Release_iOS-17-5_macOS-14-5

README.md

@@ -8,32 +8,17 @@ This release corresponds to the following OS versions
 
 | OS       | Version |
 |----------|---------|
-| iOS      | 17.4    |
-| macOS    | 14.4    |
-| tvOS     | 17.4    |
-| visionOS |  1.1    |
-| watchOS  | 10.4    |
+| iOS      | 17.5    |
+| macOS    | 14.5    |
+| tvOS     | 17.5    |
+| visionOS |  1.2    |
+| watchOS  | 10.5    |
 
 ## Important Release Notes
 
-### visionOS support
+### Declarative device management related status
 
-The 17.4/14.4 release adds a `visionOS` value to the `supportedOS` key to indicate support for visionOS devices.
-
-### Declarative device management supervision state
-
-The 17.4/14.4 release includes a major change to the `allowed-enrollments` key in declarative device management schema items. A new `supervised` value has been added. So now:
-
-* `supervised` is used to indicate support for a supervised device enrollment
-* `device` is used to indicate support for an unsupervised device enrollment.
-
-On macOS, device enrollments are always supervised, so the `device` value has been replaced by `supervised` in all `allowed-enrollments`.
-
-On other platforms, `supervision` has been added or `device` has been removed, as appropriate for actual support.
-
-### Declarative device management combinetype values
-
-The 17.4/14.4 release has renamed the `enum-lowest` and `enum-highest` combinetype values to `enum-first` and `enum-last` respectively.
+Declarative device management configuration schema now includes a `related-status-items` key to show the relationship between status items and configurations.
 
 ## What's Available
 

declarative/declarations/configurations/account.caldav.yaml

@@ -68,3 +68,7 @@ payloadkeys:
   presence: optional
   content: The identifier of an asset declaration that contains the credentials for
     this account. Set the corresponding asset type to 'CredentialUserNameAndPassword'.
+related-status-items:
+- status-items:
+  - account.list.caldav
+  note: Each configuration will have a corresponding status item.

declarative/declarations/configurations/account.carddav.yaml

@@ -67,3 +67,7 @@ payloadkeys:
   presence: optional
   content: The identifier of an asset declaration that contains the credentials for
     this account. Set the corresponding asset type to 'CredentialUserNameAndPassword'.
+related-status-items:
+- status-items:
+  - account.list.carddav
+  note: Each configuration will have a corresponding status item.

declarative/declarations/configurations/account.exchange.yaml

@@ -352,3 +352,7 @@ payloadkeys:
   default: false
   content: If 'true', the system prevents the user from changing the status of the
     notes service for this account.
+related-status-items:
+- status-items:
+  - account.list.exchange
+  note: Each configuration will have a corresponding status item.

declarative/declarations/configurations/account.google.yaml

@@ -56,3 +56,7 @@ payloadkeys:
     for this Google account. Set the corresponding asset type to 'UserIdentity' and
     ensure that it contains an 'EmailAddress' key that specifies the full Google email
     address for the account.
+related-status-items:
+- status-items:
+  - account.list.google
+  note: Each configuration will have a corresponding status item.

declarative/declarations/configurations/account.ldap.yaml

@@ -100,3 +100,7 @@ payloadkeys:
         * 'Base': Only the 'SearchBase' node.
         * 'OneLevel': The 'SearchBase' node and its immediate children.
         * 'Subtree': The 'SearchBase' node and all its children, regardless of depth.
+related-status-items:
+- status-items:
+  - account.list.ldap
+  note: Each configuration will have a corresponding status item.

declarative/declarations/configurations/account.mail.yaml

@@ -227,3 +227,9 @@ payloadkeys:
       default: false
       content: If 'true', the system enables the per-message encryption switch in
         the compose view.
+related-status-items:
+- status-items:
+  - account.list.mail.incoming
+  - account.list.mail.outgoing
+  note: Each configuration will have a corresponding status item for incoming and
+    outgoing accounts.

declarative/declarations/configurations/account.subscribed-calendar.yaml

@@ -59,3 +59,7 @@ payloadkeys:
   content: The identifier of an asset declaration that contains the credentials for
     this account to authenticate with a calendar server. Set the corresponding asset
     type to 'CredentialUserNameAndPassword'.
+related-status-items:
+- status-items:
+  - account.list.subscribed-calendar
+  note: Each configuration will have a corresponding status item.

declarative/declarations/configurations/app.managed.yaml

@@ -151,3 +151,7 @@ payloadkeys:
     type: <string>
     presence: optional
     content: The UUID of the VPN to associate with the app.
+related-status-items:
+- status-items:
+  - app.managed.list
+  note: Each configuration will have a corresponding status item.

declarative/declarations/configurations/passcode.settings.yaml

@@ -225,3 +225,8 @@ payloadkeys:
       type: <string>
       presence: optional
       content: A localized description.
+related-status-items:
+- status-items:
+  - passcode.is-compliant
+  - passcode.is-present
+  note: This configuration may affect the corresponding status items.

declarative/declarations/configurations/screensharing.connection.group.yaml

@@ -43,3 +43,8 @@ payloadkeys:
   subkeys:
   - key: ConnectionUUID
     type: <string>
+related-status-items:
+- status-items:
+  - screensharing.connection.group.unresolved-connection
+  note: Any unresolved connection groups in the configuration will appear in the corresponding
+    status item.

declarative/declarations/configurations/security.certificate.yaml

@@ -58,3 +58,7 @@ payloadkeys:
   presence: required
   content: The identifier of an asset declaration that contains the certificate to
     install.
+related-status-items:
+- status-items:
+  - security.certificate.list
+  note: Each configuration will have a corresponding status item.

declarative/declarations/configurations/security.identity.yaml

@@ -89,3 +89,7 @@ payloadkeys:
   presence: optional
   default: true
   content: If 'true', the private key is extractable in the keychain.
+related-status-items:
+- status-items:
+  - security.certificate.list
+  note: Each configuration will have a corresponding status item.

declarative/declarations/configurations/softwareupdate.enforcement.specific.yaml

@@ -56,3 +56,10 @@ payloadkeys:
   presence: optional
   content: The URL of a web page that shows details that the organization provides
     about the enforced update.
+related-status-items:
+- status-items:
+  - softwareupdate.failure-reason
+  - softwareupdate.install-reason
+  - softwareupdate.install-state
+  - softwareupdate.pending-version
+  note: This configuration may affect the corresponding status items.

declarative/status/services.background-task.yaml

@@ -67,7 +67,7 @@ payloadkeys:
       - enabled
       - requires-approval
       - not-found
-      content: The SMAppServiceStatus enumeration.
+      content: The SMAppService.Status enumeration.
     - key: type
       title: Background task type
       type: <string>

docs/schema.yaml

@@ -349,3 +349,23 @@ properties:
                 - <array>
                 - <dictionary>
                 - <any>
+
+  related-status-items:
+    type: array
+    description: An array describing any status items that might be related to a configuration.
+    items:
+      type: object
+      description: An additional note about a payload. A note is written in "markdown" and can be transformed to HTML if needed.
+      additionalProperties: false
+      required:
+      - status-items
+      properties:
+        status-items:
+          type: array
+          description: List of status-item types.
+          items:
+            type:
+            - string
+        note:
+          type: string
+          description: A description of the relationship.

mdm/commands/application.install.yaml

@@ -326,7 +326,7 @@ responsekeys:
   - Managed
   - ManagedButUninstalled
   - UserInstalledApp
-  - UserRejectedFailed
+  - UserRejected
   - PromptingForUpdate
   - PromptingForUpdateLogin
   - ValidatingUpdate
@@ -334,6 +334,7 @@ responsekeys:
   - UpdateRejected
   - PromptingForManagement
   - ManagementRejected
+  - Failed
   - Unknown
   content: The app's installation state, if the user accepted the request. If this
     value is 'NeedsRedemption', the server must send a redemption code to complete

mdm/commands/information.device.yaml

@@ -2010,7 +2010,7 @@ responsekeys:
     type: <real>
     content: The battery level, between '0.0' and '1.0', or '-1.0' if MDM can't determine
       the battery level. Requires the Device Information access right. Available in
-      iOS 5 and later.
+      iOS 5 and later, and macOS 13.3 and later.
   - key: HasBattery
     supportedOS:
       iOS:

mdm/commands/user.delete.yaml

@@ -37,7 +37,7 @@ payloadkeys:
   type: <string>
   presence: optional
   content: The user name of the account to delete. This key is required when the value
-    for DeleteAllUsers is absent or false.
+    for 'DeleteAllUsers' is absent or 'false'.
 - key: ForceDeletion
   supportedOS:
     macOS:

mdm/errors/softwareupdate.required.yaml

@@ -55,3 +55,25 @@ payloadkeys:
       version identifier can be included (e.g., "20A242a"). If the build version is
       not consistent with the OS version specified in the 'OSVersion' key, the OS
       version will take precedence.
+  - key: RequireBetaProgram
+    supportedOS:
+      iOS:
+        introduced: '17.5'
+      macOS:
+        introduced: '14.5'
+    type: <dictionary>
+    presence: optional
+    content: The device automatically enrolls in this beta program, to allow enforced
+      software updates to beta program OS versions. The device will remain in the
+      beta program after the enforced software update is completed.
+    subkeys:
+    - key: Description
+      type: <string>
+      presence: required
+      content: A human readable description of the beta program.
+    - key: Token
+      type: <string>
+      presence: required
+      content: The AxM seeding service token for the AxM organization the MDM server
+        is part of. This token is used to enroll the device in the corresponding beta
+        program.

mdm/errors/well-known.failed.yaml

@@ -0,0 +1,38 @@
+title: Error Well-known Failed
+description: Error response for well-known failed
+payload:
+  supportedOS:
+    iOS:
+      introduced: '17.5'
+    macOS:
+      introduced: '14.5'
+    tvOS:
+      introduced: n/a
+    visionOS:
+      introduced: '1.2'
+    watchOS:
+      introduced: n/a
+  content: |-
+    The schema for a JSON or property list XML document returned in an MDM server's 403 response body. The
+    response headers must include a "Content-Type" header indicating whether JSON or XML is being returned.
+
+    This response is returned when a device is doing well-known resource service discovery for account driven
+    enrollments, and the server rejects the request.
+payloadkeys:
+- key: code
+  type: <string>
+  presence: required
+  rangelist:
+  - com.apple.well-known.failed
+  content: Indicates that the well-known request has failed.
+- key: description
+  type: <string>
+  presence: optional
+  content: The description of the error. This will only be used by the client for
+    logging purposes and will not be displayed to the user.
+- key: message
+  type: <string>
+  presence: optional
+  content: A description of the error suitable for displaying to the user. If needed,
+    the client will make a best-effort attempt to display the message, but may not
+    be able to, due to local conditions.

mdm/profiles/TopLevel.yaml

@@ -128,6 +128,7 @@ payloadkeys:
     If present and set to 'true', the user can't delete the profile unless the profile has a removal password and the user provides it.
     On macOS 10.15 and later, this key only affects removal of manually installed profiles. If set to 'true' and no profile removal payload is present, removing the profile requires admin auth.
     On macOS versions prior to 10.15, this key prevents admins from removing MDM installed profiles. However, as of macOS 10.15, users can never remove MDM profiles, not even the admin.
+    On iOS users can't remove a MDM profile.
     Requires a supervised device.
 - key: PayloadScope
   supportedOS:

mdm/profiles/com.apple.TCC.configuration-profile-policy.yaml

@@ -291,3 +291,12 @@ payloadkeys:
     content: Allows the application to access data of other apps.
     subkeytype: Identity
     subkeys: *id001
+  - key: BluetoothAlways
+    supportedOS:
+      macOS:
+        introduced: '11.0'
+    type: <array>
+    presence: optional
+    content: Specifies the policies for the app to access Bluetooth devices.
+    subkeytype: Identity
+    subkeys: *id001

mdm/profiles/com.apple.applicationaccess.yaml

@@ -429,6 +429,26 @@ payloadkeys:
   default: true
   content: If 'false', the system disables keyboard autocorrection. Requires a supervised
     device. Available in iOS 8.1.3 and later.
+- key: allowAutoDim
+  title: Allow Auto Dim
+  supportedOS:
+    iOS:
+      introduced: '17.4'
+      supervised: true
+      userenrollment:
+        mode: forbidden
+    macOS:
+      introduced: n/a
+    tvOS:
+      introduced: n/a
+    visionOS:
+      introduced: n/a
+    watchOS:
+      introduced: n/a
+  type: <boolean>
+  presence: optional
+  default: true
+  content: If set to false, disables auto dim on iPads with OLED displays.
 - key: allowAutomaticAppDownloads
   title: Allow Automatic App Downloads
   supportedOS:
@@ -622,7 +642,8 @@ payloadkeys:
   presence: optional
   default: true
   content: If 'false', the system prevents users from changing settings related to
-    their cellular plan. Requires a supervised device. Available in iOS 11 and later.
+    their cellular plan (only available on select carriers). Requires a supervised
+    device. Available in iOS 11 and later.
 - key: allowChat
   title: Allow use of iMessage
   supportedOS:
@@ -1212,9 +1233,8 @@ payloadkeys:
   type: <boolean>
   presence: optional
   default: true
-  content: If 'false', the system disables modifications to carrier plan related settings
-    (only available on select carriers). Requires a supervised device. Available in
-    iOS 11 and later.
+  content: If 'false', the system disables modifications of eSIMs. Requires a supervised
+    device. Available in iOS 12.1 and later.
 - key: allowExplicitContent
   title: Allow Explicit Content
   supportedOS:
@@ -1652,8 +1672,9 @@ payloadkeys:
   type: <boolean>
   presence: optional
   default: true
-  content: If 'false', the system disables live voicemail on the device. Available
-    in iOS 17.2 and later.
+  content: |-
+    If 'false', the system disables live voicemail on the device.
+    Requires a supervised device. Available in iOS 17.2 and later.
 - key: allowLocalUserCreation
   title: Allow creating users in System Settings
   supportedOS:
@@ -1805,7 +1826,7 @@ payloadkeys:
   default: true
   content: If 'false', the system prevents installation of alternative marketplace
     apps from the web and prevents any installed alternative marketplace apps from
-    installing apps. Available in iOS 17.4 and later.
+    installing apps. Available in iOS 17.4 and later. Requires a supervised device.
 - key: allowMultiplayerGaming
   title: Allow Multiplayer Gaming
   supportedOS:
@@ -2786,6 +2807,27 @@ payloadkeys:
   default: true
   content: If 'false', the system prevents changing the wallpaper. Available in iOS
     9 and later, and macOS 10.13 and later. Requires a supervised device in iOS.
+- key: allowWebDistributionAppInstallation
+  title: Allow App Installation from web sites
+  supportedOS:
+    iOS:
+      introduced: '17.5'
+      supervised: true
+      userenrollment:
+        mode: forbidden
+    macOS:
+      introduced: n/a
+    tvOS:
+      introduced: n/a
+    visionOS:
+      introduced: n/a
+    watchOS:
+      introduced: n/a
+  type: <boolean>
+  presence: optional
+  default: true
+  content: When 'false', the device prevents installation of apps directly from the
+    web.
 - key: autonomousSingleAppModePermittedAppIDs
   supportedOS:
     iOS:

mdm/profiles/com.apple.eas.account.yaml

@@ -209,13 +209,16 @@ payloadkeys:
   type: <integer>
   presence: optional
   rangelist:
+  - 0
   - 1
   - 3
   - 7
   - 14
   - 31
   default: 7
-  content: The number of days in the past to sync mail on the device.
+  content: |-
+    The number of days in the past to sync mail on the device.
+    For no limit, use the value '0'.
 - key: HeaderMagic
   supportedOS:
     iOS:

mdm/profiles/com.apple.security.acme.yaml

@@ -181,7 +181,7 @@ payloadkeys:
   content: |-
     If 'true', the device provides attestations that describe the device and the generated key to the ACME server. The server can use the attestations as strong evidence that the key is bound to the device, and that the device has properties listed in the attestation. The server can use that as part of a trust score to decide whether to issue the requested certificate.
     When 'Attest' is 'true', 'HardwareBound' also needs to be 'true'.
-    This key is supported as of macOS 14 on Apple Silicon and Intel devices that have a T2 chip. If this key is specified for older macOS versions or other Mac devices, it must have a value of 'false'.
+    Setting this key to 'true' is supported as of macOS 14 on Apple Silicon and Intel devices that have a T2 chip. Older macOS versions or other Mac devices require this key but it must have a value of 'false'.
 - key: KeyIsExtractable
   supportedOS:
     iOS:

mdm/profiles/com.apple.system-extension-policy.yaml

@@ -42,7 +42,7 @@ payloadkeys:
   presence: optional
   content: |-
     An array of team identifiers that defines valid, signed system extensions that are allowable to load. Approved system extensions are those signed with any of the specified team identifiers.
-    To avoid requiring an administrator to authorize the operation, you can activate system extensions that this key specifies using activationRequestForExtension:queue:.
+    To avoid requiring an administrator to authorize the operation, you can activate system extensions that this key specifies using activationRequest(forExtensionWithIdentifier:queue:).
     It's an error for the same team identifier to appear in both this array and as a key in the 'AllowedSystemExtensions' dictionary.
   subkeys:
   - key: AllowedTeamIdentifiersItem
@@ -70,7 +70,7 @@ payloadkeys:
   presence: optional
   content: |-
     A dictionary of approved system extensions on the computer. The dictionary maps the team identifiers (keys) to arrays of bundle identifiers, where the bundle identifier defines the system extension to install.
-    To avoid requiring an administrator to authorize the operation, you can activate system extensions that this key specifies using activationRequestForExtension:queue:.
+    To avoid requiring an administrator to authorize the operation, you can activate system extensions that this key specifies using activationRequest(forExtensionWithIdentifier:queue:).
     It's an error for the same team identifier to appear in both the 'AllowedTeamIdentifiers' array and as a key in this dictionary.
   subkeys:
   - key: ANY

mdm/profiles/com.apple.vpn.managed.yaml

@@ -1557,7 +1557,8 @@ payloadkeys:
       introduced: n/a
   type: <dictionary>
   presence: optional
-  content: The dictionary to use when 'VPNType' is 'AlwaysOn'. Not available in watchOS.
+  content: The dictionary to use when 'VPNType' is 'AlwaysOn'. Not available in tvOS
+    or watchOS.
   subkeys:
   - key: UIToggleEnabled
     title: UI Toggle Enabled

mdm/profiles/com.apple.wifi.managed.yaml

@@ -283,8 +283,8 @@ payloadkeys:
     presence: optional
     content: |-
       A name that hides the user's true name. The user's actual name appears only inside the encrypted tunnel. For example, you might set this to anonymous or anon, or anon@mycompany.net. It can increase security because an attacker can't see the authenticating user's name in the clear.
-
       This key is only relevant to TTLS, PEAP, and EAP-FAST.
+      This field is required if 'TLSMinimumVersion' is '1.3'.
   - key: EAPFASTUsePAC
     title: Use PAC
     type: <boolean>