I took notes during the "What's new in managing Apple Devices" session. If interested, please see the attached "Notes from session":
Session Notes
For the session video, please see the following link: https://developer.apple.com/wwdc22/10045
Device Management: Allow administrators to securely and remotely configure enrolled devices using Device Management.
I just upgraded my local iPhone 15 to iOS 18 Beta 3 and enrolled the device in an MDM server.
Then ran EraseDevice command with ReturnToService as enabled. https://developer.apple.com/documentation/devicemanagement/erasedevicecommand/command/returntoservice
MDM command request body:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Command</key>
    <dict>
        <key>DisallowProximitySetup</key>
        <false/>
        <key>PreserveDataPlan</key>
        <true/>
        <key>RequestType</key>
        <string>EraseDevice</string>
        <key>ReturnToService</key>
        <dict>
            <key>Enabled</key>
            <true/>
            <key>WiFiProfileData</key>
            <data>WiFi Profile Base64</data>
            <key>MDMProfileData</key>
            <data>MDM Profile Base64</data>
        </dict>
    </dict>
    <key>CommandUUID</key>
    <string>0001_EraseDevice</string>
</dict>
</plist>
MDM executed the command successfully.
The device erased itself and opened the Hello Screen after a few seconds, but the device did not go to the Home Screen; the same works fine on iOS 17.
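The placeholders in the command above stand for base64 profile data, which is where hand-built plists most often go wrong. This added Python example (not from the post or from Apple) builds the same EraseDevice command with plistlib, which emits bytes as proper <data> elements, and pre-checks the ReturnToService dictionary before the command is queued; the embedded profiles are constructed stand-ins.

```python
import plistlib
import uuid

# Constructed stand-in profiles for this example; a real MDM would pass the
# bytes of its signed Wi-Fi and enrollment .mobileconfig files instead.
WIFI_PROFILE = (b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
                b'<key>PayloadType</key><string>Configuration</string>'
                b'<key>PayloadIdentifier</key><string>example.wifi</string></dict></plist>')
MDM_PROFILE = (b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
               b'<key>PayloadType</key><string>Configuration</string>'
               b'<key>PayloadIdentifier</key><string>example.mdm</string></dict></plist>')


def build_erase_device_command(wifi_profile, mdm_profile, command_uuid=None,
                               preserve_data_plan=True, disallow_proximity_setup=False):
    """Return the XML plist body of an EraseDevice command with ReturnToService enabled.

    plistlib writes bytes values as <data> elements (base64, as the plist DTD
    requires), so the profiles are passed as raw bytes, never pre-encoded.
    """
    command = {
        "CommandUUID": command_uuid or str(uuid.uuid4()),
        "Command": {
            "RequestType": "EraseDevice",
            "PreserveDataPlan": preserve_data_plan,
            "DisallowProximitySetup": disallow_proximity_setup,
            "ReturnToService": {
                "Enabled": True,
                "WiFiProfileData": wifi_profile,
                "MDMProfileData": mdm_profile,
            },
        },
    }
    return plistlib.dumps(command, fmt=plistlib.FMT_XML)


def check_return_to_service(body):
    """Sanity-check a command body before queueing it; return a list of problems.

    Both profile keys are required here because the post's command supplies both;
    each must be a <data> element whose contents parse as a property list.
    """
    problems = []
    cmd = plistlib.loads(body).get("Command", {})
    if cmd.get("RequestType") != "EraseDevice":
        problems.append("RequestType must be EraseDevice")
    rts = cmd.get("ReturnToService")
    if not isinstance(rts, dict) or rts.get("Enabled") is not True:
        return problems + ["ReturnToService.Enabled is not true"]
    for key in ("WiFiProfileData", "MDMProfileData"):
        blob = rts.get(key)
        if not isinstance(blob, bytes):
            problems.append(f"{key} is missing or not a <data> element")
            continue
        try:
            plistlib.loads(blob)  # an embedded profile must itself be a valid plist
        except Exception:
            problems.append(f"{key} is not a valid property list")
    return problems


if __name__ == "__main__":
    body = build_erase_device_command(WIFI_PROFILE, MDM_PROFILE, "0001_EraseDevice")
    print(body.decode())
    print("problems:", check_return_to_service(body))
```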
I'd like to try ManagedAppView described here: https://developer.apple.com/documentation/appdistribution/fetching-and-displaying-managed-apps
import SwiftUI
import ManagedAppDistribution

// Define a model that obtains a list of managed apps.
@Observable final class PortalViewModel {
    enum Content: Identifiable {
        case managedApp(ManagedApp), developerContent(title: String, action: (ManagedContentOfferState) -> Void)
        var id: String {
            switch self {
            case let .managedApp(app):
                return app.id
            case let .developerContent(title, _):
                return title
            }
        }
    }
    var contents: [Content] = []
    func getApps() async {
        do {
            // Each element of the stream is a Result; unwrap it and keep the apps.
            for try await result in ManagedAppLibrary.currentDistributor.availableApps {
                contents = try result.get().map(Content.managedApp)
            }
        } catch {
            // Handle errors here.
            print("ERROR==>\(error)")
        }
    }
}

struct PortalView: View {
    // @State keeps a single view-model instance alive across view updates.
    @State private var viewModel = PortalViewModel()
    var body: some View {
        List(viewModel.contents) { content in
            switch content {
            case let .managedApp(managedApp):
                ManagedAppView(app: managedApp)
            case let .developerContent(title, action):
                ManagedContentView(primaryLabel: title, offerState: .custom(title: "Request"), offerAction: action) {
                    Image("house")
                }
            }
        }
        .managedContentStyle(.compact)
        .task { await viewModel.getApps() }
    }
}
I already configured an entitlement for this UI:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.developer.managed-app-distribution.install-ui</key>
    <array>
        <string>managed-app</string>
    </array>
</dict>
</plist>
However, the screen stays blank with the error message "Error registering for message: [App catalog changed]: An unspecified, unrecoverable error occurred." when executing ManagedAppLibrary.currentDistributor.availableApps.
And the console log probably implies that this playground app (MDM Agent for SwiftUI) should be available on the App Store and installed as managed.
Jul 16 02:20:17 iPhone MDM Agent for SwiftUI(libxpc.dylib)[1395] <Notice>: [0x105a155c0] activating connection: mach=true listener=false peer=false name=com.apple.managedappdistributiond.xpc
Jul 16 02:20:17 iPhone managedappdistributiond(libxpc.dylib)[1320] <Notice>: [0xc2a1e4dc0] activating connection: mach=false listener=false peer=true name=com.apple.managedappdistributiond.xpc.peer[1395].0xc2a1e4dc0
Jul 16 02:20:17 iPhone managedappdistributiond[1320] <Notice>: [TXNaf44] \M-p\M^_\M^P\M^O Beginning transaction (<private>)
Jul 16 02:20:17 iPhone managedappdistributiond[1320] <Notice>: Activity associated with <private>ED4BF49B
Jul 16 02:20:17 iPhone dmd[169] <Notice>: Received request: <DMFFetchAppsRequest: 0xbdc8e48c0>, from client: <CATTaskSession: 0xbdc850aa0 { state = Connected, session = 04530509-57B9-41D3-BEBC-3F07673E8BFC, transport = <CATXPCTransport: 0xbdc96c9b0 { state = Connected }> }>
Jul 16 02:20:17 iPhone dmd(libxpc.dylib)[169] <Notice>: [0xbdc1ab700] activating connection: mach=true listener=false peer=false name=com.apple.accountsd.accountmanager
Jul 16 02:20:17 iPhone accountsd(AccountsDaemon)[112] <Notice>: "<private> (<private>) received"
Jul 16 02:20:17 iPhone accountsd(libxpc.dylib)[112] <Notice>: [0xcc2804f00] activating connection: mach=false listener=false peer=true name=com.apple.accountsd.accountmanager.peer[169].0xcc2804f00
Jul 16 02:20:17 iPhone dmd[169] <Notice>: Add operation: <DMDFetchAppsOperation: 0xbdc360000 { name = (null), ID = 4161DF16-B5EE-4C2F-AFC7-ED66C9EF6216, state = A-- [0], completed = -1/-1 }>
Jul 16 02:20:17 iPhone dmd(libxpc.dylib)[169] <Notice>: [0xbdc1ab700] invalidated because the current process cancelled the connection by calling xpc_connection_cancel()
Jul 16 02:20:17 iPhone dmd[169] <Notice>: Operation will start: <DMDFetchAppsOperation: 0xbdc360000 { name = (null), ID = 4161DF16-B5EE-4C2F-AFC7-ED66C9EF6216, state = A-- [0], completed = -1/-1 }>
Jul 16 02:20:17 iPhone dmd(Accounts)[169] <Notice>: "The connection to ACDAccountStore was invalidated."
Jul 16 02:20:17 iPhone dmd[169] <Notice>: Fetch apps with bundle ids: ( "com.companyname.MDM-Agent-for-SwiftUI"
), store item id: (null)
Jul 16 02:20:17 iPhone dmd(AppStoreDaemon)[169] <Notice>: [ASDUpdatesService]: getManagedUpdatesWithCompletionBlock
Jul 16 02:20:17 iPhone accountsd(libxpc.dylib)[112] <Notice>: [0xcc2804f00] invalidated after getting a no-senders notification - client is gone
Jul 16 02:20:17 iPhone appstored[189] <Notice>: [XPCServiceEntitlements]: We have the entitlement: com.apple.itunesstored.private for pid: 169 result: 1
Jul 16 02:20:17 iPhone appstored[189] <Notice>: [8D8ED625] getManagedUpdates requested for client: com.apple.dmd
Jul 16 02:20:17 iPhone appstored[189] <Notice>: [8D8ED625] Returning 0 available and 0 recent update(s)
Jul 16 02:20:17 iPhone appstored[189] <Notice>: [8D8ED625] getManagedUpdates completed successfully
Jul 16 02:20:17 iPhone dmd(AppStoreDaemon)[169] <Notice>: [ASDUpdatesService]: getUpdatesWithCompletionBlock
Jul 16 02:20:17 iPhone appstored[189] <Notice>: [XPCServiceEntitlements]: We have the entitlement: com.apple.itunesstored.private for pid: 169 result: 1
Jul 16 02:20:17 iPhone appstored[189] <Notice>: [C7CA1AFD] getUpdates requested for client: com.apple.dmd
Jul 16 02:20:17 iPhone appstored[189] <Notice>: [C7CA1AFD] Returning 0 available and 0 recent update(s)
Jul 16 02:20:17 iPhone appstored[189] <Notice>: [C7CA1AFD] getUpdates completed successfully
Jul 16 02:20:17 iPhone dmd[169] <Notice>: Lifecycle is not stale for bundle ID: com.companyname.MDM-Agent-for-SwiftUI
Jul 16 02:20:17 iPhone dmd[169] <Notice>: Operation will finish: <DMDFetchAppsOperation: 0xbdc360000 { name = (null), ID = 4161DF16-B5EE-4C2F-AFC7-ED66C9EF6216, state = AE- [0], completed = -1/-1 }>
Jul 16 02:20:17 iPhone managedappdistributiond[1320] <Error>: Hosting app <private> with persona <private> is not managed
Jul 16 02:20:17 iPhone managedappdistributiond[1320] <Error>: Error in <private>: An unspecified, unrecoverable error occurred.
Jul 16 02:20:17 iPhone managedappdistributiond[1320] <Notice>: [TXNaf44] \M-p\M^_\M^P\M^O Ending transaction (<private>) (<private>)
Jul 16 02:20:17 iPhone MDM Agent for SwiftUI(ManagedAppDistribution)[1395] <Error>: Error registering for message: [App catalog changed]: An unspecified, unrecoverable error occurred.
So, how can we develop and debug ManagedAppDistribution?
(NOTE the test device is supervised and managed using DDM.)
We need to do some operations in a login screen, but when the user uses a WPA2-Enterprise network, the authentication to this network is only possible after the login process has already been completed.
Is there a way to change the network on login screen or a way to authenticate on the WPA2-Enterprise network before a completed login?
STEPS TO REPRODUCE
1 - Use a WPA2-Enterprise network
2 - Set the WPA2-Enterprise network as Auto-Join/Principal
3 - Reboot the machine
4 - On the logon screen it is impossible to authenticate on the enterprise network, even after typing the username and password.
There is a new property introduced in the iOS 18 Beta for VPN, i.e. CellularSliceUUID.
But there is no description available for it. Could you please let us know how this property can impact VPN?
https://developer.apple.com/documentation/devicemanagement/vpn?changes=latest_major&language=objc
I am having two issues with an IKEv2 VPN profile and certificates, and I am using Apple Configurator to create the profile. We have a self-signed CA that consists of an intermediate/root chain. The first issue is that when I load the intermediate and/or root into the Certificates section and then, in the VPN section, select Certificate for Machine Authentication, the VPN doesn't connect, and from Console we get the error "Trust evaluate failure: [leaf MissingIntermediate]." If I load the server cert, the profile connects. I am lost as to why this works; I would assume we would need only the intermediate and/or root.
The second issue I am running into is that when I put the Intermediate CA name into "Server Certificate Issuer Common Name", the VPN does not connect at all, with or without the server cert.
If I can provide any more information at all, please let me know. With this being a public forum, I didn't want to include much from my organization but can send it privately. Thank you in advance for any assistance.
Screenshot of the console error is attached
Hi Team,
We are trying to set MDM with NETransparentProxyManager to auto-approve the proxy, but it did not work.
We have tried the below Apple document for NETransparentProxyManager.
https://developer.apple.com/documentation/devicemanagement/vpn/transparentproxy.
Attached is the config file.
ApplicationProxy.VPN.mobileconfg.txt
Could you please suggest how to configure NETransparentProxyManager via MDM?
We are configuring a passcode policy through MDM where the password expiration is set to 2 months for local accounts (not domain joined). Occasionally, we receive prompts to change the password a few days before it expires. Please refer to the image below.
We would like to clarify the following:
What is the default timing for these reminders? Specifically, how many days before the password expiration do these prompts typically start appearing?
Can we adjust the number of days before these reminders appear?
If yes, can this adjustment be made through MDM settings or via a script?
When a package is published via MDM using the Install Enterprise app command provided by Apple, on one of the devices this command fails with a com.apple.appstored.xpc exception but works fine on other macOS devices with the same restrictions and OS version. We tried restarting the device and also the appstored process via Activity Monitor, but it was in vain.
I am attaching system logs that contain the exception and stack trace when the command failed.
ExceptionLogs
In our Device Configuration Policy (MDM Policy) we have Excluded Domains that should prevent VPN traffic for that domain, but it is not working on iOS 17.5.1, whereas it was working before!
We are using a JAMF profile to configure the automatic proxy configuration URL on macOS. The configuration looks as follows:
#scutil --proxy
<dictionary> {
BypassAllowed : 0
ExceptionsList : <array> {
0 : https://exception.com
}
FTPPassive : 0
FallBackAllowed : 0
HTTPEnable : 0
HTTPSEnable : 0
ProxyAutoConfigEnable : 1
ProxyAutoConfigURLString : https://pac.com/FailbackWithExclusionsENDUSERS.pac
SOCKSEnable : 0
}
This configuration works fine with normal network. When user tries to connect to a Captive Portal Network, the captive portal login page does not appear but an error page appears as shown below
We need help to identify what is wrong with this configuration causing this error.
Using Apple Configurator, I cannot transfer over an iPhone 8 (with iOS 16.7.8 installed) because of this message:
Si è verificato un errore inatteso con “iPhone di Sandro”.
Impossibile completare l’operazione. Blocco risorsa evitato [NSPOSIXErrorDomain – 0xB (11)]
How can I fix it?
I'm experiencing error code 12026 when trying to install an app with iTunes Store ID 1163307568 and have tried various solutions but am still unable to install the app. I tried revoking the licenses and pushing the apps again, but the error prompt persists.
We have also tried syncing VPP, checking the app license, and purchasing a mild surplus, but still getting the error.
I appreciate any suggestions on a problem we're having. Here's what's happening:
We use Visual Studio to create Xamarin and MAUI apps.
We have several apps that all have In-House provisioning profiles attached to the same certificate. Developers upload ipa files to our internal website, so our QA team can install and test them. We have done this in this way for several years.
As of a month or so ago, one of these apps will not install after download. Under the app icon on the device there is a download icon before the app name, and tapping the icon results in the error message, "This app cannot be installed because its integrity could not be verified."
Something else that started around the same time: while the name of our enterprise certificate "iPhone Distribution OurCompanyName" shows in the Signing Identity dropdown, when we select it and open the list again, the list now also has "Unknown (iPhone Distribution OurCompanyName)" as a selection. The timing can't be a coincidence; it must be connected to the problem.
I have made new certificates and provisioning profiles (Ad-Hoc and In-House) several times, but nothing I have tried over the past three days has worked. And, as I mentioned, we have many other apps that work just fine.
Is there a way to deploy a client certificate (mTLS) payload with an Application using MDM?
What alternatives are there for accomplishing this? A .p12 is fine if that is the only option; however, the app would need to import it into its keychain and delete the .p12 file (or the MDM would need to do so).
The customer is trying to enroll macOS devices in Hexnode via Apple Business Manager (without reset). Upon running the command sudo profiles renew -type enrollment, he received the following error.
Error: DEP enrollment failed: The cloud configuration server is unavailable. (MDMDeviceEnrollment:103)
Upon running the command sudo profiles show -type enrollment in Terminal, he received the following output.
Error fetching Device Enrollment configuration: (34006) Error Domain=MCCloudConfigurationErrorDomain Code=34006 "The cloud configuration server is unavailable." UserInfo={CloudConfigurationErrorType=CloudConfigurationFatalError, NSLocalizedDescription=The cloud configuration server is unavailable., NSUnderlyingError=0x6000012f0060 {Error Domain=com.apple.MobileActivation.ErrorDomain Code=-1 "Failed to create reference key." UserInfo={NSLocalizedDescription=Failed to create reference key., NSUnderlyingError=0x6000012f00c0 {Error Domain=com.apple.MobileActivation.ErrorDomain Code=-1 "Failed to create ref key." UserInfo={NSLocalizedDescription=Failed to create ref key., NSUnderlyingError=0x6000012f0150 {Error Domain=NSOSStatusErrorDomain Code=-25308 "failed to generate asymmetric keypair" (errKCInteractionNotAllowed / errSecInteractionNotAllowed: / Interaction is not allowed with the Security Server.) UserInfo=0x6000009f0440 (not displayed)}}}}}}
The device was assigned to the Hexnode server and listed in DEP devices in Hexnode. It seems to be an Intel device, and we tried the following troubleshooting steps. He said another user tried out the case and was encountering the same errors. He tried the following steps as part of troubleshooting.
Installed pending OS updates
Re-assigned device to Hexnode server
Cleared NVRAM/PRAM
Switched networks
Turned off firewall and proxies on the device
Re-assigned DEP configuration profile to devices
Re-configured DEP and APNs
Enrolling the device using the enrollment URL does work and he's able to deploy actions as well. He is willing to reset the device and check as well, but he has ~30 devices in ABM that are remote and in use. Since 2 devices encountered the case, he would like to know more about what happened.
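The nested NSUnderlyingError chain in the profiles output above is hard to read by hand; this added Python helper (example code, not Hexnode's or Apple's) parses Foundation's `Error Domain=... Code=... "..."` format and surfaces the deepest error, the Security Server keypair failure, as the root cause. The sample input is the output quoted in the post.

```python
import re

# Output captured in the post above (sudo profiles show -type enrollment),
# reproduced here as the sample input for the parser.
SAMPLE = (
    'Error fetching Device Enrollment configuration: (34006) Error Domain=MCCloudConfigurationErrorDomain '
    'Code=34006 "The cloud configuration server is unavailable." UserInfo={CloudConfigurationErrorType='
    'CloudConfigurationFatalError, NSLocalizedDescription=The cloud configuration server is unavailable., '
    'NSUnderlyingError=0x6000012f0060 {Error Domain=com.apple.MobileActivation.ErrorDomain Code=-1 '
    '"Failed to create reference key." UserInfo={NSLocalizedDescription=Failed to create reference key., '
    'NSUnderlyingError=0x6000012f00c0 {Error Domain=com.apple.MobileActivation.ErrorDomain Code=-1 '
    '"Failed to create ref key." UserInfo={NSLocalizedDescription=Failed to create ref key., '
    'NSUnderlyingError=0x6000012f0150 {Error Domain=NSOSStatusErrorDomain Code=-25308 '
    '"failed to generate asymmetric keypair" (errKCInteractionNotAllowed / errSecInteractionNotAllowed: / '
    'Interaction is not allowed with the Security Server.) UserInfo=0x6000009f0440 (not displayed)}}}}}}'
)

# One NSError as Foundation prints it: Error Domain=<domain> Code=<code> "<description>"
ERROR_RE = re.compile(r'Error Domain=(?P<domain>[\w.]+) Code=(?P<code>-?\d+) "(?P<desc>[^"]*)"')


def error_chain(text):
    """Return every NSError in the text, outermost first, as (domain, code, description).

    Each NSUnderlyingError is printed inside its parent's UserInfo, so textual
    order is nesting order and the last tuple is the deepest (root) cause.
    """
    return [(m["domain"], int(m["code"]), m["desc"]) for m in ERROR_RE.finditer(text)]


def root_cause(text):
    """Return the deepest error plus any Security framework symbols that follow it."""
    chain = error_chain(text)
    if not chain:
        return None
    domain, code, desc = chain[-1]
    # Security framework descriptions carry their OSStatus names in parentheses after the message.
    paren = re.search(r'"' + re.escape(desc) + r'" \(([^)]*)\)', text)
    symbols = re.findall(r'\berr\w+', paren.group(1)) if paren else []
    return {"domain": domain, "code": code, "description": desc,
            "symbols": symbols, "depth": len(chain)}


def format_chain(text):
    """Render the chain as an indented tree for a ticket or a triage note."""
    lines = []
    for depth, (domain, code, desc) in enumerate(error_chain(text)):
        lines.append(f"{'  ' * depth}{domain} ({code}): {desc}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_chain(SAMPLE))
    print(root_cause(SAMPLE))
```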
We noticed that Apple Login fails if we try to login with Managed Apple ID on iOS 17.2 & 17.3
This issue could have been introduced in iOS 17 but we did not have iOS 17.0 or 17.1 to validate this.
There are a few prerequisites to this:
Should be a supervised device. It can be enrolled in ABM or ASM.
Apple ID should be Managed Apple ID
Device should have a passcode policy
Device should have “allowListedAppBundleIDs” added in the “com.apple.applicationaccess” payload
If any of the above conditions is not met, then the issue does not happen.
If the device is set up in the above way and we try to login with Managed Apple ID, then the login fails.
Please refer to the recording at this link: https://drive.google.com/file/d/1XG17loAuH_GB1IyGdwD8txjkHZWqGeD1/view?usp=drive_link
We reproduced the issue three times and got the log files:
Issue occurred at: 21st March 2024 at 19:54:58 IST
a. Log file name: sysdiagnose_2024.03.21_19-55-26+0530_iPhone-OS_iPhone_21D50(07.54.58 pm).tar.gz
b. Link: https://drive.google.com/file/d/1nk-cQPrVEZrAUgVmrxPCsSRDd4aNF8eK/view?usp=drive_link
Issue occurred at: 21st March 2024 at 19:59:44 IST
a. Log file name: sysdiagnose_2024.03.21_20-00-02+0530_iPhone-OS_iPhone_21D50(07.59.44 pm).tar.gz
b. Link: https://drive.google.com/file/d/1VPcF77G2SK2c1rBK4S2GbLCAiQEeYPOB/view?usp=drive_link
Issue occurred at: 21st March 2024 at 20:03:27 IST
a. Log file name: sysdiagnose_2024.03.21_20-03-39+0530_iPhone-OS_iPhone_21D50(08.03.27 pm).tar.gz
b. Link: https://drive.google.com/file/d/1zlLLMd0ugJoiZtmpWlarREFDl1vjZoWP/view?usp=drive_link
During the above tests, this was the setup
Passcode Policy:
a. requireAlphanumeric: true
b. minLength: 13
c. allowSimple: false
allowListedAppBundleIDs: This can be anything, but at least one of them should be enabled. For example:
a. com.apple.AppStore
b. com.apple.MobileAddressBook
c. com.apple.calculator
d. com.apple.camera
e. com.apple.DocumentsApp
f. com.apple.facetime
What results I expected: The user should be able to login without an issue
What results I actually saw: The user does not login
We also created a ticket in Feedback assistant in March but haven't received any response: FB13694721
Since the release of macOS 14.0, we have encountered issues with the Content Filtering MDM Payload. This problem is unusual but can be resolved by restarting the system.
Prerequisites:
macOS 14 or higher
Any Mac with a Silicon (ARM) processor
Restrictions Payload and Parental Content Filtering Payload must be installed on the device, either manually or through any MDM service
Issue Details:
When the Parental Content Filtering Payload is removed after installation, it causes internet issues, and browsers display "The site can't be reached".
This affects applications as well, with Safari being the only application that continues to work.
The issue can be resolved by either re-adding the Content Filtering Payload or restarting the Mac.
Links:
Restriction Payload: https://drive.google.com/file/d/1buwLFgbjTRXij9ZSv1QrDeRnWbFfKNtq/view?usp=drive_link
Content Filtering Payload: https://drive.google.com/file/d/1eAJiBg4N__dML65MRDH7hYCocuTqOCcu/view?usp=drive_link
System Logs: https://drive.google.com/drive/folders/1hKKNAoMn_4x1CqMTxz1bPrUucCbftjO9?usp=drive_link
Screen Recording: https://drive.google.com/file/d/1uS8CJqe9p9DG9XzhUnIsY35eme4Dxs60/view?usp=drive_link
Hello all, this may not be the right place to get answers for this, but I am not sure where else to put it. Currently we are using the Apple Software Lookup Service to fetch available iOS updates that can be used to push updates through Declarative Management. This works fine; however, we are now running into an issue: https://gdmf.apple.com/v2/pmv does not have a valid SSL certificate, which during the prototyping phase was fine as we turned off SSL certificate validation to get the feature to work. Now that we are moving to make this a formal development we need to turn this on, but obviously with the URL having an invalid cert this causes all requests to throw invalid certificate errors (specifically that the root cert isn't trusted; this can also be seen when navigating to the URL in a browser, which returns NET::ERR_CERT_AUTHORITY_INVALID). Is there any chance that the SSL cert for this API can be fixed?
My application supports a Custom URL Scheme which is used to perform an open operation. My application is used as a helper app for MDM, hence it will be installed as a Managed Application. I want only the other Managed Applications to be able to invoke the Custom URL Scheme and not allow it for unmanaged applications. Is there any such provision provided by the Apple MDM protocol?
Trying to enroll a device, but during the installation of the enrollment profile I get the error message: "The profile (com.xxxxxx.mdm:c1c8048f-1450-4473-8bba-1c714c4ce492) could not be installed due to an unexpected error. CPProfileManager:-65002"