Device Management


Allow administrators to securely and remotely configure enrolled devices using Device Management.

Device Management Documentation

Post | Replies | Boosts | Views | Activity

ASAuthorization SSO Extension view controller for macOS
Our app is currently employing an SSO extension. Our implementation of beginAuthorization(with request: ASAuthorizationProviderExtensionAuthorizationRequest) seems to be working correctly, as we are able to process the request and complete the SSO. Unfortunately, we seem to be running into trouble getting an associated UI to display for our users. Our Info.plist file for the extension has the value NSExtensionPrincipalClass: $(PRODUCT_MODULE_NAME).AuthenticationViewController, and we have an accompanying storyboard file named AuthenticationViewController.xib where the file's owner is set to our custom view controller. We have added a window and some views to this storyboard file and linked them to our view controller, which is also named AuthenticationViewController. The window will appear when the extension is activated. However, this window appears behind the Safari window we have open, and we cannot seem to bring it to the front of the other views. Traditional methods do not seem to work since the extension cannot access a sharedApplication object. We have tried other methods, including using NSRunningApplication.runningApplications to locate the extension via bundle identifier and activate it, but activation still does not bring it to the front of all open windows. We also tried using presentAuthorizationViewController(completion: @escaping (Bool, Error?) -> Void) to no avail. We got true for our result in the completion closure, but we couldn't get the UI to display at all in that case. We fear that we may be misguided in our approach and have not configured our storyboard correctly to achieve the desired result. We have been able to find no example of this for macOS, so any help would be greatly appreciated!
Replies: 2 | Boosts: 0 | Views: 1.6k | Activity: Jul ’21
Implementing Oauth2 for User Enrollment
Hi Community,

We have been testing using OAuth2 for User Enrollment. As per the doc provided, we have supplied the method, authorization-url, token-url, redirect-url and client-id in the 401 response from the MDM Server.

Authorization Request

As mentioned, the Apple client performed the authorization request by adding state and login_hint to the Authorization-url together with the params mentioned above, and successfully received the authorization code after the user logs in with the IdP.

<<<<< Request
GET /oauth2/authorization?response_type=code
    &client_id=XXXXXXXXXX
    &redirect_uri=apple-remotemanagement-user-login:/oauth2/redirection
    &state=XXXXXXXXXX
    &login_hint=useroa@example.com HTTP/1.1
Host: mdmserver.example.com

------- MULTIPLE REQUESTS BETWEEN CLIENT Server ----------

>>>>> Response
HTTP/1.1 308 Permanent Redirect
Content-Length: 0
Location: apple-remotemanagement-user-login:/oauth2/redirection?code=XXXXXXXXXX&state=XXXXXXXXXX

Token Request

Using the code received from the authorization server, the Apple client performs this step to get the access_token and refresh_token. I am using an authorization server created by default in my Okta domain, and this step fails.

<<<<< Request
POST /oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 195

grant_type=authorization_code
    &code=XXXXXXXXXXXX
    &redirect_uri=apple-remotemanagement-user-login:/oauth2/redirection
    &client_id=XXXXXXXXXX

>>>>> Response
HTTP/2 401 Unauthorized
Content-Type: application/json

{
  "error": "invalid_client",
  "error_description": "Client authentication failed. Either the client or the client credentials are invalid."
}

When I debugged this issue: as per Okta's doc https://developer.okta.com/docs/guides/implement-grant-type/authcode/main/#exchange-the-code-for-tokens, the client must specify their credentials in the Authorization header as Authorization: Basic <client_id>:<client_secret> in order to get the access_token. And also as per RFC 6749 https://www.rfc-editor.org/rfc/rfc6749#section-4.1.3, confidential clients must specify their client_id and client_secret provided by the authorization server to receive the access_tokens. May I know how to overcome this issue, or did I miss any steps that may include the Authorization header? Thanks in advance.
Replies: 1 | Boosts: 0 | Views: 1.6k | Activity: Mar ’23
Sign In Policy For ManagedAppleID
Hi Apple Team, we are excited looking at the new updates introduced at WWDC23. In the session named "Do More With Managed Apple IDs", a Sign In Policy is introduced for Managed Apple IDs:

Any Device
Managed Devices Only
Supervised Devices Only

As an MDM vendor we need to support the GetToken CheckIn request to support the Sign In Policy options Managed Devices Only and Supervised Devices Only, and have some doubts regarding this. When the policy is set to Managed Device Only and we don't have DEP tokens registered by the customer with us, how could we generate the JWT signed token with the necessary serverUUID? In case 1), even if I have a DEP token with me, how could I choose the necessary serverUUID if the device had been managed by MDM through profile-based enrollment? Can you please provide an appropriate solution to overcome this?
Replies: 0 | Boosts: 0 | Views: 565 | Activity: Jul ’23
Apple declarative management status subscription for management.client-capabilities.
I am trying the Apple declarative management protocol. I would like to get management.client-capabilities from the device on demand, apart from the incremental updates when the device upgrades. Is this possible by some declaration or workaround without re-enrolling the device? Sample subscription:

{
  "Identifier": "status-subscriptions1",
  "ServerToken": "$serverToken",
  "Type": "com.apple.configuration.management.status-subscriptions",
  "Payload": {
    "StatusItems": [
      { "Name": "device.operating-system.build-version" },
      { "Name": "device.identifier.serial-number" },
      { "Name": "device.identifier.udid" },
      { "Name": "device.model.family" },
      { "Name": "device.model.identifier" },
      { "Name": "device.model.marketing-name" },
      { "Name": "device.model.number" },
      { "Name": "device.operating-system.family" },
      { "Name": "device.operating-system.marketing-name" },
      { "Name": "device.operating-system.supplemental.build-version" },
      { "Name": "device.operating-system.supplemental.extra-version" },
      { "Name": "device.operating-system.version" },
      { "Name": "diskmanagement.filevault.enabled" },
      { "Name": "mdm.app" },
      { "Name": "management.client-capabilities" },
      { "Name": "security.certificate.list" },
      { "Name": "passcode.is-compliant" },
      { "Name": "passcode.is-present" }
    ]
  }
}
Replies: 0 | Boosts: 0 | Views: 272 | Activity: Aug ’23
WebContent filter and ContentFilterUUID clarification
Hello, ContentFilterUUID in the WebContentFilter payload can be used for a "Per-App content filter"; the UUID can be used in app attributes, as stated in the doc: "A globally-unique identifier for this content filter configuration. Managed apps with the same ContentFilterUUID in their app attributes have their network traffic processed by the content filter." Do I understand right that if we want the profile to be globally applied, it should NOT contain the ContentFilterUUID key? We're seeing cases where setting the key makes the profile do nothing on the device, but the documentation is not 100% clear on this. Any clarification would be very appreciated! Thanks
Replies: 2 | Boosts: 0 | Views: 478 | Activity: Sep ’23
Transition Profiles from MDM (Mobile Device Management) to DDM (Declarative Device Management) not applied on 17 beta devices
Hi Apple Community,

Problem Description: Regarding the transition from MDM (Mobile Device Management) profiles to DDM (Declarative Device Management) profiles, as announced during WWDC 2023, this marks a significant step forward in simplifying our device management process. When we attempted to test this transition with the 17 developer beta OS version devices, we encountered a notable challenge. Specifically, when trying to apply a DDM Webclip legacy profile configuration to a device that already had the same profile applied through MDM, we received the following status response from DDM: "The profile “<profile_identifier>” cannot replace an existing profile." As a result, the configuration was not applied. However, after removing the existing applied MDM profile and then reapplying the same profile as a legacy profile via DDM, the configuration was successfully applied.

My DDM Configuration:

{
  "Type": "com.apple.configuration.legacy",
  "Identifier": "DEFAULT_APP_CATALOG_CLIP_CONFIG",
  "ServerToken": "3",
  "Payload": {
    "ProfileURL": "https://mdmtest:8080/certificates/appConfig.mobileconfig"
  }
}

My DDM Status Response:

{
  "StatusItems": {
    "management": {
      "declarations": {
        "activations": [
          { "active": true, "identifier": "DEFAULT_ACT_0", "valid": "valid", "server-token": "1" },
          { "active": false, "identifier": "DEFAULT_APP_CATALOG_CLIP_ACT", "valid": "valid", "server-token": "3" }
        ],
        "configurations": [
          {
            "reasons": [
              {
                "details": { "Error": "The profile “<profile_identifier>” cannot replace an existing profile." },
                "description": "Configuration cannot be applied",
                "code": "Error.ConfigurationCannotBeApplied"
              },
              {
                "details": { "Identifier": "DEFAULT_APP_CATALOG_CLIP_ACT", "ServerToken": "3" },
                "description": "Activation “DEFAULT_APP_CATALOG_CLIP_ACT:3” has errors.",
                "code": "Error.ActivationFailed"
              }
            ],
            "active": false,
            "identifier": "DEFAULT_APP_CATALOG_CLIP_CONFIG",
            "valid": "invalid",
            "server-token": "3"
          },
          { "active": true, "identifier": "DEFAULT_STATUS_CONFIG_0", "valid": "valid", "server-token": "2" }
        ],
        "assets": [],
        "management": []
      }
    }
  },
  "Errors": []
}

Kindly help us with this issue. Note: We have posted feedback in the Feedback Assistant portal, FB13132059, along with the device sysdiagnose.
Replies: 0 | Boosts: 0 | Views: 700 | Activity: Sep ’23
Can I send com.apple.mdm.token server capability using declaration?
Hi Team, I want to send a server capability to the iPhone for the watchOS pairing token. I tried the following payload and it's not working. Can you provide an example of it? Also, how do I find the server protocol version? I could not find any documentation around it.

{
  "Identifier": "server-capabilities-list",
  "ServerToken": "$serverToken",
  "Type": "com.apple.management.server-capabilities",
  "Payload": {
    "Version": "2",
    "SupportedFeatures": {
      "com.apple.mdm.token": {}
    }
  }
}

https://developer.apple.com/documentation/devicemanagement/managementservercapabilities
Replies: 2 | Boosts: 0 | Views: 293 | Activity: Sep ’23
Unable to import vpn IKE profile on MacOS
Hello, I had to create an IKE VPN profile to use this service from my Mac running Ventura, so I was directed to the Apple Configurator application, where I was able to find how to proceed, except that the import was not successful. Here are the logs that I captured on the ProfilesSettingsExt process:

[ERROR] [501:CPPrefPaneExt:<0x3faf>] [CE] XPC: InstallProfile <User:501> ==> Error Domain=ConfigProfilePluginDomain Code=-319 "Les données utiles « Service VPN » n’ont pas pu être installées. Le serveur VPN n’a pas pu être créé." UserInfo={NSLocalizedDescription=Les données utiles « Service VPN » n’ont pas pu être installées. Le serveur VPN n’a pas pu être créé.}
[501:CPPrefPaneExt] Number of <Device> profiles found: 0 (Filtered: 0)
[501:CPPrefPaneExt] ReloadProfiles: device profiles: 0
[501:CPPrefPaneExt] === CPF_GetInstalledProfiles === (<User: 501>)
[501:CPPrefPaneExt] Number of <User: 501> profiles found: 0 (Filtered: 0)
[501:CPPrefPaneExt] ReloadProfiles: user profiles: 0
[501:CPPrefPaneExt] Building ProfilesListView with sections:Optional(0) selection:Binding<Set<String>>(transaction: SwiftUI.Transaction(plist: []), location: SwiftUI.LocationBox<SwiftUI.FunctionalLocation<Swift.Set<Swift.String>>>, _value: Set([])) emptyList:Optional("Aucun profil installé") oip: true disableRemove: true
[501:CPPrefPaneExt] ProfileInstall: PROGRESS: <Completed>
[501:CPPrefPaneExt] [CE] Profile installation (IKEv2 test (laptop.64286FD8-B086-4A63-A1BB-D9CFA279F231:08BFF8E1-3296-43E6-9CEC-A40B31A4A7D4)) ==> Error Domain=ConfigProfilePluginDomain Code=-319 "Les données utiles « Service VPN » n’ont pas pu être installées. Le serveur VPN n’a pas pu être créé." UserInfo={NSLocalizedDescription=Les données utiles « Service VPN » n’ont pas pu être installées. Le serveur VPN n’a pas pu être créé.}
Warning: -[NSWindow makeKeyWindow] called on _NSAlertPanel 0x7fa91294aa50 which returned NO from -[NSWindow canBecomeKeyWindow].
order window: 15f op: 1 relative: 15f related: 0
Item (<private>) is attached but is too large to fit without clipping. minWidth=72.000000

It works if I try to import L2TP or IPSec profiles with totally random parameters.
Replies: 1 | Boosts: 0 | Views: 338 | Activity: Sep ’23
Received DDM Full Report Status Response Daily Basis
Issue Description: We have observed that the DDM status response is provided daily at specific timestamps, or sometimes randomly for certain devices, to deliver the complete DDM status report. The following daily pattern is observed for DDM requests to MDM:

Endpoint -> Status
Endpoint -> Tokens

After sending a full report, the device proceeds to fetch any changes in declarations from the server via a tokens request. In iOS 17/macOS 14 the same full reports are also received daily, but they include new properties in the status report, such as "FullReport": true.

Sample Status Response:

{
  "StatusItems": {
    "FullReport": true,
    "client-capabilities": {
      "supported-versions": [ "1.0.0" ],
      "supported-payloads": {
        "declarations": {
          "activations": [ "com.apple.activation.simple" ],
          "assets": [
            "com.apple.asset.credential.acme",
            "com.apple.asset.credential.certificate",
            "com.apple.asset.credential.identity",
            "com.apple.asset.credential.scep",
            "com.apple.asset.credential.userpassword",
            "com.apple.asset.data",
            "com.apple.asset.useridentity"
          ],
          "configurations": [
            "com.apple.configuration.account.caldav",
            "com.apple.configuration.account.carddav",
            "com.apple.configuration.account.exchange",
            "com.apple.configuration.account.google",
            "com.apple.configuration.account.ldap",
            "com.apple.configuration.account.mail",
            "com.apple.configuration.account.subscribed-calendar",
            "com.apple.configuration.legacy",
            "com.apple.configuration.legacy.interactive",
            "com.apple.configuration.management.status-subscriptions",
            "com.apple.configuration.management.test",
            "com.apple.configuration.passcode.settings",
            "com.apple.configuration.security.certificate",
            "com.apple.configuration.security.identity",
            "com.apple.configuration.security.passkey.attestation",
            "com.apple.configuration.softwareupdate.enforcement.specific",
            "com.apple.configuration.watch.enrollment"
          ],
          "management": [
            "com.apple.management.organization-info",
            "com.apple.management.properties",
            "com.apple.management.server-capabilities"
          ]
        },
        "status-items": [
          "account.list.caldav",
          "account.list.carddav",
          "account.list.exchange",
          "account.list.google",
          "account.list.ldap",
          "account.list.mail.incoming",
          "account.list.mail.outgoing",
          "account.list.subscribed-calendar",
          "device.identifier.serial-number",
          "device.identifier.udid",
          "device.model.family",
          "device.model.identifier",
          "device.model.marketing-name",
          "device.model.number",
          "device.operating-system.build-version",
          "device.operating-system.family",
          "device.operating-system.marketing-name",
          "device.operating-system.supplemental.build-version",
          "device.operating-system.supplemental.extra-version",
          "device.operating-system.version",
          "device.power.battery-health",
          "management.client-capabilities",
          "management.declarations",
          "mdm.app",
          "passcode.is-compliant",
          "passcode.is-present",
          "security.certificate.list",
          "softwareupdate.failure-reason",
          "softwareupdate.install-reason",
          "softwareupdate.install-state",
          "softwareupdate.pending-version",
          "test.array-value",
          "test.boolean-value",
          "test.dictionary-value",
          "test.error-value",
          "test.integer-value",
          "test.real-value",
          "test.string-value"
        ]
      },
      "supported-features": {}
    },
    "device": {
      "identifier": { "serial-number": "S7T95QN0XP", "udid": "00000-AAAAA-111111-BBBBB" },
      "model": { "marketing-name": "iPhone 14 Plus", "number": "AB523HN/A", "identifier": "iPhone14,8", "family": "iPhone" },
      "operating-system": {
        "marketing-name": "iOS 17.0",
        "family": "iOS",
        "supplemental": { "extra-version": "", "build-version": "21A5312c" },
        "build-version": "21A5312c",
        "version": "17.0"
      }
    },
    "mdm": {
      "app": [
        { "version": "1452", "state": "managed", "external-version-id": "123456789", "identifier": "com.xxxxx.yyyy.zzzz", "name": "App Name", "short-version": "23.XX.XY" },
        { // app details },
        { // app details },
        { // app details },
        etc...
      ]
    },
    "passcode": { "is-present": true, "is-compliant": true },
    "management": {
      "declarations": {
        "activations": [ { "active": true, "identifier": "DEFAULT_ACT_0", "valid": "valid", "server-token": "1" } ],
        "configurations": [ { "active": true, "identifier": "DEFAULT_STATUS_CONFIG_0", "valid": "valid", "server-token": "2" } ],
        "assets": [],
        "management": []
      }
    },
    "security": { "certificate": { "list": [] } },
    "softwareupdate": {
      "install-reason": { "reason": [] },
      "install-state": "none",
      "pending-version": {},
      "failure-reason": { "count": 0 }
    }
  },
  "Errors": []
}

Followed by the Tokens Request:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Endpoint</key>
  <string>tokens</string>
  <key>MessageType</key>
  <string>DeclarativeManagement</string>
  <key>UDID</key>
  <string>00000-AAAAA-111111-BBBBB</string>
</dict>
</plist>

May I know if this is expected behavior, and is it possible to control the DDM status report polling data or time? Thanks in advance
Replies: 1 | Boosts: 0 | Views: 604 | Activity: Sep ’23
Issue with SSO
We have been facing an issue with SSO for some days; it was working fine a few days before. On Apple devices, once the user enters the username and password, it asks for them again when the user logs in. All things were fine and there were no changes in the system; the only thing is that this issue started happening maybe with the iOS 16 update. We have implemented SSO using Microsoft AD. Things are working for all other OSes (Windows, Android) except iOS.
Replies: 0 | Boosts: 0 | Views: 234 | Activity: Sep ’23
AvailableOSUpdates Response on a supervised device with default RecommendationCadence (0)
Is it expected behavior for an iOS device with the default recommendation cadence to only return the new major update(s) to MDM via AvailableOSUpdates? We'd expect to see both iOS 16 and iOS 17 product keys here. We don't remember this being a problem last year. An iPad11,6 running 16.5.1 that can take 16.7.1 according to GDMF, with the default RecommendationCadence, is only returning this and not anything in the 16 series:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>AvailableOSUpdates</key>
  <array>
    <dict>
      <key>AllowsInstallLater</key>
      <false/>
      <key>Build</key>
      <string>21A360</string>
      <key>DownloadSize</key>
      <integer>3157073669</integer>
      <key>HumanReadableName</key>
      <string>iPadOS 17.0.3</string>
      <key>InstallSize</key>
      <integer>1328545792</integer>
      <key>IsCritical</key>
      <false/>
      <key>IsSecurityResponse</key>
      <false/>
      <key>ProductKey</key>
      <string>iOSUpdate21A360</string>
      <key>ProductName</key>
      <string>iOS</string>
      <key>RestartRequired</key>
      <true/>
      <key>SupplementalBuildVersion</key>
      <string>21A360</string>
      <key>Version</key>
      <string>17.0.3</string>
    </dict>
  </array>
  <key>CommandUUID</key>
  <string>3e556538-d125-460e-923e-feebca9ac2e5</string>
  <key>Status</key>
  <string>Acknowledged</string>
  <key>UDID</key>
  <string>00008020-001A4C512E68402E</string>
</dict>
</plist>
Replies: 2 | Boosts: 0 | Views: 365 | Activity: Oct ’23
Screen sharing fails to unlock
14-inch 2021 MacBook Pro M1, running Ventura. When the MacBook is closed and charging, I attempt to connect via Screen Sharing from another MacBook Pro, a 13-inch 2020 M1 also running Ventura. First I have to enter my username and password into a popup before I can even get to the other Mac's screen. Then I get to the standard lock screen, showing my username and asking for a password. When I enter my password I see the desktop for a second or two, then it immediately relocks before I can even move the mouse, etc. This happens up to 4 times before I either give up or get through. This is extremely aggravating. I don't have a hot corner to relock the screen or anything like that.
Replies: 0 | Boosts: 0 | Views: 248 | Activity: Oct ’23
Install ad-hoc to iOS device remotely (iPad Mini 4)
I have an ad-hoc app that our company uses internally. I am at a different physical location than where the app is used (on iPad mini 4 units). Is there any way I can remotely update the app from my location? One solution I thought of was to use TestFlight, but that creates an app that will expire in 90 days and has the potential for long-term problems if it expires before an update. Currently I have to go and gather all the iPads, bring them to my location, and install the updates by plugging each unit into my iMac. Is there a better way to do this? Can this be done with Device Management? (Assume I know nothing about this.)
Replies: 0 | Boosts: 0 | Views: 272 | Activity: Nov ’23