Post not yet marked as solved
I captured plaintext versions of the various Q&A threads from the Slack-hosted Q&A for Device Management on Wednesday, June 8th 2022. If interested, please see the attached "Notes from Slack":
Notes from Slack
Post not yet marked as solved
I am currently trying to use EC2 Mac instances to run a CI/CD pipeline which involves running tests with Electron/Selenium. In order to run these tests, OpenGL needs to be available.
I'm currently getting the error on line 49 of https://chromium.googlesource.com/chromium/src/+/8f066ff5113bd9d348f0aaf7ac6adc1ca1d1cd31/ui/gl/init/gl_initializer_mac.cc.
With the output on the instance giving:
2022-06-09 19:38:25.937 Electron[52243:188559] +[NSXPCSharedListener endpointForReply:withListenerName:]: an error occurred while attempting to obtain endpoint for listener 'ClientCallsAuxiliary': Connection interrupted
[52245:0609/193826.555969:ERROR:gl_initializer_mac.cc(65)] Error choosing pixel format.
[52245:0609/193826.556035:ERROR:gl_initializer_mac.cc(193)] GLSurfaceCGL::InitializeOneOff failed.
[52245:0609/193826.664827:ERROR:viz_main_impl.cc(188)] Exiting GPU process due to errors during initialization
The root cause of this is that there is no display connected to the Mac mini. Using VNC to screen share with the host (which creates a display) allows OpenGL to work as expected. Unfortunately this is not a solution/workaround for my use case, as I will need to restart/reboot these instances after each run. I have tested this multiple times, and after rebooting the instance the display is no longer present. (I have verified the displays being recognized / not being recognized with displayplacer list.)
Is there any way to make the Mac mini host think that it has a display without relying on physical workarounds (I don't have physical access to the machine) or using software like BetterDummy that I can't run in a script?
Post not yet marked as solved
I took notes during the "Custom app distribution and device management" lab. If interested, please see the attached "Notes from lab":
Notes from lab
Post not yet marked as solved
There isn't any comparable service to Business Essentials in Europe at the moment in terms of ease of use. When will it be available?
Post not yet marked as solved
I took notes during the "What's new in managing Apple Devices" session. If interested, please see the attached "Notes from session":
Session Notes
For the session video, please see the following link: https://developer.apple.com/wwdc22/10045
Post not yet marked as solved
I created a profile using the Configurator app to add 2 E-Mail accounts with S/MIME signing enabled. I added the certificates to the profile as well and selected them in the E-Mail Accounts advanced settings. The certificates are issued by DigiCert. However, even though the certificate shows up in the advanced settings and is selected, my Mail app keeps telling me that:
Unable to Sign
You can't send signed messages because a signing identity for the address "@.***" could not be found. Go to the Advanced settings for this account to choose a signing identity.
I tried:
removing the profile and manually setting up the accounts
recreating the profile from scratch
creating a separate profile that only installs the certificates
S/MIME signing is enabled and the required certificate is selected.
The same certificates work on my Mac and Windows devices. The file format is .p12.
Post not yet marked as solved
Is there a way to push multiple apps in a single request using "InstallApplication" command via MDM?
The request seems to take only one app at a time.
We are an MDM platform vendor and are hoping to deploy all the license-assigned apps during the initial device enrollment time.
Any sample list request snippet would be helpful.
Post not yet marked as solved
When Disallow the creation of VPN configurations is enabled through MDM restriction on an iOS device, 3rd party VPN applications are still able to create and enable a VPN configuration and connections.
Post not yet marked as solved
I am posting here as I am at a loss for what to try next.
I want to remotely install an application with an endpoint security system extension using my MDM (MicroMDM). To do this, I am sending an InstallEnterpriseApplication command to my MDM server to install an application containing a system extension with an endpoint security entitlement.
The application installs without error according to install.log. However, when I inspect the app that was installed, its contents have been modified. This breaks codesigning and the application cannot load the endpoint security system extension anymore.
HOWEVER, when I take the exact same installer.pkg and double click it from Finder to manually install it by hand, the resulting application is unmodified and as expected! I know the MDM server isn't modifying the application because when I download the installer from the URL that's in my manifest and hash it, the hash matches the original installer file I had before I uploaded it to my MDM.
Is there an issue with MDMs installing applications with system extensions/endpoint security entitlement?
I know this is not an issue with my codesigning or packaging because everything works fine when I double click the package installer and install it by hand.
Has anyone run into this?
Here is my manifest.plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>items</key>
  <array>
    <dict>
      <key>assets</key>
      <array>
        <dict>
          <key>kind</key>
          <string>software-package</string>
          <key>md5-size</key>
          <integer>10485760</integer>
          <key>md5s</key>
          <array>
            <string>HASH1</string>
            <string>HASH2</string>
            <string>HASH3</string>
          </array>
          <key>url</key>
          <string>https://mdm-testing.sys/repo/installer.pkg</string>
        </dict>
      </array>
    </dict>
  </array>
</dict>
</plist>
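An integrity check for a manifest of this shape, as an added example that is not part of the original post: it recomputes the per-chunk MD5 list and reports which chunks differ, which a single whole-file hash cannot show. It assumes each md5s entry is the MD5 of one md5-size-byte chunk of the package, in order; the sample bytes, the 1024-byte chunk size and the example.invalid URL are constructed for illustration.

```python
import hashlib
import plistlib


def chunk_md5s(data: bytes, chunk_size: int) -> list:
    """MD5 hex digest of each consecutive chunk; the last chunk may be shorter."""
    return [hashlib.md5(data[i:i + chunk_size]).hexdigest()
            for i in range(0, len(data), chunk_size)]


def software_package_asset(manifest_bytes: bytes) -> dict:
    """Return the first software-package asset found in a manifest plist."""
    manifest = plistlib.loads(manifest_bytes)
    for item in manifest["items"]:
        for asset in item["assets"]:
            if asset.get("kind") == "software-package":
                return asset
    raise ValueError("manifest has no software-package asset")


def verify_package(manifest_bytes: bytes, pkg: bytes) -> list:
    """Return indexes of chunks whose MD5 differs from the manifest ([] = match)."""
    asset = software_package_asset(manifest_bytes)
    expected = [h.lower() for h in asset["md5s"]]
    actual = chunk_md5s(pkg, asset["md5-size"])
    if len(expected) != len(actual):
        # A chunk-count mismatch means a wrong md5-size or a truncated/padded file.
        raise ValueError(f"manifest lists {len(expected)} chunks, "
                         f"package has {len(actual)}")
    return [i for i, (e, a) in enumerate(zip(expected, actual)) if e != a]


def build_manifest(pkg: bytes, chunk_size: int, url: str) -> bytes:
    """Build a minimal manifest plist for pkg (same keys as the post's manifest)."""
    asset = {"kind": "software-package", "md5-size": chunk_size,
             "md5s": chunk_md5s(pkg, chunk_size), "url": url}
    return plistlib.dumps({"items": [{"assets": [asset]}]})


# Constructed sample: 2560 bytes in 1024-byte chunks gives three md5s entries.
SAMPLE_PKG = bytes(range(256)) * 10
SAMPLE_MANIFEST = build_manifest(
    SAMPLE_PKG, 1024, "https://mdm.example.invalid/repo/installer.pkg")

if __name__ == "__main__":
    print("mismatched chunks:", verify_package(SAMPLE_MANIFEST, SAMPLE_PKG))
```
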
Post not yet marked as solved
We are pushing a HomeScreenlayout payload with no "docks" array.
The behaviour on iOS is that the dock at the bottom disappears. But on iPadOS, the dock is still at the bottom with recent apps listed there. Attached is a screenshot of the iPad's behaviour.
Payload:
<dict>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadUUID</key>
  <string>____________-</string>
  <key>PayloadType</key>
  <string>com.apple.homescreenlayout</string>
  <key>PayloadOrganization</key>
  <string>MDM</string>
  <key>PayloadIdentifier</key>
  <string>_______________</string>
  <key>PayloadDisplayName</key>
  <string>Homescreen Layout</string>
  <key>Pages</key>
  <array>
    <array>
      <dict>
        <key>BundleID</key>
        <string>com.apple.mobilephone</string>
        <key>Type</key>
        <string>Application</string>
      </dict>
      <dict>
        <key>BundleID</key>
        <string>com.apple.Preferences</string>
        <key>Type</key>
        <string>Application</string>
      </dict>
      <dict>
        <key>BundleID</key>
        <string>com.google.ios.youtube</string>
        <key>Type</key>
        <string>Application</string>
      </dict>
      <dict>
        <key>BundleID</key>
        <string>com.manageengine.mdm.iosagent</string>
        <key>Type</key>
        <string>Application</string>
      </dict>
    </array>
  </array>
</dict>
Is it possible to remove the dock from iPadOS, or is there anything I am missing to disable the dock or distinguish between dock-added apps and Recent Apps?
Post not yet marked as solved
We have a use case where we want all the network calls from the Mac device to go through the VPN. We tried using the OnDemand field in VPN. Unfortunately, users with admin privileges are still able to disconnect from the VPN, even if we enable OnDemand. Admin users can disconnect by disabling the OnDemand option in VPN settings. We noticed that there is an option to restrict the OnDemand option in iOS, as mentioned here, using the field
OnDemandUserOverrideDisabled
However, this is not supported in macOS. Can anyone suggest a mechanism to restrict users from disabling VPN?
Post not yet marked as solved
In the latest update of macOS 12.3, the Login Window Items payload does not work. However, it was working until macOS 12.1. The profile applies successfully, but the required apps are not listed under the Login Window Items tab in Users & Groups.
Here is the payload we tried on both OS versions:
<dict>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadUUID</key>
  <string>bdcc8534-8a2e-40b5-bf65-17ab9247319c</string>
  <key>PayloadType</key>
  <string>com.apple.loginitems.managed</string>
  <key>PayloadOrganization</key>
  <string>MDM</string>
  <key>PayloadIdentifier</key>
  <string>bdcc8534-8a2e-40b5-bf65-17ab9247319c</string>
  <key>PayloadDisplayName</key>
  <string>Mac Login Window Item</string>
  <key>AutoLaunchedApplicationDictionary-managed</key>
  <array>
    <dict>
      <key>Path</key>
      <string>/Applications/Safari.app</string>
      <key>Hide</key>
      <false/>
    </dict>
  </array>
</dict>
Post not yet marked as solved
In the document by Apple over here, it says that AlwaysOn VPN is supported in macOS 10.7+. However, AlwaysOn doesn't seem to work in macOS even in the latest OS. We came across a post where it states that it is supported only for iOS. We had a requirement for supporting AlwaysOn VPN for macOS.
Also, in the console log, we found the following error while sending a profile with an AlwaysOn VPN configuration:
error 16:19:45.716722+0530 mdmclient NEConfiguration initWithVPNPayload: failed
error 16:19:45.717076+0530 mdmclient [ERROR] <<<<< PlugIn: InstallPayload [NEProfileIngestionPlugin] Error: Error Domain=ConfigProfilePluginDomain Code=-319 "The ‘VPN Service’ payload could not be installed. The VPN service could not be created." UserInfo={NSLocalizedDescription=The ‘VPN Service’ payload could not be installed. The VPN service could not be created.} <<<<<
Post not yet marked as solved
We tried this Global Preference configuration profile payload to enable fast user switching on the device, but unfortunately, after successfully applying the payload, fast user switching still remains disabled on the device, with the user restricted from modifying the setting. PFA the screenshot of the settings applied in the profile as well as a screenshot of the Login Window settings.
OS version: macOS 12.1
<dict>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadUUID</key>
  <string>7b3041b6-d1fb-43d8-af8c-1028cde8b534</string>
  <key>PayloadType</key>
  <string>.GlobalPreferences</string>
  <key>PayloadOrganization</key>
  <string>MDM</string>
  <key>PayloadIdentifier</key>
  <string>7b3041b6-d1fb-43d8-af8c-1028cde8b534</string>
  <key>PayloadDisplayName</key>
  <string>Mac Global Preference payload</string>
  <key>MultipleSessionEnabled</key>
  <true/>
  <key>LULookupDisabled</key>
  <false/>
  <key>com.apple.autologout.AutoLogOutDelay</key>
  <integer>0</integer>
</dict>
Post not yet marked as solved
We have sent the payload for restricting all the apps except YouTube and the MEMDM app. The payload is listed below.
The problem is that all the apps are restricted except the apps that were offloaded before. The icons of the offloaded apps appear on the home screen.
Attached is the screenshot of the above offloaded icons with multi-app kiosk enabled.
Is this the expected behaviour?
Or is there anything I am missing? Can anyone help me with this?
Payload sent to the device:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadUUID</key>
  <string>------------</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadOrganization</key>
  <string>-----</string>
  <key>PayloadIdentifier</key>
  <string>----------------</string>
  <key>PayloadDisplayName</key>
  <string>MultiApp Kiosk</string>
  <key>PayloadRemovalDisallowed</key>
  <true/>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadUUID</key>
      <string>----------------</string>
      <key>PayloadType</key>
      <string>com.apple.applicationaccess</string>
      <key>PayloadOrganization</key>
      <string>MDM</string>
      <key>PayloadIdentifier</key>
      <string>---------------</string>
      <key>PayloadDisplayName</key>
      <string>AppLock Whitelist Policy</string>
      <key>whitelistedAppBundleIDs</key>
      <array>
        <string>com.google.ios.youtube</string>
        <string>com.manageengine.mdm.iosagent</string>
        <string>com.apple.webapp</string>
      </array>
      <key>allowListedAppBundleIDs</key>
      <array>
        <string>com.google.ios.youtube</string>
        <string>com.manageengine.mdm.iosagent</string>
        <string>com.apple.webapp</string>
      </array>
    </dict>
  </array>
</dict>
</plist>
Post not yet marked as solved
I am using an MDM solution to set the Dock settings of a macOS device.
When I set the "autohide-immutable" key to true, the "Automatically hide" button should be locked. But in our case, the "Automatically hide" button is not locked until we change or click some other option in the Dock Settings.
After clicking an option in Dock Settings, the "Automatically Hide" button gets locked.
The problem here is that we can also click the "Automatically Hide" button and change its value before it is locked.
https://developer.apple.com/documentation/devicemanagement/dock
Post not yet marked as solved
The InstallProfile command to install a configuration profile on a Mac is available on both the Device Channel and the User Channel for macOS, according to:
https://developer.apple.com/documentation/devicemanagement/install_a_profile
What is it then, in my construction of this command, that determines on which channel it is sent? In other words, how do I force it to use the Device Channel (since mine contains device configuration payloads) and not the User channel?
Post not yet marked as solved
requireManagedPasteboard - boolean If true, copy and paste functionality respects the allowOpenFromManagedToUnmanaged and allowOpenFromUnmanagedToManaged restrictions. Also available for user enrollment.
As suggested, it doesn't allow text to be copied from managed apps and pasted in any unmanaged app, and vice versa.
But there is another way to get the text to another unmanaged/managed app: highlighting text in the mail content and clicking on the 'Share' option leads to the text being opened in the destination app.
Steps:
Pushed a managed account to the native Mail app.
Pushed a restriction with "requireManagedPasteboard".
Opened a mail and highlighted the text contents.
Clicked on the Share option. It lists all the apps (both managed and unmanaged) to share the text with.
I clicked on the Notes app. The highlighted text got moved to the Notes app.
When I tried the same by copying and pasting into the Notes app, it says "Enabled Restriction for Copy/Paste".
Attached is the screenshot showing where the "Share" option appears.
Kindly check whether this is the default behaviour, or is there anything I am missing?
Post not yet marked as solved
I'm developing an app that has a URL blocking feature (Web Content Filter). I want to upload it to the App Store so any user can download the app.
To do that I have to set up an MDM server.
I have a Company / Organization account.
Can anyone guide me through the MDM process?
I have a few questions.
What kind of account is needed?
What things need to be done from the app(mobile) side?
What things need to be done from the server-side?
What will be the procedure to create an MDM profile and distribute it to the App Store user?
Post not yet marked as solved
Hi, we are an MDM solution trying to collect data usage data from iOS devices. We have our own native app, where we are able to get the data usage with some limitations:
While fetching continuously, it shows usage up to a maximum of 4 GB. After 4 GB, it resets the current count and starts again from 0.
Forum Link
Also, the above data fetched in one instance resets to zero on restarting the device.
So we are planning to use Content Filter Provider extensions to keep track of data usage. We have no clear documentation on using this.
With some third-party domain references,
below are the questions on it.
For Content Filtering to work, we need to add a web content filter plugin with the app's distribution certificate as its authentication. -> As we are an MDM solution, is it necessary to give all the cx our distribution certificate with its private key?
Will Content Filtering satisfy our needs, as we can see that it works in a tight container? Is it possible to collect the data usage of the device without any limitations?
It would be good if there were a proper Apple document on using this extension. Is there any?
Also, will it be possible to use this without the distribution certificate authentication?
Apple Doc: Link
Any suggestions are welcome. Thanks in advance.