Hello,
ContentFilterUUID in the WebContentFilter payload can be used for "Per-App content filter": the UUID can be used in app attributes, as stated in the doc:
A globally-unique identifier for this content filter configuration. Managed apps with the same ContentFilterUUID in their app attributes have their network traffic processed by the content filter.
Do I understand correctly that if we want the profile to be globally applied, it should NOT contain the ContentFilterUUID key?
We're seeing cases where setting the key would make the profile do nothing on the device, but the documentation is not 100% clear on this.
Any clarification would be very much appreciated!
Thanks
Hi Apple Community,
Problem Description:
Regarding the transition from MDM (Mobile Device Management) profiles to DDM (Declarative Device Management) profiles, as announced during WWDC 2023, this marks a significant step forward in simplifying our device management process.
When we attempted to test this transition with the 17 developer beta OS version devices, we encountered a notable challenge. Specifically, when trying to apply a DDM Webclip legacy profile configuration to a device that already had the same profile applied through MDM, we received the following status response from DDM: "The profile “<profile_identifier>” cannot replace an existing profile." As a result, the configuration was not applied.
However, after removing the existing applied MDM profile and then reapplying the same profile as a legacy profile via DDM, the configuration was successfully applied.
My DDM Configuration:
{
  "Type": "com.apple.configuration.legacy",
  "Identifier": "DEFAULT_APP_CATALOG_CLIP_CONFIG",
  "ServerToken": "3",
  "Payload": {
    "ProfileURL": "https://mdmtest:8080/certificates/appConfig.mobileconfig"
  }
}
My DDM Status Response:
{
  "StatusItems" : {
    "management" : {
      "declarations" : {
        "activations" : [
          {
            "active" : true,
            "identifier" : "DEFAULT_ACT_0",
            "valid" : "valid",
            "server-token" : "1"
          },
          {
            "active" : false,
            "identifier" : "DEFAULT_APP_CATALOG_CLIP_ACT",
            "valid" : "valid",
            "server-token" : "3"
          }
        ],
        "configurations" : [
          {
            "reasons" : [
              {
                "details" : {
                  "Error" : "The profile “<profile_identifier>” cannot replace an existing profile."
                },
                "description" : "Configuration cannot be applied",
                "code" : "Error.ConfigurationCannotBeApplied"
              },
              {
                "details" : {
                  "Identifier" : "DEFAULT_APP_CATALOG_CLIP_ACT",
                  "ServerToken" : "3"
                },
                "description" : "Activation “DEFAULT_APP_CATALOG_CLIP_ACT:3” has errors.",
                "code" : "Error.ActivationFailed"
              }
            ],
            "active" : false,
            "identifier" : "DEFAULT_APP_CATALOG_CLIP_CONFIG",
            "valid" : "invalid",
            "server-token" : "3"
          },
          {
            "active" : true,
            "identifier" : "DEFAULT_STATUS_CONFIG_0",
            "valid" : "valid",
            "server-token" : "2"
          }
        ],
        "assets" : [
        ],
        "management" : [
        ]
      }
    }
  },
  "Errors" : [
  ]
}
Kindly help us with this issue.
Note: We have posted feedback in the Feedback Assistant portal (FB13132059), along with a device sysdiagnose.
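For an MDM server that needs to surface failures like the one in the post above, the following added example (not part of the original post and not Apple's code) walks a DDM status report and ties each inactive activation to the configuration error behind it. The function names are hypothetical, the sample is constructed from the quoted response, and the reading of `Error.ActivationFailed` is inferred from that response rather than from documentation.

```python
import json

# Constructed sample: the declarations part of the status response quoted above.
SAMPLE_STATUS = json.loads("""
{"StatusItems": {"management": {"declarations": {
  "activations": [
    {"active": true, "identifier": "DEFAULT_ACT_0", "valid": "valid", "server-token": "1"},
    {"active": false, "identifier": "DEFAULT_APP_CATALOG_CLIP_ACT", "valid": "valid", "server-token": "3"}],
  "configurations": [
    {"reasons": [
       {"details": {"Error": "The profile <profile_identifier> cannot replace an existing profile."},
        "code": "Error.ConfigurationCannotBeApplied"},
       {"details": {"Identifier": "DEFAULT_APP_CATALOG_CLIP_ACT", "ServerToken": "3"},
        "code": "Error.ActivationFailed"}],
     "active": false, "identifier": "DEFAULT_APP_CATALOG_CLIP_CONFIG",
     "valid": "invalid", "server-token": "3"},
    {"active": true, "identifier": "DEFAULT_STATUS_CONFIG_0", "valid": "valid", "server-token": "2"}],
  "assets": [], "management": []}}},
 "Errors": []}
""")

KINDS = ("activations", "configurations", "assets", "management")

def failed_declarations(report):
    """One finding per declaration that is inactive or not reported as valid."""
    decls = report.get("StatusItems", {}).get("management", {}).get("declarations", {})
    findings = []
    for kind in KINDS:
        for item in decls.get(kind) or []:
            if item.get("active") is True and item.get("valid") == "valid":
                continue
            findings.append({
                "kind": kind,
                "identifier": item.get("identifier"),
                "server_token": item.get("server-token"),
                "valid": item.get("valid"),
                "reasons": item.get("reasons") or [],
            })
    return findings

def root_causes(findings):
    # Assumption (inferred from the sample): an Error.ActivationFailed reason on a
    # configuration names the activation it blocks; the configuration's other
    # reasons carry the actual cause.
    causes = {}
    for f in (x for x in findings if x["kind"] == "configurations"):
        blocked = [r.get("details", {}).get("Identifier") for r in f["reasons"]
                   if r.get("code") == "Error.ActivationFailed"]
        errors = [(r.get("code"), r.get("details", {}).get("Error")) for r in f["reasons"]
                  if r.get("code") != "Error.ActivationFailed"]
        for activation in blocked:
            causes.setdefault(activation, []).append(
                {"configuration": f["identifier"], "errors": errors})
    return causes
```

In the sample, the activation itself reports `"valid": "valid"` with no reasons, so the cause is only visible on the configuration entry.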
Hello Community,
My devices are listed on the Apple MDM. A few days ago they were working fine, responding to every command pushed via MDM, but today they are neither responding nor updating their status (active/inactive, etc.). Your kind help would be appreciated.
Hi Team,
I want to send the server capabilities to an iPhone for the watchOS pairing token. I tried the following payload and it's not working. Can you provide an example of it? Also, how do I find the server protocol version? I could not find any documentation about it.
{
  "Identifier": "server-capabilities-list",
  "ServerToken": "$serverToken",
  "Type": "com.apple.management.server-capabilities",
  "Payload": {
    "Version": "2",
    "SupportedFeatures": {
      "com.apple.mdm.token" : {},
    }
  }
}
https://developer.apple.com/documentation/devicemanagement/managementservercapabilities
Hello,
I had to create an IKE VPN profile to use this service from my Mac running Ventura, so I was directed to the Apple Configurator application, where I was able to find how to proceed, except that the import was not successful. Here are the logs that I captured from the ProfilesSettingsExt process:
[ERROR] [501:CPPrefPaneExt:<0x3faf>] [CE] XPC: InstallProfile <User:501> ==> Error Domain=ConfigProfilePluginDomain Code=-319 "Les données utiles « Service VPN » n’ont pas pu être installées. Le serveur VPN n’a pas pu être créé." UserInfo={NSLocalizedDescription=Les données utiles « Service VPN » n’ont pas pu être installées. Le serveur VPN n’a pas pu être créé.}
[501:CPPrefPaneExt] Number of <Device> profiles found: 0 (Filtered: 0)
[501:CPPrefPaneExt] ReloadProfiles: device profiles: 0
[501:CPPrefPaneExt] === CPF_GetInstalledProfiles === (<User: 501>)
[501:CPPrefPaneExt] Number of <User: 501> profiles found: 0 (Filtered: 0)
[501:CPPrefPaneExt] ReloadProfiles: user profiles: 0
[501:CPPrefPaneExt] Building ProfilesListView with sections:Optional(0) selection:Binding<Set<String>>(transaction: SwiftUI.Transaction(plist: []), location: SwiftUI.LocationBox<SwiftUI.FunctionalLocation<Swift.Set<Swift.String>>>, _value: Set([])) emptyList:Optional("Aucun profil installé") oip: true disableRemove: true
[501:CPPrefPaneExt] ProfileInstall: PROGRESS: <Completed>
[501:CPPrefPaneExt] [CE] Profile installation (IKEv2 test (laptop.64286FD8-B086-4A63-A1BB-D9CFA279F231:08BFF8E1-3296-43E6-9CEC-A40B31A4A7D4)) ==> Error Domain=ConfigProfilePluginDomain Code=-319 "Les données utiles « Service VPN » n’ont pas pu être installées. Le serveur VPN n’a pas pu être créé." UserInfo={NSLocalizedDescription=Les données utiles « Service VPN » n’ont pas pu être installées. Le serveur VPN n’a pas pu être créé.}
Warning: -[NSWindow makeKeyWindow] called on _NSAlertPanel 0x7fa91294aa50 which returned NO from -[NSWindow canBecomeKeyWindow].
order window: 15f op: 1 relative: 15f related: 0
Item (<private>) is attached but is too large to fit without clipping. minWidth=72.000000
It works if I try to import L2TP or IPSEC profiles with totally random parameters.
Issue Description: We have observed that the DDM Status response is expected to be provided daily at specific timestamps or sometimes randomly for certain devices to obtain the complete DDM status report. The following daily pattern is observed for DDM requests to MDM:
Endpoint -> Status
Endpoint -> Tokens
After receiving a full report from DDM, it proceeds to fetch any changes in declarations from DDM via a tokens request. In iOS 17/macOS 14 also, the same full reports are received daily, but they include new properties in the status report, such as "FullReport": true.
Sample Status Response:
{
"StatusItems" : {
"FullReport" : true,
"client-capabilities" : {
"supported-versions" : [
"1.0.0"
],
"supported-payloads" : {
"declarations" : {
"activations" : [
"com.apple.activation.simple"
],
"assets" : [
"com.apple.asset.credential.acme",
"com.apple.asset.credential.certificate",
"com.apple.asset.credential.identity",
"com.apple.asset.credential.scep",
"com.apple.asset.credential.userpassword",
"com.apple.asset.data",
"com.apple.asset.useridentity"
],
"configurations" : [
"com.apple.configuration.account.caldav",
"com.apple.configuration.account.carddav",
"com.apple.configuration.account.exchange",
"com.apple.configuration.account.google",
"com.apple.configuration.account.ldap",
"com.apple.configuration.account.mail",
"com.apple.configuration.account.subscribed-calendar",
"com.apple.configuration.legacy",
"com.apple.configuration.legacy.interactive",
"com.apple.configuration.management.status-subscriptions",
"com.apple.configuration.management.test",
"com.apple.configuration.passcode.settings",
"com.apple.configuration.security.certificate",
"com.apple.configuration.security.identity",
"com.apple.configuration.security.passkey.attestation",
"com.apple.configuration.softwareupdate.enforcement.specific",
"com.apple.configuration.watch.enrollment"
],
"management" : [
"com.apple.management.organization-info",
"com.apple.management.properties",
"com.apple.management.server-capabilities"
]
},
"status-items" : [
"account.list.caldav",
"account.list.carddav",
"account.list.exchange",
"account.list.google",
"account.list.ldap",
"account.list.mail.incoming",
"account.list.mail.outgoing",
"account.list.subscribed-calendar",
"device.identifier.serial-number",
"device.identifier.udid",
"device.model.family",
"device.model.identifier",
"device.model.marketing-name",
"device.model.number",
"device.operating-system.build-version",
"device.operating-system.family",
"device.operating-system.marketing-name",
"device.operating-system.supplemental.build-version",
"device.operating-system.supplemental.extra-version",
"device.operating-system.version",
"device.power.battery-health",
"management.client-capabilities",
"management.declarations",
"mdm.app",
"passcode.is-compliant",
"passcode.is-present",
"security.certificate.list",
"softwareupdate.failure-reason",
"softwareupdate.install-reason",
"softwareupdate.install-state",
"softwareupdate.pending-version",
"test.array-value",
"test.boolean-value",
"test.dictionary-value",
"test.error-value",
"test.integer-value",
"test.real-value",
"test.string-value"
]
},
"supported-features" : {
}
}
},
"device" : {
"identifier" : {
"serial-number" : "S7T95QN0XP",
"udid" : "00000-AAAAA-111111-BBBBB"
},
"model" : {
"marketing-name" : "iPhone 14 Plus",
"number" : "AB523HN/A",
"identifier" : "iPhone14,8",
"family" : "iPhone"
},
"operating-system" : {
"marketing-name" : "iOS 17.0",
"family" : "iOS",
"supplemental" : {
"extra-version" : "",
"build-version" : "21A5312c"
},
"build-version" : "21A5312c",
"version" : "17.0"
}
},
"mdm" : {
"app" : [
{
"version" : "1452",
"state" : "managed",
"external-version-id" : "123456789",
"identifier" : "com.xxxxx.yyyy.zzzz",
"name" : "App Name",
"short-version" : "23.XX.XY"
},
{
// app details
},
{
// app details
},
{
// app details
}, etc...
]
},
"passcode" : {
"is-present" : true,
"is-compliant" : true
},
"management" : {
"declarations" : {
"activations" : [
{
"active" : true,
"identifier" : "DEFAULT_ACT_0",
"valid" : "valid",
"server-token" : "1"
}
],
"configurations" : [
{
"active" : true,
"identifier" : "DEFAULT_STATUS_CONFIG_0",
"valid" : "valid",
"server-token" : "2"
}
],
"assets" : [
],
"management" : [
]
}
},
"security" : {
"certificate" : {
"list" : [
]
}
},
"softwareupdate" : {
"install-reason" : {
"reason" : [
]
},
"install-state" : "none",
"pending-version" : {
},
"failure-reason" : {
"count" : 0
}
},
"Errors" : [
]
}
Followed by Tokens Request:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Endpoint</key>
  <string>tokens</string>
  <key>MessageType</key>
  <string>DeclarativeManagement</string>
  <key>UDID</key>
  <string>00000-AAAAA-111111-BBBBB</string>
</dict>
</plist>
May I know if this is a behavior, and is it possible to control DDM status report polling data or time?
Thanks in Advance
When we specified an "Unlisted app" with InstallApplication (MDM command), the response state is NeedsRedemption.
This is the request and response.
■Request
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"[]>
<plist version="1.0">
<dict>
  <key>CommandUUID</key>
  <string>dd3fe1a1-a1a7-4987-8201-447e815bd6f9</string>
  <key>Command</key>
  <dict>
    <key>RequestType</key>
    <string>InstallApplication</string>
    <key>Attributes</key>
    <dict>
      <key>Removable</key>
      <false />
    </dict>
    <key>Identifier</key>
    <string>******</string>
    <key>ChangeManagementState</key>
    <string>Managed</string>
    <key>InstallAsManaged</key>
    <true />
    <key>ManagementFlags</key>
    <integer>4</integer>
  </dict>
</dict>
</plist>
■Response
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"[]>
<plist version="1.0">
<dict>
  <key>CommandUUID</key>
  <string>dd3fe1a1-a1a7-4987-8201-447e815bd6f9</string>
  <key>Identifier</key>
  <string>******</string>
  <key>State</key>
  <string>NeedsRedemption</string>
  <key>Status</key>
  <string>Acknowledged</string>
  <key>UDID</key>
  <string>00008110-001E74C814EA401E</string>
</dict>
</plist>
I think non-VPP apps don't need redemption codes.
Is there a way to install an "Unlisted app" without using a redemption code?
We have been facing an SSO issue for some days; it was working fine a few days before.
On Apple devices, we are facing an issue where, once the user enters the username and password, it asks for them again when the user logs in.
Everything was fine, with no changes in the system; the only thing is that this issue started happening, maybe, with the iOS 16 update.
We have implemented SSO using Microsoft AD.
Things are working for all other OSes (Windows, Android) except iOS.
I am looking for a documentation of key value pairs for Apple's own iPad-Apps (Files, Settings, Safari, …) to use with Managed App Config Settings in our MDM.
Is there a list somewhere on Apple's website or – even better – is there a way to find out about the key value pairs via MDM?
Thanks a lot!
I am trying to recreate the following example. However, when I create a Singleton class MyModel and bind the familyActivityPicker like this
@ObservedObject var model = MyModel.shared
....
....
Button("Present FamilyActivityPicker") { isPresented = true }
.familyActivityPicker(isPresented: $isPresented, selection: $model.discouragedApps)
Then in my DeviceActivityExtension I try to access the discouraged applications, this way
let model = MyModel()
let applications = model.discouragedApps
But the model.discouragedApps is always empty. How do I pass the selected applications into my extension? In all of the documentation this part is very conveniently left unexplained.
Can I use the local storage to save the user selection and then read it from there instead of having to use the Singleton pattern?
Hi,
I'm trying to confirm if there is an API that can be used to interrogate ABM for device info? It holds our enterprise devices and so want to regularly extract a list of all devices along with associated information, and import these into a corporate system.
It's unclear from the documentation if this can be done. This is the closest I can find but implies it must be done from within another (developed) app...?
TIA.
What is an older computer that I can get that will still run Xcode 15?
I would like to start teaching my 9 year old grandson programming.
My budget is limited.
We are also looking to create a programming club at the local high school
Thank you for any help you can give.
Hi everyone,
We have developed an application for a large company and are distributing it using a business account. We have codes that we give to users.
The problem is that we released an update for the same app, but users aren't receiving the update automatically as it should be. It's not working. So, we are giving new codes to users as if they are installing a fresh version.
We have contacted Apple, but we haven't received any answers (the support is a nightmare, mostly people just saying they don't have access to our ticket case).
Has anyone else experienced this problem? And does anyone have a solution for this?
Thanks.
I am getting the response back for DevicePropertiesAttestation and can match the other OIDs. For the nonce value, I am using Base64.encode to match it with what I sent, but I am getting a different value. What is the right way to extract this nonce value from the response?
Is it expected behavior for an iOS device with the default recommendation cadence to only return the new major update(s) to MDM via AvailableOSUpdates? We'd expect to see both iOS 16 and iOS 17 product keys here. We don't remember this being a problem last year.
iPad 11,6 running 16.5.1 that can take 16.7.1 according to GDMF with the default RecommendationCadence is only returning this and not anything in the 16 series:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>AvailableOSUpdates</key>
  <array>
    <dict>
      <key>AllowsInstallLater</key>
      <false/>
      <key>Build</key>
      <string>21A360</string>
      <key>DownloadSize</key>
      <integer>3157073669</integer>
      <key>HumanReadableName</key>
      <string>iPadOS 17.0.3</string>
      <key>InstallSize</key>
      <integer>1328545792</integer>
      <key>IsCritical</key>
      <false/>
      <key>IsSecurityResponse</key>
      <false/>
      <key>ProductKey</key>
      <string>iOSUpdate21A360</string>
      <key>ProductName</key>
      <string>iOS</string>
      <key>RestartRequired</key>
      <true/>
      <key>SupplementalBuildVersion</key>
      <string>21A360</string>
      <key>Version</key>
      <string>17.0.3</string>
    </dict>
  </array>
  <key>CommandUUID</key>
  <string>3e556538-d125-460e-923e-feebca9ac2e5</string>
  <key>Status</key>
  <string>Acknowledged</string>
  <key>UDID</key>
  <string>00008020-001A4C512E68402E</string>
</dict>
</plist>
14-inch 2021 MacBook Pro M1, running Ventura.
When the MacBook is closed and charging, I attempt to connect via screen sharing from another MacBook Pro, a 13-inch 2020 M1 also running Ventura.
First I have to enter my username and password into a popup before I can even get to the other mac's screen.
Then I get to the standard lock screen, showing my username and asking for a password. When I enter my password I see the desktop for a second or two, then it immediately relocks before I can even move the mouse, etc.
This happens up to 4 times before I either give up or get through.
This is extremely aggravating. I don't have a hot corner to relock the screen or anything like that.
We are creating our own MDM server, and we followed Apple's suggested approach at the following link: [https://it-training.apple.com/tutorials/deployment/dm055]. After uploading the .pem file in the ABM portal, a new server token is generated, but my question is where we need to keep that server token (.P7M) on our servers. Is there any specific path? Apple's documents suggest following the vendor documentation, but in our case we didn't use any third-party server, so we don't have any vendor documentation.
Can you please help me to achieve this scenario.
We are having an issue on some iPads where web clips pushed through MDM start, after a while, to make duplicates of themselves on the iPad. So instead of one web clip IRL Address, the user now has the same one 50 times. Nothing is working. When removing it from MDM, the duplicates are still there.
Hi, I just downloaded the iOS 17 beta profile for my iPhone in order to install it, but when I open the profile downloaded from here I see this code, and I have no idea what this code language is. How can I see it in a human-readable language or anything better than this?
Are the codes generated by the business portal always limited to the country in which the DUNS code is registered? I have clients who have only one office and therefore can request only one DUNS code but have employees in various countries. How can I generate codes, from the business portal, valid for all countries? Has it become possible to do this? What alternatives can I evaluate for distributing a private app?