensions allowed -- This indicates whether third party kernel extensions are allowed. A value of 0 indicates third party kernel extensions are not allowed. Any other value means that some kinds of third party kernel extensions are allowed.
subkeys:
- key: AttestationCertificate
type: <data>
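Review bot: Two version strings in the added OID text contain a lowercase letter l where a digit belongs: "watchOS 9.l0" in the first list heading and "visionOS 1.l0" in the second. Correct both, and reconcile the watchOS 9 version in that heading with the "watchOS 10 and later" availability stated at the top of the same 'content'. The OS Version entry (1.2.840.113635.100.8.10.1) names only iOS, iPadOS or tvOS although its list heading also covers watchOS, visionOS and macOS. Because the text says an unverifiable property may come back blank or with its OID omitted, it would help to state that a server should treat a missing or blank OID as unverified rather than assume a default.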
@@ -3119,3 +3234,13 @@ responsekeys:
* 'not supported': The device is too old to support EACS.
* 'unknown failure': A problem occurred for which there isn't a more specific error message.
* '(other string)': A reason why the device can't perform EACS, such as “System is not sealed”
notes:
- title: DeviceInformation attestation hardware support
content: |-
The following table indicates which System on Chips (SoCs) support DeviceInformation attestation.
Unsupported devices ignore the DevicePropertiesAttestation and DeviceAttestationNonce keys.
| Support status | iPhone, iPad | Mac | Apple TV | Apple Watch | Vision Pro |
|----------------|--------------------------------------|---------------|-------------------------|----------------|------------|
| Unsupported | A10x Fusion and earlier | Intel | A10x Fusion and earlier | S3 and earlier | none |
| Supported | A11 Bionic and later<br>All M series | Apple Silicon | A12 Bionic and later | S4 and later | All |
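Review bot: "Unsupported devices ignore the DevicePropertiesAttestation and DeviceAttestationNonce keys" in the note's 'content' does not say what the MDM server sees in that case. Document the observable result (for example, whether the response simply lacks DevicePropertiesAttestation with no error) so a server can tell "attestation not possible on this hardware" apart from a failed or stripped response. Minor: "System on Chips" should read "Systems on Chip".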
+2 -2
@@ -1,4 +1,4 @@
title: Security Information Command
title: Security Info Command
description: This command queries the device for security-related information. Queries
are available if the MDM host has the Security Query right.
payload:
@@ -24,7 +24,7 @@ payload:
userenrollment:
mode: allowed
tvOS:
introduced: '6.0'
introduced: '9.0'
accessrights: AllowQuerySecurity
supervised: false
visionOS:
@@ -1,4 +1,4 @@
title: App Attributes Command
title: Managed Application Attributes Command
description: Queries managed application attributes. Attributes can be set on managed
apps. These attributes can be changed over time.
payload:
@@ -1,4 +1,4 @@
title: App Configuration Command
title: Managed Application Configuration Command
description: This command queries the device for the current configuration of managed
applications. This command requires the App Management right. macOS supports this
command as of 10.15, on the device channel and for User Enrollments only, because
@@ -1,4 +1,4 @@
title: App Feedback Command
title: Managed Application Feedback Command
description: This command queries the device for application feedback information.
This command requires the App Management right.
payload:
+1 -1
@@ -26,7 +26,7 @@ payload:
userenrollment:
mode: allowed
tvOS:
introduced: '6.0'
introduced: '9.0'
accessrights: AllowInstallationRemoval
supervised: false
visionOS:
+17 -1
@@ -25,7 +25,7 @@ payload:
userenrollment:
mode: allowed
tvOS:
introduced: '6.0'
introduced: '9.0'
accessrights: AllowInspection
supervised: false
visionOS:
@@ -128,6 +128,22 @@ responsekeys:
content: If 'true', the current MDM service installed the profile. MDM doesn't
return this value for supervised devices, and can remove or replace all profiles
on supervised devices.
- key: Source
supportedOS:
iOS:
introduced: '18.0'
macOS:
introduced: '15.0'
tvOS:
introduced: '18.0'
visionOS:
introduced: '2.0'
watchOS:
introduced: '11.0'
type: <string>
presence: optional
content: Source of the profile. This value will be set to "Declarative Device
Management" when the profile is managed by Declarative Device Management.
- key: PayloadContent
type: <array>
presence: optional
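Review bot: The 'content' of the new Source key documents only one value, "Declarative Device Management", and does not say what is returned, or whether the key is absent, for profiles from any other source. List the possible values or state that the key is omitted otherwise, so a server auditing the profile list can rely on it.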
+1 -1
@@ -24,7 +24,7 @@ payload:
userenrollment:
mode: allowed
tvOS:
introduced: '6.0'
introduced: '9.0'
accessrights: AllowInstallationRemoval
supervised: false
visionOS:
+1 -1
@@ -1,4 +1,4 @@
title: Remote Desktop Disable Command
title: Disable Remote Desktop Command
description: Disable Remote Desktop on the device.
payload:
requesttype: DisableRemoteDesktop
+1 -1
@@ -1,4 +1,4 @@
title: Remote Desktop Enable Command
title: Enable Remote Desktop Command
description: Enable Remote Desktop on the device.
payload:
requesttype: EnableRemoteDesktop
+18 -6
@@ -23,7 +23,7 @@ payload:
userenrollment:
mode: allowed
tvOS:
introduced: '6.0'
introduced: '9.0'
accessrights: AllowSettings
supervised: false
visionOS:
@@ -457,7 +457,10 @@ payloadkeys:
userenrollment:
mode: forbidden
visionOS:
introduced: n/a
introduced: '2.0'
supervised: true
userenrollment:
mode: forbidden
watchOS:
introduced: n/a
type: <dictionary>
@@ -584,7 +587,7 @@ payloadkeys:
tvOS:
introduced: n/a
visionOS:
introduced: n/a
introduced: '2.0'
watchOS:
introduced: n/a
type: <dictionary>
@@ -624,6 +627,8 @@ payloadkeys:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
type: <boolean>
presence: optional
default: false
@@ -638,6 +643,8 @@ payloadkeys:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
type: <boolean>
presence: optional
default: false
@@ -756,7 +763,7 @@ payloadkeys:
default: false
content: |-
If 'true', the user only sees the Guest Welcome pane and can only log in as a guest user.
If 'false', the user can sign in with a managed Apple ID (the existing behavior).
If 'false', the user can sign in with a Managed Apple Account (the existing behavior).
Available in iOS 14.5 and later.
- key: ManagedAppleIDDefaultDomains
supportedOS:
@@ -765,7 +772,7 @@ payloadkeys:
type: <array>
presence: optional
content: |-
A list of domains that the Shared iPad login screen displays. The user can pick a domain from the list to complete their Managed Apple ID.
A list of domains that the Shared iPad login screen displays. The user can pick a domain from the list for their Managed Apple Account.
If this list contains more than 3 domains, the system picks 3 at random for display. Available in iOS 16 and later.
subkeys:
- key: AppleID domain
@@ -969,7 +976,10 @@ payloadkeys:
introduced: '14.0'
supervised: true
visionOS:
introduced: n/a
introduced: '2.0'
supervised: true
userenrollment:
mode: forbidden
watchOS:
introduced: n/a
type: <dictionary>
@@ -1126,6 +1136,8 @@ payloadkeys:
supportedOS:
iOS:
introduced: n/a
watchOS:
introduced: n/a
type: <boolean>
presence: optional
default: false
+1 -1
@@ -41,7 +41,7 @@ responsekeys:
presence: required
content: |-
An array of dictionaries that contains only the most recent available updates in iOS and tvOS, and possibly multiple available updates in macOS. Follow the instructions in the Managed Apps and Updates section of the Apple Software Lookup Service to find a complete catalog of iOS and tvOS updates.
In macOS 14 and later, 'AvailableOSUpdates' doesn't include InstallAssistant-based, full-replacement installers. It only contains over-the-air (OTA) updates. OTA updates can update or upgrade the OS and support all 'InstallAction' options.
In macOS 14 and later, 'AvailableOSUpdates' doesn't include InstallAssistant-based, full-replacement installers. It only contains over-the-air (OTA) updates. OTA updates can update or upgrade the OS and support all 'InstallAction' options. If a Software Update is actively managed via a Declarative Device Management Specific Enforcement configuration this command is ignored as it pertains to the actively managed update. This command may return information around unmanaged updates such as System Applications and Configuration Data. For actively available updates in conjunction with a declarative configuration, please reference the Apple Software Lookup Service.
subkeys:
- key: AvailableOSUpdatesItem
type: <dictionary>
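Review bot: The sentences appended to the macOS 14 paragraph are ambiguous: "this command is ignored as it pertains to the actively managed update" can be read as the whole command being ignored, while the next sentence says it may still return information about unmanaged updates. Move the Declarative Device Management behaviour into its own paragraph, say whether it applies only to macOS 14 and later or to every platform, and state plainly what the response contains for the managed update.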

Some files were not shown because too many files have changed in this diff