Apple iPad Air device failing to enroll through ABM with "failed to retrieve configuration" error. This error occurs while reaching Apple ABM for fetching MDM server enrollment details. When we checked console logs when enrolling the device we found following error: ​default 13:54:07.229022+1000 teslad Error: Error Domain=MCCloudConfigurationErrorDomain Code=34004 "The cloud configuration server is unavailable or busy." UserInfo={NSLocalizedDescription=The cloud configuration server is unavailable or busy., CloudConfigurationErrorType=CloudConfigurationFatalError} default 13:54:07.229120+1000 Setup Service completed default 13:54:07.230096+1000 Setup Could not retrieve cloud configuration. Error: <Error domain: MCCloudConfigErrorDomain, code 33001>\ Feedback raised along with screenshot and console logs as well : FB17785513. Please analyse this issue and reply back to us.

I have created a jwt token with headers { 'typ': 'JWT', 'alg': 'RS256' } and claim as : { 'iss': dep server UUID from Accounts call, 'iat': epoc time in seconds, 'jti': random uuid, 'service_type': 'com.apple.maid' } And signed the token with private key created during DEP MDM server creation. On the device I see Verification error when tried to login with Managed Apple account. In ABM, Access management setting was set to Managed Devices /Supervised only. Any help would be appreciated.

I'm the IT Admin in my company. We use Microsoft Intune, which is a Mobile Device Management tool, to manage our devices and apps. I created an app protection policy, restricting the data can only be shared between the allowed apps. For example, if our user want to copy the content in Outlook for iOS to WeChat or personal memo, the action will be blocked. However, may be it's too strict, here is the scenario that we need to hadle: A user selected the content in the Outlook for iOS mail, and wanted to use the "translate" function to do translation. Before the app protection policy was deployed, he can do the translation successfully. And now, it's blocked. Therefore, we need to find a way to exempt the app "Translate" so that users can do the translation successfully. We put the value "com.apple.Translate"(this is a package ID listed in the official document of Apple) to the exemption, but it's not working. May I know what is the correct "value" for the iOS native Translate APP? I need to put this value to our app protection policy to exempt Translate app. Thank you so much.

How to test ManagedAppConfigurationProvider without MDM ? Task { /* Configuration provider task */ for await configuration in configurationProvider.configurations(MyAppConfiguration.self) { self.configuration = configuration ?? MyAppConfiguration.defaultConfiguration } } Can the existence of a configuration be simulated, e.g. by storing a mocked configuration in UserDefaults? The UserDefaults key "com.apple.configuration.managed" seems not relevant here.

This is in reference to the feedback ticket : https://feedbackassistant.apple.com/draft/57929340, we would like to know if there are any test enterprise websites that Apple can suggest to test passkeys declaration.

how can i generate MDM Push Certificate for my own MDM server. Please guide me on that.

We’re looking for best practices to remotely update iOS apps that are deployed in Single App Mode (SAM) or Autonomous Single App Mode (ASAM), managed through MDM. Imagine a typical use case: an iPad installed as a self-service kiosk at an airport restaurant. We need to update the app periodically without: Displaying any prompts to the user Relying on the user to approve or initiate the update (since the device is unattended) Sending technicians onsite, as many devices are in remote locations MDM providers have stated, “This is how Apple handles it,” without offering a workable solution. We’re hoping someone here has experience or suggestions for: Seamless or silent app updates in SAM/ASAM Update workflows that avoid interruptions or user interaction Any proven strategies or automation options under MDM supervision Any insight or documented approaches would be greatly appreciated. Thank you!

I am checking the response of DeviceInformation Command to collect network information from iPad. On iPad(iPad Pro 11, M4) devices that use WiFi without inserting Usim or Esim, network values ​​such as CurrentMCC and ICCID are received in response to the DeviceInformation command. cf.)Even though it may be garbage value, I blurred the unique information just in case. <key>ServiceSubscriptions</key> <array> <dict> <key>CarrierSettingsVersion</key> <string>61.0</string> <key>CurrentCarrierNetwork</key> <string></string> <key>CurrentMCC</key> <string>450</string> <key>CurrentMNC</key> <string>08</string> <key>EID</key> <string>blah blah</string> <key>ICCID</key> <string>blah balh</string> <key>IMEI</key> <string>blah blah</string> <key>IsDataPreferred</key> <true/> <key>IsRoaming</key> <true/> <key>IsVoicePreferred</key> <false/> <key>Label</key> <string>Provisioning</string> <key>LabelID</key> <string>00000000-0000-0000-0000-000000000000</string> <key>PhoneNumber</key> <string></string> <key>Slot</key> <string>CTSubscriptionSlotOne</string> <key>SubscriberCarrierNetwork</key> <string>iPad</string> </dict> </array> This is a bit weird. If I collect the same information from an iPhone(iPhone 15 Pro Max) that only uses wifi and does not use Usim or Esim, it does not respond with values ​​like ICCID, CurrentMCC, etc. <key>ServiceSubscriptions</key> <array> <dict> <key>IMEI</key> <string>blah blah</string> <key>Slot</key> <string>CTSubscriptionSlotOne</string> </dict> <dict> <key>EID</key> <string>blah blah</string> <key>IMEI</key> <string>blah blah</string> <key>Slot</key> <string>CTSubscriptionSlotTwo</string> </dict> </array> I'm confused by the network information collected. Is there a reason why the collected network information of iPad and iPhone are different?

I am trying to find clarification on something. We are seeing strange cases where customer devices seem to unenroll themselves after a period of MDM inactivity. This seems to tie into roughly when their identity certificate has expired. We can't confirm this because the device has since unenrolled. Is there any case where an Apple device will automatically unenroll if it's identity certificate has expired? This doesn't always seem to happen - I had a device respond immediately after being switched off for a year - but could this be down to some devices being DEP enrolled and others manually enrolled?

As we know, we can't add restrictions payload in the mobileconfig when registing the device. We are developing MDM by ourselfs, met some trouble. Please help.

Hello, I'm currently working on implementing app installation features, referencing the app.managed.yaml declaration on GitHub: https://github.com/apple/device-management/blob/0a4527c5ea21825fd23e08273ccdb9e2302458ce/declarative/declarations/configurations/app.managed.yaml My question pertains to the InstallBehavior.Version key. The current specification indicates its type as <integer>: key: Version title: Version supportedOS: iOS: introduced: '26.0' macOS: introduced: '26.0' visionOS: introduced: '26.0' type: <integer> Is there a way to specify the app version using a string format, such as x.y.z, instead of the integer (App Store External Version Identifier - EVID)? Allowing for a simpler version specification would make app version management through MDM more flexible and efficient. I believe this would significantly streamline the deployment and operation of Apple devices within organizations. Any guidance or consideration for this would be greatly appreciated. Thank you.

I have come across this Hideable attribute for managed apps, introduced in iOS 18.1, and I've encountered some behavior that seems to contradict the official documentation. According to Apple's documentation for app.managed.yaml, setting the Hideable key to false under the Attributes section should prevent a user from hiding the app. The documentation explicitly states: If false, the system prevents the user from hiding the app. It doesn't affect the user's ability to leave it in the App Library, while removing it from the Home Screen. I have configured this in my app.managed.yaml and successfully applied the profile to my test device via our MDM server. However, I am still able to hide the application from both the Home Screen and the App Library. Here are the steps I'm taking to hide the app: Long-press the app icon on Home Screen Select "Require Touch ID" Select "Hide and Require Touch ID" Authenticate using Touch ID Select "Hide App" After these steps, the app is no longer visible on the Home Screen or in the App Library, which is contrary to the behavior described in the documentation for when Hideable is set to false. My question is: Is this a known issue or a potential bug in iOS 18.1? Or, is there an additional configuration profile or a specific device supervision requirement that I might be missing to enforce this restriction correctly? Any clarification would be greatly appreciated! Thank you!

I tried the new feature of macOS 26.0 com.apple.configuration.app.managed. A configuration and its activation are defined with the data like this. InstallBehavior: Install: Required License: Assignment: Device iOSApp: true AppStoreID: '1113153706' After distributing the configuration with DeclarativeDevicement MDM command, an error is notified via status channel app.managed.list. "managed": { "list": [ { "state": "failed", "declaration-identifier": "1424a813-113f-5de0-9a75-38bf64f22673", "identifier": "com.microsoft.skype.teams", "name": "Microsoft Teams" } ] } What am I missing in the settings? Thank you

Hello, I am running into a bit of an issue with the Screen Timeout/Screen Lock setting and would like some clarification on. First for a bit of context, I am enrolling personal iOS devices 18.0+ into the company MDM (Intune) with Account Driven User Enrollment. We are trying to set a screen timeout of 5 minutes and immediately after it asks for the passcode on the device, though this setting is not being applied and the device timeout setting can be set as "Never" on the user's end. This is a big security risk for the company I work for and and the issue with being HIPAA compliant. According to the Microsoft Intune Support, "In iOS 18, when using Account-Driven User Enrollment for BYOD (Bring Your Own Device) scenarios, the screen lock timeout setting is indeed marked as “Not Applicable”. This is because Apple’s privacy-preserving model for personal devices restricts administrative control over system-level settings like screen lock or idle timeout." I am needing clarification on the item mentioned from Microsoft Intune Support and if this setting is no longer able to be applied from the MDM with devices enrolled with Account Driven User Enrollment?

I'm currently testing app updates using the App:Managed declarative device management payload, and I have a question regarding app update status reporting. Presently, by subscribing to the app.managed.list status item, we can retrieve a list of managed applications along with their installation status. Additionally, we enable automatic updates for managed App Store apps using the UpdateBehavior.AutomaticAppUpdates key. However, especially when a critical application update is initiated, we frequently find ourselves needing more detailed information about the update process. For instance, having status items similar to softwareupdate.install-state and softwareupdate.failure-reason would be incredibly helpful for user troubleshooting. My question is: Is there a way to obtain a similar level of detailed, real-time status updates for app updates? Any insights you might have, or existing methods to achieve this, would be greatly appreciated. Thank you.

Hi Apple team and community, We’re currently integrating with the Apps and Books for Organizations API as part of our device management solution and would like to highlight a few critical points we've encountered — including a reliability issue, an enhancement suggestion, and a request for clarification on API rate limits. 1. Issue: Intermittent 403 Errors with stoken-authenticated-apps Endpoint We are encountering intermittent 403 Forbidden responses from the stoken-authenticated-apps endpoint. Approximately 30–35% of the requests fail with a 403 status code. These failures are inconsistent — the same request (using the same Content Token and Storefront) may succeed upon retry. All requests are properly authenticated and include the required Cookie and other headers as specified in the API documentation. This issue is impacting our ability to reliably fetch app metadata at scale, particularly in workflows. We’d like to know: Is this a known issue? Could it be due to a rate limit or token misconfiguration? Are any changes required on our end to avoid these failures? 2. Enhancement Request: Include externalVersionId in versionHistory Response The versionHistory extension currently returns: versionString releaseNotes releaseDate However, for Declarative Device Management (DDM) workflows such as App Pinning, we need the externalVersionId as well. Without it, we can't reliably correlate version metadata with the specific version ID required for pinning. Adding externalVersionId would: Enable precise version targeting during App Pinning Improve reliability and automation in managed deployments We request that Apple consider including externalVersionId in the versionHistory response to better support DDM-based app lifecycle management. 3. Rate Limit Clarification We found the following note in the Apps and Books for Organizations API documentation: "The Apps and Books for Organizations API limits the number of requests your app can make using a developer token within a specific period of time. If you exceed this limit, you’ll temporarily receive 429 Too Many Requests error responses for requests that use the token. This error resolves itself shortly after the request rate has reduced." While this confirms that a rate limit is enforced, there is no detailed information about the thresholds — such as the number of allowed requests per minute, hour, or day per developer token. To help us implement proper throttling and retry strategies, we request clarification on the following: What is the exact rate limit threshold per developer token? Are there per-endpoint limits, or is it a global cap for all requests using the token? Does the API return a Retry-After header when the limit is exceeded? What is the recommended backoff strategy for clients to follow when receiving 429 errors? This information would help us implement efficient throttling and error handling logic. Any insights from the Apple team or other developers who’ve encountered these issues would be greatly appreciated!

I want to install Chrome extension via configuration profile without user needing to go to System Settings and install profile manually. Can i install configuraation profile by making user only interact with my app?

Finally got to the stage where the ACME certificate profile is successfully installed. However, the public key/certificate itself isn't appearing in the System Keychain. I'm not sure if this is normal or if it's an indication that something went wrong after the profile installation. Unfortunately, I didn't study the log detail at the time and I'm uncertain of how to retrieve those logs from two days ago for the ACME activities. Can anyone confirm that macOS 26 should be storing ACME-retrieved MDM profile-based certificates in the System Keychain? If they should be there, what can possibly go wrong? The most obvious issue I can see is that the ACME server has requested the certificate with two CN's, which comes from the MDM profile asking for the subject against CN and the OID (2.5.4.3). Both CN's are identical. I'm surprised the profile installed if something is wrong. At first, I assumed Apple had decided to stop installing the certificates into the System Keychain.

Im trying to make my own iOS MDM Server with SCEP. I cant send a response to the PKIOperation without the iPad rejecting it. Can someone post the PKIOperation response structure

The result Plist for the InstalledApplicationList MDM command is reporting duplicate Application identifiers. Sometimes with different version, other times with the same version. The device is MacOS 15.5, Enrolled via ABM (Supervised). Here are a couple samples from the returned list. Duplicate app: <key>BundleSize</key> <integer>398051</integer> <key>Identifier</key> <string>com.adobe.Acrobat.NativeMessagingHost</string> <key>Installing</key> <false/> <key>Name</key> <string>NativeMessagingHost</string> <key>ShortVersion</key> <string>5.0</string> <key>Version</key> <string>5.0</string> </dict> <dict> <key>BundleSize</key> <integer>398051</integer> <key>Identifier</key> <string>com.adobe.Acrobat.NativeMessagingHost</string> <key>Installing</key> <false/> <key>Name</key> <string>NativeMessagingHost</string> <key>ShortVersion</key> <string>5.0</string> <key>Version</key> <string>5.0</string> </dict> Different Version: <key>BundleSize</key> <integer>4197200</integer> <key>Identifier</key> <string>com.adobe.adobe_licutil</string> <key>Installing</key> <false/> <key>Name</key> <string>adobe_licutil</string> <key>ShortVersion</key> <string>11.0.0.39</string> <key>Version</key> <string>11.0.0.39</string> </dict> <dict> <key>BundleSize</key> <integer>4443177</integer> <key>Identifier</key> <string>com.adobe.AcroLicApp</string> <key>Installing</key> <false/> <key>Name</key> <string>AcroLicApp</string> <key>ShortVersion</key> <string>25.001.20432</string> <key>Version</key> <string>25.001.20432</string> </dict> <dict> <key>BundleSize</key> <integer>7380980</integer> <key>Identifier</key> <string>com.adobe.adobe_licutil</string> <key>Installing</key> <false/> <key>Name</key> <string>adobe_licutil</string> <key>ShortVersion</key> <string>10.0.0.274</string> <key>Version</key> <string>10.0.0.274</string> </dict>