Hi,
I have a couple of questions about how to proceed and prepare the implementation for the DeviceLock MDM command for macOS in a secure and proper manner.
https://developer.apple.com/documentation/devicemanagement/device-lock-command
In documentation "PIN" is "(string) The six-character PIN for Find My. This value is available in macOS 10.8 and later." - is this the PIN that is used to unlock the device?
Is there any video online where I can see how the process would look for the end user when locking and unlocking a device?
What should be done before sending a DeviceLock command? What should be done to safely test the command without bricking a device?
How do I unlock a device that was locked with a DeviceLock command? Is there any Unlock command, or can the user unlock the device with the PIN provided earlier?
Thank you for any help!
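As an added example (not code from the post above or from Apple), the following shows how an MDM server would assemble the DeviceLock command plist the post asks about and how it would interpret the device's reply. The key names (CommandUUID, RequestType, PIN, Message, PhoneNumber, Status, ErrorChain) are the ones Apple's MDM command and response plists use; the rule that the PIN must be exactly six ASCII digits is this example's own validation and is an assumption, and the two sample replies embedded at the bottom are constructed for illustration, not captured from a device.

```python
"""Build a macOS DeviceLock MDM command and interpret the device's reply.

Added example, not code from the original post or from Apple. The key names
(CommandUUID, RequestType, PIN, Message, PhoneNumber, Status, ErrorChain)
follow Apple's MDM command/response plists; the rule that the PIN is exactly
six ASCII digits is this example's own validation (an assumption), and the
two replies at the bottom are constructed samples, not device captures.
"""
import plistlib
import secrets
import uuid

PIN_LENGTH = 6  # documented length; "decimal digits only" is our assumption


def generate_pin() -> str:
    """Six random decimal digits from the OS CSPRNG; leading zeros are kept."""
    return "".join(secrets.choice("0123456789") for _ in range(PIN_LENGTH))


def is_valid_pin(pin: str) -> bool:
    """isascii() matters: str.isdigit() also accepts non-ASCII digit glyphs."""
    return len(pin) == PIN_LENGTH and pin.isascii() and pin.isdigit()


def build_device_lock_command(pin: str, message: str = "", phone_number: str = "",
                              command_uuid: str = "") -> dict:
    """Return the command plist structure the MDM server queues for the device."""
    if not is_valid_pin(pin):
        raise ValueError("PIN must be exactly six ASCII digits (assumption)")
    command = {"RequestType": "DeviceLock", "PIN": pin}
    if message:
        command["Message"] = message            # text shown on the lock screen
    if phone_number:
        command["PhoneNumber"] = phone_number   # contact number on the lock screen
    return {"CommandUUID": command_uuid or str(uuid.uuid4()), "Command": command}


def parse_response(plist_bytes: bytes) -> dict:
    """Reduce a device reply to its status plus the first ErrorChain entry.

    The PIN never appears in the reply, so the result can be logged as-is."""
    reply = plistlib.loads(plist_bytes)
    result = {"status": reply.get("Status"), "command_uuid": reply.get("CommandUUID")}
    if result["status"] == "Error":
        chain = reply.get("ErrorChain") or []
        first = chain[0] if chain else {}
        result["error_code"] = first.get("ErrorCode")
        result["error_domain"] = first.get("ErrorDomain")
        result["description"] = first.get("LocalizedDescription")
    return result


# Constructed sample replies (not captured from a real device).
_CMD_UUID = "0B1C2D3E-4F50-4A6B-8C7D-9E0F1A2B3C4D"
SAMPLE_ACK = plistlib.dumps({"Status": "Acknowledged", "CommandUUID": _CMD_UUID,
                             "UDID": "00000000-0000000000000001"})
SAMPLE_ERROR = plistlib.dumps({
    "Status": "Error", "CommandUUID": _CMD_UUID, "UDID": "00000000-0000000000000001",
    "ErrorChain": [{"ErrorCode": -1, "ErrorDomain": "ExampleErrorDomain",
                    "LocalizedDescription": "constructed sample error"}],
})

if __name__ == "__main__":
    pin = generate_pin()
    cmd = build_device_lock_command(pin, message="Managed Mac: contact IT",
                                    phone_number="+1 555 0100", command_uuid=_CMD_UUID)
    # Persist `pin` against cmd["CommandUUID"] in the device record BEFORE sending;
    # once the Mac is locked, that PIN is what the person at the keyboard must type.
    print(plistlib.dumps(cmd).decode())
    print(parse_response(SAMPLE_ACK))
    print(parse_response(SAMPLE_ERROR))
```

The design point is the ordering: the PIN is generated from the OS CSPRNG and written to the device record together with the CommandUUID before the command is queued, because the reply from the device does not echo it and there is nothing to recover it from afterwards. Keeping the PIN out of parse_response's result also keeps it out of whatever log line that result ends up in.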
Business and Enterprise
Design great apps that support companies and organizations of all sizes.
Posts under Business and Enterprise tag
37 Posts
What is the proper payload for the FDEFileVault?
Do I need to provide a user password in the payload to proceed with turning on FileVault? Isn't that a privacy issue?
Why does UserEntersMissingInfo not work for me?
How do I properly turn off FileVault? Every attempt failed.
Below I attach tested payloads and results.
Test 1:
Enable: "On"
Result 1:
Error
ErrorCode: -319
LocalizedDescription: The ‘FileVault Settings’ payload could not be installed. User authentication failed.
Test 2:
Enable: "On"
Username: "username on a device"
Result 2:
Error
ErrorCode: -319
LocalizedDescription: The ‘FileVault Settings’ payload could not be installed. User authentication failed.
Test 3:
Enable: "On"
Username: "username on a device"
Password: "password of the user"
Result 3:
Success: FileVault turned On
Test 4:
After previously turning FileVault on successfully, then restarting the machine.
Enable: "Off"
Result 4:
Fail: FileVault didn't turn off, but the profile in Settings was updated. Restarting the machine didn't help.
Test 5:
Enable: "On"
UserEntersMissingInfo: True
Result 5:
Error
ErrorCode: -319
LocalizedDescription: The ‘FileVault Settings’ payload could not be installed. User authentication failed.
Test 6:
Enable: "On"
Username: "username on a device"
UserEntersMissingInfo: True
Result 6:
Error
ErrorCode: -319
LocalizedDescription: The ‘FileVault Settings’ payload could not be installed. User authentication failed.
Test 7:
This is example payload from: https://developer.apple.com/documentation/devicemanagement/fdefilevault#Profile-Example
Defer: True
Enable: "On"
ShowRecoveryKey: True
UseKeychain: False
UseRecoveryKey: True
UserEntersMissingInfo: False
Result 7:
Success: FileVault turned On
Test 8:
Same as Test 4, but after turning it on as in Test 7.
Test 9:
Defer: True
Enable: "Off"
ShowRecoveryKey: True
UseKeychain: False
UseRecoveryKey: True
UserEntersMissingInfo: False
Result 9:
Fail: FileVault didn't turn off, but the profile in Settings was updated. Restarting the machine didn't help.
Test 10:
Defer: True
Enable: "Off"
ShowRecoveryKey: True
UseKeychain: False
UseRecoveryKey: True
UserEntersMissingInfo: True
Result 10:
Fail: FileVault didn't turn off, but the profile in Settings was updated. Restarting the machine didn't help.
Test 11:
Defer: True
Enable: "Off"
ShowRecoveryKey: True
UseKeychain: False
UseRecoveryKey: True
UserEntersMissingInfo: True
DeferForceAtUserLoginMaxBypassAttempts: 0
Result 11:
Fail: FileVault didn't turn off, but the profile in Settings was updated. Restarting the machine didn't help.
Test 12:
UserEntersMissingInfo: True
Enable: "Off"
Username: "username on a device"
Result 12:
Fail: FileVault didn't turn off, but the profile in Settings was updated. Restarting the machine didn't help.
The MDM was installed correctly and other commands are working fine. I have tried to send InstallProfile with a custom configuration to the device, but it was displayed as not signed. How do I sign the payload for the InstallProfile command, and where should it be included in the payload / command?
The payload I sent to a mac with MDM installed:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Payload</key>
<data>
BASE64_HERE
</data>
<key>RequestType</key>
<string>InstallProfile</string>
</dict>
</plist>
Decoded base64 from the payload above was:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadContent</key>
<dict>
<key>com.example.myapp</key>
<dict>
<key>test_key</key>
<string>test_value</string>
</dict>
</dict>
<key>PayloadDisplayName</key>
<string>My App Configuration</string>
<key>PayloadIdentifier</key>
<string>com.org_name.mdm.profile.uq_id_here</string>
<key>PayloadType</key>
<string>com.apple.ManagedClient.preferences</string>
<key>PayloadUUID</key>
<string>UUID4 HERE</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>App Configuration Profile</string>
<key>PayloadIdentifier</key>
<string>com.example.myapp.config</string>
<key>PayloadOrganization</key>
<string>ORG NAME</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>ANOTHER UUID4 HERE</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
System logs from Device:
[*] Processing server request: InstallProfile for: <Device>
[ERROR] System keychain reported it is unavailable but will proceed as if it is.
[*] === CPF_InstallProfile === com.example.myapp.config (user: <Computer>) (source: 'MDM')
[*] >>>>> Sending HTTP request (PUT) [Acknowledged(InstallProfile)
[*] <<<<< Received HTTP response (200) [Acknowledged(InstallProfile)
[*] Processing server request: ProfileList for: <Device>
[*] >>>>> Sending HTTP request (PUT) [Acknowledged(ProfileList)
[*] <<<<< Received HTTP response (200) [Acknowledged(ProfileList)
Also, the ProfileList didn't include the installed profile. Is it because it was unsigned? How should it be signed?
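As an added example serving both the FileVault post and the InstallProfile post above (this is not the posters' code and not Apple's), the following builds a configuration profile from two payloads, wraps it in an InstallProfile command in the form the MDM protocol puts on the wire (CommandUUID plus a Command dictionary, with the profile bytes in Command.Payload as data), tells a signed profile apart from an unsigned one, and CMS-signs a profile with OpenSSL. The custom-settings payload uses the Forced / mcx_preference_settings wrapper that macOS managed preferences (com.apple.ManagedClient.preferences) expect; the FileVault payload reproduces the deferred, password-free variant from Test 7, the one that worked without embedding the user's password as Test 3 did, except that ShowRecoveryKey defaults to False here. The domain and identifier strings (com.example.myapp and friends) are placeholders, and the certificate and key file names passed to sign_profile() are assumed to exist on the MDM server; nothing in the block contacts a device.

```python
"""Build, wrap and optionally CMS-sign a profile for the InstallProfile command.

Added example, not the posters' code and not Apple's. The custom-settings
payload uses the Forced / mcx_preference_settings structure that macOS managed
preferences expect; the FileVault payload reproduces the deferred, password-free
variant from Test 7 in the FileVault post. Domain/identifier strings are
placeholders and the certificate/key paths given to sign_profile() are assumed
to exist on the MDM server. Signing shells out to `openssl smime -sign`.
"""
import plistlib
import subprocess
import uuid


def _uuid() -> str:
    return str(uuid.uuid4()).upper()


def custom_settings_payload(domain: str, settings: dict) -> dict:
    """Managed preferences payload. The domain dict wraps the keys in
    Forced -> [ {mcx_preference_settings: {...}} ]; a bare {key: value} dict
    directly under the domain is not the structure managed preferences expect."""
    return {
        "PayloadType": "com.apple.ManagedClient.preferences",
        "PayloadIdentifier": f"{domain}.managed-preferences.{_uuid()}",
        "PayloadUUID": _uuid(),
        "PayloadVersion": 1,
        "PayloadDisplayName": f"Managed preferences for {domain}",
        "PayloadContent": {domain: {"Forced": [{"mcx_preference_settings": settings}]}},
    }


def filevault_deferred_payload(show_recovery_key: bool = False) -> dict:
    """FDEFileVault payload that defers enablement to the user's next logout, so
    no account password is embedded in the profile (compare Test 3 with Test 7)."""
    return {
        "PayloadType": "com.apple.MCX.FileVault2",
        "PayloadIdentifier": f"com.example.filevault.{_uuid()}",
        "PayloadUUID": _uuid(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "FileVault (deferred)",
        "Enable": "On",
        "Defer": True,
        "UseRecoveryKey": True,
        "UseKeychain": False,
        "UserEntersMissingInfo": False,
        # Test 7 used True; False keeps the key off the screen, pair it with a
        # com.apple.security.FDERecoveryKeyEscrow payload (not shown) to escrow it.
        "ShowRecoveryKey": show_recovery_key,
    }


def build_profile(display_name: str, identifier: str, organization: str,
                  payloads: list) -> bytes:
    """Top-level Configuration profile, serialized as an XML plist."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": _uuid(),
        "PayloadDisplayName": display_name,
        "PayloadOrganization": organization,
        "PayloadContent": payloads,
    })


def install_profile_command(profile_bytes: bytes) -> dict:
    """On-the-wire InstallProfile command: the (signed or unsigned) profile goes
    in Command.Payload as <data>; plistlib base64-encodes bytes for you."""
    return {
        "CommandUUID": str(uuid.uuid4()),
        "Command": {"RequestType": "InstallProfile", "Payload": profile_bytes},
    }


def is_signed_profile(data: bytes) -> bool:
    """A CMS-signed profile is DER and starts with a SEQUENCE tag (0x30);
    an unsigned profile is an XML or binary plist."""
    head = data.lstrip()
    if head.startswith(b"<?xml") or head.startswith(b"bplist00"):
        return False
    return data[:1] == b"\x30"


def sign_profile(profile_bytes: bytes, signer_cert: str, signer_key: str,
                 chain_file: str = "") -> bytes:
    """CMS-sign with the content attached (-nodetach) and DER output, via OpenSSL.
    The device only ever sees the public certificate(s); for the profile to show
    as verified, the signer must chain to a root the Mac trusts."""
    cmd = ["openssl", "smime", "-sign", "-signer", signer_cert, "-inkey", signer_key,
           "-nodetach", "-outform", "der"]
    if chain_file:
        cmd += ["-certfile", chain_file]  # intermediate certificates to embed
    return subprocess.run(cmd, input=profile_bytes, capture_output=True, check=True).stdout


if __name__ == "__main__":
    profile = build_profile(
        "App Configuration Profile", "com.example.myapp.config", "Example Org",
        [custom_settings_payload("com.example.myapp", {"test_key": "test_value"}),
         filevault_deferred_payload()],
    )
    print("signed before signing:", is_signed_profile(profile))
    # signed = sign_profile(profile, "mdm-signer.crt", "mdm-signer.key", "chain.pem")
    print(plistlib.dumps(install_profile_command(profile)).decode()[:300], "...")
```

Signing is a property of the profile bytes, not of the InstallProfile command: sign first, then put the DER output in Command.Payload unchanged. The same `openssl smime` invocation with `-verify -inform der` (and `-noverify` if the signer is not in OpenSSL's trust store) extracts the inner plist again, which is a quick way to confirm what was actually sent when a device reports a profile as unsigned.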
Main Issue
We are experiencing an issue where iOS devices become unresponsive when attempting to shutdown or reboot from the lock screen while locked into Single App Mode via MDM or Apple Configurator.
Steps to Reproduce:
Start any iOS device.
Use Apple Configurator or an MDM solution to enable Single App Mode.
Wait for the device to lock into the specified app.
Lock the device so that it goes to the lock screen.
Hold the Power button and Volume Up button until the shutdown/emergency screen appears.
At this point, the device becomes unresponsive.
After approximately 30 seconds, the message "Guided Access app unavailable. Please contact your administrator" appears.
The device is now frozen, and the only way to recover is to force restart it using Apple's forced restart method (Apple Support Link).
Additional Issue:
Additionally, we observe that when using an app in Single App Mode, attempting to reboot the device and canceling the reboot prevents any subsequent reboot attempts until a force restart is performed.
Steps to Reproduce This Behavior:
Lock the iOS device into Single App Mode.
Use the app normally.
Attempt to shut down the device by holding the Power and Volume Up buttons.
The shutdown/emergency screen appears as expected.
Cancel the shutdown by tapping "Cancel."
The device returns to the lock screen.
Swipe up to return to the app.
Attempt to shut down the device again using the same method.
Nothing happens—the shutdown screen no longer appears.
The only way to reboot the device now is through a forced restart.
This appears to be a bug in Single App Mode behavior, potentially related to Guided Access restrictions. Has anyone else encountered this issue?
Is this the right place to report this issue? or should I report it elsewhere?
I have more videos and material showing how to reproduce this issue if needed.
While setting up the MDM server, I got the following error:
Please tell me what the error is and how to fix it.
ProfileConnection Error com.apple.ManagedConfiguration 12:33:23.432323+0900 ManagedConfiguration PerfPowerServices MDM profile installation check failed with error:NSError.
Desc : Connectiong process 'com.apple.managedconfiguration.profiled-access' lacks permission
US Desc: Calling process lacks 'com.apple.managedconfiguration.profiled-access' entitlement
Domain : MCXPCErrorDomain
Code : 39000
Type : MCFatalError
Params : (
"com.apple.managedconfiguration.profiled-access"
)
Last week we received this e-mail from Apple, without any information about the reasons. Our infrastructure is built on Apple infrastructure and contains more than 1000 iOS devices. We have a paid enterprise account until April 2025. Why did Apple cancel our membership?
We are reaching out to inform you that your Apple Developer Enterprise Program ("ADEP") membership will be terminated, effective February 12, 2025.
Please be assured that this decision is not a result of any action or inaction on your part, and it is not subject to appeal.
As of February 12, 2025, you will no longer have access to your membership and account-related services for developing and distributing in-house, internal use software. Certificates, identifiers, and provisioning profiles will be revoked, and the apps associated with your account will no longer function.
In accordance with Section 11.3 of the ADEP Agreement, please immediately destroy all Apple Confidential Information that is in your possession or control and note your continuing obligations upon termination. Nothing in this letter should be construed as a waiver of any rights or remedies Apple may have, all of which are hereby reserved.
Backup and restore personal iOS data to a Supervised device?
We currently have around 200+ iPhone users that are using their devices as personal devices. We are planning on moving them to Intune using Automated Device Enrollment (Supervised).
Is there any way to back up their devices, do a factory reset, enroll them in Intune, and then restore the old data?
Is it possible to do a backup and restore in this situation? Is there an alternative way to restore the data to a supervised device?
Friday we were preparing to publish our final build in TestFlight. Our developer informed me that the account holder had to agree to new terms and agreements. I am the sole user of this account, and tried to log in (1 week ago I was still able to log in). To my surprise I got the notification "account locked", "you need to reset your password". I followed the required step: filling in the phone number on file (which is my phone number). After filling this in, the page informed me that they'd get back to me in 1 day.
On Saturday I received an email from no_reply@apple with the following “We have received the request for access to your account and we have denied access.” There was no further information in the email why this would be.
I tried Apple support but they tell me they can not reactivate the account and I should apply for a new Apple ID. This sounds really strange as it would mean I would lose access to our currently published application forever?
But in general I am just shocked how they can deny access to an account, which is even a paid one (Developer Program), and not help me out. I am able to supply all identification (passport). I have access to the email that we use to login. I have access to the mobile phone number that is connected for exactly this reason (two factor authentication).
Anyone with similar experience and/or solutions?
Our company has been trying to register for the Apple Developer Enterprise Program since September 15, 2024. However, it wasn’t until early November that we received an email requesting our business information. Following that, we contacted Apple’s team on November 15, 2024, to answer their interview questions.
Now, more than a month has passed since that call, and we still have no idea about the status of our approval. When I check the account, it always shows 'Your enrollment is being processed. Your enrollment ID is 8K8SXNKA89.' I’ve also emailed Apple Support but have not received any further response.
How much longer will this process take? Apple's handling of this is excessively slow and frustrating.
Hello, everybody. We are receiving messages from our partners and customers about the Enterprise Program cancellation on 12 February 2025. Is this a worldwide phenomenon, and will the Enterprise Program no longer be available to anyone, or is it an issue with our customers and partners?
Thank you very much for your replies!
Hello! I really need someone's help!
At the end of August, I accepted the changes to the financial agreement. For some reason, this led to the re-processing of the banking information in my account in the AppStoreConnect.
And now, for two and a half months, I have been seeing a message in the "Business" section of the AppStoreConnect:
"Your banking updates are processing, and you should see the changes in 24 hours. You won't be able to make any additional updates until then."
And now I can't change this information or add another bank account.
During all this time, Apple did not attempt to make payments to this bank account, and my money is just stuck, with no way to withdraw it.
I tried to contact financial support several times, but all my requests went unanswered. Here is the ID of the last request, if it somehow speeds up the search for a solution: Case-ID: 10193100
Do you have any ideas what the problem might be and how I can fix this situation?
Thanks!
Dear Apple Team,
As an MDM (Mobile Device Management) service provider, we are writing to bring attention to an issue that is affecting many of our customers who manage large fleets of iOS devices. Specifically, we have encountered challenges with the app update process via MDM, which is impacting both kiosk devices and non-kiosk devices in a variety of use cases.
Issue 1: App Updates Delayed on Kiosk Devices
Many of our customers are deploying kiosk devices that are used 24/7 independently with no attendants. In these cases, when an app update is sent through MDM via the installApplication command, the installation does not begin immediately. Instead, the update starts only after the device is locked. However, since these kiosk devices are running continuously, they are rarely locked, preventing the app update from occurring.
To force the update, administrators need to manually remote lock or physically lock the device, which is a time-consuming process. This becomes even more challenging for devices like Apple TV, where remotely locking and unlocking the device to complete app updates is especially difficult, making it hard to keep the apps up to date in a timely manner.
Issue 2: User Cancellations of Critical Updates on Non-Kiosk Devices
In the case of non-kiosk devices, customers are encountering another challenge: when a critical update is pushed during business hours, users are often prompted to install the update. However, many users tend to cancel the update, leaving devices unpatched and potentially vulnerable. This behavior can delay the deployment of important security patches, which is a critical concern for organizations managing sensitive data or business-critical apps.
Request for a Solution
Our customers have expressed the need for a more reliable and forceful app update mechanism. Specifically, we are requesting the following features to improve the app update experience:
Scheduled app updates: The ability to schedule app updates, similar to the way OS updates are handled. If the user does not install the update within a specified timeframe, the update should begin automatically or prompt the user with a stronger reminder.
Force install option: A feature that would allow MDM administrators to force an app update immediately, without relying on user intervention. This would ensure that critical updates are installed promptly, improving security and system stability across all devices.
These features are essential for many of our customers who rely on timely and consistent app updates to maintain security, functionality, and compliance across their managed devices. Without these options, they face challenges in ensuring devices are kept up-to-date, which can result in security vulnerabilities and operational disruptions.
We kindly request that Apple consider adding these functionalities to improve the MDM app update process and provide a more reliable experience for both kiosk and non-kiosk device management.
Thank you for your attention to this matter. We look forward to your feedback and any potential improvements in future iOS updates.
Raised in the same manner as feedback: FB15910292
Hi,
I am currently a PhD student at CMU working on an XR project with Vision Pro. I found that the recently released enterprise APIs can be really helpful for our project, especially the configuration of the object tracking provider.
However, I found that a personal developer account cannot access those APIs. It also requires me to be a founder of the organization (the university) when I try to upgrade my account to an organization (CMU). I wonder whether there is any way for a student to still have a chance to try those fantastic APIs and do some research based on them?
I really need those functions and I believe what I am working on is also going to be a great demo of the Vision Pro.
Thanks,
Greetings,
Our App has been rejected in review for non-compliance with guideline 4.3 (Design). Our App appears to be similar to others, and indeed it is similar in functionality and appearance. The others that are similar have been developed by us as well, these being customisations that are specifically targeted at the companies or accounts we deal with.
The truth is that we have gone through several reviews of the other Apps before when we submitted them for publication at the time.
We know that there are other development companies that customise Apps for different brands and in these cases there has been no reason for rejection by the Apple Store.
We are beginning to think that there may be certain factors that are directly influencing the rejection of this App:
The mockups or screenshots we are using are similar to those of another App we have published with the same functionalities.
The backgrounds of the App have a gem of colours similar to that of the other App.
And now we wonder:
Is it possible that the reviewer rejected it solely because of design issues with the presentation screenshots and backgrounds of the App?
Apart from the appeal that can be submitted to the Store via the review form, is there any way to contact Apple by phone to determine exactly why the App was rejected?
How do other companies upload the same custom App and get it reviewed?
I was sent an activation code in one of these Apple emails and I can't access the code because I don't know where to go. Please help if you can!
My name is Tom Shannon, a developer with Omnia (d.b.a Aequilibrium Inc.). We were recently approved for some of the Enterprise APIs for the Vision Pro.
You can reference the history through our Case-ID: 9237594
We are contacting you for assistance as we have downloaded the entitlement license provided and added it to our target for an application under the bundle id: com.omnia.spatialbrowser
Then under my project and with my developer account, which is under the Aequilibrium Inc. account (279PV9XKZ2), we tried to add the Barcode Scanner Enterprise API entitlement, but this does not show up as an option for us.
I am on Xcode 16.1 beta (16B5001e) for reference! Any help would be greatly appreciated.
Best,
Hi,
I run a midsize business. Apple recommends, for company-owned devices and for other reasons, using Apple Business Manager managed Apple IDs for employees. After that, you have to use an MDM system for, e.g., deploying apps and licenses.
TestFlight is an app that can be deployed too. But... TestFlight cannot do more than say "Hello" on a managed device. Using TestFlight to test our own developed apps is not possible with a managed ID.
Can anyone explain this thinking to me, or what is recommended instead? Setting up a private Apple ID for that purpose, which, on the other hand, Apple does not want or recommend?
Inquiry about Running Enterprise Apps in Killed State and MDM Payload Management:-
I am developing an enterprise iOS application that needs to perform specific tasks or network calls even when the app is in a killed state (i.e., when it is not actively running in the foreground or background). I understand that standard iOS restrictions prevent apps from executing code while in this state, but I am exploring potential solutions within the scope of enterprise apps and MDM (Mobile Device Management) capabilities.
Dear Apple Developer Support Team,
We are seeking a solution that would allow us to include the CarPlay entitlement while distributing our app using an enterprise profile. Could you please provide guidance on how we might achieve this? Are there any alternative approaches or considerations that could help us navigate this limitation?
Your expertise and advice would be greatly appreciated as we work to ensure our app meets the needs of our users while complying with Apple’s guidelines.
Thank you for your time and support.