Hi,
I am consuming the API https://gdmf.apple.com/v2/pmv to get the supported apple OS versions. I do get intermittent 403 exception almost every alternate day.
Is there any way to fix this issue for this API? Is there any better and reliable Apple API to get supported apple OS versions across macos, ios etc?
Device Management
RSS for tagAllow administrators to securely and remotely configure enrolled devices using Device Management.
Post
Replies
Boosts
Views
Activity
We noticed that Apple Login fails if we try to login with Managed Apple ID on iOS 17.2 & 17.3
This issue could have been introduced in iOS 17 but we did not have iOS 17.0 or 17.1 to validate this.
There are few prerequisites to this:
Should be a supervised device. It can be enrolled in ABM or ASM.
Apple ID should be Managed Apple ID
Device should have a passcode policy
Device should have “allowListedAppBundleIDs” added in the “com.apple.applicationaccess” payload
If either of the above conditions are not met, then the issue does not happen.
If the device is set up in the above way and we try to login with Managed Apple ID, then the login fails.
Please refer the recording at this link: https://drive.google.com/file/d/1XG17loAuH_GB1IyGdwD8txjkHZWqGeD1/view?usp=drive_link
We reproduced the issue three times and got the log files:
Issue occurred at: 21st March 2024 at 19:54:58 IST
a. Log file name: sysdiagnose_2024.03.21_19-55-26+0530_iPhone-OS_iPhone_21D50(07.54.58 pm).tar.gz
b. Link: https://drive.google.com/file/d/1nk-cQPrVEZrAUgVmrxPCsSRDd4aNF8eK/view?usp=drive_link
Issue occurred at: 21st March 2024 at 19:59:44 IST
a. Log file name: sysdiagnose_2024.03.21_20-00-02+0530_iPhone-OS_iPhone_21D50(07.59.44 pm).tar.gz
b. Link: https://drive.google.com/file/d/1VPcF77G2SK2c1rBK4S2GbLCAiQEeYPOB/view?usp=drive_link
Issue occurred at: 21st March 2024 at 20:03:27 IST
a. Log file name: sysdiagnose_2024.03.21_20-03-39+0530_iPhone-OS_iPhone_21D50(08.03.27 pm).tar.gz
b. Link: https://drive.google.com/file/d/1zlLLMd0ugJoiZtmpWlarREFDl1vjZoWP/view?usp=drive_link
During the above tests, this was the setup
Passcode Policy:
a. requireAlphanumeric: true
b. minLength: 13
c. allowSimple: false
allowListedAppBundleIDs: This can be anything but atleast one of them should be enabled. For example
a. com.apple.AppStore
b. com.apple.MobileAddressBook
c. com.apple.calculator
d. com.apple.camera
e. com.apple.DocumentsApp
f. com.apple.facetime
What results I expected: The user should be able to login without an issue
What results I actually saw: The user does not login
We also created a ticket in Feedback assistant in March but haven't received any response: FB13694721
Enroll an iOS device via MDM and apply passcode policy with "maxFailedAttempts" setting enabled https://developer.apple.com/documentation/devicemanagement/passcode
Now when the user attempts to unlock device exceeds above "maxFailedAttempts" - the device gets wiped. Now the administrator is unaware of this event.
It would be helpful to get an message/DDM status from device to notify the MDM server that device is wiped due to incorrect passcode attempts.
Is there a way to deploy a client certificate (mTLS) payload with an Application using MDM?
What alternatives are there for accomplishing this? A .p12 is fine if that is the only option, however the app would need to import it into it's keychain and delete the .p12 file (or the MDM would need to do so).
Trying to enroll a device, but during the installation of the enrollment profile getting the error message - The profile (com.xxxxxx.mdm:c1c8048f-1450-447 3-8bba-1c714c4ce492) could not be installed due to an unexpected error. CPProfileManager:-65002"
My application supports Custom URL Schema which is used to perform an open operation. My application is used as a helper app for MDM, hence it will be installed as a Managed Application. I want only the other Managed Applications to be able to invoke the Custom URL Schema and not allow it for unmanaged applications. Is there any such provision provided by Apple MDM protocol?
The customer is trying to enroll macOS devices to Hexode via Apple Business Manager (without reset). Upon running the command sudo profiles renew -type enrollment, he received the below error.
Error: DEP enrollment failed: The cloud configuration server is unavailable. (MDMDeviceEnrollment:103)
Upon running the command sudo profiles show -type enrollment in Terminal, he received the following output.
Error fetching Device Enrollment configuration: (34006) Error Domain=MCCloudConfigurationErrorDomain Code=34006 "The cloud configuration server is unavailable." UserInfo={CloudConfigurationErrorType=CloudConfigurationFatalError, NSLocalizedDescription=The cloud configuration server is unavailable., NSUnderlyingError=0x6000012f0060 {Error Domain=com.apple.MobileActivation.ErrorDomain Code=-1 "Failed to create reference key." UserInfo={NSLocalizedDescription=Failed to create reference key., NSUnderlyingError=0x6000012f00c0 {Error Domain=com.apple.MobileActivation.ErrorDomain Code=-1 "Failed to create ref key." UserInfo={NSLocalizedDescription=Failed to create ref key., NSUnderlyingError=0x6000012f0150 {Error Domain=NSOSStatusErrorDomain Code=-25308 "failed to generate asymmetric keypair" (errKCInteractionNotAllowed / errSecInteractionNotAllowed: / Interaction is not allowed with the Security Server.) UserInfo=0x6000009f0440 (not displayed)}}}}}}
The device was assigned to the Hexnode server and listed in DEP devices in Hexnode. It seems to be an Intel device and we tried following troubleshooting steps. He said another user tried out the case and was encountering the same errors. He tried the following steps as part of troubleshooting.
Installed pending OS updates
Re-assigned device to Hexnode server
Cleared NVRAM/PRAM
Switched networks
Turned off firewall and proxies on the device
Re-assigned DEP configuration profile to devices
Re-configured DEP and APNs
Enrolling the device using the enrollment URL does work and he's able to deploy actions as well. He is willing to reset the device and check as well, but he has ~30 devices in ABM that are remote and in use. Since 2 devices encountered the case, he would like to know more about what happened.
The new profile added to manage the cellular private network is not getting installed on the device end - https://developer.apple.com/documentation/devicemanagement/cellularprivatenetwork?changes=_9
When we try to oinstall the profile we get these error messages.
{'Status': 'Error',
'CommandUUID': '556d4936-7514-4121-af8d-3f0bf855a9e6',
'ErrorChain': [
{'ErrorCode': 4001,
'ErrorDomain': 'MCInstallationErrorDomain',
'USEnglishDescription': 'Profile Installation Failed',
'LocalizedDescription': 'Profile Installation Failed'},
{'ErrorCode': 4001,
'ErrorDomain': 'MCInstallationErrorDomain',
'USEnglishDescription': 'Profile Failed to Install',
'LocalizedDescription': 'Profile Failed to Install'},
{'ErrorCode': 1009,
'ErrorDomain': 'MCProfileErrorDomain',
'USEnglishDescription': u'The profile \u201cprivate network policy\u201d could not be installed.',
'LocalizedDescription': u'The profile \u201cprivate network policy\u201d could not be installed.'},
{'ErrorCode': 4001, 'ErrorDomain': 'MCInstallationErrorDomain',
'USEnglishDescription': u'The payload \u201cPrivate Mobile Networks\u201d could not be installed.',
'LocalizedDescription': u'The payload \u201cPrivate Mobile Networks\u201d could not be installed.'}],
'UDID': '00008101-001E1DCA3A81001E'}
Since the release of macOS 14.0, we have encountered issues with the Content Filtering MDM Payload. This problem is unusual but can be resolved by restarting the system.
Prerequisites:
macOS 14 or higher
Any Mac with a Silicon (ARM) processor
Restrictions Payload and Parental Content Filtering Payload must be installed on the device, either manually or through any MDM service
Issue Details:
When the Parental Content Filtering Payload is removed after installation, it causes internet issues, and browsers display "The site can't be reached".
This affects applications as well, with Safari being the only application that continues to work.
The issue can be resolved by either re-adding the Content Filtering Payload or restarting the Mac.
Links:
Restriction Payload: https://drive.google.com/file/d/1buwLFgbjTRXij9ZSv1QrDeRnWbFfKNtq/view?usp=drive_link
Content Filtering Payload: https://drive.google.com/file/d/1eAJiBg4N__dML65MRDH7hYCocuTqOCcu/view?usp=drive_link
System Logs: https://drive.google.com/drive/folders/1hKKNAoMn_4x1CqMTxz1bPrUucCbftjO9?usp=drive_link
Screen Recording: https://drive.google.com/file/d/1uS8CJqe9p9DG9XzhUnIsY35eme4Dxs60/view?usp=drive_link
Hi,
I would like to introduce you to the problem of my client, who is probably one of the first Apple Business Manger users in Poland.
The client created an ABM instance and verified it. He also created a second administrator account as recommended, and added the first device. The problem was that these accounts were accessed by one person who used Cyber Ark to save credentials. After saving the credentials for the administrator accounts, an error occurred with Cyber Ark and the passwords of these accounts were saved incorrectly. The customer has since lost access to the verified ABM instance with one device already added.
Can you advise me on what to do in this situation? Can https://iforgot.apple.com/ help in any way here?
Thanks a lot for all your help
Best Regards,
XVsorim
The wallet App on a managed business ID is currently not able to store credit cards or flight tickets.
When can we expect to have this functionality? Is there a reason why it's not possible to store the cards at the moment?
Hi All,
I'm trying to figure out why there's something tucked in the release notes for macOS 15b1 and iOS 18b1 saying:
“• Profile-based User Enrollment is no longer supported in macOS 15. For User Enrollment, sign in with a Managed Apple Account in Settings.”
If I'm reading this correctly, "UIE" or User Initiated Enrollment in Jamf parlance, will not be possible on macOS 15 and iOS18 going forward...
But, there is ZERO mention of this in the video about what's new for Management, or what's new for IT document.
I work in higher ed, and sadly, we get a lot of out of band purchases that aren't ADE eligible. And we've been told for years, and continue to be told, that Managed Apple ID's aren't appropriate for Higher Ed.
So this is a big deal if this is being removed, and I find it disturbing it's being tucked away in release notes rather than being broadcast in every location. Heck, for small shops that don't have ASM or ABM, this means no MDM (they won't have managed Apple Accounts to enroll, they won't have ADE)? I happen to use a free Jamf Now system for home managing some personal home devices... I won't be able to do this with macOS 15/iOS 18?
I initially tried to connect the iPad with the MacBook and execute the process. The iPad was reseted but not registered in the Apple Business Manager. After this failed, I tried to scan the blue circle on the iPad in the network area using my phone. However, no blue circle appears. What can I do?
Every device is on the newest software update.
I have seen that in WWDC24 it is stated from Apple and I have seen examples in the video presentation of how to remove Activation Locks from computers from Apple Business Manager.
Well I've tried and so far we can not do that, I need to do something to apply in my organization? there are some release dates?
After I installed the profile certificate in VPN and device management, I can't see the installed certificate in the certificate trust settings
After I installed the profile certificate in VPN and device management, I can't see the installed certificate in the certificate trust settings
Hello,
I’ve run into an issue with a configuration profile on my supervised iPhone. I’m wondering if anyone here might be able to help?
The profile contains the allowListedAppBundleIDs key within the restrictions payload. My Apple Watch is paired with the iPhone. The iPhone was supervised manually with Apple Configurator, hence the Apple Watch has not been directly supervised itself.
The profile works completely as expected when installed on the phone. As soon as the profile is installed on the iPhone, I can witness the apps on the Apple Watch rearrange themselves as some apps are hidden. So clearly the profile is applying its restrictions to the Apple Watch to some degree.
My issue however is that apps listed in the whitelist are hidden from the Watch. The apps that are missing from my Watch are Walkie Talkie, Find My Items, Find My Friends, Messages, Alarm, Remote, Now Playing, Sleep, Meditation and Heart Rate. This is despite the following bundle IDs being listed in the whitelist array: com.apple.findmy.findpeople, com.apple.findmy.finddevices, com.apple.HeartRate, com.apple.SessionTrackerApp, com.apple.NanoWorldClock, com.apple.findmy.finditems, com.apple.Mind, com.apple.NanoOxygenSaturation, com.apple.watchmemojieditor com.apple.NanoSleep com.apple.NanoNowPlaying com.apple.noise com.apple.tincan com.apple.NanoRemote com.apple.NanoAlarm com.apple.private.NanoTimer com.apple.NanoStopwatch
I’ve done some testing, but not sure what I’ve found really. I’ve so far identified 3 scenarios.
Scenario 1: I have the whitelist profile installed on the iPhone. I download an app that appears in the whitelist from my watch (or at least its iPhone version does). The apps show up on the iPhone automatically and can be launched there. These apps cannot be launched on the watch.
Scenario 2: I downloaded a few apps to my watch, that didn’t automatically install on my iPhone at the same time. They were on the whitelist. These ones couldn’t be launched from my Watch. I then downloaded them to the iPhone and they could be launched there (since they were on the whitelist).
Scenario 3: A couple of 3rd party apps on the whitelist could be downloaded and launched from the watch with the whitelist installed.
It seems as though there are different kinds of Apple Watch app and this is what I’ve read elsewhere. First of all there are Watch-only apps, which do not automatically install a companion iPhone app. Secondly there are companion apps, which when installed from the Watch App Store download their companion app to the iPhone in the background. Someone please correct me - I’m bound to be overlooking something here.
So maybe the apps that when installed from Watch automatically install on iPhone and can only be launched from the iPhone have a separate bundle ID for their Watch app which I haven’t included?
Apps that are on the whitelist AND do not automatically install an iPhone app AND can be launched from the Watch, include:
solstice
What3words
So maybe these do not need a companion app, but have the same Bundle ID as their iPhone app?
However, I’m still not sure why many stock Apple Watch apps are missing from the Watch…. The most obvious answer is that I’ve got their Bundle IDs wrong, but I don’t think I have given I extracted the bundle IDs from the App Store pages of the Apple WatchOS apps.
I noticed at this Apple Support page (https://support.apple.com/en-gb/guide/deployment/dep34c5cd30f/1/web/1.0) that there is no mention of whitelisting or blacklisting apps on WatchOS using MDM, yet something definitely happens on the watch when the configuration profile is installed on the iPhone. Furthermore, if I tap on a configuration profile, which comprises a blacklist, on my iPhone it will ask me if I want to install it on the iPhone or Watch. The same pop-up question doesn’t happen when the profile contains a whitelist.
All this to say, I’m massively confused as to why I can’t get this working. I’d really appreciate anyone’s advice which is bound to be expert.
Thank you
Hi,
I was trying to configure the Managed Wi-Fi Settings profile for a Mac device which is running on the Sonoma 14 OS. (https://developer.apple.com/documentation/devicemanagement/wifimanagedsettings?language=objc). I wanted to enable admin authorization for turning Wi-Fi on/off, and for switching between Wi-Fi networks. I followed the docs and tried these restrictions in lower macOS versions(Monterey, Mojave), and they are being enabled in the device-end. However for Sonoma devices, the restrictions are not being enabled(even though the profile is being pushed to the device).
While looking around, I came across the fact that the airport cli utility was discontinued recently(https://www.intuitibits.com/2024/03/14/goodbye-airport/, doesn't allow me to hyperlink). So does that affect the working of the Managed Wi-Fi device profile in any way?
Hi, we have Universal Links configured, but it only works with public URLs. In our environment we need to use managed mode - we don't have a public domain. We have found out, that we need to set AssociatedDomainsEnableDirectDownloads key in Intune. However we are struggling with the right plist format. Has anyone have it configured correctly?
In the case of organizational iPad devices, we need to have them in a more organized way via the homescreenlayout payload. We need to control the dock and the app library. We will be allowing certain apps on the device via allowListedAppBundleIDs, so we want to disable the recent apps in the dock and prevent apps from being duplicated in the app library, including recent apps and Siri suggestions. If there are more options to control the complete screen layout on the device, it would be helpful.