Device Management

Allow administrators to securely and remotely configure enrolled devices using Device Management.

Posts under Device Management tag

173 Posts
Post not yet marked as solved
0 Replies
3 Views
In Declarative Device Management there is the Get Server Supported Declarations endpoint that is sent via an MDM Check-In request. Is this supposed to return all of the declarations supported by the server, or only the ones that are intended for the device making the request? This seems like a bad choice of naming for that endpoint and, if my assumption is correct, it should be named more along the lines of "Get Device Declarations". Or am I fundamentally misunderstanding DDM, and our server should be sending all declarations we have to the device and the device controls them via activations? This seems counter to the pitch around scalability and performance improvements that DDM offers if we have to send literally everything to the device even if it's known to not be needed, and similarly if the device doesn't support it but the server does then obviously(?) the server shouldn't send it to the device.
Post not yet marked as solved
0 Replies
3 Views
Can someone please explain the purpose of the ManagementServerCapabilities declaration in Declarative Device Management? I understand based on the documentation that it contains a "dictionary that contains the server’s optional protocol features" but what would be an example of an "optional protocol feature"?
Post not yet marked as solved
1 Replies
93 Views
I can enroll iOS and macOS devices with success when DEP is not used (OTA). With DEP, I can enroll iOS devices but not macOS devices. In this case, the process fails when the activation profile is received, because the system cannot decrypt the returned payload. Note that I sign the payload using the server certificate (trusted as the anchored certs are defined accordingly) and I encrypt the payload using the device identity certificate. This identity certificate was obtained when the device reached the enrollment URL (used to sign the inbound payload). From the console logs, it seems that the device cannot find the aforementioned certificate using the issuer and serial number, which is surprising because this should be the device identity certificate. I currently use the PKCS7 openssl 3 API. I am wondering if I should switch to the CMS functions since they provide a way to define the certificate using its key identifier rather than the issuer and serial number. I'm also wondering if certificates are missing in the chain. Any help would be greatly appreciated.
Posted by ct06fr.
Post not yet marked as solved
0 Replies
109 Views
Hi all, I'm working on a small PoC to get Content Filtering (FilterDataProvider) working on macOS without any user interaction. So far, I've pushed two payloads to my machine using user-approved MDM enrollment:

com.apple.system-extension-policy
com.apple.webcontent-filter

The application containing the network extension is present in /Applications. The installation of the profiles both succeed and I can see a Content Filter is created in the Network section of System Settings. Even the status says "Enabled", but the dot remains orange. Inspecting the system logs (specifically: filtering on process:neagent) shows me the following error:

Failed to find a com.apple.networkextension.filter-data extension inside of app com.my.app.containing.the.ext

Only when I submit an activation request using OSSystemExtensionRequest.activationRequest, the network extension starts (without prompts, as expected) and everything works. Is this expected behaviour? Do I need to submit an activation request through code regardless of the fact that MDM pre-approved the System Extension prompts and created the Content Filter in the System Settings?
Posted by ad4nll.
Post marked as solved
3 Replies
1.4k Views
The Mac device is a device that has been manually added to the Apple Business Manager. DEP profiles are normally installed in both iOS and iPadOS. Profile decryption error occurs only when attempting DEP of macOS. (If you look at the picture, a decryption error occurs in the remote device registration step.) I asked Apple's customer center about this problem, and it is said that it is caused by the lack of a key called "automatic registration on the MDM server". The key cannot be found in the Apple official document related to the profile below. https://developer.apple.com/documentation/devicemanagement/mdm/

Information received during DEP enroll of Macmini using Apple silicon.

{
    'LANGUAGE': 'en_US',
    'PRODUCT': 'Macmini 9,1',
    'SERIAL': 'CXXXXXXXXXXV',
    'UDID': '0XXXXX27-XXXX-XXXX-XXXX-XZXXXXXXXXX',
    'VERSION': '21C52'
}

Information received during DEP enroll of iPad

{
    'LANGUAGE': 'en_US',
    'PRODUCT': 'iPad5,4',
    'SERIAL': 'DXXXXXXXXXXQ',
    'UDID': '9aXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX6d',
    'VERSION': '19C63'
}

Profile to be transmitted to the device (same as macOS, iOS, iPadOS)

{
    'AccessRights': 8191,
    'CheckInURL': 'https://apm.xxxxx.com/checkin',
    'CheckOutWhenRemoved': True,
    'IdentityCertificateUUID': '00000000-0000-0000-0000-000000000000',
    'PayloadDescription': 'MDM Profile',
    'PayloadDisplayName': 'MDM',
    'PayloadIdentifier': 'com.xxxxx.xxxxxxx.mdm',
    'PayloadOrganization': 'MDM provider',
    'PayloadType': 'com.apple.mdm',
    'PayloadUUID': '00000000-0000-0000-0000-000000000000',
    'PayloadVersion': 1,
    'PromptUserToAllowBootstrapTokenForAuthentication': True,
    'ServerCapabilities': ['com.apple.mdm.per-user-connections','com.apple.mdm.bootstraptoken'],
    'ServerURL': 'https://apm.xxxxx.com/server',
    'SignMessage': False,
    'Topic': 'com.apple.mgmt.External.206bfa63-f76a-4381-9e50-6f74241d14d9'
}

Because it uses the same profile structure, it is not understood that iOS/iPadOS operates normally and errors occur only in macOS. If there is anything that can help me, please let me know. Thank you.
Posted by DaveKoh.
Post not yet marked as solved
1 Replies
154 Views
Issue: Our app is currently experiencing an unexpected behavior related to VPN functionality on iOS devices. Despite having the "OnDemandUserOverrideDisabled" parameter set to 1 in our VPN profile, users have reported that they can create a shortcut to disable the "Connect On Demand" feature. However, upon doing so, toggling off the VPN does not re-enable the feature as anticipated. This oversight results in unfiltered browsing, potentially compromising user security and privacy.

Explanation: The presence of "OnDemandUserOverrideDisabled" set to 1 in our VPN profile should theoretically prevent users from toggling the "Connect On Demand" feature via any means. However, users have found a workaround using shortcuts to bypass this safeguard. Consequently, the VPN does not automatically re-engage after being disabled, leading to unintended consequences for users.

Impact: The inability to reliably control VPN settings, despite profile configurations, poses a significant risk to user data privacy and security. Unintended unfiltered browsing can expose users to malicious actors and compromise sensitive information.
Post not yet marked as solved
1 Replies
93 Views
At WWDC 2023 Apple announced this: https://developer.apple.com/videos/play/wwdc2023/10040/?time=648 And as you can see and hear, they are saying: "In the past, entire System Preference panes were hidden to fulfill this requirement. With the introduction of System Settings, we were able to implement a granular management approach. Instead of hiding entire panes, the administrator can restrict modifications of a specific setting which now shows a label about its management state." But where in the Apple Developer documentation can I find the payload for this? The only thing I was able to find is https://developer.apple.com/documentation/devicemanagement/systempreferences which is DEPRECATED for 13.0 macOS.
Post not yet marked as solved
0 Replies
239 Views
Our keyboard extension can be accessed independently in the China region with native apps like Notes or Safari; however, the keyboard can only be opened in the app under the same project in the Taiwan region. I've checked some articles about how MDM manages extensions, and also made sure the RequestOpenAccess option in our keyboard extension's info.plist is set to Yes. I'm not sure whether there is anything I missed, or whether I just need to inform the client that they need to reach out to their MDM manager and modify some restrictions.

If keyboard supports mobile device management (MDM), it can work with managed apps. App extensions give third-party developers a way to provide functionality to other apps or even to key systems built into the operating systems Allow full access to custom keyboard in iOS
Posted by Rimbaud.
Post not yet marked as solved
1 Replies
120 Views
I'm working on a tool which parses the output from the command "profiles -P -o" to check that our MDM profile has been deployed correctly, as there have been issues around profiles being misconfigured. It seems that the framework which the profiles command uses is private, so I'm just wondering whether there could be a way to get information similar to the output from the profiles command without having to directly use the command?
Posted by Rdebbage.
Post not yet marked as solved
0 Replies
127 Views
Hi all, I'm implementing Intune MAM to secure applications on iOS. However, I need my users to be able to save files (e.g. attachments in an email in the Outlook app) to iOS Files. To do so, I'm trying to put Files in exception of my Intune MAM policy and I need to obtain the Files "CFBundleURLSchemes" value from the info.plist file of the Files app. I'm not able to get that information. Are any of you able to get that somehow? Thanks!
Posted by FKaede.
Post marked as solved
8 Replies
361 Views
I am trying to add DNSProxy configuration using .mobileconfig and MDM on supervised device. I have Content Filter payload in the same configuration file that works as expected, however I was unable to start my DNSProxy. My app has 3 extension targets for Filter Data/Control Providers and DNSProxy extension. Here is my DNSProxy payload:

<dict>
    <key>AppBundleIdentifier</key>
    <string>my.app.bundle.id</string>
    <key>PayloadDescription</key>
    <string>Configures DNS proxy network extension</string>
    <key>PayloadDisplayName</key>
    <string>DNS Proxy</string>
    <key>PayloadIdentifier</key>
    <string>com.apple.dnsProxy.managed.AEE249BB-4F44-4ED9-912B-6A70CC0E01B6</string>
    <key>PayloadType</key>
    <string>com.apple.dnsProxy.managed</string>
    <key>PayloadUUID</key>
    <string>AEE249BB-4F44-4ED9-912B-6A70CC0E01B6</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>ProviderBundleIdentifier</key>
    <string>my.app.bundle.id.DNS-Proxy-Extension</string>
</dict>

Any thoughts on what I might be doing wrong?
Post not yet marked as solved
0 Replies
161 Views
This page indicates https://support.apple.com/en-in/guide/deployment/dep0a2cb7686/web that some usage of fdesetup command line tool is deprecated such as turning on FV using username/password. However, I don't see any proper information about which options from the fdesetup tool are deprecated and which are still valid? Any pointers for that? Thanks, N
Post not yet marked as solved
5 Replies
729 Views
Hi, With the iOS-17.4 update, we are seeing AppProxy VPN not getting started when Apps (associated with PerAppVPN) try to access a network resource after MDM PerAppVPN profile install/update. Looks like PerApp rules associated with the applayer vpn profile are broken after profile update/install, as we see internet sites working without going through VPN (appProxy network extension); this starts working if we toggle WiFi and then access a network resource from Apps associated with PerAppVPN. Created FB13688086 with all the details for this iOS 17.4 and AppLayerVPN, looking for an update here and any feedback/pointers will help. Thanks
Posted by vmku.
Post not yet marked as solved
1 Replies
206 Views
Hey, I am looking into creating an app that sets limits on what apps can be used while in the app's focused mode. Something similar to Opal or Forest. I saw that the Screen Time API has similar utility for parental control apps, would I be able to use the API for an app tailored to adults with it remaining under guidelines?
Post not yet marked as solved
2 Replies
255 Views
Hi everyone. I've been trying to set up my Macs in Intune. One of the key requirements is to create a push certificate for my environment. I can get past the upload page on the Apple Push Certificate Portal. Once I click the upload button on the web page after choosing my CSR file, I get this page on the CSR file: "The page you’re looking for can’t be found". I get the same message every time I refresh or log back into the page doing these steps. I don't know what to do. Would anyone have any advice on this? Or is this solely an Apple problem? Just if it's of any relevance, I am in Australia.
Posted by Stoman11.
Post not yet marked as solved
1 Replies
211 Views
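Resolving a device name from a UDID. This is the UDID of an Apple device: 00008110-00090D863EF9801E. I need to know what model of device it is. Does Apple provide an interface for resolving the device type from a UDID?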
Posted by ihjycc.
Post not yet marked as solved
1 Replies
239 Views
I have a question. When the DDM status report is sent from a DDM device, normally an empty response is returned. However, if we return a non-empty response that includes an arbitrary string, the device sends us the declaration-items request. Is this behavior correct?

device| --status report-------> |server
device| <------a non-empty----- |server
device| --declaration-items---> |server

Is this behavior correct?
Post not yet marked as solved
3 Replies
301 Views
I added a PKCS12 file to the Certificates section of the mobileconfig using Apple Configurator. I've installed the profile on the device but I can't see how I can access this cert. I want to use it to respond to a NSURLAuthenticationMethodClientCertificate challenge. Is it possible for an iOS app to get access to the cert this way?
Posted by docfp.
Post not yet marked as solved
0 Replies
229 Views
I have tried to deploy a passwordpolicy script using pwpolicy:

pwpolicy -n /Local/Default -setglobalpolicy "usingHistory=5 canModifyPasswordforSelf=1 maxMinutesUntilChangePassword=129600 requiresAlpha=1 requiresNumeric=1 minChars=8 passwordCannotBeName=1 requiresMixedCase=1 requiresSymbol=1"
sudo defaults write /Library/Preferences/com.apple.loginwindow PasswordExpirationDays 14
errcode=$?
if [ "$errcode" -ne 0 ]; then
    echo ""
    echo "Failed to apply with errorcode $errcode" 1>&2
    echo ""
    exit 1
fi
echo "Password Policy applied successfully" 1>&2

After deploying, on next login, it prompted for login. On entering the password, it shows wrong password. When I tried to reset the password, it is not accepting the password. Instead it prompts again and again. Like this, I have got 300 Mac machines stuck at the login page. I tried to run these two commands via an app running as root:

pwpolicy -u "$user" -clearaccountpolicies
pwpolicy -clearaccountpolicies

After running this, I am able to log in for the first time. When I tried to log in a second or successive time, it is failing with wrong password or sometimes no error instead of a jumping prompt in the password page. When I tried to change the password after a login after the clearpolicy command, it is not accepting the admin's password (which was used to log in to the current session). Please help on this issue, as it does have a serious impact.
Post not yet marked as solved
5 Replies
366 Views
I'm the IT Admin in my company. We use Microsoft Intune, which is a Mobile Device Management tool, to manage our devices and apps. I created an app protection policy, restricting the data so that it can only be shared between the allowed apps. For example, if our user wants to copy the content in Outlook for iOS to WeChat or personal memo, the action will be blocked. However, maybe it's too strict; here is the scenario that we need to handle: A user selected the content in the Outlook for iOS mail, and wanted to use the "translate" function to do translation. Before the app protection policy was deployed, he could do the translation successfully. And now, it's blocked. Therefore, we need to find a way to exempt the app "Translate" so that users can do the translation successfully. We put the value "com.apple.Translate" (this is a package ID listed in the official document of Apple) in the exemption, but it's not working. May I know what is the correct "value" for the iOS native Translate app? I need to put this value in our app protection policy to exempt the Translate app. Thank you so much.
Posted by Gary0620.