Managed iOS/iPad devices are struck with no network under below conditions
Enrolling a Supervised iOS device
Send InstallProfile command with AppLock payload (https://developer.apple.com/documentation/devicemanagement/applock)
Now when the above managed device loses network connection with MDM server due to unknown network issues - the device is out of contact with MDM server and device is locked.
Since such AppLock payload installed devices are placed in remote locations, it becomes difficult for Admins to recover such devices with no network connectivity. The devices have to be brought in from remote location and recover them.
Under such conditions, it would be better to allow the end user to change the Network configuration manually to reconnect the device with MDM server.
This option can also be allowed only when the device can’t ping MDM server.
Device Management
RSS for tagAllow administrators to securely and remotely configure enrolled devices using Device Management.
Post
Replies
Boosts
Views
Activity
It would often be useful to deactivate horizontal scrolling, especially for number sheets.
So I have customized these 2 files.
But no success. Nothing happens. Scrolling is still possible in both directions. Vertically and horizontally.
Does anyone have an ingenious idea?
Is there or will there be an update to the depsim and vppsim simulator tools? The current version is significantly out-of-date in terms of features and fails to start due to the developer not being verified (ironically).
I have an MDM supervised device with an installed managed app, that activates a content-filter solution to filter traffic system-wide. Is it possible in any way for the user to install a third party content-filter app that would somehow overtake the control of content filtering from my app? I'm asking this because I've tested such a case with my another test content-filter solution and it takes control over content filtering from my content-filter – I think this is possible only because my device is in developer mode, but I'm not entirely sure, and I need a confirmation that it would not be possible to happen in an end used environment.
I have a in-house delivered app, I updated certificates and delivered the app before expiring, inviting users to update. after certificates expiration people who did not update now must remove the app loosing personal data, and download it again, but app crashes.
I know that since iOS 18 in order to trust again an in-house identity, restart is required. What I need to know, is if there is some documentation where is explained the following:
if I remove the only app delivered by in-house enterprise profile I have on a customer device, via home, long time tap gesture, "remove the app" then I install again the app, the profile reappears under "VPN and device management" and results already as "trusted"
instead if I remove the app directly from settings > VPN and device management, when I re-install the app VPN and device management reappears and developer/app is not trusted, in it asks me to trust again the developer and during the operation, restarts the device, asks me device code and so on.
so, my final question is:
since it is clear to me that there is a difference between two removal methods, where is this logic described? Is it only present for in-house distribution?
Is there a way to restrict an end user from potentially editing a supervised device through Apple Configurator? It seems that Apple Configurator allows to make undesirable changes to a supervised device, like removing profiles, which would in turn be detrimental to the intended experience on the device, if a user would actually be able to perform such changes.
I have 5-6 mac minis connected to my windows server 2022 and the accounts that connect to the mac are network account. How do I block the network users from accessing or using certain apps like terminal and passwords?
I've installed two different profiles and having no issues using them until iOS 17, 18.0 (certainly for 17, but not so sure for 18).
But after upgrading to 18.2 and even developer beta 18.3, installed profiles are not showing on the Setting / General / VPN & Device Management.
So I can't even uninstall, also I can't reinstall unless I factory reset by iPhone, iPad and not using iCloud backups.
First profile is DNS profile downloaded from website(NextDNS) and the second profile is made by my own, configuration for the cellular APN setting.
(DNS setting is shown on the setting but there's no profile showing, I did not uninstalled or removed it)
(Installing the custom celluar configuration profile failed, since it's already installed but just not showing as above)
All happens on my iPad pro M1 12.9, ipad mini 2021, iphone 12 mini(18.3, else are 18.2), and iphone 16 pro max.
Want to know if it's bug, and any resolution excluding factory reset and start using from scratch(It's very useless solution). Thank you.
I'm trying to use DDM manager Safari Extensins in macOS Sequoia. I generate json and load it by mdm and ddm , but it doesn't seems to work. The json I loading is the following:
{
"Type": "com.apple.configuration.safari.extensions.settings",
"Payload": {
"ManagedExtensions": {
"*": {
"State": "AlwaysOn",
"PrivateBrowsing": "AlwaysOn",
"AllowedDomains": [],
"DeniedDomains": []
}
}
},
"Identifier": "com.test.safari"
}
This following image is macOS Sequoia Console log. It show the "com.apple.configuration.safari.extensions.settings" had been run successfully, and no errors.
macOS Sequoia response is the following:
{
"StatusItems" : {
"management" : {
"declarations" : {
"activations" : [
{
"active" : true,
"identifier" : "com.example.act",
"valid" : "valid",
"server-token" : "5cc191206d1b1933"
}
],
"configurations" : [
{
"active" : true,
"identifier" : "com.test.safari",
"valid" : "unknown",
"server-token" : "29d3ec5ab48e6367"
}
],
"assets" : [
],
"management" : [
]
}
}
},
"Errors" : [
]
}
you can see macOS Sequoia response , The "valid" value is always "unknown" at ""identifier" : "com.test.safari", but "Errors" is empty, Safari app don't load extensions , the SafariExtensionSettings" ddm don't work, Is there anything wrong with "SafariExtensionSettings" json? or how can I debug it
Hi,
I am trying to enable declarative management on my device ( it is already enrolled as a sharedIpad with DEP).
When sendind the command, the device's response contains an error. It is not acknowledged. Either on the device channel or on the user channel.
The device channel returns :
'ErrorChain': [{'ErrorCode': 4, 'ErrorDomain': 'RMErrorDomain', 'LocalizedDescription': 'Feature Disabled: Device Channel.'}], 'Status': 'Error',
and the user channel returns :
'ErrorChain': [{'ErrorCode': 12021, 'ErrorDomain': 'MDMErrorDomain', 'LocalizedDescription': '“DeclarativeManagement” is not a valid request type.', 'USEnglishDescription': '“DeclarativeManagement” is not a valid request type.'}], 'Status': 'Error',
Does DEP device support declarative management?
Thanks.
I'm trying to use DDM manager Safari Extensins in macOS Sequoia. I generate json and load it by mdm and ddm , but it doesn't seems to work. The json I loading is the following:
{
"Type": "com.apple.configuration.safari.extensions.settings",
"Payload": {
"ManagedExtensions": {
"*": {
"State": "AlwaysOn",
"PrivateBrowsing": "AlwaysOn",
"AllowedDomains": [],
"DeniedDomains": []
}
}
},
"Identifier": "com.test.safari"
}
macOS Sequoia response is the following:
{
"StatusItems" : {
"management" : {
"declarations" : {
"activations" : [
{
"active" : true,
"identifier" : "com.example.act",
"valid" : "valid",
"server-token" : "5cc191206d1b1933"
}
],
"configurations" : [
{
"active" : true,
"identifier" : "com.test.safari",
"valid" : "unknown",
"server-token" : "29d3ec5ab48e6367"
}
],
"assets" : [
],
"management" : [
]
}
}
},
"Errors" : [
]
}
you can see, The "valid" value is always "unknown" at ""identifier" : "com.example.act", but "Errors" is empty, Safari app don't load extensions , the SafariExtensionSettings" ddm don't work, Is there anything wrong with "SafariExtensionSettings" json? or how can I debug this bug .
I’m looking for advice on implementing an Active Supervision Mode for enhanced parental control. My goal is to restrict access to both iOS system apps and third-party applications to create a safer and more tailored digital experience for my child.
Here’s what I’d like to achieve:
App Restrictions: Block specific apps (both iOS and third-party) and allow access only to approved ones.
Time Limits: Set daily usage limits for individual apps or app categories.
Content Filtering: Apply restrictions to block inappropriate content and age-inappropriate apps.
Remote Management: Manage these settings remotely from my device for added convenience.
Activity Monitoring: View app usage stats or receive alerts for policy violations.
I understand that Screen Time on iOS offers basic parental controls, but I’m exploring whether iOS supports more advanced capabilities natively or through additional configurations.
I’ve also heard that enrolling a device in Apple Business Manager (ABM) and linking it to an MDM (Mobile Device Management) solution might provide greater control. If this is a viable solution, could anyone provide guidance on:
Enrolling a personal or family-owned device into Apple Business Manager.
Linking an MDM for configuring app restrictions and monitoring usage.
Alternatively, if there are third-party parental control apps that work seamlessly with iOS to achieve these goals, I’d appreciate your recommendations!
Thanks in advance for your insights!
我有十一台M4芯片的mac mini,目前通过AC2将设备挂载在ABM中。目前有10台通过接口 “https://mdmenrollment.apple.com/device/activationlock” 启用企业激活锁去出现INTERNAL_SERVER_ERROR错误,只有一台成功了,成功那台设备使用的ABM账号与其他设备使用的ABM账号不同所属组织也不同。
I have eleven M4 chip Mac mini devices, currently mounted in ABM through AC2. Currently, there are 10 units that have passed the interface“ https://mdmenrollment.apple.com/device/activationlock ”Enabling the enterprise activation lock resulted in an INTERNAL_SERVER-ERROR error, and only one device succeeded. The successful device used a different ABM account than the other failed devices and belonged to a different organization.
When clicking Upload for the CSR file, there is no APNS certificate available for download.
Instead, the portal redirects to https://www.apple.com/filenotfound
MDM Push Certificates are critical for the operation of managed devices, if they expire, all devices will have to be reenrolled creating a catastrophic event for all the customers devices.
Please review and given how critical this service for renewing certificates is for your customers, please also make sure it is always available without downtimes.
Let me know if you need more details,
Thank you,
Sergio
Hi,team:
I have configured SystemExtensions and WebContentFilter for supervised devices through mdm, and set NonRemovableFromUISystemExtensions in SystemExtensions, but found that my network filter cannot be deleted in macOS10, macOS11 and macOS12, but it can still be turned off by selecting the network filter in the network and choosing to disable the service. However, it cannot be turned off in macOS13, macOS14 and macOS15. How can I prevent supervised devices from turning off the network filter in 10, 11 and 12?
The macOS 10.15.7 image is as follows:
macOS15.1.1 cannot delete and cannot close the image as follows:
Hope to receive your reply!
Hi,team:
I know that the MDM system extension configuration parameter RemovableSystemExtensions can only be valid after macOS12+, but can I also use this parameter between macOS10.15-12? Even if he is ineffective. Will this cause any problems with the system. I want to use the same MDM configuration file for the devices I manage, which have systems between macOS10.15-15.I hope to receive your confirmation
Importing an existing self- signed trusted root certificate no longer triggers option to trust cert in Settings / About / Certificate Trust Settings In iOS 18.
Cert installed manually from internal website, as email attachment, and using profile in Configurator all produce same result.
Same cert and processes work on iOS 16.7.10, iOS 17.6.1 and iPadOS 18.0
But not on iOS 18.0 nor beta iOS 18.1 beta5 on iPhone 16
Also tried regening a new test root on macOS Sonoma and installing using Configurator. No difference.
It’s broken - I’ve reported it by Feedback - it’s a vital security flaw.
Anyone else see this or have a workaround?
Hi Apple Community,
I have been Testing with key allowAccountModification in macOS Restriction Payload and found some contrasting behavior
In macOS 14, macOS 15.1 in both of the OS Version when allowAccountModification is set to False it restricts adding new Account in System Settings and this is expected behavior
How ever things are contrasting and not going as expected in the below situation
When macOS 14 Version has 2 profiles for Restriction Payload one with allowAccountModification set to False and another with allowAccountModification set to True it restricts adding Apple Account
When macOS 15.1 Version has 2 profiles for Restriction Payload one with allowAccountModification set to False and another with allowAccountModification set to True it allows adding Apple Account
I remember when restrictions payload keys are contrasting across different profile Apple Uses the most restrictive one among them. But in macOS 15.1 the behavior is unexpected. Is this a issue in 15.1 and is there any list of macOS versions which shows this unexpected behavior
Hi Apple Community,
If a macOS Device is FileVault Encrypted, We are using the keys FDE_HasInstitutionalRecoveryKey, FDE_HasPersonalRecoveryKey from SecurityInfo to know the Device Encryption Type. But Some times rarely we get FDE_Enabled as true but both the above mentioned keys as false
Also we get SecurityInfo Response patterns like these only if FileVault is enabled in Device with iCloud as option to unlock the disk
Can we confirm this pattern or is there any way to know if device is encrypted with options other than Personal / Institutional Types
<plist version="1.0">
<dict>
<key>CommandUUID</key>
<string>SecurityInfo</string>
<key>SecurityInfo</key>
<dict>
......
......
......
<key>FDE_Enabled</key>
<true/>
<key>FDE_HasInstitutionalRecoveryKey</key>
<false/>
<key>FDE_HasPersonalRecoveryKey</key>
<false/>
......
......
......
<key>Status</key>
<string>Acknowledged</string>
<key>UDID</key>
<string>..............</string>
</dict>
</plist>
My application supports Custom URL Schema which is used to perform an open operation. My application is used as a helper app for MDM, hence it will be installed as a Managed Application.
I want only the other Managed Applications to be able to invoke the Custom URL Schema and not allow it for unmanaged applications. Is there any such provision provided by Apple MDM protocol?