Hello, I could not find information in the doc (which is still beta, I understand) : how are app upgrade handled by DDM AppManaged ? With MDM, sending InstalledApplication command will upgrade the app to the most suitable recent version ; HasUpdateAvailable flag tells MDM server (more or less accurately) if there is an update and then Organizations can keep apps up to date as quickly as possible if needed. But with DDM, we just have a declaration where we tell the device to install a given app, and that's it. Is there any detail about how the device upgrades apps, and how frequently ? Thanks.

I have found that Declarative management, although intriguing and could be useful in the future, is quite lacking. At this point in development, I don't see an advantage over using MDM commands. In order for a device to apply policies, the device must first post to a server to receive the manifest set, then for each item in the set, the device must post to the server to get the policy. How is that better than posting via MDM to obtain a policy (configuration profile, app, etc.)? It seems there is no benefit in terms of time complexity. In both scenarios the device would need to make O(n) posts. This doesn't solve the scalability issue with regards to the MDM channel. The limitation with regards to available native declarations vs configuration profiles means declarative management is not yet ready for prime time. Although the first attempt at solving this through LegacyProfiles allows for installing ConfigurationProfiles, this method adds another POST, so at this point it's 1 post to get the manifest, then 2 mores posts to get the policy, which is even worse that MDM. Regarding the status channel, the status report is missing quite a bit of device information. Currently, in order to obtain a more complete view of device state using MDM, the MDM server must send a set of commands to get information, installed profiles, apps, certificate, etc. The Status channel includes some of this stuff, but not all of it, which means a device must augment the status channel with some (or all) of these commands.

Hi, I'm looking into ACME Managed Deice Attestation and was wondering about one of the values in the payload - AllowAllAppsAccess. From the documentation: "If true, all apps have access to the private key" but what is the case that you would have this set to true? seems like it opens up the device to potentially malicious software. Also, if this were set to true, how would an app access this private key when it is stored in the Secure Enclave? is there a specific tag that it is stored with?

Is there a way to check if DDM(Declarative Device Management) is enabled on a device?

I'm trying to implement ACME managed device attestation, I have ACME server code written in C# and I've been able to get all of the steps working except for the very last one - issuing the certificate. I so far have not been able to get the device to accept the certificate, the device logs show: Got certificate {length = ......} ACME request flow failed at step 9: Error Domain=NSOSStatusErrorDomain Code=-67673 "failed to obtain certificate" UserInfo={NSLocalizedDescription=failed to obtain certificate} The certificate is issued by an internal CA and the correct root certificate is in the device's trusted certs. I have tried returning the certificate chain as a file response or content response to the device as a "application/pem-certificate-chain" mime type (as outlined as the default in the ACME RFC), returning just the leaf certificate as PEM, returning the leaf certificate as DER with mime type "application/pkix-cert", "application/pkcs7-mime", "application/x-pkcs12" or "application/x-x509-ca-cert", but none of this has worked. Can anyone point me in the right direction to figure out what the issue is?

Hi all. I'm trying to implement a Platform SSO extension for macOS and I'm freaking out. It's so complicated and with almost zero guidance documentation. I established a starting point in my SSO extension and I get the registration request to my beginDeviceRegistrationUsingLoginManager (I managed all the AASA file, MDM stuff). In this method I'm creating a ASAuthorizationProviderExtensionLoginConfiguration and I try to save it into the loginManager (ASAuthorizationProviderExtensionLoginManager which I get from the method) using saveLoginConfiguration. It worked fine, and without changing anything I started getting the next error: failed to save loginConfiguration: Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1000 "(null)" UserInfo={NSUnderlyingError=0x7ff77ff63b30 {Error Domain=com.apple.PlatformSSO Code=-1008 "Token endpoint URL is not approved profile URL." UserInfo={NSLocalizedDescription=Token endpoint URL is not approved profile URL.}}} This is my configuration: ASAuthorizationProviderExtensionLoginConfiguration *loginConfiguration = [[ASAuthorizationProviderExtensionLoginConfiguration alloc] initWithClientID:@"***" issuer:@"https://auth.platformsso.ping-eng.com/as" tokenEndpointURL:[NSURL URLWithString:@"https://auth.platformsso.ping-eng.com/as/token"] jwksEndpointURL:[NSURL URLWithString:@"https://auth.platformsso.ping-eng.com/as/jwks"] audience:@"***"]; And this is where it breaks: BOOL saveConf = [self.loginManager saveLoginConfiguration:loginConfiguration error:&confError]; Can someone help me with this error please?

Hello Apple Community, Issue encountered during the installation of an app via DDM (Declarative Device Management) on iOS 17.3 devices. When applying an app configuration and managed app list status event through declarative management, the configuration is successfully applied, but the configured app is not being installed on the device. Upon closer inspection, we have identified that the error "ManagedAppDistribution.ManagedAppDistributionError" is being logged during this process. My Configuration: { "Type": "com.apple.configuration.app.managed", "Identifier": "com.mdm.1740e623-4361-498d-af02-b433500d58bd.ManagedAppDDM", "ServerToken": "1706282674113", "Payload": { "AppStoreID": "361309726", "InstallBehavior": { "License": { "VPPType": "Device" }, "Install": "Required" } } } { "Type": "com.apple.configuration.management.status-subscriptions", "Identifier": "com.mdm.9c70c80f-406a-425a-8829-1025652f05c6.ManagedAppListStatus", "ServerToken": "1706282673976", "Payload": { "StatusItems": [ { "Name": "app.managed.list" }, { "Name": "mdm.app" }, { ... } ] } } DDM Response: { "StatusItems": { "management": { "declarations": { "activations": [ { "active": true, "identifier": "DEFAULT_ACT_0", "valid": "valid", "server-token": "1706282674113" } ], "configurations": [ { "active": true, "identifier": "DEFAULT_STATUS_CONFIG_0", "valid": "valid", "server-token": "3" }, { "active": true, "identifier": "com.mdm.1740e623-4361-498d-af02-b433500d58bd.ManagedAppDDM", "valid": "valid", "server-token": "1706282674113" }, { "active": true, "identifier": "com.mdm.9c70c80f-406a-425a-8829-1025652f05c6.ManagedAppListStatus", "valid": "valid", "server-token": "1706282673976" } ], "assets": [], "management": [] } } }, "Errors": [ { "Reasons": [ { "Code": "ManagedAppDistribution.ManagedAppDistributionError.0", "Description": "The operation couldn’t be completed. (ManagedAppDistribution.ManagedAppDistributionError error 0.)" } ], "StatusItem": "app.managed.list" } ] } Note : The ManagedAppDistribution framework extension appears to not be implemented in this context. Kindly help us with this issue. Thanks in advance.

Please tell me about the NotNow status returned by the MDM command for Apple devices. ◾️I would like to check I am aware that there are some MDM commands that return a status NotNow when the device is locked and the command cannot be executed. I am aware of InstallProfileCommand and SecurityInfoCommand. https://developer.apple.com/documentation/devicemanagement/installprofilecommand https://developer.apple.com/documentation/devicemanagement/securityinfocommand Please answer the following two questions. ◾️Question I would appreciate an answer with the official name of the command and the URL of the command's reference, if possible. Question 1 Please tell us if there are commands other than InstallProfileCommand and SecurityInfoCommand that return status NotNow because the command cannot be executed if the terminal is locked. Question 2 Please tell us if any of the following commands return the status NotNow because the command cannot be executed if the terminal is locked. DeviceConfiguredCommand AvailableOSUpdatesCommand ScheduleOSUpdateCommand OSUpdateStatusCommand

Hello, Dear Engineers I have distributed a management profile from Aplle Configurator to my terminal with reference to the following document https://developer.apple.com/documentation/devicemanagement/cellularprivatenetwork Situation: We tested the device in an environment where both Wi-Fi and cellular connections were available, Wi-Fi seemed to have priority in the operation. This is because CellularDataPreferred, which is set in the distributed management profile, is enabled, I would like cellular to be given priority. I am using iPhone 15 (iOS 17.1.2). Question： ・Is there anything else missing besides the Profile Example to make CellularPrivateNetwork's Device Management Profile work properly? ・Has anyone confirmed that CellularPrivateNetwork's Device Management Profile works correctly? BestRegards

hi! https://developer.apple.com/documentation/devicemanagement/applayervpn I have a question about AssociatedDomains in the AppLayerVPN reference above. From the description, I believe that this property triggers the VPN when the app is launched with a universal link and connects to the domain specified in AssociatedDomains. Is that correct in your understanding? I specified "twitter.com" as a test, and the VPN was not triggered when the universal link was executed from safari, etc. How can I make a VPN connection with the domain connection specified in the AssociatedDomains property? If you could please let us know with some real life examples. I will pass on your thanks in advance. Thanks.

I'm encountering a strange issue with PPPC configuration files and app visibility in Security & Privacy for standard users on the latest macOS version. The Scenario: I created a PPPC file granting accessibility and screen recording permissions for my app. I deployed the PPPC file to devices using MDM. Surprisingly, the app doesn't appear under Security & Privacy > Privacy > Screen Recording or Accessibility for standard users. However, if I remove the PPPC file, the app instantly shows up in those locations. What I've Tried: Double-checked the PPPC file syntax and permissions configuration. Redeployed the PPPC file and verified successful installation on devices. Restarted devices and re-registered the MDM profile. The Impact: This issue prevents standard users from granting my app the necessary permissions through the standard system interface. They require admin intervention to grant permissions manually, which is inconvenient and not ideal for our workflow. Seeking Help: I'm reaching out to the community for any insights or suggestions on resolving this issue. Has anyone encountered a similar problem with PPPC files and standard user permissions? Any advice or potential solutions would be greatly appreciated!

Push notification for PWA app is supported on iOS >= 16.4. I want to restrict app usage using Restriction payload of configuration profile. Formerly we could it by defining a restriction like this. (actually via MDM) <key>whitelistedAppBundleIDs</key> <array> <string>com.apple.webapp</string> </array> However on iOS >= 17.0, the notification setting of the PWA app is disappeared!! Without the restriction payload, or with the restriction payload without whitelistedAppBundleIDs, the notification setting for the PWA app is shown as expected. Also we discovered that the issue can be avoided by adding com.apple.WebKit.PushBundle.xxxxxx into the restriction payload. <key>whitelistedAppBundleIDs</key> <array> <string>com.apple.webapp</string> <string>com.apple.WebKit.PushBundle.7880D99FB56F4FF7B5DC019E0EDBCBD0</string> </array> com.apple.WebKit.PushBundle.7880D99FB56F4FF7B5DC019E0EDBCBD0 can be found with console log using Apple Configurator. However it cannot be found via MDM command (ex. InstalledApplicationList). We want to configure and install the restriction payload into multiple devices via MDM. So how can we know the com.apple.WebKit.PushBundle.xxxxxx via MDM? or how can we enable push notification settings for PWA apps with restriction payload? Thank you

I tried the new feature of iOS 17.2 com.apple.configuration.app.managed A configuration and its activation are defined with the data like this. { "Identifier": "389459bf-0902-58dd-be0e-11c83c695a8b", "Type": "com.apple.configuration.app.managed", "Payload": { "InstallBehavior": { "Install": "Required", "License": { "VPPType": "Device" } }, "BundleID": "com.microsoft.Office.Powerpoint" }, "ServerToken": "..." } After distributing the configuration with DeclarativeDevicement MDM command, an error is notified via status channel app.managed.list. { "active": true, "identifier": "389459bf-0902-58dd-be0e-11c83c695a8b", "valid": "valid", "server-token": "21b95e4cb0b616a3ac77a5905ed08756fa36f605ad1a30a9bd347a4a8092532c" }, "app": { "managed": { "list": [ { "state": "failed", "declaration-identifier": "389459bf-0902-58dd-be0e-11c83c695a8b", "identifier": "com.microsoft.Office.Powerpoint", "name": "Microsoft PowerPoint", "reasons": [ { "code": "Error.LicenseNotFound" } ] }, After VPP license for the app is assigned, I tried to issue DeclarativeManagement command again. However iOS device doesn't fetch the configuration because it is not changed. App installation is not retried even after the valid license is assigned. How can we trigger the retrying installation? Thank you

I want to control one iPhone from another iPhone remotely and both of the phones in different places. How to do that ? Using Web Driver Agent how can we achieve this ? We need to capture the frames as well every second like screenshots