Device Management

RSS for tag

Allow administrators to securely and remotely configure enrolled devices using Device Management.

Device Management Documentation

Post

Replies

Boosts

Views

Activity

MDM Passcode Payload Causing Delay In Device Unlock
Hi Apple Team , We have a. Bunch of macOS devices in our Fleet Which has MDM Passcode Payload Applied. We have observed a huge delay in unlocking the user account at login Screen after the Credentials are presented, Where as Removing the Passcode Payload makes the User to unlock their account at login Screen Immediately. Can someone help with this issue any OS Updates helps this ? Have Filed a FeedBack: FB15143190 (MDM Passcode Payload Causing Delay In Device Unlock) Also there is a Discussion reg this Passode Policy Issue
1
0
375
Sep ’24
Remote control is possible even if "allowVideoConferencingRemoteControl" in the restriction setting is set to false
We have confirmed the operation using iOS18 beta devices regarding the item "allowVideoConferencingRemoteControl" which is implemented for iOS18 beta. Remote control can be requested even if “allowVideoConferencingRemoteControl" is set to "true" or "false". Please tell me the following. Is it an expected behavior that there is no control regarding remote control whether "allowVideoConferencingRemoteControl" is true or false? I have confirmed the operation by following the procedure below, but is the procedure to confirm the control of "allowVideoConferencingRemoteControl" correct? Steps taken Create a profile with "allowVideoConferencingRemoteControl" set to "false" in the restriction settings Distribute to the terminal Make a video call with facetime between iOS18 beta devices One device performs screen sharing of the device with Share Play, and the other device requests remote control. Even if "allowVideoconferencingRemoteControl" is set to "false" in the restriction settings, remote control requests are still made.
1
0
493
Sep ’24
IOS MDM Activation Unlock Not Working
Hello, I am working on a MDM solution. I am facing issue to while Activation Unlock Iphone by MDM server. I am following this https://developer.apple.com/documentation/devicemanagement/device_assignment/activation_lock_a_device/creating_and_using_bypass_codes documentation as reference. I am able to activation lock the device from mdm server but while unlocking the device I am getting below error "?xml version="1.0" encoding="UTF-8"?> ns:escrowKeyDeviceServicesResponse version="1" xmlns:ns="http://www.apple.com/cds/mdmescrowKeyDeviceServices/xml"> error code="1002" message="com.apple.cds.cyclops.mdm.MDMServiceException: No registered escrow key found"/> /ns:escrowKeyDeviceServicesResponse>" I am sending below request for Unlock Url=https://deviceservices-external.apple.com/deviceservicesworkers/escrowKeyUnlock?Device_Serial=XXXXXXXX&productType=iPhone12,8&imei=XXXXXXX&imei2=XXXXXXXXXXXXXX&meid=XXXXXXXXXX Body=escrowKey=VT2DK-YR647-HWAY-096C-ER7P-89J1&orgName=ORGNAME&guid=9C1AE0D42A38A23AFFE59 Below working request for Activation Lock URL=https://mdmenrollment.apple.com/device/activationlock Body = { "Device" :"Serial_Number", "EscrowKey" :"B83C6E662299F3AF202656C4D7A434A319A34241A2892792132EECE56F6D898A", "LostMessage":"Message" } Any idea what could cause this error.
3
0
652
Aug ’24
Inquiry about Running Enterprise Apps in Killed State and MDM Payload Management
Inquiry about Running Enterprise Apps in Killed State and MDM Payload Management:- I am developing an enterprise iOS application that needs to perform specific tasks or network calls even when the app is in a killed state (i.e., when it is not actively running in the foreground or background). I understand that standard iOS restrictions prevent apps from executing code while in this state, but I am exploring potential solutions within the scope of enterprise apps and MDM (Mobile Device Management) capabilities.
0
0
423
Sep ’24
How to create an enterprises app that run in kill state? and How managed By MDM payloads for this?
Inquiry about Running Enterprise Apps in Killed State and MDM Payload Management:- I am developing an enterprise iOS application that needs to perform specific tasks or network calls even when the app is in a killed state (i.e., when it is not actively running in the foreground or background). I understand that standard iOS restrictions prevent apps from executing code while in this state, but I am exploring potential solutions within the scope of enterprise apps and MDM (Mobile Device Management) capabilities.
0
0
372
Sep ’24
How can i put matchdomains inside the NEApprule object for the iOS using MDM
I am configuring the per app VPN deployment for iOS application and want to configure the match domain per app rules so that only the traffic from that match domain will trigger the VPN for the included app. I found the documentation on portal but I can't find any MDM related page. https://developer.apple.com/documentation/networkextension/neapprule/1406488-matchdomains
3
0
277
Aug ’24
Regarding User Enrollment Testing
Hi Team, The User Enrollment introduced by Apple back was really great I was trying to test out that .As per the implementation details provided by apple for Simple Authentication - User Enrollment Flow. Below are the steps I followed to implement it. Step 1) Making a /.well-known/com.apple.remotemanagement url and sending a json as for byod which apple has detected successfully. Step 2) Apple making a POST request to BaseServer URL of MDM to get enrollment profile ( At this Step as there is not Authorization header I sent a 401 with WWW-Authenticate header with scheme and url as mentioned by apple) Step 3) Apple has requested With GET to get the html page to show to the user from the url mentioned in WWW-Authenticate header. Step 4) Here there is a tweak the HTML page I actually shown doesn't contains any form as it is for testing purposes. I Simply had a button which upon clicking sends a POST to my url with empty JSON using axios library where from the server I sent a 308 redirect with Location header as mentioned by apple apple-remotemanagement-user-login://authentication-results?access-token=dXNlci1pZGVudGl0eQ Where after I expect the ASWebAuthenticationSession to end and apple to start Second Enrollment attempt with acces token as Authorization Bearer token But the Screen showing the HTML page doesn't go away and neither apple started any steps to get the Enrollment profile from MDM server . Am I commiting any mistakes here.Could you please help on going with it.
2
0
1.1k
Oct ’22
MDM activation of system extensions causes other apps to be killed
I sent the description file through MDM in advance and configured the system extension and web content filter. When my code uses activationRequestForExtension:queue: to activate the system extension, other security app processes will be killed. I received the following message. May I ask why this may be? 2024-09-02 11:42:19.737229 (gui/501/killed_bundleid [679]) : exited due to SIGPIPE | sent by killed_app[679], ran for 301372ms 2024-09-02 11:42:19.737239 (gui/501/killed_bundleid [679]) : service state: exited 2024-09-02 11:42:19.737245 (gui/501/killed_bundleid [679]) : internal event: EXITED, code = 0 2024-09-02 11:42:19.737247 (gui/501/killed_bundleid [679] ]) : job state = exited 2024-09-02 11:42:19.737274 (gui/501 [100003]) : service inactive: killed_bundleid 2024-09-02 11:42:19.737277 (gui/501/killed_bundleid [679]) : service state: not running 2024-09-02 11:42:19.737282 (pid/679 [killed_app]) : shutting down 2024-09-02 11:42:19.737310 (pid/679 [killed_app]) : cleaning up
3
0
584
Sep ’24
Is there any difference between starting the network filter by sending a configuration file from MDM and starting the network filter through sharedManager?
Hi, Team: Is there any difference in the underlying logic between starting the network filter by configuring the MDM description file through the first connection below and starting the network filter through the second connection in the code? First connection:https://developer.apple.com/documentation/devicemanagement/webcontentfilter?language=objc Second connection: https://developer.apple.com/documentation/networkextension/nefiltermanager?language=objc
1
0
476
Sep ’24
WiFi Lock (aka 'Join only Wi-Fi networks installed by a Wi-Fi payload') issues
I am experiencing issues when pushing the "WiFi Lock" profile via MDM or the "Join only Wi-Fi networks installed by a Wi-Fi payload'" Restriction via Apple configurator 2. I am pushing a WiFi Authentication profile along side it which means that the wifi lock profile is suppose to force the device to only be able to connect to the wifi authentication profile that was pushed to the device via MDM. However, what end up happening, the device "forgets" or does not recognize the pushed wifi auth profile that it has after device reboot. It ends up not showing any available wifi networks and wont allow the device to connect to wifi. The only way i can fix it, is if i push the wifi authentication profile to the device again via cellular. It then remembers it and will connect. But as soon as the device reboots and sometimes it does not even need to reboot it will forget it. What could be going on with this?
1
0
622
Dec ’22
How to uninstall system extensions
Hi,Team: I successfully installed the system extension through MDM and want to uninstall it through RemovableSystemExtensions, but this command does not support versions below macOS 12. Is there any other way to pause or uninstall the system extension? Can I delete the configuration file that allows system extensions through MDM? Or send and delete the configuration file of AllowedSystemExtensions?
0
0
465
Aug ’24
When developing a network filter, MDM has configured AllowedSystemExtensions and succeeded, but a reminder still appears when savingToPreferencesWithCompletionHandler
Hi, Team: I developed a network filter and used MDM to issue a description file. By configuring AllowedSystemExtensions, I can avoid the reminder of loading system extensions during installation. However, when savingToPreferencesWithCompletionHandler, I will still be reminded that my network data is monitored. How can I configure MDM to avoid this reminder? And why can I still delete the filter from the network filter conditions even though I configured it in mobileconfig in the following way. NonRemovableFromUISystemExtensions com.mysystemextensionid
1
0
608
Aug ’24
Need clarity on "restrict-software-update-require-admin-to-install" setting
In MDM Software Update settings(https://developer.apple.com/documentation/devicemanagement/softwareupdate), there is a key "restrict-software-update-require-admin-to-install" which apparently controls if the standard users are allowed to install apps and software updates. But so far, even if this is set to true, a standard user is able to download apps from Appstore. We noticed that when we publish a pkg to be installed via MDM, then that does not get installed if the above setting is set to true. Please provide clarity on what this setting controls.
0
3
353
Aug ’24
Seeking help for MDM activation lock issue
We have encountered an issue while developing our own Apple MDM solution. The issue occurs in the activation lock scenario. We have implemented the activation and deactivation of the activation lock feature in accordance with the following documentation. 1:https://developer.apple.com/documentation/devicemanagement/activation_lock_a_device 2:https://developer.apple.com/documentation/devicemanagement/device_assignment/activation_lock_a_device/creating_and_using_bypass_codes#3734453 Activationlock Request URI : https://mdmenrollment.apple.com/device/activationlock Request Method : POST Request Headers : [Accept:"text/plain, application/json, application/*+json, /", X-ADM-Auth-Session:"1723449441118O1O649496FAD285FDC77565EC075E770547O90695212BB76419F8E43B2F68BE7A6C6O67033512O11Op1OA0EA85747E70D2D6941C4F6662166CAF22C2193COC298C61ECC7B9E9C14EB2A20305F7E41", X-Server-Protocol-Version:"3", Content-Type:"application/json", Content-Length:"133"] Request Body : {"device":"K2LP4HQXJ4","escrow_key":"QRV7D-JPPMQ-Z90N-1VN8-L1PN-45Q2","lost_message":"xxxxx"} Response : {"serial_number":"K2LP4HQXJ4","response_status":"SUCCESS"} escrowKeyUnlock Request URI : https://deviceservices-external.apple.com/deviceservicesworkers/escrowKeyUnlock?serial=K2LP4HQXJ4&imei=357174298879232&meid=35717429887923&productType=iPhone14,2 Request Method : POST Request Headers : [Accept:"text/plain, application/json, application/*+json, /", Content-Type:"application/x-www-form-urlencoded", Content-Length:"189"] Request Body : orgName=xxxxx&guid=xxxxx&escrowKey=QRV7D-JPPMQ-Z90N-1VN8-L1PN-45Q2 Response : 404 <ns:escrowKeyDeviceServicesResponse version="1" xmlns:ns="http://www.apple.com/cds/mdmescrowKeyDeviceServices/xml"></ns:escrowKeyDeviceServicesResponse> Who can help me check if there are any errors in the way I'm calling these two APIs, and how to correct them?
1
0
466
Aug ’24