Hi, in ios14.5 we have new restriction "forceWiFiToAllowedNetworksOnly". This limits device to only join Wi-Fi networks set-up via configuration profile. If there is no valid wifi payload installed then this would stop communication with MDM server right? If so, is there any recommendation on how to handle this or whether there are any constraints to check and not send this recommendation if so?

When we push Desktop/Wallpaper configuration to UserEnrolled Mac devices, we get an acknowledgment. But device is not reporting the config in the installed Profile list report.  Issue is seen with only Mac UserEnrolled device ( Tested with 10.15 , 11 os version). As per apple doc this is supported in UserEnrolled devices as well

Regarding allowWallpaperModification setting in https://developer.apple.com/documentation/devicemanagement/restrictions, 1) Is this setting supposed to work on supervised macOS device only or on non-supervised macOS device as well? 2) From our testing, we observed that for the setting change to be effective on the device, device restart is required. Is this expected?

We are testing the new InstallAction option InstallForceRestart (https://developer.apple.com/documentation/devicemanagement/scheduleosupdatecommand/command/updatesitem) on macOS 11 devices per the documentation and we are getting an error that it is an unsupported action for this Product Key. If we use the InstallAction of Default instead with the same Product Key the update is fine. Plist with error is <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "..."> <plist version="1.0"> <dict> <key>CommandUUID</key> <string>0b17230e-7096-4972-be30-1f23fb8c4d6d</string> <key>ErrorChain</key> <array> <dict> <key>ErrorCode</key> <integer>12008</integer> <key>ErrorDomain</key> <string>MCMDMErrorDomain</string> <key>LocalizedDescription</key> <string>Unsupported InstallAction for this ProductKey</string> </dict> </array> <key>Status</key> <string>Error</string> <key>UDID</key> <string>54354E4B-F56B-5D62-83C9-990342AD570B</string> <key>UpdateResults</key> <array> <dict> <key>ErrorChain</key> <array> <dict> <key>ErrorCode</key> <integer>12008</integer> <key>ErrorDomain</key> <string>MCMDMErrorDomain</string> <key>LocalizedDescription</key> <string>Unsupported InstallAction for this ProductKey</string> </dict> </array> <key>InstallAction</key> <string>Error</string> <key>ProductKey</key> <string>MACOS11.1</string> <key>Status</key> <string>InstallFailed</string> </dict> </array> </dict> </plist> Anyone else seeing this error or have people been able to get the InstallForceRestart option to work?

From which version of devices the changes mentioned in https://developer.apple.com/documentation/devicemanagement/vpn/alwayson?changes=latest_major are present? Are they applicable to iOS and macOS platforms? Are they backward compatible? Would "VPN.AlwaysOn.AllowedCaptiveNetworkPlugin", "VPN.AlwaysOn.ServiceException" etc work on newer version of iOS and macOS devices?

Is there more details what is considered "contains sensitive user information which is not permitted for user payloads" for shared IPad deployments on IOS 14? We've looked at the Apple docs and the fields that are sensitive user information do not appear to be explicitly called out. For example, our testing results show that the payloads Email CalDAV CardDAV Exchange Subscribed Calendar LDAP will result in a "contains sensitive user information which is not permitted for user payloads" error if the password attribute is included in the payload. Removing the password attribute and the payload is fine. Is this information documented somewhere explicitly? What are the other list of attributes that are considered sensitive user information?

Any guidance on installing managed applications for macOS 11? We are not getting any luck. <?xml version="1.0"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "..."> <plist version="1.0">  <dict>    <key>CommandUUID</key>    <string>c81be0c8-a5a4-4162-898e-64e865dfd714</string>    <key>Command</key>    <dict>      <key>RequestType</key>      <string>InstallApplication</string>      <key>ManagementFlags</key>      <integer>0</integer>      <key>iTunesStoreID</key>      <integer>406056744</integer>      <key>ChangeManagementState</key> <string>Managed</string> <key>InstallAsManaged</key> <true/> <key>iosApp</key> <false/><key>Configuration</key>      <dict>    <key>configUuid</key>    <string>100000-1000-1000-1000-100000000000</string> </dict><key>Attributes</key>      <dict>    <key>Removable</key>    <true/> </dict>    </dict>  </dict> </plist> results in the error <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "..."> <plist version="1.0"> <dict>        <key>CommandUUID</key>        <string>0c4d2406-1c4e-4ebf-800b-ea372225f911</string>        <key>ErrorChain</key>        <array>               <dict>                       <key>ErrorCode</key>                       <integer>97</integer>                       <key>ErrorDomain</key>                       <string>MDMClientError</string>                       <key>LocalizedDescription</key>                       <string><![CDATA[PurchaseMethod must be 1 <MDMClientError:97>]]></string>               </dict>        </array>        <key>RejectionReason</key>        <string>PurchaseMethodNotSupported</string>        <key>Status</key>        <string>Error</string>        <key>UDID</key>        <string>564D79B5-29E6-DAEC-8E5B-2D921352D787</string> </dict> </plist> We tried removing the InstallAsManaged, but we get the same PurchaseMethodNotSupported error. None of the existing PurchaseMethod values make sense https://developer.apple.com/documentation/devicemanagement/installapplicationcommand/command/options 0 is for IOS 1 is for VPP My understanding was that the whole purpose of the new managed application support for macOS 11 was that EMMs now had the ability to install applications as managed for macOS 11 without using VPP.

We are seeing errors on the IOS 14.2 device when pushing an Encrypted DNS Payload. Specifically Enable Demand Rules: and set Network: Evaluate Connection (for both Domain Action: Never Connect & Domain Action: Connect If Needed options) The error is <?xml version="1.0" encoding="UTF-8"?> ... <plist version="1.0"> <array> <dict> <key>ErrorCode</key> <integer>4001</integer> <key>ErrorDomain</key> <string>MCInstallationErrorDomain</string> <key>LocalizedDescription</key> <string>Profile Installation Failed</string> <key>USEnglishDescription</key> <string>Profile Installation Failed</string> </dict> <dict> <key>ErrorCode</key> <integer>4001</integer> <key>ErrorDomain</key> <string>MCInstallationErrorDomain</string> <key>LocalizedDescription</key> <string>Profile Failed to Install</string> <key>USEnglishDescription</key> <string>Profile Failed to Install</string> </dict> <dict> <key>ErrorCode</key> <integer>1009</integer> <key>ErrorDomain</key> <string>MCProfileErrorDomain</string> <key>LocalizedDescription</key> <string>The profile "h1dns" could not be installed.</string> <key>USEnglishDescription</key> <string>The profile "h1dns" could not be installed.</string> </dict> <dict> <key>ErrorCode</key> <integer>57000</integer> <key>ErrorDomain</key> <string>MCDNSSettingsErrorDomain</string> <key>LocalizedDescription</key> <string>The DNS settings service encountered an internal error.</string> <key>USEnglishDescription</key> <string>The DNS settings service encountered an internal error.</string> </dict> </array> </plist> The plist that we are sending is <?xml version="1.0" encoding="UTF-8"> <!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"..."> <plist version="1.0"> <array> <dict> <key>DNSSettings</key> <dict> <key>DNSProtocol</key> <string>HTTPS</string> <key>ServerAddresses</key> <array> <string>1.1.1.1</string> </array> <key>ServerURL</key> <string><Somehost/dns-query</string> </dict> <key>OnDemandRules</key> <array> <dict> <key>Action</key> <string>EvaluateConnection</string> <key>ActionParameters</key> <dict> <key>DomainAction</key> <string>NeverConnect</string> <key>Domains</key> <array> <string>news.google.com</string> </array> </dict> <key>InterfaceTypeMatch</key> <string>Ethernet</string> </dict> <dict> <key>Action</key> <string>EvaluateConnection</string> <key>ActionParameters</key> <dict> <key>DomainAction</key> <string>ConnectIfNeeded</string> <key>Domains</key> <array> <string>mail.yahoo.com</string> </array> </dict> <key>InterfaceTypeMatch</key> <string>WiFi</string> </dict> </array> <key>ProhibitDisablement</key> <false/> <key>PayloadDescription</key> <string>The payload for configuring encrypted DNS settings.</string> <key>PayloadDisplayName</key> <string>DNS_ENCRYPTED</string> <key>PayloadIdentifier</key> <string>mi.dnssettings.44011.0</string> <key>PayloadOrganization</key> <string>com.mobileiron</string> <key>PayloadType</key> <string>com.apple.dnsSettings.managed</string> <key>PayloadUUID</key> <string>3173360096376915336</string> <key>PayloadVersion</key> <integer>1</integer> </dict> </array> </plist>

The current docs for https://developer.apple.com/documentation/devicemanagement/dnssettings state that the encrypted DNS setting is supported on the device channel for shared IPad Device Channel iOS, macOS, Shared iPad but under Allow Multiple Payloads iOS, macOS shared IPad is not listed. BUT if you go to the Shared IPad Payload list https://support.apple.com/en-gb/guide/mdm/mdm05daf6e79/web DNS Settings is listed as device, combined, and multiple. Device Combined Multiple Which doc is correct?

We are seeing ... <dict> <key>CommandUUID</key> <string>43abc5e2-60a8-4fef-8375-0c3bc530573b</string> <key>ErrorChain</key> <array> <dict> <key>ErrorCode</key> <integer>1</integer> <key>ErrorDomain</key> <string>SingleSignOn</string> <key>LocalizedDescription</key> <string>The profile is a user profile but contains a “Single Sign On Extension” payload which is only valid in device profiles.</string> </dict> </array> <key>NotOnConsole</key> <false/> <key>Status</key> <string>Error</string> <key>UDID</key> <string>3297AA46-0711-5788-8161-FB41629845AF</string> ... pushing a Single Sign On Extension Payload on the user channel for macOS 10.15 devices. The same payload works on the user channel works for macOS 11. We have created a Feedback ticket https://feedbackassistant.apple.com/feedback/8799075

Any more details on the new attributes AssociatedDomains and ExcludedDomains in https://developer.apple.com/documentation/devicemanagement/applayervpn Are these fields supported for iOS and macOS? Which versions? IOS 14 and macOS 11

Per the https://developer.apple.com/documentation/devicemanagement/settingscommand/command/settings/mdmoptions/mdmoptions?changes=latest_minor SettingsCommand.Command.Settings.MDMOptions.MDMOptions the PromptUserToAllowBootstrapTokenForAuthentication default value is false. Can you elaborate why the default value is false? From our testing on macOS 11 it would appear when the value is false, only the primary account is able to logon to the device because only the primary account can decrypt the encrypted volume. Any optional admin accounts that are created are unable to decrypt the value so consequently the optional admin account cannot logon. This seems like a big change in macOS 11 that should be called out. We also noticed that any local users that were created while logged in as the primary account appear to inherit some permission that allows these local users to decrypt the volume and login.

Any more details on the new restriction allowApplePersonalizedAdvertising See https://developer.apple.com/documentation/devicemanagement/restrictions?changes=latest_major Is it for supervised devices or all devices? IOS 14 and higher or macOS 11 too? What behavior does the end user see/notice if set to false?

What is the format of the Timezone in the new SettingsCommand.Command.Settings.TimeZone setting? The current docs are vague. TimeZone string https://developer.apple.com/documentation/devicemanagement/settingscommand/command/settings/timezone?changes=latest_minor Would it be the same as the setting in the TimeServer profile setting timeZone string The time zone path location string in /usr/share/zoneinfo/; for example, America/Denver or Zulu.  https://developer.apple.com/documentation/devicemanagement/timeserver?changes=latest_minor or a different format entirely? Speaking of which if a Timeserver profile is applied and the new SettingsCommand is sent with a different Timezone which takes precedence or will that be an error?

Hi - Is the new IOS 14 restrictions allowAppClips for all devices? The docs at https://developer.apple.com/documentation/devicemanagement/restrictions state allowAppClips boolean If false, prevents a user from adding any App Clips, and removes any existing App Clips on the device. Available in iOS 14.0 and later. Default: true BUT the latest Apple Configurator beta has text that indicates this restriction is only for IOS 14 and later supervised devices. Which is correct? Apple Configurator or the docs?