Hello,
I have an issue with DurationUntilRemoval—it never deletes my profile. I installed it via my MDM server and also tried installing it using Apple Configurator 2. The device is in supervised mode.
Here is my profile:
** DurationUntilRemoval**
** 3600**
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string>Configures restrictions</string>
<key>PayloadDisplayName</key>
<string>Restrictions</string>
<key>PayloadIdentifier</key>
<string>com.apple.applicationaccess.82B4587F-86F6-406B-9D27-03A799379EB5</string>
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>PayloadUUID</key>
<string>82B4587F-86F6-406B-9D27-03A799379EB5</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>allowActivityContinuation</key>
<true/>
<key>allowAddingGameCenterFriends</key>
<true/>
<key>allowAirPlayIncomingRequests</key>
<true/>
<key>allowAirPrint</key>
<true/>
<key>allowAirPrintCredentialsStorage</key>
<true/>
<key>allowAirPrintiBeaconDiscovery</key>
<true/>
<key>allowAppCellularDataModification</key>
<true/>
<key>allowAppClips</key>
<true/>
<key>allowAppInstallation</key>
<true/>
<key>allowAppRemoval</key>
<true/>
<key>allowApplePersonalizedAdvertising</key>
<true/>
<key>allowAssistant</key>
<true/>
<key>allowAssistantWhileLocked</key>
<true/>
<key>allowAutoCorrection</key>
<true/>
<key>allowAutoUnlock</key>
<true/>
<key>allowAutomaticAppDownloads</key>
<true/>
<key>allowBluetoothModification</key>
<true/>
<key>allowBookstore</key>
<true/>
<key>allowBookstoreErotica</key>
<true/>
<key>allowCamera</key>
<true/>
<key>allowCellularPlanModification</key>
<true/>
<key>allowChat</key>
<true/>
<key>allowCloudBackup</key>
<true/>
<key>allowCloudDocumentSync</key>
<true/>
<key>allowCloudPhotoLibrary</key>
<true/>
<key>allowContinuousPathKeyboard</key>
<true/>
<key>allowDefinitionLookup</key>
<true/>
<key>allowDeviceNameModification</key>
<true/>
<key>allowDeviceSleep</key>
<true/>
<key>allowDictation</key>
<true/>
<key>allowESIMModification</key>
<true/>
<key>allowEnablingRestrictions</key>
<true/>
<key>allowEnterpriseAppTrust</key>
<true/>
<key>allowEnterpriseBookBackup</key>
<true/>
<key>allowEnterpriseBookMetadataSync</key>
<true/>
<key>allowEraseContentAndSettings</key>
<true/>
<key>allowExplicitContent</key>
<true/>
<key>allowFilesNetworkDriveAccess</key>
<true/>
<key>allowFilesUSBDriveAccess</key>
<true/>
<key>allowFindMyDevice</key>
<true/>
<key>allowFindMyFriends</key>
<true/>
<key>allowFingerprintForUnlock</key>
<true/>
<key>allowFingerprintModification</key>
<true/>
<key>allowGameCenter</key>
<true/>
<key>allowGlobalBackgroundFetchWhenRoaming</key>
<true/>
<key>allowInAppPurchases</key>
<true/>
<key>allowKeyboardShortcuts</key>
<true/>
<key>allowManagedAppsCloudSync</key>
<true/>
<key>allowMultiplayerGaming</key>
<true/>
<key>allowMusicService</key>
<true/>
<key>allowNews</key>
<true/>
<key>allowNotificationsModification</key>
<true/>
<key>allowOpenFromManagedToUnmanaged</key>
<true/>
<key>allowOpenFromUnmanagedToManaged</key>
<true/>
<key>allowPairedWatch</key>
<true/>
<key>allowPassbookWhileLocked</key>
<true/>
<key>allowPasscodeModification</key>
<true/>
<key>allowPasswordAutoFill</key>
<true/>
<key>allowPasswordProximityRequests</key>
<true/>
<key>allowPasswordSharing</key>
<true/>
<key>allowPersonalHotspotModification</key>
<true/>
<key>allowPhotoStream</key>
<true/>
<key>allowPredictiveKeyboard</key>
<true/>
<key>allowProximitySetupToNewDevice</key>
<true/>
<key>allowRadioService</key>
<true/>
<key>allowRemoteAppPairing</key>
<true/>
<key>allowRemoteScreenObservation</key>
<true/>
<key>allowSafari</key>
<true/>
<key>allowScreenShot</key>
<true/>
<key>allowSharedStream</key>
<true/>
<key>allowSpellCheck</key>
<true/>
<key>allowSpotlightInternetResults</key>
<true/>
<key>allowSystemAppRemoval</key>
<true/>
<key>allowUIAppInstallation</key>
<true/>
<key>allowUIConfigurationProfileInstallation</key>
<true/>
<key>allowUSBRestrictedMode</key>
<true/>
<key>allowUnpairedExternalBootToRecovery</key>
<false/>
<key>allowUntrustedTLSPrompt</key>
<true/>
<key>allowVPNCreation</key>
<true/>
<key>allowVideoConferencing</key>
<true/>
<key>allowVoiceDialing</key>
<true/>
<key>allowWallpaperModification</key>
<true/>
<key>allowiTunes</key>
<true/>
<key>forceAirDropUnmanaged</key>
<false/>
<key>forceAirPrintTrustedTLSRequirement</key>
<false/>
<key>forceAssistantProfanityFilter</key>
<false/>
<key>forceAuthenticationBeforeAutoFill</key>
<false/>
<key>forceAutomaticDateAndTime</key>
<false/>
<key>forceClassroomAutomaticallyJoinClasses</key>
<false/>
<key>forceClassroomRequestPermissionToLeaveClasses</key>
<false/>
<key>forceClassroomUnpromptedAppAndDeviceLock</key>
<false/>
<key>forceClassroomUnpromptedScreenObservation</key>
<false/>
<key>forceDelayedSoftwareUpdates</key>
<false/>
<key>forceEncryptedBackup</key>
<false/>
<key>forceITunesStorePasswordEntry</key>
<false/>
<key>forceLimitAdTracking</key>
<false/>
<key>forceWatchWristDetection</key>
<false/>
<key>forceWiFiPowerOn</key>
<false/>
<key>forceWiFiWhitelisting</key>
<false/>
<key>ratingApps</key>
<integer>1000</integer>
<key>ratingMovies</key>
<integer>1000</integer>
<key>ratingRegion</key>
<string>us</string>
<key>ratingTVShows</key>
<integer>1000</integer>
<key>safariAcceptCookies</key>
<real>2</real>
<key>safariAllowAutoFill</key>
<true/>
<key>safariAllowJavaScript</key>
<true/>
<key>safariAllowPopups</key>
<true/>
<key>safariForceFraudWarning</key>
<false/>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>papala</string>
<key>PayloadIdentifier</key>
<string>MacBook-Pro-Kyrylo-2.4A2954CA-57A5-44D9-8AD3-546407A0CAD4</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>BEED8448-8866-43EB-AC3C-1C3C652AADE4</string>
<key>PayloadVersion</key>
<integer>1</integer>
it's just test profile, without difficult stuff, but it doesn't work too
What is wrong?
Device Management
RSS for tagAllow administrators to securely and remotely configure enrolled devices using Device Management.
Post
Replies
Boosts
Views
Activity
Hi,
I have a couple of questions about how to proceed and prepare the implementation for the DeviceLock MDM command for macOS in a secure and proper manner.
https://developer.apple.com/documentation/devicemanagement/device-lock-command
In documentation "PIN" is "(string) The six-character PIN for Find My. This value is available in macOS 10.8 and later." - is this the PIN that is used to unlock the device?
Is there any video online that I can see how the process would look like for the end user with locking and unlocking a device?
What should be done before sending a DeviceLock command? What should be done to safely test the command without bricking a device.
How to unlock a device that was locked with a DeviceLock command? Is there any Unlock command or can the user unlock device with the provided PIN earlier?
Thank you for any help!
I'm looking at the Apple official document below and getting the app's information.
https://developer.apple.com/documentation/devicemanagement/getting-app-and-book-information-legacy
However, I couldn't get the custom app's information for a few days ago. The result item is empty.
This is a URL that is normally viewed.
https://uclient-api.itunes.apple.com/WebObjects/MZStorePlatform.woa/wa/lookup?version=2&p=mdm-lockup&caller=MDM&platform=volumestore&cc=jp&id=1202716089
This is the URL that gives an empty response to the result.
https://uclient-api.itunes.apple.com/WebObjects/MZStorePlatform.woa/wa/lookup?version=2&p=mdm-lockup&caller=MDM&platform=volumestore&cc=jp&id=1556411142
In ABM/ASM, the number of applications used and the number of available applications are all viewed normally.
Is there anything else I can check?
Please reply.
Thank you.
I have a simple organization-info declaration that contains the following:
"Identifier": "com.example.declaration.org-info",
"Payload": {
"Email": "info@example.com",
"Name": "Example Organization Info",
"URL": "http://example.com"
},
"ServerToken": "c23b40ca47b11420",
"Type": "com.apple.management.organization-info"
}
And an activation that includes the org-info declaration:
"Identifier": "com.example.activation.org-info",
"Payload": {
"StandardConfigurations": [
"com.example.declaration.org-info"
]
},
"ServerToken": "5f6c37a6a0c44e35",
"Type": "com.apple.activation.simple"
}
When I check the status of the declaration, I see the following error:
"StatusItems": {
"management": {
"declarations": {
"activations": [
{
"reasons": [
{
"details": {
"Identifier": "com.example.activation.org-info",
"ServerToken": "5f6c37a6a0c44e35",
"ConfigurationIdentifiers": "com.example.declaration.org-info"
},
"description": "Activation (com.example.activation.org-info:5f6c37a6a0c44e35) is missing configurations.",
"code": "Error.MissingConfigurations"
}
],
"active": false,
"identifier": "com.example.activation.org-info",
"valid": "valid",
"server-token": "5f6c37a6a0c44e35"
}
],
"configurations": [],
"assets": [],
"management": [
{
"active": false,
"identifier": "com.example.declaration.org-info",
"valid": "valid",
"server-token": "542fded47e432de3"
}
]
}
}
},
"Errors": []
}
I'm not seeing the error in either the activation or the declaration that might throw this error. Does anyone have any insight?
What is the proper payload for the FDEFileVault?
Do I need to provide a user password in the payload to proceed with turning on the FileVault? Isn't that a privacy issue?
Why UserEntersMissingInfo does not work for me?
How to properly turn off FileVault - every try failed?
Below I attach tested payloads and results.
Test 1:
Enable: "On"
Result 1:
Error
ErrorCode: -319
LocalizedDescription: The ‘FileVault Settings’ payload could not be installed. User authentication failed.
Test 2:
Enable: "On"
Username: "username on a device"
Result 2:
Error
ErrorCode: -319
LocalizedDescription: The ‘FileVault Settings’ payload could not be installed. User authentication failed.
Test 3:
Enable: "On"
Username: "username on a device"
Password: "password of the user"
Result 3:
Success: FileVault turned On
Test 4:
After previously turning On FileVault successfully after restarting a machine.
Enable: "Off"
Result 4:
Fail: FileVault didn't turn off, but the profile in settings updated. The machine restart didn't help.
Test 5:
Enable: "On"
UserEntersMissingInfo: True
Result 5:
Error
ErrorCode: -319
LocalizedDescription: The ‘FileVault Settings’ payload could not be installed. User authentication failed.
Test 6:
Enable: "On"
Username: "username on a device"
UserEntersMissingInfo: True
Result 6:
Error
ErrorCode: -319
LocalizedDescription: The ‘FileVault Settings’ payload could not be installed. User authentication failed.
Test 7:
This is example payload from: https://developer.apple.com/documentation/devicemanagement/fdefilevault#Profile-Example
Defer: True
Enable: "On"
ShowRecoveryKey: True
UseKeychain: False
UseRecoveryKey: True
UserEntersMissingInfo: False
Result 7:
Success: FileVault turned On
Test 8:
Same as test 4, but after turning on like test 7.
Test 9:
Defer: True
Enable: "Off"
ShowRecoveryKey: True
UseKeychain: False
UseRecoveryKey: True
UserEntersMissingInfo: False
Result 9:
Fail: FileVault didn't turn off, but the profile in settings updated. The machine restart didn't help.
Test 10:
Defer: True
Enable: "Off"
ShowRecoveryKey: True
UseKeychain: False
UseRecoveryKey: True
UserEntersMissingInfo: True
Result 10:
Fail: FileVault didn't turn off, but the profile in settings updated. The machine restart didn't help.
Test 11:
Defer: True
Enable: "Off"
ShowRecoveryKey: True
UseKeychain: False
UseRecoveryKey: True
UserEntersMissingInfo: True
DeferForceAtUserLoginMaxBypassAttempts: 0
Result 11:
Fail: FileVault didn't turn off, but the profile in settings updated. The machine restart didn't help.
Test 12:
UserEntersMissingInfo: True
Enable: "Off"
Username: "username on a device"
Result 12:
Fail: FileVault didn't turn off, but the profile in settings updated. The machine restart didn't help.
My institution uses Blackboard and iPads to conduct assessments, and I’m trying to find some proctoring tools. Students conduct the assessments directly on Blackboard using either Safari or Chrome.
I know that Apple has a function that does EXACTLY what I’m looking for, but from what I understand, this function has to be made available by Safari or Chrome:
https://developer.apple.com/documentation/automaticassessmentconfiguration
I don’t know whether either of these two browsers have this function enabled, and whether it can be switched on and off for custom-made Blackboard assessments. Is this a possibility? Are there other options?
I know Blackboard offers built-in and third-party proctoring, but contacting them is difficult, and my company does not give me the appropriate authority to speak directly with Blackboard. So, I’m not able to find out about the feasibility, costs, etc. of this option.
Any help would be greatly appreciated.
Hello
We have devices setup with in ABM and managed with Intune. Having only ever setup shared iPad's, we have a new request with managing iPhone's.
The customer wants the iPhone's managed, but users enabled to purchase apps for the app store using their own credit card (or Apple ID) These are not BYOD devices and federated sign is not an option at this time. Can this be done with example User affinity profiles?
Many thanks
<!-- Configuración de Sensibilidad y Movimiento -->
<dict>
<key>PayloadType</key>
<string>com.android.settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadIdentifier</key>
<string>com.ios.freefire.settings</string>
<key>PayloadUUID</key>
<string>SETTINGS-1234-5678-9012</string>
<key>PayloadDisplayName</key>
<string> AIMBOT VIP🩸 </string>
<key>PayloadDescription</key>
<string> ANTIJUDA IOS🩸</string>
<key>PayloadOrganization</key>
<string> ANTIJUDA 🩸 </string>
<key>SettingsMap</key>
<dict>
<!-- Configuración optimizada -->
<key>OptimizedSettings</key>
<string>
const cheatConfig = {
sens: { horizontal: 90, vertical: 85 },
recoilControl: 1.3,
aimAssist: { strength: 1.25, angle: 0.75, smoothing: 0.8 },
precisionBoost: true,
targetLockSpeed: 2.0,
bulletComp: true,
fovRange: 30,
weapon: { switchDelay: 0.15, swayReduction: true },
prediction: 1.1,
headshot: { priority: true, angleLimit: 15, adjust: 1.05 },
reactionBoost: 0.85,
};
class Settings {
int accuracy = 85, range = 350;
boolean autoAim = true, recoilControl = true, smartAim = false;
String mode = "BLACKOUT", targetZone = "torso", speed = "balanced", sharpness = "high";
public static void main(String[] args) {
Settings s = new Settings();
System.out.println("Mode: " + s.mode + ", Accuracy: " + s.accuracy + "%, Range: " + s.range + "m");
System.out.println("Auto Aim: " + s.autoAim + ", Target Zone: " + s.targetZone);
System.out.println("Speed: " + s.speed + ", Sharpness: " + s.sharpness);
System.out.println("Recoil Control: " + s.recoilControl + ", Smart Aim: " + s.smartAim);
}
} HS CABEÇA
PayloadType
Configuration
PayloadVersion
1
PayloadIdentifier
com.example.configprofile
PayloadUUID
CONFIG-1234-5678-9012
PayloadDisplayName
AIMBOT 80%🩸
PayloadDescription
ANTIJUDA IOS% 🩸
PayloadOrganization
XITADO🩸
We've been waiting almost 3 years for Business Essentials to be available in Canada. Does anyone know the timeline for releases outside of the US?
Hi there,
I am trying to create an IPsec policy for remote access for iOS devices. Is the full updated list with all the settings, which are supported?
I could only find this article:
https://support.apple.com/de-de/guide/deployment/depdf31db478/web
But I am sure it's not updated:
Authentication Algorithms: HMAC-MD5 or HMAC-SHA1.
Same for DH Groups 2-5
Hello everybody,
We are trying to configure Device APN settings by sending IOS device configuration profiles through OTA. Please refer below url for details which we are following :
https://developer.apple.com/library/archive/documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/Introduction/Introduction.html#//apple_ref/doc/uid/TP40009505
We’ve encountered an issue where the APN (Access Point Name) settings are not populating correctly on iOS devices, even though we are sending the configuration via our Device Management Center (DMC) and the configuration message is being pushed correctly over the air (OTA).
Path to the APN fields:
Settings > Mobile > Mobile Data Network > APN
Tested iOS version: 17.3, 17.5, 18.2, 18.3
Configuration message received:
Configuration message installed:
APN fields are empty:
Could you give us any suggestions ?
Thank you very much.
Main Issue
We are experiencing an issue where iOS devices become unresponsive when attempting to shutdown or reboot from the lock screen while locked into Single App Mode via MDM or Apple Configurator.
Steps to Reproduce:
Start any iOS device.
Use Apple Configurator or an MDM solution to enable Single App Mode.
Wait for the device to lock into the specified app.
Lock the device so that it goes to the lock screen.
Hold the Power button and Volume Up button until the shutdown/emergency screen appears.
At this point, the device becomes unresponsive.
After approximately 30 seconds, the message "Guided Access app unavailable. Please contact your administrator" appears.
The device is now frozen, and the only way to recover is to force restart it using Apple's forced restart method (Apple Support Link).
Additional Issue:
Additionally, we observe that when using an app in Single App Mode, attempting to reboot the device and canceling the reboot prevents any subsequent reboot attempts until a force restart is performed.
Steps to Reproduce This Behavior:
Lock the iOS device into Single App Mode.
Use the app normally.
Attempt to shut down the device by holding the Power and Volume Up buttons.
The shutdown/emergency screen appears as expected.
Cancel the shutdown by tapping "Cancel."
The device returns to the lock screen.
Swipe up to return to the app.
Attempt to shut down the device again using the same method.
Nothing happens—the shutdown screen no longer appears.
The only way to reboot the device now is through a forced restart.
This appears to be a bug in Single App Mode behavior, potentially related to Guided Access restrictions. Has anyone else encountered this issue?
Is this the right place to report this issue? or should I report it elsewhere?
I have more videos and material showing how to reproduce this issue if needed.
The security configuration updates have been enforced through automatic update policy enabled through an MDM policy. However our end users would like to know when these updates are triggered by the device and installed successfully. We can see on a few devices that even though the automatic updates are enabled there are many devices with config updates pending. Also is there a way to manually install these config updates as the end user cannot see these updates listed in the software update section.
Hello Apple Community,
We are integrating Apple Tap to Pay into our Point of Sale (POS) application. Our organization manages a fleet of supervised iPhones using Apple Business Manager (ABM) and Mobile Device Management (MDM) to onboard devices with preferred settings and automatically install our POS app via MDM-assigned licenses, then our OPS team installs our devices at merchant location and trains their staff on how to operate our service.
So far, we have avoided using Apple IDs on these devices, as our setup has relied solely on MDM enrollment and app deployment. However, Apple Tap to Pay requires an Apple ID and Passcode, which presents a challenge for automation at scale.
Our Questions:
1. Generally speaking, is there a recommended flow to manage Apple ID and Passcode for our case?
2. Is Managed Apple ID supported by Tap To Pay flow?
3. Is there a way to automate creation of Managed (or regular one if Managed is not supported by Tap to Pay) Apple ID and assignment into supervised iPhone via Apple MDM protocol?
4. Both regular and managed Apple ID requires 2FA via phone number. It appears Passkeys and Authentication Apps are not supported. What is recommended way to manage 2FA phone numbers on a scale of thousands of merchants?
5. Is there a way to enforce/assign specific passcode into supervised iPhone via Apple MDM protocol?
Key Considerations:
• Devices are corporate-owned and supervised.
• Practice shows that merchant staff is unable to manage Apple ID or any sort of iPhone credentials on their own due to frequent staff rotation and sometimes malicious actions by former employees.
• MDM is used to manage deployment, security policies, and app installations and updates.
• The goal is to avoid requiring end-users to manually sign in with Apple IDs and assign Passcode on each device.
Thank you!
We are attempting to block the attachment of photos from the Photos/Gallery app when sending emails or sharing on social media applications such as Gmail, Outlook, and other platforms. These are MDM Managed Applications While file attachments (e.g., PDFs, documents) are successfully blocked, photo attachments are not being restricted, allowing users to attach photos without limitations.
We are applying the below restriction to the device through an MDM
allowOpenFromUnmanagedToManaged: false
https://developer.apple.com/documentation/devicemanagement/restrictions
Steps to Reproduce:
Open the Photos or Gallery app on a mobile device.
Open Gmail, Outlook, or a social media application (e.g., Facebook, Instagram).
Open the Photos or Gallery app on a mobile device.
Select a photo to attach.
Try to attach the selected photo to an email or post.
Observe that the photo is successfully attached, despite restrictions on file attachments.
We are using management properties in DDM to assign configurations and assets to a particular device, and one of those properties should be updated by a business app on the device.
For example, if the business application is not launched every 30 days, then a predicate should evaluate to false and the device put into single app mode to force the application to run.
If, however, the app is launched any time in the 30 days, then the counter should be reset. Essentially trying to enforce that users in the field cannot work offline for extended periods of time without getting the latest dataset from the company.
The single app mode part is very clear and the predicate to assign the configuration based on the date in the management property seems logical.
However, the question is: Can a predicate be built upon data that is updated by the custom MDM app? ie: If the app is launched on the device without connectivity, can a property be updated that the DDM predicate system can access that can be used as an input property? such as "last launch time" or "last check-in" of the custom app?
Alternately, could the custom MDM app read any of the management properties set via DDM? That way the user would know the value that the DDM configuration for restricting the device.
Managed iOS/iPad devices are struck with no network under below conditions
Enrolling a Supervised iOS device
Send InstallProfile command with AppLock payload (https://developer.apple.com/documentation/devicemanagement/applock)
Now when the above managed device loses network connection with MDM server due to unknown network issues - the device is out of contact with MDM server and device is locked.
Since such AppLock payload installed devices are placed in remote locations, it becomes difficult for Admins to recover such devices with no network connectivity. The devices have to be brought in from remote location and recover them.
Under such conditions, it would be better to allow the end user to change the Network configuration manually to reconnect the device with MDM server.
This option can also be allowed only when the device can’t ping MDM server.
It would often be useful to deactivate horizontal scrolling, especially for number sheets.
So I have customized these 2 files.
But no success. Nothing happens. Scrolling is still possible in both directions. Vertically and horizontally.
Does anyone have an ingenious idea?
Is there or will there be an update to the depsim and vppsim simulator tools? The current version is significantly out-of-date in terms of features and fails to start due to the developer not being verified (ironically).
I have a in-house delivered app, I updated certificates and delivered the app before expiring, inviting users to update. after certificates expiration people who did not update now must remove the app loosing personal data, and download it again, but app crashes.
I know that since iOS 18 in order to trust again an in-house identity, restart is required. What I need to know, is if there is some documentation where is explained the following:
if I remove the only app delivered by in-house enterprise profile I have on a customer device, via home, long time tap gesture, "remove the app" then I install again the app, the profile reappears under "VPN and device management" and results already as "trusted"
instead if I remove the app directly from settings > VPN and device management, when I re-install the app VPN and device management reappears and developer/app is not trusted, in it asks me to trust again the developer and during the operation, restarts the device, asks me device code and so on.
so, my final question is:
since it is clear to me that there is a difference between two removal methods, where is this logic described? Is it only present for in-house distribution?