Hi, I am trying to enable declarative management on my device ( it is already enrolled as a sharedIpad with DEP). When sendind the command, the device's response contains an error. It is not acknowledged. Either on the device channel or on the user channel. The device channel returns : 'ErrorChain': [{'ErrorCode': 4, 'ErrorDomain': 'RMErrorDomain', 'LocalizedDescription': 'Feature Disabled: Device Channel.'}], 'Status': 'Error', and the user channel returns : 'ErrorChain': [{'ErrorCode': 12021, 'ErrorDomain': 'MDMErrorDomain', 'LocalizedDescription': '“DeclarativeManagement” is not a valid request type.', 'USEnglishDescription': '“DeclarativeManagement” is not a valid request type.'}], 'Status': 'Error', Does DEP device support declarative management? Thanks.

Is there a way to check if DDM(Declarative Device Management) is enabled on a device?

My application supports Custom URL Schema which is used to perform an open operation. My application is used as a helper app for MDM, hence it will be installed as a Managed Application. I want only the other Managed Applications to be able to invoke the Custom URL Schema and not allow it for unmanaged applications. Is there any such provision provided by Apple MDM protocol?

We want to set key-value pair (installation_token: xxxxx) into an app installed by MDM. Formerly we could set the key-value using Settings MDM command like this. <dict> <key>Command</key> <dict> <key>RequestType</key> <string>Settings</string> <key>Settings</key> <array> <dict> <key>Configuration</key> <dict> <key>installation_token</key> <string>xxxxxxx</string> </dict> <key>Identifier</key> <string>com.cloudflare.cloudflareoneagent</string> <key>Item</key> <string>ApplicationConfiguration</string> </dict> </array> </dict> We can still use this for the apps installed withInstallApplication MDM command, however we cannot apply this configuration into the app using Declarative Device Management. When we try it, we got an error like this. <dict> <key>CommandUUID</key> <string>.............</string> <key>Settings</key> <array> <dict> <key>ErrorChain</key> <array> <dict> <key>ErrorCode</key> <integer>12008</integer> <key>ErrorDomain</key> <string>MDMErrorDomain</string> <key>LocalizedDescription</key> <string>Could not modify apps managed by Declarative Device Management.</string> <key>USEnglishDescription</key> <string>Could not modify apps managed by Declarative Device Management.</string> </dict> </array> <key>Identifier</key> <string>com.cloudflare.cloudflareoneagent</string> <key>Item</key> <string>ApplicationConfiguration</string> <key>Status</key> <string>Error</string> </dict> </array> How can we work with managed application configuration with DDM?

Hello, We are trying to use the Managed App Distribution framework with our mdm following the documentation here : https://developer.apple.com/documentation/managedappdistribution But on the first load we don't get anything, the app keep getting stuck inside the following code without sending an error or getting the managed apps for try await result in ManagedAppLibrary.currentDistributor.availableApps { content = try result.get().map(Content.managedApp) } If we update the list of available managed apps in our mdm, the function execute and so we have all the apps displayed as expected, but if we close and re-open the app it'll again not display anything until we update the managed apps list. How can we fetched our managed apps at anytime and not only when the list is updated ? Why this method seems to be waiting for an update instead of just fetching the available managed apps when we call it ?

I'm trying to set up a configuration profile on a supervised device for a kid's phone. I want to force a VPN 100% of the time except for local network activity and some specific domains. Or at the very least, have a few apps go outside the tunnel. Apple makes this IMPOSSIBLE even though according to the documentation it should be possible. The IKEv2 vpntype has a key "OnDemandUserOverrideDisabled" which is supposed to prevent a user from toggling off the vpn, which obviously defeats the purpose of having it. However, as other users have posted, this DOES NOT WORK. So anyone can just turn off the vpn and be connected to the internet unprotected. On the "AlwaysOn" vpntype, the element "ApplicationExceptions" which would allow you to list a few applications that can go outside the tunnel DOES NOT WORK. This is critical because so many domains automatically block vpn servers and it's a huge pain. Also local network activity also gets blocked, which makes it impossible to connect to local devices. And there's no split tunneling possible with this vpntype. So basically, it's impossible. I WOULDN'T BE SURPRISED IF APPLE DID THIS INTENTIONALLY TO KEEP KIDS ADDICTED AND IN DANGER SO THEY USE THE PHONE MORE.

Here https://github.com/apple/device-management/blobelease/mdm/commands/information.device.yaml#L3246 it is mentioned that for querying Managed attestation certificate the ios device needs to have A11 Bionic and later, Wanted to understand how to get this information programmatically i.e is Apple sending chip information for iphone and ipad devices as part of some sample ? or is there a way to query this information from the device ? Here https://github.com/apple/device-management/blobelease/mdm/commands/information.device.yaml#L3246 it is mentioned that for querying Managed attestation certificate the macos device needs to have Apple Silicon, using IsAppleSilicon https://github.com/apple/device-management/blobelease/mdm/commands/information.device.yaml#L357 property is fine ? Can we use this field to determine if the device is Apple silicon ? Same question for Apple TV as well - How to get the information if a device is having A12 Bionic and later ? and same for Apple watch, how to know if a device is S4 and later ?

When a DeviceInformation command along with ManagedAttestion data in the query along with a new nonce and after 7 days last time we queried for fresh certificate, is there a possibility that a) we will get a DeviceInformation response without a Managed attestion certificte. OR b) We will get a cached certificate Also, what's the average increase in expected response time when we query Managed attestation certificate in DeviceInformation.

out of 37 devices, 7 are inactive( al are ios ). We have checked one of the devices and the broadcast message was sent successful. Additionally, Cx confirmed that the location history is shown properly. We restarted the device, checked the date and time, and found it to be correct. We also switched to a different network, but that doesn't change anything. The sync from the Hexnode app was successful. We reinstalled the MDM profile, yet it doesn't change anything. We renewed the APNs once and checked, but the scan device action remains pending.

macOS devices- dep enrolled device - configured an email policy and it gets stuck on pending status. The rest of the policies and actions like lock device and scan device are executed successfully. While enrollment using DEP, if there is account creation config present in Dep configuration profile , At the time of enrollment we don't receive the user token and user channel is not present. The keys UserID and EnrollmentUserID in TokenUpdate is not present. As a result we can't successfully push the email policy. Is the inference correct or is there anything else we are missing out.

I got sent an activation code through one of these apple emails and it can’t access the code because I don’t know where to go. Please help if you can!

On October 4, 2024, the enterprise app we are using showed a "(app name) is no longer available" pop-up on certain devices and the app was not available. And if those users delete the app and reinstall it, "I can't install (app name) because I can't verify integrity, I can't install this app" pop up. The profile of the app was renewed in February this year, and membership, certificate, and profile were all not expired. Currently, the problem has been solved by re-deploying the app, Please tell me the cause of the phenomenon and how to take preventive measures.

**Hi Apple Developer Community, Good Morning ** My Personal MacBook Air M1: Mac OS: Sequoia, Version 15.0 Please note, this is my personal MacBook and I am the only one who is using it. I can see System Configuration, Configuration Profiles and Kerberos on my personal MacBook Air M1 System Folder ---&amp;amp;amp;amp;amp;amp;amp;amp;amp;gt; Library ----&amp;amp;amp;amp;amp;amp;amp;amp;amp;gt; Configuration profile, System Configuration folders ?. Attaching herewith the snapshot of the same. Can some throw light on the same. Do I need to remove the configuration profile, system configuration from my personal MacBook Air M1 which is seen in System Folder ---&amp;amp;amp;amp;amp;amp;amp;amp;amp;gt; Library ----&amp;amp;amp;amp;amp;amp;amp;amp;amp;gt; Configuration profile, System Configuration folders ? Also, I cannot edit the user in my name. **Kindly assist me with the same. Thanks and Regards,** Omkar

We are in the process of replacing the TripleDES algorithm with AES in our MDM solution. However, after switching the encryption algorithm, we encountered the following error on Apple devices during enrollment: Error: "-26275 error decrypting response payload (mdmclient(SCEP))" Do Apple devices support AES encryption during the enrollment process, or are there any known limitations that prevent its use? Technical Details: During enrollment, when the device attempts to install the Management Profile, it requests the MDM server to retrieve the device certificate from the SCEP URL. We send the certificate by creating Enveloped CMS content, using TripleDES as the algorithm identifier. If we switch the algorithm to AES, we observe the error mentioned above. We are also using TripleDES when preparing the CMS content for the enrollment profile, which works without issues.

I am looking into bypassing the following popup when setting up an iPhone 15 Pro: Would the SkipKey SIMSetup allow to bypass having the following window popup upon initial setup? So far all settings are bypassed during the initial setup of the phone and the application of Wi-Fi. The only issue present in the setup I want to achieve is prohibiting this window regarding eSIM set up.

https://support.apple.com/en-gb/guide/deployment/dep6fa9dd532/web dangles a carrot about being able to facilitate "A list of domains that the Shared iPad sign-in screen displays. The user can pick a domain from the list to complete their Managed Apple ID." - this sounds ideal! In the absence of this seemingly being supported by Apple Configurator or iMazing Profile Editor at the time of writing, I have tried to create my own but I fall foul of knowing what PayloadIdentifier or PayloadType to use? This is the draft/work in progress/doomed to failure config so far (which doesn't - as expected - work): <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>HasRemovalPasscode</key> <false/> <key>PayloadContent</key> <array> <dict> <key>PayloadDescription</key> <string>Configures Managed Domains</string> <key>PayloadDisplayName</key> <string>Domains</string> <key>PayloadIdentifier</key> <string>com.apple.domains.DE12211A-CFDD-4F8C-8D7B-72E569CE3B6C</string> <key>PayloadType</key> <string>com.apple.domains</string> <key>PayloadUUID</key> <string>DE12211A-CFDD-4F8C-8D7B-72E569CE3B6C</string> <key>PayloadVersion</key> <integer>1</integer> <key>WebDomains</key> <array> <string>domain.com</string> </array> </dict> </array> <key>PayloadDescription</key> <string>For Shared iPad login convenience</string> <key>PayloadDisplayName</key> <string>DefaultDomain</string> <key>PayloadIdentifier</key> <string>Tom.77CF3CA5-4A48-41DD-9179-EF6F4C5E786E</string> <key>PayloadRemovalDisallowed</key> <true/> <key>PayloadType</key> <string>Configuration</string> <key>PayloadUUID</key> <string>A5594F17-155B-4A1C-8696-3F502D118C37</string> <key>PayloadVersion</key> <integer>1</integer> </dict> </plist> The support article is probably ~2-year old information so I'd have thought that by now that this would be documented somewhere - am I just not looking hard enough?

We are doing application assignment to personal iOS devices that are enrolled in MDM via User Enrollment. However, we're experiencing some odd behavior when assigning licenses. We are getting back errors from the devices when doing assignments: code: 12064, domain: MDMErrorDomain, description: Could not retrieve licence for the app with iTunes Store ID 422689480. code: 2605, domain: DeviceManagement.error, description: No licence was found for app "com.google.Gmail". However, we are not seeing license exhaustion on the Apple Business Manager side for our location. We are not clear what would cause the 12064 or 2605 errors. We have tried re-sending the command to install the app, and we have tried un-enrolling devices and re-enrolling, as well as updating the VPP Token for the location. We have gathered sysdiagnoses from affected devices, but it's not clear what causes this. What other causes are there for 12064 and 2605 errors? How can we work around these?

Since this file is protected by SIP, it can't just be changed by an installer/app without prompting the user. If the user chooses to deny the request, the sudo file won't be updated with a security critical pam module. I need to insert our custom pam module into /etc/pam.d/sudo without the user being able to deny the operation.

Analytics report issues

I'm developing an ACME server to issue identity certificates to macOS/iOS devices for MDM attestation, following RFC 8555. Per RFC, the client creates an order, performs authorization, verifies the challenge, and finalizes the order by submitting a CSR to the CA. In my setup, the CA sometimes takes longer to issue the certificate (around 50 seconds). According to RFC 8555, if certificate issuance isn’t complete after the /finalize call, the server should respond with an "order" object with a "processing" status. The client should then send a POST-as-GET request to the order resource (e.g., /order/<order_id>) to check the current state. If the CA still hasn’t issued the certificate, the server should return the order object with the same "processing" status and include a "Retry-After" header, indicating when the client should retry. The client is expected to poll the order resource at this specified interval with POST-as-GET requests. However, it seems the Apple ACME client ignores the "Retry-After" header and instead returns the error: "Profile failed - Order status is processing, not yet valid" immediately upon the first poll response with "processing." Apple ACME client deviating from the RFC documentation. Has anyone found a reliable solution to this issue? Or does Apple supports asynchronous order finalization? Ref -https://datatracker.ietf.org/doc/html/rfc8555#:~:text=A%20request%20to%20finalize%20an%20order%20will%20result%20in%20error,to%20the%20%22certificate%22%20field%20of%20the%20order.%20%20Download%20the%0A%20%20%20%20%20%20certificate. To work around this, I’m holding the /finalize call until the CA issues the certificate. This works when issuance is quick (under 20 seconds), but if it takes more than that , the client times out. Interestingly, the Apple ACME client’s timeout appears shorter than the usual 60-second URLSession default.