Hello,
We are working with an iOS app that is distributed as a Public Unlisted App Store app. Our MDM allows us to import the app by URL, but when added this way, the app is marked as unmanaged in the inventory. Because of that, we cannot assign a Managed App Configuration payload to it in the normal way.
What we are trying to achieve:
Deliver a configuration profile to all enrolled devices before the app is installed.
When the user installs the app from the MDM catalog, the app should immediately see the configuration values.
Questions we’re hoping to clarify:
Is it technically feasible to pre-provision a Managed App Configuration for an app in this scenario, by pushing a .mobileconfig profile to all devices?
If yes, what would be the correct payload format and content of such a .mobileconfig file?
We’ve tested a profile format we found here that uses com.apple.managed-app-config PayloadType and a ManagedAppConfiguration key with the bundle ID nested inside, but iOS reports this as “payload not recognized.” From what we understand, that may not be part of Apple’s schema.
Any guidance from Apple or the community on whether this use case is possible (and, if so, what the valid profile format should look like) would be very helpful.
Note: For a complicated company policy, at the moment we are not able to participate in ABM.
Thanks in advance!
Managed Settings
RSS for tagSet restrictions for certain settings, such as locking accounts in place, preventing password modification, filtering web traffic, and shielding apps.
Posts under Managed Settings tag
82 Posts
Sort by:
Post
Replies
Boosts
Views
Activity
How can my password manager app redirect users to the “AutoFill Passwords & Passkeys” settings page?
Hi all,
I’m building a password manager app for iOS. The app implements an ASCredentialProviderExtension and has the entitlement com.apple.developer.authentication-services.autofill-credential-provider.
From a UX perspective, I’d like to help users enable my app under:
Settings → General → AutoFill & Passwords
What I’ve observed:
Calling UIApplication.openSettingsURLString only opens my app’s own Settings page, not the AutoFill list.
Some apps (e.g. Google Authenticator) appear to redirect users directly into the AutoFill Passwords & Passkeys screen when you tap “Enable AutoFill.”
1Password goes even further: when you tap “Enable” in 1Password App, it shows a system pop-up, prompts for Face ID, and then enables 1Password as the AutoFill provider without the user ever leaving the app.
Questions:
Is there a public API or entitlement that allows apps to deep-link users directly to the AutoFill Passwords & Passkeys screen?
Is there a supported API to programmatically request that my app be enabled as an AutoFill provider (similar to what 1Password seems to achieve)?
If not, what is the recommended approach for guiding users through this flow?
Thanks in advance!
Topic:
Privacy & Security
SubTopic:
General
Tags:
Wallet
Authentication Services
Passkeys in iCloud Keychain
Managed Settings
Hello,
I have noticed that the ShieldConfiguration is only requested when opening a target app, and never when the application token is moved to a different shield while the target app remains in foreground.
This causes problems because many times the wrong ShieldConfiguration is displayed (recycled) instead of requesting a new ShieldConfiguration.
This bug has been around since the introduction of the Screen Time API in 2020 and is has not been addressed.
Bug reports:
FB14237883
FB17902392
Please fix asap!! Not acceptable to have bugs not being addressed for more than 5 years.
Most concerning: This is still reproducing on iOS 26 beta 7!!
Thanks a lot for your help.
Topic:
App & System Services
SubTopic:
General
Tags:
Family Controls
Device Activity
Managed Settings
Screen Time
I'm working on an app for iOS that will help people get tasks done.
Within the app, we use a ManagedSettingsStore to let the user setup distracting apps. When the user opens any of those apps while it is being shielded, our ShieldConfiguration target opens and displays a screen that we configure with the description of the task they are supposed to do. On the bottom of the view, there are two buttons, one to start the task, and another to dismiss and return to their home screen.
I want to have the button that starts the task open up the main application and deeplink to the focus view with the task that they started. Currently, the only thing that we can tell the system to do is via a ShieldActionResponse which is an enum with 3 cases: none, close, or defer.
None of these three allow us to open the main application. I have found no workarounds that allow us to do it either. I've tried creating a custom URL scheme and calling UIApplication.shared.open(url), but there is no shared application available within the action extension. I have tried using a NSExtensionContext to open a url, but that does not work either. I have even tried starting a live activity to show the user what task they are working on and have a live timer, but that does not work either.
I know it is technically possible, because an app I downloaded does it perfectly. The app is called "Ascent: Screen Time Control". Is there some sort of extension I am missing, or entitlement I have not requested? Any help would be very appreciated.
Topic:
App & System Services
SubTopic:
General
Tags:
Family Controls
Device Activity
Managed Settings
Screen Time
When using the ManagedSettings API to block apps everything is blocked as expected (the app itself, Notifications, Live Activities on the Lock Screen etc) except for Compact Live Activities of those apps (that are shown in the Dynamic Island). I feel the expected behavior would be to block also the Compact Live Activities.
Our use case:
In Spoilerblock we want to prevent users from being exposed to spoilers before they've had time to watch for example a sports game.
Current workaround:
Right now the best we can do is to ask the user to disable Live Activities for apps that could expose results, to not risk being exposed to a spoiler.
Summary:
When applying a configuration profile that uses allowListedAppBundleIDs to permit a defined set of apps, essential Apple Watch apps are unexpectedly removed from the paired Watch — even though their associated iPhone bundle IDs are explicitly included.
This issue occurs with a minimal profile, and has been consistently reproducible on the latest versions of iOS and watchOS.
Impact:
This behavior severely limits the use of Apple Watch in managed environments (e.g., education, family management, accessibility contexts), where allowlisting is a key control mechanism. It also suggests either:
Undocumented internal dependencies between iOS and watchOS apps, or
A possible regression in how allowlists interact with Watch integration.
Steps to Reproduce:
Create a configuration profile with a Restrictions payload containing only the allowListedAppBundleIDs key.
Allow a broad list of essential system apps, including all known Apple Watch-related bundle IDs:
com.apple.NanoAlarm
com.apple.NanoNowPlaying
com.apple.NanoOxygenSaturation
com.apple.NanoRegistry
com.apple.NanoRemote
com.apple.NanoSleep
com.apple.NanoStopwatch
com.apple.NanoWorldClock
(All the bundles can be seen in the Attached profile)
Install the profile on a supervised or non-supervised iPhone paired with an Apple Watch.
Restart both devices.
Observe that several core Watch apps (e.g. Heart Rate, Activity, Workout) are missing from the Watch.
Expected Behavior:
All apps explicitly included in the allowlist should function normally. System apps — especially those tied to hardware like Apple Watch — should remain accessible unless explicitly excluded.
Actual Behavior:
Multiple Apple Watch system apps are removed or hidden, despite their iPhone bundle IDs being listed in the allowlist.
Test Environment:
iPhone running iOS 18
Apple Watch running watchOS 11
Profile includes only the allowListedAppBundleIDs key
Issue confirmed on fresh devices with no third-party apps
Request for Apple Engineering:
Please confirm whether additional internal or undocumented bundle IDs are required to preserve Apple Watch functionality when allowlisting apps.
If this behavior is unintended, please treat this as a regression or bug affecting key system components.
If intentional, please provide formal documentation listing all required bundle IDs for preserving Watch support with allowlisting enabled.
Attachment:
.mobileconfig profile demonstrating the issue (clean, minimal, reproducible)
Attached test profile = https://drive.google.com/file/d/12YknGWuo1bDG-bmzPi0T41H6uHrhDmdR/view?usp=sharing
Topic:
Business & Education
SubTopic:
Device Management
Tags:
Managed Settings
Apple Watch
Device Management
So when we select an app that needs to have a shield configured for family controls (managed settings), when selecting an individual application (say like Instagram), it works well but when I select a whole category (say like Social) it doesn't work well. here's the exact code for how I choose which application needs to be shielded:
class ShieldConfigurationExtension: ShieldConfigurationDataSource {
override func configuration(shielding application: Application) -> ShieldConfiguration {
return ShieldConfiguration(
backgroundBlurStyle: .systemChromeMaterial,
backgroundColor: UIColor(red: 220.0/255, green: 20.0/255, blue: 60.0/255, alpha: 1.00),
icon: iconImage,
title: ShieldConfiguration.Label(text: "You CAN'T give up now!", color: .white),
subtitle: ShieldConfiguration.Label(text: "Just a little bit more you got this", color: .white),
primaryButtonLabel: ShieldConfiguration.Label(text: "GRINDSET", color: .white),
primaryButtonBackgroundColor: .black,
secondaryButtonLabel: ShieldConfiguration.Label(text: "Move Fast", color: .black)
)
}
Now this works well for application selection alone, but there isn't any for category selection as such. And the same is shown in its execution that a category goes back to default shielding. What API should I use for category shielding?
Hello,
my app is frequently loosing / forgetting the Screen Time Permission that had been granted previously on iOS 26.
I have experienced it myself, sysdiagnose is in this radar:
FB18997699
But also also my App Store users who have updated to iOS 26 already have reported this bug.
It would be great if Apple could ensure that this bug is addressed before iOS 26 is released to the public.
Topic:
App & System Services
SubTopic:
General
Tags:
Family Controls
Device Activity
Managed Settings
Screen Time
Hello!
I am experiencing some strange bugs around DeviceActivityEvents:
When creating a DeviceActivityEvent we can assign a threshold and applicationTokens.
The idea is, that after the user has spent said threshold on said apps, eventDidReachThreshold is called.
includesPastActivity is set to false.
On iOS 26 however, it happens (quite reliably after updating to a new beta seed) quite often that eventDidReachThreshold is called immediately (after a couple of seconds) instead of waiting for the threshold to be met.
Is anyone else seeing similar issues on iOS 26?
Only workaround I have found is to ask users to re-grant Screen Time permissions. This only holds for about two weeks though or at most until the next iOS 26 beta update is installed.
Feedback filed under:
FB18061981
FB18927456
Topic:
App & System Services
SubTopic:
General
Tags:
Family Controls
Device Activity
Managed Settings
Screen Time
Hello,
I’m building an app that helps people spend less time on social media apps.
For that, I make heavy use of Apple’s Screen Time APIs, such as ManagedSettings and FamilyControls.
When an app is locked using a ShieldConfiguration, the user has to open my app in order to unlock it (e.g. enter a code).
This is very cumbersome because no documented API exists to open the parent app (=my app) from the ShieldActionDelegate (also part of my app) when the user presses a button of the ShieldConfiguration.
The ShieldActionDelegate callback just offers three options in its ShieldActionResponse:
.none
.defer
.close
.openParentApp is missing.
We are working around this limitation by sending a local push notification that the user has to tap on.
This has multiple drawbacks:
It has to be ensured that notification permission has been granted.
It has to be ensured that notifications can be delivered even while focus is enabled.
Features such as Apple Intelligence notification summaries and notification prioritization can heavily delay delivering notifications and thus frustrate the user.
Neither my users nor myself do understand why this is not possible in a smoother way, at least according to the documentation.
There are 3rd party apps that have such functionality, they can directly open their own app from a button press in the Shield, see here:
https://apps.apple.com/us/app/applocker-passcode-lock-apps/id1132845904
It would be great if Apple could level the playfield for all developers and document how this is achievable, because technically it clearly is.
Thanks a lot and have a great day!
Hello everyone,
I’m developing an app using the FamilyControls framework, I distributed through TestFlight the other day using the “Family Controls” distribution (not Development). Everything works as expected in dev builds — but for external TestFlight testers, nothing in the FamilyControls framework seems to function.
I'm using the correct Family Controls capability in Xcode (added via Signing & Capabilities).
The com.apple.developer.family-controls entitlement is present in my .entitlements file.
All the users who reported the issue had correctly given screen time permissions to the app.
Would really appreciate some help regarding where the issue could come from.
I found that in iOS 18.5, DeviceActivityCenter startMonitoring cannot start multiple monitors, even if their names and periods are different, and restarting the phone cannot solve it. My app uses DeviceActivityCenter, which makes the entire function unusable. (I have less than 20 monitors)
Topic:
App & System Services
SubTopic:
General
Tags:
Family Controls
Device Activity
Managed Settings
Hello,
I’m presenting the familyActivityPicker from a presented sheet in my application.
When I select some apps, categories or websites and tap “Done”, the familyActivityPicker is dismissed but the presenting sheet is also dismissed on iOS 18.4, iOS 18.5, iOS 26 beta 1 and 2. If I tap on “Cancel” from the familyActivityPicker, the sheet is also dismissed on iOS 18.4, iOS 18.5, iOS 26 beta 1 and 2.
The same code works perfectly fine on iOS 18.0, iOS 18.1, iOS 18.2 and iOS 18.3.
Is this a known-issue?
If opened the feedback FB18369821 for this.
Regards,
Axel
Topic:
App & System Services
SubTopic:
General
Tags:
SwiftUI
Family Controls
Managed Settings
Screen Time
Hello,
I already have got approval from Apple for com.apple.developer.family-controls entitlement
When I am building my app, there is one part where I need to check the list of applications which I have blocked with my app.
To get the list I have to have com.apple.developer.managed-settings entitlement ...
Now how and where show I get hold of it ?
I already got permission for Family Control, how do I get hold of this now ?
How to programmatically check if ApplicationToken or ActivityCategoryToken is expired in FamilyActivityPicker?
I'm building a Screen Time-based parental control app using FamilyControls and ManagedSettings. We use FamilyActivityPicker to allow the user to select apps and categories to restrict, and we apply the shield using:
store.shield.applications = .specific(selection.applicationTokens)
store.shield.applicationCategories = .specific(selection.categoryTokens)
Sometimes, we observe that the shield silently fails to apply — no error is thrown, but the restrictions aren't enforced. I suspect this may be due to expired or invalid tokens, possibly if the app was removed or the selection became stale.
My Questions:
Can ApplicationToken or ActivityCategoryToken expire or become invalid over time?
If yes, is there a supported or recommended way to detect whether a token is still valid before applying it to the shield?
Is comparing the current shield values (store.shield.applications and store.shield.applicationCategories) after applying them a reliable validation method?
What's the best practice to handle expired tokens (e.g. re-prompt the FamilyActivityPicker, or show a fallback)?
What Is the Expiration Duration of Tokens from FamilyActivityPicker?
Any guidance or insight from the Screen Time/FamilyControls team would be greatly appreciated!
Thank you!
How can I use the Screen Time API to set a restriction for a child account from my app running on the parent’s account?
Hello,
How do apps like App Lock implement app-opening from a shield? Is this supported for 3rd-party apps or limited to partners?
https://apps.apple.com/us/app/app-lock/id6448239603
How to test ManagedAppConfigurationProvider without MDM ?
Task { /* Configuration provider task */
for await configuration in configurationProvider.configurations(MyAppConfiguration.self) {
self.configuration = configuration ?? MyAppConfiguration.defaultConfiguration
}
}
Can the existence of a configuration be simulated, e.g. by storing a mocked configuration in UserDefaults? The UserDefaults key "com.apple.configuration.managed" seems not relevant here.
Topic:
Business & Education
SubTopic:
Device Management
Tags:
Frameworks
Managed Settings
Device Management
Hi,
I am developing a Screen Time App and I am having issues with the ShieldConfigurationExtension (ShieldConfigurationDataSource). I know this extensions is sandboxed but I should be able to read data from the main app.
I am using SwiftData as my database, but I am unable to initialize it in the extensions with an error indicating insufficient file permissions. I have App Group set up and I am able to share data using UserDefaults but that is just inconvenient.
Is there any way I could just open the SwiftData in read only mode so that I could display the user some info on the shield?
SwiftData Init:
private func setupContainer() throws {
let schema = Schema([
DogEntity.self,
HouseEntity.self
])
// Use app group container if available
let config: ModelConfiguration
if let containerURL = FileManager.default.containerURL(
forSecurityApplicationGroupIdentifier: "group.\(Bundle.app.bundleIdentifier ?? "")"
) {
config = ModelConfiguration(schema: schema, url: containerURL.appendingPathComponent("default.sqlite"))
} else {
config = ModelConfiguration(schema: schema)
}
self.container = try ModelContainer(for: schema, configurations: [config])
}
Error in extension:
fault: Attempt to add read-only file at path file:///private/var/mobile/Containers/Shared/AppGroup/51431199-5919-4AE6-940C-6FE3C53EEB46/default.sqlite read/write. Adding it read-only instead. This will be a hard error in the future; you must specify the NSReadOnlyPersistentStoreOption.
error: (3) access permission denied
error: Encountered exception error during prepareSQL for SQL string 'SELECT TBL_NAME FROM SQLITE_MASTER WHERE TBL_NAME = 'Z_METADATA'' : access permission denied with userInfo {
NSFilePath = "/private/var/mobile/Containers/Shared/AppGroup/51431199-5919-4AE6-940C-6FE3C53EEB46/default.sqlite";
NSSQLiteErrorDomain = 3;
} while checking table name from store: <NSSQLiteConnection: 0x154100300>
error: Store failed to load. <NSPersistentStoreDescription: 0x15402d590> (type: SQLite, url: file:///private/var/mobile/Containers/Shared/AppGroup/51431199-5919-4AE6-940C-6FE3C53EEB46/default.sqlite) with error = Error Domain=NSCocoaErrorDomain Code=256 "The file “default.sqlite” couldn’t be opened." UserInfo={NSFilePath=/private/var/mobile/Containers/Shared/AppGroup/51431199-5919-4AE6-940C-6FE3C53EEB46/default.sqlite, NSSQLiteErrorDomain=3} with userInfo {
NSFilePath = "/private/var/mobile/Containers/Shared/AppGroup/51431199-5919-4AE6-940C-6FE3C53EEB46/default.sqlite";
NSSQLiteErrorDomain = 3;
}
Any help appreciated 🙂
Topic:
App & System Services
SubTopic:
General
Tags:
Family Controls
Managed Settings
Screen Time
SwiftData
Hi!
I completed the enrollment for my company on April 22, 2024. And since then we have successfully placed our application in the Store and continue to work on it.
On March 27, 2025, I needed to renew my participation in the Apple Developer Program and I did it successfully - I received a confirmation letter from you. However, later I discovered that my order was canceled and now, when I go to developer.applе.com, I am offered to go through the enrollment procedure! I'm confused! It is not clear what to do in such a situation?!
I will be grateful for any help!