From bfcc8bbd01bd384582da322fd6c46c1a5e00e8c6 Mon Sep 17 00:00:00 2001 From: Cyrus Daboo Date: Tue, 4 Nov 2025 12:35:42 -0800 Subject: [PATCH] Release-v26.1 --- README.md | 10 ++-- .../services.configuration-files.yaml | 58 +++++++++++++++---- .../softwareupdate.settings.yaml | 22 +++---- ...ing-system.supplemental.build-version.yaml | 4 +- ...ing-system.supplemental.extra-version.yaml | 8 +-- .../softwareupdate.pending-version.yaml | 8 +-- docs/errata.md | 16 +++++ mdm/commands/information.device.yaml | 15 ++--- .../managed.application.feedback.yaml | 4 +- mdm/commands/media.install.yaml | 2 + mdm/commands/system.update.available.yaml | 10 ++-- mdm/commands/system.update.schedule.yaml | 2 +- mdm/commands/user.configured.yaml | 2 +- mdm/profiles/com.apple.applicationaccess.yaml | 40 ++++++++++--- mdm/profiles/com.apple.declarations.yaml | 2 +- mdm/profiles/com.apple.extensiblesso.yaml | 3 +- mdm/profiles/com.apple.homescreenlayout.yaml | 2 +- mdm/profiles/com.apple.loginwindow.yaml | 6 +- mdm/profiles/com.apple.screensaver.yaml | 2 +- .../com.apple.vpn.managed.appmapping.yaml | 2 +- other/skipkeys.yaml | 19 +++--- 21 files changed, 163 insertions(+), 74 deletions(-) diff --git a/README.md b/README.md index ca3de6b..b041f50 100644 --- a/README.md +++ b/README.md @@ -8,11 +8,11 @@ This release corresponds to the following OS versions | OS | Version | |----------|---------| -| iOS | 26.0 | -| macOS | 26.0 | -| tvOS | 26.0 | -| visionOS | 26.0 | -| watchOS | 26.0 | +| iOS | 26.1 | +| macOS | 26.1 | +| tvOS | 26.1 | +| visionOS | 26.1 | +| watchOS | 26.1 | ## Important Release Notes diff --git a/declarative/declarations/configurations/services.configuration-files.yaml b/declarative/declarations/configurations/services.configuration-files.yaml index c60e488..b91b40b 100644 --- a/declarative/declarations/configurations/services.configuration-files.yaml +++ b/declarative/declarations/configurations/services.configuration-files.yaml 
@@ -23,16 +23,8 @@ payloadkeys: title: Service Type type: presence: required - content: |- - The identifier of the system service with managed configuration files. Use a reverse DNS style for this identifier. However, the system reserves `com.apple.` prefix for built-in services. The available built-in services are: - - - `com.apple.sshd` configures sshd - - `com.apple.sudo` configures sudo - - `com.apple.pam` configures PAM - - `com.apple.cups` configures CUPS - - `com.apple.apache.httpd` configures Apache httpd - - `com.apple.bash` configures bash - - `com.apple.zsh` configures zsh + content: The identifier of the system service with managed configuration files. + Use a reverse DNS style for this identifier. - key: DataAssetReference title: Data Asset Reference type: 
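Review bot: The shortened `content` for `ServiceType` no longer tells the reader that the `com.apple.` prefix is reserved; that sentence was dropped with the service list and now survives only in a notes block further down, where it is written as `com.apple` without the trailing dot that the removed text had. Someone reading just this key will not learn that a custom identifier must not start with the reserved prefix, and the two spellings disagree on whether something like `com.applefoo` is reserved. Suggest keeping one line here, `Use a reverse DNS style for this identifier; the system reserves the `com.apple.` prefix for built-in services.`, and using the same dotted form in the notes. The enclosing `payloadkeys` list starts before this hunk.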
@@ -49,3 +41,49 @@ payloadkeys: - Has a `Reference` key that includes the `ContentType` and `Hash-SHA-256` keys, which the system requires The system expands the zip archive and stores the data in a well-known location for the service. +notes: +- title: '' + content: |- + The device stores the service configurations files from this configuration in a tamper-proof location. Built-in services use these files to override their default configurations. + + The `DataAssetReference` refers to a zip archive that contains configuration files for a specific service. When the device applies the configuration, it downloads the asset data and expands the archive into a service-specific location. If the device updates a configuration, it downloads the new asset data and expands the data to replace what it previously installed. If the device deactivates or removes the configuration, it removes the configuration files from the service-specific directory. + + All files in the expanded archive are set to -r--r--r-- unix file permissions. Any links in the archive will be restricted to referencing files within the service-specific location. + + The following built-in system services use managed configuration files: + + | ServiceType | Manages | + |---|---| + | com.apple.sshd | /etc/ssh | + | com.apple.sudo | /etc/sudoers | + | com.apple.pam | /etc/pam.d | + | com.apple.cups | /etc/cups | + | com.apple.apache.httpd | /etc/apache2 | + | com.apple.bash | /etc/profile | + | com.apple.zsh | /etc/zprofile | + | | /etc/zlogin | + | | /etc/zlogout | + | | /etc/zshenv | + | | /etc/zshrc | + | com.apple.cryptoTokenKit | /etc/SmartcardLogin.plist | + | com.apple.authorization | /Library/Security/ | + + The files in the zip archive need to mirror the folder structure and configuration files that the service expects to be present starting at the root of the file system. The service uses only the files the declaration provides and ignores the ones in its default directories. 
+ + For example, a configuration with `ServiceType`: `com.apple.sshd` configures sshd to use the files that the `DataAssetReference` provides, instead of the files located at /etc/ssh. The corresponding zip archive needs to contain: + + ``` + etc/ + └ ssh/ + ├ moduli + ├ ssh_config + ├ ssh_config.d/ + ├ sshd_config + └ sshd_config.d/ + └ 100-macos.conf + ``` + + You can create an executable that uses service configuration files by calling the `mcf_service_path_for_service_type` method in the `libmanagedconfigurationfiles.dylib` system library. You pass in an identifier for your service type and the method returns the file system path for the directory that contains the corresponding service configuration files. Use those files to override the standard or default configuration the executable would otherwise use. See libmanagedconfigurationfiles.h in the macOS SDK for more detail. + + > Important: + > The system reserves the `com.apple` prefix for built-in services. diff --git a/declarative/declarations/configurations/softwareupdate.settings.yaml b/declarative/declarations/configurations/softwareupdate.settings.yaml index 51afad0..3c3c2b0 100644 --- a/declarative/declarations/configurations/softwareupdate.settings.yaml +++ b/declarative/declarations/configurations/softwareupdate.settings.yaml @@ -61,8 +61,8 @@ payloadkeys: - supervised type: presence: optional - content: This object configures the deferral of software updates. Rapid Security - Responses aren't considered in `Major`, `Minor`, or `System` deferral mechanism. + content: This object configures the deferral of software updates. Background Security + Improvements aren't considered in `Major`, `Minor`, or `System` deferral mechanism. subkeys: - key: CombinedPeriodInDays title: Combined Major/Minor Update Deferral Period 
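Review bot: The permissions sentence says every expanded file becomes `-r--r--r--`, which makes the full contents of the archive readable by every local user, yet the table lists `/etc/sudoers` among the managed paths, a file the stock system does not leave world-readable; the notes should warn that managed sudoers/PAM content is disclosed to all local accounts and that private material (host keys, credentials) must never be placed in the archive. The sentence `Any links in the archive will be restricted to referencing files within the service-specific location` does not say what happens to an entry with `..` components, an absolute path, or a symlink that resolves outside that location, and for a payload that replaces sudoers, PAM and the authorization database the failure mode matters, so I would add a line such as `Archive entries that resolve outside the service-specific location cause the configuration to fail` once the actual behavior is confirmed. "Tamper-proof location" is also unexplained; naming the mechanism (or dropping the adjective) would help. Finally, since the service ignores its default directory, it is worth stating outright that the archive must be complete, which the example's `100-macos.conf` only implies.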
@@ -224,7 +224,7 @@ payloadkeys: - `AlwaysOn` - automatic installations are always enabled. - `AlwaysOff` - automatic installations are always disabled. - key: RapidSecurityResponse - title: Rapid Security Response Settings + title: Background Security Improvement Settings supportedOS: iOS: allowed-enrollments: 
@@ -235,29 +235,29 @@ payloadkeys: introduced: n/a type: presence: optional - content: These configurations set user access to interacting with Rapid Security - Responses (RSRs). + content: These configurations set user access to interacting with Background Security + Improvement. subkeys: - key: Enable - title: Enable Rapid Security Response Installation + title: Enable Background Security Improvement Installation type: presence: optional default: true combinetype: boolean-and content: |- - If set to `false`, Rapid Security Responses aren't offered for user installation. The system can still install Rapid Security Responses with `com.apple.configuration.softwareupdate.enforcement.specific` configurations. + If set to `false`, Background Security Improvements aren't offered for user installation. The system can still install Background Security Improvements with `com.apple.configuration.softwareupdate.enforcement.specific` configurations. - If set to `true`, the system offers Rapid Security Responses to the user. + If set to `true`, the system offers Background Security Improvements to the user. - key: EnableRollback - title: Enable Rapid Security Response Rollbacks + title: Enable Background Security Improvement Rollbacks type: presence: optional default: true combinetype: boolean-and content: |- - If set to `false`, the system doesn't offer Rapid Security Response rollbacks to the user. + If set to `false`, the system doesn't offer Background Security Improvement rollbacks to the user. - If set to `true`, the system offers Rapid Security Response rollbacks to the user. + If set to `true`, the system offers Background Security Improvement rollbacks to the user. - key: AllowStandardUserOSUpdates title: Allow Standard User OS Updates supportedOS: diff --git a/declarative/status/device.operating-system.supplemental.build-version.yaml b/declarative/status/device.operating-system.supplemental.build-version.yaml index 7da2b78..cdd3f53 100644 
--- a/declarative/status/device.operating-system.supplemental.build-version.yaml +++ b/declarative/status/device.operating-system.supplemental.build-version.yaml @@ -54,5 +54,5 @@ payloadkeys: title: Status item value. type: presence: required - content: The operating system's build and rapid security response versions in use - on the device, for example, `20A123a` or `20B27c`. + content: The operating system's build and Background Security Improvement versions + in use on the device, for example, `20A123a` or `20B27c`. diff --git a/declarative/status/device.operating-system.supplemental.extra-version.yaml b/declarative/status/device.operating-system.supplemental.extra-version.yaml index fede6b6..da29b75 100644 --- a/declarative/status/device.operating-system.supplemental.extra-version.yaml +++ b/declarative/status/device.operating-system.supplemental.extra-version.yaml @@ -1,6 +1,6 @@ title: Status Device Operating System Supplemental Extra Version -description: A status report of the device's operating system's rapid security response - identifier. +description: A status report of the device's operating system's Background Security + Improvement identifier. payload: statusitemtype: device.operating-system.supplemental.extra-version supportedOS: @@ -55,5 +55,5 @@ payloadkeys: title: Status item value. type: presence: required - content: The operating system's rapid security response version in use on the device, - for example, `a`. + content: The operating system's Background Security Improvement version in use on + the device, for example, `a`. diff --git a/declarative/status/softwareupdate.pending-version.yaml b/declarative/status/softwareupdate.pending-version.yaml index f758c26..9318cb0 100644 --- a/declarative/status/softwareupdate.pending-version.yaml +++ b/declarative/status/softwareupdate.pending-version.yaml 
@@ -48,14 +48,14 @@ payloadkeys: title: The OS version type: presence: required - content: The OS version of the pending software update, including any rapid security - response version. This string is empty if no update is pending. + content: The OS version of the pending software update, including any Background + Security Improvement version. This string is empty if no update is pending. - key: build-version title: The build version type: presence: required - content: The build version of the pending software update, including any rapid - security response version. This string is empty if no update is pending. + content: The build version of the pending software update, including any Background + Security Improvement version. This string is empty if no update is pending. - key: target-local-date-time title: The target local date-time type: diff --git a/docs/errata.md b/docs/errata.md index aeb96e9..6d811f1 100644 --- a/docs/errata.md +++ b/docs/errata.md @@ -2,6 +2,22 @@ This document lists errata for the YAML schema. This is used when older versions of the schema are incorrect, and a fix was made in later schema to correct the problem. +## iOS 26.1 / tvOS 26.1 + +### mdm/profiles/com.apple.homescreenlayout.yaml + +The `IconItem` incorrectly stated the enum value was `App` but it is `Application` + +## macOS 26.1 + +### other/skipkeys.yaml + +The OSShowcase and UpdateCompleted skip keys were incorrectly marked as available in macOS 26.0. They are available beginning macOS 26.1. + +### mdm/profiles/com.apple.screensaver.yaml + +The `idleTime` key was incorrectly named `loginWindowIdleTime`. + ## iOS 26.0 ### mdm/profiles/com.apple.airplay.yaml diff --git a/mdm/commands/information.device.yaml b/mdm/commands/information.device.yaml index a818417..bbdbba9 100644 --- a/mdm/commands/information.device.yaml +++ b/mdm/commands/information.device.yaml 
@@ -265,9 +265,9 @@ payloadkeys: accessrights: AllowQueryDeviceInformation type: presence: optional - content: The key to get the OS update rapid security response version letter, - if a rapid security response update is installed. Requires the Device Information - access right. + content: The key to get the OS update Background Security Improvement version + letter, if a Background Security Improvement update is installed. Requires + the Device Information access right. - key: BuildVersion supportedOS: iOS: @@ -301,9 +301,10 @@ payloadkeys: accessrights: AllowQueryDeviceInformation type: presence: optional - content: The key to get the build version for the currently installed rapid - security response. If there's no installed rapid security response, this value - is the same as `BuildVersion`. Requires the Device Information access right. + content: The key to get the build version for the currently installed Background + Security Improvement. If there's no installed Background Security Improvement, + this value is the same as `BuildVersion`. Requires the Device Information + access right. - key: ModelName supportedOS: iOS: @@ -1974,7 +1975,7 @@ responsekeys: tvOS: introduced: '16.1' type: - content: The OS update rapid security response version letter. + content: The OS update Background Security Improvement version letter. - key: BuildVersion type: content: The operating system version. Requires the Device Information access diff --git a/mdm/commands/managed.application.feedback.yaml b/mdm/commands/managed.application.feedback.yaml index 3e50cea..43b578d 100644 --- a/mdm/commands/managed.application.feedback.yaml +++ b/mdm/commands/managed.application.feedback.yaml @@ -20,7 +20,7 @@ payload: devicechannel: false userchannel: true userenrollment: - mode: forbidden + mode: allowed tvOS: introduced: '10.2' accessrights: AllowAppInstallation 
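Review bot: In the `managed.application.feedback.yaml` hunk, `userenrollment.mode` for macOS flips from `forbidden` to `allowed` with no version attached, while the rest of the schema gates availability with an `introduced` value; a server that sends the command to a User Enrollment on an older macOS will presumably be rejected and has no way to know the cutoff from this file. If the change coincides with this release, please record it in the command's notes, for example `Available in User Enrollment on macOS 26.1 and later`, otherwise the release it actually landed in. The notes block edited further down mentions only the user channel, not User Enrollment, so this is not covered there.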
@@ -74,7 +74,7 @@ responsekeys: notes: - title: '' content: |- - This command allows the server to get the feedback information of managed apps. + This command allows the server to get the feedback information of managed apps. In macOS 12 and later, macOS supports this command on the user channel. The response doesn't include apps that Declarative Device Management is managing. diff --git a/mdm/commands/media.install.yaml b/mdm/commands/media.install.yaml index 38703cf..332b882 100644 --- a/mdm/commands/media.install.yaml +++ b/mdm/commands/media.install.yaml @@ -16,6 +16,8 @@ payload: mode: allowed macOS: introduced: '10.9' + deprecated: '11.0' + removed: '11.0' accessrights: AllowAppInstallation devicechannel: false userchannel: true diff --git a/mdm/commands/system.update.available.yaml b/mdm/commands/system.update.available.yaml index d069a6a..be0387d 100644 --- a/mdm/commands/system.update.available.yaml +++ b/mdm/commands/system.update.available.yaml @@ -220,7 +220,7 @@ responsekeys: introduced: '16.2' type: presence: required - content: If `true`, this update is a Rapid Security Response. + content: If `true`, this update is a Background Security Improvement. - key: SupplementalBuildVersion supportedOS: iOS: @@ -231,8 +231,8 @@ responsekeys: introduced: '16.2' type: presence: optional - content: The build version for the Rapid Security Response update, for example, - `13A999`, which is the same as `Build`. + content: The build version for the Background Security Improvement update, for + example, `13A999`, which is the same as `Build`. - key: SupplementalOSVersionExtra supportedOS: iOS: 
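Review bot: In the `media.install.yaml` hunk, `deprecated: '11.0'` and `removed: '11.0'` carry the same version, which gives consumers no transition window and reads as contradictory: either the command was still usable in 11.0 (then `removed` is wrong) or it was gone in 11.0 (then `deprecated` should name an earlier release or be omitted). Please confirm which release actually dropped it and keep only the pair that reflects that, e.g. `removed: '11.0'` alone. The `macOS` mapping this edits continues past the hunk.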
@@ -243,8 +243,8 @@ responsekeys: introduced: '16.2' type: presence: optional - content: The Rapid Security Response OS version suffix, for example, `(a)`. - Only present if this is a Rapid Security Response update. + content: The Background Security Improvement OS version suffix, for example, + `(a)`. Only present if this is a Background Security Improvement update. notes: - title: '' content: |- diff --git a/mdm/commands/system.update.schedule.yaml b/mdm/commands/system.update.schedule.yaml index 40bccf4..1701da4 100644 --- a/mdm/commands/system.update.schedule.yaml +++ b/mdm/commands/system.update.schedule.yaml @@ -68,7 +68,7 @@ payloadkeys: The version of the update, which the system requires if `ProductKey` isn't present. This value is available in iOS 11.3 and later, macOS 12 and later, and tvOS 12.2 and later. > Note: - > This value isn't available for use with Rapid Security Response (RSR) updates. + > This value isn't available for use with Background Security Improvement updates. - key: InstallAction type: presence: required diff --git a/mdm/commands/user.configured.yaml b/mdm/commands/user.configured.yaml index e6188ac..af1b683 100644 --- a/mdm/commands/user.configured.yaml +++ b/mdm/commands/user.configured.yaml @@ -10,7 +10,7 @@ payload: supervised: true requiresdep: true sharedipad: - mode: allowed + mode: required devicechannel: false userchannel: true userenrollment: diff --git a/mdm/profiles/com.apple.applicationaccess.yaml b/mdm/profiles/com.apple.applicationaccess.yaml index 012227a..41580f3 100644 --- a/mdm/profiles/com.apple.applicationaccess.yaml +++ b/mdm/profiles/com.apple.applicationaccess.yaml @@ -1052,7 +1052,8 @@ payloadkeys: type: presence: optional default: true - content: If `false`, the system disables content caching. + content: If `false`, the system disables content caching. This restriction is not + supported on the user channel. - key: allowContinuousPathKeyboard title: Allow Continuous Path Keyboard supportedOS: 
@@ -2837,7 +2838,7 @@ payloadkeys: default: true content: If `false`, the system disables Apple Music Radio. - key: allowRapidSecurityResponseInstallation - title: Allow Rapid Security Response Installation + title: Allow Background Security Improvement Installation supportedOS: iOS: introduced: '16.0' @@ -2859,9 +2860,9 @@ payloadkeys: type: presence: optional default: true - content: If `false`, the system prohibits installation of rapid security responses. + content: If `false`, the system prohibits installation of Background Security Improvements. - key: allowRapidSecurityResponseRemoval - title: Allow Rapid Security Response Removal + title: Allow Background Security Improvement Removal supportedOS: iOS: introduced: '16.0' @@ -2883,7 +2884,7 @@ payloadkeys: type: presence: optional default: true - content: If `false`, the system prohibits removal of rapid security responses. + content: If `false`, the system prohibits removal of Background Security Improvements. - key: allowRCSMessaging supportedOS: iOS: @@ -3251,7 +3252,7 @@ payloadkeys: presence: optional default: true content: If `false`, the system prevents modification of Time Machine settings in - System Settings. + System Settings. This restriction is not supported on the user channel. - key: allowUIAppInstallation title: Allow App Installation from App Store supportedOS: @@ -3411,7 +3412,7 @@ payloadkeys: content: If `false`, the system allows iOS devices to always connect to USB accessories while locked. In macOS, allows new USB and Thunderbolt accessories, and SD cards to connect without authorization. If the system has Lockdown mode enabled, it - ignores this value. + ignores this value. This restriction is not supported on the user channel. - key: allowVideoConferencing title: Allow Video Conferencing supportedOS: 
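Review bot: The sentence added to `allowUSBRestrictedMode`, `This restriction is not supported on the user channel.`, does not say whether a user-channel profile carrying the key is rejected at install or accepted with the key silently ignored; for a lock-screen accessory restriction a silent no-op means an admin can believe USB restricted mode is enforced when it is not. Please state the actual behavior, for example `Profiles installed on the user channel ignore this key; install it on the device channel to enforce it.`, if that is what happens. The same wording is added to `allowTimeMachineModification` in this file and would benefit from the same precision. The key's `supportedOS` block starts before the hunk, so I cannot see whether a per-channel flag already encodes this.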
@@ -4430,6 +4431,31 @@ payloadkeys: - `0`: None This restriction will require supervision in a future release. +- key: ratingAppsExemptedBundleIDs + title: Apps Exempted from Rating Restrictions + supportedOS: + iOS: + introduced: '26.1' + allowmanualinstall: false + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + content: If present, the system exempts apps with bundle IDs in the array from age-based + rating restrictions. The system uses intersection combine rules to combine multiple + payloads and any exceptions that parental control apps provide, including ScreenTime. + subkeys: + - key: ratingAppsExemptedBundleID + title: Exempted App + type: - key: ratingMovies title: Movies Ranking Number supportedOS: diff --git a/mdm/profiles/com.apple.declarations.yaml b/mdm/profiles/com.apple.declarations.yaml index ae151d0..fa4a17e 100644 --- a/mdm/profiles/com.apple.declarations.yaml +++ b/mdm/profiles/com.apple.declarations.yaml 
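Review bot: The new `ratingAppsExemptedBundleIDs` key loosens age-rating enforcement per bundle ID, and its `content` says only that "intersection combine rules" apply, which a reader may take as union; since the security effect is the opposite, spell it out, for example `An app is exempt only when every installed payload, and every parental-control exception, lists its bundle ID.` The hunk also does not say whether the bundle ID must match exactly or whether the exemption applies to apps that are not yet installed. The preceding key's text in this hunk notes that its restriction will require supervision in a future release; it would help to say whether this exemption key follows the same path. The `type:` line for the `ratingAppsExemptedBundleID` subkey appears empty here, though that may be an artifact of how the page was captured rather than the commit.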
@@ -57,7 +57,7 @@ payloadkeys: notes: - title: '' content: |- - This profile applies a set of declarations to the device. This allows a user to install declarations without requiring an MDM enrollment. A configuration profile containing this payload type can't be installed by a device management server. Device management servers need to use declarative device management to install declarations. + This profile applies a set of declarations to the device. Users use this profile to install declarations without requiring an MDM enrollment. A device management server can't install a configuration profile containing this payload type. Device management servers need to use declarative device management to install declarations. > Important: > When a user installs the profile, the device only applies configuration declarations that allow a "local" enrollment. Consult the documentation for each configuration type to see if you can use it. diff --git a/mdm/profiles/com.apple.extensiblesso.yaml b/mdm/profiles/com.apple.extensiblesso.yaml index f698984..738b352 100644 --- a/mdm/profiles/com.apple.extensiblesso.yaml +++ b/mdm/profiles/com.apple.extensiblesso.yaml @@ -188,7 +188,8 @@ payloadkeys: introduced: n/a type: presence: optional - content: The dictionary to configure Platform SSO. + content: The dictionary to configure Platform SSO. Requires `Type` to be set to + `Redirect`. subkeys: - key: AuthenticationMethod type: diff --git a/mdm/profiles/com.apple.homescreenlayout.yaml b/mdm/profiles/com.apple.homescreenlayout.yaml index d5bd0b5..f3c2c9b 100644 --- a/mdm/profiles/com.apple.homescreenlayout.yaml +++ b/mdm/profiles/com.apple.homescreenlayout.yaml @@ -43,7 +43,7 @@ payloadkeys: type: presence: required rangelist: - - App + - Application - Folder - WebClip content: The type of the Dock item. diff --git a/mdm/profiles/com.apple.loginwindow.yaml b/mdm/profiles/com.apple.loginwindow.yaml index dcffc7d..92fc2c1 100644 --- a/mdm/profiles/com.apple.loginwindow.yaml 
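Review bot: In the `com.apple.extensiblesso.yaml` hunk, `Requires `Type` to be set to `Redirect`.` leaves open what the system does when the Platform SSO dictionary is present with another `Type`: reject the profile, or install it with Platform SSO silently not configured. For an identity-provider setting the difference matters to whoever is debugging a failed enrollment, so please add the outcome, e.g. `If `Type` is not `Redirect`, the system ignores this dictionary.`, once confirmed. The `subkeys` of this dictionary continue past the hunk.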
+++ b/mdm/profiles/com.apple.loginwindow.yaml @@ -67,7 +67,8 @@ payloadkeys: type: presence: optional content: The list of user GUIDs or group GUIDs of users that the system allows to - log in. An asterisk (`*`) string specifies all users or groups. + log in. An asterisk (`*`) string specifies all users or groups. This only applies + to network accounts and mobile accounts. subkeys: - key: AllowListItem type: @@ -77,7 +78,8 @@ payloadkeys: type: presence: optional content: The list of user GUIDs or group GUIDs of users that the system disallows - to log in. This list takes priority over the list in the `AllowList` key. + to log in. This list takes priority over the list in the `AllowList` key. This + only applies to network accounts and mobile accounts. subkeys: - key: DenyListItem type: diff --git a/mdm/profiles/com.apple.screensaver.yaml b/mdm/profiles/com.apple.screensaver.yaml index 89319d2..8ec71d1 100644 --- a/mdm/profiles/com.apple.screensaver.yaml +++ b/mdm/profiles/com.apple.screensaver.yaml @@ -43,7 +43,7 @@ payloadkeys: unlock or stop the screen saver (the grace period). A value of `2147483647` (for example, `0x7FFFFFFF`) disables this requirement. To use this option, you must set `askForPassword` to `true`. Available in macOS 10.13 and later. -- key: loginWindowIdleTime +- key: idleTime type: presence: optional content: The number of seconds of inactivity before the screen saver activates (0 diff --git a/mdm/profiles/com.apple.vpn.managed.appmapping.yaml b/mdm/profiles/com.apple.vpn.managed.appmapping.yaml index 6d4f8cf..1bbf67b 100644 --- a/mdm/profiles/com.apple.vpn.managed.appmapping.yaml +++ b/mdm/profiles/com.apple.vpn.managed.appmapping.yaml @@ -9,7 +9,7 @@ payload: introduced: '10.9' multiple: false devicechannel: true - userchannel: false + userchannel: true requiresdep: false userapprovedmdm: false allowmanualinstall: true diff --git a/other/skipkeys.yaml b/other/skipkeys.yaml index f6ef487..f755afc 100644 --- a/other/skipkeys.yaml 
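Review bot: The clause added to `DenyList` in `com.apple.loginwindow.yaml`, `This only applies to network accounts and mobile accounts.`, should say explicitly that local accounts are never blocked by either list, since admins use `DenyList` as a login access control and a local administrator listed there will still be able to log in. A sentence such as `Local accounts can always log in regardless of these lists; use a different control to restrict them.` on both `AllowList` and `DenyList` would prevent that misreading. The two keys' `subkeys` entries continue outside the hunks.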
+++ b/other/skipkeys.yaml @@ -51,20 +51,20 @@ payloadkeys: type: presence: optional content: The key to skip the Action Button configuration pane. -- key: AdditionalPrivacySettings - title: Skip Additional Privacy Settings pane +- key: AgeBasedSafetySettings + title: Skip Age Based Safety Settings pane supportedOS: iOS: - introduced: n/a + introduced: '26.1' macOS: - introduced: '26.0' + introduced: n/a tvOS: introduced: n/a visionOS: introduced: n/a type: presence: optional - content: The key to skip the Additional Privacy Settings pane. + content: The key to skip the Age Based Safety Settings pane. - key: Android title: Prevents migration from Android device supportedOS: @@ -346,7 +346,7 @@ payloadkeys: iOS: introduced: '26.0' macOS: - introduced: '26.0' + introduced: '26.1' tvOS: introduced: n/a visionOS: @@ -442,6 +442,7 @@ payloadkeys: supportedOS: iOS: introduced: '18.4' + always-skippable: false macOS: introduced: n/a tvOS: @@ -450,7 +451,9 @@ payloadkeys: introduced: n/a type: presence: optional - content: The key to skip the Safety and Handling pane. + content: The key to skip the Safety and Handling pane. This pane isn't always skippable + because it appears before the device retrieves the Cloud Configuration from the + server. - key: ScreenTime title: Skip Screen Time pane supportedOS: @@ -626,7 +629,7 @@ payloadkeys: iOS: introduced: '14.0' macOS: - introduced: '26.0' + introduced: '26.1' tvOS: introduced: n/a visionOS:
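Review bot: The first `skipkeys.yaml` hunk deletes the `AdditionalPrivacySettings` skip key outright (it was documented as introduced in macOS 26.0) and puts `AgeBasedSafetySettings` in its place, but the errata added in this same release mention only `OSShowcase` and `UpdateCompleted`. If the macOS 26.0 entry was wrong, this needs an errata line like `The AdditionalPrivacySettings skip key was listed in error and has been removed.`; if the key did ship, it should stay in the file with a `removed`/`deprecated` version instead of vanishing, so consumers of the schema can tell which case applies. The final hunk in this file (`@@ -626`) runs past the end of what I can see.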