VerifyRecoveryLockResponse - in this response, we do not get a key as VerifyRecoveryLock like its seen in VerifyFirmwarePasswordResponse where we get a key as VerifyFirmwarePassword. So should we rely only on the commanduuid to map to type of response and handle result accordingly for this type? <dict> <key>CommandUUID</key> <string>08b5bfb1-b547-43b4-b453-340a0dadeb7d</string> <key>PasswordVerified</key> <true/> <key>Status</key> <string>Acknowledged</string> <key>UDID</key> <string>B29422F1-756E-5370-966E-3A6E9E969096</string> </dict> . SetRecoveryLockResponse - in this response also we do not get a key to identify acknowledgement as 'SetRecoveryLockResponse' ( but we can identify with the CommandUUID) . we do not have any field as 'PasswordChanged' to confirm if its already changed like we have for SetFirmwarePasswordResponse. <dict> <key>CommandUUID</key> <string>d19f5ac9-31be-4cd9-9e20-0b034108855a</string> <key>Status</key> <string>Acknowledged</string> <key>UDID</key> <string>B29422F1-756E-5370-966E-3A6E9E969096</string> </dict> even though we could compare commanduuid, it would have been better if we also get the

In new Userenrollment flow (Account driven User enrollment), we are challenging the authentication by sending authentication URL which has a query parameter source=NATIVE as below : WWW-Authenticate: Bearer method="apple-as-web", url="https://ourauthserverdomain.com/ireg/index.html?source=NATIVE but when device makes the request to this url when it opens the webview it is ignoring query parameter sent from server (here, source=NATIVE).

We are trying out Account Driven User Enrollment feature. Device is expected to send the device info(plist) (snippet below) during User enrolment in new flow as part of profile download request. Device is sending with HTTP request content type as "application/x-www-form-urlencoded", because of this HTTP request content type, we are not able to read the body as stream of bytes and parse the xml. In comparison to usual device enrolment workflow device info gets posted with the http request content-type  as "application/pkcs7-signature" which has been working fine without any issues. <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>LANGUAGE</key> <string>en-US</string> <key>PRODUCT</key> <string>iPhone10,2</string> <key>VERSION</key> <string>19A222</string> </dict> </plist> Can you please confirm if this is an issue from Apple side? Any suggestions around this?

We are observing few issues when allow / block list of apps restriction is pushed to iOS 14.5 & iOS 15 devices. Below are the list of issues: System apps are not accessible from Device Layout when a specific non-system app bundle id is added to allowed list. This behaviour is seen both on iOS 14.x & 15. For example calendar, notes, email apps are missing but apps like feedback assistant, whether widgets are seen. When any app is added to blocked app list, all system apps are missing in layout iOS15 but are accessible from App Library. Where as on iOS 14.5 system apps are displayed on Device Layout & App Library even when a particular non-system app is added to blocked app list. On device retirement from MDM, all the apps are not reappearing on the Device layout if allowed / blocked app list was earlier distributed. Only upon uninstall of another app all the apps reappear. When Allowed & Blocked apps list restrictions are sent to device only Web Clip apps are present on Device Layout. Please direct to the right documentation which can confirm the right behaviour of these restrictions on the device.

While issuing a device deviceLock command to intel based Monterey device, if PIN, message & phone number are set, message is displayed rightly, but nowhere phone number gets displayed on lock screen. Please point to documentation which describes the supportability of these fields.

On Apple silicon Mac running 11.4 when device lock is performed through MDM, the device is going to activation mode. Instead it should get locked. There were a few blogs where the issue is talked about but nothing concrete from Apple documentation. Please direct us to the right documentation on Device lock support for Apple Silicon.

We tried installing ipa file in m1 Mac ( tried both mac11 and mac12 silicon mac), but it failed with error informing - Error Domain=ASDErrorDomain Code=660 "Could not create PKProduct". Attaching the log and plist details ipa-failure-devicelog.txt the plist - install application command

Hi, can you please confirm if Apple supports - is provisioning profile is support on m1 Mac ? any specific m1 Mac version onwards? if the iOS app is supported on m1 Mac, then the respective iOS provisioning profile would work on m1 Mac as well?

As per the Web content filter payload documentation at https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf page#106, it allows multiple payloads. But as per the latest document https://developer.apple.com/documentation/devicemanagement/webcontentfilter?changes=latest_major, it does not allow multiple payloads. Can we get answers for the below queries? What is the current expected behaviour WRT to multi /single payloads for web content payload on iOS and macOS? If the functionality is changed to single payload from multiple payloads, from which iOS and macOS versions is this change effective? If multiple payloads were earlier accepted and the device is updated to a version where only single payload is allowed, how does device prioritise/ merge the payloads during update?

We sent certificate revocation payload documented at https://developer.apple.com/documentation/devicemanagement/certificaterevocation to iOS device. On the device, the "Certificate Revocation Configuration" is listed but do not see any effect of this revocation. We revoked the certificate of a website and tried to access it from Safari. The access is not blocked. How can we check that the certificates are actually revoked?

Without iosApp flag in the InstallApplication command we are able to install an iOS app in mac11 device.    https://developer.apple.com/documentation/devicemanagement/installapplicationcommand/command                As per doc, this flag has to be set to true so that ios app can be installed on mac device, but even without this flag ( default false), the iOS apps installation on MacOS 11 is successful. What is the significance of iOSApp flag?

Is there any metadata in ios apps that can be used to determine if an iOS app can be installed on M1 device? https://affiliate.itunes.apple.com/resources/documentation/itunes-store-web-service-search-api/ - metadata returned by this search API does not have any indication of whether the iOS app is applicable for macOS 11 or not? Ex: curl -s 'https://itunes.apple.com/lookupid=281796108&amp;amp;country=RU&amp;amp;l ang=en' O/p of the API response is attached. O/P of API of App that is also applicable on M1 - https://developer.apple.com/forums/content/attachment/53aab414-e2bc-4f67-a5e7-b82df6b6bd89

https://developer.apple.com/documentation/devicemanagement/airplay?changes=latest_minor AllowList is newly added. older field Whitelist - doc says "Use AllowList instead. " , Is 'whitlist' deprecated , can admin still use it in any os version. 2. AllowList - is it alpha numeric in that format xx:xx:xx:xx:xx:xx

As per documentation at https://developer.apple.com/documentation/devicemanagement/dock/staticitem/tile-data, file-type is a required field and the possible values are 0, 1, 3. But in the file present on Mac device at ~/Library/preferences/com.apple.dock.plist, the values for file-type are 41, 40, 2, 1, 169. Can you please help with the valid possible values for the field file-type? And also please help with what each those values mean? Attached the dock preference file from Mac device. com.apple.dock.plist - https://developer.apple.com/forums/content/attachment/8f8e62a4-322b-45b1-a94d-643d8539589b

Hi, in ios14.5 we have new restriction "forceWiFiToAllowedNetworksOnly". This limits device to only join Wi-Fi networks set-up via configuration profile. If there is no valid wifi payload installed then this would stop communication with MDM server right? If so, is there any recommendation on how to handle this or whether there are any constraints to check and not send this recommendation if so?