We are in the process of replacing the TripleDES algorithm with AES in our MDM solution. However, after switching the encryption algorithm, we encountered the following error on Apple devices during enrollment:
Error: "-26275 error decrypting response payload (mdmclient(SCEP))"
Do Apple devices support AES encryption during the enrollment process, or are there any known limitations that prevent its use?
Technical Details:
During enrollment, when the device attempts to install the Management Profile, it requests the MDM server to retrieve the device certificate from the SCEP URL.
We send the certificate by creating Enveloped CMS content, using TripleDES as the algorithm identifier. If we switch the algorithm to AES, we observe the error mentioned above.
We are also using TripleDES when preparing the CMS content for the enrollment profile, which works without issues.
Device Management
RSS for tagAllow administrators to securely and remotely configure enrolled devices using Device Management.
Post
Replies
Boosts
Views
Activity
A profile that contains setting of allowVPNCreation is false was installed duiring activation in my requirements.
The iOS version is 18.
AllowVPNCreation is first, setting the app's network is second, the app can't use network.
Setting the app's network is first, AllowVPNCreation is second, the app works well.
For example:
Scene 1
Step 1: Install a profile that contains a setting where allowVPNCreation is false during activation.
Step 2: Complete activation and enter the main screen.
Step 3: Tap App Store, the screen displays network unavailable, needs to be set in Setting.
Step 4: Open the network setting for App Store, but still closed.And the network settings for other apps are all closed;
Step 5: Remove the profile.
Step 6: After a minute, opening the network setting for App Store is work.
Result: AllowVPNCreation effects app's newtork after entering the system for the first time. It don't happen below iOS 18.
Scene 2
Step 1: The app's network setting is ok.
Step 2: Install a profile that contains a setting where allowVPNCreation is false.
Result: No effect。The same result below iOS 18.
Is this a bug or new features, how to handle?
Could you please provide guidance on what is required to set up an Apple MDM server from scratch? Specifically, I would like to understand the necessary steps, tools, certifications, and best practices involved in the process. Any resources or documentation you could recommend would also be appreciated.
**Hi Apple Developer Community,
Good Morning **
My Personal MacBook Air M1:
Mac OS: Sequoia, Version 15.0
Please note, this is my personal MacBook and I am the only one who is using it.
I can see System Configuration, Configuration Profiles and Kerberos on my personal MacBook Air M1
System Folder ---> Library ----> Configuration profile, System Configuration folders ?.
Attaching herewith the snapshot of the same.
Can some throw light on the same.
Do I need to remove the configuration profile, system configuration from my personal MacBook Air M1 which is seen in
System Folder ---> Library ----> Configuration profile, System Configuration folders ?
Also, I cannot edit the user in my name.
**Kindly assist me with the same.
Thanks and Regards,**
Omkar
On October 4, 2024, the enterprise app we are using showed a "(app name) is no longer available" pop-up on certain devices and the app was not available.
And if those users delete the app and reinstall it, "I can't install (app name) because I can't verify integrity, I can't install this app" pop up.
The profile of the app was renewed in February this year, and membership, certificate, and profile were all not expired.
Currently, the problem has been solved by re-deploying the app,
Please tell me the cause of the phenomenon and how to take preventive measures.
I got sent an activation code through one of these apple emails and it can’t access the code because I don’t know where to go. Please help if you can!
macOS devices- dep enrolled device - configured an email policy and it gets stuck on pending status. The rest of the policies and actions like lock device and scan device are executed successfully.
While enrollment using DEP, if there is account creation config present in Dep configuration profile , At the time of enrollment we don't receive the user token and user channel is not present.
The keys UserID and EnrollmentUserID in TokenUpdate is not present.
As a result we can't successfully push the email policy. Is the inference correct or is there anything else we are missing out.
out of 37 devices, 7 are inactive( al are ios ). We have checked one of the devices and the broadcast message was sent successful. Additionally, Cx confirmed that the location history is shown properly. We restarted the device, checked the date and time, and found it to be correct. We also switched to a different network, but that doesn't change anything. The sync from the Hexnode app was successful. We reinstalled the MDM profile, yet it doesn't change anything. We renewed the APNs once and checked, but the scan device action remains pending.
When a DeviceInformation command along with ManagedAttestion data in the query along with a new nonce and after 7 days last time we queried for fresh certificate, is there a possibility that
a) we will get a DeviceInformation response without a Managed attestion certificte. OR
b) We will get a cached certificate
Also, what's the average increase in expected response time when we query Managed attestation certificate in DeviceInformation.
How to get hardware information for Managed device attestation querying for iphone, ipad and AppleTv
Here https://github.com/apple/device-management/blobelease/mdm/commands/information.device.yaml#L3246 it is mentioned that for querying Managed attestation certificate the ios device needs to have A11 Bionic and later, Wanted to understand how to get this information programmatically i.e is Apple sending chip information for iphone and ipad devices as part of some sample ? or is there a way to query this information from the device ?
Here https://github.com/apple/device-management/blobelease/mdm/commands/information.device.yaml#L3246 it is mentioned that for querying Managed attestation certificate the macos device needs to have Apple Silicon, using IsAppleSilicon https://github.com/apple/device-management/blobelease/mdm/commands/information.device.yaml#L357 property is fine ? Can we use this field to determine if the device is Apple silicon ?
Same question for Apple TV as well - How to get the information if a device is having A12 Bionic and later ? and same for Apple watch, how to know if a device is S4 and later ?
I'm trying to set up a configuration profile on a supervised device for a kid's phone. I want to force a VPN 100% of the time except for local network activity and some specific domains. Or at the very least, have a few apps go outside the tunnel.
Apple makes this IMPOSSIBLE even though according to the documentation it should be possible. The IKEv2 vpntype has a key "OnDemandUserOverrideDisabled" which is supposed to prevent a user from toggling off the vpn, which obviously defeats the purpose of having it. However, as other users have posted, this DOES NOT WORK. So anyone can just turn off the vpn and be connected to the internet unprotected.
On the "AlwaysOn" vpntype, the element "ApplicationExceptions" which would allow you to list a few applications that can go outside the tunnel DOES NOT WORK. This is critical because so many domains automatically block vpn servers and it's a huge pain. Also local network activity also gets blocked, which makes it impossible to connect to local devices. And there's no split tunneling possible with this vpntype.
So basically, it's impossible. I WOULDN'T BE SURPRISED IF APPLE DID THIS INTENTIONALLY TO KEEP KIDS ADDICTED AND IN DANGER SO THEY USE THE PHONE MORE.
Hi everyone,
We are currently integrating Apple DDM into our existing MDM system and encountered an issue where an update to a declaration failed with the message: "Activation xxxxx is missing configurations." While we know how to fix the issue, I'm quite concerned about potential impacts.
An incorrect activation could deactivate the current one, leading to the automatic removal of all profiles and apps. Given that unexpected server errors can occasionally occur, this could significantly impact end-users if their apps are suddenly removed.
I'm looking for a way to prevent activations from "failing to update then lost everything" or a safer method to deploy updated version of activations, especially given the potential for unexpected server errors or logic bugs. This could significantly affect end-users if their apps suddenly disappear.
If anyone has any insights, thoughts, or best practices to share regarding activation updates, I would greatly appreciate your input.
Leo Chan
btm_launchagent.txt
I have a menu bar app which should be triggered to start when a system extension is successfully installed.
The menu bar app is configured as a agent which should be started by SMAppServer.
SMAppService register/unregister the agent successfully when the program is running locally.
When doing the program installation through JamfNow, which is a MDM system, it fails with following error.
I think the problem here is that the backgroundtaskmanagementd trys to register the agent with an invalid uid=-1 or uid: 4294967295(0xFFFFFFFF).
2024-10-02 10:45:33.100537+0200 0x156d4 Activity 0x1b927 88 0 smd: (BackgroundTaskManagement) BTMManager.getEffectiveDisposition
2024-10-02 10:45:33.103478+0200 0x156dd Default 0x1b927 282 0 backgroundtaskmanagementd: [com.apple.backgroundtaskmanagement:main] effectiveItemDisposition: appURL=file:///Applications/Company%20Agent.app/, type=agent, url=Contents/Library/LaunchAgents/com.Company.agent.notifier.plist -- file:///, config={
BTMConfigArguments = (
);
BTMConfigBundleIdentifiers = (
);
BTMConfigExecutablePath = "Contents/Resources/CompanyNotifier.app/Contents/MacOS/CompanyNotifier";
BTMConfigLabel = "com.Company.agent.notifier";
}
2024-10-02 10:45:33.103544+0200 0x156dd Info 0x1b927 282 0 backgroundtaskmanagementd: [com.apple.backgroundtaskmanagement:main] effectiveItemDisposition: result=[disabled, allowed, visible, not notified]
2024-10-02 10:45:33.105120+0200 0x156d4 Default 0x1b927 88 0 smd: (BackgroundTaskManagement) [com.apple.backgroundtaskmanagement:main] getEffectiveDisposition: disposition=[disabled, allowed, visible, not notified], have LWCR=true
2024-10-02 10:45:33.105181+0200 0x156d4 Default 0x0 88 0 smd: [com.apple.xpc.smd:all] Found status: 0 for <private>
2024-10-02 10:45:33.240190+0200 0x154da Default 0x0 88 0 smd: [com.apple.xpc.smd:SMAppServiceFactory] Setting up BundleProgram keys for <private>
2024-10-02 10:45:33.240250+0200 0x154da Default 0x0 88 0 smd: [com.apple.xpc.smd:SMAppServiceFactory] Setting up BundleProgram keys for <private>
2024-10-02 10:45:33.240388+0200 0x154da Activity 0x1b92a 88 0 smd: (BackgroundTaskManagement) BTMManager.registerLaunchItemWithAuditToken
2024-10-02 10:45:33.243990+0200 0x156dd Default 0x1b92a 282 0 backgroundtaskmanagementd: [com.apple.backgroundtaskmanagement:main] registerLaunchItem: pid=3626, uid=-1, type=agent, parentURL=<private>, url=<private>, config=<private>
2024-10-02 10:45:33.244917+0200 0x156dd Default 0x1b92a 282 0 backgroundtaskmanagementd: [com.apple.backgroundtaskmanagement:main] registerLaunchItem: found existing item: uuid=AC0DBC9B-7A16-443E-ABFC-05DF0F534C08, name=CompanyNotifier, type=managed agent, disposition=[disabled, allowed, visible, notified], identifier=com.Company.agent.notifier, url=Contents/Library/LaunchAgents/com.Company.agent.notifier.plist -- file:///
2024-10-02 10:45:33.245238+0200 0x156dd Debug 0x1b92a 282 0 backgroundtaskmanagementd: [com.apple.backgroundtaskmanagement:main] BTMStore: save scheduled.
2024-10-02 10:45:33.245281+0200 0x156dd Debug 0x1b92a 282 0 backgroundtaskmanagementd: [com.apple.backgroundtaskmanagement:main] RecordSet notification scheduled for uid -1
....
2024-10-02 10:45:33.252358+0200 0x154da Error 0x0 88 0 smd: [com.apple.xpc.smd:SMAppService] Unable to submit job: <private> error: Error Domain=OSLaunchdErrorDomain Code=112 UserInfo={NSLocalizedFailureReason=<private>}
2024-10-02 10:45:33.252707+0200 0x156d4 Default 0x1b92a 88 0 smd: [com.apple.xpc.smd:all] Update request for identifier: <private> uid: 4294967295
2024-10-02 10:45:33.253190+0200 0x156dd Default 0x1b92a 282 0 backgroundtaskmanagementd: [com.apple.backgroundtaskmanagement:main] getItemWithIdentifier: identifier=com.Company.agent.notifier, uid=-1
2024-10-02 10:45:33.253759+0200 0x156d4 Error 0x1b92a 88 0 smd: [com.apple.xpc.smd:btm] Error getting BTMItem with Identifier: <private> uid: 4294967295 error: (null)
2024-10-02 10:45:33.253803+0200 0x156d4 Error 0x1b92a 88 0 smd: [com.apple.xpc.smd:all] Unable to find BTMItem for <private> in 4294967295
2024-10-02 10:45:33.253835+0200 0x156d4 Error 0x1b92a 88 0 smd: [com.apple.xpc.smd:all] Update operation returned error: 3, but no reply expected so error will be silent
2024-10-02 10:45:33.661537+0200 0x156dd Debug 0x0 282 0 backgroundtaskmanagementd: [com.apple.backgroundtaskmanagement:main] sending notification for uid -1, type 131080
2024-10-02 10:45:33.665159+0200 0x154fa Info 0x1b853 282 0 backgroundtaskmanagementd: [com.apple.backgroundtaskmanagement:main] fetchSFLItemsMatching: type=managed user item app
2024-10-02 10:45:33.665374+0200 0x154fa Activity 0x15dd3 282 0 backgroundtaskmanagementd: (BackgroundTaskManagement) BTMManager.userDataDidChange
2024-10-02 10:45:33.666041+0200 0x154da Activity 0x1b92d 88 0 smd: (BackgroundTaskManagement) BTMManager.userDataDidChange
2024-10-02 10:45:33.666651+0200 0x154fa Debug 0x15dd3 282 0 backgroundtaskmanagementd: (BackgroundTaskManagement) [com.apple.backgroundtaskmanagement:main] -[BTMManager handleUserDataDidChangeNotification:]: uid=-1, type=131080
2024-10-02 10:45:33.666085+0200 0x154da Debug 0x1b92d 88 0 smd: (BackgroundTaskManagement) [com.apple.backgroundtaskmanagement:main] -[BTMManager handleUserDataDidChangeNotification:]: uid=-1, type=131080
2024-10-02 10:45:36.218160+0200 0x154fa Debug 0x0 282 0 backgroundtaskmanagementd: [com.apple.backgroundtaskmanagement:main] -[BTMStore handleWriteTimer] entered
2024-10-02 10:45:36.218254+0200 0x154fa Debug 0x0 282 0 backgroundtaskmanagementd: [com.apple.backgroundtaskmanagement:main] -[BTMStore _save] entered
2024-10-02 10:45:36.224738+0200 0x154fa Default 0x0 282 0 backgroundtaskmanagementd: [com.apple.backgroundtaskmanagement:main] BTMStore: store saved to /var/db/com.apple.backgroundtaskmanagement/BackgroundItems-v9.btm
Could it be a problem from the MDM system JamfNow or somewhere else?
The whole logs is as attached.
Thanks!
Hello,
Return to service allows providing a Wifi profile when Erasing device to go with barely zero-touch ; is there a way to provide a client certificate used for 802.x auth or is the WiFiProfileData limited to com.apple.wifi.managed payload ?
I currently have a bunch of profiles that cannot be removed whatsoever. iOS 18.0 (22A3354), Apple Configurator Version 2.17 (9A15) (happens in the stable configurator version, too) On trying to remove the profiles via Apple Configurator, I get the error message
The profile “[profile name]” does not have the expected certificate for removal. [DMCInstallationErrorDomain – 0xFA8 (4008)]
The problem with that is,
The profile was installed a day ago using the exact same MacBook that I now try to remove it. Nothing has changed.
The profile was signed, but it's signed with the same Supervision Identity that I now still have in Apple Configurator. The SHA256 fingerprint I see inside iOS matches the one I see on macOS in the Configurator in the "Show Supervision Identity..." section.
So there should be absolutely no reason why the profile removal fails.
I'm not entirely sure if this is relevant, but the affected profile's PayloadIdentifier has an at-sign in it. The docs say this is supposed to be
A reverse-DNS style identifier (com.example.myprofile, for example) that identifies the profile
so an at-sign might not be valid - but the UI in the Configurator does not have an issue with it.
The only way to get rid of these profiles appears to be a full wipe, which is what I'll do soon. If there is any information I can provide before the wipe (or a better channel to report this on), I'm happy to.
I'm interesting to use network (and internet too) access on iPhone only through pre-configured (by corporate profile) VPN connection.
If the VPN connection is unavailable for some reason then network must to be unaccessable.
Which ways I have to solve my problem? I need to use some 3rd party software or it can be solved by MDM Profile?
Best regards, Grigoriy.
Opening a fresh post as the other seem old/abandoned. I’m trying to add a fail-safe URLprobe to DNS setting profile (DNS over http) for the case that the iPhone/iPad connects to a wifi hotspot with captive portal without internet access. I use OnDemandRules to circumvent known problematic SSID names a specific (wildcard) domains - both working just fine and the requests are falling-back to a system resolver for such a requests.
I’ve added a URLStringProbe which supposed to check availability of the internet.
The probe should trigger on 200 OK response code and use the DNSSettings or fallback to a system resolver in the case of any other outcome, according to the documentation:
A URL to probe. If this URL is successfully fetched (returning a 200 HTTP status code) without redirection, this rule matches.
https://developer.apple.com/documentation/devicemanagement/dnssettings/ondemandruleselement
https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
Tested on iPhone 14 (iOS 18.1) but it doesn’t work. I’m using Clouflare https://1.1.1.1/index.html for the sake of simplicity and do some adjustment in IP/path for testing purposes
using https to enforce TLS (to avoid hijack/MitM from a captive portal)
using a direct IP (in this case Cloudflare) so I don't need to resolve a domain to execute the probe itself
Anyway, I’ve changed the URL for a testing purposes to return either 404, redirect or timeout and in all cases cases the probe acts the same way like for 200 OK response.
My expectation is that probe should test negative and go to next rule which is
<key>Action</key>
<string>Disconnect</string>
and thus use the system resolver which will allow the system to detect a captive portal and display sign-in popup to the captive portal
Any idea where might be the issue?
Example 1 - with all rules
<key>DNSSettings</key>
<dict>
<key>DNSProtocol</key>
<string>HTTPS</string>
<key>ServerURL</key>
<string>https://dnsserverexample.com/v1/something/id/dns-query</string>
<key>ServerAddresses</key>
<array/>
<key>SupplementalMatchDomains</key>
<array/>
</dict>
<key>ProhibitDisablement</key>
<true/>
<key>OnDemandRules</key>
<array>
<dict>
<key>Action</key>
<string>Disconnect</string>
<key>SSIDMatch</key>
<array>
<string>whitelistedSSID1</string>
<string>whitelistedSSID1</string>
</array>
</dict>
<dict>
<key>Action</key>
<string>EvaluateConnection</string>
<key>ActionParameters</key>
<array>
<dict>
<key>DomainAction</key>
<string>NeverConnect</string>
<key>Domains</key>
<array>
<string>*.whitelisteddomainexample.com</string>
<string>*.whitelisteddomainexample2.com</string>
</array>
</dict>
</array>
</dict>
<dict>
<key>URLStringProbe</key>
<string>https://1.1.1.1/index.html</string>
<key>Action</key>
<string>Connect</string>
</dict>
<dict>
<key>Action</key>
<string>Disconnect</string>
</dict>
</array>
</dict>
Example 2 - just URL probe and fail-open for iphone
<key>DNSSettings</key>
<dict>
<key>DNSProtocol</key>
<string>HTTPS</string>
<key>ServerURL</key>
<string>https://dnsserverexample.com/v1/something/id/dns-query</string>
<key>ServerAddresses</key>
<array/>
<key>SupplementalMatchDomains</key>
<array/>
</dict>
<key>ProhibitDisablement</key>
<true/>
<key>OnDemandRules</key>
<array>
<dict>
<key>URLStringProbe</key>
<string>https://1.1.1.1/index.html</string>
<key>Action</key>
<string>Connect</string>
</dict>
<dict>
<key>Action</key>
<string>Disconnect</string>
</dict>
</array>
Also I’ve tried to debug similar issue in the past on MacOS. I’ve tried to add debug profiles NetworkDiagnostic.mobileconfig and mDNSResponder.mobileconfig but I don't see any logs related to OnDemandRules processing - any clue how to get some insight into the rules processing/evaluation?
I would like to contact about an issue with the iOS 18 update.
With the release of the new iPhone 16, camera controls have been added.
however, when using MDM, there is an issue where the camera control button settings change after blocking and unblocking the camera.
1. If the camera control button is originally set to 'Camera', when you block and unblock the camera through MDM, the button setting changes to 'None'.
Shouldn't the camera control settings be maintained even after blocking and unblocking the camera?
If this is a known issue, can you tell me when it will be fixed and updated?
The original text is in Chinese, and below is the content translated using OpenAI.
問題描述:
因為一些因素,所以公司申請了兩個企業憑證,其中Entity Name一樣,但Team ID不一樣。現在發現iPhone16系列裝置的使用者,無法同時使用兩個憑證打包出來的APP,不是都會閃退就是其中一個會閃退。
重現問題的逐步說明:
測試的情況有兩種:
從iPhone16之前的裝置轉移資料到iPhone16,這兩個APP打開都會閃退
直接在iPhone16安裝這兩個APP,則第一個安裝的APP可以正常使用,第二個安裝的APP會閃退。如果想要切換能使用的APP,需要到 一般-VPN與裝置管理-INNOLUX CORPORATION ,點擊”刪除App”,然後更換安裝順序。
如果是舊裝置升級到iOS 18,則不會有該問題
期望的結果:
兩個APP都能正常使用
實際看到的結果:
如果是舊裝置移轉資料到iPhone16,則都會閃退:如果是直接在iPhone16安裝這兩個APP,則第一個安裝的APP可以正常使用,第二個安裝的APP會閃退。
OpenAI Translation:
Problem Description: Due to certain factors, the company applied for two enterprise certificates, which have the same Entity Name but different Team IDs. It has now been discovered that users of the iPhone 16 series devices are unable to use apps packaged with both certificates simultaneously; either both apps crash or one of them crashes.
Step-by-Step Reproduction of the Issue:
There are two testing scenarios:
Transferring data from a device prior to the iPhone 16 to the iPhone 16 results in both apps crashing upon opening.
Directly installing both apps on the iPhone 16 allows the first installed app to function normally, while the second installed app crashes. To switch to the functioning app, one must go to Settings - VPN & Device Management - INNOLUX CORPORATION, click "Delete App," and then change the installation order.
If an older device is upgraded to iOS 18, this issue does not occur.
Expected Result: Both apps should function normally.
Actual Observed Result: If data is transferred from an older device to the iPhone 16, both apps crash. If both apps are directly installed on the iPhone 16, the first installed app works normally while the second installed app crashes.
Hello team! I am trying to update an app via MDM on macOS sequoia. It has always worked fine for me since macOS 13. But now I get this error in the console when trying to update the app:
Preflight canceled with coordinator: (null) error: Error Domain=ASDErrorDomain Code=663 "The app is running and we don't have the context to quit it, failing install." UserInfo={NSDebugDescription=The app is running and we don't have the context to quit it, failing install.}
Always updated even if the app was open without problems before macOS 15.
Regards