Device Management

Allow administrators to securely and remotely configure enrolled devices using Device Management.

Device Management Documentation

Posts under Device Management tag

173 Posts
Post not yet marked as solved
1 Replies
217 Views
Hi! Notice for the VPN of type "Always On", this site indicates an ApplicationExceptions key. But on the configuration manual it's not found. I'm trying to indicate a couple apps that should be able to bypass the always on vpn, but it doesn't seem to work. Any ideas? Thanks
appears here: https://developer.apple.com/documentation/devicemanagement/vpn/alwayson/applicationexceptionelement
not here: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
Posted by sunklett.
Post marked as solved
1 Replies
299 Views
Hi Team, I'm trying to disable the option to change the status of the Transparent Proxy enable/disable but there is no API which works in NETransparentProxyManager. Could you suggest how to disable the option to change the status of the Transparent Proxy enable/disable? We want to disable it so that no one can modify it from the settings. This option is coming in Network -> VPN & Filters. I observed that some other providers disabled it in the "Network -> VPN & Filters" settings.
Posted by namdev20.
Post not yet marked as solved
0 Replies
278 Views
Hello Forum, If I send the device the "DeviceInformationCommand.Command.RequestType = DeviceInformation" command and "InstalledApplicationListCommand.Command.RequestType = InstalledApplicationList" command, it can be sent successfully, but I don't get a response from the device. https://developer.apple.com/documentation/devicemanagement/get_device_information

------------- our log ----------------------
general.log.5:[2024/03/27 13:23:30] (172.31.54.87) I #TaskUpdateInformationHandler - did:14379, udid:63a6d7edc9f1128808aaee49d80e9539b5fd9cdd, mdm_task_uuids:['0aa5f838-1891-4a9b-b4fd-9d7c0aa365d3', '3f401ea8-be87-499b-a4be-fea2b1dab379'], result:ok, cid:117
general.log.5:[2024/03/28 03:06:34] (172.31.76.98) I #TaskUpdateInformationHandler - did:14379, udid:63a6d7edc9f1128808aaee49d80e9539b5fd9cdd, mdm_task_uuids:['c46b8523-40cd-4c7e-8a5d-0e49c9d26106', '8a99b664-df27-4bc9-8f41-fe39e3a7f3bc'], result:ok, cid:117

It is transmitted successfully to the Apple MDM server, but there is no response from the device. However, policy distribution such as PushSetting works normally. I would like to get some document or help that I can refer to. Thank you.
Posted by Dave_Koh.
Post not yet marked as solved
1 Replies
277 Views
I am trying to find how to configure an application when using an AppManaged declaration. Using MDM, I would send the install command and include the settings in the 'Configuration' key of the command. I have checked the documentation and rewatched the 2023 WWDC video, but it is not mentioned at all. AppManagedAttributesObject has specific configuration options and doesn't appear to cater for adhoc app specific configurations. Anyone found a way to accomplish this? There are a number of apps (store and enterprise) that require this functionality in order to be configured remotely.
Posted by Livesey.
Post not yet marked as solved
0 Replies
266 Views
Our MDM customers often claim MDM push is not delivered to device and cannot manage devices via MDM. The user first uninstalled the old description file and then installed the new one, but after the new description file was installed, our mdm server did not receive any notification from Apple about updating the token, only received an Authenticate message. We tried to restore network settings but it did not work. We hope to get your help to solve this problem. Currently, we can't figure out where the problem is.
Posted by wutiezhu.
Post not yet marked as solved
1 Replies
817 Views
Hi Apple IT Developer Team, In what format should the GetToken response be returned? The session explains "The JSON Web Token should be signed by the MDM server's private key.", but it seems vague to me. A sample response would be appreciated.
Posted by joshtaka.
Post not yet marked as solved
1 Replies
218 Views
Please tell me two things about "Safari Password Autofill Domains" in my domain settings.

Incident
The behavior of the following items in the Domains setting differs between "no setting" and "edit and delete setting values".
Subject: Safari Password Autofill Domains

Steps to Reproduce (Delete the setting value)
1. Enter any value in "Safari Password Autofill Domains" in the domain settings and save it.
2. Delete the value entered in step 1.
3. Distribute to the terminal.

Result
If no settings: A pop-up window will appear asking if the password is to be saved in all domains. The key "SafariPasswordAutoFillDomains" is not present in the configuration profile.
Edited to remove the value: The "Save Password AutoFillDomains" popup does not appear for all domains. The key "SafariPasswordAutoFillDomains" exists in the configuration profile and an empty array remains.

Question 1. Is it expected that the behavior is different when "Safari Password Autofill Domains" is not configured and when the configuration value is edited and removed?
Question 2. Is it expected that "" remains in the configuration profile when the setting value is edited and deleted?
Post marked as solved
2 Replies
364 Views
We have a few development servers that implement MDM and I am trying to incorporate WatchOS Enrollment. I am having trouble connecting to our enrollment URL that is defined in the watch enrollment payload. The error I get indicates that the server certificate is invalid. I can see this error if I attempt to pair to an iPhone that has the WatchOS enrollment declaration on it and I also see it if I send an iMessage with our server url and attempt to open the url using the messages app on the watch itself. The certificate is valid, but the SAN does not define my particular domain but rather it uses a wildcard (i.e. DNS Name: *.domain.com and DNS name: domain.com). The url opens fine on any other Apple device (iPhone, iPad, Mac, etc) as well as Windows. My question is, is there some problem with using an SSL server certificate that has a wildcard in place of a specific domain when attempting to connect using WatchOS?
Posted by rweiss.
Post not yet marked as solved
3 Replies
361 Views
Hello, I am currently testing the com.apple.configuration.app.managed declaration, and have failed to get it to work with either VPP OR Enterprise apps. (Testing is being conducted on an iPhone XR with iOS 17.3.1)

VPP: Initially errors were returned due to not having a license for the device, so I have set it up to fetch a license before the declaration is returned to the device. Said declaration is as follows (I have attempted to switch from Device to User VPP type, as well as attempting to use BundleID or AppStoreID but all have the same result):

{
    "Identifier": "BBC_Test_Install",
    "Payload": {
        "AppStoreID": "377382255",
        "InstallBehavior": {
            "Install": "Required",
            "License": {
                "VPPType": "Device"
            }
        }
    },
    "ServerToken": "...",
    "Type": "com.apple.configuration.app.managed"
}

The configuration above successfully applies on to the device, and can be seen in the configurations tab in Settings. The install is unsuccessful however, as the app.managed subscription item returns the following result:

"app" : {
    "managed" : {
        "list" : [
            {
                "state" : "failed",
                "declaration-identifier" : "BBC_Test_Install",
                "identifier" : "uk.co.bbc.newsuk",
                "name" : "BBC News - UK & World Stories"
            }
        ]
    }
}

The device does not provide any additional information. It was initially returning the following reason when I did not request a licence before the install:

"code" : "Error.LicenseNotFound"

but this has disappeared now that a licence is requested beforehand. No other information can be gleaned so I am at a bit of a loss. It should be noted, I am wiping my device between each test, just to try and get it working on a "fresh" application before attempting to deal with updating the declaration.

Enterprise: This also does not seem to behave, the configuration states a successful application, but it can't be seen in the declarations tab within general settings:

"active" : true,
"identifier" : "Enterprise_Test_Install",
"valid" : "valid",
"server-token" : "..."

The associated configuration is as follows:

{
    "Identifier": "Enterprise_Test_Install",
    "Payload": {
        "InstallBehavior": {
            "Install": "Required"
        },
        "ManifestURL": "https://my.domain/web/mdm/ios/enterpriseplistgenerator/bundle.id"
    },
    "ServerToken": "...",
    "Type": "com.apple.configuration.app.managed"
}

I have had previous success installing enterprise apps through MDM commands so I would have assumed the ManifestURL should have worked the same. The above URL does cause the device to make a secondary request for the application manifest, which returns the following:

<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>items</key>
    <array>
        <dict>
            <key>assets</key>
            <array>
                <dict>
                    <key>kind</key>
                    <string>software-package</string>
                    <key>url</key>
                    <string>https://my.domain/web/mdm/ios/enterpriseipa/bundle.id</string>
                </dict>
            </array>
            <key>metadata</key>
            <dict>
                <key>bundle-identifier</key>
                <string>bundle.id</string>
                <key>kind</key>
                <string>software</string>
                <key>subtitle</key>
                <string>testapp</string>
                <key>title</key>
                <string>testapp</string>
            </dict>
        </dict>
    </array>
</dict>
</plist>

Which the device then does nothing with (app.managed does not report back anything). When installing the enterprise app through MDM commands the above plist does cause the device to make a secondary call to fetch the application's IPA. Some additional information, help, or insight would be useful, as from my perspective the declaration does not seem to work at all.
Posted by Hamer2.
Post not yet marked as solved
1 Replies
275 Views
Hello, I could not find information in the doc (which is still beta, I understand): how are app upgrades handled by DDM AppManaged? With MDM, sending InstalledApplication command will upgrade the app to the most suitable recent version; HasUpdateAvailable flag tells MDM server (more or less accurately) if there is an update and then Organizations can keep apps up to date as quickly as possible if needed. But with DDM, we just have a declaration where we tell the device to install a given app, and that's it. Is there any detail about how the device upgrades apps, and how frequently? Thanks.
Posted by sysedit.
Post not yet marked as solved
0 Replies
222 Views
We have observed that the following commands cause NotNow:
1. InstallProfileCommand (https://developer.apple.com/documentation/devicemanagement/installprofilecommand)
2. InstallProvisioningProfileCommand (https://developer.apple.com/documentation/devicemanagement/installprovisioningprofilecommand)
3. SecurityInfoCommand (https://developer.apple.com/documentation/devicemanagement/securityinfocommand)
4. CertificateListCommand (https://developer.apple.com/documentation/devicemanagement/certificatelistcommand)
5. InstallApplicationCommand (https://developer.apple.com/documentation/devicemanagement/installapplicationcommand)
6. ManagedMediaListCommand (https://developer.apple.com/documentation/devicemanagement/managedmedialistcommand)
1, 2, 3 become NotNow while the iOS device is locked. I don't know under what circumstances 4, 5, 6 become NotNow. Please tell me.
Post not yet marked as solved
1 Replies
374 Views
I've encountered an issue while reviewing logs from my device and hope someone here can shed some light on it. In the process of diagnosing an application behavior, I noticed that some entries in my logs are marked as <private>, specifically next to bundle IDs, which makes it challenging to understand which app or process is involved. Here are the relevant log entries:

Feb 21 17:40:53 vCw-2 suggestd(CoreSuggestionsInternals)[30399] <Notice>: SGDSuggestManager: realtimeSuggestionsForMailOrMessageWithHash: com.apple.MobileSMS : <private>
Feb 21 17:40:53 vCw-2 suggestd(CoreSuggestionsInternals)[30399] <Notice>: SGDSuggestManager: realtimeSuggestionsForMailOrMessageWithHash: <private>: results: (null)
Feb 21 17:40:53 vCw-2 suggestd(CoreSuggestionsInternals)[30399] <Notice>: SGDSuggestManager: realtimeSuggestionsForMailOrMessageWithHash: com.apple.MobileSMS : <private>
Feb 21 17:40:53 vCw-2 suggestd(CoreSuggestionsInternals)[30399] <Notice>: SGDSuggestManager: starting dissection.

The identification of this hidden bundle ID is essential for allowing the specific iMessage Business Chat feature to function as intended in our MDM-managed devices. Does anyone have insights into why the bundle ID might be hidden or how to uncover it? Are there tools or methods available that could help me identify this bundle ID for MDM whitelist configuration purposes? I appreciate any guidance or recommendations you can provide. Thank you for your time and assistance.
Posted by isach.
Post not yet marked as solved
9 Replies
590 Views
Hi! We are developing VPN software for the iOS platform, and our customers report a rare issue that we cannot reproduce. We seek any advice about the root cause of such a problem. On every update, we notice an increased number of customer reports saying that the tunnel process is in a "connecting" loop, and to break the loop the customer has to remove the VPN profile from the settings. As none of our testers could reproduce the issue, we have minimal knowledge to work on.

What we know so far:
- The OnDemand rules cause the tunnel process to be restarted in the loop
- The tunnel process does not start at all. We have logs from our customers, and we know that the application tries to start an extension, but the extension does not start at all. Something in the operating system prevents the extension from starting.
- The issue reappears on every app update.

My theory so far is that the profile gets broken during an update process, but we have no means of confirming that. Is this a known issue? Any advice on how could we reproduce the problem? Thank you in advance for any tips!
Posted by twardakm.
Post not yet marked as solved
0 Replies
281 Views
I have found that Declarative management, although intriguing and could be useful in the future, is quite lacking. At this point in development, I don't see an advantage over using MDM commands. In order for a device to apply policies, the device must first post to a server to receive the manifest set, then for each item in the set, the device must post to the server to get the policy. How is that better than posting via MDM to obtain a policy (configuration profile, app, etc.)? It seems there is no benefit in terms of time complexity. In both scenarios the device would need to make O(n) posts. This doesn't solve the scalability issue with regards to the MDM channel. The limitation with regards to available native declarations vs configuration profiles means declarative management is not yet ready for prime time. Although the first attempt at solving this through LegacyProfiles allows for installing ConfigurationProfiles, this method adds another POST, so at this point it's 1 post to get the manifest, then 2 more posts to get the policy, which is even worse than MDM. Regarding the status channel, the status report is missing quite a bit of device information. Currently, in order to obtain a more complete view of device state using MDM, the MDM server must send a set of commands to get information, installed profiles, apps, certificate, etc. The Status channel includes some of this stuff, but not all of it, which means a device must augment the status channel with some (or all) of these commands.
Posted by rweiss.
Post not yet marked as solved
0 Replies
290 Views
Vision Pro is getting MDM support, which is good for companies that want to bring them into the enterprise, but security needs to be addressed. Does anyone know what cryptographic module VisionOS uses? I didn't see any info here: https://support.apple.com/en-us/103688 or https://support.apple.com/guide/certifications/welcome/web
Posted by nelso171.
Post not yet marked as solved
2 Replies
430 Views
Hello! I made an iOS app for a research study that blocks network connections with certain websites. I need to block around 2000 web domains. To achieve this, I had two options:
- Use Screentime API
- Use Network Extension

Screentime API has a limitation that limits the number of websites it can block to 50 (https://developer.apple.com/documentation/managedsettings/webcontentsettings/blockedbyfilter-swift.property). The Network Extension on the other hand requires my device to be in supervised mode, which as I understand it, involves erasing the data on the phone and resetting it. Hence, I am here to ask if there is a way to do this without erasing user data when setting the device into supervised mode. Also, I am open to hearing any other alternatives I could pursue. Thanks!!
Posted by stilakid.
Post not yet marked as solved
0 Replies
373 Views
We are enrolled in the Apple Developer Program as an organization but still, I don't see any options to create an MDM certificate in the certification section. Kindly guide us the steps and options to enable the same.
Posted by WitsLab.
Post not yet marked as solved
0 Replies
341 Views
https://developer.apple.com/documentation/managedappdistribution
https://developer.apple.com/documentation/appdistribution/fetching-and-displaying-managed-apps

We have tested the above Apple documentation regarding Managed Application Distribution. To note: We are trying to provide a custom AppStore in our MDM App for Managed Apps.

We have done all the steps mentioned in the documentation:
- Got Entitlement and enabled for the app.
- Used the exact code in a new SwiftUI project.

Attaching screenshots for the compile time error I get. First screenshot shows an error when building the project with a physical device (iOS 17.4). Second one shows a different error when building with a simulator. I have checked all the Apple documentation and WWDC videos for further clues on this. But no help! It will be helpful if anyone can help me with an exact working model for this framework.
Post not yet marked as solved
0 Replies
417 Views
My company has an iOS and tvOS app which are distributed under the same bundle ID. We have recently released an update to the tvOS app but not the iOS app. Subsequently, some of our customers have told us that their MDM solution (Jamf Pro) does not allow them to install the update. This is because the software shows the latest version as being the iOS version (4.6.6), and it does not appear to share any additional details of the tvOS platform. Meaning all version checks show that the app is up to date. Performing a fresh install does indeed pull the latest version (5.0.3) on AppleTV. And updates can be performed on device manually. This is not suitable for our customers who have over 200 AppleTVs in use. I have contacted Jamf who have suggested I contact Apple. So here I am. From my perspective, it seems like the App Store directory information that MDM providers access does not have separate tvOS and iOS version information meaning that their tools can't tell when a platform version has been updated. This means our only solution would be to update the iOS version and keep it on par with our tvOS version. This isn't really feasible as our iOS usage is around 0.01%.
Posted by dombarnes.