We are doing application assignment to personal iOS devices that are enrolled in MDM via User Enrollment. However, we're experiencing some odd behavior when assigning licenses. We are getting back errors from the devices when doing assignments: code: 12064, domain: MDMErrorDomain, description: Could not retrieve licence for the app with iTunes Store ID 422689480. code: 2605, domain: DeviceManagement.error, description: No licence was found for app "com.google.Gmail". However, we are not seeing license exhaustion on the Apple Business Manager side for our location. We are not clear what would cause the 12064 or 2605 errors. We have tried re-sending the command to install the app, and we have tried un-enrolling devices and re-enrolling, as well as updating the VPP Token for the location. We have gathered sysdiagnoses from affected devices, but it's not clear what causes this. What other causes are there for 12064 and 2605 errors? How can we work around these?

out of 37 devices, 7 are inactive( al are ios ). We have checked one of the devices and the broadcast message was sent successful. Additionally, Cx confirmed that the location history is shown properly. We restarted the device, checked the date and time, and found it to be correct. We also switched to a different network, but that doesn't change anything. The sync from the Hexnode app was successful. We reinstalled the MDM profile, yet it doesn't change anything. We renewed the APNs once and checked, but the scan device action remains pending.

how can i generate MDM Push Certificate for my own MDM server. Please guide me on that.

Can someone help me, every time I insert a new attribute in the Table, the Query stops working, the bank keeps giving these messages, thank you

Unable to distribute the App via Intune, When tried to install the App on Intune enrolled device. Gets error: Unable to install “App Name”. This app cannot be installed because its integrity could not be verified. Verified Bundle ID is getting updated and Sign-in shows successful. Mac OS Build - 13.7.2 (22H313) XCode Version: 15.1 (15C65) Provisioning Profile renewed this week Distribution Certificate Valid till 2027

What is the proper payload for the FDEFileVault? Do I need to provide a user password in the payload to proceed with turning on the FileVault? Isn't that a privacy issue? Why UserEntersMissingInfo does not work for me? How to properly turn off FileVault - every try failed? Below I attach tested payloads and results. Test 1: Enable: "On" Result 1: Error ErrorCode: -319 LocalizedDescription: The ‘FileVault Settings’ payload could not be installed. User authentication failed. Test 2: Enable: "On" Username: "username on a device" Result 2: Error ErrorCode: -319 LocalizedDescription: The ‘FileVault Settings’ payload could not be installed. User authentication failed. Test 3: Enable: "On" Username: "username on a device" Password: "password of the user" Result 3: Success: FileVault turned On Test 4: After previously turning On FileVault successfully after restarting a machine. Enable: "Off" Result 4: Fail: FileVault didn't turn off, but the profile in settings updated. The machine restart didn't help. Test 5: Enable: "On" UserEntersMissingInfo: True Result 5: Error ErrorCode: -319 LocalizedDescription: The ‘FileVault Settings’ payload could not be installed. User authentication failed. Test 6: Enable: "On" Username: "username on a device" UserEntersMissingInfo: True Result 6: Error ErrorCode: -319 LocalizedDescription: The ‘FileVault Settings’ payload could not be installed. User authentication failed. Test 7: This is example payload from: https://developer.apple.com/documentation/devicemanagement/fdefilevault#Profile-Example Defer: True Enable: "On" ShowRecoveryKey: True UseKeychain: False UseRecoveryKey: True UserEntersMissingInfo: False Result 7: Success: FileVault turned On Test 8: Same as test 4, but after turning on like test 7. Test 9: Defer: True Enable: "Off" ShowRecoveryKey: True UseKeychain: False UseRecoveryKey: True UserEntersMissingInfo: False Result 9: Fail: FileVault didn't turn off, but the profile in settings updated. The machine restart didn't help. Test 10: Defer: True Enable: "Off" ShowRecoveryKey: True UseKeychain: False UseRecoveryKey: True UserEntersMissingInfo: True Result 10: Fail: FileVault didn't turn off, but the profile in settings updated. The machine restart didn't help. Test 11: Defer: True Enable: "Off" ShowRecoveryKey: True UseKeychain: False UseRecoveryKey: True UserEntersMissingInfo: True DeferForceAtUserLoginMaxBypassAttempts: 0 Result 11: Fail: FileVault didn't turn off, but the profile in settings updated. The machine restart didn't help. Test 12: UserEntersMissingInfo: True Enable: "Off" Username: "username on a device" Result 12: Fail: FileVault didn't turn off, but the profile in settings updated. The machine restart didn't help.

Since this file is protected by SIP, it can't just be changed by an installer/app without prompting the user. If the user chooses to deny the request, the sudo file won't be updated with a security critical pam module. I need to insert our custom pam module into /etc/pam.d/sudo without the user being able to deny the operation.

We are in the process of replacing the TripleDES algorithm with AES in our MDM solution. However, after switching the encryption algorithm, we encountered the following error on Apple devices during enrollment: Error: "-26275 error decrypting response payload (mdmclient(SCEP))" Do Apple devices support AES encryption during the enrollment process, or are there any known limitations that prevent its use? Technical Details: During enrollment, when the device attempts to install the Management Profile, it requests the MDM server to retrieve the device certificate from the SCEP URL. We send the certificate by creating Enveloped CMS content, using TripleDES as the algorithm identifier. If we switch the algorithm to AES, we observe the error mentioned above. We are also using TripleDES when preparing the CMS content for the enrollment profile, which works without issues.

On devices running iOS 18+, when a web app kiosk policy is pushed via an MDM and the device is restarted. The touch screen doesn't respond on the device. So the device is currently in a brick state. Since we can't enter the password we can't get the logs from the device and it is even hard to recover the device. On restart the device isn't connecting to the internet so it isn't possible to remove the kiosk policy as well. This only happens on devices running iOS 18+ and with web app kiosk profile.

I tried the new feature of macOS 26.0 com.apple.configuration.app.managed. A configuration and its activation are defined with the data like this. InstallBehavior: Install: Required License: Assignment: Device iOSApp: true AppStoreID: '1113153706' After distributing the configuration with DeclarativeDevicement MDM command, an error is notified via status channel app.managed.list. "managed": { "list": [ { "state": "failed", "declaration-identifier": "1424a813-113f-5de0-9a75-38bf64f22673", "identifier": "com.microsoft.skype.teams", "name": "Microsoft Teams" } ] } What am I missing in the settings? Thank you

I have an issue with my MDM setup. The Push notification that installs and updates configuration profile in the device is no longer working. It was working before Apple developer account got expired we renewed our apple developer account and then retried and we got the device enrollment working just fine. Now when we are updating configuration profile and MDM server is supposed to notify the device using push notification, this is the part where its not working. Are the certs faulty now since the account was expired? Would just renewal of the Push cert work? Will I have to setup the certs all over again? Any help is appreciated. Thanks in advance.

We are experiencing a lot of problems deploying an enterprise app for in-house use since late January. All our iPads are managed by an MDM solution. It can take 10 or more attempts to successfully deploy the app. The deployment usually fails with the message "ASDErrorDomain error 854" among other messages. The company providing the MDM solution has no idea what causes this message or what it means. I suspect the error message is not generated by the MDM solutiion but rather gets passed through from iOS. After many attempts the installation may succeed suddenly, though, and the apps works as expected, but this may take weeks. I have not done any changes to my development system. 'I am running XCode 15.3 with SDK version 17.4, the iPads are on iOS 18.3

Why is MDM camera restriction designed not to work on the lock screen?

Hello, I'm currently working on implementing app installation features, referencing the app.managed.yaml declaration on GitHub: https://github.com/apple/device-management/blob/0a4527c5ea21825fd23e08273ccdb9e2302458ce/declarative/declarations/configurations/app.managed.yaml My question pertains to the InstallBehavior.Version key. The current specification indicates its type as <integer>: key: Version title: Version supportedOS: iOS: introduced: '26.0' macOS: introduced: '26.0' visionOS: introduced: '26.0' type: <integer> Is there a way to specify the app version using a string format, such as x.y.z, instead of the integer (App Store External Version Identifier - EVID)? Allowing for a simpler version specification would make app version management through MDM more flexible and efficient. I believe this would significantly streamline the deployment and operation of Apple devices within organizations. Any guidance or consideration for this would be greatly appreciated. Thank you.

Our organization is deploying passwordless authentication. Instead of using a password, employees must use the Microsoft Authenticator app to complete the login process. Unfortunately, employees with passwordless authentication can't complete the login on the Wi-Fi Captive portal with SAML authentication. The reason is that when an employee switches to the Microsoft Authenticator app, the Apple CNA (Apple Network Captive Assistant) disappears. As a result, the authentication process breaks. According to the https://developer.apple.com/news/?id=q78sq5rv source, iOS 14+ devices support the RFC-8908 standard. Unfortunately, we couldn't find a reliable source on how this feature works on iOS devices. The question is: Is it possible to automatically forward Wi-Fi clients to the SAML authentication portal in the default browser app (for example, Safari) after connecting an employee to Wi-Fi?

Hi Apple Community, I have been Testing with key allowAccountModification in macOS Restriction Payload and found some contrasting behavior In macOS 14, macOS 15.1 in both of the OS Version when allowAccountModification is set to False it restricts adding new Account in System Settings and this is expected behavior How ever things are contrasting and not going as expected in the below situation When macOS 14 Version has 2 profiles for Restriction Payload one with allowAccountModification set to False and another with allowAccountModification set to True it restricts adding Apple Account When macOS 15.1 Version has 2 profiles for Restriction Payload one with allowAccountModification set to False and another with allowAccountModification set to True it allows adding Apple Account I remember when restrictions payload keys are contrasting across different profile Apple Uses the most restrictive one among them. But in macOS 15.1 the behavior is unexpected. Is this a issue in 15.1 and is there any list of macOS versions which shows this unexpected behavior

Hi,team: I know that the MDM system extension configuration parameter RemovableSystemExtensions can only be valid after macOS12+, but can I also use this parameter between macOS10.15-12? Even if he is ineffective. Will this cause any problems with the system. I want to use the same MDM configuration file for the devices I manage, which have systems between macOS10.15-15.I hope to receive your confirmation

It's a great platform to grow your knowledge. Apple Teacher

Hi. I am writing a little MDM application. Despite the basic task (add a password for 'remove profile' button in settings), it seems I am stuck with a problem: When I try to enroll my device with enrollment.mobileconfig file, Apple Configurator app, I receive an error The profile “Enrollment Profile” could not be installed because it is invalid. Make sure the profile is valid and try installing it again. The original architecture of my .mobileconfig contains of two payloads (com.apple.security.scep , com.apple.mdm), and it works correctly. However, when I try to add a third payload of com.apple.profileRemovalPassword , I receive the error stated above. From logs collected on iPhone, here's what was found : Failed to parse profile data. Error: NSError: Desc : The profile “Enrollment Profile” is invalid. Sugg : A profile containing an MDM payload must be removable. US Desc: The profile “Enrollment Profile” is invalid. US Sugg: A profile containing an MDM payload must be removable. Domain : MCProfileErrorDomain Code : 1000 Type : MCFatalError Params : ( "Enrollment Profile" ) ...Underlying error: NSError: Desc : A profile containing an MDM payload must be removable. US Desc: A profile containing an MDM payload must be removable. Domain : MCProfileErrorDomain Code : 1000 Type : MCFatalError Extra info: { isPrimary = 1; } My main dictionary contains HasRemovalPasscode Also, I have tried playing around with PayloadRemovalDisallowed setting it to true and false, however, I keep getting the same error message. There is also a second error produced: Profile MCConfigurationProfile, version 1: Display Name: “Enrollment Profile” Description : “***” Identifier : *** UUID : *** Organization: *** Is Stub : No Locked : Yes Removal passcode present Encrypted : No Trusted : 0 Signed : No Device Type : 0 Payloads: Payload MCSCEPPayload, version 1 Description : “***” Identifier : *** UUID : *** Type : com.apple.security.scep Display name: *** Organization: *** Payload MCMDMPayload, version 1 Description : “***” Identifier : *** UUID : *** Type : com.apple.mdm Organization: *** Payload MCRemovalPasswordPayload, version 1 Identifier : com.examp Can't parse profile: <decode: missing data> The code for com.apple.profileRemovalPassword is taken from apple documentation (https://developer.apple.com/documentation/devicemanagement/profileremovalpassword) I have also tried the automatic way - creating it from Apple Configurator, so it is correct in terms of syntax 100%. Several important notes: Creating a fresh new profile with just password removal protection single payload allows to perform a download of the profile If I comment out the whole com.apple.mdm payload block, I will be able to download this profile on iPhone also The com.apple.mdm block is also valid by itself, and works correctly I have tried implementing other types of "dummy" payloads - for example com.apple.dock <dict> <key>PayloadType</key> <string>com.apple.dock</string> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadIdentifier</key> <string>com.example.test.dock</string> <key>PayloadUUID</key> <string>22222222-3333-4444-5555-666666666666</string> <key>PersistentApps</key> <array/> </dict> And everything worked out fine. So my hypothetical conclusion out of these four notes might be in some type of interconnection between mdm and profileRemovalPassword, which isn't really listed anywhere? Or am I missing something ? Thank you in advance.

https://uclient-api.itunes.apple.com/WebObjects/MZStorePlatform.woa/wa/lookup?version=2&id=1515995528&p=mdm-lockup&caller=MDM&platform=enterprisestore&cc=IN return blank result when parameter platform=enterprisestore is added for india location when platform=enterprisestore is removed for india location result is there. https://uclient-api.itunes.apple.com/WebObjects/MZStorePlatform.woa/wa/lookup?version=2&id=1515995528&p=mdm-lockup&caller=MDM&cc=IN