We use managed Apple accounts for all users in our environment. One of these accounts is associated with an App Store app. Currently the developer console has a banner that says: "There's no credit/debit card on the Apple Online Store associated with your Apple ID to auto-renew your membership." This account, as well as my own admin account, are unable to add a payment method to our Apple account. We're missing the "Payments & Shipping" button on the Manage Account page. How can we renew our developer subscription to keep our app on the App Store? It's critical for us that the account that owns this app is managed. TIA

We have an Apple Watch app and companion iPhone app that we distribute via Enterprise Distribution using OTA manual installation. (We are on an Apple Enterprise Developer Team) With WatchOS 26.4 and earlier, the app would install fine on both the phone and the watch. However, after updating to WatchOS 26.5 (and iOS 26.5), the app will not install on the watch. It will install on the phone and we can trust the developer/run the phone app. However, when we go into the Apple Watch app on the phone and choose "Install" for the app, it tries to install for a minute and then returns an error "The app could not be installed at this time". We have tried the following remedies: Restarting both watch and phone, and reinstalling the app on phone Factory resetting both the watch and the phone, then reinstalling app Generating a new Distribution Certificate and new manual profiles for the app in Apple Developer Looking through console logs from both the phone and the watch Confirmed that we can install other (non-Enterprise) apps on the watch Try installing a basic example app (the default Xcode watch + companion app project) There does not seem to be anything obviously amiss about the app or its packaging, it seems to be something to do with the update to WatchOS 26.5. The closest related errors we have found seems to be these: appconduitd 0x16d43f000 -[ACXInstallQueue _onQueue_deQueueNextOperation]_block_invoke_3: Failed to install app .EnterpriseInstallTest.watchkitapp (p = Y, ui = Y) : Error Domain=ACXErrorDomain Code=8 "Failed to create socket" UserInfo={NSUnderlyingError=0xcf9138e10 {Error Domain=com.apple.identityservices.error Code=20 "Socket open timed out" UserInfo={NSLocalizedDescription=Socket open timed out}}, FunctionName=-[ACXServerInstallOperation _onQueue_prepForTransferAndInstall]_block_invoke, SourceFileLine=370, NSLocalizedDescription=Failed to create socket} appconduitd 0x16d89f000 -[ACXCompanionSyncConnection _installQueuedOrCompletedForWatchBundleID:companionAppBundleID:withName:userInitiated:withError:withCompletion:]_block_invoke: Failed to install app .EnterpriseInstallTest.watchkitapp : Error Domain=ACXErrorDomain Code=8 "Failed to create socket" UserInfo={NSUnderlyingError=0xcf9138e10 {Error Domain=com.apple.identityservices.error Code=20 "Socket open timed out" UserInfo={NSLocalizedDescription=Socket open timed out}}, FunctionName=-[ACXServerInstallOperation _onQueue_prepForTransferAndInstall]_block_invoke, SourceFileLine=370, NSLocalizedDescription=Failed to create socket}

Hi, We're implementing a DDM-capable MDM server. A DEP-enrolled, supervised iPad (iOS 26.4.2) successfully completes manifest synchronization but never proceeds to fetch the individual declaration bodies. Looking for guidance on what we might be missing. Observed flow (from our server logs): We enqueue a DeclarativeManagement MDM command and APNs-wake the device. The command body is: RequestTypeDeclarativeManagement (no Data field) Device acknowledges the command on the Connect endpoint (Status=Acknowledged). Device calls CheckIn with: MessageType = DeclarativeManagement Endpoint = tokens We respond 200 with: { "SyncTokens": { "DeclarationsToken": "", "Timestamp": "2026-05-19T..." } } Device calls CheckIn with: MessageType = DeclarativeManagement Endpoint = declaration-items We respond 200 with: { "Declarations": { "Activations": [{"Identifier":"...","ServerToken":"v1-..."}], "Configurations": [{"Identifier":"...","ServerToken":"v1-..."}], "Assets": [], "Management": [] }, "DeclarationsToken": "" } ---- Nothing further. ---- No request for Endpoint = declaration/activation/ No request for Endpoint = declaration/configuration/ No status report on Endpoint = status The MDM channel is healthy. The same device responds normally to non-DDM commands (DeviceInformation, etc.) immediately before and after this flow. Questions: Is an empty "Management" array acceptable in the declaration-items response, or is at least one declaration (e.g. com.apple.management. organization-info) required before the device will proceed to fetch declaration bodies? The DeclarationsToken returned in step 3 (tokens) and step 4 (declaration-items) are byte-identical. Is that correct, or should they differ in some way? Are there any additional preconditions for the device to begin fetching declaration bodies after receiving the manifest -- e.g. a specific Activation->Configuration linkage we might be missing? Is there a server-side log signal Apple can suggest we look for, or a way to see why the device decided not to fetch? Activation payload sample we publish: { "Type": "com.apple.activation.simple", "Identifier": "...", "ServerToken": "v1-...", "Payload": { "StandardConfigurations": ["<configuration-identifier-from-step-4>"] } } Configuration payload sample we publish: { "Type": "com.apple.configuration.softwareupdate.settings", "Identifier": "...", "ServerToken": "v1-...", "Payload": { ... softwareupdate settings ... } } Any pointers appreciated. Happy to share full server-side logs / payloads if useful. Thanks.

Hello Apple Developer Community, I'm experiencing an invalid_client error (HTTP 400) when attempting to authenticate with the Apple School Manager API using OAuth2 with JWT bearer assertion (RFC 7523). Despite verifying all configuration values and following Apple's documentation, I continue to receive this error. Error Details Error: invalid_client HTTP Status: 400 Bad Request Endpoint: https://appleid.apple.com/auth/oauth2/v2/token Response: {"error": "invalid_client"} My Configuration All values have been verified to match Apple School Manager exactly: Organization ID: 55155430 Key ID: 8136a1f6-c995-4010-b964-bc8278c107ef Client ID (Service ID): SCHOOLAPI.7c0c10a0-4d8a-4ef8-a2be-eda040b65c59 Private Key: Loads correctly, signs JWT properly (ES256) JWT Configuration I'm generating a JWT with the following structure: Header: { "alg": "ES256", "kid": "8136a1f6-c995-4010-b964-bc8278c107ef", "typ": "JWT" } Payload: { "iss": "55155430", "sub": "SCHOOLAPI.7c0c10a0-4d8a-4ef8-a2be-eda040b65c59", "aud": "https://appleid.apple.com", "iat": [timestamp], "exp": [timestamp + 30 days] } Token Request Method: POST Content-Type: application/x-www-form-urlencoded Parameters: grant_type: client_credentials client_assertion_type: urn:ietf:params:oauth:client-assertion-type:jwt-bearer client_assertion: [JWT token] scope: https://api.apple.com/auth/schoolmanager What I've Verified ✅ All configuration values match Apple School Manager exactly ✅ Private key file exists and loads correctly ✅ JWT is generated with correct structure (ES256, proper claims) ✅ Key ID in JWT header matches the Key ID from Apple School Manager ✅ Request format matches OAuth2 RFC 7523 specification ✅ Content-Type header is application/x-www-form-urlencoded ✅ Tried both Client ID and Organization ID as sub claim (both fail with same error) ✅ DNS resolution and API connectivity are working ✅ API account appears active in Apple School Manager interface What I've Tried Using Client ID as sub: Tried using SCHOOLAPI.7c0c10a0-4d8a-4ef8-a2be-eda040b65c59 as the sub claim Using Organization ID as sub: Tried using 55155430 as the sub claim (fallback) With and without scope: Tried both including and excluding the scope parameter Different JWT expiration: Tried various expiration times (30 days, 180 days) Verified Service ID format: Confirmed the Client ID follows the SCHOOLAPI.xxxxx-xxxxx-xxxxx format Both attempts (Client ID and Organization ID as sub) return the same invalid_client error. Previous Support Interaction I've contacted Apple Developer Support (Case #102783504559). They confirmed: The technical implementation is correct The issue is an account access/permission problem My Apple Account email is not associated with any memberships The Account Holder must add me to the Enterprise team membership However, I'm posting here to see if anyone in the community has: Experienced similar issues and found a solution Additional technical insights about the invalid_client error Suggestions for what else to verify or try Questions Is there a specific format requirement for the sub claim? Should it be the Client ID (Service ID) or Organization ID? I've tried both. Are there any additional claims required in the JWT beyond iss, sub, aud, iat, exp? Could there be a backend issue with the API account even though it appears active in Apple School Manager? Has anyone successfully resolved an invalid_client error that wasn't related to account access? Is there a delay after creating an API account before it becomes fully active for authentication? Technical Details Language: Python (Flask) JWT Library: PyJWT with cryptography library Algorithm: ES256 (ECDSA P-256) OAuth2 Flow: Client Credentials Grant with JWT Bearer Assertion (RFC 7523) Error Log I've generated a detailed error log showing the exact request/response. The key points: HTTP 400 Bad Request Response: {"error":"invalid_client"} Same error occurs with both Client ID and Organization ID as sub Any Help Appreciated If anyone has encountered this issue or has insights into what might be causing it, I'd greatly appreciate your help. I'm happy to provide additional details or try any suggestions. Thank you! Case Number: 102783504559 API Account: Created in Apple School Manager Status: API account appears active, but authentication fails

Our organization is attempting to retrieve the External Version Identifier (EVID) history for all published versions. This data is required so that we can pass the exact externalVersionIdentifier integer to our deployment framework to pin specific app versions on our managed devices. We currently have an active App Store Connect account, but our attempts to fetch this data via standard publishing APIs return a 401 Unauthorized error. To help us resolve this technical blocker, please provide explicit engineering guidance on the following four points: API Endpoint Architecture: Is the enterprise Apps and Books for Organizations API (apple.com) the only platform that exposes the externalVersionId history for all versions? If so, what is the exact endpoint path we must call to return the full version-based EVID array? Account Requirements: Can these version-specific EVIDs be retrieved using our existing App Store Connect developer credentials, or is an Apple Business Manager (ABM) account strictly mandatory to bypass the 401 gate? ABM Portal Setup for EVIDs Only: If an ABM account is mandatory, what are the minimum technical steps required inside the ABM dashboard to fetch only the EVID data? Specifically, do we need to "purchase" a volume license for the target app to make its version history accessible via the API? Authentication Parameters: What is the correct token structure for this endpoint? Do we need to pass a specific location server token (sToken / itvt cookie) generated inside ABM alongside our signed developer JWT header? Thank you for your time and technical guidance. We look forward to your engineering team's response.

Buongiorno, In azienda abbiamo molti iPhone gestiti su ABM integrati con Intune, adesso il passaggio su nuovi dispositivi con ripristino dei dati non è possibile avvicinandoli perché la funzione “inizia subito“ non appare. Qualcuno conosce un sistema rapido per la migrazione dei dati da un iPhone a un altro che non sia il Finder? Grazie per l’aiuto

forum-post-v2-evidence.log MCRestrictionsPayload (allowListedAppBundleIDs) breaks Apple Watch app enumeration — nanotimekitcompaniond reports "Missing .app from directory: /Watch/" Summary Installing a Configuration Profile with com.apple.applicationaccess payload containing allowListedAppBundleIDs causes native Apple Watch apps to disappear from the paired Watch — even when their bundle IDs are explicitly in the whitelist. Log analysis shows this is not a bundle ID matching problem: nanotimekitcompaniond on the iPhone fails to enumerate the <companion>.app/Watch/ subdirectories where native watchOS app stubs live. Follow-up to https://developer.apple.com/forums/thread/745585 — community-confirmed but received no official response. Environment iPhone 16 (iPhone17,3), iOS 26.4.2 (23E261), supervised Apple Watch paired via Bridge.app Profile installed locally via Apple Configurator (no MDM server required) Smoking gun Within ~5 seconds of profile install, two processes (nanotimekitcompaniond and NTKFaceSnapshotService) log identical errors for eight companion-app paths: nanotimekitcompaniond[1498] <Error>: Missing .app from directory: file:///Applications/MobilePhone.app/Watch/ nanotimekitcompaniond[1498] <Error>: Missing .app from directory: .../Calculator.app/Watch/ nanotimekitcompaniond[1498] <Error>: Missing .app from directory: .../Bridge.app/Watch/ nanotimekitcompaniond[1498] <Error>: Missing .app from directory: .../MobileTimer.app/Watch/ nanotimekitcompaniond[1498] <Error>: Missing .app from directory: .../Camera.app/Watch/ nanotimekitcompaniond[1498] <Error>: Missing .app from directory: .../VoiceMemos.app/Watch/ nanotimekitcompaniond[1498] <Error>: Missing .app from directory: .../MobileMail.app/Watch/ nanotimekitcompaniond[1498] <Error>: Missing .app from directory: .../FindMy.app/Watch/ NTKFaceSnapshotService[3758] <Error>: Missing .app from directory: <same 8 paths> The Watch's app icons and face complications both go through these processes, which explains the symptoms users see. iOS itself flags the payload as Watch-incompatible — but applies it anyway profiled[179] <Notice>: Payload class MCRestrictionsPayload (com.apple.applicationaccess) is not supported on any Watch version profiled[179] <Notice>: Payload class MCRestrictionsPayload (com.apple.applicationaccess) is not available on HomePod profiled[179] <Notice>: Beginning profile installation... profiled[179] <Notice>: Profile "...v2..." installed. So profiled knows the payload doesn't target watchOS — yet its side effects clearly manifest there. Tests performed Test Bundle IDs in whitelist Result v1 249 (every installed iOS app: Apple + 3rd party) Walkie-Talkie, Messages, Find My + more disappear from Watch v2 295 (v1 + every Apple extension/Nano* daemon seen in syslog: *.MessagesActionExtension, *.FindMyNotifications*Extension, *.FindMyWidget*, com.apple.NanoBackup, com.apple.NanoMusicSync, com.apple.NanoPreferencesSync, com.apple.NanoTimeKit.face, com.apple.NanoUniverse.AegirProxyApp, com.apple.tursd, com.apple.FaceTime.FTConversationService, com.apple.Bridge.GreenfieldThumbnailExtension, etc.) Identical Missing-.app errors. Same apps disappear. Conclusion: this is not a bundle ID matching issue — adding more IDs doesn't help. The system fails to enumerate <companion-iOS-app>.app/Watch/ regardless of whitelist contents. Many users in my prior thread reported trying 100+ bundle ID combinations without success; this evidence explains why. Reproduction (no MDM required) Pair Apple Watch with iPhone normally. Generate a Configuration Profile with com.apple.applicationaccess + any non-empty allowListedAppBundleIDs array. Install via Apple Configurator's cfgutil install-profile, or AirDrop + Settings → Install. Within ~5 s, nanotimekitcompaniond errors appear (visible via idevicesyslog). Native Watch apps backed by an iOS companion stub disappear from the Watch's app grid and from face complications. Hypothesis MCRestrictionsPayload applies an enumeration filter that does not descend into .app/Watch/ subdirectories when computing visible apps. nanotimekitcompaniond consequently sees those directories as missing, the Watch's Carousel (SpringBoard equivalent) hides the apps, and NTKFaceSnapshotService can't load corresponding complications. Because profiled itself logs the payload as "not supported on any Watch version", this appears to be unintended bleed-through. Questions for Apple Is MCRestrictionsPayload / allowListedAppBundleIDs officially supposed to affect Apple Watch apps? profiled says no. Is there an undocumented bundle ID pattern (e.g. <companion>.watchapp, or a Bridge.app/Watch/ prefix) that needs whitelisting to keep native Watch apps visible? Is the recommended workaround to use blacklistedAppBundleIDs instead? Should the enumeration error (Missing .app from directory: .../Watch/) be tracked as a separate watchOS framework bug? Artifacts Curated evidence log with timestamps, profile installer events, and the eight Missing-.app errors is attached as forum-post-v2-evidence.log. Full idevicesyslog captures (multiple install/remove cycles, ~2M log lines) and the .mobileconfig files are available on request. Thanks — looking forward to guidance.

Summary: When applying a configuration profile that uses allowListedAppBundleIDs to permit a defined set of apps, essential Apple Watch apps are unexpectedly removed from the paired Watch — even though their associated iPhone bundle IDs are explicitly included. This issue occurs with a minimal profile, and has been consistently reproducible on the latest versions of iOS and watchOS. Impact: This behavior severely limits the use of Apple Watch in managed environments (e.g., education, family management, accessibility contexts), where allowlisting is a key control mechanism. It also suggests either: Undocumented internal dependencies between iOS and watchOS apps, or A possible regression in how allowlists interact with Watch integration. Steps to Reproduce: Create a configuration profile with a Restrictions payload containing only the allowListedAppBundleIDs key. Allow a broad list of essential system apps, including all known Apple Watch-related bundle IDs: com.apple.NanoAlarm com.apple.NanoNowPlaying com.apple.NanoOxygenSaturation com.apple.NanoRegistry com.apple.NanoRemote com.apple.NanoSleep com.apple.NanoStopwatch com.apple.NanoWorldClock (All the bundles can be seen in the Attached profile) Install the profile on a supervised or non-supervised iPhone paired with an Apple Watch. Restart both devices. Observe that several core Watch apps (e.g. Heart Rate, Activity, Workout) are missing from the Watch. Expected Behavior: All apps explicitly included in the allowlist should function normally. System apps — especially those tied to hardware like Apple Watch — should remain accessible unless explicitly excluded. Actual Behavior: Multiple Apple Watch system apps are removed or hidden, despite their iPhone bundle IDs being listed in the allowlist. Test Environment: iPhone running iOS 18 Apple Watch running watchOS 11 Profile includes only the allowListedAppBundleIDs key Issue confirmed on fresh devices with no third-party apps Request for Apple Engineering: Please confirm whether additional internal or undocumented bundle IDs are required to preserve Apple Watch functionality when allowlisting apps. If this behavior is unintended, please treat this as a regression or bug affecting key system components. If intentional, please provide formal documentation listing all required bundle IDs for preserving Watch support with allowlisting enabled. Attachment: .mobileconfig profile demonstrating the issue (clean, minimal, reproducible) Attached test profile = https://drive.google.com/file/d/12YknGWuo1bDG-bmzPi0T41H6uHrhDmdR/view?usp=sharing

We've put in a feedback assistant request, but not sure if we will get feedback in that channel or not and also want to highlight for others. When replacing a basic passcode profile on a macOS device with a passcode declaration, the user is required to change the password after logging out and back in. Explicitly including the "ChangeAtNextAuth" key set equal to false, set required a password change after logging out and back in. Once the declaration is active and the password has been changed, future updates to the passcode declaration do not require a password change unless the existing password is not compliant. Steps to reproduce: Install a basic passcode profile on a macOS device Ensure the existing password matches the requirements specified in the profile Install a passcode declaration with the same settings as the passcode profile currently installed Remove the traditional passcode profile from the device After the passcode declaration is installed, check the local pwpolicy with the command pwpolicy getaccountpolicies and look for the key policyAttributePasswordRequiredTime Log out of the macOS device Log back into the macOS device and you are presented with a change password prompt Expected result: Simply replacing an existing passcode profile with the exact same settings in a passcode declaration should not require a password change if the existing password is compliant. Actual results: After replacing the passcode profile with a passcode declaration, a password change was required even though the existing password was compliant. Initial testing was done with a macOS VM running 15.5. Additional testing has now been done with a macOS VM running 26.4.1 and the same behavior was observed.

Hi, We have a macOS app that uses NETransparentProxyManager (Transparent App Proxy) with a NETunnelProviderExtension. The Network Extension is configured and deployed via an MDM configuration profile. The profile is pushed through Intune MDM as a user-enrolled device (Company Portal enrollment, not ADE/supervised). The MDM profile sets up the Transparent Proxy extension as follows (sanitized snippet): <key>VPNType</key> <string>TransparentProxy</string> <key>TransparentProxy</key> <dict> <key>ProviderType</key> <string>app-proxy</string> <key>ProviderBundleIdentifier</key> <string>com.example.app.tunnel</string> <key>ProviderDesignatedRequirement</key> <string>identifier "com.example.app.tunnel" and anchor apple generic and certificate leaf[subject.OU] = TEAMID</string> <key>RemoteAddress</key> <string>100.64.0.0</string> </dict> <key>PayloadScope</key> <string>System</string> What we do in code: Call NETransparentProxyManager.loadAllFromPreferences — this correctly returns the MDM-managed profile (1 profile found) We do not call saveToPreferences — the profile already exists We call NEVPNConnection.startVPNTunnel() to connect and NEVPNConnection.stopVPNTunnel() to disconnect Problem: On a user-enrolled MDM device, when the app is running as a standard user (non-admin), every call to startVPNTunnel() or stopVPNTunnel() triggers the macOS VPN consent dialog: "VPN is trying to modify your system settings. Enter your password to allow this." Console log evidence: Failed to authorize 'system.preferences' by client '/System/Library/ExtensionKit/Extensions/VPN.appex' for authorization created by '/System/Library/ExtensionKit/Extensions/VPN.appex' (-60006) (engine 881) Key observations: Even if the user does not provide the admin credentials in the popup and cancel the window, still things work properly in the background i.e start/stop works. This does not happen for admin users on user-enrolled devices saveToPreferences is NOT called — the profile is MDM-managed and already present The prompt is triggered purely by startVPNTunnel() / stopVPNTunnel() from a standard user process Question: Is there a supported API, entitlement, or MDM configuration key that allows NETransparentProxyManager.startVPNTunnel() / stopVPNTunnel() to be invoked by a standard user process on a user-enrolled (non-supervised) device without triggering the system.preferences authorization dialog — given that the VPN profile is already deployed and managed by MDM?

Hi, Is there any possible way we can install enrolment provisioning profile using iOS app using User/Account Authentication Enrolment such as described in this thread: https://developer.apple.com/documentation/devicemanagement/implementing-the-oauth2-authentication-user-enrollment-flow

Hi, Is there any possible Apple approved way or workaround if we can bypass the stolen device protection delay of 1 hour when a user try to install our MDM server's enrolment profile on unknown location? I do not want managed apple account solution. I need solution for BYOD devices not for company owned. Thank you, Software Engineer - iOS

If I have a macOS devices enrolled in MDM, with a DDM policy defined to deliver passcode settings to the device I can run: sudo pwpolicy -getaccountpolicies to see the configuration on the device. I can subsequently run: sudo pwpolicy -clearaccountpolicies Then all passcode policies applied in my declarations are cleared from the device allowing the user to set and use any password they want with no bearing on the delivered passcode settings. I have left my macOS devices for days on and off network and the pwpolicy data never returns. The passcode settings do not restore on the device until I do one of the following: manually re-push all declarations from MDM log off and log back on reboot the computer It was my understanding that DDM was meant to assess device state and self heal on its own without requiring an MDM service to re-push any commands. Based on this finding this seems broken or I may misunderstand how DDM is supposed to work. macOS version: 26.4.1

We intend to request a fee waiver as an eligible educational institution in Japan. Could you please provide an estimate of how long the verification process typically takes for educational institutions? Also, if there are any specific documents or additional information required to expedite the "Accredited Educational Institution" verification and fee waiver process, please let us know.

Hi Dear Apple experts, I am hitting a problem (observed from Apr-15, maybe earlier) for renewing ABM/DEP token from my MDM server. My renewal steps: Download public key from my MDM server Upload the public key to the ABM Device Management server instance in ABM portal, and download a new token Upload the new token to my MDM server The problem here is at step-2: If upload the public key to an existing ABM Device Management server instance in ABM portal, then the generated token will be rejected by my MDM server with error "Could not find recipient info"; However, if upload the public key to a newly created ABM Device Management server instance, then everything is good. So, looks to me, it is the token issue when renewing an existing ABM MDM instance. Could you please help take a look? Thanks, Wei

Is system_profiler the recommended approach for retrieving installed application data on macOS? If not, what is the preferred and reliable alternative to fetch a consistent and complete list of installed applications?

Requesting com.apple.managed-keychain Entitlement for Enterprise S/MIME Cert Visibility Platform: iOS | Distribution: MDM (Microsoft Intune) | Not App Store We are developing an internal enterprise iOS app (EMS Assist, com.company.supportcompanion) for Company deployed exclusively to Intune-managed devices. Our requirement: Read S/MIME certificates pushed to the device via Intune SCEP profiles to: Confirm cert presence in the MDM-managed keychain Read expiry date (kSecAttrNotValidAfter) to warn users before expiry Distinguish between missing, expired, and valid cert states What we have tried: Standard SecItemCopyMatching query — returns only app-installed certs, not MDM-pushed certs Graph API (deviceConfigurationStates) — confirms profile compliance but does not expose actual cert expiry or keychain presence Our understanding: com.apple.managed-keychain is required for an app to access MDM-managed keychain items on supervised devices, combined with a matching keychain-access-groups entitlement and the cert profile configured as "always available" in MDM. Questions: Is com.apple.managed-keychain the correct entitlement for this use case? Does it apply to SCEP/PKCS-issued certificates specifically, or only other MDM keychain items? Has anyone successfully accessed Intune-pushed S/MIME certs from an iOS app using this entitlement? Any guidance from the community or Apple engineers would be appreciated.

Our enterprise App (Loan Signature) is distributed to our corporate Ipads using JAMP. We use provisioning profile and certificate along with the IPA file to push the builds. Our current disstribution profile is expiring on 23d April 2026 and we wanted to update the Profile. So we created a new provisioning profile (Enterprise V9, along with a new ceritificate that ends on April 1st 2029). The enterprise provisioning profile is created in the same way as the old one which is called Enterprise V8. However when we use JAMP to upload the certificate and our current production version of app, it is not working. The app would not load and it would complain that the app is not available. I was told by the JAMF administrators that the profile could be wrong and I have no way to find out. Any help in this regard will really be helpful.

I'm trying to enable Supervision Mode on a Wi-Fi-only Apple TV (Apple TV 4K) using Apple Configurator on macOS, but I’m unable to get the device into supervised state. What I’ve tried so far: Connected Apple TV to Mac using Apple Configurator pairing mode via same wifi connection Erased and prepared the device Followed the "Prepare" workflow to supervise the device Issue: After preparation completes, the device does not appear as supervised in Apple Configurator.

Issue - Falcon application is intermittently not detected using system_profiler command Use case - We are trying to fetch the list of installed applications on macOS using the system_profiler command. While this works for most applications, we are observing inconsistent behavior with the Falcon application — it is sometimes detected as installed and sometimes missing from the results, even though it is present on the system. This inconsistency is causing issues in reliably tracking installed security software. Command used - /usr/sbin/system_profiler SPApplicationsDataType