Post not yet marked as solved
Hi,
According to https://developer.apple.com/videos/play/wwdc2022/10096/, an agent user can disable login items on Ventura.
In an enterprise environment, an IT admin may want some processes to always be running as a launch daemon.
Is there an MDM rule to forbid the agent user from disabling a specific login item?
Thank you!
Post not yet marked as solved
We have a project that compiles an app for both x64 and arm64 Mac machines. This build is done via Visual Studio MSBuild with specific RIDs, and the Mac native code via Xcode.
Using the 'Packages' application we build a distribution package, which contains the two pkgs for the specific architectures. The project contains settings to pick the correct PKG according to the architecture running the installation ('Packages' will include a JavaScript script in the Distribution file for this).
This all works just fine when running the final PKG manually. But when deploying via Intune as LOB this doesn't work well. It seems Intune will skip the complete Distribution file and will install all the PKGs included in the distribution package.
The logfile shows that both x64 and arm64 are installed:
Install.log
This results in the x64 version being installed and then overwritten by the arm64 installation, and a non-functional app on an x64-based Mac.
We edited the preinstall.sh for both packages to do another architecture check and error out when running on the wrong platform; but that doesn't work either: Intune will cancel the whole installation transaction when one pkg fails, resulting in a non-installed package.
What would be a good way to create a universal installation/distribution package with both architectures which would be able to be deployed via Intune?
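As an added illustration of the mechanism the post describes (this is a constructed example, not the poster's file or the Packages tool's own output), here is a Distribution file in which a JavaScript check selects exactly one component package per architecture; the package identifiers, file names and version are assumptions. Any deployment tool that installs the embedded component packages directly instead of evaluating these choices will install both of them, which matches the behaviour reported above.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed example distribution.xml for a two-architecture installer.
     Identifiers, file names and version are placeholders. -->
<installer-gui-script minSpecVersion="2">
    <title>Example App</title>
    <!-- Let Installer run on both architectures; the choices below pick one payload. -->
    <options customize="never" require-scripts="false" hostArchitectures="x86_64,arm64"/>

    <script>
    <![CDATA[
    // hw.optional.arm64 is only present (value "1") on Apple silicon Macs;
    // on Intel Macs the sysctl does not exist and the lookup returns nothing.
    function isAppleSilicon() {
        return system.sysctl('hw.optional.arm64') == '1';
    }
    ]]>
    </script>

    <choices-outline>
        <line choice="arm64"/>
        <line choice="x64"/>
    </choices-outline>

    <!-- Hidden, non-editable choices: the "selected" expression is evaluated
         by Installer at run time, so exactly one package ends up selected. -->
    <choice id="arm64" title="Example App (Apple silicon)"
            visible="false" enabled="false" selected="isAppleSilicon()">
        <pkg-ref id="com.example.app.arm64"/>
    </choice>
    <choice id="x64" title="Example App (Intel)"
            visible="false" enabled="false" selected="!isAppleSilicon()">
        <pkg-ref id="com.example.app.x64"/>
    </choice>

    <!-- Component packages embedded in the flat distribution package. -->
    <pkg-ref id="com.example.app.arm64" version="1.0.0" onConclusion="none">ExampleApp-arm64.pkg</pkg-ref>
    <pkg-ref id="com.example.app.x64" version="1.0.0" onConclusion="none">ExampleApp-x64.pkg</pkg-ref>
</installer-gui-script>
```

Running `installer -pkg ExampleApp.pkg -target / -showChoicesXML` on a Mac of each architecture prints the evaluated choices without installing anything, which is a quick way to confirm that only one package is selected on each platform.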
Post not yet marked as solved
I forgot my admin password and I am logged into a basic account without admin rights, so I started searching for admin account password bypass options, and I found a way to reset it by shutting the iMac down, restarting it, and pressing "Command" + "R" until the loading bar appears. Afterwards, there should be a "Utilities" button on the dock, but I can't find it. I was supposed to click "Utilities", then "Terminal", and then type in "reset password", but I can't find the "Utilities" button. I downloaded macOS Ventura Developer Beta 2, so maybe this method only works with Mac OS X and later but not macOS Ventura, so I wanted to ask you guys if someone could help me out. Thanks for reading this article and I hope you know the answer!
Post not yet marked as solved
Hi, I'm implementing device attestation support on step-ca, and the attestation certificate, the leaf one in the x5c payload, doesn't include the nonce extension with the challenge token or the SHA256 hash of it, as explained in https://developer.apple.com/videos/play/wwdc2022/10143/
Is this implemented? Can it be a device-related problem, meaning that older models do not support this?
Post not yet marked as solved
The TokenUpdateRequest documentation suggests it may be possible for devices to send additional token update messages to the check-in server:
"... the iOS device may now send additional Token Update messages to the check-in server at any time while it has a valid MDM enrollment."
https://developer.apple.com/documentation/devicemanagement/tokenupdaterequest
(1) What triggers are there for the device to resend the TokenUpdateRequest, and/or how often does it occur?
Additionally, the MDM command documentation mentions retry behavior for the PUT/check-in:
"If the device disconnects from the MDM server while processing a command, it caches the result of the command and reports the result when it reconnects."
https://developer.apple.com/documentation/devicemanagement/implementing_device_management/sending_mdm_commands_to_a_device
(2) I would like to know the retry policy (maximum number of times, frequency) in this case.
Post not yet marked as solved
What were you doing on the device just before the crash occurred?
Pushed an app update for the autonomous kiosk enabled mode via MDM.
Which of the following did you encounter on-screen when the system crash occurred?
Stuck on black screen (had to force reboot the device).
Steps to reproduce:
Created two versions of the enterprise app, which will enter Guided Access mode on launch.
With MDM, we created an Autonomous Kiosk profile with the app we created (say Version 1) and pushed the profile to the device.
Checked that the profile payload is in the correct format.
On launching the app, the device enters kiosk mode and I was unable to exit the app (expected behaviour).
Other functionalities of the app worked well.
Now pushed another enterprise app of a higher version (say Version 2).
Actual behaviour: the app went to the background and is seen updating with a loading symbol over it. After the app got successfully updated, the app launches and then the device hangs. Can't touch anything, move it to the background or lock the screen. I could only get the device back after starting a remote Restart command from MDM.
Expected behaviour: on app update, the app should get updated and then be relaunched automatically on successful update. The system shouldn't freeze.
Can anyone help me with this case? Is this the expected behaviour, or is there anything to add in a Guided Access enabled app?
Thanks in advance
Post not yet marked as solved
Hello,
What's the status of managing books with the UserEnrollment context?
I remember this used to work with a glitch: the end user has to log in to Books with their managed Apple ID (which could be problematic, as you can't have both your own books and organization books).
But I'm currently not able to make it work: a VPP user is associated (silent invite) with the right managed Apple ID, enough time (more than an hour) has passed since a license was associated with the VPP user, and fetching the license from the API shows it has been set properly.
But installing the app via MDM always ends with an error:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Command</key>
    <dict>
        <key>MediaType</key>
        <string>Book</string>
        <key>RequestType</key>
        <string>InstallMedia</string>
        <key>iTunesStoreID</key>
        <integer>1525146196</integer>
    </dict>
    <key>CommandUUID</key>
    <string>e802d682-e8b1-6253-04f5-736dab7ecd13</string>
</dict>
</plist>
```

```xml
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CommandUUID</key>
    <string>e802d682-e8b1-6253-04f5-736dab7ecd13</string>
    <key>EnrollmentID</key>
    <string>971BB6F0-CA43-4B5E-9A1A-7BEF7A7BC286</string>
    <key>ErrorChain</key>
    <array>
        <dict>
            <key>ErrorCode</key>
            <integer>12047</integer>
            <key>ErrorDomain</key>
            <string>MDMErrorDomain</string>
            <key>LocalizedDescription</key>
            <string>A VPP purchase record for the item could not be found.</string>
            <key>USEnglishDescription</key>
            <string>A VPP purchase record for the item could not be found.</string>
        </dict>
        <dict>
            <key>ErrorCode</key>
            <integer>2615</integer>
            <key>ErrorDomain</key>
            <string>DeviceManagement.error</string>
            <key>LocalizedDescription</key>
            <string>Could not find Volume Purchase Programme assignment.</string>
        </dict>
    </array>
    <key>Status</key>
    <string>Error</string>
</dict>
</plist>
```
Is this still a supported workflow? Installing an app works without any issue in the same context.
Post not yet marked as solved
Our MDM server is hosted within our enterprise. All the devices pass through the proxy and firewall server to reach it. Due to some misconfiguration, our proxy server responded with 401 to all the requests.
Later we noticed that the MDM profile is missing from some of the devices. On checking with the MDM team, they forwarded us to Apple documents saying this is out of their control and that a 401 response would remove the MDM profile.
Could this be handled in such a way that the MDM server has some control over this, say only the MDM server can send a 401 to remove the profile?
Has anyone faced this? Any help would be appreciated.
Post not yet marked as solved
Hi there,
I know we can configure Default and Data APN via a .mobileconfig file but I don't see any way to configure the APN associated with a Personal Hotspot connection in this way. Is this possible at all?
Thanks
Alan
Post not yet marked as solved
Some customers want to add a remote file address in the Files app -> Connect to Server option. For now, we can't find any APIs to add this to the device via any commands/profiles.
Is it not at all possible to add this to the Files app, or am I missing something?
If it is not yet supported and no APIs are available, will it be available in the future?
Needed some help here.
Post not yet marked as solved
For creating the APNS certificate, we use a signed CSR from our MDM vendor, which is a .plist file. We have been using this for quite some years now. But currently the APNS portal throws an error saying invalid file type (as attached below).
Is the portal updated to support only .csr / .txt / .rtf?
Can anyone help with the correct file format?
(P.S: Works if we edit the extension & upload it)
Post not yet marked as solved
For the Apps & Books Notifications API, I'm looking for more information on the expected values for tracking assignments and user events.
For assignment tracking, the documentation lists:
```json
"result": "SUCCESS",
"type": "ASSOCIATE"
```
```json
"result": "SUCCESS",
"type": "DISASSOCIATE"
```
I assume "ASSOCIATE" and "DISASSOCIATE" are the supported values for "type". Also, "result" is either "SUCCESS" or "FAILURE"?
As for tracking user events, the documentation lists:
```json
"result": "SUCCESS",
"type": "CREATE",
```
I assume "CREATE" , "UPDATE" , and "RETIRE" are the supported values for "type" and that "SUCCESS" and "FAILURE" are the supported values for "result"?
Looking to get confirmation on this. Thank you!
Best,
Adam
Post not yet marked as solved
Is software update error 41 the equivalent of a theoretical “DownloadAlreadyPresent” UpdateResults item?
When MDM sends ScheduleOSUpdate w/ DownloadOnly to a device that had previously downloaded the update by itself (device has automatic update downloads enabled), it returns:
The operation couldn't be completed. (com.apple.softwareupdateservices.errors error 41
Should MDM treat that as a success and move on to InstallASAP?
Post not yet marked as solved
You explain at 6:08 that "In iOS and iPadOS 15, we used a simple access token authorization mechanism to allow the MDM server to verify the identity of users." What exactly was the "simple access token authorization mechanism"?
I would like to know the outline of the mechanism.
If you have a URL that explains the mechanism, please send it to us.
Thank you,
Post not yet marked as solved
Unable to install "xxxx"
Code: -402620388
User Info: {
IDERunOperationFailingWorker = IDEInstalliPhoneLauncher;
}
--
No code signature found.
Domain: com.apple.dt.MobileDeviceErrorDomain
Code: -402620388
User Info: {
DVTRadarComponentKey = 261622;
MobileDeviceErrorCode = "(0xE800801C)";
}
--
Post not yet marked as solved
TLDR; does a profile need to be deployed with an MDM server?
Is there a way to add a configuration profile (.mobileconfig file) to Xcode device emulator without an MDM server (aka drag and drop the profile into the emulator)? Because right now I am getting an error saying that the "profile must be installed by an Mobile Device Management server". I am asking because I'm doing a proof of concept project and am trying to perform testing before I bring in the MDM server portion.
Post not yet marked as solved
I'm curious about suggested workflows for a 3rd party ACME server handling a request for a managed device. Specifically, when the MDM server does not control the ACME server like it likely would when using the ACME payload for the MDM client identity.
i.e., an organization with a CA that can distribute client identities using ACME; how should ACME servers validate the request is authorized? The server, of course, would be able to validate that the attestation is valid from Apple, but how would an ACME server validate that the request is authorized for a device?
I would assume that the ACME server would use the ClientIdentifier key similarly to a SCEP challenge. And that identifier should be populated in MDM either as a static challenge or dynamically fetched by MDM from the ACME service?
Or possibly that the ACME service would need a connection (i.e., through a restful API) to the MDM server to validate it is a device under management and fetch the generated client identifier and therefore determine that the device is authorized to request certs from the enterprise CA?
It would be great if the device could attest that it is under management and have an OID for the check-in URL or the APNS topic it is registered against. This might eliminate the ACME server's need to authorize a request against the MDM server, or help improve the validation of the request, etc.
In any case, I'm curious on folks' thoughts around this in general :)
We are connecting to a web service that requires a certificate from a *.pfx. It works fine when the *.pfx is included in the app bundle and extracted from there, as mentioned in this discussion in thread #77694.
The problem is, each device will have a unique certificate that will be pushed to it from an MDM; we don't have a single generic certificate that we can include in the bundle for all devices to use.
For testing, we dragged the *.pfx certificate onto Settings, and it appears under "Configuration Profile", as shown in the attached picture.
Questions:
Is "Configuration Profile" the iOS equivalent of the Mac Keychain?
When an MDM pushes a *.pfx certificate onto an iOS device, will it appear under "Configuration Profile"? Or somewhere else? The MDM isn't functional yet so we haven't seen how it works.
If the answer to #2 is yes, is it possible to access the "Configuration Profile" certificates from within the app? Some articles I've read said this isn't possible due to security: you can only access your app's certificates. If this is true, how will the MDM make the certificates available to our app specifically and not just the device?
Thanks so much for any help,
James T
Post not yet marked as solved
I captured plaintext versions of the various Q&A threads from the Slack-hosted Q&A for Device Management on Tuesday, June 7th 2022. If interested, please see the attached "Notes from Slack":
Notes from Slack
Post not yet marked as solved
I captured plaintext versions of the various Q&A threads from the Slack-hosted Q&A for Device Management on Thursday, June 9th 2022. If interested, please see the attached "Notes from Slack":
Notes from Slack