https://developer.apple.com/documentation/devicemanagement/systempreferences
The Above documentation of "System Preferences" says deprecated. I assume that some of the panes are not working in latest OS due to this deprecation.
My query is , Is there any other alternative to Disable or Enabled Preference Panes which was attained by SystemPreferences Payload.
I couldn't find any. Is it entirely stopped and in latest OS's ,it wont allowed to restrict those panes?
Device Management
RSS for tagAllow administrators to securely and remotely configure enrolled devices using Device Management.
Posts under Device Management tag
170 Posts
Sort by:
Post
Replies
Boosts
Views
Activity
Hello,
We've been playing the app managed configuration with DDM recently and there is a few thing that we might be missing.
We're trying to replace our existing feature of app installation using the Install Command with DDM. Everything seems to be working as expected but we're having an hard time understanding how to keep an app installed with the ManifestUrl (custom IPA) updated on the device as well as custom apps deployed through Custom Apps with ABM.
We used to send new install command when a new version was released (either with manifest or custom apps) and this will trigger a new app install over the existing app keeping data and updating the app.
We however, cannot figure how to do this with App Managed Configuration with DDM. If we replace the configuration declaration (and therefore changed the declaration Identifier), the app will be uninstalled and then reinstalled again (but not all the time). In that case app data is lost as this is a fresh install of the app.
Is there a way to reinstall over an existing app an updated version of an app available through Manifest or with custom apps ?
The same question would apply to any apps unless I'm mistaken, how do we force apps to be updated?
Thanks for your help,
Jeremy
I'm trying to implement managed device attestation, I have written server code in Go. So far, I have been able to implement all the steps except finalizing order by sending the Certificate url in the json response from where the client can download the certificate.
ACME request flow failed at step 8: Error Domain=NSURLErrorDomain Code=-1002 "unsupported URL" UserInfo={NSLocalizedDescription=unsupported URL, NSErrorFailingURLStringKey=}
For server, I am using localhost with https. The URL in "certificate" field of json response is working in browser/postman. I am not able to figure out what is the exact the cause of this error. As there is no FailingURLStringKey I suspect there might be some issue with key in the json response.
Can anyone point me to the correct direction to figure out what is the issue?
We are considering developing our own MDM server for internal app distribution.
Is it necessary to enroll in the Apple Enterprise Developer Program to develop MDM server?
Currently, our company is only enrolled in the Apple Developer Program and Business Manager.
Additionally, since we have fewer than 100 employees, it is difficult for us to join the Enterprise Program. In this case, is it not possible for us to set up an MDM server?
Cx was unable to login to their cloud account when the policy was pushed on to their device. However, when no policy was pushed cx could login. The issue is with applying whitelist configuration to device with passcode turned on..while whitelisting the app some system bundle identifier is getting blocked, we tried whitelisting all system app available for ios and couldn't find a solution
I've added my organization macbook air m2 2022 via apple configurator, however, the mac it not receiving the Remote Management prompt during setup. I've confirmed that the device in ABM is pointing to the connect server.
Any ideas?
In older versions of macOS, such as those predating Mac OS Sonoma, users had the ability to set the Lock Screen independently from their desktop wallpaper. However, with the introduction of Mac OS Sonoma, this feature seems to have been altered or removed altogether. Currently, there appears to be no option to set the Lock Screen image separately; instead, only changing the desktop wallpaper, changes the Lock Screen image. This change raises questions about whether it is a deliberate alteration in the setting flow or if it could potentially be a bug in the system.
Users may wonder if this adjustment is intended to streamline the interface or if there are plans to reintroduce the ability to customize the Lock Screen image independently of the wallpaper in future updates.
Hi all ,
We are planning to manage about 1 Million+ Apple devices of inclusive of both iPhone and Mac devices under a AxM Account. However while adding VPP Licenses for an App i'm prompted with below error:
" You cannot order more than 100000 copies of same the free item per week"
While our goal is to manage 1 Million devices under same Location token , i have below questions in mind
1 . What is the upper limit of number of Licenses that can be added per app in a Location token?
Currently it says 1 Lakh Licenses per app per week . Wanted to know if there is any limit on this count as it shouldn't surprise us in upcoming weeks.
2 . How many Locations can be created in a AxM Account?
Currently we created about 15 location to see if there are any limit but so far couldn't find any limit on number of locations that can be created. This limit could help us plan our deployment in advance
3 . What is the total number of licenses a VPP Location token can hold ?
As we manage 1 Million Devices for 12 Apps , 1 Million x 12= 12 Million licenses would be transacted in this location token by our MDM Solution , is this okay or will there be any limitations in this count
In Declarative Device Management there is the Get Server Supported Declarations endpoint that is sent via an MDM Check-In request. Is this supposed to return all of the declarations supported by the server, or only the ones that are intended for the device making the request?
This seems like a bad choice of naming for that endpoint and, if my assumption is correct it should be named more along the lines of "Get Device Declarations"
Or am I fundamentally misunderstanding DDM and our server should be sending all declarations we have to the device and the device controls them via activations? This seems counter to the pitch around scalability and performance improvements that DDM offers if we have to send literally everything to the device even if it's known to not be needed, and similarly if the device doesn't support it but the server does then obviously(?) the server shouldn't send it to the device.
Can someone please explain the purpose of the ManagementServerCapabilities declaration in Declarative Device Management?
I understand based on the documentation that it contains a "dictionary that contains the server’s optional protocol features" but what would be an example of an "optional protocol feature"?
I can enroll iOS and macOS devices with success when DEP is not used (OTA). With DEP, I can enroll iOS devices but not macOS devices. In this case, the process fails when the activation profile is received, because the system cannot decrypt the returned payload.
Note that I sign the payload using the server certificate (trusted as the anchored certs are defined accordingly) and I encrypt the payload using the device identity certificate. This identity certificate was obtained when the device reached the enrollment URL (used to sign the inbound payload).
From the console logs, it seems that the device cannot find the aforementioned certificate using the issuer and serial number, which is surprising because this should be the device identity certificate.
I currently use PKCS7 openssl 3 API. I am wondering if I should switch for the CMS functions since it provides a way to define the certificate using it's key identifier rather than the issuer and serial number.
I'm also wondering if certificates are missing in the chain. Any help would be greatly appreciated.
Hi all,
I'm working on a small PoC to get Content Filtering (FilterDataProvider) working on macOS without any user interaction.
So far, I've pushed two payloads to my machine using user-approved MDM enrollment:
com.apple.system-extension-policy
com.apple.webcontent-filter
The application containing the network extension is present in /Applications.
The installation of the profiles both succeed and I can see a Content Filter is created in the Network section of System Settings. Even the status says "Enabled", but the dot remains orange.
Inspecing the system logs (specifically: filtering on process:neagent) shows me the following error:
1. Failed to find a com.apple.networkextension.filter-data extension inside of app com.my.app.containing.the.ext
Only when I submit an activation request using OSSystemExtensionRequest.activationRequest, the network extension starts (without prompts, as expected) and everything works.
Is this expected behaviour? Do I need to submit an activation request through code regardless of the fact that MDM pre-approved the System Extension prompts and created the Content Filter in the System Settings?
Issue:
Our app is currently experiencing an unexpected behavior related to VPN functionality on iOS devices. Despite having the "OnDemandUserOverrideDisabled" parameter set to 1 in our VPN profile, users have reported that they can create a shortcut to disable the "Connect On Demand" feature. However, upon doing so, toggling off the VPN does not re-enable the feature as anticipated. This oversight results in unfiltered browsing, potentially compromising user security and privacy.
Explanation:
The presence of "OnDemandUserOverrideDisabled" set to 1 in our VPN profile should theoretically prevent users from toggling the "Connect On Demand" feature via any means. However, users have found a workaround using shortcuts to bypass this safeguard. Consequently, the VPN does not automatically re-engage after being disabled, leading to unintended consequences for users.
Impact:
The inability to reliably control VPN settings, despite profile configurations, poses a significant risk to user data privacy and security. Unintended unfiltered browsing can expose users to malicious actors and compromise sensitive information.
On WWDC 2023 Apple announced this: https://developer.apple.com/videos/play/wwdc2023/10040/?time=648
And as you can see and hear, they are saying: "In the past, entire System Preference panes were hidden to fulfill this requirement. With the introduction of System Settings, we were able to implement a granular management approach. Instead of hiding entire panes, the administrator can restrict modifications of a specific setting which now shows a label about its management state."
But where Apple Developer documentation can I find the payload for this? The only thing I was abble to find is https://developer.apple.com/documentation/devicemanagement/systempreferences which is DEPRECEATED for 13.0 macOS.
Our keyboard extension can be accessed independently in China region with native app like Notes or Safari, however the keyboard can only be opened in the app under same project in Taiwan region.
I've checked some articles about how MDM managing extensions, also make sure our RequestOpenAccess option of keyboard extension info.plist also set to Yes.
I'm not sure is there anything I missed, or I just need to inform client that they need to reach out their MDM manager and modify some restrictions?
If keyboard supports mobile device management (MDM), it can work with managed apps.
App extensions give third-party developers a way to provide functionality to other apps or even to key systems built into the operating systems
Allow full access to custom keyboard in iOS
Hi all,
I'm implementing Intune MAM to secure applications on iOS. However, I need my users to be able to save files (e.g. attachments in an email in the Outlook app) to iOS Files. To do so, I'm trying to put Files in exception of my Intune MAM policy and I need to obtain the Files "CFBundleURLSchemes" value from the info.plist file of the Files app. I'm not able to get that information.
Are any of you able to get that somehow?
Thanks!
I'm working on a tool which parses the output from the command "profiles -P -o" to check that our MDM profile has been deployed correctly, as there has been issues around profiles being misconfigured. It seems that the framework which the profiles command uses is private, so I'm just wondering could there be a way to get information which is similar to the output from the profiles command without having to directly use the command?
This page indicates https://support.apple.com/en-in/guide/deployment/dep0a2cb7686/web that some usage of fdesetup command line tool is deprecated such as turning on FV using username/password.
However, I don't see any proper information about which options from the fdesetup tool are deprecated and which are still valid?
Any pointers for that?
Thanks,
N
Hey,
I am looking into creating an app that sets limits on what apps can be use while in the apps focused mode. Something similar to Opal or Forest. I saw that the Screen Time API has similar utility for parental control apps, would I be able to use the API for an app tailored to adults with it remaining under guidelines?
Hi everyone.
I've been trying to set up my Macs in Intune. One of the key requirements is to create a push certificate for my environment. I can get past the upload page on the Apple Push Certificate Portal. Once I click the upload button on the web page after choosing my CSR file, I get this the page on the CSR file "The page you’re looking for can’t be found". I get the same message every time I refresh or log back into the page doing these steps. I don't know what to do. Would anyone have any advice on this? Or is this solely an Apple problem? Just if it's of any relevance, I am in Australia.