Post

Replies

Boosts

Views

Activity

MDM profile removed on 401 from proxy
Our MDM server is hosted with our enterprise. All the devices pass through the proxy & firewall server to reach it. Due to some misconfiguration, our proxy server responded with 401 to all the requests. Later we noticed that the MDM profile was missing from some of the devices. On checking with the MDM team, they forwarded us to Apple documents saying this is out of their control and a 401 response would remove the MDM profile. Could this be handled in such a way that the MDM server has some control over this, say only the MDM server can send a 401 to remove the profile? Has anyone faced this? Any help with this would be appreciated.
1
0
2.5k
Jul ’22
Error while creating APNS certificate
For creating the APNS certificate, we use a signed CSR from our MDM vendor, which is a .plist file. We have been using this for quite some years now. But currently the APNS portal throws an error saying invalid file type (as attached below). Is the portal updated to support only .csr / .txt / .rtf? Can anyone help us use the correct file format? (P.S.: Works if we edit the extension and upload it.)
1
0
853
Jun ’22
Dock is not disappearing with HomeScreenLayout payload
We are pushing a HomeScreenLayout payload with no "docks" array. On iOS, the dock at the bottom disappears. But on iPadOS, the dock is still at the bottom with recent apps listed there. Attached is a screenshot of the iPad's behaviour.

Payload:

<integer>1</integer>
<key>PayloadUUID</key>
<string>____________-</string>
<key>PayloadType</key>
<string>com.apple.homescreenlayout</string>
<key>PayloadOrganization</key>
<string>MDM</string>
<key>PayloadIdentifier</key>
<string>_______________</string>
<key>PayloadDisplayName</key>
<string>Homescreen Layout</string>
<key>Pages</key>
<array>
    <array>
        <dict>
            <key>BundleID</key>
            <string>com.apple.mobilephone</string>
            <key>Type</key>
            <string>Application</string>
        </dict>
        <dict>
            <key>BundleID</key>
            <string>com.apple.Preferences</string>
            <key>Type</key>
            <string>Application</string>
        </dict>
        <dict>
            <key>BundleID</key>
            <string>com.google.ios.youtube</string>
            <key>Type</key>
            <string>Application</string>
        </dict>
        <dict>
            <key>BundleID</key>
            <string>com.manageengine.mdm.iosagent</string>
            <key>Type</key>
            <string>Application</string>
        </dict>
    </array>
</array>

Is it possible to remove the dock from iPadOS, or is there anything I am missing to disable the dock or distinguish between dock-added apps and Recent Apps?
0
0
680
May ’22
Option for macOS MDM to restrict the users from disconnecting from VPN
We have a use case such that we want all the network calls from the Mac device to go through VPN. We tried using the OnDemand field in VPN. Unfortunately, users with admin privilege are still able to disconnect from the VPN, even if we enabled OnDemand. Admin users can disconnect by disabling the OnDemand option in VPN settings. We noticed that there is an option to restrict the OnDemand option in iOS, as mentioned here, using the field OnDemandUserOverrideDisabled. However, this is not supported in macOS. Can anyone suggest a mechanism to restrict users from disabling VPN?
0
0
774
May ’22
Login Window Items payload not working in macOS 12.3
In the latest update of macOS 12.3, the Login Window Items payload does not work. However, it was working until macOS 12.1. The profile applies successfully, but the required apps are not listed under the Login Window Items tab in Users & Groups. Here is the payload we tried in both OS versions:

            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadUUID</key>
            <string>bdcc8534-8a2e-40b5-bf65-17ab9247319c</string>
            <key>PayloadType</key>
            <string>com.apple.loginitems.managed</string>
            <key>PayloadOrganization</key>
            <string>MDM</string>
            <key>PayloadIdentifier</key>
            <string>bdcc8534-8a2e-40b5-bf65-17ab9247319c</string>
            <key>PayloadDisplayName</key>
            <string>Mac Login Window Item</string>
            <key>AutoLaunchedApplicationDictionary-managed</key>
            <array>
                <dict>
                    <key>Path</key>
                    <string>/Applications/Safari.app</string>
                    <key>Hide</key>
                    <false/>
                </dict>
            </array>
        </dict>
0
0
320
May ’22
AlwaysOn VPN not supported in macOS
In the document by Apple over here, it says that AlwaysOn VPN is supported in macOS 10.7+. However, AlwaysOn doesn't seem to work in macOS even in the latest OS. We came across a post where it states that it is supported only for iOS. We had a requirement for supporting AlwaysOn VPN for macOS. Also, in the console log, we found the following errors while sending a profile with AlwaysOn VPN configuration:

error 16:19:45.716722+0530 mdmclient NEConfiguration initWithVPNPayload: failed
error 16:19:45.717076+0530 mdmclient [ERROR] <<<<< PlugIn: InstallPayload [NEProfileIngestionPlugin] Error: Error Domain=ConfigProfilePluginDomain Code=-319 "The ‘VPN Service’ payload could not be installed. The VPN service could not be created." UserInfo={NSLocalizedDescription=The ‘VPN Service’ payload could not be installed. The VPN service could not be created.} <<<<<
0
0
399
May ’22
Fast User Switching is not working using Global Preference MDM profile configuration payload
We tried this Global Preference configuration profile payload to enable fast user switching on the device, but unfortunately, after successfully applying the payload, fast user switching still remains disabled on the device, with the user restricted from modifying the setting. PFA the screenshot of the settings applied in the profile as well as a screenshot of the Login Window settings. OS version: macOS 12.1

<dict>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadUUID</key>
    <string>7b3041b6-d1fb-43d8-af8c-1028cde8b534</string>
    <key>PayloadType</key>
    <string>.GlobalPreferences</string>
    <key>PayloadOrganization</key>
    <string>MDM</string>
    <key>PayloadIdentifier</key>
    <string>7b3041b6-d1fb-43d8-af8c-1028cde8b534</string>
    <key>PayloadDisplayName</key>
    <string>Mac Global Preference payload</string>
    <key>MultipleSessionEnabled</key>
    <true/>
    <key>LULookupDisabled</key>
    <false/>
    <key>com.apple.autologout.AutoLogOutDelay</key>
    <integer>0</integer>
</dict>
1
0
1.3k
May ’22
Offloaded Apps not restricted on allowListedAppBundleIDs
We have sent the payload for restricting all the apps except YouTube and the MEMDM app. The payload is listed below. The problem is that all the apps are restricted except the apps that were offloaded before; the icons of the offloaded apps appear on the home screen. Attached is the screenshot of the offloaded icons with multi-app kiosk enabled. Is this the expected behaviour, or is there anything I am missing? Can anyone help me with this?

Payload sent to the device:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadUUID</key>
    <string>------------</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadOrganization</key>
    <string>-----</string>
    <key>PayloadIdentifier</key>
    <string>----------------</string>
    <key>PayloadDisplayName</key>
    <string>MultiApp Kiosk</string>
    <key>PayloadRemovalDisallowed</key>
    <true/>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadUUID</key>
            <string>----------------</string>
            <key>PayloadType</key>
            <string>com.apple.applicationaccess</string>
            <key>PayloadOrganization</key>
            <string>MDM</string>
            <key>PayloadIdentifier</key>
            <string>---------------</string>
            <key>PayloadDisplayName</key>
            <string>AppLock Whitelist Policy</string>
            <key>whitelistedAppBundleIDs</key>
            <array>
                <string>com.google.ios.youtube</string>
                <string>com.manageengine.mdm.iosagent</string>
                <string>com.apple.webapp</string>
            </array>
            <key>allowListedAppBundleIDs </key>
            <array>
                <string>com.google.ios.youtube</string>
                <string>com.manageengine.mdm.iosagent</string>
                <string>com.apple.webapp</string>
            </array>
        </dict>
    </array>
</dict>
</plist>
0
0
734
May ’22
"requireManagedPasteboard" Restriction bypassed with "Share" Option Highlighted Text
requireManagedPasteboard - boolean
If true, copy and paste functionality respects the allowOpenFromManagedToUnmanaged and allowOpenFromUnmanagedToManaged restrictions. Also available for user enrollment.

As suggested, it doesn't allow text to be copied from managed apps and pasted into any unmanaged app, and vice versa. But there is another way to get the text to another unmanaged/managed app: highlighting text from mail content and clicking on the 'Share' option leads to the text being opened in the destination app.

Steps:
1. Pushed a managed account to the native Mail app.
2. Pushed a restriction with "requireManagedPasteboard".
3. Opened a mail and highlighted the text contents.
4. Clicked on the Share option. It lists all the apps (both managed and unmanaged) to share the text.
5. I clicked on the Notes app. The highlighted text got moved to the Notes app.

When the same text was copied and pasted into the Notes app, it says "Enabled Restriction for Copy/Paste".

Attached is the screenshot showing where the "Share" option appears. Kindly check whether this is the default behaviour, or is there anything I am missing?
0
0
436
May ’22
Energy Saver profile not working as expected in MDM
After the Energy Saver mobileconfig file with Display sleep time as 1 and System Sleep time as 2 is applied successfully, when you change the settings in System Preferences -> Energy Saver manually, the time that was set manually takes effect instead of what MDM has set, on a MacBook Pro (Intel chip; tried on both Sierra and Monterey). Please find the mobileconfig that we tried below.

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadDisplayName</key>
            <string>Energy Saver</string>
            <key>PayloadIdentifier</key>
            <string>com.286E9EC9-588D-4BDC-B90C-F4FBAC58A2F0.com.apple.MCX.24D336A4-FE03-493F-81B6-C4CEB640F58F</string>
            <key>PayloadType</key>
            <string>com.apple.MCX</string>
            <key>PayloadUUID</key>
            <string>24D336A4-FE03-493F-81B6-C4CEB640F58F</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>com.apple.EnergySaver.portable.ACPower</key>
            <dict>
                <key>Disk Sleep Timer</key>
                <integer>5</integer>
                <key>Display Sleep Timer</key>
                <integer>1</integer>
                <key>System Sleep Timer</key>
                <integer>2</integer>
            </dict>
            <key>com.apple.EnergySaver.portable.BatteryPower</key>
            <dict>
                <key>Disk Sleep Timer</key>
                <integer>5</integer>
                <key>Display Sleep Timer</key>
                <integer>1</integer>
                <key>System Sleep Timer</key>
                <integer>2</integer>
            </dict>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>Energy Saver</string>
    <key>PayloadIdentifier</key>
    <string>A5406D19-83C6-45B2-B6D2-EF9AF9D59EA8</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>803ABA57-F75B-42EB-9849-15D7EAE7B7FA</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
1
0
639
Mar ’22
MDM WiFi configurations with PEAP-MSCHAPv2 indefinitely getting stuck in connecting phase
We are trying to connect macOS devices to Wi-Fi using a Wi-Fi configuration profile in MDM. The EAP type is PEAP - MSCHAPv2 with both System and LoginWindow setup modes enabled, but unfortunately devices are getting stuck in the connecting phase of the Wi-Fi without actually getting connected. We have also sent the sysdiagnose logs to Apple Feedback Assistant (Ref ID: FB9965644). Please find the configuration we have used below.

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadUUID</key>
    <string>5f9c93d0-f2b4-45b2-9367-e65a52d1f1a9</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadOrganization</key>
    <string>MDM</string>
    <key>PayloadIdentifier</key>
    <string>com.mdm.0583c3c2-4fe2-414a-9bc6-87467f0fef02.MacOSWifi</string>
    <key>PayloadDisplayName</key>
    <string>Wifi_Corp</string>
    <key>PayloadRemovalDisallowed</key>
    <true/>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadUUID</key>
            <string>f962f11d-6524-4061-b93b-82975dd7512b</string>
            <key>PayloadType</key>
            <string>com.apple.wifi.managed</string>
            <key>PayloadOrganization</key>
            <string>MDM</string>
            <key>PayloadIdentifier</key>
            <string>f962f11d-6524-4061-b93b-82975dd7512b</string>
            <key>PayloadDisplayName</key>
            <string>Wifi Profile Configuration</string>
            <key>SSID_STR</key>
            <string>--SSID Over Here--</string>
            <key>AutoJoin</key>
            <true/>
            <key>SetupModes</key>
            <array>
                <string>System</string>
                <string>Loginwindow</string>
            </array>
            <key>HIDDEN_NETWORK</key>
            <false/>
            <key>EAPClientConfiguration</key>
            <dict>
                <key>AcceptEAPTypes</key>
                <array>
                    <integer>21</integer>
                    <integer>25</integer>
                </array>
                <key>EAPFASTUsePAC</key>
                <false/>
                <key>EAPFASTProvisionPAC</key>
                <false/>
                <key>EAPFASTProvisionPACAnonymously</key>
                <false/>
                <key>UserName</key>
                <string>---UserName Over here---</string>
                <key>UserPassword</key>
                <string>--Password Over here--</string>
                <key>TTLSInnerAuthentication</key>
                <string>MSCHAPv2</string>
                <key>PayloadCertificateAnchorUUID</key>
                <array>
                    <string>b68ceae9-5752-44a3-887c-4dd422428f3d</string>
                </array>
            </dict>
            <key>EncryptionType</key>
            <string>Any</string>
            <key>ProxyType</key>
            <string>None</string>
        </dict>
        <dict>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadUUID</key>
            <string>b68ceae9-5752-44a3-887c-4dd422428f3d</string>
            <key>PayloadType</key>
            <string>com.apple.security.root</string>
            <key>PayloadOrganization</key>
            <string>MDM</string>
            <key>PayloadIdentifier</key>
            <string>b68ceae9-5752-44a3-887c-4dd422428f3d</string>
            <key>PayloadDisplayName</key>
            <string>iOS Certificate Policy</string>
            <key>PayloadContent</key>
            <data>
                -----Trust Certificate Data Here---
            </data>
            <key>PayloadCertificateFileName</key>
            <string>----Certificate file name.cer----</string>
        </dict>
    </array>
</dict>
</plist>
0
0
581
Mar ’22
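The check below is an added example, not part of any post on this page and not Apple's or an MDM vendor's code. It parses a .mobileconfig with Python's plistlib and flags dictionary keys that carry stray whitespace (as the `allowListedAppBundleIDs ` key in the MultiApp Kiosk payload appears on this page) and PayloadCertificateAnchorUUID values, as used in the Wi-Fi profile above, that match no PayloadUUID in the same profile. The sample profile, its UUIDs and the function names are constructed for the example.

```python
import plistlib

# Constructed sample profile (not taken from the posts): one key carries a
# trailing space, and the Wi-Fi payload's trust anchor names a UUID that no
# payload in the profile has.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>PayloadType</key><string>Configuration</string>
    <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadType</key><string>com.apple.applicationaccess</string>
            <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
            <key>allowListedAppBundleIDs </key>
            <array><string>com.example.app</string></array>
        </dict>
        <dict>
            <key>PayloadType</key><string>com.apple.wifi.managed</string>
            <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000003</string>
            <key>EAPClientConfiguration</key>
            <dict>
                <key>PayloadCertificateAnchorUUID</key>
                <array><string>00000000-0000-0000-0000-0000000000ff</string></array>
            </dict>
        </dict>
    </array>
</dict>
</plist>"""


def walk(node, path=""):
    """Yield (path, key, value) for every dictionary entry at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield path, key, value
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from walk(item, f"{path}[{i}]")


def lint_profile(raw):
    """Return sorted findings for a .mobileconfig supplied as bytes."""
    entries = list(walk(plistlib.loads(raw)))
    uuids = {v for _, k, v in entries if k == "PayloadUUID"}
    findings = []
    for path, key, value in entries:
        # A key with padding is a different string from the documented key.
        if key != key.strip():
            findings.append(f"{path}: key {key!r} has stray whitespace")
        # Existence check only: the referenced payload's type is not verified.
        if key == "PayloadCertificateAnchorUUID" and isinstance(value, list):
            for ref in value:
                if ref not in uuids:
                    findings.append(f"{path}: anchor {ref} matches no PayloadUUID")
    return sorted(findings)


if __name__ == "__main__":
    for finding in lint_profile(SAMPLE_PROFILE):
        print(finding)
```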
VPP Client Configuration - "token being used in v2" - issue
We are facing issues in the VPP Client Configuration API (POST: https://vpp.itunes.apple.com/mdm/VPPClientConfigSrv). For some VPP tokens, the "clientContext" key in the response says "token being used in v2" instead of giving a proper clientContext. These VPP tokens aren't actually added in any MDM other than ours, but it gives this as the response. Also, we didn't use the new API for setting VPP Client Configuration either. We are seeing this issue for some VPP tokens at random. We would like to understand this behaviour in VPP tokens.
1
0
1.3k
Mar ’22
InstallApplication command receives "License Not Found" error with Error Code: 9610 for a non VPP app
On an iPad device with OS version 15.1, when deploying an App Store app through MDM, the InstallApplication command receives a "License Not Found" error in response. The app is not purchased through VPP and the "PurchaseMethod" key is not set in the InstallApplication request command. I have attached a sample request and response of the InstallApplication command.

InstallApplication command:

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CommandUUID</key>
    <string>InstallApplication;Collection=xxxx</string>
    <key>Command</key>
    <dict>
        <key>RequestType</key>
        <string>InstallApplication</string>
        <key>iTunesStoreID</key>
        <integer>xxxx</integer>
        <key>ManagementFlags</key>
        <integer>5</integer>
        <key>Configuration</key>
        <dict>
            <key>ServerName</key>
            <string>xxxx</string>
            <key>ServerPort</key>
            <string>xxxx</string>
            <key>UDID</key>
            <string>xxxx</string>
            <key>ErID</key>
            <string>xxxx</string>
            <key>IsLanguagePackEnabled</key>
            <string>true</string>
            <key>authtoken</key>
            <string>********</string>
            <key>SCOPE</key>
            <string>MDMOnDemand/MDMCloudEnrollment</string>
            <key>Services</key>
            <dict>
                <key>urls</key>
                <dict>
                    <key>IOSNativeAppServlet</key>
                    <string>xxxx</string>
                    <key>DeviceRegistrationServlet</key>
                    <string>xxxx</string>
                    <key>IOSCheckInServlet</key>
                    <string>xxxx</string>
                    <key>AppCatalogServlet</key>
                    <string>xxxx</string>
                    <key>MDMLogUploaderServlet</key>
                    <string>xxxx</string>
                    <key>mdmDocsServlet</key>
                    <string>xxxx</string>
                    <key>DFSDownloadURL</key>
                    <string>xxxx</string>
                </dict>
                <key>token_name</key>
                <string>********</string>
                <key>token_value</key>
                <string>********</string>
            </dict>
            <key>IsSyncServerEnabled</key>
            <true/>
            <key>IsAnnouncementEnabled</key>
            <true/>
        </dict>
        <key>ChangeManagementState</key>
        <string>Managed</string>
    </dict>
</dict>
</plist>

InstallApplication response:

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CommandUUID</key>
    <string>InstallApplication;Collection=xxxx</string>
    <key>ErrorChain</key>
    <array>
        <dict>
            <key>ErrorCode</key>
            <integer>1005</integer>
            <key>ErrorDomain</key>
            <string>DeviceManagement.error</string>
            <key>LocalizedDescription</key>
            <string>Could not install app.</string>
        </dict>
        <dict>
            <key>ErrorCode</key>
            <integer>9610</integer>
            <key>ErrorDomain</key>
            <string>ASDServerErrorDomain</string>
            <key>LocalizedDescription</key>
            <string>License not found</string>
        </dict>
    </array>
    <key>Status</key>
    <string>Error</string>
    <key>UDID</key>
    <string>xxxx</string>
</dict>
</plist>
1
0
2.0k
Feb ’22
Apple Device MDM enrolment fails if client certificate is requested during SSL Handshake
FB9895426 (Apple Device MDM enrolment fails if client certificate is requested during SSL Handshake)

Device enrolment fails in an MDM Server configured with client certificate authentication. Upon investigating the issue, we noticed that the device drops the SSL handshake if a client certificate is requested during the handshake.

Wireshark Screenshot:

From the console logs, we noticed the below error:

<MCHTTPRequestor: 0x283b560a0> cannot accept the authentication method NSURLAuthenticationMethodClientCertificate

The TLS protocol states that "If no suitable certificate is available, the client SHOULD send a certificate message containing no certificates.". Thus, we expect the MDM client to respond with a "no certificate" response during the SSL handshake.

Someone has already raised the same question but there's no reply yet:
https://developer.apple.com/forums/thread/680328
https://developer.apple.com/forums/thread/676579

Any help would be appreciated. Thanks in advance.
0
1
748
Feb ’22