diff --git a/README.md b/README.md index c3f8dd4..2d7366a 100644 --- a/README.md +++ b/README.md @@ -8,32 +8,17 @@ This release corresponds to the following OS versions | OS | Version | |----------|---------| -| iOS | 17.4 | -| macOS | 14.4 | -| tvOS | 17.4 | -| visionOS | 1.1 | -| watchOS | 10.4 | +| iOS | 17.5 | +| macOS | 14.5 | +| tvOS | 17.5 | +| visionOS | 1.2 | +| watchOS | 10.5 | ## Important Release Notes -### visionOS support +### Declarative device management related status -The 17.4/14.4 release adds a `visionOS` value to the `supportedOS` key to indicate support for visionOS devices. - -### Declarative device management supervision state - -The 17.4/14.4 release includes a major change to the `allowed-enrollments` key in declarative device management schema items. A new `supervised` value has been added. So now: - -* `supervised` is used to indicate support for a supervised device enrollment -* `device` is used to indicate support for an unsupervised device enrollment. - -On macOS, device enrollments are always supervised, so the `device` value has been replaced by `supervised` in all `allowed-enrollments`. - -On other platforms, `supervision` has been added or `device` has been removed, as appropriate for actual support. - -### Declarative device management combinetype values - -The 17.4/14.4 release has renamed the `enum-lowest` and `enum-highest` combinetype values to `enum-first` and `enum-last` respectively. +Declarative device management configuration schema now includes a `related-status-items` key to show the relationship between status items and configurations. ## What's Available diff --git a/declarative/declarations/configurations/account.caldav.yaml b/declarative/declarations/configurations/account.caldav.yaml index e926742..97df29e 100644 --- a/declarative/declarations/configurations/account.caldav.yaml +++ b/declarative/declarations/configurations/account.caldav.yaml 
@@ -68,3 +68,7 @@ payloadkeys: presence: optional content: The identifier of an asset declaration that contains the credentials for this account. Set the corresponding asset type to 'CredentialUserNameAndPassword'. +related-status-items: +- status-items: + - account.list.caldav + note: Each configuration will have a corresponding status item. diff --git a/declarative/declarations/configurations/account.carddav.yaml b/declarative/declarations/configurations/account.carddav.yaml index 4977304..cdea24d 100644 --- a/declarative/declarations/configurations/account.carddav.yaml +++ b/declarative/declarations/configurations/account.carddav.yaml @@ -67,3 +67,7 @@ payloadkeys: presence: optional content: The identifier of an asset declaration that contains the credentials for this account. Set the corresponding asset type to 'CredentialUserNameAndPassword'. +related-status-items: +- status-items: + - account.list.carddav + note: Each configuration will have a corresponding status item. diff --git a/declarative/declarations/configurations/account.exchange.yaml b/declarative/declarations/configurations/account.exchange.yaml index 0772234..16ccafe 100644 --- a/declarative/declarations/configurations/account.exchange.yaml +++ b/declarative/declarations/configurations/account.exchange.yaml @@ -352,3 +352,7 @@ payloadkeys: default: false content: If 'true', the system prevents the user from changing the status of the notes service for this account. +related-status-items: +- status-items: + - account.list.exchange + note: Each configuration will have a corresponding status item. diff --git a/declarative/declarations/configurations/account.google.yaml b/declarative/declarations/configurations/account.google.yaml index 233212a..e3a9677 100644 --- a/declarative/declarations/configurations/account.google.yaml +++ b/declarative/declarations/configurations/account.google.yaml 
@@ -56,3 +56,7 @@ payloadkeys: for this Google account. Set the corresponding asset type to 'UserIdentity' and ensure that it contains an 'EmailAddress' key that specifies the full Google email address for the account. +related-status-items: +- status-items: + - account.list.google + note: Each configuration will have a corresponding status item. diff --git a/declarative/declarations/configurations/account.ldap.yaml b/declarative/declarations/configurations/account.ldap.yaml index daa6f43..19320f0 100644 --- a/declarative/declarations/configurations/account.ldap.yaml +++ b/declarative/declarations/configurations/account.ldap.yaml @@ -100,3 +100,7 @@ payloadkeys: * 'Base': Only the 'SearchBase' node. * 'OneLevel': The 'SearchBase' node and its immediate children. * 'Subtree': The 'SearchBase' node and all its children, regardless of depth. +related-status-items: +- status-items: + - account.list.ldap + note: Each configuration will have a corresponding status item. diff --git a/declarative/declarations/configurations/account.mail.yaml b/declarative/declarations/configurations/account.mail.yaml index ce7aba4..7308a19 100644 --- a/declarative/declarations/configurations/account.mail.yaml +++ b/declarative/declarations/configurations/account.mail.yaml @@ -227,3 +227,9 @@ payloadkeys: default: false content: If 'true', the system enables the per-message encryption switch in the compose view. +related-status-items: +- status-items: + - account.list.mail.incoming + - account.list.mail.outgoing + note: Each configuration will have a corresponding status item for incoming and + outgoing accounts. diff --git a/declarative/declarations/configurations/account.subscribed-calendar.yaml b/declarative/declarations/configurations/account.subscribed-calendar.yaml index da35a64..fc611ae 100644 --- a/declarative/declarations/configurations/account.subscribed-calendar.yaml +++ b/declarative/declarations/configurations/account.subscribed-calendar.yaml 
@@ -59,3 +59,7 @@ payloadkeys: content: The identifier of an asset declaration that contains the credentials for this account to authenticate with a calendar server. Set the corresponding asset type to 'CredentialUserNameAndPassword'. +related-status-items: +- status-items: + - account.list.subscribed-calendar + note: Each configuration will have a corresponding status item. diff --git a/declarative/declarations/configurations/app.managed.yaml b/declarative/declarations/configurations/app.managed.yaml index 7cb6a61..bd9857d 100644 --- a/declarative/declarations/configurations/app.managed.yaml +++ b/declarative/declarations/configurations/app.managed.yaml @@ -151,3 +151,7 @@ payloadkeys: type: presence: optional content: The UUID of the VPN to associate with the app. +related-status-items: +- status-items: + - app.managed.list + note: Each configuration will have a corresponding status item. diff --git a/declarative/declarations/configurations/passcode.settings.yaml b/declarative/declarations/configurations/passcode.settings.yaml index b3a8d65..7d9d9a8 100644 --- a/declarative/declarations/configurations/passcode.settings.yaml +++ b/declarative/declarations/configurations/passcode.settings.yaml @@ -225,3 +225,8 @@ payloadkeys: type: presence: optional content: A localized description. +related-status-items: +- status-items: + - passcode.is-compliant + - passcode.is-present + note: This configuration may affect the corresponding status items. diff --git a/declarative/declarations/configurations/screensharing.connection.group.yaml b/declarative/declarations/configurations/screensharing.connection.group.yaml index 3842234..7e97130 100644 --- a/declarative/declarations/configurations/screensharing.connection.group.yaml +++ b/declarative/declarations/configurations/screensharing.connection.group.yaml 
@@ -43,3 +43,8 @@ payloadkeys: subkeys: - key: ConnectionUUID type: +related-status-items: +- status-items: + - screensharing.connection.group.unresolved-connection + note: Any unresolved connection groups in the configuration will appear in the corresponding + status item. diff --git a/declarative/declarations/configurations/security.certificate.yaml b/declarative/declarations/configurations/security.certificate.yaml index 056226b..58bbbe9 100644 --- a/declarative/declarations/configurations/security.certificate.yaml +++ b/declarative/declarations/configurations/security.certificate.yaml @@ -58,3 +58,7 @@ payloadkeys: presence: required content: The identifier of an asset declaration that contains the certificate to install. +related-status-items: +- status-items: + - security.certificate.list + note: Each configuration will have a corresponding status item. diff --git a/declarative/declarations/configurations/security.identity.yaml b/declarative/declarations/configurations/security.identity.yaml index 5a02b66..37c2069 100644 --- a/declarative/declarations/configurations/security.identity.yaml +++ b/declarative/declarations/configurations/security.identity.yaml @@ -89,3 +89,7 @@ payloadkeys: presence: optional default: true content: If 'true', the private key is extractable in the keychain. +related-status-items: +- status-items: + - security.certificate.list + note: Each configuration will have a corresponding status item. diff --git a/declarative/declarations/configurations/softwareupdate.enforcement.specific.yaml b/declarative/declarations/configurations/softwareupdate.enforcement.specific.yaml index aba0239..a42a307 100644 --- a/declarative/declarations/configurations/softwareupdate.enforcement.specific.yaml +++ b/declarative/declarations/configurations/softwareupdate.enforcement.specific.yaml 
@@ -56,3 +56,10 @@ payloadkeys: presence: optional content: The URL of a web page that shows details that the organization provides about the enforced update. +related-status-items: +- status-items: + - softwareupdate.failure-reason + - softwareupdate.install-reason + - softwareupdate.install-state + - softwareupdate.pending-version + note: This configuration may affect the corresponding status items. diff --git a/declarative/status/services.background-task.yaml b/declarative/status/services.background-task.yaml index 8f43c99..887ce32 100644 --- a/declarative/status/services.background-task.yaml +++ b/declarative/status/services.background-task.yaml @@ -67,7 +67,7 @@ payloadkeys: - enabled - requires-approval - not-found - content: The SMAppServiceStatus enumeration. + content: The SMAppService.Status enumeration. - key: type title: Background task type type: diff --git a/docs/schema.yaml b/docs/schema.yaml index 314ae97..053a174 100644 --- a/docs/schema.yaml +++ b/docs/schema.yaml @@ -349,3 +349,23 @@ properties: - - - + + related-status-items: + type: array + description: An array describing any status items that might be related to a configuration. + items: + type: object + description: An additional note about a payload. A note is written in "markdown" and can be transformed to HTML if needed. + additionalProperties: false + required: + - status-items + properties: + status-items: + type: array + description: List of status-item types. + items: + type: + - string + note: + type: string + description: A description of the relationship. diff --git a/mdm/commands/application.install.yaml b/mdm/commands/application.install.yaml index 76dc133..61d8cfe 100644 --- a/mdm/commands/application.install.yaml +++ b/mdm/commands/application.install.yaml @@ -326,7 +326,7 @@ responsekeys: - Managed - ManagedButUninstalled - UserInstalledApp - - UserRejectedFailed + - UserRejected - PromptingForUpdate - PromptingForUpdateLogin - ValidatingUpdate 
@@ -334,6 +334,7 @@ responsekeys: - UpdateRejected - PromptingForManagement - ManagementRejected + - Failed - Unknown content: The app's installation state, if the user accepted the request. If this value is 'NeedsRedemption', the server must send a redemption code to complete diff --git a/mdm/commands/information.device.yaml b/mdm/commands/information.device.yaml index 084e53c..d3c250c 100644 --- a/mdm/commands/information.device.yaml +++ b/mdm/commands/information.device.yaml @@ -2010,7 +2010,7 @@ responsekeys: type: content: The battery level, between '0.0' and '1.0', or '-1.0' if MDM can't determine the battery level. Requires the Device Information access right. Available in - iOS 5 and later. + iOS 5 and later, and macOS 13.3 and later. - key: HasBattery supportedOS: iOS: diff --git a/mdm/commands/user.delete.yaml b/mdm/commands/user.delete.yaml index 332f081..30c31cf 100644 --- a/mdm/commands/user.delete.yaml +++ b/mdm/commands/user.delete.yaml @@ -37,7 +37,7 @@ payloadkeys: type: presence: optional content: The user name of the account to delete. This key is required when the value - for DeleteAllUsers is absent or false. + for 'DeleteAllUsers' is absent or 'false'. - key: ForceDeletion supportedOS: macOS: diff --git a/mdm/errors/softwareupdate.required.yaml b/mdm/errors/softwareupdate.required.yaml index 0c62dff..c475f03 100644 --- a/mdm/errors/softwareupdate.required.yaml +++ b/mdm/errors/softwareupdate.required.yaml 
@@ -55,3 +55,25 @@ payloadkeys: version identifier can be included (e.g., "20A242a"). If the build version is not consistent with the OS version specified in the 'OSVersion' key, the OS version will take precedence. + - key: RequireBetaProgram + supportedOS: + iOS: + introduced: '17.5' + macOS: + introduced: '14.5' + type: + presence: optional + content: The device automatically enrolls in this beta program, to allow enforced + software updates to beta program OS versions. The device will remain in the + beta program after the enforced software update is completed. + subkeys: + - key: Description + type: + presence: required + content: A human readable description of the beta program. + - key: Token + type: + presence: required + content: The AxM seeding service token for the AxM organization the MDM server + is part of. This token is used to enroll the device in the corresponding beta + program. diff --git a/mdm/errors/well-known.failed.yaml b/mdm/errors/well-known.failed.yaml new file mode 100644 index 0000000..8d59871 --- /dev/null +++ b/mdm/errors/well-known.failed.yaml 
@@ -0,0 +1,38 @@ +title: Error Well-known Failed +description: Error response for well-known failed +payload: + supportedOS: + iOS: + introduced: '17.5' + macOS: + introduced: '14.5' + tvOS: + introduced: n/a + visionOS: + introduced: '1.2' + watchOS: + introduced: n/a + content: |- + The schema for a JSON or property list XML document returned in an MDM server's 403 response body. The + response headers must include a "Content-Type" header indicating whether JSON or XML is being returned. + + This response is returned when a device is doing well-known resource service discovery for account driven + enrollments, and the server rejects the request. +payloadkeys: +- key: code + type: + presence: required + rangelist: + - com.apple.well-known.failed + content: Indicates that the well-known request has failed. +- key: description + type: + presence: optional + content: The description of the error. This will only be used by the client for + logging purposes and will not be displayed to the user. +- key: message + type: + presence: optional + content: A description of the error suitable for displaying to the user. If needed, + the client will make a best-effort attempt to display the message, but may not + be able to, due to local conditions. diff --git a/mdm/profiles/TopLevel.yaml b/mdm/profiles/TopLevel.yaml index ab82d56..1c5b02c 100644 --- a/mdm/profiles/TopLevel.yaml +++ b/mdm/profiles/TopLevel.yaml 
@@ -128,6 +128,7 @@ payloadkeys: If present and set to 'true', the user can't delete the profile unless the profile has a removal password and the user provides it. On macOS 10.15 and later, this key only affects removal of manually installed profiles. If set to 'true' and no profile removal payload is present, removing the profile requires admin auth. On macOS versions prior to 10.15, this key prevents admins from removing MDM installed profiles. However, as of macOS 10.15, users can never remove MDM profiles, not even the admin. + On iOS users can't remove a MDM profile. Requires a supervised device. - key: PayloadScope supportedOS: diff --git a/mdm/profiles/com.apple.TCC.configuration-profile-policy.yaml b/mdm/profiles/com.apple.TCC.configuration-profile-policy.yaml index 7c5a0b5..7aea0a1 100644 --- a/mdm/profiles/com.apple.TCC.configuration-profile-policy.yaml +++ b/mdm/profiles/com.apple.TCC.configuration-profile-policy.yaml @@ -291,3 +291,12 @@ payloadkeys: content: Allows the application to access data of other apps. subkeytype: Identity subkeys: *id001 + - key: BluetoothAlways + supportedOS: + macOS: + introduced: '11.0' + type: + presence: optional + content: Specifies the policies for the app to access Bluetooth devices. + subkeytype: Identity + subkeys: *id001 diff --git a/mdm/profiles/com.apple.applicationaccess.yaml b/mdm/profiles/com.apple.applicationaccess.yaml index 631f89f..d739d03 100644 --- a/mdm/profiles/com.apple.applicationaccess.yaml +++ b/mdm/profiles/com.apple.applicationaccess.yaml 
@@ -429,6 +429,26 @@ payloadkeys: default: true content: If 'false', the system disables keyboard autocorrection. Requires a supervised device. Available in iOS 8.1.3 and later. +- key: allowAutoDim + title: Allow Auto Dim + supportedOS: + iOS: + introduced: '17.4' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + default: true + content: If set to false, disables auto dim on iPads with OLED displays. - key: allowAutomaticAppDownloads title: Allow Automatic App Downloads supportedOS: @@ -622,7 +642,8 @@ payloadkeys: presence: optional default: true content: If 'false', the system prevents users from changing settings related to - their cellular plan. Requires a supervised device. Available in iOS 11 and later. + their cellular plan (only available on select carriers). Requires a supervised + device. Available in iOS 11 and later. - key: allowChat title: Allow use of iMessage supportedOS: @@ -1212,9 +1233,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', the system disables modifications to carrier plan related settings - (only available on select carriers). Requires a supervised device. Available in - iOS 11 and later. + content: If 'false', the system disables modifications of eSIMs. Requires a supervised + device. Available in iOS 12.1 and later. - key: allowExplicitContent title: Allow Explicit Content supportedOS: @@ -1652,8 +1672,9 @@ payloadkeys: type: presence: optional default: true - content: If 'false', the system disables live voicemail on the device. Available - in iOS 17.2 and later. + content: |- + If 'false', the system disables live voicemail on the device. + Requires a supervised device. Available in iOS 17.2 and later. - key: allowLocalUserCreation title: Allow creating users in System Settings supportedOS: 
@@ -1805,7 +1826,7 @@ payloadkeys: default: true content: If 'false', the system prevents installation of alternative marketplace apps from the web and prevents any installed alternative marketplace apps from - installing apps. Available in iOS 17.4 and later. + installing apps. Available in iOS 17.4 and later. Requires a supervised device. - key: allowMultiplayerGaming title: Allow Multiplayer Gaming supportedOS: @@ -2786,6 +2807,27 @@ payloadkeys: default: true content: If 'false', the system prevents changing the wallpaper. Available in iOS 9 and later, and macOS 10.13 and later. Requires a supervised device in iOS. +- key: allowWebDistributionAppInstallation + title: Allow App Installation from web sites + supportedOS: + iOS: + introduced: '17.5' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + default: true + content: When 'false', the device prevents installation of apps directly from the + web. - key: autonomousSingleAppModePermittedAppIDs supportedOS: iOS: diff --git a/mdm/profiles/com.apple.eas.account.yaml b/mdm/profiles/com.apple.eas.account.yaml index 64cfad8..06a1b8c 100644 --- a/mdm/profiles/com.apple.eas.account.yaml +++ b/mdm/profiles/com.apple.eas.account.yaml @@ -209,13 +209,16 @@ payloadkeys: type: presence: optional rangelist: + - 0 - 1 - 3 - 7 - 14 - 31 default: 7 - content: The number of days in the past to sync mail on the device. + content: |- + The number of days in the past to sync mail on the device. + For no limit, use the value '0'. - key: HeaderMagic supportedOS: iOS: diff --git a/mdm/profiles/com.apple.security.acme.yaml b/mdm/profiles/com.apple.security.acme.yaml index 5cff7de..176d6ae 100644 --- a/mdm/profiles/com.apple.security.acme.yaml +++ b/mdm/profiles/com.apple.security.acme.yaml 
@@ -181,7 +181,7 @@ payloadkeys: content: |- If 'true', the device provides attestations that describe the device and the generated key to the ACME server. The server can use the attestations as strong evidence that the key is bound to the device, and that the device has properties listed in the attestation. The server can use that as part of a trust score to decide whether to issue the requested certificate. When 'Attest' is 'true', 'HardwareBound' also needs to be 'true'. - This key is supported as of macOS 14 on Apple Silicon and Intel devices that have a T2 chip. If this key is specified for older macOS versions or other Mac devices, it must have a value of 'false'. + Setting this key to 'true' is supported as of macOS 14 on Apple Silicon and Intel devices that have a T2 chip. Older macOS versions or other Mac devices require this key but it must have a value of 'false'. - key: KeyIsExtractable supportedOS: iOS: diff --git a/mdm/profiles/com.apple.system-extension-policy.yaml b/mdm/profiles/com.apple.system-extension-policy.yaml index 5edb5b3..1cf0e7e 100644 --- a/mdm/profiles/com.apple.system-extension-policy.yaml +++ b/mdm/profiles/com.apple.system-extension-policy.yaml @@ -42,7 +42,7 @@ payloadkeys: presence: optional content: |- An array of team identifiers that defines valid, signed system extensions that are allowable to load. Approved system extensions are those signed with any of the specified team identifiers. - To avoid requiring an administrator to authorize the operation, you can activate system extensions that this key specifies using activationRequestForExtension:queue:. + To avoid requiring an administrator to authorize the operation, you can activate system extensions that this key specifies using activationRequest(forExtensionWithIdentifier:queue:). It's an error for the same team identifier to appear in both this array and as a key in the 'AllowedSystemExtensions' dictionary. subkeys: - key: AllowedTeamIdentifiersItem 
@@ -70,7 +70,7 @@ payloadkeys: presence: optional content: |- A dictionary of approved system extensions on the computer. The dictionary maps the team identifiers (keys) to arrays of bundle identifiers, where the bundle identifier defines the system extension to install. - To avoid requiring an administrator to authorize the operation, you can activate system extensions that this key specifies using activationRequestForExtension:queue:. + To avoid requiring an administrator to authorize the operation, you can activate system extensions that this key specifies using activationRequest(forExtensionWithIdentifier:queue:). It's an error for the same team identifier to appear in both the 'AllowedTeamIdentifiers' array and as a key in this dictionary. subkeys: - key: ANY diff --git a/mdm/profiles/com.apple.vpn.managed.yaml b/mdm/profiles/com.apple.vpn.managed.yaml index d7d1234..3157165 100644 --- a/mdm/profiles/com.apple.vpn.managed.yaml +++ b/mdm/profiles/com.apple.vpn.managed.yaml @@ -1557,7 +1557,8 @@ payloadkeys: introduced: n/a type: presence: optional - content: The dictionary to use when 'VPNType' is 'AlwaysOn'. Not available in watchOS. + content: The dictionary to use when 'VPNType' is 'AlwaysOn'. Not available in tvOS + or watchOS. subkeys: - key: UIToggleEnabled title: UI Toggle Enabled diff --git a/mdm/profiles/com.apple.wifi.managed.yaml b/mdm/profiles/com.apple.wifi.managed.yaml index f92467c..fd2d323 100644 --- a/mdm/profiles/com.apple.wifi.managed.yaml +++ b/mdm/profiles/com.apple.wifi.managed.yaml 
@@ -283,8 +283,8 @@ payloadkeys: presence: optional content: |- A name that hides the user's true name. The user's actual name appears only inside the encrypted tunnel. For example, you might set this to anonymous or anon, or anon@mycompany.net. It can increase security because an attacker can't see the authenticating user's name in the clear. - This key is only relevant to TTLS, PEAP, and EAP-FAST. + This field is required if 'TLSMinimumVersion' is '1.3'. - key: EAPFASTUsePAC title: Use PAC type:
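Review bot: the README hunk deletes the 17.4/14.4 notes on the `visionOS` value in `supportedOS`, the `supervised` value in `allowed-enrollments`, and the `enum-lowest`/`enum-highest` to `enum-first`/`enum-last` rename instead of moving them; those were breaking renames for anyone consuming the schema, and after this change the repository has no record of them at all. Keep them under a previous-release heading, or link to the tag that introduced them, so a reader upgrading from an older release can still find them.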
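Review bot: in the `docs/schema.yaml` hunk the `items` description for `related-status-items` reads "An additional note about a payload. A note is written in "markdown" and can be transformed to HTML if needed.", which describes the existing notes object rather than this one. Replace it with something like "A group of status items related to this configuration, with an optional note describing the relationship.", and decide whether `note` is markdown: the `description` for `note` says only "A description of the relationship", while every `note` added in the per-configuration files is a plain sentence.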
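Review bot: `security.identity.yaml` points its `related-status-items` at `security.certificate.list`, the same status item that `security.certificate.yaml` uses, while every other configuration in this change references a status item named after itself. If identities really are reported through the certificate list, say so in the `note` (for example "The certificate of each identity will appear in the certificate list status item") so readers do not assume a `security.identity.list` item is missing.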
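Review bot: the `application.install.yaml` hunks rename the `UserRejectedFailed` value to `UserRejected` and add a separate `Failed` value to the installation-state rangelist, but the `content` below the list gives no version information. Servers that already match on the old string need to know from which OS versions `UserRejected` and `Failed` are reported, and whether older devices still send `UserRejectedFailed`; add that to the `content` rather than leaving the rename silent.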
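Review bot: in the `softwareupdate.required.yaml` hunk the new `Token` subkey under `RequireBetaProgram` carries the AxM seeding service token that enrolls the device in a beta program, yet its `content` gives no format, no lifetime and no handling guidance. State where the token is obtained, whether it expires, and that it should be treated as a credential and not logged, since the server returns it inside an error response body. "human readable" in the `Description` subkey should also be hyphenated as "human-readable".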
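Review bot: the new `well-known.failed.yaml` has `description: Error response for well-known failed`, which does not read as a sentence; "Error response when well-known service discovery fails" would match the `content` block. The `content` also says the device is "doing well-known resource service discovery for account driven enrollments" without naming the resource the server is rejecting, so a cross-reference to the well-known resource document this error pairs with would help. Since `description` is log-only and `message` is shown to the user, the `content` for `message` could add that it should not carry server-internal detail.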
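Review bot: the `TopLevel.yaml` hunk inserts "On iOS users can't remove a MDM profile. Requires a supervised device." into the middle of a paragraph about macOS removal behaviour, and the second sentence is ambiguous: it is unclear whether supervision is what makes the MDM profile non-removable on iOS, or whether this key itself requires supervision on iOS. Rewrite as one sentence, for example "On a supervised iOS device, users can't remove the MDM profile.", place it after the macOS text, and use "an MDM".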
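Review bot: the `allowAutoDim` key in the `com.apple.applicationaccess.yaml` hunk uses `content: If set to false, disables auto dim on iPads with OLED displays.` whereas the neighbouring keys follow the "If 'false', the system ..." pattern with the value quoted and "Requires a supervised device." written out even when `supervised: true` is set. Align the wording, and say what behaviour auto dim is (which display dimming the key controls) so an administrator knows the user-visible effect of disabling it.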
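Review bot: `allowWebDistributionAppInstallation` in the `com.apple.applicationaccess.yaml` hunk diverges from its neighbours in style: the title "Allow App Installation from web sites" is not title-cased like "Allow Multiplayer Gaming", the content opens with "When 'false'" instead of "If 'false'", and it omits the "Requires a supervised device. Available in iOS 17.5 and later." sentence that the alternative-marketplace hunk just above (line 1826) adds. It should also say how it relates to that marketplace key, since both restrict installing apps from the web.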
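Review bot: the `com.apple.security.acme.yaml` hunk changes "If this key is specified for older macOS versions or other Mac devices, it must have a value of 'false'" to "Older macOS versions or other Mac devices require this key but it must have a value of 'false'", which turns an optional key into a required one on those devices. If that is intended, the key's `presence` and `supportedOS` metadata should say the same; otherwise keep the "if specified" wording so that an absent key stays valid.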
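Review bot: the `com.apple.wifi.managed.yaml` hunk replaces "This key is only relevant to TTLS, PEAP, and EAP-FAST." with "This field is required if 'TLSMinimumVersion' is '1.3'." The removed sentence is still useful scoping (an outer identity only exists for tunnelled EAP methods), so add the new sentence rather than substituting it, use "key" instead of "field" to match the rest of the file, and reconcile "required" with the `presence: optional` line above, for example by stating the condition there as well.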