Platform SSO not working on macos devices for zscaler application other app like safari / chrome working well. Need help from apple expert on the same. Environment : IDP : Entra ID MDM : Omnissa Workspace one UEM platform : macOS

Hi, I developed a Platform Single Sign-On extension and a corresponding extension for my IdP, which is Keycloak based. The code for both projects are here: https://github.com/unioslo/keycloak-psso-extension and https://github.com/unioslo/weblogin-mac-sso-extension I realized that, when using the Secure Enclave as the AuthenticationMethod, and according to Apple's documentation, the Extension doesn’t obtain fresh ID Tokens when they expire if the refresh token is still valid. When using password as the Authentication Method, it fetches new ID tokens when they expire, without prompting the user for credentials, by using the refresh token. My suggestion is that the same behavior should be implemented for Secure Enclave keys. The thing here is that usually, on OIDC flows, the ID/Access tokens are short-lived. It would make sense for the extension to provide fresh ID tokens. It doesn’t seem to make sense for me that, when using passwords, the extension would fetch these tokens, and not when having the Secure Enclave key. By not doing this, Apple almost forces the developer of an extension to fetch new ID tokens themselves, which doens’t make sense when it clearly provides fresh tokens when using passwords. It almost forces the developers to either implement that logic themselves, or to issue longer tokens, which is not so nice. How so you deal with this? Do you simply use the refresh token as an authentication token, or do you do some sort of manual refresh on the extension?

Is there a way to check if DDM(Declarative Device Management) is enabled on a device?

Hey. If i have a new idea for apple how can i reach out for you?

Hello, We are currently deploying Apple devices in our organization using Apple Business Manager (ABM) and are looking for a long-term self-hosted MDM solution. We initially considered MicroMDM, but since official support will end in December 2025, we are evaluating NanoMDM. I would like to confirm: Is NanoMDM a stable and production-ready option for long-term use with Apple Business Manager and Automated Device Enrollment (ADE)? Does NanoMDM support all essential features like: Supervision Remote wipe App deployment Configuration profiles Are there any limitations or known issues with using NanoMDM? Are there any other open-source or lightweight MDM solutions Apple developers recommend that are actively maintained? We are aiming for a reliable, secure, and future-proof self-hosted MDM setup. Any guidance or shared experience would be greatly appreciated. Thanks, Vijay Pratap Singh

Hello, We have an internal enterprise app. After the provisioning profile (certificate) expired, some employees' iPhones still retained the old certificate when updating the app, causing the app to fail to open. We’ve tried restarting and reinstalling the app, but the issue persists. Having each employee manually reset network or device settings would be too operationally costly. Since this involves a large number of devices, we cannot use Apple Configurator to remove and reinstall certificates one by one. Therefore, we’d like to ask if there is a more efficient, batch-oriented solution to quickly resolve the certificate residue issue. We’d appreciate any suggestions for large-scale deployment methods. Thank you very much!

I'm hoping to make certain in-house apps fail to launch by revoking the in-house certificate that they were built on. This is by way of encouraging users of these apps to download updates built on a new certificate. How long will it take app built on a now-revoked certificate to no longer launch? Also, what is Apple's process for checking the validity of an in-house certificate in an app built on that certificate, running on iOS devices? I understand that provisioning profiles have built-in expiration dates, but will an in-house app that's built on a valid provisioning profile keep running even on a revoked certificate if the revocation happened before the certificate's own expiration date? Craig Umanoff

The profile expiration date is approaching, and no amount of inquiries will solve it. Create a new profile Download a new profile from Xcode Press archive, press Distribute App, press Enterprise, and distribute Invalid expiration date in profile of summary of review app.ipa content I've tried everything that comes out by Googleing profiles, such as regenerating profiles, erasing caches, updating Xcode, updating macOS, deleting existing profile information, etc. Expiration date different from the expiration date of the profile created in that menu is displayed. The expiration date of the profile I created is December 8, 2026, and the previous certificate is January 22, 2026. However, the profile information of the generated ipa is February 12, 2026. So I can't distribute this app because I'm scared, and the expiration date is coming up. Users should have a period of time to update. Get me a novice developer who's choking up.

I am trying to find clarification on something. We are seeing strange cases where customer devices seem to unenroll themselves after a period of MDM inactivity. This seems to tie into roughly when their identity certificate has expired. We can't confirm this because the device has since unenrolled. Is there any case where an Apple device will automatically unenroll if it's identity certificate has expired? This doesn't always seem to happen - I had a device respond immediately after being switched off for a year - but could this be down to some devices being DEP enrolled and others manually enrolled?

Hi, I might be a bit late to the party, but Apple has added several SkipKeys such as: TapToSetup and SafetyAndHandling. I want to make sure that the keys is working properly, so I want to do the before-after comparison, however I just can't seem to show pages related to those keys. Just for information, I'm based in Japan and I've been using iPhone pro 16 and M2 iPad Pro for the testing. I believe that TapToSetup is apple tv-related, so I've tried various things such as having it in a same network or using the same apple account both in Apple TV and the iPhone/iPad but I can't get it to show. Any ideas?

There is a longstanding restriction payload for supervised iOS devices that disables "Erase All Content and Settings." We have been experimenting with supervised watches paired with supervised phones that have that payload applied, and yet "Erase All Content and Settings" remains available on the watch. Is this: – a) An error with our payload? Should we be sending something else? – b) A bug in watchOS supervision? – c) A deliberate design choice? If so, what is the rationale for preventing organizations from maintaining this very basic level of control over devices they may be configuring and dispatching into the field?

We are trying to develop an app that will be responsible for managing 5000+ managed iPads through Intune MDM. The user flow is to have a device locked to a single app when a user is not logged in, but to make the device available to other apps once a user is authenticated. We already tried UIAccessibility GuidedAccess Mode and autonomous single app mode but those were not sufficient due to our need to be able to toggle this from the background. When the device may be asleep. So another way we could achieve this functionality would be to control all app access under a launching mechanism. That way we could allow one app to be visible in our MDM configuration and try to access our business app through that using deep links. If this were to work, we would have to be able to hide an app and still make it launchable from the manager. Any ideas? Thanks

Hi Team, After agreeing the Paid In-app purchase agreements, i have been asked to fill the tax forms of US Certificate of foreign status of beneficial owner and US substitute form W-8BEN-E. Being an Indian Ed-tech company, we would like to know how should we approach this. Any help or support page or video on this can make our life easier. Thanks Team ACEplus.

Hello, I’d like to clarify the technical limitations around app updates in an Apple School Manager (ASM) + MDM environment. Environment • iOS/iPadOS devices supervised and managed via Apple School Manager • Apps are distributed via ASM (VPP / Custom App) and managed by MDM • Apps are App Store–signed (not Enterprise/In-House) • Some apps include NetworkExtension (VPN) functionality • Automatic app updates are enabled in MDM Question From a technical and platform-design perspective, is it possible to: Deploy app updates for ASM/MDM-distributed App Store apps via a separate/custom update server, and trigger updates simultaneously across all managed devices, bypassing or supplementing the App Store update mechanism? In other words: • Can an organization operate its own update server to push a new app version to all devices at once? • Or is App Store + iOS always the sole execution path for installing updated app binaries? ⸻ My current understanding (please correct if wrong) Based on Apple documentation, it seems that: 1. App Store–distributed apps cannot self-update • Apps cannot download and install new binaries or replace themselves. • All executable code must be Apple-signed and installed by the system. 2. MDM can manage distribution and enable auto-update, but: • MDM cannot reliably trigger an immediate update for App Store apps. • Actual download/install timing is decided by iOS (device locked, charging, Wi-Fi, etc.). 3. Custom update servers • May be used for policy decisions (minimum allowed version, feature blocking), • But cannot be used to distribute or install updated app binaries on iOS. 4. For ASM-managed devices: • The only supported update execution path is: App Store → iOS → Managed App Update • Any “forced update” behavior must be implemented at the app logic level, not the installation level. ⸻ What I’m trying to confirm • Is there any supported MDM command, API, or mechanism that allows: • Centralized, immediate, one-shot updates of App Store apps across all ASM-managed devices? • Or is the above limitation fundamental by design, meaning: • Organizations must rely on iOS’s periodic auto-update behavior • And enforce version compliance only via app-side logic? ⸻ Why this matters In large school deployments, delayed updates (due to device conditions or OS scheduling) can cause: • Version fragmentation • Inconsistent behavior across classrooms • Operational issues for VPN / security-related apps Understanding whether this limitation is absolute or if there is a recommended Apple-supported workaround would be extremely helpful. Thanks in advance for any clarification

I came across this tool that enables supervised mode on iOS without resetting the data. it's essentially a macOS with a unix executable file underneath. a quick guide of how it works is here https://www.techlockdown.com/guides/enable-supervised-mode-iphone I would appreciate any guidance on how to recreate this, as this is behind a paywall, and would like to offer something similar for free to people who want to restrict their families devices.

We are experiencing a critical issue where VPP app installations are consistently taking an excessive amount of time, leading to significant delays in asset association. We are deployionThis is a systemic problem that affects all VPP apps, not just an isolated case. Apps: 39470db7-e475-4269-9709-c80641657027 => com.zimride.instant d0876900-2579-463e-99f1-b7c85ef5c5e8 com.microsoft.azureauthenticator Troubleshooting: We have performed extensive troubleshooting and can confirm the following: VPP Token: The VPP token has been successfully renewed and is currently active and valid. License Availability: We've verified that there are sufficient VPP licenses available for the apps being deployed. Device Status: We've attempted the following on the affected devices: Restarted the devices. Switched to different Wi-Fi networks. Uninstalled and re-installed the apps. App Status: The issue is not limited to a single app; all VPP apps are failing to install. License Revocation: We attempted to revoke and reassign licenses for some devices, but this did not resolve the issue. The app was not pushed, and the pending status remained. Troubleshooting: Through our internal investigation, we have determined that the core issue is that the Asset Association Status is consistently taking excessive time. This seems to be preventing the app installation queue from processing. We have observed a significant delay in the processing of events within the Notification Channel. The time between the event being created and a response being received is excessively long, indicating a potential backlog or issue. We have included a few recent examples below for your reference: Event ID: 39470db7-e475-4269-9709-c80641657027 com.zimride.instant Created Time: 2025-08-26 01:02:04 Response Time: 2025-08-26 01:34:05 Event ID: d0876900-2579-463e-99f1-b7c85ef5c5e8 com.microsoft.azureauthenticator Created Time: 2025-08-25 21:16:29 Response Time: 2025-08-25 22:21:07 We would appreciate your help in the following areas: Resolution: Could you provide any known solutions or workarounds for an asset association status that is taking excessive amount of time'? Best Practices: Are there any recommended best practices or additional parameters we should be checking with the MDM that might influence the queueing of VPP app assignments? Queueing Parameters: Could you provide insight into the parameters or conditions that can affect the queueing and processing of VPP app installations on Apple's servers? Please let us know if there is any additional information or logs we can provide.

I tried the new feature of macOS 26.0 com.apple.configuration.app.managed. A configuration and its activation are defined with the data like this. InstallBehavior: Install: Required License: Assignment: Device iOSApp: true AppStoreID: '1113153706' After distributing the configuration with DeclarativeDevicement MDM command, an error is notified via status channel app.managed.list. "managed": { "list": [ { "state": "failed", "declaration-identifier": "1424a813-113f-5de0-9a75-38bf64f22673", "identifier": "com.microsoft.skype.teams", "name": "Microsoft Teams" } ] } What am I missing in the settings? Thank you

Last year I used the iOS Distribution Managed Certificate (Enterprise Program) to sign an App and to distribute it internally. The Cert is still valid until May 2026. But its associated Provisiong Profile (which is not visible in the Apple Portal, but within Xcode when you export your archive) expired last week. Until then it was impossible for me to somehow force renew the profile and that lead to the fact that my app was not usable for a day, because the renewal was done after the expiration of the old one. Whats the whole point of the managed signing if can't influence the provisioning update. To be clear: I don't speak about the certificate - just about the profile. Or am I using it wrong?

how to contact 酷

Downloaded screensavers not appearing in 4KSDR240FPS folder