When we push Desktop/Wallpaper configuration to UserEnrolled Mac devices, we get an acknowledgment. But device is not reporting the config in the installed Profile list report.  Issue is seen with only Mac UserEnrolled device ( Tested with 10.15 , 11 os version). As per apple doc this is supported in UserEnrolled devices as well

Regarding allowWallpaperModification setting in https://developer.apple.com/documentation/devicemanagement/restrictions, 1) Is this setting supposed to work on supervised macOS device only or on non-supervised macOS device as well? 2) From our testing, we observed that for the setting change to be effective on the device, device restart is required. Is this expected?

We are testing the new InstallAction option InstallForceRestart (https://developer.apple.com/documentation/devicemanagement/scheduleosupdatecommand/command/updatesitem) on macOS 11 devices per the documentation and we are getting an error that it is an unsupported action for this Product Key. If we use the InstallAction of Default instead with the same Product Key the update is fine. Plist with error is <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "..."> <plist version="1.0"> <dict> <key>CommandUUID</key> <string>0b17230e-7096-4972-be30-1f23fb8c4d6d</string> <key>ErrorChain</key> <array> <dict> <key>ErrorCode</key> <integer>12008</integer> <key>ErrorDomain</key> <string>MCMDMErrorDomain</string> <key>LocalizedDescription</key> <string>Unsupported InstallAction for this ProductKey</string> </dict> </array> <key>Status</key> <string>Error</string> <key>UDID</key> <string>54354E4B-F56B-5D62-83C9-990342AD570B</string> <key>UpdateResults</key> <array> <dict> <key>ErrorChain</key> <array> <dict> <key>ErrorCode</key> <integer>12008</integer> <key>ErrorDomain</key> <string>MCMDMErrorDomain</string> <key>LocalizedDescription</key> <string>Unsupported InstallAction for this ProductKey</string> </dict> </array> <key>InstallAction</key> <string>Error</string> <key>ProductKey</key> <string>MACOS11.1</string> <key>Status</key> <string>InstallFailed</string> </dict> </array> </dict> </plist> Anyone else seeing this error or have people been able to get the InstallForceRestart option to work?

From which version of devices the changes mentioned in https://developer.apple.com/documentation/devicemanagement/vpn/alwayson?changes=latest_major are present? Are they applicable to iOS and macOS platforms? Are they backward compatible? Would "VPN.AlwaysOn.AllowedCaptiveNetworkPlugin", "VPN.AlwaysOn.ServiceException" etc work on newer version of iOS and macOS devices?

Is there more details what is considered "contains sensitive user information which is not permitted for user payloads" for shared IPad deployments on IOS 14? We've looked at the Apple docs and the fields that are sensitive user information do not appear to be explicitly called out. For example, our testing results show that the payloads Email CalDAV CardDAV Exchange Subscribed Calendar LDAP will result in a "contains sensitive user information which is not permitted for user payloads" error if the password attribute is included in the payload. Removing the password attribute and the payload is fine. Is this information documented somewhere explicitly? What are the other list of attributes that are considered sensitive user information?

Any guidance on installing managed applications for macOS 11? We are not getting any luck. <?xml version="1.0"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "..."> <plist version="1.0">  <dict>    <key>CommandUUID</key>    <string>c81be0c8-a5a4-4162-898e-64e865dfd714</string>    <key>Command</key>    <dict>      <key>RequestType</key>      <string>InstallApplication</string>      <key>ManagementFlags</key>      <integer>0</integer>      <key>iTunesStoreID</key>      <integer>406056744</integer>      <key>ChangeManagementState</key> <string>Managed</string> <key>InstallAsManaged</key> <true/> <key>iosApp</key> <false/><key>Configuration</key>      <dict>    <key>configUuid</key>    <string>100000-1000-1000-1000-100000000000</string> </dict><key>Attributes</key>      <dict>    <key>Removable</key>    <true/> </dict>    </dict>  </dict> </plist> results in the error <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "..."> <plist version="1.0"> <dict>        <key>CommandUUID</key>        <string>0c4d2406-1c4e-4ebf-800b-ea372225f911</string>        <key>ErrorChain</key>        <array>               <dict>                       <key>ErrorCode</key>                       <integer>97</integer>                       <key>ErrorDomain</key>                       <string>MDMClientError</string>                       <key>LocalizedDescription</key>                       <string><![CDATA[PurchaseMethod must be 1 <MDMClientError:97>]]></string>               </dict>        </array>        <key>RejectionReason</key>        <string>PurchaseMethodNotSupported</string>        <key>Status</key>        <string>Error</string>        <key>UDID</key>        <string>564D79B5-29E6-DAEC-8E5B-2D921352D787</string> </dict> </plist> We tried removing the InstallAsManaged, but we get the same PurchaseMethodNotSupported error. None of the existing PurchaseMethod values make sense https://developer.apple.com/documentation/devicemanagement/installapplicationcommand/command/options 0 is for IOS 1 is for VPP My understanding was that the whole purpose of the new managed application support for macOS 11 was that EMMs now had the ability to install applications as managed for macOS 11 without using VPP.

We are seeing errors on the IOS 14.2 device when pushing an Encrypted DNS Payload. Specifically Enable Demand Rules: and set Network: Evaluate Connection (for both Domain Action: Never Connect & Domain Action: Connect If Needed options) The error is <?xml version="1.0" encoding="UTF-8"?> ... <plist version="1.0"> <array> <dict> <key>ErrorCode</key> <integer>4001</integer> <key>ErrorDomain</key> <string>MCInstallationErrorDomain</string> <key>LocalizedDescription</key> <string>Profile Installation Failed</string> <key>USEnglishDescription</key> <string>Profile Installation Failed</string> </dict> <dict> <key>ErrorCode</key> <integer>4001</integer> <key>ErrorDomain</key> <string>MCInstallationErrorDomain</string> <key>LocalizedDescription</key> <string>Profile Failed to Install</string> <key>USEnglishDescription</key> <string>Profile Failed to Install</string> </dict> <dict> <key>ErrorCode</key> <integer>1009</integer> <key>ErrorDomain</key> <string>MCProfileErrorDomain</string> <key>LocalizedDescription</key> <string>The profile "h1dns" could not be installed.</string> <key>USEnglishDescription</key> <string>The profile "h1dns" could not be installed.</string> </dict> <dict> <key>ErrorCode</key> <integer>57000</integer> <key>ErrorDomain</key> <string>MCDNSSettingsErrorDomain</string> <key>LocalizedDescription</key> <string>The DNS settings service encountered an internal error.</string> <key>USEnglishDescription</key> <string>The DNS settings service encountered an internal error.</string> </dict> </array> </plist> The plist that we are sending is <?xml version="1.0" encoding="UTF-8"> <!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"..."> <plist version="1.0"> <array> <dict> <key>DNSSettings</key> <dict> <key>DNSProtocol</key> <string>HTTPS</string> <key>ServerAddresses</key> <array> <string>1.1.1.1</string> </array> <key>ServerURL</key> <string><Somehost/dns-query</string> </dict> <key>OnDemandRules</key> <array> <dict> <key>Action</key> <string>EvaluateConnection</string> <key>ActionParameters</key> <dict> <key>DomainAction</key> <string>NeverConnect</string> <key>Domains</key> <array> <string>news.google.com</string> </array> </dict> <key>InterfaceTypeMatch</key> <string>Ethernet</string> </dict> <dict> <key>Action</key> <string>EvaluateConnection</string> <key>ActionParameters</key> <dict> <key>DomainAction</key> <string>ConnectIfNeeded</string> <key>Domains</key> <array> <string>mail.yahoo.com</string> </array> </dict> <key>InterfaceTypeMatch</key> <string>WiFi</string> </dict> </array> <key>ProhibitDisablement</key> <false/> <key>PayloadDescription</key> <string>The payload for configuring encrypted DNS settings.</string> <key>PayloadDisplayName</key> <string>DNS_ENCRYPTED</string> <key>PayloadIdentifier</key> <string>mi.dnssettings.44011.0</string> <key>PayloadOrganization</key> <string>com.mobileiron</string> <key>PayloadType</key> <string>com.apple.dnsSettings.managed</string> <key>PayloadUUID</key> <string>3173360096376915336</string> <key>PayloadVersion</key> <integer>1</integer> </dict> </array> </plist>

The current docs for https://developer.apple.com/documentation/devicemanagement/dnssettings state that the encrypted DNS setting is supported on the device channel for shared IPad Device Channel iOS, macOS, Shared iPad but under Allow Multiple Payloads iOS, macOS shared IPad is not listed. BUT if you go to the Shared IPad Payload list https://support.apple.com/en-gb/guide/mdm/mdm05daf6e79/web DNS Settings is listed as device, combined, and multiple. Device Combined Multiple Which doc is correct?

We are seeing ... <dict> <key>CommandUUID</key> <string>43abc5e2-60a8-4fef-8375-0c3bc530573b</string> <key>ErrorChain</key> <array> <dict> <key>ErrorCode</key> <integer>1</integer> <key>ErrorDomain</key> <string>SingleSignOn</string> <key>LocalizedDescription</key> <string>The profile is a user profile but contains a “Single Sign On Extension” payload which is only valid in device profiles.</string> </dict> </array> <key>NotOnConsole</key> <false/> <key>Status</key> <string>Error</string> <key>UDID</key> <string>3297AA46-0711-5788-8161-FB41629845AF</string> ... pushing a Single Sign On Extension Payload on the user channel for macOS 10.15 devices. The same payload works on the user channel works for macOS 11. We have created a Feedback ticket https://feedbackassistant.apple.com/feedback/8799075

Any more details on the new attributes AssociatedDomains and ExcludedDomains in https://developer.apple.com/documentation/devicemanagement/applayervpn Are these fields supported for iOS and macOS? Which versions? IOS 14 and macOS 11

Per the https://developer.apple.com/documentation/devicemanagement/settingscommand/command/settings/mdmoptions/mdmoptions?changes=latest_minor SettingsCommand.Command.Settings.MDMOptions.MDMOptions the PromptUserToAllowBootstrapTokenForAuthentication default value is false. Can you elaborate why the default value is false? From our testing on macOS 11 it would appear when the value is false, only the primary account is able to logon to the device because only the primary account can decrypt the encrypted volume. Any optional admin accounts that are created are unable to decrypt the value so consequently the optional admin account cannot logon. This seems like a big change in macOS 11 that should be called out. We also noticed that any local users that were created while logged in as the primary account appear to inherit some permission that allows these local users to decrypt the volume and login.

When sending the setting to change the time zone, the plist is Acknowledged, but the device is not changing. I tried setting the following values: America/Moncton America/New_York Europe/Dublin Europe/London In all cases the plist was acknowledged. These are values are part of the IANA timezone database. There are two issues: When "Set Automatically" is enabled on the Date & Time settings screen, the TimeZone is not displayed and there is just a spinning icon. When "Set Automatically" is disabled on the Date & Time settings screen, the Timezone displays but as the original timezone of the device, not of the time zone sent to the device through the SettingsCommand. The device has the following: Software Version: 14.0 (18A5301v) Model Name: iPhone Xs Model Number: A1920 What is the desired outcome from setting the timezone? I had expected to see the timezone change on the device and the current time to match the time zone that was set. Is this not yet functional? Also, if I send a bogus timezone, it is still acknowledged. I would have expected it to get rejected. Will it reject invalid timezones?

What is the purpose of the tri-state BootstrapTokenAllowedForAuthentication value in the SecurityInfo response? allowed, disallowed, not supported are the possible values https://developer.apple.com/documentation/devicemanagement/securityinforesponse/securityinfo?changes=latest_beta During WWDC2020 and when the key was a boolean it seem to be that the key was to indicate if a bootstrap token existed on the device, but that doesn't seem to be the case now with the allowed, disallowed, not supported values.

Any more details on the new restriction allowApplePersonalizedAdvertising See https://developer.apple.com/documentation/devicemanagement/restrictions?changes=latest_major Is it for supervised devices or all devices? IOS 14 and higher or macOS 11 too? What behavior does the end user see/notice if set to false?

What is Items suppose to control in the InstalledApplicationListCommand? Items [string] Possible values: AdHocCodeSigned, AppStoreVendable, BetaApp, BundleSize, DeviceBasedVPP, DynamicSize, ExternalVersionIdentifier, HasUpdateAvailable, Identifier, Installing, IsValidated, Name, ShortVersion, Version The results are the same response https://developer.apple.com/documentation/devicemanagement/installedapplicationlistresponse/installedapplicationlistitem regardless of what strings in included in the Items string of the request.