As we know, we can't add restrictions payload in the mobileconfig when registing the device. We are developing MDM by ourselfs, met some trouble. Please help.

On iOS 26, if in "Single App Mode", the device gets stuck on the lock screen. Devices are configured in SAM (kiosk mode), without a PIN requirement. Since updating to iPadOS 26, every single device that locks (goes to sleep) becomes completely unresponsive at the lock screen. Touch input does not work. The only way to regain access is to reboot the device, which will boot to the SAM app, but then lock again if it goes to sleep. Related discussion in the public forums.

Issue Description: We are experiencing MDM profile installation failures specifically on iPhone 17 devices. After extensive testing and comparison between affected and working devices, we suspect this appears to be a parameter transmission error rather than device settings. Technical Analysis: Device Settings Comparison: No differences found between problematic and working devices in system settings, indicating this is not a configuration issue. Suspected Parameter Transmission Error: • Device model information appears to be restricted or blocked during profile download • User ID and phone number parameters are not being transmitted to the server • Installation logs show missing login ID and phone number entries Symptoms: • During MDM profile installation, the "Apps & Restrictions" section that should appear is missing • Profile download parameters are suspected to not be properly transmitted to the server • Installation process fails at the profile configuration stage Critical Finding: When we cloned a previously working device to create a problematic device configuration, the cloned device also began experiencing the same installation failures. This strongly suggests the issue is related to device-specific parameters or identifiers. Additional Information: We continue to receive reports of this issue from our iPhone 17 users, and these reports are occurring across various iOS versions. Request for Assistance: Has anyone encountered similar MDM profile installation issues on iPhone 17? Are there known limitations or changes in how device parameters are transmitted during MDM enrollment on this model? Any guidance on debugging parameter transmission or known workarounds would be greatly appreciated.

Can someone help me, every time I insert a new attribute in the Table, the Query stops working, the bank keeps giving these messages, thank you

Hi We've had an Enterprise Developer a/c for years. But last year they asked a bunch a questions to confirm we were a company. I answered them all and then it said it would review the answers. Were a big company and answered these questions before so just expected it to go through. Then our Enterprise Program a/c was up for renewal in April. But the money was never taken from the company cc and every expiry date the renewal date keeps moving forward a month. Its now been moved to Sep 2025. Either were getting April-Sep free or were going to be landed with a CC bill for 12+5 months soon. Anyone else seeing this. Is there an email or webpage for Enterprise a/c support? We have the money :)

We have purchase but status still pending, please how to complete membership to active

I'm trying to set up a configuration profile on a supervised device for a kid's phone. I want to force a VPN 100% of the time except for local network activity and some specific domains. Or at the very least, have a few apps go outside the tunnel. Apple makes this IMPOSSIBLE even though according to the documentation it should be possible. The IKEv2 vpntype has a key "OnDemandUserOverrideDisabled" which is supposed to prevent a user from toggling off the vpn, which obviously defeats the purpose of having it. However, as other users have posted, this DOES NOT WORK. So anyone can just turn off the vpn and be connected to the internet unprotected. On the "AlwaysOn" vpntype, the element "ApplicationExceptions" which would allow you to list a few applications that can go outside the tunnel DOES NOT WORK. This is critical because so many domains automatically block vpn servers and it's a huge pain. Also local network activity also gets blocked, which makes it impossible to connect to local devices. And there's no split tunneling possible with this vpntype. So basically, it's impossible. I WOULDN'T BE SURPRISED IF APPLE DID THIS INTENTIONALLY TO KEEP KIDS ADDICTED AND IN DANGER SO THEY USE THE PHONE MORE.

is it possible to push app updates in Single App Mode via Intune?

I'm hoping to make certain in-house apps fail to launch by revoking the in-house certificate that they were built on. This is by way of encouraging users of these apps to download updates built on a new certificate. How long will it take app built on a now-revoked certificate to no longer launch? Also, what is Apple's process for checking the validity of an in-house certificate in an app built on that certificate, running on iOS devices? I understand that provisioning profiles have built-in expiration dates, but will an in-house app that's built on a valid provisioning profile keep running even on a revoked certificate if the revocation happened before the certificate's own expiration date? Craig Umanoff

Is the possibility of programmatically recovering the enrolled email address associated with an iPad. We are currently working on a project that requires us to retrieve this information for our enrolled devices. Could you please provide guidance or documentation on how we can achieve this programmatically? Specifically, we are interested in any APIs or frameworks that Apple provides for this purpose, as well as any necessary permissions or configurations that need to be in place.

Hello! We using jwsRepresentation for Transaction. In documentation we found The decoded payloads of the jwsRepresentation and JWSTransaction strings contain price fields that are specified in milliunits of the currency; StoreKit represents the price in units of currency. Take care not to confuse these two representations when working with both APIs. source But when we decoded JWS, we found what price are specified in units (but we were expecting to get milliunits) We using https://developer.apple.com/documentation/storekit/product/purchaseresult/success switch result { case .success(let verification): let jwsRepresentation = verification.jwsRepresentation ... And when we decoded jwsRepresentation we get { "transactionId": ".....", "originalTransactionId": ".....", "webOrderLineItemId": ".....", "bundleId": ".....", "productId": ".....", "subscriptionGroupIdentifier": ".....", "purchaseDate": ".....", "originalPurchaseDate": ".....", "expiresDate": ".....", "quantity": 1, "type": ".....", "deviceVerification": ".....", "deviceVerificationNonce": ".....", "appAccountToken": ".....", "inAppOwnershipType": ".....", "signedDate": ".....", "environment": ".....", "transactionReason": ".....", "storefront": ".....", "storefrontId": ".....", "price": 12990, "currency": "USD" }

May I know the checking mechanism for the ios Provisioning profile? Is my Apple app distributed by MDM inside the organisation? If the Provisioning profile is expired , what is the behaviour when user run the App and how to perform the checking mechanism , is it performed at user client side device or Apple server via online access.

Why is MDM camera restriction designed not to work on the lock screen?

macOS devices- dep enrolled device - configured an email policy and it gets stuck on pending status. The rest of the policies and actions like lock device and scan device are executed successfully. While enrollment using DEP, if there is account creation config present in Dep configuration profile , At the time of enrollment we don't receive the user token and user channel is not present. The keys UserID and EnrollmentUserID in TokenUpdate is not present. As a result we can't successfully push the email policy. Is the inference correct or is there anything else we are missing out.

Our organization is deploying passwordless authentication. Instead of using a password, employees must use the Microsoft Authenticator app to complete the login process. Unfortunately, employees with passwordless authentication can't complete the login on the Wi-Fi Captive portal with SAML authentication. The reason is that when an employee switches to the Microsoft Authenticator app, the Apple CNA (Apple Network Captive Assistant) disappears. As a result, the authentication process breaks. According to the https://developer.apple.com/news/?id=q78sq5rv source, iOS 14+ devices support the RFC-8908 standard. Unfortunately, we couldn't find a reliable source on how this feature works on iOS devices. The question is: Is it possible to automatically forward Wi-Fi clients to the SAML authentication portal in the default browser app (for example, Safari) after connecting an employee to Wi-Fi?

The result Plist for the InstalledApplicationList MDM command is reporting duplicate Application identifiers. Sometimes with different version, other times with the same version. The device is MacOS 15.5, Enrolled via ABM (Supervised). Here are a couple samples from the returned list. Duplicate app: <key>BundleSize</key> <integer>398051</integer> <key>Identifier</key> <string>com.adobe.Acrobat.NativeMessagingHost</string> <key>Installing</key> <false/> <key>Name</key> <string>NativeMessagingHost</string> <key>ShortVersion</key> <string>5.0</string> <key>Version</key> <string>5.0</string> </dict> <dict> <key>BundleSize</key> <integer>398051</integer> <key>Identifier</key> <string>com.adobe.Acrobat.NativeMessagingHost</string> <key>Installing</key> <false/> <key>Name</key> <string>NativeMessagingHost</string> <key>ShortVersion</key> <string>5.0</string> <key>Version</key> <string>5.0</string> </dict> Different Version: <key>BundleSize</key> <integer>4197200</integer> <key>Identifier</key> <string>com.adobe.adobe_licutil</string> <key>Installing</key> <false/> <key>Name</key> <string>adobe_licutil</string> <key>ShortVersion</key> <string>11.0.0.39</string> <key>Version</key> <string>11.0.0.39</string> </dict> <dict> <key>BundleSize</key> <integer>4443177</integer> <key>Identifier</key> <string>com.adobe.AcroLicApp</string> <key>Installing</key> <false/> <key>Name</key> <string>AcroLicApp</string> <key>ShortVersion</key> <string>25.001.20432</string> <key>Version</key> <string>25.001.20432</string> </dict> <dict> <key>BundleSize</key> <integer>7380980</integer> <key>Identifier</key> <string>com.adobe.adobe_licutil</string> <key>Installing</key> <false/> <key>Name</key> <string>adobe_licutil</string> <key>ShortVersion</key> <string>10.0.0.274</string> <key>Version</key> <string>10.0.0.274</string> </dict>

Hi, Is there a method to hide individual items in System Settings that is not Deprecated? It needs some of the settings set and hidden for the end user. I found the DisabledSystemSettings key however it is marked as Deprecated and does not include all the new items, especially those related to Apple Intelligence. Is there any method other than “Restrictions” that does not hide and only set individual settings ? It needs to hide items in system settings :)

Last year I used the iOS Distribution Managed Certificate (Enterprise Program) to sign an App and to distribute it internally. The Cert is still valid until May 2026. But its associated Provisiong Profile (which is not visible in the Apple Portal, but within Xcode when you export your archive) expired last week. Until then it was impossible for me to somehow force renew the profile and that lead to the fact that my app was not usable for a day, because the renewal was done after the expiration of the old one. Whats the whole point of the managed signing if can't influence the provisioning update. To be clear: I don't speak about the certificate - just about the profile. Or am I using it wrong?

Dear Apple, Suggestions to rise tour TKDN in IS: Make small components from ID, such as iPhone case,IPad case, etc Continue with Productivity to build Apple Developer, recruiting local developer and headed by Apple developer Train local technician to repair or replace some components from Apple device (off course they must be original parts). I think it will fit 35% or more TKDN p.s: someone in my family is interested to be Apple Dev, and increase skill from Android Dev

Here https://github.com/apple/device-management/blobelease/mdm/commands/information.device.yaml#L3246 it is mentioned that for querying Managed attestation certificate the ios device needs to have A11 Bionic and later, Wanted to understand how to get this information programmatically i.e is Apple sending chip information for iphone and ipad devices as part of some sample ? or is there a way to query this information from the device ? Here https://github.com/apple/device-management/blobelease/mdm/commands/information.device.yaml#L3246 it is mentioned that for querying Managed attestation certificate the macos device needs to have Apple Silicon, using IsAppleSilicon https://github.com/apple/device-management/blobelease/mdm/commands/information.device.yaml#L357 property is fine ? Can we use this field to determine if the device is Apple silicon ? Same question for Apple TV as well - How to get the information if a device is having A12 Bionic and later ? and same for Apple watch, how to know if a device is S4 and later ?