We have the following issues on a iPad enrolled as Shared iPad via MDM using Apple Business Manager (ABM) We are unable to use the mail app in Shared iPad. The following error message is shown “This iPad is restricted from creating mail accounts”. When checked from MDM whether any such account restriction was added, they was none added to this device. We are also unable to add accounts via Settings app as well. And also when checking the Shared iPad restriction documentation, mail app is not in the restricted list for Shared iPad https://support.apple.com/en-mt/guide/apple-school-manager/axm3a8bb0ab8/web Kindly let us know whether we can add mail accounts manually in Shared iPad device. OS Version : iPadOS 16.5

After we wipe the Mac using MDM EraseDevice command, the screen appears asking for PIN and when we enter the correct PIN provided in EraseDevice command, it says Try again in 24284826 minutes, which is like 46 years. We could recover this by connecting the device to LAN, but can we avoid this screen? ?

We encountering an issue with HasUpdateAvailable Key is not updating in InstalledApplicationList when the newer app version is available for the device to update from App Store. Problem Description: When an App Store app or Custom app has a newer version released, the HasUpdateAvailable Key in Installed Application List is never updating. In InstalledApplicationList the HasUpdateAvailable value is False even when a newer app version is available to update. For Example, Google Slides app ( com.google.Slides ) was released a new version - 1.2023.22200 was on June 7, 2023. By checking the device, The InstalledApplicationList response on June 10. The hasUpdateAvailable key is False, Even though the app has an update available. <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CommandUUID</key> <string>InstalledApplicationList</string> <key>InstalledApplicationList</key> <array> <dict> <key>AdHocCodeSigned</key> <false/> <key>AppStoreVendable</key> <true/> <key>BetaApp</key> <false/> <key>BundleSize</key> <integer>198696960</integer> <key>DeviceBasedVPP</key> <false/> <key>DynamicSize</key> <integer>143360</integer> <key>ExternalVersionIdentifier</key> <integer>857221931</integer> <key>HasUpdateAvailable</key> <false/> <key>Identifier</key> <string>com.google.Slides</string> <key>Installing</key> <false/> <key>IsAppClip</key> <false/> <key>IsValidated</key> <true/> <key>Name</key> <string>Slides</string> <key>ShortVersion</key> <string>1.2023.20201</string> <key>Version</key> <string>1.2023.20201</string> </dict> </array> <key>Status</key> <string>Acknowledged</string> <key>UDID</key> <string>00008020-XXXXXXXXXXXX</string> </dict> </plist> Note :- We are experiencing this issue in multiple OS version for most of the apps. All the devices which we tested are compatible with the latest app version

Hi Apple community, I am writing this regarding device based activation lock can enable on device which is in 30 days DEP provisional period. Within the DEP provisional period, I can remove the remote management on my device. So the device is considered to use as my personal device ,not organization owned. Since MDM device based activation lock can enable during this provisional period, The device no longer be referred to use as my personal device also . what is the use of that 30 days? Kindly educate us on this case to whether this an intended options or a bug. Thanks in Advance

Hi Apple community, We encountering an issue with Declarative Management app events when attempting bulk app distribution through our Mobile Device Management (MDM) solution. Description of the Issue: During bulk app distribution, the expected app events defined in the Declarative Management framework are not functioning as intended. While individual app deployments work fine and trigger the desired events, the problem arises specifically when distributing apps in the bulk of more than 20 apps. My Status-Subscription Configuration, { "Type": "com.apple.configuration.management.status-subscriptions", "Identifier": "DEFAULT_STATUS_CONFIG_0", "ServerToken": "2", "Payload": { "StatusItems": [ { "Name": "account.list.caldav" }, { "Name": "account.list.carddav" }, { "Name": "account.list.exchange" }, { "Name": "account.list.google" }, { "Name": "account.list.ldap" }, { "Name": "account.list.mail.incoming" }, { "Name": "account.list.mail.outgoing" }, { "Name": "account.list.subscribed-calendar" }, { "Name": "device.identifier.serial-number" }, { "Name": "device.identifier.udid" }, { "Name": "device.model.family" }, { "Name": "device.model.identifier" }, { "Name": "device.model.marketing-name" }, { "Name": "device.operating-system.build-version" }, { "Name": "device.operating-system.family" }, { "Name": "device.operating-system.marketing-name" }, { "Name": "device.operating-system.supplemental.build-version" }, { "Name": "device.operating-system.supplemental.extra-version" }, { "Name": "device.operating-system.version" }, { "Name": "mdm.app" }, { "Name": "passcode.is-compliant" }, { "Name": "passcode.is-present" } ] } } Has anyone encountered a similar issue where Declarative Management app events fail to trigger during bulk app distribution? If so, I would greatly appreciate any insights, recommendations, or potential workarounds you may have discovered. Additionally, if you have any suggestions for further troubleshooting steps or resources to explore, please feel free to share them. Thank you in advance for your time.

Issue Description: We tested App Store app update deployment in an iPad with OS version 16.4.1. We put the app AppLock mode in device using a MDM. Then we pushed a update for the app from MDM. The device didn't update the app but the command was successfully sent from MDM and device acknowledged it. When we removed the app from AppLock mode and closed it, the app updated instantly. For enterprise apps, we have observed that while pushing the app update to devices when it is in AppLock mode, the app closes automatically and the app updates and opens automatically in AppLock mode. But for app store apps this behavior is different like mentioned above. Also, if the app is not in AppLock mode and if the app update is pushed when the app is running in foreground, the device asks for update prompt. If we accept it, the app doesn't update automatically. If we close the app manually, then the app is updated instantly. Kindly educate us on this case on App Store App as to whether this an intended behavior or a bug.

https://developer.apple.com/documentation/devicemanagement/homescreenlayout With Respect to the above link, we have deployed HomeScreenLayout Policy to device with iPadOS Version 16.4. Irrespective of all the os's, we cant able to restrict the App Library , whatever we do. Attached screenshot of the App Library shown in Home screen Layout. Is it possible to restrict this or not . Can anyone help on this.

https://developer.apple.com/documentation/devicemanagement/homescreenlayout With Respect to the above link, we have deployed HomeScreenLayout Policy to device with iPadOS Version 16.4. Irrespective of all the os's, we cant able to restrict the App Library , whatever we do. Attached screenshot of the App Library shown in Home screen Layout. Is it possible to restrict this or not . Can anyone help on this.

Description: <key>allowSpotlightInternetResults</key> <dict> <key>value</key> <false/> </dict> <key>allowAssistant</key> <dict> <key>value</key> <false/> </dict> I have added the restriction profile with the above restriction keys and values . along with a App Lock Policy locked to a single app. The problem am facing is, the app was locked to a particular app as per the policy . But User can able to open safari preview search view using the spotlight search. Atached Screenshot for the safarii preview in App Lock Policy Enabled Device

Hi Apple Team, We tend to update the MDM profile Supplied to the Mobile Devices when the Name of the organisation was changed by the customer we change the value of PayloadOrganization. When it comes to User Enrollment The organisation name will be shown in Settings Tab and also in Profiles Page. After performing update in MDM profile The Organisation name in the profile's page have been updated but The Organisation name in settings tab wasn't updated Old Name : APNS_ORG_NAME New Name : NEWNAME1

** Hi Community,** We have been testing on using oauth2 for User Enrollment.Where as per doc provided we have supplied the method, authorization-url, token-url, redirect-url, client-id in the 401 response from MDM Server Authorization Request As mentioned the apple client performed authorization request by adding state, login_hint to the Authorization-url and the params mentioned above and successfully received the authorization code after the user makes a login with the IDP. <<<<< Request GET /oauth2/authorization?response_type=code &client_id=XXXXXXXXXX &redirect_uri=apple-remotemanagement-user-login:/oauth2/redirection &state=XXXXXXXXXX &login_hint=useroa@example.com HTTP/1.1 Host: mdmserver.example.com ------- MULTIPLE REQUESTS BETWEEN CLIENT Server ---------- >>>>> Response HTTP/1.1 308 Permanent Redirect Content-Length: 0 Location: apple-remotemanagement-user-login:/oauth2/redirection ?code=XXXXXXXXXX&state=XXXXXXXXXX . Token Request Using the code received from authorization server apple client performs this step to get the access_token and refresh_token.I am using a authorization server created by default in my Okta domain and this step fails. <<<<< Request POST /oauth2/token HTTP/1.1 Content-Type: application/x-www-form-urlencoded Content-Length: 195 grant_type=authorization_code &code=XXXXXXXXXXXX &redirect_uri=apple-remotemanagement-user-login:/oauth2/redirection &client_id=XXXXXXXXXX >>>>> Response HTTP/2 401 Unauthorized Content-Type: application/json { "error": "invalid_client", "error_description": "Client authentication failed. Either the client or the client credentials are invalid." } When debugged this issue, As per Okta's doc https://developer.okta.com/docs/guides/implement-grant-type/authcode/main/#exchange-the-code-for-tokens The client must specify Their credentials in Authorization header as Authorization : Basic <client_id>:<client_secret> in order to get the access_token And Also as per RFC-6749 https://www.rfc-editor.org/rfc/rfc6749#section-4.1.3 The Confidential Clients must specify their client_id, client_secret provided by the authorization server to receive the access_tokens. May I know how to overcome this issue or did I missed any steps that may include the Authorization header Thanks in Advance,.

Apple App Store apps that are not purchased in ABM (Non VPP apps) fails while deployed to macOS and tvOS devices from MDM. Since, we can install apps directly from App Store of macOS and tvOS devices just like iOS devices, kindly help us understand why the non VPP apps fails when distributed to tvOS and macOS from devices.

We have a device which does not communicate with our MDM server. When we checked the console logs we found that device receives the push notification but does not respond to MDM server. When a restart is performed, it again communicates. From time to time it stops working and we have to restart to bring back communication. Feedback has been raised with sysdiagnose - FB12062214 Any help would be appreciated.

Issue : When applied applock policy to the device, device not shutting down on long press of the power button and volume button. Shut down happens well when the profile is removed from the device. When tested in iPhone, this worked well when the profile is applied Steps to Reproduce : In iPad 16.3 OS , Payload : <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadUUID</key> <string>01d6d9a0-740f-40e4-a521-b97e3d452547</string> <key>PayloadType</key> <string>Configuration</string> <key>PayloadOrganization</key> <string>MDM</string> <key>PayloadIdentifier</key> <string>com.mdm.b4033cca-328f-4eab-8bbe-b9224a6ab4ed.singleKioks</string> <key>PayloadDisplayName</key> <string>single Kioks</string> <key>PayloadRemovalDisallowed</key> <true/> <key>PayloadContent</key> <array> <dict> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadUUID</key> <string>8533f5c1-fbb6-49fb-88bb-b3cbda8e8bb1</string> <key>PayloadType</key> <string>com.apple.app.lock</string> <key>PayloadOrganization</key> <string>MDM</string> <key>PayloadIdentifier</key> <string>8533f5c1-fbb6-49fb-88bb-b3cbda8 èe8bb1</string> <key>PayloadDisplayName</key> <string>AppLock Policy</string> <key>App</key> <dict> <key>Options</key> <dict> <key>DisableTouch</key> <false/> <key>DisableDeviceRotation</key> <false/> <key>DisableVolumeButtons</key> <false/> <key>DisableRingerSwitch</key> <false/> <key>DisableSleepWakeButton</key> <false/> <key>DisableAutoLock</key> <true/> <key>EnableVoiceOver</key> <false/> <key>EnableZoom</key> <false/> <key>EnableInvertColors</key> <false/> <key>EnableAssistiveTouch</key> <false/> <key>EnableSpeakSelection</key> <false/> <key>EnableMonoAudio</key> <false/> <key>EnableVoiceControl</key> <false/> </dict> <key>UserEnabledOptions</key> <dict> <key>VoiceOver</key> <false/> <key>Zoom</key> <false/> <key>InvertColors</key> <false/> <key>AssistiveTouch</key> <false/> </di µct> <key>Identifier</key> <string>com.apple.AppStore</string> </dict> <key>Identifier</key> <string>com.apple.AppStore</string> </dict> </array> </dict> </plist> -> I have applied the following kiosk profile to the device . -> When pressing the Power button(top Button) and a side volume button, It doesnt shut down the device. -> Whereas, the device when the above profile is removed. the same buttons lead to shut down. -> Same way this was not an issue for the iPhone devices (only iPads doesnt shut down when this profile is applied) Have attached the sysdiagnose logs for the iPad (affected). Kindly help with this case.

DESCRIPTION: A macOS devices (Version 13 and above), "mdm.app" status item will not be supported. why? HOW TO REPRODUCE: Enroll a macOS device in MDM. Send the DeclarativeManagement Command to macOS 13+ devices. The MDM server responds with a DeclarativeManagement Command that should include the SynchronizationTokens JSON data. The device fetches the declarations manifest from the MDM server. While synchronization, we will subscribe the status items (mdm.app) as configuration. For example, { "Type":"com.apple.configuration.management.status-subscriptions", "Identifier":"85B5130A-4D0D-462B-AA0D-0C3B6630E5AA", "ServerToken":"59eb13b9-5d51-54b9-8a4b-e8abe37c27ee", "Payload":{ "StatusItems":[ { "Name":"mdm.app" } ] } } Response the above JSON payload to the device, While requesting the "declaration/configuration/****" details. EXPECTED RESULT: The "mdm.app" status item responds to the current status of the managed app after sending InstallApplication Command to the device. ACTUAL RESULT: The mdm.app status item response is like the following error- { "Errors":[ { "Reasons":[ { "Code":"Error.UnsupportedStatusValue", "Description":"Cannot report status on “mdm.app†because value is not supported." } ], "StatusItem":"mdm.app" } ] } Any help on this would be appreciated. Thanks.