I'm encountering what appears to be a specific precedence behavior with ManagedSettingsStore.shield and would appreciate some further clarification.
My current understanding is that category-level shields take precedence over individual app allowances.
My test involved...
Using FamilyActivityPicker to select a single target application (e.g., "Calculator," which falls under the "Utilities" category).
Using FamilyActivityPicker again to select the category of that target application.
I applied shields using ManagedSettingsStore (named .individual):
store.shield.applicationCategories = .specific(Set([utilitiesCategoryToken]))
store.shield.applications = Set([calculatorApplicationToken])
Result: The calculator app remains shielded, suggesting that the category-level shield on Utilities overrides the attempt to allow the individual app. I also tried this using a single picker, but received only the category token instead of all application tokens in that category.
Is this observed precedence (where store.shield.applicationCategories effectively overrides store.shield.applications for apps within the shielded category) the intended behavior?
If so, are there any mechanisms available within the main app's capabilities (potentially using a Device Activity Report Extension or Shield Extension) to allow a specific ApplicationToken if its corresponding ActivityCategoryToken is part of the store.shield.applicationCategories set?
Essentially, can store.shield.applications be used to create "allow exceptions" for individual apps that fall into an otherwise shielded category?
Additionally, I mentioned that selecting an entire category in the picker only returns the opaque category token, not any application tokens. Is there any way in which I could return both the category and all application tokens by just selecting the category?
Any insights or pointers would be greatly appreciated!