Post not yet marked as solved
Hi Apple community,
I am writing this regarding device based activation lock can enable on device which is in 30 days DEP provisional period.
Within the DEP provisional period, I can remove the remote management on my device. So the device is considered to use as my personal device ,not organization owned.
Since MDM device based activation lock can enable during this provisional period, The device no longer be referred to use as my personal device also . what is the use of that 30 days?
Kindly educate us on this case to whether this an intended options or a bug.
Thanks in Advance
Post not yet marked as solved
Deploying certificates with MDM currently has a major limitation that you can only deploy certificates into the login keychain of the "MDM user" which is normally the user present when the device was enrolled.
Does declarative device management certificate management address this at all?
Post not yet marked as solved
i have disabled SIP , but still can't edit or remove read only file system Like ARDAgent.app
is there a way to remove it from my system ?
Macos Monterey
Macbook air13 2017
Post not yet marked as solved
Updated Mac Mini, M1, 2020 to macOS Sonoma 06/07/23. Since updating I am receiving a Remote Management Request for "Apple RCC - DTA + APPLE INTERAL".
It's worth noting that this device was purchased NEW and has never had MDM on it. Previous betas of Ventura have not prompted MDM.
So far I have tried, Erase All Content and Settings, completely wiping the HD and installing a fresh copy of Ventura. Now i am stuck in the MDM lock loop.
Photo is post reset.
Post not yet marked as solved
Hi all,
We deploy custom iOS/ipadOS apps to our iPads via jamf cloud. The apps are add-hoc releases using our distribution profile that includes all the iPads UUID. We then upload the apps to jamf and from there send it to our iPads.
When we deploy new versions of existing apps, we ran into issues where jamf would not update the app. After checking the iPad logs on the console, we found the follow errors that occurs every time jamf tries to push the new app:
default 12:47:03.239756-0700 dmd container_acquire_sandbox_extension: success
default 12:47:03.239780-0700 dmd container_acquire_sandbox_extension com.myCompany.myApp succeeded for path '/private/var/mobile/Containers/Data/Application/93DBC421-803E-48B5-B704-429908066041'
error 12:47:03.240395-0700 cfprefsd rejecting read of { com.myCompany.myApp, mobile, kCFPreferencesCurrentHost, /Library/Managed Preferences/mobile/com.myCompany.myApp.plist, managed: 1 } from process 122 (dmd) because accessing these preferences requires user-preference-read or file-read-data sandbox access
fault 12:47:03.240600-0700 dmd Couldn't read values in CFPrefsManagedSource<0xda8a2c9a0> (Domain: com.myCompany.myApp, User: kCFPreferencesCurrentUser, ByHost: Yes, Container: (null), Contents Need Refresh: Yes): accessing these preferences requires user-preference-read or file-read-data sandbox access
default 12:47:03.240695-0700 dmd Revoking sandbox extension; key = 43
It seems as if the MDM process cannot update the app because of missing entitlements? Weird enough, this does not happen on all our iPads, only on a subset and we have not found the pattern yet to narrow down what the issue is.
We reached out to jamf but they claim the issue is with our app. But we can't really figure out what we would have to do to our app to let the MDM process update it.
When searching for this on google we found some related issues for macOS apps but nothing for iOS/ipadOS.
Any hints or pointers what the issue with our app could be? Thanks!
Post not yet marked as solved
We encountering an issue with HasUpdateAvailable Key is not updating in InstalledApplicationList when the newer app version is available for the device to update from App Store.
Problem Description:
When an App Store app or Custom app has a newer version released, the HasUpdateAvailable Key in Installed Application List is never updating.
In InstalledApplicationList the HasUpdateAvailable value is False even when a newer app version is available to update.
For Example, Google Slides app ( com.google.Slides ) was released a new version - 1.2023.22200 was on June 7, 2023. By checking the device, The InstalledApplicationList response on June 10.
The hasUpdateAvailable key is False, Even though the app has an update available.
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CommandUUID</key>
<string>InstalledApplicationList</string>
<key>InstalledApplicationList</key>
<array>
<dict>
<key>AdHocCodeSigned</key>
<false/>
<key>AppStoreVendable</key>
<true/>
<key>BetaApp</key>
<false/>
<key>BundleSize</key>
<integer>198696960</integer>
<key>DeviceBasedVPP</key>
<false/>
<key>DynamicSize</key>
<integer>143360</integer>
<key>ExternalVersionIdentifier</key>
<integer>857221931</integer>
<key>HasUpdateAvailable</key>
<false/>
<key>Identifier</key>
<string>com.google.Slides</string>
<key>Installing</key>
<false/>
<key>IsAppClip</key>
<false/>
<key>IsValidated</key>
<true/>
<key>Name</key>
<string>Slides</string>
<key>ShortVersion</key>
<string>1.2023.20201</string>
<key>Version</key>
<string>1.2023.20201</string>
</dict>
</array>
<key>Status</key>
<string>Acknowledged</string>
<key>UDID</key>
<string>00008020-XXXXXXXXXXXX</string>
</dict>
</plist>
Note :- We are experiencing this issue in multiple OS version for most of the apps. All the devices which we tested are compatible with the latest app version
Post not yet marked as solved
After we wipe the Mac using MDM EraseDevice command, the screen appears asking for PIN and when we enter the correct PIN provided in EraseDevice command, it says Try again in 24284826 minutes, which is like 46 years. We could recover this by connecting the device to LAN, but can we avoid this screen?
?
Post not yet marked as solved
Is it possible to deploy a custom app though AEM/MDM and User Enrolment onto non-enterpise devices (BYOD) also in other countries? (meaning that e.g. the AEM account is in one country and the user that needs to install the app is located in another country)
Or asked differently:
When using User Enrolment for MDM, the user registers with a Managed Apple ID provided via ABM. Can the user then download a custom app that was made available via ABM in country A, even if his personal/private Apple ID is registered to country B?
Post not yet marked as solved
Hello,
basically I want to achieve the following.
I have an iPhone that should establish a vpn connection over every network connection (cellular, wifi) => always on demand.
There is only one big requirement. Default should be "VPN Profile A".
If it is connect to a special wifi, let's call it "SpecialWifi", it should use "VPN Profile B".
The "only" problem is, that I have to switch manually the vpn profile, weather I'm connected to "SpecialWifi" or not.
So my question is, is it possible that the vpn profile switch is done automatically or do I have to switch it manually?
This is my mobileconfig file, that works with my vpn gateway.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<!-- Default VPN Profile -->
<dict>
<key>UserDefinedName</key>
<string>Default VPN Profile</string>
<key>PayloadDisplayName</key>
<string>Default VPN Profile</string>
<key>PayloadIdentifier</key>
<string>com.apple.vpn.managed.default</string>
<key>PayloadType</key>
<string>com.apple.vpn.managed</string>
<key>PayloadUUID</key>
<string>xxxx</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Proxies</key>
<dict>
<key>HTTPEnable</key>
<integer>0</integer>
<key>HTTPSEnable</key>
<integer>0</integer>
</dict>
<key>VPN</key>
<dict>
<key>AuthName</key>
<string>DEFAULT</string>
<key>AuthenticationMethod</key>
<string>Password</string>
<key>RemoteAddress</key>
<string>DEFAULT</string>
</dict>
<key>VPNSubType</key>
<string>net.openvpn.connect.app</string>
<key>VPNType</key>
<string>VPN</string>
<key>VendorConfig</key>
<dict>
DefaultVPNEndpointConfiguration
</dict>
<key>OnDemandEnabled</key>
<integer>1</integer>
<key>OnDemandRules</key>
<array>
<dict>
<key>InterfaceTypeMatch</key>
<string>WiFi</string>
<key>SSIDMatch</key>
<array>
<string>SpecialWifi</string>
</array>
<key>Action</key>
<string>Disconnect</string>
</dict>
<dict>
<key>Action</key>
<string>Connect</string>
</dict>
</array>
<key>IPv4</key>
<dict>
<key>OverridePrimary</key>
<integer>1</integer>
</dict>
</dict>
<!-- Special Wifi VPN Profile -->
<dict>
<key>UserDefinedName</key>
<string>Special wifi Profile</string>
<key>PayloadDisplayName</key>
<string>Special wifi Profile</string>
<key>PayloadIdentifier</key>
<string>com.apple.vpn.manged.specialwifi</string>
<key>PayloadType</key>
<string>com.apple.vpn.managed</string>
<key>PayloadUUID</key>
<string>xxxx</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Proxies</key>
<dict>
<key>HTTPEnable</key>
<integer>0</integer>
<key>HTTPSEnable</key>
<integer>0</integer>
</dict>
<key>VPN</key>
<dict>
<key>AuthName</key>
<string>DEFAULT</string>
<key>AuthenticationMethod</key>
<string>Password</string>
<key>RemoteAddress</key>
<string>DEFAULT</string>
</dict>
<key>VPNSubType</key>
<string>net.openvpn.connect.app</string>
<key>VPNType</key>
<string>VPN</string>
<key>VendorConfig</key>
<dict>
SpecialVPNEndpointConfiguration
</dict>
<key>OnDemandEnabled</key>
<integer>1</integer>
<key>OnDemandRules</key>
<array>
<dict>
<key>InterfaceTypeMatch</key>
<string>WiFi</string>
<key>SSIDMatch</key>
<array>
<string>SpecialWifi</string>
</array>
<key>Action</key>
<string>Connect</string>
</dict>
<dict>
<key>Action</key>
<string>Disconnect</string>
</dict>
</array>
<key>IPv4</key>
<dict>
<key>OverridePrimary</key>
<integer>1</integer>
</dict>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>VPN Configuration</string>
<key>PayloadIdentifier</key>
<string>myidentifier.xxxxx</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>xxxx</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
Thanks for helping
We have the following issues on a iPad enrolled as Shared iPad via MDM using Apple Business Manager (ABM)
We are unable to use the mail app in Shared iPad. The following error message is shown “This iPad is restricted from creating mail accounts”. When checked from MDM whether any such account restriction was added, they was none added to this device.
We are also unable to add accounts via Settings app as well.
And also when checking the Shared iPad restriction documentation, mail app is not in the restricted list for Shared iPad
https://support.apple.com/en-mt/guide/apple-school-manager/axm3a8bb0ab8/web
Kindly let us know whether we can add mail accounts manually in Shared iPad device.
OS Version : iPadOS 16.5
Post not yet marked as solved
Problem Description:
A App Store (VPP - B2B) app distributed to a device through MDM is not installing. The "InstalledApplicationList" response doesn't have the app in it. The "ManagedApplicationList" response has the app with status as "ManagedButUninstalled". But this cannot happen since there is a restriction - allowAppRemoval is set to false for this device which prevents the removal of installed apps in that device. This is applied before the app was distributed to MDM.
Steps to reproduce:
Enroll a device in MDM.
Use restrictions payload[com.apple.applicationaccess] with a key "allowAppRemoval" set to "true".
Distribute an app to device.
Perform operations to fetch "InstalledApplicationList" and "ManagedApplicationList".
Expected Result:
The device should install the app successfully and ManagedApplicationList response should return "Managed" status for the app.
Actual Result:
The device doesn't install the app and "ManagedApplicationList" returns "ManagedButUninstalled" status.
InstallApplication Response:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CommandUUID</key>
<string>InstallApplication;Collection=899898</string>
<key>Identifier</key>
<string>pad.xxxx.ilD</string>
<key>State</key>
<string>Installing</string>
<key>Status</key>
<string>Acknowledged</string>
<key>UDID</key>
<string>000000-00000000-00000000</string>
</dict>
</plist>
ManagedApplicationList Response:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CommandUUID</key>
<string>ManagedApplicationList</string>
<key>ManagedApplicationList</key>
<dict>
<key>com.manageengine.mdm.iosagent</key>
<dict>
<key>ExternalVersionIdentifier</key>
<integer>857024336</integer>
<key>HasConfiguration</key>
<true/>
<key>HasFeedback</key>
<true/>
<key>IsValidated</key>
<true/>
<key>ManagementFlags</key>
<integer>5</integer>
<key>Status</key>
<string>Managed</string>
</dict>
<key>com.teamviewer.teamviewerQS</key>
<dict>
<key>ExternalVersionIdentifier</key>
<integer>851678159</integer>
<key>HasConfiguration</key>
<false/>
<key>HasFeedback</key>
<false/>
<key>IsValidated</key>
<true/>
<key>ManagementFlags</key>
<integer>5</integer>
<key>Status</key>
<string>Managed</string>
</dict>
<key>pad.xxxx.ilD</key>
<dict>
<key>ExternalVersionIdentifier</key>
<integer>857489710</integer>
<key>HasConfiguration</key>
<true/>
<key>HasFeedback</key>
<false/>
<key>IsValidated</key>
<false/>
<key>ManagementFlags</key>
<integer>5</integer>
<key>Status</key>
<string>ManagedButUninstalled</string>
</dict>
</dict>
<key>Status</key>
<string>Acknowledged</string>
<key>UDID</key>
<string>000000-00000000-00000000</string>
</dict>
</plist>
Restrictions Response:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CommandUUID</key>
<string>Restrictions</string>
<key>GlobalRestrictions</key>
<dict>
<key>intersection</key>
<dict>
<key>autonomousSingleAppModePermittedAppIDs</key>
<dict>
<key>values</key>
<array>
<string>pad.xxxx.ilD</string>
</array>
</dict>
<key>whitelistedAppBundleIDs</key>
<dict>
<key>values</key>
<array>
<string>pad.xxxx.ilD</string>
<string>com.manageengine.mdm.iosagent</string>
<string>com.teamviewer.teamviewerQS</string>
</array>
</dict>
</dict>
<key>restrictedBool</key>
<dict>
<key>allowAppRemoval</key>
<dict>
<key>value</key>
<false/>
</dict>
</dict>
<key>restrictedValue</key>
<dict>
<key>maxInactivity</key>
<dict>
<key>value</key>
<integer>5</integer>
</dict>
</dict>
<key>union</key>
<dict>
<key>blacklistedAppBundleIDs</key>
<dict>
<key>values</key>
<array>
<string>com.google.Drive</string>
<string>com.apple.news</string>
</array>
</dict>
</dict>
</dict>
<key>Status</key>
<string>Acknowledged</string>
<key>UDID</key>
<string>000000-00000000-00000000</string>
</dict>
</plist>
Post not yet marked as solved
Anyone testing the new CellularPrivateNetwork.GeofenceItem in a profile? I am not seeing the phone under test switch from the private cellular (or non-public) connection (set as the preferred, when available) to the public cellular connection when I move outside of the set geofence. It has had no affect. The profile is accepted and the parameters are all in scope of the function. Anyone else finding the same, or did they identify additional settings that needed to be applied if you found it to work?
Post not yet marked as solved
Our app uses Cordova with a Cordova Local Webserver plugin. This plugin uses the url http://localhost: with a randomly chosen port. Some of the devices that our app runs on are MDM configured and have Content Filters enabled which only allows a finite list of website URLs to be accessed. This configuration has always worked in the past. Starting with the release of iPadOS 16.5, our app now hangs because the content filters are now preventing access to http://localhost. We've tried adding http://localhost, plus any derivative of that URL (i.e. http://localhost:, http://localhost:*, etc.) to the Allowed Website list, but this does not help.
Wondering if anyone else has encountered this issue.
Post not yet marked as solved
Hello there.
We have an endpoint security service that consists of a command-line tool and a client app that bundles a network extension (the command-line tool runs as a daemon via Launch Services and communicates with the extension via XPC). It works when installed manually under all OS versions, and under MacOS 12.x (Monterey) and earlier when provisioned via MDM.
However, beginning with some version of 13.x (Ventura), MDM provisioning is insufficient. The daemon is unable to connect to the extension via XPC.
Under "Full Disk Access" in System Pref^H^H^H^HSettings, an entry for our component appears but the switch is off. Turning the switch on manually at this point does not change the situation; the daemon apparently remains unable to talk to the extension.
It seems as though some additional entitlement or declaration is now needed in the MDM mobileconfig to make things work under 13.x and above, but after trying a multitude of combinations, I'm at a loss. Any hints?
Post not yet marked as solved
Hi all!
We are considering switching from App Store deployment to "enterprise" deployment via Apple Business Manager and Mobile Device Management for our custom app. I am getting contradictory information on this:
Can you deploy a custom app to employees of a company via Apple Business Manager WITHOUT the need of the app getting into the App Store?
The reason we are considering the switch is that we fear that Apple might reject our app for not having enough use for the "general public" and are therefore looking for a way to avoid the App Store review process. So if deploying via ABM/MDM still requires the app the get into the App Store and pass to App Store review process, that would be no use at all.
Post not yet marked as solved
We are unable to find the documentation for DDM in Managing apps. We searched the Apple Documentation for the newly introduced API and declarations announced (which are given below) but we could not find any results on this.
Documentation for New Apps and Books for Organizations API that replaces ContentMetaData API
Documentation for "com.apple.configuration.app.managed" DDM Configuration
Documentation for "app.managed.list" DDM status
The documentation has not been updated with these cases. Kindly help us on this.
Post not yet marked as solved
I am trying to get AccountConfiguration command to work on Macos. I send the admin name ,password and SkipPrimarySetupAccountCreation to the device.The Create Account got skipped as expected and the device recognizes the account and asks for the password, however for some reason it is not accepting the password that we enter. I am using the same password that was used in creation of the passwordHash key, sent in the command.May I know what im missing in the Password hash creation
Post not yet marked as solved
We're looking at ways to distribute an app to our clients. Its a business to business app.
For various reasons we'd like to avoid the Apple Business Manager if possible and distributing B2B apps with enterprise is against Apples policies.
We were informed by one of our clients that its possible to distribute the app by signing it with a developer distribution cert (non-enterprise) and just pushing the ipa through an MDM.
Is this possible and if so what's needed to accomplish this?
If it's not possible are there any other options other than the ABM?
Post not yet marked as solved
Hello! If you see this post on stackoverflow, it's because I posted in both places.
I have an app that I'm doing receipt validation via the validateReceipt endpoint (for iOS15) and the new StoreKit2 AppTransaction for iOS16. All is well until...
A user reported that the app keeps telling him that there is no app receipt to validate and wants him to sign in and get a new receipt. Trouble is, his iPad is under device management from Mosyle and he doesn't have the account ID or password to sign in with. Well duh, of course not, that's handled by IT.
My understanding is that the receipt is tied to the user account and the device that the app is on, so if the app is being distributed from a server then the receipt won't match the device, or possibly isn't even part of the distribution. I'm unclear on this, as all I'm getting is an alert about the receipt. I'm adding more code to detect and report on what might be happening inside the app, but in the meanwhile I have to figure out what to do to get rid of the warning prompt.
My questions, after having read volumes of unhelpful information about MDM's, are simple. Is there a way to detect inside the app if the app was installed via an MDM? Can I tell from inside the app if the device is registered in an MDM? And how can I tell that the app is authorized to run on the device if the receipt validation methods aren't, well, valid?
I have tried multiple combinations of search terms yet nowhere can I find out how to detect a valid MDM configuration and thus not look at the receipt. It seems the answer is either that developers aren't checking their receipt or that the solution is so blazingly simple that I'm just not seeing it.
Post not yet marked as solved
There is a Reddit Post (https://www.reddit.com/r/ios/comments/14k2kq1/how_to_configure_a_secondary_doh_dns_to_my_iphone/) about a secondary DoH DNS setting in iPhone.
But it seems that the DNSSettings doesn't support this.
DNSSettings (Required) A dictionary that defines a configuration for an encrypted DNS server.
It can only specify "an" encrypted DNS server.
Maybe I missed something. Is there a way to create a profile to support a primary and a secondary DNS-over-HTTPS DNS servers ?
I guess, however, iOS doesn't support 2 DoH DNS servers as the traditional DNS servers. Then Apple could consider to support primary and secondary DoH DNS.
