Hi - We have logic for the pretty names for Apple OS. Is Big Sur going to be macOS 11.0 in all cases? Apple MDM docs make a mention of macOS 10.16 For example Accessibility string Skips the Accessibility pane, only if the Mac is connected to Ethernet and the cloud config is downloaded. Availability: macOS 10.16+. https://developer.apple.com/documentation/devicemanagement/skipkeys Is that a typo? There is also debate on the internet that only macs with Apple Silicon would be macOS 11

Back in macOS 10.13, when Apple first introduced the restriction forceDelayedSoftwareUpdates there was another restriction enforcedSoftwareUpdateDelay that was introduced in macOS 10.13.4 that was used in conjunction. In macOS 11, the restriction forceDelayedAppSoftwareUpdates has been introduced. The the existing restriction enforcedSoftwareUpdateDelay also apply to this new restriction? In other words if I set the software update delay to 60 days will both OS software updates and non-OS software updated (eg: applications) be delayed by 60 days?

See https://developer.apple.com/documentation/devicemanagement/wifi?changes=latest_minor DisableAssociationMACRandomization boolean If true, disables MAC address randomization for that Wi-Fi network while associated with the network. This also shows a privacy warning in Settings indicating that the network has reduced privacy protections. Default: false Most of the other options mention which releases and OS that attribute is available for, but the availability is not documented for this option. In general, new attributes for MDM payloads are ignored by older operating systems, but is the DisableAssociationMACRandomization attribute only supported for macOS 11 and IOS 14 and later?

Hi- What is the default value for the new attribute PreviewType in the Notifications payload? The docs at https://developer.apple.com/documentation/devicemanagement/notifications/notificationsettingsitem?changes=latest_major state PreviewType integer The type previews for notifications. This key overrides the value at Settings>Notifications>Show Previews. 0 - Always: Previews will be shown when the device is locked and unlocked 1 - When Unlocked: Previews will only be shown when the device is unlocked 2 - Never: Previews will never be shown Available in iOS 14 and later.  Possible values: 0, 1, 2 All other attributes have the default explicitly mentioned, but not for this new property. Is the default value 0 - Always?

Hi Our testing of the new DisableAssociationMACRandomizatio n attribute on the Wi-Fi payload for IOS 14 devices shows that when the attribute is set to false, the device will report the actual value of the MAC address to the router, but we were surprised to see that the end user can enable Private address from the device for that Wi-Fi. Doesn't this defeat the purpose of the MDM requesting that the DisableAssociationMACRandomization be enabled? Is this the correct behavior? Our mutual customers who use products like Cisco ICE need the actual MAC address which I assume is why Apple provided the new attribute DisableAssociationMACRandomization to disable the randomization feature in the first place. But if the end user can just reenable it themselves this new attribute is only marginally helpful. Are there plans to allow MDM to lock this setting?

https://developer.apple.com/documentation/devicemanagement/certificatepkcs12 The document states that this is not for user channel for shared iPad, only for macOS. Doesn't an identity cert have to be sent with a vpn, exchange, email payload? Does that imply we can only use these payloads with identity certs in device channel?

Hi - Is the new IOS 14 restrictions allowAppClips for all devices? The docs at https://developer.apple.com/documentation/devicemanagement/restrictions state allowAppClips boolean If false, prevents a user from adding any App Clips, and removes any existing App Clips on the device. Available in iOS 14.0 and later. Default: true BUT the latest Apple Configurator beta has text that indicates this restriction is only for IOS 14 and later supervised devices. Which is correct? Apple Configurator or the docs?

The docs at https://developer.apple.com/documentation/devicemanagement/skipkeys state that Skips the Accessibility pane, only if the Mac is connected to Ethernet and the cloud config is downloaded. Availability: macOS 11+. The Ethernet requirement makes sense because the Accessibility screen comes before the Wi-Fi setting so the device would not have gotten the Automated Device Enrollment profile, but what does cloud config is downloaded mean? Does this mean the configuration is pushed by Apple Configurator rather than coming over the air?

What is the format of the Timezone in the new SettingsCommand.Command.Settings.TimeZone setting? The current docs are vague. TimeZone string https://developer.apple.com/documentation/devicemanagement/settingscommand/command/settings/timezone?changes=latest_minor Would it be the same as the setting in the TimeServer profile setting timeZone string The time zone path location string in /usr/share/zoneinfo/; for example, America/Denver or Zulu.  https://developer.apple.com/documentation/devicemanagement/timeserver?changes=latest_minor or a different format entirely? Speaking of which if a Timeserver profile is applied and the new SettingsCommand is sent with a different Timezone which takes precedence or will that be an error?

What is Items suppose to control in the InstalledApplicationListCommand? Items [string] Possible values: AdHocCodeSigned, AppStoreVendable, BetaApp, BundleSize, DeviceBasedVPP, DynamicSize, ExternalVersionIdentifier, HasUpdateAvailable, Identifier, Installing, IsValidated, Name, ShortVersion, Version The results are the same response https://developer.apple.com/documentation/devicemanagement/installedapplicationlistresponse/installedapplicationlistitem regardless of what strings in included in the Items string of the request.

Any more details on the new restriction allowApplePersonalizedAdvertising See https://developer.apple.com/documentation/devicemanagement/restrictions?changes=latest_major Is it for supervised devices or all devices? IOS 14 and higher or macOS 11 too? What behavior does the end user see/notice if set to false?

What is the purpose of the tri-state BootstrapTokenAllowedForAuthentication value in the SecurityInfo response? allowed, disallowed, not supported are the possible values https://developer.apple.com/documentation/devicemanagement/securityinforesponse/securityinfo?changes=latest_beta During WWDC2020 and when the key was a boolean it seem to be that the key was to indicate if a bootstrap token existed on the device, but that doesn't seem to be the case now with the allowed, disallowed, not supported values.

When sending the setting to change the time zone, the plist is Acknowledged, but the device is not changing. I tried setting the following values: America/Moncton America/New_York Europe/Dublin Europe/London In all cases the plist was acknowledged. These are values are part of the IANA timezone database. There are two issues: When "Set Automatically" is enabled on the Date & Time settings screen, the TimeZone is not displayed and there is just a spinning icon. When "Set Automatically" is disabled on the Date & Time settings screen, the Timezone displays but as the original timezone of the device, not of the time zone sent to the device through the SettingsCommand. The device has the following: Software Version: 14.0 (18A5301v) Model Name: iPhone Xs Model Number: A1920 What is the desired outcome from setting the timezone? I had expected to see the timezone change on the device and the current time to match the time zone that was set. Is this not yet functional? Also, if I send a bogus timezone, it is still acknowledged. I would have expected it to get rejected. Will it reject invalid timezones?

Per the https://developer.apple.com/documentation/devicemanagement/settingscommand/command/settings/mdmoptions/mdmoptions?changes=latest_minor SettingsCommand.Command.Settings.MDMOptions.MDMOptions the PromptUserToAllowBootstrapTokenForAuthentication default value is false. Can you elaborate why the default value is false? From our testing on macOS 11 it would appear when the value is false, only the primary account is able to logon to the device because only the primary account can decrypt the encrypted volume. Any optional admin accounts that are created are unable to decrypt the value so consequently the optional admin account cannot logon. This seems like a big change in macOS 11 that should be called out. We also noticed that any local users that were created while logged in as the primary account appear to inherit some permission that allows these local users to decrypt the volume and login.

Any more details on the new attributes AssociatedDomains and ExcludedDomains in https://developer.apple.com/documentation/devicemanagement/applayervpn Are these fields supported for iOS and macOS? Which versions? IOS 14 and macOS 11