We'd like to determine if there is a configuration declaration that is active on a device as part of a predicate. The current logic (based on the WWDC 22 session) is: SUBQUERY(@status(management.declarations.configurations), $declaration, ($declaration.@key(identifier) == "com.abc.declarationname" AND $declaration.@key(active) == true)).@count == 1 The goal is that if the declaration is active, then a predicate should evaluate to true. This query does not appear to be working. Should we be able to use @status(management.declarations.activations) in a predicate? If so, what are we missing to attempt to determine if the declaration is active? If I search the existing status objects that are sent from the device, it is showing as active in the status channel.

Issue - Safari application not fetched from system_profile command Use case - We are trying to get list of installed applications in the mac. For this we use System_profiler command to fetch the details list. It is working good, but the thing is , It doesnt fetch Safari app as an installed Application. Command used - **/usr/sbin/system_profiler SPApplicationsDataType** Can anyone suggest any other way to fetch the installed applications list from the mac , which includes all the apps (including safari app) and remains effective ?

Hello, I am an iOS developer managing an MDM app. In this app, we are only using the camera restriction feature. Can the MDM status (specifically, the camera state) be changed while the user's screen is locked? We want to communicate with our server in the background and apply changes, but there is no known information about this. I would appreciate your help!

Why is MDM camera restriction designed not to work on the lock screen?

In the RequestRequiresNetworkTether property, the definition of “network-tethered” is unclear, and there seems to be a discrepancy between the actual behavior and the description in the documentation. We would like to clarify the definition of the connection state that “network-tethered” means and the specific behavior requirements when the property is set to true. Explanation of the document The description “If true, the device must be network-tethered to run the command. I was not sure whether it refers to “network connection” or “tethered communication” as the Japanese translation. Actual operation verification results The error message was “The device is not tethered. (MDMErrorDomain:12081)”. Error occurs when only carrier communication is used The following connection conditions work normally (as in the case of false) Wifi communication Combination of carrier communication and Wifi communication Tethering communication Combination of carrier communication and tethering communication Tethering connection (both parent and child devices) Inconsistencies Although the document description could be interpreted as a simple network connection requirement, actual operation is limited only to carrier communications alone Error message uses language regarding tethering, but actual tethering connection works fine

VPP API v2 returns 9609 "Unable to find the registered user." when I disassociate assets from an existing user. Repro step: 1. Create user POST https://vpp.itunes.apple.com/mdm/v2/users/create { "users": [ { "clientUserId": "client-1", "managedAppleId": "valid managed apple id" } ] } => user is associated 2. Retire user POST https://vpp.itunes.apple.com/mdm/v2/users/retire { "users": [ { "clientUserId": "client-1" } ] } => user is retired 3. Recreate user with the same clientUserId POST https://vpp.itunes.apple.com/mdm/v2/users/create { "users": [ { "clientUserId": "client-1", "managedAppleId": "valid managed apple id" } ] } => user is associated 4. Associate asset POST https://vpp.itunes.apple.com/mdm/v2/assets/associate { "assets": [ { "adamId": "408709785" } ], "clientUserIds": [ "client-1" ] } => asset associated 5. Disassociate asset POST https://vpp.itunes.apple.com/mdm/v2/assets/disassociate { "assets": [ { "adamId": "408709785" } ], "clientUserIds": [ "client-1" ] } => {"errorNumber":9609,"errorMessage":"Unable to find the registered user."} Notes associate API works fine with the same payload. disassociate work with v1 API.

Hello Developers, We are encountering a consistent Kernel Panic issue on an iPhone device after sending a "Clear Passcode" command via our MDM solution. We're looking for insights or confirmation if others have experienced similar behavior. Device & Environment Details: Device: iPhone13,2 (iPhone 12 Pro) OS Version: iPhone OS 18.3.2 (Build 22D82) (Please note this appears to be a future/beta build identifier) Action Triggering Panic: Sending MDM ClearPasscode command. Roots Installed: 0 (Device is not jailbroken) Incident ID: 4B41C0AE-EE93-4051-BEE4-AB98438C10F0 Panic Log Summary: The kernel panic log clearly indicates the issue originates from the Secure Enclave Processor (SEP). The key panic string is: panic(cpu 3 caller 0xfffffff02357bc1c): SEP Panic: :sks /sks : 0x1000b15fc 0x0003ad60 0x0003ad44 0x100028698 0x10002cae4 0x10002a908 0x10002bc10 0x100045330 [hgggrhlvs] Panic app vers: 1827.80.10 Panic app UUID: 4C066E88-EB93-33C3-BCA7-C5F5474831CC ... Root task vers: AppleSEPOS-2772.80.2 Root task UUID: A39D6C5D-D07D-33EE-85A3-9105A8D93CE2 ... sks /sks 0x329cc/0x326e0/0x1314131413141314 ert/BOOT Use code with caution. The SEP Panic and reference to :sks /sks strongly suggest an issue within the Secure Key Store subsystem of the SEP. The panic occurred on CPU core 3. The kernel backtrace points to the com.apple.driver.AppleSEPManager kernel extension as the immediate caller in the main kernel that initiated the panic process after receiving the signal from the SEP. Analysis/Interpretation: Based on the log, it appears that the MDM ClearPasscode command, which necessarily interacts with the SEP's Secure Key Store via the AppleSEPManager driver, triggered an internal fault or bug within the SEP firmware (AppleSEPOS). This SEP-level panic subsequently caused the main iOS kernel to panic. Questions: Has anyone else encountered similar SEP panics, specifically involving the SKS subsystem, particularly after issuing MDM commands like ClearPasscode on iOS 18.x builds (especially 18.3.2 / 22D82)? Is this a known issue in this specific iOS/SEP firmware version? Are there any suggested workarounds for clearing passcodes via MDM on affected devices/OS versions, or any further diagnostic steps recommended? We appreciate any insights or shared experiences the community might have on this issue. Thank you.

Hi, Is there a method to hide individual items in System Settings that is not Deprecated? It needs some of the settings set and hidden for the end user. I found the DisabledSystemSettings key however it is marked as Deprecated and does not include all the new items, especially those related to Apple Intelligence. Is there any method other than “Restrictions” that does not hide and only set individual settings ? It needs to hide items in system settings :)

We are trying to develop an app that will be responsible for managing 5000+ managed iPads through Intune MDM. The user flow is to have a device locked to a single app when a user is not logged in, but to make the device available to other apps once a user is authenticated. We already tried UIAccessibility GuidedAccess Mode and autonomous single app mode but those were not sufficient due to our need to be able to toggle this from the background. When the device may be asleep. So another way we could achieve this functionality would be to control all app access under a launching mechanism. That way we could allow one app to be visible in our MDM configuration and try to access our business app through that using deep links. If this were to work, we would have to be able to hide an app and still make it launchable from the manager. Any ideas? Thanks

Hello, we use an MDM profile that enables FDA for our program. The Identifier is set to be the path to our program. We'd like to have a profile that allows multiple CodeSignatures. Our older programs are signed with a different certificate than the current ones. We tried deploying 2 profiles (one for the 'old certificate' signed binary and the other for the 'new certificate' signed binary). But it looks like that MacOS accepts only one. I have also tried to use ProfileCreator to generate a profile with 2 entries, but it fails to do it. Manually editing the XML file and adding new entries does not work either. I'd like to know if there's a workaround for this issue.

I am using system_profiler command to check on the installed application list from mac device. **Terminal command to check installed java version - ** But while running /usr/sbin/system_profiler SPApplicationsDataType -xml , I cant able to find Java as an installed application. Is this a known issue or do we have any alternative workaround to fetch the same?

During MDM Automated Device Enrollment of Apple TV, the web view defined by configuration_web_url is not working. We are using the web view to display the usage policy for all devices. While the web view functions correctly for other devices, it is resulting in an error specifically for Apple TV. Could you please clarify whether Apple plans to implement support for this feature on Apple TV in the future or if it will not be supported? Referring to configuration_web_url in: https://developer.apple.com/documentation/devicemanagement/profile

May I know the checking mechanism for the ios Provisioning profile? Is my Apple app distributed by MDM inside the organisation? If the Provisioning profile is expired , what is the behaviour when user run the App and how to perform the checking mechanism , is it performed at user client side device or Apple server via online access.

I am having an issue with duplicated SCEP client certificates on an iOS device. We deployed an SCEP profile via MDM, then deleted and redeployed it via MDM. In Settings > General > VPN & Device Management, only one SCEP profile is visible. However, Safari shows duplicated certificates when a server requests a client certificate. We have tried removing the cert profile on MDM and unenrolling the device from MDM, but only the latest certificate got removed, leaving previous ones stuck on the device or in the Safari app. We have found no way to remove these duplicated certificates other than factory reset the devices. This appears to be a potential iOS bug affecting certificate cleanup. We need assistance to resolve this issue. Also, the issue is difficult to reproduce but has happened to a number of our managed devices.

In Device management profile, VPN.VPN.OnDemandRulesElement Action->Disconnect Example payload: OnDemandEnabled1OnDemandRules ActionDisconnectInterfaceMatchCellular When install my vpn payload with above configuration, I was unable to connect vpn manually when i try with wifi interface Based on the doc, VPN should tear down when i connect with specific type interface(here cellular) i was unable to connec the vpn when i'm in cellular network good but when i connect to wifi still the same is happening. Is this a bug? tried in ios 18

I have created a jwt token with headers { 'typ': 'JWT', 'alg': 'RS256' } and claim as : { 'iss': dep server UUID from Accounts call, 'iat': epoc time in seconds, 'jti': random uuid, 'service_type': 'com.apple.maid' } And signed the token with private key created during DEP MDM server creation. On the device I see Verification error when tried to login with Managed Apple account. In ABM, Access management setting was set to Managed Devices /Supervised only. Any help would be appreciated.

I'm the IT Admin in my company. We use Microsoft Intune, which is a Mobile Device Management tool, to manage our devices and apps. I created an app protection policy, restricting the data can only be shared between the allowed apps. For example, if our user want to copy the content in Outlook for iOS to WeChat or personal memo, the action will be blocked. However, may be it's too strict, here is the scenario that we need to hadle: A user selected the content in the Outlook for iOS mail, and wanted to use the "translate" function to do translation. Before the app protection policy was deployed, he can do the translation successfully. And now, it's blocked. Therefore, we need to find a way to exempt the app "Translate" so that users can do the translation successfully. We put the value "com.apple.Translate"(this is a package ID listed in the official document of Apple) to the exemption, but it's not working. May I know what is the correct "value" for the iOS native Translate APP? I need to put this value to our app protection policy to exempt Translate app. Thank you so much.

How to test ManagedAppConfigurationProvider without MDM ? Task { /* Configuration provider task */ for await configuration in configurationProvider.configurations(MyAppConfiguration.self) { self.configuration = configuration ?? MyAppConfiguration.defaultConfiguration } } Can the existence of a configuration be simulated, e.g. by storing a mocked configuration in UserDefaults? The UserDefaults key "com.apple.configuration.managed" seems not relevant here.

Hello all, We have built our own MDM solution as we plan to support quite a few devices running iOS. Manual activation is running fine and devices are checking in. We have setup ABM with Device management service setup and linked to our MDM. We have added reseller via Apple customer number and purchased devices are showing in ABM. We have setup default management service assignment as well. When we are setting up a device it gives an error: Remote Management The configuration for your iPhone could not be downloaded from . cancelled Error in the device log is as follows: Jun 11 14:16:36 iPhone Setup(DMCUtilities)[626] : <DMCHTTPRequestor: 0x84cfd7d40> cannot accept the authentication method NSURLAuthenticationMethodClientCertificate Jun 11 14:16:36 iPhone Setup(CFNetwork)[626] : Task <663D2346-4B73-4DB2-A134-B1A7DC58E70B>.<1> auth completion disp=2 cred=0x0 Jun 11 14:16:36 iPhone Setup(CFNetwork)[626] : Task <663D2346-4B73-4DB2-A134-B1A7DC58E70B>.<1> summary for task failure {transaction_duration_ms=285, response_status=-1, connection=7, reused=1, reused_after_ms=0, request_start_ms=0, request_duration_ms=0, response_start_ms=0, response_duration_ms=0, request_bytes=0, request_throughput_kbps=0, response_bytes=0, response_throughput_kbps=0, cache_hit=false} Jun 11 14:16:36 iPhone Setup(CFNetwork)[626] : Connection 7: TLS Client Certificates encountered error 1:89 Jun 11 14:16:36 iPhone Setup(CFNetwork)[626] : Task <663D2346-4B73-4DB2-A134-B1A7DC58E70B>.<1> finished with error [-999] Error Domain=NSURLErrorDomain Code=-999 UserInfo={NSErrorFailingURLStringKey=, NSErrorFailingURLKey=, _NSURLErrorRelatedURLSessionTaskErrorKey=, _NSURLErrorFailingURLSessionTaskErrorKey=, NSLocalizedDescription=} Jun 11 14:16:36 iPhone Setup(CFNetwork)[626] : Connection 7: encountered error(1:89) Jun 11 14:16:36 iPhone Setup(CFNetwork)[626] : Connection 7: cleaning up Jun 11 14:16:36 iPhone Setup(CFNetwork)[626] : Connection 7: summary for unused connection {protocol="http/1.1", domain_lookup_duration_ms=0, connect_duration_ms=0, secure_connection_duration_ms=0, private_relay=false, idle_duration_ms=0} Jun 11 14:16:36 iPhone Setup(DMCUtilities)[626] : <DMCHTTPRequestor: 0x84cfd7d40> failed to communicate with the MDM server. Error: NSURLError:Desc : cancelled Domain : NSURLErrorDomain Code : -999 Extra info: { NSErrorFailingURLKey = "https://mdm.domainname/enroll"; NSErrorFailingURLStringKey = "https://mdm.domainname/enroll"; "_NSURLErrorFailingURLSessionTaskErrorKey" = "LocalDataTask <663D2346-4B73-4DB2-A134-B1A7DC58E70B>.<1>"; "_NSURLErrorRelatedURLSessionTaskErrorKey" = ( "LocalDataTask <663D2346-4B73-4DB2-A134-B1A7DC58E70B>.<1>" ); }

how can i generate MDM Push Certificate for my own MDM server. Please guide me on that.