Ref- https://support.apple.com/en-in/guide/deployment/dep3b4cf515/web When we deploy an Payload with identifier "com.apple.airprint" , It will add the deployed printer configurations to printers list in mac. Which additionally needs the mac user to add it from Settings -> Printers -> Add Printer -> (Deployed Printer Configuration will be listed here) Select the printer -> Click Add . Screenshot where user need to add it manually after profile association is attached below. Now the Printer is available to be used ,when an share option in any document is clicked. Why this flow requires multiple to and fro. Can it be able to deploy the printer straight to Printers available List instead of manually adding from the above screenshot

I’m looking for advice on implementing an Active Supervision Mode for enhanced parental control. My goal is to restrict access to both iOS system apps and third-party applications to create a safer and more tailored digital experience for my child. Here’s what I’d like to achieve: App Restrictions: Block specific apps (both iOS and third-party) and allow access only to approved ones. Time Limits: Set daily usage limits for individual apps or app categories. Content Filtering: Apply restrictions to block inappropriate content and age-inappropriate apps. Remote Management: Manage these settings remotely from my device for added convenience. Activity Monitoring: View app usage stats or receive alerts for policy violations. I understand that Screen Time on iOS offers basic parental controls, but I’m exploring whether iOS supports more advanced capabilities natively or through additional configurations. I’ve also heard that enrolling a device in Apple Business Manager (ABM) and linking it to an MDM (Mobile Device Management) solution might provide greater control. If this is a viable solution, could anyone provide guidance on: Enrolling a personal or family-owned device into Apple Business Manager. Linking an MDM for configuring app restrictions and monitoring usage. Alternatively, if there are third-party parental control apps that work seamlessly with iOS to achieve these goals, I’d appreciate your recommendations! Thanks in advance for your insights!

Dear Apple Team, As an MDM (Mobile Device Management) service provider, we are writing to bring attention to an issue that is affecting many of our customers who manage large fleets of iOS devices. Specifically, we have encountered challenges with the app update process via MDM, which is impacting both kiosk devices and non-kiosk devices in a variety of use cases. Issue 1: App Updates Delayed on Kiosk Devices Many of our customers are deploying kiosk devices that are used 24/7 independently with no attendants. In these cases, when an app update is sent through MDM via the installApplication command, the installation does not begin immediately. Instead, the update starts only after the device is locked. However, since these kiosk devices are running continuously, they are rarely locked, preventing the app update from occurring. To force the update, administrators need to manually remote lock or physically lock the device, which is a time-consuming process. This becomes even more challenging for devices like Apple TV, where remotely locking and unlocking the device to complete app updates is especially difficult, making it hard to keep the apps up to date in a timely manner. Issue 2: User Cancellations of Critical Updates on Non-Kiosk Devices In the case of non-kiosk devices, customers are encountering another challenge: when a critical update is pushed during business hours, users are often prompted to install the update. However, many users tend to cancel the update, leaving devices unpatched and potentially vulnerable. This behavior can delay the deployment of important security patches, which is a critical concern for organizations managing sensitive data or business-critical apps. Request for a Solution Our customers have expressed the need for a more reliable and forceful app update mechanism. Specifically, we are requesting the following features to improve the app update experience: Scheduled app updates: The ability to schedule app updates, similar to the way OS updates are handled. If the user does not install the update within a specified timeframe, the update should begin automatically or prompt the user with a stronger reminder. Force install option: A feature that would allow MDM administrators to force an app update immediately, without relying on user intervention. This would ensure that critical updates are installed promptly, improving security and system stability across all devices. These features are essential for many of our customers who rely on timely and consistent app updates to maintain security, functionality, and compliance across their managed devices. Without these options, they face challenges in ensuring devices are kept up-to-date, which can result in security vulnerabilities and operational disruptions. We kindly request that Apple consider adding these functionalities to improve the MDM app update process and provide a more reliable experience for both kiosk and non-kiosk device management. Thank you for your attention to this matter. We look forward to your feedback and any potential improvements in future iOS updates. Raised in the same manner as feedback: FB15910292

Hello, We are trying to use the Managed App Distribution framework with our mdm following the documentation here : https://developer.apple.com/documentation/managedappdistribution But on the first load we don't get anything, the app keep getting stuck inside the following code without sending an error or getting the managed apps for try await result in ManagedAppLibrary.currentDistributor.availableApps { content = try result.get().map(Content.managedApp) } If we update the list of available managed apps in our mdm, the function execute and so we have all the apps displayed as expected, but if we close and re-open the app it'll again not display anything until we update the managed apps list. How can we fetched our managed apps at anytime and not only when the list is updated ? Why this method seems to be waiting for an update instead of just fetching the available managed apps when we call it ?

out of 37 devices, 7 are inactive( al are ios ). We have checked one of the devices and the broadcast message was sent successful. Additionally, Cx confirmed that the location history is shown properly. We restarted the device, checked the date and time, and found it to be correct. We also switched to a different network, but that doesn't change anything. The sync from the Hexnode app was successful. We reinstalled the MDM profile, yet it doesn't change anything. We renewed the APNs once and checked, but the scan device action remains pending.

Would it be possible to prevent deletion of specific apps on iOS devices using MDM.

btm_launchagent.txt I have a menu bar app which should be triggered to start when a system extension is successfully installed. The menu bar app is configured as a agent which should be started by SMAppServer. SMAppService register/unregister the agent successfully when the program is running locally. When doing the program installation through JamfNow, which is a MDM system, it fails with following error. I think the problem here is that the backgroundtaskmanagementd trys to register the agent with an invalid uid=-1 or uid: 4294967295(0xFFFFFFFF). 2024-10-02 10:45:33.100537+0200 0x156d4 Activity 0x1b927 88 0 smd: (BackgroundTaskManagement) BTMManager.getEffectiveDisposition 2024-10-02 10:45:33.103478+0200 0x156dd Default 0x1b927 282 0 backgroundtaskmanagementd: [com.apple.backgroundtaskmanagement:main] effectiveItemDisposition: appURL=file:///Applications/Company%20Agent.app/, type=agent, url=Contents/Library/LaunchAgents/com.Company.agent.notifier.plist -- file:///, config={ BTMConfigArguments = ( ); BTMConfigBundleIdentifiers = ( ); BTMConfigExecutablePath = "Contents/Resources/CompanyNotifier.app/Contents/MacOS/CompanyNotifier"; BTMConfigLabel = "com.Company.agent.notifier"; } 2024-10-02 10:45:33.103544+0200 0x156dd Info 0x1b927 282 0 backgroundtaskmanagementd: [com.apple.backgroundtaskmanagement:main] effectiveItemDisposition: result=[disabled, allowed, visible, not notified] 2024-10-02 10:45:33.105120+0200 0x156d4 Default 0x1b927 88 0 smd: (BackgroundTaskManagement) [com.apple.backgroundtaskmanagement:main] getEffectiveDisposition: disposition=[disabled, allowed, visible, not notified], have LWCR=true 2024-10-02 10:45:33.105181+0200 0x156d4 Default 0x0 88 0 smd: [com.apple.xpc.smd:all] Found status: 0 for <private> 2024-10-02 10:45:33.240190+0200 0x154da Default 0x0 88 0 smd: [com.apple.xpc.smd:SMAppServiceFactory] Setting up BundleProgram keys for <private> 2024-10-02 10:45:33.240250+0200 0x154da Default 0x0 88 0 smd: [com.apple.xpc.smd:SMAppServiceFactory] Setting up BundleProgram keys for <private> 2024-10-02 10:45:33.240388+0200 0x154da Activity 0x1b92a 88 0 smd: (BackgroundTaskManagement) BTMManager.registerLaunchItemWithAuditToken 2024-10-02 10:45:33.243990+0200 0x156dd Default 0x1b92a 282 0 backgroundtaskmanagementd: [com.apple.backgroundtaskmanagement:main] registerLaunchItem: pid=3626, uid=-1, type=agent, parentURL=<private>, url=<private>, config=<private> 2024-10-02 10:45:33.244917+0200 0x156dd Default 0x1b92a 282 0 backgroundtaskmanagementd: [com.apple.backgroundtaskmanagement:main] registerLaunchItem: found existing item: uuid=AC0DBC9B-7A16-443E-ABFC-05DF0F534C08, name=CompanyNotifier, type=managed agent, disposition=[disabled, allowed, visible, notified], identifier=com.Company.agent.notifier, url=Contents/Library/LaunchAgents/com.Company.agent.notifier.plist -- file:/// 2024-10-02 10:45:33.245238+0200 0x156dd Debug 0x1b92a 282 0 backgroundtaskmanagementd: [com.apple.backgroundtaskmanagement:main] BTMStore: save scheduled. 2024-10-02 10:45:33.245281+0200 0x156dd Debug 0x1b92a 282 0 backgroundtaskmanagementd: [com.apple.backgroundtaskmanagement:main] RecordSet notification scheduled for uid -1 .... 2024-10-02 10:45:33.252358+0200 0x154da Error 0x0 88 0 smd: [com.apple.xpc.smd:SMAppService] Unable to submit job: <private> error: Error Domain=OSLaunchdErrorDomain Code=112 UserInfo={NSLocalizedFailureReason=<private>} 2024-10-02 10:45:33.252707+0200 0x156d4 Default 0x1b92a 88 0 smd: [com.apple.xpc.smd:all] Update request for identifier: <private> uid: 4294967295 2024-10-02 10:45:33.253190+0200 0x156dd Default 0x1b92a 282 0 backgroundtaskmanagementd: [com.apple.backgroundtaskmanagement:main] getItemWithIdentifier: identifier=com.Company.agent.notifier, uid=-1 2024-10-02 10:45:33.253759+0200 0x156d4 Error 0x1b92a 88 0 smd: [com.apple.xpc.smd:btm] Error getting BTMItem with Identifier: <private> uid: 4294967295 error: (null) 2024-10-02 10:45:33.253803+0200 0x156d4 Error 0x1b92a 88 0 smd: [com.apple.xpc.smd:all] Unable to find BTMItem for <private> in 4294967295 2024-10-02 10:45:33.253835+0200 0x156d4 Error 0x1b92a 88 0 smd: [com.apple.xpc.smd:all] Update operation returned error: 3, but no reply expected so error will be silent 2024-10-02 10:45:33.661537+0200 0x156dd Debug 0x0 282 0 backgroundtaskmanagementd: [com.apple.backgroundtaskmanagement:main] sending notification for uid -1, type 131080 2024-10-02 10:45:33.665159+0200 0x154fa Info 0x1b853 282 0 backgroundtaskmanagementd: [com.apple.backgroundtaskmanagement:main] fetchSFLItemsMatching: type=managed user item app 2024-10-02 10:45:33.665374+0200 0x154fa Activity 0x15dd3 282 0 backgroundtaskmanagementd: (BackgroundTaskManagement) BTMManager.userDataDidChange 2024-10-02 10:45:33.666041+0200 0x154da Activity 0x1b92d 88 0 smd: (BackgroundTaskManagement) BTMManager.userDataDidChange 2024-10-02 10:45:33.666651+0200 0x154fa Debug 0x15dd3 282 0 backgroundtaskmanagementd: (BackgroundTaskManagement) [com.apple.backgroundtaskmanagement:main] -[BTMManager handleUserDataDidChangeNotification:]: uid=-1, type=131080 2024-10-02 10:45:33.666085+0200 0x154da Debug 0x1b92d 88 0 smd: (BackgroundTaskManagement) [com.apple.backgroundtaskmanagement:main] -[BTMManager handleUserDataDidChangeNotification:]: uid=-1, type=131080 2024-10-02 10:45:36.218160+0200 0x154fa Debug 0x0 282 0 backgroundtaskmanagementd: [com.apple.backgroundtaskmanagement:main] -[BTMStore handleWriteTimer] entered 2024-10-02 10:45:36.218254+0200 0x154fa Debug 0x0 282 0 backgroundtaskmanagementd: [com.apple.backgroundtaskmanagement:main] -[BTMStore _save] entered 2024-10-02 10:45:36.224738+0200 0x154fa Default 0x0 282 0 backgroundtaskmanagementd: [com.apple.backgroundtaskmanagement:main] BTMStore: store saved to /var/db/com.apple.backgroundtaskmanagement/BackgroundItems-v9.btm Could it be a problem from the MDM system JamfNow or somewhere else? The whole logs is as attached. Thanks!

Hi I have tried the code given on link https://developer.apple.com/documentation/appdistribution/fetching-and-displaying-managed-apps. This code is not compilable in Xcode 16.1. After some fixes i am able to run the code but i am getting Error registering for message: [App catalog changed]: An unspecified, unrecoverable error occurred. Kindly help me with this.

I would like to explore the option of restricting system prompts to share information with ChatGPT on my company's laptops. Is this possible, and if so, how can it be implemented? Should this be centralized, or should each user handle it individually?

It seems there was a new security feature added to macOS 15 - and now it asks every time after reboot if user wishes to continue and allow access the app to record screen and audio, while capture is blocked. Which renders remote access apps useless, a specially for headless computers like my Mac mini.

Sometime since July 2024 the list of devices in our Enterprise Account is showing the same device and UDID 6 times. Looking at the DATE REGISTERED field it is apparent that each instance of the device represents the 'old' device that should have been 'deleted' when the annual device reset was actioned. The date registered field shows dates with 2019, 2020, 2021, and so till 2024 (most recent). I have 'disabled' two of the entries to see what happens, and those instances were disabled as expected without impacting the other instances. However, when attempting a re-enable of them, an error throws saying that they cant be enabled because that UDID already exists - obviously the other instances. For now, I have left 4 active duplicates in place, and the 2 disabled ones as they are, and plan to deal with this again - if it re-occurs in 2025. It does not seem to have impacted provisioing profiles - so will leave well enough alone. I am sure if I disable all of them, I will not be able to re-enabled any of them. Is this a know issue? Is this the best strategy? - ie, wait till device reset next year and hope issue is resolved. This post had similar issue, in 2023, but no response Forum Post 733264

I'm developing an ACME server to issue identity certificates to macOS/iOS devices for MDM attestation, following RFC 8555. Per RFC, the client creates an order, performs authorization, verifies the challenge, and finalizes the order by submitting a CSR to the CA. In my setup, the CA sometimes takes longer to issue the certificate (around 50 seconds). According to RFC 8555, if certificate issuance isn’t complete after the /finalize call, the server should respond with an "order" object with a "processing" status. The client should then send a POST-as-GET request to the order resource (e.g., /order/<order_id>) to check the current state. If the CA still hasn’t issued the certificate, the server should return the order object with the same "processing" status and include a "Retry-After" header, indicating when the client should retry. The client is expected to poll the order resource at this specified interval with POST-as-GET requests. However, it seems the Apple ACME client ignores the "Retry-After" header and instead returns the error: "Profile failed - Order status is processing, not yet valid" immediately upon the first poll response with "processing." Apple ACME client deviating from the RFC documentation. Has anyone found a reliable solution to this issue? Or does Apple supports asynchronous order finalization? Ref -https://datatracker.ietf.org/doc/html/rfc8555#:~:text=A%20request%20to%20finalize%20an%20order%20will%20result%20in%20error,to%20the%20%22certificate%22%20field%20of%20the%20order.%20%20Download%20the%0A%20%20%20%20%20%20certificate. To work around this, I’m holding the /finalize call until the CA issues the certificate. This works when issuance is quick (under 20 seconds), but if it takes more than that , the client times out. Interestingly, the Apple ACME client’s timeout appears shorter than the usual 60-second URLSession default.

I was able to setup a release test for an iOS app for distribution using a web server. It works perfectly fine for all the devices I registered for the deployment profile. However every time I try to distribute a Unity based Vision Pro application using the same process for building the package and set up for distribution it does not work. Safari only shows a message telling me: "Cannot connect to ." When trying to install the iOS app from the same server it shows the message "Do you want to install ?" and installation completes correctly. My iOS is a simple hello world app generated by Xcode. My Unity app is an AR app targeting com.apple.platform.xros. According to documentation there should not be any difference in deployment profiles/signing for iOS apps vs. visionOS apps. What am I doing wrong? Any hint is appreciated how to continue.

Since this file is protected by SIP, it can't just be changed by an installer/app without prompting the user. If the user chooses to deny the request, the sudo file won't be updated with a security critical pam module. I need to insert our custom pam module into /etc/pam.d/sudo without the user being able to deny the operation.

I'm reaching out to discuss a significant issue related to how iOS handles app login sessions, particularly in the context of MDM (Mobile Device Management) and the Outlook app. In our organization, we use MDM to distribute applications, including Outlook, with certificate-based authentication for BYOD (Bring Your Own Device) devices. This setup allows users to log in seamlessly to their accounts. However, we've encountered a concerning behavior: when a user unenrolls from MDM, which automatically removes the distributed apps and certificates, they can later reinstall the app from the App Store and find themselves automatically logged back into their previous accounts without any authentication prompts. Here’s a detailed breakdown of the situation: Initial Installation: Users enroll their devices in MDM, which installs the necessary apps and certificates on those devices. Session Storage: After the initial login, the app stores the session locally on the device. App Deletion: When users un enroll their devices from MDM, it automatically removes the distributed apps and certificates. Reinstallation: Days or weeks later, when they reinstall the Outlook app from the App Store, they find themselves automatically logged back into their accounts. This behavior raises important concerns: Lack of Authentication: The app retaining user sessions even after deletion allows users to access their accounts without re-authentication, which could lead to potential unauthorized access and undermines the effectiveness of certificate-based authentication and two-factor authentication (2FA). Note: This issue is not limited to Outlook; we've observed similar behavior with many other apps. Need for a Solution - Given the implications of this behavior, we are looking for effective solutions to prevent it. Specifically, we need options within the MDM framework to: Restrict Session Retention: Implement settings that ensure any app deleted via MDM will lose all stored sessions and require re-authentication upon reinstallation. Default Settings for MDM-Distributed Apps: Ideally, this would be a default feature for all apps distributed through MDM, ensuring that user sessions are not retained after app deletion. Has anyone else experienced this issue? Are there any existing settings or workarounds within MDM platforms to mitigate this problem? Your insights and experiences would be invaluable as we navigate this challenge. Thank you!

When the user pushed the lock device action on a macOS 14, it returned an acknowledgement but the device wasn't locked. Which resulted in loss of data on the device.

I'm developing an ACME server to issue identity certificates to macOS/iOS devices for MDM attestation, following RFC 8555. Per RFC, the client creates an order, performs authorization, verifies the challenge, and finalizes the order by submitting a CSR to the CA. In my setup, the CA sometimes takes longer to issue the certificate (around 50 seconds). According to RFC 8555, if certificate issuance isn’t complete after the /finalize call, the server should respond with an "order" object with a "processing" status. The client should then send a POST-as-GET request to the order resource (e.g., /order/<order_id>) to check the current state. If the CA still hasn’t issued the certificate, the server should return the order object with the same "processing" status and include a "Retry-After" header, indicating when the client should retry. The client is expected to poll the order resource at this specified interval with POST-as-GET requests. However, it seems the Apple ACME client ignores the "Retry-After" header and instead returns the error: "Profile failed - Order status is processing, not yet valid" immediately upon the first poll response with "processing." Apple ACME client deviating from the RFC documentation. Has anyone found a reliable solution to this issue? Ref -https://datatracker.ietf.org/doc/html/rfc8555#:~:text=A%20request%20to%20finalize%20an%20order%20will%20result%20in%20error,to%20the%20%22certificate%22%20field%20of%20the%20order.%20%20Download%20the%0A%20%20%20%20%20%20certificate. To work around this, I’m holding the /finalize call until the CA issues the certificate. This works when issuance is quick (under 20 seconds), but if it takes more than that , the client times out. Interestingly, the Apple ACME client’s timeout appears shorter than the usual 60-second URLSession default.

We have network system extension which is fundamental part of our application and needs to be installed before the application can run. In many cases we need the installation to be automated, i.e. without logged-in user (with the help of MDM solution like JAMF). Is there a way to activate the extension fully automated without logged-in users? I tried to call 'open -W -a /Application/' from the package's post install script. But seems launch fails if no user is logged in.

Hello, I am writing a NetworkExtension VPN using custom protocol and our client would like to able to use 5G network slice on the VPN, is this possible at all? From Apple's documentation, I found the following statement: If both network slicing and VPN are configured for an app or device, the VPN connection takes precedence over the network slice, rendering the network slice unused. Is it possible to assign a network slice on a NetworkExtension-based VPN and let the VPN traffic uses the assign network slice? Many thanks

Hi, I have a question regarding reading the configuration of a managed app deployed via an MDM system. The application has an Action Extension and can receive shared files via this extension. The problem I am facing is that I can read the managed configuration in the host app by accessing the UserDefaults.standard.object(forKey: "com.apple.configuration.managed") dictionary. With this, I can configure the host app. However, I am unable to read this configuration key in the Action Extension part of the application. My question is whether there is any possibility to read the managed configuration even in the extension. So far, I have been unable to figure out how to read it. I found the sample code, but it was not very helpful since it is very basic and does not deal with extensions at all. Any hints are appreciated.