Hey @jimstr,
Awesome to hear that you are already using an additional layer of encryption!
Two other resources that might help, but do not formally state "compliance":
New Developer Documentation:
https://developer.apple.com/documentation/usernotifications/setting_up_a_remote_notification_server
https://developer.apple.com/documentation/usernotifications/setting_up_a_remote_notification_server/sending_notification_requests_to_apns
Old Developer Documentation (My Preference):
https://developer.apple.com/library/archive/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/APNSOverview.html#//apple_ref/doc/uid/TP40008194-CH8-SW1
Neither answers the "compliance" question directly though, outside of speaking abstractly to how the service works. One approach to take in a compliance report is to show what systems you have control over and those you do not. Showing that you have compliance within the systems that you are able to control (Certificate Pinning, KMS, etc.) with the ability to ensure cryptographic integrity to the client (assuming you also have client-side protections in place) through untrusted space, which is essentially the entire Internet because the client wouldn't have control over the client-side network connection (assuming a BYOD approach) even with those protections in place (ISP interference, etc.).
If I am able to find any more specific documents from Apple I will make sure to update the post!
Hey @stefanvasic,
This has been a recurring issue recently for users across the forum. I would recommend looking for other posts as well just to see if there are any details that might help you.
The best way (although not amazing) to get more information on your build status will be to call Apple Developer Support and see if they can verify that your builds exist in the database and provide a status. If they have not completed processing, I would try and verify that they haven't been rejected and still have a chance to finish processing. I have sometimes experienced cases where, with some errors, Apple has not found a way to present this information successfully to developers.
https://developer.apple.com/contact/topic/select
Oftentimes, unfortunately, Apple will suggest uploading another build.
Hopefully this helps and best of luck!
Hello @jimstr,
Apple has some information on this posted at the below site. I would strongly recommend reviewing it and the other information as it has some really interesting details.
https://support.apple.com/guide/sccc/overview-sccc9b6aa4275/1/web/1.0
From an architecture perspective, I would suggest not trusting Apple by default as that could get you in trouble in the long run. Even if you choose to rely on their current compliance standards, I would still recommend at a minimum encrypting the data in the notification payload and implementing a notification service extension and decrypting the data inside of the application container before posting to the device to at least ensure the plain text is not stored on Apple servers.
Dynamically delivering a certificate to decrypt the data would be ideal, but if that is not possible and it needs to be included in the IPA file that is better than sending plain text through the system.
Hopefully this helps!
Hello @JordanBettridge,
Thanks for posting this on the forums!
From what you have shared, I would suggest going through the process to get an Organizational Apple Developer Account. The biggest reason for this is that under a personal Apple Developer Account you are either going to need to share your Apple Developer Account credentials with all of the developers on your team so that they can access development resources, or expect them to download and install new profiles and certificates that you make available to them. This could work, but it is a ton of overhead when most developers nowadays will want to log in to Xcode with the account to help them during development.
Sharing your Apple Developer Account credentials and a poor developer experience are what lead me to suggest an Organizational Apple Developer Account. The biggest benefit that you have with this approach is User Management in the App Store Connect Console, so that you have more flexibility with roles and access to developer account resources and do not need to have a shared password.
From a cost perspective, both of the above options currently cost the same amount (Annually, Enterprise Excluded) and do not have any limits on the number of applications that you can upload or deploy. I am sure there is at some point, but our account has close to 300 applications in it and we are still going strong.
Outside of the annual cost, the only other cost would be if you have paid applications, in-app purchases, etc. where the Apple royalty would be applied (Make sure to enroll to the Small Business Program).
https://developer.apple.com/app-store/review/guidelines/#business
Hopefully this helps!
Hey @tngacker,
This is some good investigative work!
I do think this rules out any connection issues to the data stream from a networking perspective! The device is getting blocked before it can even open up the stream.
Are the devices that you are working with Supervised by chance? If so, I wonder if it would be possible to set another device restriction in order to prevent the user from being prompted with this?
https://support.apple.com/guide/mdm/supervised-restrictions-for-iphone-and-ipad-mdm54960f92a/web
Modify personal Hotspot settings
Modify eSIM settings
Modify cellular plan settings
Modify cellular data app settings
However, I would definitely open up a Feedback with Apple on this as it is a unique edge case.
https://feedbackassistant.apple.com
What I imagine you as the admin are expecting to happen would be for the application to be installed and for the device to go into single-app mode, but due to the "user" having control over the cellular plan you are not able to accomplish this. If the device is supervised and one of the above restrictions can't help with this, I think Apple would consider making a change to the protocol to support your use case.
Hopefully one of the above restrictions can help get this solved for you!
Hey @lukasg,
In general, if an application is offering in-app purchases, they should be using the In App purchasing tools provided by Apple which would mean Apple gets some kind of commission. There are legal cases right now that might change this, but this is how the App Store is supposed to work currently.
One thing to consider is the Apple Small Business Program where the Apple commission is only 15%.
https://developer.apple.com/app-store/small-business-program/
The App Store Review Guidelines currently lay this out very clearly on how in app purchasing is supposed to work.
https://developer.apple.com/app-store/review/guidelines/#in-app-purchase
Hopefully this helps!
Hey @tngacker & @zhengjuf,
So there is tons of complexity when changing from a WiFi network to a cellular network. Hopefully there is more than 1 device facing the issue to help diagnose where the actual issue is. Also, if you have any additional logs to share from the mobile client, this might be beneficial, but I understand the confidentiality.
Below are a few thoughts.
The cellular network is taking a drastically different path than WiFi altogether. Does the MDM network support both IPv4 and IPv6?
Does the application download on ANY WiFi network or just a managed network that is being pushed to the device?
WiFi is often "inside" of a Firewall, whereas cellular needs to go through the "Firewall" to get to your content. In order to initiate an application install through MDM, that request goes through Apple services; the streaming of the data itself, which is being triggered by appstored during the install process, is a stream to where the content is hosted. Are you using a Cloud MDM or a locally hosted MDM? Do you have a way to determine if you can get access to the data through a cellular connection?
Is the location where the content is hosted following all of the TLS requirements and using a valid certificate?
Are other (Enterprise) applications able to install successfully where this one is not? What are the differences between them if some can install successfully and others cannot?
WiFi and Cellular are using completely different networking paths to get to the content, and that is where the problem is most likely lying if one works and one does not. We just need to rule out all of the places where a cellular connection is different from WiFi.
Hopefully this helps in some way!
Hey @JonBrydgesLP,
This is a great question! The best place to get your answer is going to be the App Store Review Guidelines document (Specifically section 4.2.6).
https://developer.apple.com/app-store/review/guidelines/#minimum-functionality
Your organization would be fulfilling the "App Generation Service" where the organization that you are selling to would be the "Provider of the App's Content" since they are providing the content to be displayed to users.
The approach that you are taking is spot on in submitting the application under the other organization's App Store Connect account and business registration.
This is the same approach that our organization takes with vendors and we have never been rejected for this with hundreds of applications in the App Store.
Hopefully this helps!
Hey @blueberry6401,
Thanks for posting this! Make sure to check out a few other issues that users on the forums are facing as well.
https://developer.apple.com/forums/thread/692592
Our organization is facing long processing times as well. Our longest wait times right now are right at 26 hours.
Processing time varies in general, but what we have found is that the more complicated the application is, specifically if you have a Watch App along with any extensions, the longer the build processing time will take, as Apple needs to recompile your application for each Watch series as of today. Our native applications without Watch applications are still processing in sub-20 minutes across the board, and the delays feel very localized to larger IPA file sizes along with extensions and a Watch App component.
Hopefully Apple finds a way to address this soon or delivers tools like a webhook for notifying automation systems when builds have completed processing so that they can be added to TestFlight groups.
Have a great day!
Hey @MoHindi,
Thanks for posting this question!
In our team's experience, if the App Reviewer needs additional context or information on how to log in to the application or leverage its functionality, the Review Notes section inside of TestFlight is the right place for this (at least it has worked for our teams).
I have to imagine that Apple at least attempts to protect demo account credentials and so the statement is really geared towards trying to keep passwords in protected fields in their databases where the Review Notes could be read by anyone. Not sure if that is true but just a thought.
You should be good to put this information in the Review Notes field.
Hopefully this helps and happy coding!
Hey @sienchoo,
Thanks for posting this! This is a very common error that we see on our account as we are uploading hundreds of IPA files to Apple on a monthly basis.
This will happen even when all of the Apple System Status shows green on their monitoring site. This is indicative of a problem on the Apple side and we have not been able to find anything to help resolve the issue as it is intermittent.
When interacting with Apple, we use the command line, and we have actually wrapped our upload command into a while loop that will retry uploading an application up to 5 times if we get this error. While we still encounter it, that is enough tries to get the application to go through for this specific error.
Hopefully this helps!
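A command-agnostic version of the retry wrapper this reply describes, added here as an example (it is not the poster's own script and does not assume any particular Apple upload tool): `retry_upload` runs whatever upload command you pass it and retries on any non-zero exit, up to `MAX_TRIES` attempts (default 5) with `RETRY_DELAY` seconds between attempts. The function name and both variable names are chosen for this example.

```shell
#!/bin/sh
# Added example, not the forum poster's script. Wraps any upload command in a
# bounded retry loop, as the reply above describes doing for an intermittent
# Apple-side upload error. MAX_TRIES and RETRY_DELAY are names chosen here.

# retry_upload CMD [ARGS...]
# Runs CMD with ARGS until it exits 0 or MAX_TRIES (default 5) attempts are used.
# Returns 0 on success, 1 after the last failed attempt.
retry_upload() {
    max_tries="${MAX_TRIES:-5}"
    delay="${RETRY_DELAY:-0}"
    attempt=1
    while [ "$attempt" -le "$max_tries" ]; do
        # Run the command verbatim; any non-zero exit counts as a failed attempt.
        "$@" && {
            echo "upload succeeded on attempt $attempt/$max_tries" >&2
            return 0
        }
        status=$?
        echo "attempt $attempt/$max_tries failed (exit $status)" >&2
        attempt=$((attempt + 1))
        # Only pause if another attempt is coming and a delay was requested.
        if [ "$attempt" -le "$max_tries" ] && [ "$delay" -gt 0 ]; then
            sleep "$delay"
        fi
    done
    echo "giving up after $max_tries attempts" >&2
    return 1
}

# When run as a script, everything after the script name is the upload command,
# e.g.: MAX_TRIES=5 RETRY_DELAY=30 ./retry_upload.sh <your upload command...>
if [ "$#" -gt 0 ]; then
    retry_upload "$@"
fi
```

Because it retries on every non-zero exit, a genuine rejection (bad credentials, invalid IPA) is also retried up to the limit; if your upload tool reports a distinct exit code for the transient error, test `status` inside the loop and return early on anything else so a real failure surfaces on the first attempt. Keeping the attempt count bounded and logging each attempt to stderr gives the automation system a clear record when the upload ultimately fails.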
Hey @Zaszko,
I personally have not run into this issue.
What I did notice when I moved to my iPhone 13 is that my Enterprise applications were NOT transferred and I was required to go back to the source of truth and install them again. Even though I could search for and see the applications on my new device, I could not open them and re-installed them which then gave me the ability to "Trust" the Enterprise certificate.
In theory, you would imagine that as a part of the backup Apple includes Enterprise applications but maybe they don't?
I also checked MDM pushed Enterprise applications and I am not running into issues with these.
Could you share what iOS version you are running on the exact hardware? Are you able to install the IPA successfully through Xcode or OTA? If you run into issues installing, my first go-to is always to open "Console" and start sifting through the logs and looking for errors.
Hopefully this helps!
Hey @tngacker,
Do you happen to know how large the IPA file is that is attempting to be pushed by the MDM to the mobile client? Is it possible that you are hitting a size limit for installing over cellular?
Hopefully this helps!
Hey @backbetterapp,
Would it be possible to share a bit more detail around specifically what you are trying to accomplish so the community can help? It is not clear where you are getting the stated error and the activity that you are attempting to complete.
Looking forward to helping you find a solution!
Hey @ebrowkin,
Would it be possible to share a code sample so that we can see how you are generating and replacing the token? Just enough to let the community help you find the problem?
One way to test this locally in a debug environment is to disable the API calls to Apple and log your token every time you run the application so that you can see when it changes (if it does). Depending on your implementation, you might want to unset / delete / undefine the variable before trying to store a new value in it, depending on its scope. This will also help make it abundantly clear if you are able to remove the value and not generate a new token for some reason.
Hopefully this helps!