We are experiencing issues with MDM Enrolled devices as the devices do not contact the MDM server randomly even on successful APNS notification.
As documented by Apple, the device sends a Token update message when MDM Profile is installed in the device and whenever there is an OS update.
We could see that devices randomly lose connection with the MDM server over a period of time. We have verified that MDM sends notifications with the information received from the latest TokenUpdate from devices, however, few devices never seem to send token update messages to the MDM server nor respond to APNS wakeup.
Currently, we are reinstalling MDM Profile in devices to trigger Token update again and to revive the device MDM contact. But as you can imagine for large enterprises this involves user intervention and becomes difficult to manage.
It would be great if the Apple MDM team can clarify the below:
What are the cases in which the device sends a TokenUpdate message to MDM?
What happens when the MDM server is not reachable during the first attempt of the Token update. As in many cases, the MDM server may not always be reachable to the device during OS update events etc.
Is there any way to trigger Token update on iOS and macOS manually without reinstalling the MDM Profile again?
It would be better designed if devices send Token updates often until it's acknowledged by MDM Server.
Similar issues have been reported in the past:
https://developer.apple.com/forums/thread/28918
https://developer.apple.com/forums/thread/671878
Hi,
Is it possible to provide SHA256 in manifest URL to verify integrity in the client for deploying IPA files through MDM? Apple provides this option for macOS only and not for iOS according to protocol documentation and POC results.
If it's not supported for iOS (i.e., IPA deployment), do we have any mechanisms to verify its integrity and how can we secure it?
Apple introduces MDM to subscribe to certain events in Apple Business Manager Apps and Books through specifying the URL in the "notificationUrl" field during the client context command.
What is the best way to design it for a closed network MDM server?
How does it work for MDM with a self-signed certificate or enterprise certificate? Will it cause any SSL issues?
When we try to install an application through InstallApplicationCommand - https://developer.apple.com/documentation/devicemanagement/installapplicationcommand/command through MDM we are getting the below errors. Apple has not documented the reason for the below errors and we are getting these error responses more frequently and randomly in iOS 13 and iOS 14 versions.
1. Couldn’t communicate with a helper application
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CommandUUID</key>
<string>InstallApplication</string>
<key>ErrorChain</key>
<array>
<dict>
<key>ErrorCode</key>
<integer>4097</integer>
<key>ErrorDomain</key>
<string>NSCocoaErrorDomain</string>
<key>LocalizedDescription</key>
<string>Couldn’t communicate with a helper application.</string>
</dict>
</array>
<key>RejectionReason</key>
<string>NotSupported</string>
<key>Status</key>
<string>Error</string>
<key>UDID</key>
<string>0000-000000000000</string>
</dict>
</plist>
Rejection reason key as dictionary "NotSupported" but if multiple attempts are made, it succeeded in one of the attempts. This error is seen in response to many commands and occurs very randomly. Commands such as SecurityInfo, RestartDevice, InstallProfile etc. also give this response. Feedback raised to Apple is still unresolved. Refer to this forum post: https://developer.apple.com/forums/thread/663044
2. Purchase Batch Failed
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CommandUUID</key>
<string>InstallApplication</string>
<key>ErrorChain</key>
<array>
<dict>
<key>ErrorCode</key>
<integer>1005</integer>
<key>ErrorDomain</key>
<string>DeviceManagement.error</string>
<key>LocalizedDescription</key>
<string>Could not install app.</string>
</dict>
<dict>
<key>ErrorCode</key>
<integer>12</integer>
<key>ErrorDomain</key>
<string>AMSErrorDomain</string>
<key>LocalizedDescription</key>
<string>Purchase Batch Failed</string>
</dict>
</array>
<key>Status</key>
<string>Error</string>
<key>UDID</key>
<string>0000-000000000000</string>
</dict>
</plist>
3. The iTunes Store ID of the application could not be validated.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CommandUUID</key>
<string>InstallApplication</string>
<key>ErrorChain</key>
<array>
<dict>
<key>ErrorCode</key>
<integer>12023</integer>
<key>ErrorDomain</key>
<string>MCMDMErrorDomain</string>
<key>LocalizedDescription</key>
<string>The iTunes Store ID of the application could not be validated.</string>
<key>USEnglishDescription</key>
<string>The iTunes Store ID of the application could not be validated.</string>
</dict>
</array>
<key>RejectionReason</key>
<string>CouldNotVerifyAppID</string>
<key>Status</key>
<string>Error</string>
<key>UDID</key>
<string>0000-000000000000</string>
</dict>
</plist>
4. An unknown error has occurred
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CommandUUID</key>
<string>InstallApplication</string>
<key>ErrorChain</key>
<array>
<dict>
<key>ErrorCode</key>
<integer>5002</integer>
<key>ErrorDomain</key>
<string>ASDServerErrorDomain</string>
<key>LocalizedDescription</key>
<string>An unknown error has occurred</string>
</dict>
</array>
<key>RejectionReason</key>
<string>NotSupported</string>
<key>Status</key>
<string>Error</string>
<key>UDID</key>
<string>0000-000000000000</string>
</dict>
</plist>
It would be of great help if there is a detailed documentation of list of all possible errors that MDM would receive and workaround to those error codes.
Issuing a Personal Recovery Key rotate command - https://developer.apple.com/documentation/devicemanagement/rotate_the_filevault_key to macOS High Sierra through MDM fails with the below error. According to Documentation, it's available from macOS 10.9+.
Sample Error Response:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CommandUUID</key>
<string>RotateFileVaultKey</string>
<key>ErrorChain</key>
<array>
<dict>
<key>ErrorCode</key>
<integer>34</integer>
<key>ErrorDomain</key>
<string>NSTaskExitCode</string>
<key>LocalizedDescription</key>
<string>The operation couldn’t be completed. (NSTaskExitCode error 34.)</string>
</dict>
</array>
<key>Status</key>
<string>Error</string>
<key>UDID</key>
<string>XXXX-XXXX-XXXX-XXXX-XXXX</string>
</dict>
</plist>
Command Sent to the device:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CommandUUID</key>
<string>RotateFileVaultKey</string>
<key>Command</key>
<dict>
<key>RequestType</key>
<string>RotateFileVaultKey</string>
<key>KeyType</key>
<string>personal</string>
<key>ReplyEncryptionCertificate</key>
<string>********</string>
<key>FileVaultUnlock</key>
<dict>
<key>Password</key>
<string>XXXX-XXXX-XXXX-XXXX-XXXX</string>
</dict>
</dict>
</dict>
</plist>
We have ensured that the Personal Recovery Key sent in the command under the key name 'Password' is correct. The command works fine in macOS Catalina and macOS Big Sur.
Also, Apple has not documented the possible error codes sent as a response to issuing this command to devices.
While associating a license to the device using the below API, we are getting an error saying "License not eligible for device assignment"
https://vpp.itunes.apple.com/mdm/manageVPPLicensesByAdamIdSrv
Sample Response:
{
  "associations": [
    {
      "serialNumber": "XXXXXX",
      "errorMessage": "License not eligible for device assignment.",
      "errorCode": 9628,
      "errorNumber": 9628
    }
  ],
  "status": -1
}
However, App shows as Device Assignable in Apple Business Manager and also the App details API responds as isVppDeviceBasedLicensingEnabled=true while fetching App details.
"bundleId": "com.granicus.iLegislate",
"isVppDeviceBasedLicensingEnabled": true,
"kind": "iosSoftware",
"copyright": "© Granicus, Inc.",
"latestVersionReleaseDate": "Apr 4, 2019",
"artistId": "1191882827",
We are seeing this error very frequent and consistent for the past few hours for some apps which were working fine earlier. Since it greatly affects App deployment through Apple Business Manager it would be helpful if we get any input on why this error occurs and how to mitigate them.
MDM is able to enable lost mode in applicable devices, however while disabling lost mode we are getting an error code "12069". We are unable to revive the device from lost mode remotely and the only option left is to erase the device, losing all data.
Apple has mentioned this error code but not documented in detail
A device responds with error code 12067 if it isn’t in Lost Mode, or error code 12069 if the request to disable Lost Mode failed. While in Lost Mode, a device responds to invalid commands with error code 12078. - disable_lost_mode - https://developer.apple.com/documentation/devicemanagement/disable_lost_mode
Since reviving from lost mode is equally important to enabling lost mode, it would be better if Apple documents:
When does Disable Lost Mode fail with error code "12069"?
Does it occur only on specific OS versions or device models?
Is it possible to find out beforehand if disable lost mode will fail, so that we can warn users before enabling lost mode?
For devices stuck in Lost Mode, do we have any workaround to disable it remotely?
It would be helpful if there is a detailed explanation from Apple on this.
With iOS 14, apps ask for new permissions to access Local Network information; when the user does not approve this permission, this causes some functionality to break. Do we have plans to pre-approve the permissions for Managed Apps that are distributed by MDM? There is a lot of IT support when end users do not give this permission. Our apps have handled it gracefully, educating users, but it has not gone well so far.
I understand Apple has not given MDM the APIs to enable app permissions such as Location and also I get the tradeoffs between user experience and privacy/security. It would be good if MDM can approve Local Network permission for apps like it has control for Notification alerts.
With iOS 14 devices we can see that many MDM commands fail with the error "Couldn’t communicate with a helper application.". This error is more frequent in the InstallApplication and InstallProfile commands, but other MDM commands also face the same issue. I have attached sample responses from some devices. We have seen this error in previous versions of iOS but with iOS 14 these are very frequent.
InstallApplication Errors
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CommandUUID</key>
<string>InstallApplication;Collection=51075000000853127</string>
<key>ErrorChain</key>
<array>
<dict>
<key>ErrorCode</key>
<integer>1005</integer>
<key>ErrorDomain</key>
<string>DeviceManagement.error</string>
<key>LocalizedDescription</key>
<string>Could not install app.</string>
</dict>
<dict>
<key>ErrorCode</key>
<integer>4097</integer>
<key>ErrorDomain</key>
<string>NSCocoaErrorDomain</string>
<key>LocalizedDescription</key>
<string>Couldn’t communicate with a helper application.</string>
</dict>
</array>
<key>Status</key>
<string>Error</string>
<key>UDID</key>
<string>UDID-UDID</string>
</dict>
</plist>
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CommandUUID</key>
<string>InstallApplication;Collection=33783000002227119</string>
<key>ErrorChain</key>
<array>
<dict>
<key>ErrorCode</key>
<integer>4099</integer>
<key>ErrorDomain</key>
<string>NSCocoaErrorDomain</string>
<key>LocalizedDescription</key>
<string>Couldn’t communicate with a helper application.</string>
</dict>
</array>
<key>Status</key>
<string>Error</string>
<key>UDID</key>
<string>UDIDUDIDUDID</string>
</dict>
</plist>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CommandUUID</key>
<string>InstallApplication;Collection=51075000000853127</string>
<key>ErrorChain</key>
<array>
<dict>
<key>ErrorCode</key>
<integer>1005</integer>
<key>ErrorDomain</key>
<string>DeviceManagement.error</string>
<key>LocalizedDescription</key>
<string>Could not install app.</string>
</dict>
<dict>
<key>ErrorCode</key>
<integer>4097</integer>
<key>ErrorDomain</key>
<string>NSCocoaErrorDomain</string>
<key>LocalizedDescription</key>
<string>Couldn’t communicate with a helper application.</string>
</dict>
</array>
<key>Status</key>
<string>Error</string>
<key>UDID</key>
<string>UDID-UDID</string>
</dict>
</plist>
InstallProfile Errors
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CommandUUID</key>
<string>SingletonRestriction</string>
<key>ErrorChain</key>
<array>
<dict>
<key>ErrorCode</key>
<integer>4099</integer>
<key>ErrorDomain</key>
<string>NSCocoaErrorDomain</string>
<key>LocalizedDescription</key>
<string>Couldn’t communicate with a helper application.</string>
</dict>
</array>
<key>Status</key>
<string>Error</string>
<key>UDID</key>
<string>UDIDUDID</string>
</dict>
</plist>
AvailableOSUpdate Error
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CommandUUID</key>
<string>AvailableOSUpdates</string>
<key>ErrorChain</key>
<array>
<dict>
<key>ErrorCode</key>
<integer>12050</integer>
<key>ErrorDomain</key>
<string>MCMDMErrorDomain</string>
<key>LocalizedDescription</key>
<string>The attempt to check for an available update failed.</string>
<key>USEnglishDescription</key>
<string>The attempt to check for an available update failed.</string>
</dict>
<dict>
<key>ErrorCode</key>
<integer>2214</integer>
<key>ErrorDomain</key>
<string>DeviceManagement.error</string>
<key>LocalizedDescription</key>
<string>Scan failed.</string>
</dict>
<dict>
<key>ErrorCode</key>
<integer>4097</integer>
<key>ErrorDomain</key>
<string>NSCocoaErrorDomain</string>
<key>LocalizedDescription</key>
<string>Couldn’t communicate with a helper application.</string>
</dict>
</array>
<key>Status</key>
<string>Error</string>
<key>UDID</key>
<string>UDIDUDIDUDID</string>
</dict>
</plist>
ClearPasscode
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CommandUUID</key>
<string>ClearPasscode</string>
<key>ErrorChain</key>
<array>
<dict>
<key>ErrorCode</key>
<integer>701</integer>
<key>ErrorDomain</key>
<string>DeviceManagement.error</string>
<key>LocalizedDescription</key>
<string>The device’s passcode cannot be cleared.</string>
</dict>
<dict>
<key>ErrorCode</key>
<integer>4097</integer>
<key>ErrorDomain</key>
<string>NSCocoaErrorDomain</string>
<key>LocalizedDescription</key>
<string>Couldn’t communicate with a helper application.</string>
</dict>
</array>
<key>Status</key>
<string>Error</string>
<key>UDID</key>
<string>UDIDUDIDUDID</string>
</dict>
</plist>
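Server-side triage of the error responses shown in the posts above, as an added example (not part of the original posts, and not Apple's or any MDM vendor's code). It parses a response plist, keeps the full ErrorChain, and retries only the NSCocoaErrorDomain 4097/4099 entries within a bounded budget; treating those codes as transient is an assumption drawn from the posters' observation that a later attempt succeeded, and `triage`, `TRANSIENT` and `MAX_ATTEMPTS` are hypothetical names.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Assumption taken from the posts above: these NSCocoaErrorDomain codes
# ("Couldn't communicate with a helper application") cleared on a later attempt.
TRANSIENT = {("NSCocoaErrorDomain", 4097), ("NSCocoaErrorDomain", 4099)}
MAX_ATTEMPTS = 3  # hypothetical retry budget per command and device

# Constructed sample modelled on the InstallApplication response above.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>CommandUUID</key><string>InstallApplication;Collection=1</string>
<key>ErrorChain</key><array>
<dict><key>ErrorCode</key><integer>1005</integer>
<key>ErrorDomain</key><string>DeviceManagement.error</string></dict>
<dict><key>ErrorCode</key><integer>4097</integer>
<key>ErrorDomain</key><string>NSCocoaErrorDomain</string></dict>
</array>
<key>Status</key><string>Error</string>
<key>UDID</key><string>UDID-UDID</string>
</dict></plist>"""


def triage(raw: bytes, attempts_so_far: int) -> dict:
    """Parse one device response and decide: none, retry, escalate or reject."""
    try:
        resp = plistlib.loads(raw)
    except (ValueError, ExpatError):
        return {"action": "reject", "chain": []}  # not a parseable plist
    if not isinstance(resp, dict):
        return {"action": "reject", "chain": []}
    if resp.get("Status") != "Error":
        return {"action": "none", "chain": []}
    # Keep the whole chain: the outer entry names the command-level failure,
    # the inner entries name the underlying cause.
    chain = [(e.get("ErrorDomain"), e.get("ErrorCode"))
             for e in resp.get("ErrorChain", []) if isinstance(e, dict)]
    retryable = any(link in TRANSIENT for link in chain)
    action = "retry" if retryable and attempts_so_far < MAX_ATTEMPTS else "escalate"
    return {"action": action, "chain": chain,
            "command": resp.get("CommandUUID"), "udid": resp.get("UDID"),
            "rejection": resp.get("RejectionReason")}


if __name__ == "__main__":
    print(triage(SAMPLE, attempts_so_far=0))
```

Logging the full chain per device and command makes it possible to see whether a given domain and code pair clusters on particular OS versions before deciding it is safe to retry automatically.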