I'm trying to use DDM manager Safari Extensins in macOS Sequoia. I generate json and load it by mdm and ddm , but it doesn't seems to work. The json I loading is the following: { "Type": "com.apple.configuration.safari.extensions.settings", "Payload": { "ManagedExtensions": { "*": { "State": "AlwaysOn", "PrivateBrowsing": "AlwaysOn", "AllowedDomains": [], "DeniedDomains": [] } } }, "Identifier": "com.test.safari" } This following image is macOS Sequoia Console log. It show the "com.apple.configuration.safari.extensions.settings" had been run successfully, and no errors. macOS Sequoia response is the following: { "StatusItems" : { "management" : { "declarations" : { "activations" : [ { "active" : true, "identifier" : "com.example.act", "valid" : "valid", "server-token" : "5cc191206d1b1933" } ], "configurations" : [ { "active" : true, "identifier" : "com.test.safari", "valid" : "unknown", "server-token" : "29d3ec5ab48e6367" } ], "assets" : [ ], "management" : [ ] } } }, "Errors" : [ ] } you can see macOS Sequoia response , The "valid" value is always "unknown" at ""identifier" : "com.test.safari", but "Errors" is empty, Safari app don't load extensions , the SafariExtensionSettings" ddm don't work, Is there anything wrong with "SafariExtensionSettings" json? or how can I debug it

I'm trying to use DDM manager Safari Extensins in macOS Sequoia. I generate json and load it by mdm and ddm , but it doesn't seems to work. The json I loading is the following: { "Type": "com.apple.configuration.safari.extensions.settings", "Payload": { "ManagedExtensions": { "*": { "State": "AlwaysOn", "PrivateBrowsing": "AlwaysOn", "AllowedDomains": [], "DeniedDomains": [] } } }, "Identifier": "com.test.safari" } macOS Sequoia response is the following: { "StatusItems" : { "management" : { "declarations" : { "activations" : [ { "active" : true, "identifier" : "com.example.act", "valid" : "valid", "server-token" : "5cc191206d1b1933" } ], "configurations" : [ { "active" : true, "identifier" : "com.test.safari", "valid" : "unknown", "server-token" : "29d3ec5ab48e6367" } ], "assets" : [ ], "management" : [ ] } } }, "Errors" : [ ] } you can see, The "valid" value is always "unknown" at ""identifier" : "com.example.act", but "Errors" is empty, Safari app don't load extensions , the SafariExtensionSettings" ddm don't work, Is there anything wrong with "SafariExtensionSettings" json? or how can I debug this bug .

Hi, I'm glad to hear that the service discovery process is improved on iOS/iPadOS 18.2 mentioned here. https://support.apple.com/en-ca/guide/deployment/dep4d9e9cd26/1/web/1.0 I tried it on my development MDM server. Set default MDM for iPad to my development MDM server on Apple Business Manager. Call the new API https://developer.apple.com/documentation/devicemanagement/account_driven_enrollment_profile and 200 OK is returned However the service discovery fails with the following error. Invalid well-known response for https://{my email's comain name}/.well-known/com.apple.remotemanagement?user-identifier={my email}&model-family=iPad: <NSHTTPURLResponse: 0x300a9f420> Invalid well-known response for https://axm-servicediscovery.apple.com/mdmBaseURL?user-identifier={my email}&model-family=iPad: <NSHTTPURLResponse: 0x3009047a0> It seems fallback process to https://axm-servicediscovery.apple.com/mdmBaseURL actually works but it returns 404 Not Found error. How can we use this awesome feature? Thank you :)

Backup and restore Personal IOS data to a Supervised device? We currently have around 200+ iPhone users that are using their devices as personal devices. We are planning on moving them to Intune using Automated Device Enrollment (Supervised). Is it any way possible to backup their devices, do a factory reset, enroll them in Intune, then restore the old data? Is it possible to do backup and restore in this situation? Is there an alternative way to restore the data back to a supervised device?

我有十一台M4芯片的mac mini，目前通过AC2将设备挂载在ABM中。目前有10台通过接口 “https://mdmenrollment.apple.com/device/activationlock” 启用企业激活锁去出现INTERNAL_SERVER_ERROR错误，只有一台成功了，成功那台设备使用的ABM账号与其他设备使用的ABM账号不同所属组织也不同。 I have eleven M4 chip Mac mini devices, currently mounted in ABM through AC2. Currently, there are 10 units that have passed the interface“ https://mdmenrollment.apple.com/device/activationlock ”Enabling the enterprise activation lock resulted in an INTERNAL_SERVER-ERROR error, and only one device succeeded. The successful device used a different ABM account than the other failed devices and belonged to a different organization.

Hi,team: I have configured SystemExtensions and WebContentFilter for supervised devices through mdm, and set NonRemovableFromUISystemExtensions in SystemExtensions, but found that my network filter cannot be deleted in macOS10, macOS11 and macOS12, but it can still be turned off by selecting the network filter in the network and choosing to disable the service. However, it cannot be turned off in macOS13, macOS14 and macOS15. How can I prevent supervised devices from turning off the network filter in 10, 11 and 12? The macOS 10.15.7 image is as follows: macOS15.1.1 cannot delete and cannot close the image as follows: Hope to receive your reply！

When clicking Upload for the CSR file, there is no APNS certificate available for download. Instead, the portal redirects to https://www.apple.com/filenotfound MDM Push Certificates are critical for the operation of managed devices, if they expire, all devices will have to be reenrolled creating a catastrophic event for all the customers devices. Please review and given how critical this service for renewing certificates is for your customers, please also make sure it is always available without downtimes. Let me know if you need more details, Thank you, Sergio

Hi,team: I know that the MDM system extension configuration parameter RemovableSystemExtensions can only be valid after macOS12+, but can I also use this parameter between macOS10.15-12? Even if he is ineffective. Will this cause any problems with the system. I want to use the same MDM configuration file for the devices I manage, which have systems between macOS10.15-15.I hope to receive your confirmation

We have noticed that if we apply forceDelayedSoftwareUpdates in Restrictions profile, it causes ScheduleOSUpdates to fail or go into an invalid state. For example: On my iOS device, we have set the forceDelayedSoftwareUpdates to 90 days which removed the latest iOS update iOS 18.2 from the Software Updates section on the device. Post this, if I schedule an update for iOS 18.2 using ScheduleOSUpdateCommand, it fails to download. If I schedule the same without forceDelayedSoftwareUpdates, the update works as expected. Please help what could be the reason for this behavior as forceDelayedSoftwareUpdates should not block ScheduleOSUpdates.

Hi Apple Community, I have been Testing with key allowAccountModification in macOS Restriction Payload and found some contrasting behavior In macOS 14, macOS 15.1 in both of the OS Version when allowAccountModification is set to False it restricts adding new Account in System Settings and this is expected behavior How ever things are contrasting and not going as expected in the below situation When macOS 14 Version has 2 profiles for Restriction Payload one with allowAccountModification set to False and another with allowAccountModification set to True it restricts adding Apple Account When macOS 15.1 Version has 2 profiles for Restriction Payload one with allowAccountModification set to False and another with allowAccountModification set to True it allows adding Apple Account I remember when restrictions payload keys are contrasting across different profile Apple Uses the most restrictive one among them. But in macOS 15.1 the behavior is unexpected. Is this a issue in 15.1 and is there any list of macOS versions which shows this unexpected behavior

Hi Apple Community, If a macOS Device is FileVault Encrypted, We are using the keys FDE_HasInstitutionalRecoveryKey, FDE_HasPersonalRecoveryKey from SecurityInfo to know the Device Encryption Type. But Some times rarely we get FDE_Enabled as true but both the above mentioned keys as false Also we get SecurityInfo Response patterns like these only if FileVault is enabled in Device with iCloud as option to unlock the disk Can we confirm this pattern or is there any way to know if device is encrypted with options other than Personal / Institutional Types <plist version="1.0"> <dict> <key>CommandUUID</key> <string>SecurityInfo</string> <key>SecurityInfo</key> <dict> ...... ...... ...... <key>FDE_Enabled</key> <true/> <key>FDE_HasInstitutionalRecoveryKey</key> <false/> <key>FDE_HasPersonalRecoveryKey</key> <false/> ...... ...... ...... <key>Status</key> <string>Acknowledged</string> <key>UDID</key> <string>..............</string> </dict> </plist>

I work with https://developer.apple.com/documentation/devicemanagement/activationlockrequest?language=objc. The same codes work well on other devices, such as iphone, ipad, mac air. What causes? What can i do to resovle it?

is it possible to push app updates in Single App Mode via Intune?

I have private certificate authority. Root &gt; Intermediate &gt; Leaf. When I install the Root Certificate, it shows in Settings &gt; General &gt; About &gt; Certificate Trust Settings in iOS 18.1.1 However, when I install the Intermediate Certificate (including the CA Bundle), the Intermediate CA Certificate is not shown in the Certificate Trust Settings. All my leaf certificates are issued by the Intermediate CA. Is this a bug? If not, how can this be solved? TIA!

I am trying to create a DNS over HTTPS and DNS over TLS server that requires authentication with a client certificate and configure it in the Device Management Profile for use from the iPhone. I have set the PayloadCertificateUUID in DNSSettings, but it appears that the client certificate is not being used. Is there anything I should check in advance when using a p12 file with PayloadCertificateUUID? Configuration Profile <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadType</key> <string>Configuration</string> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadUUID</key> <string>295E68E5-39F0-46D1-94E4-4A49EC8392E2</string> <key>PayloadIdentifier</key> <string>com.example.dns</string> <key>PayloadDisplayName</key> <string>My DNS</string> <key>PayloadRemovalDisallowed</key> <false/> <key>PayloadContent</key> <array> <dict> <key>PayloadType</key> <string>com.apple.dnsSettings.managed</string> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadUUID</key> <string>4CCEE94D-7B72-46AB-87AD-5A368F937339</string> <key>PayloadIdentifier</key> <string>com.example.dns.names</string> <key>PayloadDisplayName</key> <string>My DNS</string> <key>PayloadDescription</key> <string>DNS Settings</string> <key>PayloadCertificateUUID</key> <string>07A96080-5FAE-4026-937D-F578530E1444</string> <key>DNSSettings</key> <dict> <key>DNSProtocol</key> <string>TLS</string> <key>ServerName</key> <string><!-- my DoT server name --></string> </dict> <key>ProhibitDisablement</key> <false/> </dict> <dict> <key>PayloadType</key> <string>com.apple.security.pkcs1</string> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadUUID</key> <string>260CC26A-2DD1-4B16-B8C0-AF1E655576AD</string> <key>PayloadIdentifier</key> <string>com.example.certs.intermediate-ca</string> <key>PayloadDisplayName</key> <string>Intermediate CA</string> <key>PayloadDescription</key> <string>Intermediate CA</string> <key>PayloadCertificateFileName</key> <string>ca-chain.cert.cer</string> <key>PayloadContent</key> <data><!-- contents of Intermediate CA certificate --></data> </dict> <dict> <key>PayloadType</key> <string>com.apple.security.root</string> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadUUID</key> <string>E5DB74AA-3C5F-470B-AAE0-DF072095A2EC</string> <key>PayloadIdentifier</key> <string>com.example.certs.root-ca</string> <key>PayloadDisplayName</key> <string>Root CA</string> <key>PayloadDescription</key> <string>Root CA</string> <key>PayloadCertificateFileName</key> <string>ca.cert.cer</string> <key>PayloadContent</key> <data><!-- contents of Root CA certificate --></data> </dict> <dict> <key>PayloadType</key> <string>com.apple.security.pkcs12</string> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadUUID</key> <string>07A96080-5FAE-4026-937D-F578530E1444</string> <key>PayloadIdentifier</key> <string>com.example.certs.client.iseebi</string> <key>PayloadDisplayName</key> <string>Client Certificate</string> <key>PayloadDescription</key> <string>Client Certificate</string> <key>Password</key> <string><!-- password of p12 --></string> <key>PayloadCertificateFileName</key> <string>Key.p12</string> <key>PayloadContent</key> <data><!-- contents of p12 --></data> </dict> </array> </dict> </plist> iPhone console log Connection 3742: enabling TLS Connection 3742: starting, TC(0x0) Connection 3742: asked to evaluate TLS Trust Connection 3742: TLS Trust result 0 Connection 3742: asked for TLS Client Certificates Connection 3742: issuing challenge for client certificates, DNs(1) Connection 3742: asked for TLS Client Certificates Connection 3742: received response for client certificates (-1 elements) Connection 3742: providing TLS Client Identity (-1 elements) Connection 3742: providing TLS Client Identity (-1 elements) Connection 3742: connected successfully Connection 3742: TLS handshake complete Connection 3742: ready C(N) E(N) Connection 3742: received viability advisory(Y) Connection 3742: read-side closed Connection 3742: read-side closed Connection 3742: read-side closed Connection 3742: cleaning up Connection 3742: done server log (stunnel) LOG5[9]: Service [dns] accepted connection from <IP> LOG6[9]: Peer certificate required LOG7[9]: TLS state (accept): before SSL initialization LOG7[9]: TLS state (accept): before SSL initialization LOG7[9]: Initializing application specific data for session authenticated LOG7[9]: SNI: no virtual services defined LOG7[9]: OCSP stapling: Server callback called LOG7[9]: OCSP: Validate the OCSP response LOG6[9]: OCSP: Status: good LOG6[9]: OCSP: This update: 2024.12.06 08:32:00 LOG6[9]: OCSP: Next update: 2024.12.13 08:31:58 LOG5[9]: OCSP: Certificate accepted LOG7[9]: OCSP: Use the cached OCSP response LOG7[9]: OCSP stapling: OCSP response sent back LOG7[9]: TLS state (accept): SSLv3/TLS read client hello LOG7[9]: TLS state (accept): SSLv3/TLS write server hello LOG7[9]: TLS state (accept): SSLv3/TLS write change cipher spec LOG7[9]: TLS state (accept): TLSv1.3 write encrypted extensions LOG7[9]: TLS state (accept): SSLv3/TLS write certificate request LOG7[9]: TLS state (accept): SSLv3/TLS write certificate LOG7[9]: TLS state (accept): TLSv1.3 write server certificate verify LOG7[9]: TLS state (accept): SSLv3/TLS write finished LOG7[9]: TLS state (accept): TLSv1.3 early data LOG7[9]: TLS state (accept): TLSv1.3 early data LOG7[9]: TLS alert (write): fatal: unknown LOG3[9]: SSL_accept: ssl/statem/statem_srvr.c:3510: error:0A0000C7:SSL routines::peer did not return a certificate LOG5[9]: Connection reset/closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket LOG7[9]: Deallocating application specific data for session connect address LOG7[9]: Local descriptor (FD=10) closed LOG7[9]: Service [dns] finished (0 left)

I created a mobileconfig file on our self-developed MDM server and used Apple Configurator with a USB cable to prepare the device. However, the profile installation failed and show the mdm payload is invalid must to be removed. I suspect that the issue might be related to the CA (Certificate Authority) in the configuration, even though I have provided the ROOT SSL CA and the .p12 file. What CA file should I include in the mobileconfig to resolve this issue? using Apple Configurator to edit the mobileconfig file, but the MDM service is no longer displayed. How should I handle this

On devices running iOS 18+, when a web app kiosk policy is pushed via an MDM and the device is restarted. The touch screen doesn't respond on the device. So the device is currently in a brick state. Since we can't enter the password we can't get the logs from the device and it is even hard to recover the device. On restart the device isn't connecting to the internet so it isn't possible to remove the kiosk policy as well. This only happens on devices running iOS 18+ and with web app kiosk profile.

I have the following setup: Managed domain (pdfforge.org) Managed app (Dropbox) with Files app integration. This can also occur with the following setup: A custom browser is installed as managed (ex Firefox) No managed domains Managed app (Dropbox) with Files app integration. Trying to upload a file from Dropbox in this managed domain by clicking on the Dropbox folder causes the folder to disappear and instead I am rerouted to the On My Phone directory. On subsequent tries, sometimes the folder opens and I can see the files, but while scrolling the files disappear. This makes it unable to upload any files from Dropbox to this managed domain. If both the managed app and domains are not set up, then everything works normally. Is this happening to everyone else? I also tried with Nextcloud and Google Drive.

We're implementing an MDM system and would like to know if we can get the type of CPU for an enrolled device, I know we can use IsAppleSilicon from the Device Information command but it would be good to know if it's an M1, M2, M3 etc. We can implement a mapping of product name to CPU type, e.g. Mac16,1 has an M4 chip but this would mean ongoing maintenance that we'd prefer to avoid. Is there a public web API (ideally first-party provided by Apple) that can be used to lookup details of a device by product name or similar? Slightly related is the Declarative Device Management documentation for StatusDeviceModelMarketingName offers an alternative of: use device.model.configuration-code to look up the marketing name through the web API but doesn't mention which web API.

Ref- https://support.apple.com/en-in/guide/deployment/dep3b4cf515/web When we deploy an Payload with identifier "com.apple.airprint" , It will add the deployed printer configurations to printers list in mac. Which additionally needs the mac user to add it from Settings -> Printers -> Add Printer -> (Deployed Printer Configuration will be listed here) Select the printer -> Click Add . Screenshot where user need to add it manually after profile association is attached below. Now the Printer is available to be used ,when an share option in any document is clicked. Why this flow requires multiple to and fro. Can it be able to deploy the printer straight to Printers available List instead of manually adding from the above screenshot