Device Management

RSS for tag

Allow administrators to securely and remotely configure enrolled devices using Device Management.

Device Management Documentation

Post

Replies

Boosts

Views

Activity

Managing order of Transparent Proxies from MDM like JAMF
There could be a case where-in multiple transparent proxies might exist in the system (for ex., Cisco AnyConnect, GlobalProtect, etc). We want to know if there is a way to order transparent proxies so that the desired transparent proxy gets the request first. During our research, we found a resource which talks about ordering transparent proxies through MDM. https://developer.apple.com/documentation/devicemanagement/vpn/transparentproxy Using this reference, we tried to create a profile and push it through JAMF. Below is the profile that we created and pushed with JAMF. Property List - <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>TransparentProxy</key> <array> <dict> <key>ProviderBundleIdentifier</key> <string>com.paloaltonetworks.GlobalProtect.client.extension</string> <key>Order</key> <string>1</string> </dict> <dict> <key>ProviderBundleIdentifier</key> <string>com.cisco.anyconnect.macos.acsockext</string> <key>Order</key> <string>2</string> </dict> <dict> <key>ProviderBundleIdentifier</key> <string>com.mydomain.transparentproxy</string> <key>Order</key> <string>3</string> </dict> </array> We are not sure if this is the right way to create the profile, though JAMF is not throwing any error while pushing this profile. We see this profile on the local machine as "/Library/Managed Preferences/com.apple.networking.vpn-transparent-list.plist". Is there a way to know if the profile took effect and the order of transparent proxies has changed. Thanks in advance.
0
8
148
2w
iOS Retains Login Sessions Even After App Deletion
I'm reaching out to discuss a significant issue related to how iOS handles app login sessions, particularly in the context of MDM (Mobile Device Management) and the Outlook app. In our organization, we use MDM to distribute applications, including Outlook, with certificate-based authentication for BYOD (Bring Your Own Device) devices. This setup allows users to log in seamlessly to their accounts. However, we've encountered a concerning behavior: when a user unenrolls from MDM, which automatically removes the distributed apps and certificates, they can later reinstall the app from the App Store and find themselves automatically logged back into their previous accounts without any authentication prompts. Here’s a detailed breakdown of the situation: Initial Installation: Users enroll their devices in MDM, which installs the necessary apps and certificates on those devices. Session Storage: After the initial login, the app stores the session locally on the device. App Deletion: When users un enroll their devices from MDM, it automatically removes the distributed apps and certificates. Reinstallation: Days or weeks later, when they reinstall the Outlook app from the App Store, they find themselves automatically logged back into their accounts. This behavior raises important concerns: Lack of Authentication: The app retaining user sessions even after deletion allows users to access their accounts without re-authentication, which could lead to potential unauthorized access and undermines the effectiveness of certificate-based authentication and two-factor authentication (2FA). Note: This issue is not limited to Outlook; we've observed similar behavior with many other apps. Need for a Solution - Given the implications of this behavior, we are looking for effective solutions to prevent it. Specifically, we need options within the MDM framework to: Restrict Session Retention: Implement settings that ensure any app deleted via MDM will lose all stored sessions and require re-authentication upon reinstallation. Default Settings for MDM-Distributed Apps: Ideally, this would be a default feature for all apps distributed through MDM, ensuring that user sessions are not retained after app deletion. Has anyone else experienced this issue? Are there any existing settings or workarounds within MDM platforms to mitigate this problem? Your insights and experiences would be invaluable as we navigate this challenge. Thank you!
1
1
170
2w
Mass deployment of certificates and marking it as trusted
Hello, I have a system, which is able to execute bash/zsh scripts on a set of machines. The default behaviour is that the signature of the script is checked on the machine, which is executing it, and in case if it is not signed properly, the system rejects the execution. An own certificate has to be created for signing the scripts, which means that the certificate has to be installed and marked as trusted on the target machines (which are executing the script). I've been using : "/usr/bin/security add-trusted-cert ..." command to install the certificate on the machines as trusted. Since macOS Big Sur, the above command was prompting the local user for admin credentials. To avoid this, Apple suggested to use the following command to temporarily disable and re-enable the confirmation dialog : 1.: /usr/bin/security authorizationdb write com.apple.trust-settings.admin allow 2.: /usr/bin/security authorizationdb write com.apple.trust-settings.admin admin Now with the release of macOS Sequoia, the above command : "/usr/bin/security authorizationdb write com.apple.trust-settings.admin allow" does not work any more. It gives the following output : NO (-60005) I have the following questions : 1.: Could you please suggest an alternative way for IT administrators to install certificates on their machines, without any user confirmation? 2.: Could you please suggest how the same could be achieved using a bash/zsh script? In which context could the above commands : "/usr/bin/security authorizationdb write com.apple.trust-settings.admin allow" and "/usr/bin/security authorizationdb write com.apple.trust-settings.admin admin" still work? Thank you for your help in advance!
6
2
529
Oct ’24
Assistance Required: Invalid CSR File Format While Uploading to APNs
Dear Apple Developer Support Team, I hope this message finds you well. I am currently utilizing the services at https://identity.apple.com for mobile device management and encountered an issue while attempting to upload a Certificate Signing Request (CSR) file to the portal. The system generated an error indicating that the file format was invalid. Below are the steps I followed to generate the CSR: I first created a private key on my server using the following command: openssl genrsa -out private.key 2048 Next, I generated the CSR file with the following command: openssl req -new -key private.key -out request.csr Despite following these steps, I could not successfully upload the CSR file and obtain the APNs certificate. I would greatly appreciate your guidance on creating and uploading a valid CSR file to avoid this error. Please let me know if there are any specific formatting requirements or additional steps I need to follow. Thank you in advance for your assistance and support.
4
0
293
Oct ’24
Unable to install some vpp apps in user enrolled devices
We are doing application assignment to personal iOS devices that are enrolled in MDM via User Enrollment. However, we're experiencing some odd behavior when assigning licenses. We are getting back errors from the devices when doing assignments: code: 12064, domain: MDMErrorDomain, description: Could not retrieve licence for the app with iTunes Store ID 422689480. code: 2605, domain: DeviceManagement.error, description: No licence was found for app "com.google.Gmail". However, we are not seeing license exhaustion on the Apple Business Manager side for our location. We are not clear what would cause the 12064 or 2605 errors. We have tried re-sending the command to install the app, and we have tried un-enrolling devices and re-enrolling, as well as updating the VPP Token for the location. We have gathered sysdiagnoses from affected devices, but it's not clear what causes this. What other causes are there for 12064 and 2605 errors? How can we work around these?
0
0
335
4w
Enterprise IPA install from web fails with "incompatible platform: com.apple.platform.xros"
I am trying to set up a workflow where Apple Vision Pro users in my organization can install a signed enterprise .ipa file from an internal web page. The relevant link looks something like this: <a role="button" href="itms-services://?action=download-manifest&url=https://my.example.com/path/manifest.plist">Click here to download</a> After verifying that all the mime types were correct on the server and the certificate was valid, I finally attached my AVP headset to my Mac's console app and saw that the errors look like this: [com.example.myapp] Skipping due to incompatible platform: com.apple.platform.xros Could not load download manifest with underlying error: Error Domain=ASDErrorDomain Code=752 "Not compatible with this platform: com.apple.platform.xros" UserInfo={NSDebugDescription=Not compatible with this platform: com.apple.platform.xros} This manifest.plist was made by the "Distribute App" workflow in Xcode 16.0. Multipart question: Is installing VisionOS apps via manifest+ipa over a web connection a supported way of installing apps? If the issue is with com.apple.platform.xros, what should be the platform-identifier for VisonOS apps?
0
0
365
Oct ’24
Managed configuration in iOS app and Action Extension
Hi, I have a question regarding reading the configuration of a managed app deployed via an MDM system. The application has an Action Extension and can receive shared files via this extension. The problem I am facing is that I can read the managed configuration in the host app by accessing the UserDefaults.standard.object(forKey: "com.apple.configuration.managed") dictionary. With this, I can configure the host app. However, I am unable to read this configuration key in the Action Extension part of the application. My question is whether there is any possibility to read the managed configuration even in the extension. So far, I have been unable to figure out how to read it. I found the sample code, but it was not very helpful since it is very basic and does not deal with extensions at all. Any hints are appreciated.
1
0
287
Oct ’24
ManagedAppleIDDefaultDomains
https://support.apple.com/en-gb/guide/deployment/dep6fa9dd532/web dangles a carrot about being able to facilitate "A list of domains that the Shared iPad sign-in screen displays. The user can pick a domain from the list to complete their Managed Apple ID." - this sounds ideal! In the absence of this seemingly being supported by Apple Configurator or iMazing Profile Editor at the time of writing, I have tried to create my own but I fall foul of knowing what PayloadIdentifier or PayloadType to use? This is the draft/work in progress/doomed to failure config so far (which doesn't - as expected - work): <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>HasRemovalPasscode</key> <false/> <key>PayloadContent</key> <array> <dict> <key>PayloadDescription</key> <string>Configures Managed Domains</string> <key>PayloadDisplayName</key> <string>Domains</string> <key>PayloadIdentifier</key> <string>com.apple.domains.DE12211A-CFDD-4F8C-8D7B-72E569CE3B6C</string> <key>PayloadType</key> <string>com.apple.domains</string> <key>PayloadUUID</key> <string>DE12211A-CFDD-4F8C-8D7B-72E569CE3B6C</string> <key>PayloadVersion</key> <integer>1</integer> <key>WebDomains</key> <array> <string>domain.com</string> </array> </dict> </array> <key>PayloadDescription</key> <string>For Shared iPad login convenience</string> <key>PayloadDisplayName</key> <string>DefaultDomain</string> <key>PayloadIdentifier</key> <string>Tom.77CF3CA5-4A48-41DD-9179-EF6F4C5E786E</string> <key>PayloadRemovalDisallowed</key> <true/> <key>PayloadType</key> <string>Configuration</string> <key>PayloadUUID</key> <string>A5594F17-155B-4A1C-8696-3F502D118C37</string> <key>PayloadVersion</key> <integer>1</integer> </dict> </plist> The support article is probably ~2-year old information so I'd have thought that by now that this would be documented somewhere - am I just not looking hard enough?
2
0
290
Oct ’24
Disown Devices 返回 401 UNAUTORIZE
中文: 大家好,我通过https://mdmenrollment.apple.com/session获取到了auth_session_token,并能正常使用device/activationlock、devices、profile/devices这些接口,但是不能正常使用devices/disown(https://mdmenrollment.apple.com/devices/disown)这个接口,接口返回401 UNAUTHORIZED,请问应该怎么处理? English: Hi, I have passed https://mdmenrollment.apple.com/session Obtained auth_dession_token and can use interfaces such as device/activationlock, devices, and profile/devices normally, but cannot use devices/disown normally( https://mdmenrollment.apple.com/devices/disown )How should I handle this interface, which returns 401 UNAUTORIZE?
0
0
187
Oct ’24
MDM SkipKeys for SIMSetup
I am looking into bypassing the following popup when setting up an iPhone 15 Pro: Would the SkipKey SIMSetup allow to bypass having the following window popup upon initial setup? So far all settings are bypassed during the initial setup of the phone and the application of Wi-Fi. The only issue present in the setup I want to achieve is prohibiting this window regarding eSIM set up.
2
0
291
Oct ’24
AES Encryption Breaks Enrollment vs. 3DES
We are in the process of replacing the TripleDES algorithm with AES in our MDM solution. However, after switching the encryption algorithm, we encountered the following error on Apple devices during enrollment: Error: "-26275 error decrypting response payload (mdmclient(SCEP))" Do Apple devices support AES encryption during the enrollment process, or are there any known limitations that prevent its use? Technical Details: During enrollment, when the device attempts to install the Management Profile, it requests the MDM server to retrieve the device certificate from the SCEP URL. We send the certificate by creating Enveloped CMS content, using TripleDES as the algorithm identifier. If we switch the algorithm to AES, we observe the error mentioned above. We are also using TripleDES when preparing the CMS content for the enrollment profile, which works without issues.
0
0
241
Oct ’24
iOS 18 allowVPNCreation restriction causes apps can't use network
A profile that contains setting of allowVPNCreation is false was installed duiring activation in my requirements. The iOS version is 18. AllowVPNCreation is first, setting the app's network is second, the app can't use network. Setting the app's network is first, AllowVPNCreation is second, the app works well. For example: Scene 1 Step 1: Install a profile that contains a setting where allowVPNCreation is false during activation. Step 2: Complete activation and enter the main screen. Step 3: Tap App Store, the screen displays network unavailable, needs to be set in Setting. Step 4: Open the network setting for App Store, but still closed.And the network settings for other apps are all closed; Step 5: Remove the profile. Step 6: After a minute, opening the network setting for App Store is work. Result: AllowVPNCreation effects app's newtork after entering the system for the first time. It don't happen below iOS 18. Scene 2 Step 1: The app's network setting is ok. Step 2: Install a profile that contains a setting where allowVPNCreation is false. Result: No effect。The same result below iOS 18. Is this a bug or new features, how to handle?
1
0
252
Oct ’24
System Configuration, Configuration Profiles and Kerberos on my Personal MacBook Air M1.
**Hi Apple Developer Community, Good Morning ** My Personal MacBook Air M1: Mac OS: Sequoia, Version 15.0 Please note, this is my personal MacBook and I am the only one who is using it. I can see System Configuration, Configuration Profiles and Kerberos on my personal MacBook Air M1 System Folder ---&amp;amp;amp;amp;amp;amp;amp;amp;amp;gt; Library ----&amp;amp;amp;amp;amp;amp;amp;amp;amp;gt; Configuration profile, System Configuration folders ?. Attaching herewith the snapshot of the same. Can some throw light on the same. Do I need to remove the configuration profile, system configuration from my personal MacBook Air M1 which is seen in System Folder ---&amp;amp;amp;amp;amp;amp;amp;amp;amp;gt; Library ----&amp;amp;amp;amp;amp;amp;amp;amp;amp;gt; Configuration profile, System Configuration folders ? Also, I cannot edit the user in my name. **Kindly assist me with the same. Thanks and Regards,** Omkar
0
0
202
Oct ’24
App no longer available Pop-up
On October 4, 2024, the enterprise app we are using showed a "(app name) is no longer available" pop-up on certain devices and the app was not available. And if those users delete the app and reinstall it, "I can't install (app name) because I can't verify integrity, I can't install this app" pop up. The profile of the app was renewed in February this year, and membership, certificate, and profile were all not expired. Currently, the problem has been solved by re-deploying the app, Please tell me the cause of the phenomenon and how to take preventive measures.
0
0
224
Oct ’24
Email profile stays in pending state in DEP devices
macOS devices- dep enrolled device - configured an email policy and it gets stuck on pending status. The rest of the policies and actions like lock device and scan device are executed successfully. While enrollment using DEP, if there is account creation config present in Dep configuration profile , At the time of enrollment we don't receive the user token and user channel is not present. The keys UserID and EnrollmentUserID in TokenUpdate is not present. As a result we can't successfully push the email policy. Is the inference correct or is there anything else we are missing out.
0
0
253
Oct ’24