We are connecting to a web service that requires a certificate from a *.pfx. It works fine when the *.pfx is included in the app bundle and extracted from there, as mentioned in this discussion in thread #77694.
The problem is, each device will have a unique certificate that will be pushed to it from an MDM; we don't have a single generic certificate that we can include in the bundle for all devices to use.
For testing, we dragged the *.pfx certificate onto Settings, and it appears under "Configuration Profile", as shown in the attached picture.
Questions:
Is "Configuration Profile" the iOS equivalent of the Mac Keychain?
When an MDM pushes a *.pfx certificate onto an iOS device, will it appear under "Configuration Profile"? Or somewhere else? The MDM isn't functional yet so we haven't seen how it works.
If the answer to #2 is yes, is it possible to access the "Configuration Profile" certificates from within the app? Some articles I've read said this isn't possible due to security: you can only access your app's certificates. If this is true, how will the MDM make the certificates available to our app specifically and not just the device?
Thanks so much for any help,
James T
Post not yet marked as solved
I captured plaintext versions of the various Q&A threads from the Slack-hosted Q&A for Device Management on Tuesday, June 7th 2022. If interested, please see the attached "Notes from Slack":
Notes from Slack
Post not yet marked as solved
I took notes during the "Custom app distribution and device management" lab. If interested, please see the attached "Notes from lab":
Notes from lab
Post not yet marked as solved
I captured plaintext versions of the various Q&A threads from the Slack-hosted Q&A for Device Management on Wednesday, June 8th 2022. If interested, please see the attached "Notes from Slack":
Notes from Slack
Post not yet marked as solved
I captured plaintext versions of the various Q&A threads from the Slack-hosted Q&A for Device Management on Thursday, June 9th 2022. If interested, please see the attached "Notes from Slack":
Notes from Slack
Post not yet marked as solved
I am currently trying to use EC2 Mac instances to run a CI/CD pipeline which involves running tests with Electron/Selenium. In order to run these tests, OpenGL needs to be available.
I'm currently getting the error on line 49 of https://chromium.googlesource.com/chromium/src/+/8f066ff5113bd9d348f0aaf7ac6adc1ca1d1cd31/ui/gl/init/gl_initializer_mac.cc.
With the output on the instance giving:
2022-06-09 19:38:25.937 Electron[52243:188559] +[NSXPCSharedListener endpointForReply:withListenerName:]: an error occurred while attempting to obtain endpoint for listener 'ClientCallsAuxiliary': Connection interrupted
[52245:0609/193826.555969:ERROR:gl_initializer_mac.cc(65)] Error choosing pixel format.
[52245:0609/193826.556035:ERROR:gl_initializer_mac.cc(193)] GLSurfaceCGL::InitializeOneOff failed.
[52245:0609/193826.664827:ERROR:viz_main_impl.cc(188)] Exiting GPU process due to errors during initialization
The root cause of this is that there is no display connected to the Mac mini. Using VNC to screen share with the host (which creates a display) allows OpenGL to work as expected. Unfortunately this is not a solution/workaround for my use case, as I will need to restart/reboot these instances after each run. I have tested this multiple times, and after rebooting the instance the display is no longer present. (I have verified the displays being recognized / not being recognized with displayplacer list.)
Is there any way to make the Mac mini host think that it has a display without relying on physical workarounds (I don't have physical access to the machine) or using software like BetterDummy that I can't run in a script?
Post not yet marked as solved
There isn't any service comparable to Business Essentials in Europe at the moment in terms of ease of use. When will it be available?
Post not yet marked as solved
We tried this Global Preference configuration profile payload to enable fast user switching on the device, but unfortunately, after successfully applying the payload, fast user switching still remains disabled on the device, with the user restricted from modifying the setting. PFA the screenshot of the settings applied in the profile as well as a screenshot of the Login Window settings.
OS version: macOS 12.1
<dict>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>7b3041b6-d1fb-43d8-af8c-1028cde8b534</string>
<key>PayloadType</key>
<string>.GlobalPreferences</string>
<key>PayloadOrganization</key>
<string>MDM</string>
<key>PayloadIdentifier</key>
<string>7b3041b6-d1fb-43d8-af8c-1028cde8b534</string>
<key>PayloadDisplayName</key>
<string>Mac Global Preference payload</string>
<key>MultipleSessionEnabled</key>
<true/>
<key>LULookupDisabled</key>
<false/>
<key>com.apple.autologout.AutoLogOutDelay</key>
<integer>0</integer>
</dict>
Post not yet marked as solved
I created a profile using the Configurator app to add 2 E-Mail accounts with S/MIME signing enabled. I added the certificates to the profile as well and selected them in the E-Mail accounts' advanced settings. The certificates are issued by DigiCert. However, even though the certificate shows up in the advanced settings and is selected, my Mail app keeps telling me that:
Unable to Sign
You can't send signed messages because a signing identity for the address "@.***" could not be found. Go to the Advanced settings for this account to choose a signing identity.
I tried:
removing the profile and manually setting up the accounts
recreating the profile from scratch
creating a separate profile that only installs the certificates
S/MIME signing is enabled and the required certificate is selected.
The same certificates work on my Mac and Windows devices. The file format is .p12.
Post not yet marked as solved
I took notes during the "What's new in managing Apple Devices" session. If interested, please see the attached "Notes from session":
Session Notes
For the session video, please see the following link: https://developer.apple.com/wwdc22/10045
Post not yet marked as solved
Is there a way to push multiple apps in a single request using "InstallApplication" command via MDM?
The request seems to take only one app at a time.
We are an MDM platform vendor and are hoping to deploy all the license-assigned apps during the initial device enrollment.
Any sample list request snippet would be helpful.
Post not yet marked as solved
When "Disallow the creation of VPN configurations" is enabled through an MDM restriction on an iOS device, 3rd-party VPN applications are still able to create and enable VPN configurations and connections.
Post not yet marked as solved
When reinstalling macOS I run into issues in the Remote Management section during installation. After establishing a network connection, I proceed to the Remote Management section of the installation and the setup fails with the error "Unable to connect to the MDM server for your organisation." Is there any way I can resolve this issue manually? There is no way to bypass this step in the setup.
Post not yet marked as solved
I am posting here as I am at a loss for what to try next.
I want to remotely install an application with an endpoint security system extension using my MDM (MicroMDM). To do this, I am sending an InstallEnterpriseApplication command to my MDM server to install an application containing a system extension with an endpoint security entitlement.
The application installs without error according to install.log. However, when I inspect the app that was installed, its contents have been modified. This breaks codesigning and the application cannot load the endpoint security system extension anymore.
HOWEVER, when I take the exact same installer.pkg and double click it from Finder to manually install it by hand, the resulting application is unmodified and as expected! I know the MDM server isn't modifying the application because when I download the installer from the URL that's in my manifest and hash it, the hash matches the original installer file I had before I uploaded it to my MDM.
Is there an issue with MDMs installing applications with system extensions/endpoint security entitlement?
I know this is not an issue with my codesigning or packaging because everything works fine when I double click the package installer and install it by hand.
Has anyone run into this?
Here is my manifest.plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>items</key>
<array>
<dict>
<key>assets</key>
<array>
<dict>
<key>kind</key>
<string>software-package</string>
<key>md5-size</key>
<integer>10485760</integer>
<key>md5s</key>
<array>
<string>HASH1</string>
<string>HASH2</string>
<string>HASH3</string>
</array>
<key>url</key>
<string>https://mdm-testing.sys/repo/installer.pkg</string>
</dict>
</array>
</dict>
</array>
</dict>
</plist>
Post not yet marked as solved
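The manifest above lists the package under `md5s` as MD5 digests of successive `md5-size`-byte chunks of the file, and the poster's own check was to download the package from the manifest URL and compare its hash with the original. As an added example (not the poster's code, MicroMDM's, or Apple's), the script below builds such a manifest for a package and verifies a downloaded package against one; the package bytes, the URL `https://mdm.example.invalid/repo/installer.pkg`, and the default 10 MiB chunk size are constructed assumptions, and `HASH1`/`HASH2`/`HASH3` on the page are placeholders, not real digests.

```python
import hashlib
import plistlib


def chunk_md5s(data: bytes, chunk_size: int) -> list:
    """MD5 hex digests of successive chunk_size-byte slices of data (last may be short)."""
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    return [hashlib.md5(data[i:i + chunk_size]).hexdigest()
            for i in range(0, len(data), chunk_size)]


def build_manifest(pkg_bytes: bytes, url: str, chunk_size: int = 10 * 1024 * 1024) -> bytes:
    """Serialize an InstallEnterpriseApplication-style manifest (XML plist) for pkg_bytes.

    The layout mirrors the manifest posted above: items -> assets -> one
    software-package asset with md5-size, md5s and url.
    """
    manifest = {
        "items": [{
            "assets": [{
                "kind": "software-package",
                "md5-size": chunk_size,
                "md5s": chunk_md5s(pkg_bytes, chunk_size),
                "url": url,
            }]
        }]
    }
    return plistlib.dumps(manifest)  # plistlib defaults to the XML format


def verify_against_manifest(manifest_bytes: bytes, pkg_bytes: bytes) -> bool:
    """Recompute chunk hashes of pkg_bytes and compare them to every software-package asset."""
    manifest = plistlib.loads(manifest_bytes)
    checked = 0
    for item in manifest.get("items", []):
        for asset in item.get("assets", []):
            if asset.get("kind") != "software-package":
                continue
            checked += 1
            if chunk_md5s(pkg_bytes, int(asset["md5-size"])) != list(asset["md5s"]):
                return False
    return checked > 0  # a manifest with no package asset verifies nothing


if __name__ == "__main__":
    # Constructed stand-in for installer.pkg contents; a real run would read the .pkg file.
    pkg = b"\xca\xfe" * 50_000
    url = "https://mdm.example.invalid/repo/installer.pkg"  # assumed URL
    manifest = build_manifest(pkg, url, chunk_size=4096)
    print(manifest.decode())
    print("downloaded copy matches manifest:", verify_against_manifest(manifest, pkg))
    print("tampered copy matches manifest:", verify_against_manifest(manifest, pkg + b"x"))
```

Running `verify_against_manifest` over the bytes actually fetched from the manifest URL is the same check the poster did by hand; MD5 here only detects accidental corruption or a mismatched upload, so the installed app's integrity still rests on its code signature.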
We are pushing a HomeScreenLayout payload with no "docks" array.
On iOS the dock at the bottom disappears, but on iPadOS the dock is still at the bottom with recent apps listed there. Attached is a screenshot of the iPad's behaviour.
Payload :
<dict>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>____________-</string>
<key>PayloadType</key>
<string>com.apple.homescreenlayout</string>
<key>PayloadOrganization</key>
<string>MDM</string>
<key>PayloadIdentifier</key>
<string>_______________</string>
<key>PayloadDisplayName</key>
<string>Homescreen Layout</string>
<key>Pages</key>
<array>
<array>
<dict>
<key>BundleID</key>
<string>com.apple.mobilephone</string>
<key>Type</key>
<string>Application</string>
</dict>
<dict>
<key>BundleID</key>
<string>com.apple.Preferences</string>
<key>Type</key>
<string>Application</string>
</dict>
<dict>
<key>BundleID</key>
<string>com.google.ios.youtube</string>
<key>Type</key>
<string>Application</string>
</dict>
<dict>
<key>BundleID</key>
<string>com.manageengine.mdm.iosagent</string>
<key>Type</key>
<string>Application</string>
</dict>
</array>
</array>
</dict>
Is it possible to remove the dock on iPadOS, or is there anything I am missing to disable the dock or to distinguish between dock apps and Recent Apps?
Post not yet marked as solved
We have a use case where we want all network calls from the Mac device to go through the VPN. We tried using the OnDemand field in VPN. Unfortunately, users with admin privileges are still able to disconnect from the VPN even if we enable OnDemand: admin users can disconnect by disabling the OnDemand option in VPN settings. We noticed that there is an option to restrict the OnDemand option in iOS, as mentioned here, using the field OnDemandUserOverrideDisabled. However, this is not supported in macOS. Can anyone suggest a mechanism to restrict users from disabling the VPN?
Post not yet marked as solved
In the latest update, macOS 12.3, the Login Window Items payload does not work. However, it works up to macOS 12.1. The profile applies successfully, but the required apps are not listed under the Login Items tab in Users & Groups.
Here is the payload we tried on both OS versions:
<dict>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>bdcc8534-8a2e-40b5-bf65-17ab9247319c</string>
<key>PayloadType</key>
<string>com.apple.loginitems.managed</string>
<key>PayloadOrganization</key>
<string>MDM</string>
<key>PayloadIdentifier</key>
<string>bdcc8534-8a2e-40b5-bf65-17ab9247319c</string>
<key>PayloadDisplayName</key>
<string>Mac Login Window Item</string>
<key>AutoLaunchedApplicationDictionary-managed</key>
<array>
<dict>
<key>Path</key>
<string>/Applications/Safari.app</string>
<key>Hide</key>
<false/>
</dict>
</array>
</dict>
Post not yet marked as solved
In the document by Apple over here, it says that AlwaysOn VPN is supported in macOS 10.7+. However, AlwaysOn doesn't seem to work on macOS, even on the latest OS. We came across a post which states that it is supported only for iOS. We have a requirement to support AlwaysOn VPN for macOS.
Also, in the console log, we found the following error while sending a profile with AlwaysOn VPN configuration
error 16:19:45.716722+0530 mdmclient NEConfiguration initWithVPNPayload: failed
error 16:19:45.717076+0530 mdmclient [ERROR] <<<<< PlugIn: InstallPayload [NEProfileIngestionPlugin] Error: Error Domain=ConfigProfilePluginDomain Code=-319 "The ‘VPN Service’ payload could not be installed. The VPN service could not be created." UserInfo={NSLocalizedDescription=The ‘VPN Service’ payload could not be installed. The VPN service could not be created.} <<<<<
Post not yet marked as solved
We have sent the payload for restricting all the apps except the YouTube and MEMDM apps. The payload is listed below.
The problem is that all apps are restricted except the apps that were offloaded before; the icons of the offloaded apps appear on the home screen.
Attached is a screenshot of the above offloaded icons with multi-app kiosk enabled.
Is this the expected behaviour?
Or is there anything I am missing? Can anyone help me with this?
Payload sent to the device:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>------------</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>-----</string>
<key>PayloadIdentifier</key>
<string>----------------</string>
<key>PayloadDisplayName</key>
<string>MultiApp Kiosk</string>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>----------------</string>
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>PayloadOrganization</key>
<string>MDM</string>
<key>PayloadIdentifier</key>
<string>---------------</string>
<key>PayloadDisplayName</key>
<string>AppLock Whitelist Policy</string>
<key>whitelistedAppBundleIDs</key>
<array>
<string>com.google.ios.youtube</string>
<string>com.manageengine.mdm.iosagent</string>
<string>com.apple.webapp</string>
</array>
<key>allowListedAppBundleIDs</key>
<array>
<string>com.google.ios.youtube</string>
<string>com.manageengine.mdm.iosagent</string>
<string>com.apple.webapp</string>
</array>
</dict>
</array>
</dict>
</plist>
Post not yet marked as solved
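A payload key that does not match the documented name exactly (for instance one carrying a stray trailing space) is silently ignored by the device rather than rejected, so the effective allow list may differ from what the administrator intended. As an added example (not the poster's, ManageEngine's, or Apple's code), the script below parses a configuration profile with `plistlib`, lists the payload types it carries, flags keys with leading or trailing whitespace, reports the bundle IDs allowed by a `com.apple.applicationaccess` payload under either the older `whitelistedAppBundleIDs` or the newer `allowListedAppBundleIDs` key, and produces a copy with the key names trimmed. The embedded profile is a constructed sample modelled on the one above, with placeholder UUIDs and identifiers.

```python
import plistlib

# Constructed sample profile: one com.apple.applicationaccess payload whose
# allowListedAppBundleIDs key has a trailing space (the defect being checked for).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadType</key><string>Configuration</string>
<key>PayloadVersion</key><integer>1</integer>
<key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
<key>PayloadIdentifier</key><string>example.kiosk.placeholder</string>
<key>PayloadDisplayName</key><string>MultiApp Kiosk</string>
<key>PayloadRemovalDisallowed</key><true/>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadType</key><string>com.apple.applicationaccess</string>
<key>PayloadVersion</key><integer>1</integer>
<key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
<key>PayloadIdentifier</key><string>example.kiosk.placeholder.applock</string>
<key>PayloadDisplayName</key><string>AppLock Whitelist Policy</string>
<key>whitelistedAppBundleIDs</key>
<array><string>com.google.ios.youtube</string><string>com.apple.webapp</string></array>
<key>allowListedAppBundleIDs </key>
<array><string>com.google.ios.youtube</string><string>com.apple.webapp</string></array>
</dict>
</array>
</dict>
</plist>
"""

ALLOW_LIST_KEYS = {"whitelistedAppBundleIDs", "allowListedAppBundleIDs"}


def lint_profile(profile_bytes: bytes) -> dict:
    """Summarize payload types, whitespace-damaged keys and app allow lists in a profile."""
    profile = plistlib.loads(profile_bytes)
    report = {"payload_types": [], "whitespace_keys": [], "allowed_bundle_ids": []}
    scopes = [("top-level", profile)]
    scopes += [(p.get("PayloadType", "<missing PayloadType>"), p)
               for p in profile.get("PayloadContent", [])]
    allowed = set()
    for scope, payload in scopes:
        if scope != "top-level":
            report["payload_types"].append(scope)
        for key, value in payload.items():
            if key != key.strip():
                # The device matches key names literally, so this key will not take effect.
                report["whitespace_keys"].append((scope, key))
            if scope == "com.apple.applicationaccess" and key.strip() in ALLOW_LIST_KEYS:
                allowed.update(value)
    report["allowed_bundle_ids"] = sorted(allowed)
    return report


def strip_key_whitespace(profile_bytes: bytes) -> bytes:
    """Return a copy of the profile with surrounding whitespace removed from every key."""
    def clean(node):
        if isinstance(node, dict):
            return {k.strip(): clean(v) for k, v in node.items()}
        if isinstance(node, list):
            return [clean(v) for v in node]
        return node
    return plistlib.dumps(clean(plistlib.loads(profile_bytes)))


if __name__ == "__main__":
    before = lint_profile(SAMPLE_PROFILE)
    print("payload types:", before["payload_types"])
    print("keys with stray whitespace:", before["whitespace_keys"])
    print("allowed bundle IDs:", before["allowed_bundle_ids"])
    after = lint_profile(strip_key_whitespace(SAMPLE_PROFILE))
    print("keys with stray whitespace after cleanup:", after["whitespace_keys"])
```

Run it against a profile exported from the MDM console before pushing it; a non-empty `whitespace_keys` list means part of the policy will not be enforced even though the profile installs without error.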
Dears,
For BYOD devices, especially personal devices, what are the ways we can enroll the devices to ABM?
We are looking for a way to do this which can be done by the users themselves by using a website or app.
Also, is there a way to remove the device later from a console?