We can either point the device at a URL to download and install the Legacy Profile (what we are doing now), or wrap it in a Declarative asset and reference that (newer offered path). Is there a recommended approach, and what drives it — reliability if the URL is unreachable at install time, how refreshes are handled, payload size? One of the pain points we have been working through with the Legacy Profile migration/default use (using the workflow point the device at a URL to download and install the Legacy Profile) is that durring the deployment of net new Declarations at ADE, and UIE on new enroll devices the profile install fails after ~15-30 profiles, and results in deadlock (FB22832791, FB22828244, and FB22827718) until devices reboot. Not ideal for a net new enroll with a end user. Would moving all net new deployments to the asset fix this? Is that going to be required? Thanks!

Reading from the API documentation, we want to confirm that the subscription licenses must be bundled with clientuserid strings. Does that mean the app needs to also be assigned to the user, of can the app be assigned to the device and then the subscription assigned to the user after the fact?

One of the pain points we have be trying to work around is Safari, and XProtect updates via MDM moving to Declarative. Right now we have a blend of OS update and upgrades via Global Settings or Enforcement Specific Declaration. However, the non OS updates are stuck on MDM commands to install thus admins cannot control install time when using Global Settings with Auto Actions. With the full removal of MDM commands for updates how can we have a flavor of version control and install time with Safari vs. keep to latest and Auto Actions?

For binary execution control on Endpoint Security — how granular are the code-signing matching rules, and what happens to a denied binary that's already running versus launched fresh? For the consolidated privacy consent prompt — does app.settings replace the privacy preferences we manage today, or coexist with them? Knowing whether it's a clean migration or a parallel system would help our planning. Thanks!