Able to access corporate mail attachment in unmanaged apps even after the restriction profile (“allowOpenFromManagedToUnmanaged”) has been installed in the device. Followed the following steps able to reproduce this issue Logged in with a personal mail account in iOS device in Mail app. Pushed an MDM profile with Email configuration to an iOS device. Now this account is in managed space Pushed a Restriction profile which has the key “allowOpenFromManagedToUnmanaged” to “false”. This restricts unmanaged apps to open attachments from managed space. Now when I send a email with an attachment to this managed mail account from personal account (Mail is sent from another device, not managed device) On receiving the email in managed mail account, Able to open the attachment in unmanaged apps. The restriction seems not to be working when the personal mail account is present in the mail app along with the corporate mail account and the attachment received in a corporate mail account is treated to be in unmanaged space. The restriction works fine when the personal mail account is removed from mail app. Kindly confirm whether this is the expected behaviour.

During the "What’s new in managing Apple devices" session, you provided information about the "Not Now" option during Mac ABM Enrollment. We observed that this option was functional when enrolling a Mac through ABM using the "profiles renew -type enrollment" command. However, when attempting to enroll a Mac by erasing it through ABM, we couldn't find the "Not Now" option. Could you please confirm whether the "Not Now" option is intended to be available when enrolling a Mac by erasing it through ABM? Your clarification on this matter would be greatly appreciated.

Hi Apple Team, We are excited by looking on the new updates introduced in WWDC23. In a Session named "Do More With Managed Apple IDs" Where There is Sign In Policy Introduced For Managed Apple IDs Any Device Managed Devices Only Supervised Devices Only And as a MDM Vendor We need to Support GetToken CheckIn Request to Support Sign In Policy Managed Devices Only, Supervised Devices Only and have some doubts regarding this. When the Policy is Set To Managed Device Only and we don't have DEP Tokens Registered by Customer with us.How could we able generate the JWT Signed Token with the necessary serverUUID. In case 1) Even though if I have DEP Token with me How could I choose the necessary serverUUID If the device had managed by MDM through Profile Based Enrollments. Can you please provide with appropriate solution to overcome this

We are unable to find the documentation for DDM in Managing apps. We searched the Apple Documentation for the newly introduced API and declarations announced (which are given below) but we could not find any results on this. Documentation for New Apps and Books for Organizations API that replaces ContentMetaData API Documentation for "com.apple.configuration.app.managed" DDM Configuration Documentation for "app.managed.list" DDM status The documentation has not been updated with these cases. Kindly help us on this.

Problem Description: A App Store (VPP - B2B) app distributed to a device through MDM is not installing. The "InstalledApplicationList" response doesn't have the app in it. The "ManagedApplicationList" response has the app with status as "ManagedButUninstalled". But this cannot happen since there is a restriction - allowAppRemoval is set to false for this device which prevents the removal of installed apps in that device. This is applied before the app was distributed to MDM. Steps to reproduce: Enroll a device in MDM. Use restrictions payload[com.apple.applicationaccess] with a key "allowAppRemoval" set to "true". Distribute an app to device. Perform operations to fetch "InstalledApplicationList" and "ManagedApplicationList". Expected Result: The device should install the app successfully and ManagedApplicationList response should return "Managed" status for the app. Actual Result: The device doesn't install the app and "ManagedApplicationList" returns "ManagedButUninstalled" status. InstallApplication Response: <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CommandUUID</key> <string>InstallApplication;Collection=899898</string> <key>Identifier</key> <string>pad.xxxx.ilD</string> <key>State</key> <string>Installing</string> <key>Status</key> <string>Acknowledged</string> <key>UDID</key> <string>000000-00000000-00000000</string> </dict> </plist> ManagedApplicationList Response: <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CommandUUID</key> <string>ManagedApplicationList</string> <key>ManagedApplicationList</key> <dict> <key>com.manageengine.mdm.iosagent</key> <dict> <key>ExternalVersionIdentifier</key> <integer>857024336</integer> <key>HasConfiguration</key> <true/> <key>HasFeedback</key> <true/> <key>IsValidated</key> <true/> <key>ManagementFlags</key> <integer>5</integer> <key>Status</key> <string>Managed</string> </dict> <key>com.teamviewer.teamviewerQS</key> <dict> <key>ExternalVersionIdentifier</key> <integer>851678159</integer> <key>HasConfiguration</key> <false/> <key>HasFeedback</key> <false/> <key>IsValidated</key> <true/> <key>ManagementFlags</key> <integer>5</integer> <key>Status</key> <string>Managed</string> </dict> <key>pad.xxxx.ilD</key> <dict> <key>ExternalVersionIdentifier</key> <integer>857489710</integer> <key>HasConfiguration</key> <true/> <key>HasFeedback</key> <false/> <key>IsValidated</key> <false/> <key>ManagementFlags</key> <integer>5</integer> <key>Status</key> <string>ManagedButUninstalled</string> </dict> </dict> <key>Status</key> <string>Acknowledged</string> <key>UDID</key> <string>000000-00000000-00000000</string> </dict> </plist> Restrictions Response: <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CommandUUID</key> <string>Restrictions</string> <key>GlobalRestrictions</key> <dict> <key>intersection</key> <dict> <key>autonomousSingleAppModePermittedAppIDs</key> <dict> <key>values</key> <array> <string>pad.xxxx.ilD</string> </array> </dict> <key>whitelistedAppBundleIDs</key> <dict> <key>values</key> <array> <string>pad.xxxx.ilD</string> <string>com.manageengine.mdm.iosagent</string> <string>com.teamviewer.teamviewerQS</string> </array> </dict> </dict> <key>restrictedBool</key> <dict> <key>allowAppRemoval</key> <dict> <key>value</key> <false/> </dict> </dict> <key>restrictedValue</key> <dict> <key>maxInactivity</key> <dict> <key>value</key> <integer>5</integer> </dict> </dict> <key>union</key> <dict> <key>blacklistedAppBundleIDs</key> <dict> <key>values</key> <array> <string>com.google.Drive</string> <string>com.apple.news</string> </array> </dict> </dict> </dict> <key>Status</key> <string>Acknowledged</string> <key>UDID</key> <string>000000-00000000-00000000</string> </dict> </plist>

We have the following issues on a iPad enrolled as Shared iPad via MDM using Apple Business Manager (ABM) We are unable to use the mail app in Shared iPad. The following error message is shown “This iPad is restricted from creating mail accounts”. When checked from MDM whether any such account restriction was added, they was none added to this device. We are also unable to add accounts via Settings app as well. And also when checking the Shared iPad restriction documentation, mail app is not in the restricted list for Shared iPad https://support.apple.com/en-mt/guide/apple-school-manager/axm3a8bb0ab8/web Kindly let us know whether we can add mail accounts manually in Shared iPad device. OS Version : iPadOS 16.5

After we wipe the Mac using MDM EraseDevice command, the screen appears asking for PIN and when we enter the correct PIN provided in EraseDevice command, it says Try again in 24284826 minutes, which is like 46 years. We could recover this by connecting the device to LAN, but can we avoid this screen? ?

We encountering an issue with HasUpdateAvailable Key is not updating in InstalledApplicationList when the newer app version is available for the device to update from App Store. Problem Description: When an App Store app or Custom app has a newer version released, the HasUpdateAvailable Key in Installed Application List is never updating. In InstalledApplicationList the HasUpdateAvailable value is False even when a newer app version is available to update. For Example, Google Slides app ( com.google.Slides ) was released a new version - 1.2023.22200 was on June 7, 2023. By checking the device, The InstalledApplicationList response on June 10. The hasUpdateAvailable key is False, Even though the app has an update available. <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CommandUUID</key> <string>InstalledApplicationList</string> <key>InstalledApplicationList</key> <array> <dict> <key>AdHocCodeSigned</key> <false/> <key>AppStoreVendable</key> <true/> <key>BetaApp</key> <false/> <key>BundleSize</key> <integer>198696960</integer> <key>DeviceBasedVPP</key> <false/> <key>DynamicSize</key> <integer>143360</integer> <key>ExternalVersionIdentifier</key> <integer>857221931</integer> <key>HasUpdateAvailable</key> <false/> <key>Identifier</key> <string>com.google.Slides</string> <key>Installing</key> <false/> <key>IsAppClip</key> <false/> <key>IsValidated</key> <true/> <key>Name</key> <string>Slides</string> <key>ShortVersion</key> <string>1.2023.20201</string> <key>Version</key> <string>1.2023.20201</string> </dict> </array> <key>Status</key> <string>Acknowledged</string> <key>UDID</key> <string>00008020-XXXXXXXXXXXX</string> </dict> </plist> Note :- We are experiencing this issue in multiple OS version for most of the apps. All the devices which we tested are compatible with the latest app version

Hi Apple community, I am writing this regarding device based activation lock can enable on device which is in 30 days DEP provisional period. Within the DEP provisional period, I can remove the remote management on my device. So the device is considered to use as my personal device ,not organization owned. Since MDM device based activation lock can enable during this provisional period, The device no longer be referred to use as my personal device also . what is the use of that 30 days? Kindly educate us on this case to whether this an intended options or a bug. Thanks in Advance

Hi Apple community, We encountering an issue with Declarative Management app events when attempting bulk app distribution through our Mobile Device Management (MDM) solution. Description of the Issue: During bulk app distribution, the expected app events defined in the Declarative Management framework are not functioning as intended. While individual app deployments work fine and trigger the desired events, the problem arises specifically when distributing apps in the bulk of more than 20 apps. My Status-Subscription Configuration, { "Type": "com.apple.configuration.management.status-subscriptions", "Identifier": "DEFAULT_STATUS_CONFIG_0", "ServerToken": "2", "Payload": { "StatusItems": [ { "Name": "account.list.caldav" }, { "Name": "account.list.carddav" }, { "Name": "account.list.exchange" }, { "Name": "account.list.google" }, { "Name": "account.list.ldap" }, { "Name": "account.list.mail.incoming" }, { "Name": "account.list.mail.outgoing" }, { "Name": "account.list.subscribed-calendar" }, { "Name": "device.identifier.serial-number" }, { "Name": "device.identifier.udid" }, { "Name": "device.model.family" }, { "Name": "device.model.identifier" }, { "Name": "device.model.marketing-name" }, { "Name": "device.operating-system.build-version" }, { "Name": "device.operating-system.family" }, { "Name": "device.operating-system.marketing-name" }, { "Name": "device.operating-system.supplemental.build-version" }, { "Name": "device.operating-system.supplemental.extra-version" }, { "Name": "device.operating-system.version" }, { "Name": "mdm.app" }, { "Name": "passcode.is-compliant" }, { "Name": "passcode.is-present" } ] } } Has anyone encountered a similar issue where Declarative Management app events fail to trigger during bulk app distribution? If so, I would greatly appreciate any insights, recommendations, or potential workarounds you may have discovered. Additionally, if you have any suggestions for further troubleshooting steps or resources to explore, please feel free to share them. Thank you in advance for your time.

Issue Description: We tested App Store app update deployment in an iPad with OS version 16.4.1. We put the app AppLock mode in device using a MDM. Then we pushed a update for the app from MDM. The device didn't update the app but the command was successfully sent from MDM and device acknowledged it. When we removed the app from AppLock mode and closed it, the app updated instantly. For enterprise apps, we have observed that while pushing the app update to devices when it is in AppLock mode, the app closes automatically and the app updates and opens automatically in AppLock mode. But for app store apps this behavior is different like mentioned above. Also, if the app is not in AppLock mode and if the app update is pushed when the app is running in foreground, the device asks for update prompt. If we accept it, the app doesn't update automatically. If we close the app manually, then the app is updated instantly. Kindly educate us on this case on App Store App as to whether this an intended behavior or a bug.

https://developer.apple.com/documentation/devicemanagement/homescreenlayout With Respect to the above link, we have deployed HomeScreenLayout Policy to device with iPadOS Version 16.4. Irrespective of all the os's, we cant able to restrict the App Library , whatever we do. Attached screenshot of the App Library shown in Home screen Layout. Is it possible to restrict this or not . Can anyone help on this.

https://developer.apple.com/documentation/devicemanagement/homescreenlayout With Respect to the above link, we have deployed HomeScreenLayout Policy to device with iPadOS Version 16.4. Irrespective of all the os's, we cant able to restrict the App Library , whatever we do. Attached screenshot of the App Library shown in Home screen Layout. Is it possible to restrict this or not . Can anyone help on this.

Description: <key>allowSpotlightInternetResults</key> <dict> <key>value</key> <false/> </dict> <key>allowAssistant</key> <dict> <key>value</key> <false/> </dict> I have added the restriction profile with the above restriction keys and values . along with a App Lock Policy locked to a single app. The problem am facing is, the app was locked to a particular app as per the policy . But User can able to open safari preview search view using the spotlight search. Atached Screenshot for the safarii preview in App Lock Policy Enabled Device

Hi Apple Team, We tend to update the MDM profile Supplied to the Mobile Devices when the Name of the organisation was changed by the customer we change the value of PayloadOrganization. When it comes to User Enrollment The organisation name will be shown in Settings Tab and also in Profiles Page. After performing update in MDM profile The Organisation name in the profile's page have been updated but The Organisation name in settings tab wasn't updated Old Name : APNS_ORG_NAME New Name : NEWNAME1