User Profile

I have tried to deploy passwordpolicy script using pwpolicy pwpolicy -n /Local/Default -setglobalpolicy "usingHistory=5 canModifyPasswordforSelf=1 maxMinutesUntilChangePassword=129600 requiresAlpha=1 requiresNumeric=1 minChars=8 passwordCannotBeName=1 requiresMixedCase=1 requiresSymbol=1" sudo defaults write /Library/Preferences/com.apple.loginwindow PasswordExpirationDays 14 errcode=$? if [ "$errcode" -ne 0 ]; then echo "" echo "Failed to apply with errorcode $errcode" 1>&2 echo "" exit 1 fi echo "Password Policy applied successfully" 1>&2 After deploying, on next login, It prompted for login, On entering password, It shows wrong password. When I tried to reset the password, It is not accepting the password. Instead It prompts again and again. Like this , I have got 300 mac machines struck in login page. I tried to run these two commands via a app running in root pwpolicy -u "$user" -clearaccountpolicies pwpolicy -clearaccountpolicies After Running this, I can able to loggin for first time. When tried to login second or successive times, It is failing with wrong password or sometimes no error instead of a jumping prompt in password page. When tried to change password after a login after clearpolicy command, It is not accepting the admin's password (Which was used to login the current session). Please help on this issue. As it does have a serious impact.

https://developer.apple.com/documentation/managedappdistribution https://developer.apple.com/documentation/appdistribution/fetching-and-displaying-managed-apps We have tested the above apple documentation regarding Managed Application Distribution . To Note : We are trying to provide a custom AppStore in our MDM App for Managed Apps. We have done all the steps mentioned in the documentation Got Entitlement and enabled for the app. Used the Exact code in a new swift UI Project Attaching Screenshots for the compile time error , i get First Screenshot , shows an error when building the project with a physical device(iOS 17.4). Seconds one , shows different error when building with a simulator. I have checked all the apple documentations and wwdc videos for further clue on this. But no help ! It will be helpful, if anyone help me with exact working model for this framework.

Hi Team, We have Apple's OS Update for Mac machines in our fleet . Where some Macs are Silicon previously at 14.2.1 and we updating them to 14.3 using Command ScheduleOSUpdate with InstallAction key set to Default. We also have set restriction set with keys forceDelayedSoftwareUpdates set to true and enforcedSoftwareUpdateDelay set to 1 For Updating at earliest. FYI, These machines already have FileVault Encrypted with them and also has Admin User After Restart We can see that the device automatically boots to Recovery Mode asking for a "Recovery Key" to continue , Even When we have given the personal recovery key (or) Trying to unlock the disk using Admin user's Credential in Startup Disk Things not working. FYI , The machine have asked for BootStrap Token After ScheduleOSUpdate Command And MDM have given them in Response Can We please know where there is a issue and why this behaviour is occurring

https://developer.apple.com/documentation/managedappdistribution As stated in the above documentation, to use this framework, App should be enabled the following entitlement . The Managed App Installation UI entitlement is required to use this framework. But in developer portal it is not found .Is there any other requirements Apple will expect in order to use this entitlement.? Any help will be appreciated.

I'm encountering challenges deploying two unlisted applications via MDM to an iOS 17.2 device. The first app successfully installed after presenting a user prompt upon distribution <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CommandUUID</key> <string>InstallApplication</string> <key>Command</key> <dict> <key>RequestType</key> <string>InstallApplication</string> <key>iTunesStoreID</key> <integer>**********</integer> <key>InstallAsManaged</key> <true/> <key>ManagementFlags</key> <integer>5</integer> <key>ChangeManagementState</key> <string>Managed</string> </dict> </dict> </plist> Device Response for first app :- <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CommandUUID</key> <string>InstallApplication</string> <key>Identifier</key> <string>*********************</string> <key>State</key> <string>Prompting</string> <key>Status</key> <string>Acknowledged</string> <key>UDID</key> <string>XXXXXXXXXXXX</string> </dict> </plist> However, deploying the second app resulted in an error message from the device. <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CommandUUID</key> <string>InstallApplication</string> <key>Command</key> <dict> <key>RequestType</key> <string>InstallApplication</string> <key>iTunesStoreID</key> <integer>**********</integer> <key>InstallAsManaged</key> <true/> <key>ManagementFlags</key> <integer>5</integer> <key>ChangeManagementState</key> <string>Managed</string> </dict> </dict> </plist> Device Response for second app :- <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CommandUUID</key> <string>InstallApplication</string> <key>ErrorChain</key> <array> <dict> <key>ErrorCode</key> <integer>9610</integer> <key>ErrorDomain</key> <string>ASDServerErrorDomain</string> <key>LocalizedDescription</key> <string>License not found.</string> </dict> </array> <key>RejectionReason</key> <string>NotSupported</string> <key>Status</key> <string>Error</string> <key>UDID</key> <string>XXXXXXXXXXX</string> </dict> </plist> Can you confirm the iOS Devices support deployment of Unlisted apps without VPP app assignment ?

The specific pdf when opened in an macOS or web orA Adobe iOS App, it shows the highlighted texts as expected But when opened through any IOS app (except the adobe app) or our native app using pdfkit , the highlights are gone . It disappeared Even the pdf when opened in files app has this issue. Don’t know what’s the problem with the iOS. I have attached the screenshot for the pdf when opened in mac versus the pdf opened in any iOS app. **PDF when opened via Adobe App, ** Pdf when opened via our native app, Raised a feedback regarding this unexpected behaviour . FB Id - FB13326307 Do anyone faced the same issue? Anything am i missing regarding this>

Our goal is to fetch Battery Health Capacity Percentage through an swift App or through any Mobile device Management Protocol. I can surf through internet and can find only there is an api to fetch the battery level from the iOS/iPadOS devices. Is there any way to fetch the battery health. Eventhough there are plenty of apple forums regarding this problem, Still we cant able to find any possible way to do it. https://developer.apple.com/forums/thread/693614 - With respect to Apple's Reply in this thread, We have raised an Enhancement Request with Feedback Id : FB13322108 on this context. We request you to have a look on it, as most of them are waiting for a solution.

Having trouble in signing in to iCloud when a managed supervised iPhone is restricted with few apps using “allowListedAppBundleIDs” restrictions key. Only iPhone has this trouble, this issue is not reproducible in iPad. Even after entering the Apple ID and password, the account seems to be not logged in. Have attached screenshots for reference. Tested device iOS Version : 17.1 Kindly explain this behaviour. Feedback ID : #FB13318247 - Sysdiagnose logs attached here.

We are making an appstore app to be opened in single app kiosk mode(App Lock Policy for a single app) . When tried to open and login , a popup which is seen when opened without kiosk mode is not opening up. Attached the screenshot of the popup screen. (not able to attach the video here) Raised Feedback id - FB13304240 AppLock Policy Payload sent to the device : <dict> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadUUID</key> <string></string> <key>PayloadType</key> <string>Configuration</string> <key>PayloadOrganization</key> <string>fhd</string> <key>PayloadIdentifier</key> <string>sample_id</string> <key>PayloadDisplayName</key> <string>Kiosk Zenoti</string> <key>PayloadRemovalDisallowed</key> <true/> <key>PayloadContent</key> <array> <dict> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadUUID</key> <string>ad18a938-211e-4670-9be6-6f43162b6290</string> <key>PayloadType</key> <string>com.apple.app.lock</string> <key>PayloadOrganization</key> <string>MDM</string> <key>PayloadIdentifier</key> <string>a � �d18a938-211e-4670-9be6-6f43162b6290</string> <key>PayloadDisplayName</key> <string>AppLock Policy</string> <key>App</key> <dict> <key>Options</key> <dict> <key>DisableTouch</key> <false/> <key>DisableDeviceRotation</key> <false/> <key>DisableVolumeButtons</key> <false/> <key>DisableRingerSwitch</key> <false/> <key>DisableSleepWakeButton</key> <false/> <key>DisableAutoLock</key> <true/> <key>EnableVoiceOver</key> <false/> <key>EnableZoom</key> <false/> <key>EnableInvertColors</key> <false/> <key>EnableAssistiveTouch</key> <false/> <key>EnableSpeakSelection</key> <false/> <key>EnableMonoAudio</key> <false/> <key>EnableVoiceControl</key> <false/> </dict> <key>UserEnabledOptions</key> <dict> <key>VoiceOver</key> <false/> <key>Zoom</key> <false/> <key>InvertColors</ke � y> <false/> <key>AssistiveTouch</key> <false/> </dict> <key>Identifier</key> <string>com.zenoti.mpos</string> </dict> <key>Identifier</key> <string>com.zenoti.mpos</string> </dict> </array> </dict> </plist>

Hi Apple Community, Problem Description: Regarding the transition from MDM (Mobile Device Management) profiles to DDM (Declarative Device Management) profiles, as announced during WWDC 2023, this marks a significant step forward in simplifying our device management process. When we attempted to test this transition with the 17 developer beta OS version devices, we encountered a notable challenge. Specifically, when trying to apply a DDM Webclip legacy profile configuration to a device that already had the same profile applied through MDM. We received the following status response from DDM: "The profile “<profile_identifier>” cannot replace an existing profile." As a result, the configuration was not applied. However, after removing the existing applied MDM profile and then reapplying the same profile as a legacy profile via DDM, the configuration was successfully applied. My DDM Configuration: { "Type": "com.apple.configuration.legacy", "Identifier": "DEFAULT_APP_CATALOG_CLIP_CONFIG", "ServerToken": "3", "Payload": { "ProfileURL": "https://mdmtest:8080/certificates/appConfig.mobileconfig" } } My DDM Status Response : { "StatusItems" : { "management" : { "declarations" : { "activations" : [ { "active" : true, "identifier" : "DEFAULT_ACT_0", "valid" : "valid", "server-token" : "1" }, { "active" : false, "identifier" : "DEFAULT_APP_CATALOG_CLIP_ACT", "valid" : "valid", "server-token" : "3" } ], "configurations" : [ { "reasons" : [ { "details" : { "Error" : "The profile “<profile_identifier>” cannot replace an existing profile." }, "description" : "Configuration cannot be applied", "code" : "Error.ConfigurationCannotBeApplied" }, { "details" : { "Identifier" : "DEFAULT_APP_CATALOG_CLIP_ACT", "ServerToken" : "3" }, "description" : "Activation “DEFAULT_APP_CATALOG_CLIP_ACT:3” has errors.", "code" : "Error.ActivationFailed" } ], "active" : false, "identifier" : "DEFAULT_APP_CATALOG_CLIP_CONFIG", "valid" : "invalid", "server-token" : "3" }, { "active" : true, "identifier" : "DEFAULT_STATUS_CONFIG_0", "valid" : "valid", "server-token" : "2" } ], "assets" : [ ], "management" : [ ] } } }, "Errors" : [ ] } Kindly help us with this issue. Note : We have posted a feedback in Feedback Assistant portal FB13132059 - along with device sysdiagnose.

Problem Description: We are using manageVPPLicensesByAdamIdSrv API for assigning licenses for serial numbers. We get "Internal error - 9603" response for this API when assigning the API for valid adamID of an app. When using the same API other apps, this issue doesn't occur. AdamID: 720111835. The license is assigning properly for the same app in VPP License Management 2.0.0 + - Associate Assets API. Currently, we will not able to the new API. We overcame this issue by creating a new location token in the same organization and purchasing the same app in it and using it to assign the license to device for the same app which is successful. Kindly help us with this issue. Request: {"pricingParam":"STDQ","disassociateSerialNumbers":["SAMPLESERIAL"],"adamIdStr":"720111835","sToken":"********************","notifyDisassociation":false} Response: {"errorMessage":"Internal error.","errorNumber":9603,"status":-1}

** Hi Community,** We have been testing on using oauth2 for User Enrollment.Where as per doc provided we have supplied the method, authorization-url, token-url, redirect-url, client-id in the 401 response from MDM Server Authorization Request As mentioned the apple client performed authorization request by adding state, login_hint to the Authorization-url and the params mentioned above and successfully received the authorization code after the user makes a login with the IDP. <<<<< Request GET /oauth2/authorization?response_type=code &client_id=XXXXXXXXXX &redirect_uri=apple-remotemanagement-user-login:/oauth2/redirection &state=XXXXXXXXXX &login_hint=useroa@example.com HTTP/1.1 Host: mdmserver.example.com ------- MULTIPLE REQUESTS BETWEEN CLIENT Server ---------- >>>>> Response HTTP/1.1 308 Permanent Redirect Content-Length: 0 Location: apple-remotemanagement-user-login:/oauth2/redirection ?code=XXXXXXXXXX&state=XXXXXXXXXX . Token Request Using the code received from authorization server apple client performs this step to get the access_token and refresh_token.I am using a authorization server created by default in my Okta domain and this step fails. <<<<< Request POST /oauth2/token HTTP/1.1 Content-Type: application/x-www-form-urlencoded Content-Length: 195 grant_type=authorization_code &code=XXXXXXXXXXXX &redirect_uri=apple-remotemanagement-user-login:/oauth2/redirection &client_id=XXXXXXXXXX >>>>> Response HTTP/2 401 Unauthorized Content-Type: application/json { "error": "invalid_client", "error_description": "Client authentication failed. Either the client or the client credentials are invalid." } When debugged this issue, As per Okta's doc https://developer.okta.com/docs/guides/implement-grant-type/authcode/main/#exchange-the-code-for-tokens The client must specify Their credentials in Authorization header as Authorization : Basic <client_id>:<client_secret> in order to get the access_token And Also as per RFC-6749 https://www.rfc-editor.org/rfc/rfc6749#section-4.1.3 The Confidential Clients must specify their client_id, client_secret provided by the authorization server to receive the access_tokens. May I know how to overcome this issue or did I missed any steps that may include the Authorization header Thanks in Advance,.

When pushing the “ScheduleOSUpdate” command to a Supervised MDM enrolled iPad device, command fails with the following error. Available OS Update response <key>AvailableOSUpdates</key> <array> <dict> <key>AllowsInstallLater</key> <false/> <key>Build</key> <string>20G75</string> <key>DownloadSize</key> <integer>4456890240</integer> <key>HumanReadableName</key> <string>iOS 16</string> <key>InstallSize</key> <integer>467664896</integer> <key>IsCritical</key> <false/> <key>ProductKey</key> <string>iOSUpdate20G75</string> <key>ProductName</key> <string>iOS</string> <key>RestartRequired</key> <true/> <key>Version</key> <string>16.6</string> </dict> </array> <key>CommandUUID</key> <string>AvailableOSUpdates</string> <key>Status</key> <string>Acknowledged</string> ScheduleOSUpdate command <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CommandUUID</key> <string>ScheduleOSUpdate</string> <key>Command</key> <dict> <key>RequestType</key> <string>ScheduleOSUpdate</string> <key>Updates</key> <array> <dict> <key>ProductKey</key> <string>iOSUpdate20G75</string> <key>InstallAction</key> <string>Default</string> <key>ProductVersion</key> <string>16.6</string> </dict> </array> </dict> </dict> </plist> ScheduleOSUpdate command response <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CommandUUID</key> <string>AttemptOSUpdate</string> <key>Status</key> <string>Acknowledged</string> <key>UDID</key> <string>****</string> <key>UpdateResults</key> <array> <dict> <key>ErrorChain</key> <array> <dict> <key>ErrorCode</key> <integer>12057</integer> <key>ErrorDomain</key> <string>MCMDMErrorDomain</string> <key>LocalizedDescription</key> <string>The update failed to download.</string> <key>USEnglishDescription</key> <string>The update failed to download.</string> </dict> <dict> <key>ErrorCode</key> <integer>2202</integer> <key>ErrorDomain</key> <string>DeviceManagement.error</string> <key>LocalizedDescription</key> <string>A download failed.</string> </dict> <dict> <key>ErrorCode</key> <integer>31</integer> <key>ErrorDomain</key> <string>com.apple.softwareupdateservices.errors</string> <key>LocalizedDescription</key> <string>The operation couldn’t be completed. (com.apple.softwareupdateservices.errors error 31.)</string> </dict> </array> <key>InstallAction</key> <string>Error</string> <key>ProductKey</key> <string>iOSUpdate20G75</string> <key>Status</key> <string>DownloadFailed</string> </dict> </array> </dict> </plist> As seen in the AvailableOSUpdate response, this device is applicable for iOS 16 update but unable to update manually as well as via MDM. The device has the following message showing up, is there any relation between the MDM command failing and this message. This iPad device is currently running "12.1.4" OS version Kindly confirm the reason for this message and the reason for this failure via MDM. And also confirm if there are any restrictions to update to certain major OS versions from lower OS versions, if so kindly share any documentation available regarding this. 

Able to access corporate mail attachment in unmanaged apps even after the restriction profile (“allowOpenFromManagedToUnmanaged”) has been installed in the device. Followed the following steps able to reproduce this issue Logged in with a personal mail account in iOS device in Mail app. Pushed an MDM profile with Email configuration to an iOS device. Now this account is in managed space Pushed a Restriction profile which has the key “allowOpenFromManagedToUnmanaged” to “false”. This restricts unmanaged apps to open attachments from managed space. Now when I send a email with an attachment to this managed mail account from personal account (Mail is sent from another device, not managed device) On receiving the email in managed mail account, Able to open the attachment in unmanaged apps. The restriction seems not to be working when the personal mail account is present in the mail app along with the corporate mail account and the attachment received in a corporate mail account is treated to be in unmanaged space. The restriction works fine when the personal mail account is removed from mail app. Kindly confirm whether this is the expected behaviour.

During the "What’s new in managing Apple devices" session, you provided information about the "Not Now" option during Mac ABM Enrollment. We observed that this option was functional when enrolling a Mac through ABM using the "profiles renew -type enrollment" command. However, when attempting to enroll a Mac by erasing it through ABM, we couldn't find the "Not Now" option. Could you please confirm whether the "Not Now" option is intended to be available when enrolling a Mac by erasing it through ABM? Your clarification on this matter would be greatly appreciated.