Explore advances in declarative device management

Discuss the WWDC23 Session Explore advances in declarative device management

Posts under wwdc2023-10041 tag

7 Posts
Post not yet marked as solved
1 Replies
494 Views
Issue Description:

We have observed that the DDM Status response is expected to be provided daily at specific timestamps or sometimes randomly for certain devices to obtain the complete DDM status report. The following daily pattern is observed for DDM requests to MDM:

Endpoint -> Status
Endpoint -> Tokens

After receiving a full report from DDM, it proceeds to fetch any changes in declarations from DDM via a tokens request. In iOS 17/macOS 14 also, the same full reports are received daily, but they include new properties in the status report, such as "FullReport": true.

Sample Status Response:

{
  "StatusItems" : {
    "FullReport" : true,
    "client-capabilities" : {
      "supported-versions" : [
        "1.0.0"
      ],
      "supported-payloads" : {
        "declarations" : {
          "activations" : [
            "com.apple.activation.simple"
          ],
          "assets" : [
            "com.apple.asset.credential.acme",
            "com.apple.asset.credential.certificate",
            "com.apple.asset.credential.identity",
            "com.apple.asset.credential.scep",
            "com.apple.asset.credential.userpassword",
            "com.apple.asset.data",
            "com.apple.asset.useridentity"
          ],
          "configurations" : [
            "com.apple.configuration.account.caldav",
            "com.apple.configuration.account.carddav",
            "com.apple.configuration.account.exchange",
            "com.apple.configuration.account.google",
            "com.apple.configuration.account.ldap",
            "com.apple.configuration.account.mail",
            "com.apple.configuration.account.subscribed-calendar",
            "com.apple.configuration.legacy",
            "com.apple.configuration.legacy.interactive",
            "com.apple.configuration.management.status-subscriptions",
            "com.apple.configuration.management.test",
            "com.apple.configuration.passcode.settings",
            "com.apple.configuration.security.certificate",
            "com.apple.configuration.security.identity",
            "com.apple.configuration.security.passkey.attestation",
            "com.apple.configuration.softwareupdate.enforcement.specific",
            "com.apple.configuration.watch.enrollment"
          ],
          "management" : [
            "com.apple.management.organization-info",
            "com.apple.management.properties",
            "com.apple.management.server-capabilities"
          ]
        },
        "status-items" : [
          "account.list.caldav",
          "account.list.carddav",
          "account.list.exchange",
          "account.list.google",
          "account.list.ldap",
          "account.list.mail.incoming",
          "account.list.mail.outgoing",
          "account.list.subscribed-calendar",
          "device.identifier.serial-number",
          "device.identifier.udid",
          "device.model.family",
          "device.model.identifier",
          "device.model.marketing-name",
          "device.model.number",
          "device.operating-system.build-version",
          "device.operating-system.family",
          "device.operating-system.marketing-name",
          "device.operating-system.supplemental.build-version",
          "device.operating-system.supplemental.extra-version",
          "device.operating-system.version",
          "device.power.battery-health",
          "management.client-capabilities",
          "management.declarations",
          "mdm.app",
          "passcode.is-compliant",
          "passcode.is-present",
          "security.certificate.list",
          "softwareupdate.failure-reason",
          "softwareupdate.install-reason",
          "softwareupdate.install-state",
          "softwareupdate.pending-version",
          "test.array-value",
          "test.boolean-value",
          "test.dictionary-value",
          "test.error-value",
          "test.integer-value",
          "test.real-value",
          "test.string-value"
        ]
      },
      "supported-features" : { }
    }
  },
  "device" : {
    "identifier" : {
      "serial-number" : "S7T95QN0XP",
      "udid" : "00000-AAAAA-111111-BBBBB"
    },
    "model" : {
      "marketing-name" : "iPhone 14 Plus",
      "number" : "AB523HN/A",
      "identifier" : "iPhone14,8",
      "family" : "iPhone"
    },
    "operating-system" : {
      "marketing-name" : "iOS 17.0",
      "family" : "iOS",
      "supplemental" : {
        "extra-version" : "",
        "build-version" : "21A5312c"
      },
      "build-version" : "21A5312c",
      "version" : "17.0"
    }
  },
  "mdm" : {
    "app" : [
      {
        "version" : "1452",
        "state" : "managed",
        "external-version-id" : "123456789",
        "identifier" : "com.xxxxx.yyyy.zzzz",
        "name" : "App Name",
        "short-version" : "23.XX.XY"
      },
      { // app details },
      { // app details },
      { // app details },
      etc...
    ]
  },
  "passcode" : {
    "is-present" : true,
    "is-compliant" : true
  },
  "management" : {
    "declarations" : {
      "activations" : [
        {
          "active" : true,
          "identifier" : "DEFAULT_ACT_0",
          "valid" : "valid",
          "server-token" : "1"
        }
      ],
      "configurations" : [
        {
          "active" : true,
          "identifier" : "DEFAULT_STATUS_CONFIG_0",
          "valid" : "valid",
          "server-token" : "2"
        }
      ],
      "assets" : [ ],
      "management" : [ ]
    }
  },
  "security" : {
    "certificate" : {
      "list" : [ ]
    }
  },
  "softwareupdate" : {
    "install-reason" : {
      "reason" : [ ]
    },
    "install-state" : "none",
    "pending-version" : { },
    "failure-reason" : {
      "count" : 0
    }
  },
  "Errors" : [ ]
}

Followed by Tokens Request:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Endpoint</key>
  <string>tokens</string>
  <key>MessageType</key>
  <string>DeclarativeManagement</string>
  <key>UDID</key>
  <string>00000-AAAAA-111111-BBBBB</string>
</dict>
</plist>

May I know if this is a behavior, and is it possible to control DDM status report polling data or time?

Thanks in advance
Posted
by Rajsundar.
Last updated
.
Post not yet marked as solved
0 Replies
588 Views
Hi Apple Community,

Problem Description:

Regarding the transition from MDM (Mobile Device Management) profiles to DDM (Declarative Device Management) profiles, as announced during WWDC 2023, this marks a significant step forward in simplifying our device management process. When we attempted to test this transition with the 17 developer beta OS version devices, we encountered a notable challenge. Specifically, when trying to apply a DDM Webclip legacy profile configuration to a device that already had the same profile applied through MDM, we received the following status response from DDM: "The profile “<profile_identifier>” cannot replace an existing profile." As a result, the configuration was not applied. However, after removing the existing applied MDM profile and then reapplying the same profile as a legacy profile via DDM, the configuration was successfully applied.

My DDM Configuration:

{
  "Type": "com.apple.configuration.legacy",
  "Identifier": "DEFAULT_APP_CATALOG_CLIP_CONFIG",
  "ServerToken": "3",
  "Payload": {
    "ProfileURL": "https://mdmtest:8080/certificates/appConfig.mobileconfig"
  }
}

My DDM Status Response:

{
  "StatusItems" : {
    "management" : {
      "declarations" : {
        "activations" : [
          {
            "active" : true,
            "identifier" : "DEFAULT_ACT_0",
            "valid" : "valid",
            "server-token" : "1"
          },
          {
            "active" : false,
            "identifier" : "DEFAULT_APP_CATALOG_CLIP_ACT",
            "valid" : "valid",
            "server-token" : "3"
          }
        ],
        "configurations" : [
          {
            "reasons" : [
              {
                "details" : {
                  "Error" : "The profile “<profile_identifier>” cannot replace an existing profile."
                },
                "description" : "Configuration cannot be applied",
                "code" : "Error.ConfigurationCannotBeApplied"
              },
              {
                "details" : {
                  "Identifier" : "DEFAULT_APP_CATALOG_CLIP_ACT",
                  "ServerToken" : "3"
                },
                "description" : "Activation “DEFAULT_APP_CATALOG_CLIP_ACT:3” has errors.",
                "code" : "Error.ActivationFailed"
              }
            ],
            "active" : false,
            "identifier" : "DEFAULT_APP_CATALOG_CLIP_CONFIG",
            "valid" : "invalid",
            "server-token" : "3"
          },
          {
            "active" : true,
            "identifier" : "DEFAULT_STATUS_CONFIG_0",
            "valid" : "valid",
            "server-token" : "2"
          }
        ],
        "assets" : [ ],
        "management" : [ ]
      }
    }
  },
  "Errors" : [ ]
}

Kindly help us with this issue.

Note: We have posted a feedback in Feedback Assistant portal FB13132059 - along with device sysdiagnose.
Posted Last updated
.
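A server-side triage of a status report like the one in the post above, as an added example that is not part of the original post or of Apple's code: it flags full reports and lists declarations that are inactive or not valid, with their reason codes. The function names and the trimmed sample are constructed for illustration, and looking for FullReport both at the top level and inside StatusItems is an assumption.

```python
import json

# Constructed sample, trimmed from the status response quoted in the post above.
SAMPLE = json.loads("""
{"StatusItems": {"management": {"declarations": {
  "activations": [
    {"active": true, "identifier": "DEFAULT_ACT_0", "valid": "valid", "server-token": "1"},
    {"active": false, "identifier": "DEFAULT_APP_CATALOG_CLIP_ACT", "valid": "valid", "server-token": "3"}
  ],
  "configurations": [
    {"reasons": [{"details": {"Error": "The profile “<profile_identifier>” cannot replace an existing profile."},
                  "description": "Configuration cannot be applied",
                  "code": "Error.ConfigurationCannotBeApplied"}],
     "active": false, "identifier": "DEFAULT_APP_CATALOG_CLIP_CONFIG",
     "valid": "invalid", "server-token": "3"},
    {"active": true, "identifier": "DEFAULT_STATUS_CONFIG_0", "valid": "valid", "server-token": "2"}],
  "assets": [], "management": []}}},
 "Errors": []}
""")

def is_full_report(report):
    # Assumption: FullReport may sit at the top level or, as in the first
    # sample posted on this page, inside StatusItems; accept either place.
    items = report.get("StatusItems", {})
    return bool(report.get("FullReport") or items.get("FullReport"))

def problem_declarations(report):
    """Return one record per declaration that is inactive or not valid."""
    decls = report.get("StatusItems", {}).get("management", {}).get("declarations", {})
    problems = []
    for kind in ("activations", "configurations", "assets", "management"):
        for d in decls.get(kind, []):
            if d.get("active") is False or d.get("valid") != "valid":
                problems.append({
                    "kind": kind,
                    "identifier": d.get("identifier"),
                    "server_token": d.get("server-token"),
                    "valid": d.get("valid"),
                    "codes": [r.get("code") for r in d.get("reasons", [])],
                })
    return problems

if __name__ == "__main__":
    print("full report:", is_full_report(SAMPLE))
    for p in problem_declarations(SAMPLE):
        print(p)
```

An inactive activation with no reason codes next to a configuration that carries them, as in this sample, points at the configuration as the item to investigate first.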
Post not yet marked as solved
0 Replies
572 Views
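[1. Problem description]
On iOS 17 Beta 3 and iOS 17 Beta 4, after installing and trusting the mdm.mobileconfig profile, no app installation prompt appears, so none of our customers on iOS 17 beta can install the app. This has had a far-reaching impact on us and is also deeply troubling us.

[2. Comparative analysis]
We compared and found that, in the same server environment, on iOS 15.4 and iOS 16.6 the prompt appears normally after mdm.mobileconfig is installed, and the app can be downloaded and installed. On iOS 17 beta it does not.

[3. Our guess]
After analyzing the network requests, we found that on iOS 16 and iOS 17 beta the tokenupdate reporting process takes place (the Topic, Token, UDID, PushMagic, UnlockToken and other parameters are all reported). On iOS 16, the Token does not change each time the mdm.mobileconfig profile is installed. On iOS 17 beta, the Token changes each time the mdm.mobileconfig profile is installed.
Important information: ----> On iOS 17 beta, after the token changes during tokenupdate, pushing immediately with the new token fails; the push succeeds only after the server delays it for a while (about 6 seconds).

[4. Request for your answer]
Regarding the above, we ask for your reply:
a. On iOS 17 beta, after the installation of mdm.mobileconfig completes, has something changed compared with previous systems (iOS 16, iOS 15, etc.)?
b. On iOS 17 beta and the later official iOS 17 release, will the Token change in the tokenupdate process each time the mdm.mobileconfig profile is installed? And does the push have to be delayed for a while before it succeeds?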
Posted
by Sugardly.
Last updated
.
Post not yet marked as solved
1 Replies
737 Views
We are unable to find the documentation for DDM in Managing apps. We searched the Apple Documentation for the newly introduced API and declarations announced (which are given below) but we could not find any results on this.

- Documentation for New Apps and Books for Organizations API that replaces ContentMetaData API
- Documentation for "com.apple.configuration.app.managed" DDM Configuration
- Documentation for "app.managed.list" DDM status

The documentation has not been updated with these cases. Kindly help us on this.
Posted Last updated
.
Post not yet marked as solved
1 Replies
648 Views
Deploying certificates with MDM currently has a major limitation that you can only deploy certificates into the login keychain of the "MDM user" which is normally the user present when the device was enrolled. Does declarative device management certificate management address this at all?
Posted
by Keywan.
Last updated
.