apple_device-management/docs/errata.md

# Schema Errata

This document lists errata for the YAML schema. This is used when older versions of the schema are incorrect, and a fix was made in later schema to correct the problem.

## macOS 26.2

### mdm/commands/remove-application.yaml

The `remove-application` command was incorrectly marked as disallowed on user enrollments on macOS. It is allowed on user enrollments.

## iOS 26.1 / tvOS 26.1

### mdm/profiles/com.apple.homescreenlayout.yaml

The `IconItem` incorrectly stated the enum value was `App` but it is `Application`

## macOS 26.1

### other/skipkeys.yaml

The OSShowcase and UpdateCompleted skip keys were incorrectly marked as available in macOS 26.0. They are available beginning macOS 26.1. 

### mdm/profiles/com.apple.screensaver.yaml

The `idleTime` key was incorrectly named `loginWindowIdleTime`.

## iOS 26.0

### mdm/profiles/com.apple.airplay.yaml

The DeviceName key in the Passwords dictionary was marked as required, changed to optional. On iOS 
it is required but on macOS is not.

### mdm/profiles/com.apple.cellularprivatenetwork.managed.yaml

This payload was previously marked as supported on user enrollment, changed to forbidden.

## visionOS 26.0

### mdm/profiles/com.apple.applicationaccess.yaml

allowDefaultBrowserModification was incorrectly marked as supported on visionOS

## iOS 26.0 / macOS 26.0 / tvOS 26.0 / visionOS 26.0

### mdm/profiles/com.apple.relay.managed.yaml

The `ExcludedFQDNs` key was incorrectly documented as `Excluded FQDNs`. This has been corrected
to note that there is no space in the key name.

## macOS 15.4

The Associated Domains payload is only able to be installed via MDM.

## iOS 18.4 / macOS 15.4

Added AuthName, AuthPassword and RemoteAddress keys to VPN subkey that were previously missing

Removed Password key from VPN subkey that was incorrectly added

## iOS 18.4

Adjusted supportedOS information for Shared iPad for a number of restrictions

Hideable and Lockable attributes in the app.managed configuration were missing - originally added in 18.1.

## macOS 15.2

Added missing supervised key to macOS across profiles and commands

## iOS 18.1 / macOS 15.1

### mdm/profiles/com.apple.applicationaccess.yaml

allowExplicitContent was incorrectly marked as supported on unsupervised devices for tvOS.

## iOS 18 / macOS 15

### tvOS

tvOS `introduced` values have been set to a minimum value of `9.0` to reflect the first version of tvOS itself, as opposed to earlier versions of the Apple TV Software.

### declarative/declarations/configurations/account.exchange.yaml

The `<service>Active` keys were incorrectly marked as unsupported on macOS.

### mdm/profiles/com.apple.ManagedClient.preferences.yaml

The `PayloadContent` key of the `com.apple.ManagedClient.preferences` profile
payload was incorrectly named `PreferenceDomain`; the key itself also represents
a dictionary of application preference domain identifiers to
`ManagedPreference.PreferenceDomain`s (rather than a single
`ManagedPreference.PreferenceDomain`).

### mdm/profiles/com.apple.cellularprivatenetwork.managed.yaml

iOS 17 supported multiple private network payloads, but the `multiple` key was set to false.

iOS 17 also mistakenly forbade multiple private network payloads in a single profile.

### mdm/checkin/authenticate.yaml

Starting in iOS 13 and macOS 10.15 UDID is optional because user enrollments do not return UUIDs.

Starting is iOS 13 and macOS 10.15 Enrollment ID is optional because device enrollments only return UUIDs.

## iOS 17 / macOS 14

### mdm/profiles/com.apple.education.yaml

The `GroupBeaconIDs` key in the `DepartmentsItem` dictionary in the `com.apple.education` profile payload incorrectly listed its type as an array of `string`. The correct type is an array of `integer`.

### mdm/profiles/com.apple.vpn.managed.yaml

The `CertificateType` key in the `com.apple.vpn.managed` profile payload incorrectly listed `Ed25519` as a supported certificate type. That type was never supported and has now been removed.

The `PPTP` VPNType has not been supported since iOS 10 and macOS 10.12, see https://support.apple.com/en-us/HT206844. The `PPTP` VPNType has been removed.

There were a number of keys in the VPN dictionary that were implied to appear in other VPN types. These keys have now been explicitly added in all VPN types.

The `ActionParameters` key in the profile payload has always been an array of dictionaries.

### mdm/commands passcode.firmware.set.yaml passcode.firmware.verify.yaml

The response keys were incorrectly listed as being top-level keys in the response dictionary when in fact they were nested one-level deep.

### mdm/profiles/com.apple.vpn.managed.applayer.yaml

The `OnDemandMatchAppEnabled` key in the `com.apple.vpn.managed.applayer` profile payload incorrectly listed its type as `integer`. The correct type is `boolean`.

### mdm/profiles/com.apple.wifi.managed.yaml

The EAPClientConfiguration dictionary listed both OneTimePassword and OneTimeUserPassword as valid keys. The erroneous OneTimePassword key has been removed.

### mdm/profiles/com.apple.security.scep.yaml

The documentation indicated that all the keys in the SubjectAltName value could be either string or array types. The ntPrincipalName cannot be an array and must be a
string. This has been clarified in the description. Note that the type field for the rfc822Name, dNSName, and uniformResourceIdentifier still indicates these are
strings. This has not been corrected as the schema does not support polymorphic types.

### mdm/profiles/com.apple.universalaccess.yaml

The `contrast` key in the `com.apple.universalaccess` profile payload incorrectly listed its type as `integer`. The correct type is `real`.

### mdm/profiles/com.apple.extensiblesso.yaml

The `AuthorizationGroups` key was updated as the key values-pairs in the dictionary were incorrectly stated.

### mdm/profiles/com.apple.dnsSettings.managed

The `ActionParameters` key in the `com.apple.dnsSettings.managed` profile payload has always been an array of dictionaries.