When we push Desktop/Wallpaper configuration to UserEnrolled Mac devices, we get an acknowledgment.
But the device is not reporting the config in the installed Profile list report.
The issue is seen only with Mac UserEnrolled devices (tested with OS versions 10.15 and 11). As per the Apple doc, this is supported on UserEnrolled devices as well.
Regarding allowWallpaperModification setting in https://developer.apple.com/documentation/devicemanagement/restrictions,
1) Is this setting supposed to work on supervised macOS devices only or on non-supervised macOS devices as well?
2) From our testing, we observed that for the setting change to be effective on the device, a device restart is required. Is this expected?
We are testing the new InstallAction option InstallForceRestart (https://developer.apple.com/documentation/devicemanagement/scheduleosupdatecommand/command/updatesitem) on macOS 11 devices per the documentation and we are getting an error that it is an unsupported action for this Product Key.
If we use the InstallAction of Default instead with the same Product Key the update is fine.
Plist with error is
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "...">
<plist version="1.0">
<dict>
<key>CommandUUID</key>
<string>0b17230e-7096-4972-be30-1f23fb8c4d6d</string>
<key>ErrorChain</key>
<array>
<dict>
<key>ErrorCode</key>
<integer>12008</integer>
<key>ErrorDomain</key>
<string>MCMDMErrorDomain</string>
<key>LocalizedDescription</key>
<string>Unsupported InstallAction for this ProductKey</string>
</dict>
</array>
<key>Status</key>
<string>Error</string>
<key>UDID</key>
<string>54354E4B-F56B-5D62-83C9-990342AD570B</string>
<key>UpdateResults</key>
<array>
<dict>
<key>ErrorChain</key>
<array>
<dict>
<key>ErrorCode</key>
<integer>12008</integer>
<key>ErrorDomain</key>
<string>MCMDMErrorDomain</string>
<key>LocalizedDescription</key>
<string>Unsupported InstallAction for this ProductKey</string>
</dict>
</array>
<key>InstallAction</key>
<string>Error</string>
<key>ProductKey</key>
<string>MACOS11.1</string>
<key>Status</key>
<string>InstallFailed</string>
</dict>
</array>
</dict>
</plist>
Anyone else seeing this error or have people been able to get the InstallForceRestart option to work?
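For triaging responses like the one above on the MDM server side, the following added example (not part of the original post, and not Apple's code) flattens the top-level and per-update ErrorChain entries with Python's plistlib. The function names are illustrative, and the embedded sample is abridged from the quoted response.

```python
import plistlib

# Abridged copy of the ScheduleOSUpdate error response quoted above; the
# DOCTYPE line is omitted because the page elides its system identifier.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>CommandUUID</key><string>0b17230e-7096-4972-be30-1f23fb8c4d6d</string>
<key>ErrorChain</key><array><dict>
  <key>ErrorCode</key><integer>12008</integer>
  <key>ErrorDomain</key><string>MCMDMErrorDomain</string>
  <key>LocalizedDescription</key><string>Unsupported InstallAction for this ProductKey</string>
</dict></array>
<key>Status</key><string>Error</string>
<key>UDID</key><string>54354E4B-F56B-5D62-83C9-990342AD570B</string>
<key>UpdateResults</key><array><dict>
  <key>ErrorChain</key><array><dict>
    <key>ErrorCode</key><integer>12008</integer>
    <key>ErrorDomain</key><string>MCMDMErrorDomain</string>
  </dict></array>
  <key>ProductKey</key><string>MACOS11.1</string>
  <key>Status</key><string>InstallFailed</string>
</dict></array>
</dict></plist>"""

def _chain(node, where):
    """Yield one flat record per ErrorChain entry found directly on node."""
    for err in node.get("ErrorChain", []):
        yield {"where": where, "domain": err.get("ErrorDomain"),
               "code": err.get("ErrorCode"),
               "message": err.get("LocalizedDescription")}

def flatten_errors(raw):
    """Return (summary, errors) for one MDM command response plist."""
    doc = plistlib.loads(raw)
    summary = {k: doc.get(k) for k in ("CommandUUID", "UDID", "Status")}
    errors = list(_chain(doc, "command"))
    # The response above repeats the chain inside each UpdateResults item.
    for item in doc.get("UpdateResults", []):
        errors.extend(_chain(item, "update:" + str(item.get("ProductKey"))))
    return summary, errors

def group_by_cause(errors):
    """Map (domain, code) to every location that reported it."""
    grouped = {}
    for e in errors:
        grouped.setdefault((e["domain"], e["code"]), []).append(e["where"])
    return grouped

if __name__ == "__main__":
    print(group_by_cause(flatten_errors(SAMPLE_RESPONSE)[1]))
```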
From which version of devices are the changes mentioned in https://developer.apple.com/documentation/devicemanagement/vpn/alwayson?changes=latest_major present? Are they applicable to iOS and macOS platforms? Are they backward compatible? Would "VPN.AlwaysOn.AllowedCaptiveNetworkPlugin", "VPN.AlwaysOn.ServiceException" etc. work on newer versions of iOS and macOS devices?
Are there more details on what is considered "contains sensitive user information which is not permitted for user payloads" for shared iPad deployments on iOS 14?
We've looked at the Apple docs and the fields that are sensitive user information do not appear to be explicitly called out.
For example, our testing results show that the payloads
Email
CalDAV
CardDAV
Exchange
Subscribed Calendar
LDAP
will result in a "contains sensitive user information which is not permitted for user payloads" error if the password attribute is included in the payload.
After removing the password attribute, the payload is fine.
Is this information documented somewhere explicitly? What is the list of other attributes that are considered sensitive user information?
Any guidance on installing managed applications for macOS 11?
We are not having any luck.
<?xml version="1.0"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "...">
<plist version="1.0">
<dict>
<key>CommandUUID</key>
<string>c81be0c8-a5a4-4162-898e-64e865dfd714</string>
<key>Command</key>
<dict>
<key>RequestType</key>
<string>InstallApplication</string>
<key>ManagementFlags</key>
<integer>0</integer>
<key>iTunesStoreID</key>
<integer>406056744</integer>
<key>ChangeManagementState</key>
<string>Managed</string>
<key>InstallAsManaged</key>
<true/>
<key>iosApp</key>
<false/>
<key>Configuration</key>
<dict>
<key>configUuid</key>
<string>100000-1000-1000-1000-100000000000</string>
</dict>
<key>Attributes</key>
<dict>
<key>Removable</key>
<true/>
</dict>
</dict>
</dict>
</plist>
results in the error
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "...">
<plist version="1.0">
<dict>
<key>CommandUUID</key>
<string>0c4d2406-1c4e-4ebf-800b-ea372225f911</string>
<key>ErrorChain</key>
<array>
<dict>
<key>ErrorCode</key>
<integer>97</integer>
<key>ErrorDomain</key>
<string>MDMClientError</string>
<key>LocalizedDescription</key>
<string><![CDATA[PurchaseMethod must be 1 <MDMClientError:97>]]></string>
</dict>
</array>
<key>RejectionReason</key>
<string>PurchaseMethodNotSupported</string>
<key>Status</key>
<string>Error</string>
<key>UDID</key>
<string>564D79B5-29E6-DAEC-8E5B-2D921352D787</string>
</dict>
</plist>
We tried removing the InstallAsManaged, but we get the same PurchaseMethodNotSupported error.
None of the existing PurchaseMethod values make sense
https://developer.apple.com/documentation/devicemanagement/installapplicationcommand/command/options
0 is for iOS
1 is for VPP
My understanding was that the whole purpose of the new managed application support for macOS 11 was that EMMs now had the ability to install applications as managed for macOS 11 without using VPP.
We are seeing errors on the iOS 14.2 device when pushing an Encrypted DNS Payload.
Specifically
Enable Demand Rules: and set Network: Evaluate Connection (for both Domain Action: Never Connect & Domain Action: Connect If Needed options)
The error is
<?xml version="1.0" encoding="UTF-8"?>
...
<plist version="1.0">
<array>
<dict>
<key>ErrorCode</key>
<integer>4001</integer>
<key>ErrorDomain</key>
<string>MCInstallationErrorDomain</string>
<key>LocalizedDescription</key>
<string>Profile Installation Failed</string>
<key>USEnglishDescription</key>
<string>Profile Installation Failed</string>
</dict>
<dict>
<key>ErrorCode</key>
<integer>4001</integer>
<key>ErrorDomain</key>
<string>MCInstallationErrorDomain</string>
<key>LocalizedDescription</key>
<string>Profile Failed to Install</string>
<key>USEnglishDescription</key>
<string>Profile Failed to Install</string>
</dict>
<dict>
<key>ErrorCode</key>
<integer>1009</integer>
<key>ErrorDomain</key>
<string>MCProfileErrorDomain</string>
<key>LocalizedDescription</key>
<string>The profile "h1dns" could not be installed.</string>
<key>USEnglishDescription</key>
<string>The profile "h1dns" could not be installed.</string>
</dict>
<dict>
<key>ErrorCode</key>
<integer>57000</integer>
<key>ErrorDomain</key>
<string>MCDNSSettingsErrorDomain</string>
<key>LocalizedDescription</key>
<string>The DNS settings service encountered an internal error.</string>
<key>USEnglishDescription</key>
<string>The DNS settings service encountered an internal error.</string>
</dict>
</array>
</plist>
The plist that we are sending is
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "...">
<plist version="1.0">
<array>
<dict>
<key>DNSSettings</key>
<dict>
<key>DNSProtocol</key>
<string>HTTPS</string>
<key>ServerAddresses</key>
<array>
<string>1.1.1.1</string>
</array>
<key>ServerURL</key>
<string><Somehost/dns-query</string>
</dict>
<key>OnDemandRules</key>
<array>
<dict>
<key>Action</key>
<string>EvaluateConnection</string>
<key>ActionParameters</key>
<dict>
<key>DomainAction</key>
<string>NeverConnect</string>
<key>Domains</key>
<array>
<string>news.google.com</string>
</array>
</dict>
<key>InterfaceTypeMatch</key>
<string>Ethernet</string>
</dict>
<dict>
<key>Action</key>
<string>EvaluateConnection</string>
<key>ActionParameters</key>
<dict>
<key>DomainAction</key>
<string>ConnectIfNeeded</string>
<key>Domains</key>
<array>
<string>mail.yahoo.com</string>
</array>
</dict>
<key>InterfaceTypeMatch</key>
<string>WiFi</string>
</dict>
</array>
<key>ProhibitDisablement</key>
<false/>
<key>PayloadDescription</key>
<string>The payload for configuring encrypted DNS settings.</string>
<key>PayloadDisplayName</key>
<string>DNS_ENCRYPTED</string>
<key>PayloadIdentifier</key>
<string>mi.dnssettings.44011.0</string>
<key>PayloadOrganization</key>
<string>com.mobileiron</string>
<key>PayloadType</key>
<string>com.apple.dnsSettings.managed</string>
<key>PayloadUUID</key>
<string>3173360096376915336</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
</plist>
The current docs for https://developer.apple.com/documentation/devicemanagement/dnssettings state that the encrypted DNS setting is supported on the device channel for shared iPad
Device Channel
iOS, macOS, Shared iPad
but under
Allow Multiple Payloads
iOS, macOS
shared iPad is not listed.
BUT if you go to the Shared iPad Payload list
https://support.apple.com/en-gb/guide/mdm/mdm05daf6e79/web
DNS Settings is listed as device, combined, and multiple.
Device
Combined
Multiple
Which doc is correct?
We are seeing ...
<dict>
<key>CommandUUID</key>
<string>43abc5e2-60a8-4fef-8375-0c3bc530573b</string>
<key>ErrorChain</key>
<array>
<dict>
<key>ErrorCode</key>
<integer>1</integer>
<key>ErrorDomain</key>
<string>SingleSignOn</string>
<key>LocalizedDescription</key>
<string>The profile is a user profile but contains a “Single Sign On Extension” payload which is only valid in device profiles.</string>
</dict>
</array>
<key>NotOnConsole</key>
<false/>
<key>Status</key>
<string>Error</string>
<key>UDID</key>
<string>3297AA46-0711-5788-8161-FB41629845AF</string>
... pushing a Single Sign On Extension Payload on the user channel for macOS 10.15 devices.
The same payload works on the user channel for macOS 11.
We have created a Feedback ticket https://feedbackassistant.apple.com/feedback/8799075
Any more details on the new attributes AssociatedDomains and ExcludedDomains in https://developer.apple.com/documentation/devicemanagement/applayervpn
Are these fields supported for iOS and macOS? Which versions? iOS 14 and macOS 11
Per the https://developer.apple.com/documentation/devicemanagement/settingscommand/command/settings/mdmoptions/mdmoptions?changes=latest_minor
SettingsCommand.Command.Settings.MDMOptions.MDMOptions
the PromptUserToAllowBootstrapTokenForAuthentication default value is false.
Can you elaborate why the default value is false? From our testing on macOS 11 it would appear when the value is false, only the primary account is able to log on to the device because only the primary account can decrypt the encrypted volume. Any optional admin accounts that are created are unable to decrypt the value so consequently the optional admin account cannot log on. This seems like a big change in macOS 11 that should be called out.
We also noticed that any local users that were created while logged in as the primary account appear to inherit some permission that allows these local users to decrypt the volume and login.
When sending the setting to change the time zone, the plist is Acknowledged, but the device is not changing.
I tried setting the following values: America/Moncton
America/New_York
Europe/Dublin
Europe/London
In all cases the plist was acknowledged. These values are part of the IANA timezone database.
There are two issues: When "Set Automatically" is enabled on the Date & Time settings screen, the TimeZone is not displayed and there is just a spinning icon.
When "Set Automatically" is disabled on the Date & Time settings screen, the Timezone displays but as the original timezone of the device, not of the time zone sent to the device through the SettingsCommand.
The device has the following: Software Version: 14.0 (18A5301v)
Model Name: iPhone Xs
Model Number: A1920
What is the desired outcome from setting the timezone? I had expected to see the timezone change on the device and the current time to match the time zone that was set. Is this not yet functional?
Also, if I send a bogus timezone, it is still acknowledged. I would have expected it to get rejected. Will it reject invalid timezones?
What is the purpose of the tri-state BootstrapTokenAllowedForAuthentication value in the SecurityInfo response?
allowed, disallowed, not supported are the possible values
https://developer.apple.com/documentation/devicemanagement/securityinforesponse/securityinfo?changes=latest_beta
During WWDC2020, and when the key was a boolean, it seemed that the key was to indicate if a bootstrap token existed on the device, but that doesn't seem to be the case now with the allowed, disallowed, not supported values.
Any more details on the new restriction allowApplePersonalizedAdvertising
See https://developer.apple.com/documentation/devicemanagement/restrictions?changes=latest_major
Is it for supervised devices or all devices? iOS 14 and higher or macOS 11 too?
What behavior does the end user see/notice if set to false?
What is Items supposed to control in the InstalledApplicationListCommand?
Items
[string]
Possible values: AdHocCodeSigned, AppStoreVendable, BetaApp, BundleSize, DeviceBasedVPP, DynamicSize, ExternalVersionIdentifier, HasUpdateAvailable, Identifier, Installing, IsValidated, Name, ShortVersion, Version
The results are the same response https://developer.apple.com/documentation/devicemanagement/installedapplicationlistresponse/installedapplicationlistitem regardless of what strings are included in the Items string of the request.