Post

Replies

Boosts

Views

Activity

TCC profile change for Local Network Access
Hello, is there any plan to add a new service type for Privacy Preferences Policy Control profile to allow apps deployed via MDM on Organization owned devices to access local network without prompting end user on Sequoia ? This would be very welcome, especially in education world where students are good at finding on how to block the tools they are supposed to use. I created FB14540495 for reference. Thanks !
1
0
563
Jul ’24
DDM, AppManaged and app upgrade
Hello, I could not find information in the doc (which is still beta, I understand) : how are app upgrade handled by DDM AppManaged ? With MDM, sending InstalledApplication command will upgrade the app to the most suitable recent version ; HasUpdateAvailable flag tells MDM server (more or less accurately) if there is an update and then Organizations can keep apps up to date as quickly as possible if needed. But with DDM, we just have a declaration where we tell the device to install a given app, and that's it. Is there any detail about how the device upgrades apps, and how frequently ? Thanks.
1
0
542
Feb ’24
WebContent filter and ContentFilterUUID clarification
Hello, ContentFilterUUID in WebContentFilter payload can be used for "Per-App content filter" - the UUID can be used in app attributes, as stated in the doc: A globally-unique identifier for this content filter configuration. Managed apps with the same ContentFilterUUID in their app attributes have their network traffic processed by the content filter. Do I understand right that if we want the profile to be globally applied, it should NOT contain the ContentFilterUUID key ? We're seeing cases where setting the key would make the profile doing nothing on the device, but the documentation is not 100% clear on this. Any clarification would be very appreciated ! Thanks
2
0
817
Sep ’23
InstallMedia (Books) and UserEnrollment
Hello, what's the status of managing books with UserEnrollment context ? I remember this used to work with a glitch : end user has to log in into Books with his/her managed Apple id (which could be problematic as you can't have both your books and organization books). But I'm currently not able to make it work - A VPP user is associated (silent invite) to the right managed apple id, enough time (more than an hour) happened since a license has been associated to the VPP user and fetching the license from the API shows it has been set properly. But installing the app via MDM always ends with error: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Command</key> <dict> <key>MediaType</key> <string>Book</string> <key>RequestType</key> <string>InstallMedia</string> <key>iTunesStoreID</key> <integer>1525146196</integer> </dict> <key>CommandUUID</key> <string>e802d682-e8b1-6253-04f5-736dab7ecd13</string> </dict> </plist> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CommandUUID</key> <string>e802d682-e8b1-6253-04f5-736dab7ecd13</string> <key>EnrollmentID</key> <string>971BB6F0-CA43-4B5E-9A1A-7BEF7A7BC286</string> <key>ErrorChain</key> <array> <dict> <key>ErrorCode</key> <integer>12047</integer> <key>ErrorDomain</key> <string>MDMErrorDomain</string> <key>LocalizedDescription</key> <string>A VPP purchase record for the item could not be found.</string> <key>USEnglishDescription</key> <string>A VPP purchase record for the item could not be found.</string> </dict> <dict> <key>ErrorCode</key> <integer>2615</integer> <key>ErrorDomain</key> <string>DeviceManagement.error</string> <key>LocalizedDescription</key> <string>Could not find Volume Purchase Programme assignment.</string> </dict> </array> <key>Status</key> <string>Error</string> </dict> </plist>``` Is this still a supported workflow ? Installing an App works without any issue in the same context.
0
0
538
Jul ’22
Update expiration date mismatch between public doc and GDMF
Hello, MDM protocol advices to use GDMF (https://gdmf.apple.com/v2/pmv) to manage properly updates ; the service defines which update is available for which device. Nevertheless, we're seeing a difference between what GDMF returns and what is documented in the "public" documentation : https://support.apple.com/guide/deployment/manage-software-updates-depc4c80847a/web For instance, for iOS 15.2, GDMF shows: "ProductVersion":"15.2","PostingDate":"2021-12-13","ExpirationDate":"2022-04-12" But public doc shows 11/02/2022 as expiration date. Why this mismatch ? Which one is the right one ? Thanks !
0
1
725
Mar ’22
InstallMedia errors with Internal Error <MDMClientError:-567>
Hi MDM folks, We're getting reports - and were able to reproduce - that installing books fails on macOS these days ; InstallMedia command errors with Internal Error MDMClientError:-567. Steps to repro: Enroll a mac (tested with Mac Book Air M1 running macOS 12.1) to your favorite MDM login to iCloud Go to Apple School Manager (or Business), get VPP location, get a book for the location. Have a VPP (from the location) user registered, send notification to the device to have it associated (respond to notification, accept T&Cs). Use VPP API to associate a license from this location for the user created in 4. Wait 3 minutes to be sure. Run InstallMedia command with the itunes id. Getting now: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Command</key> <dict> <key>MediaType</key> <string>Book</string> <key>RequestType</key> <string>InstallMedia</string> <key>iTunesStoreID</key> <integer>1055374716</integer> </dict> <key>CommandUUID</key> <string>41d2986d-c105-d283-5b4d-6b35a3539208</string> </dict> </plist> is answered with: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CommandUUID</key> <string>41d2986d-c105-d283-5b4d-6b35a3539208</string> <key>ErrorChain</key> <array> <dict> <key>ErrorCode</key> <integer>-567</integer> <key>ErrorDomain</key> <string>MDMClientError</string> <key>LocalizedDescription</key> <string>Internal Error &lt;MDMClientError:-567&gt;</string> </dict> </array> <key>NotOnConsole</key> <false/> <key>Status</key> <string>Error</string> <key>UDID</key> <string>682A2614-DCB7-5AC6-829B-674A101A9EDA</string> <key>UserID</key> <string>0AF0BD86-C327-472D-80EC-9BFF31633087</string> <key>UserLongName</key> <string>admin</string> <key>UserShortName</key> <string>admin</string> </dict> </plist> Looking at device logs after installing ManagedClient Log profiles : [ERROR] [ErrorChain.0] (InstallMedia) [MDMClientError:-567] Internal Error <MDMClientError:-567>> CSSM Exception: -2147415780 CSSMERR_CSP_INVALID_KEYATTR_MASK CSSM Exception: -2147415780 CSSMERR_CSP_INVALID_KEYATTR_MASK cert[0]: MissingIntermediate =(leaf)[force]> 0 Trust evaluate failure: [leaf MissingIntermediate] [501:MDMAgent:HTTPUtil:<0x3236>] >>>>> Sending HTTP request (PUT) [Error(InstallMedia):80c5de4b-9f47-eacf-1f2f-caab1ec34fe8] >>>>> I'll try with 12.2 Beta, but sounds like something's wrong with 12.1 and book assignment. Any hint ? Thanks (and all the best for 2022!).
1
0
752
Jan ’22
macOS : InstallApplication errors with "Other. Duplicate request".
Hi, What would be the root cause of macOS device responding "Other. Duplicate request." to InstallApplication commands ? Is this equivalent of "The application is already scheduled for management" error on iOS side ? Generally, would it be possible to extend https://developer.apple.com/documentation/devicemanagement/installapplicationresponse?changes=latest_minor&language=objc (and other commands) with possible error codes and their meaning ? Thanks !
0
1
847
Jun ’21
AvailableOSUpdates on non-supervised iOS devices
Hello, AvailableOSUpdates command used to be acknowledged by non-supervised iOS devices (it's still the case for iOS 12.5.3 devices for instance), but it is now returning an error on iOS 14.5+. ?xml version="1.0" encoding="UTF-8"? !DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd" plist version="1.0" dict keyCommandUUID/key string96bc818b-5e2c-f83b-b710-0197fba79474/string keyErrorChain/key array dict keyErrorCode/key integer12021/integer keyErrorDomain/key stringMCMDMErrorDomain/string keyLocalizedDescription/key string“AvailableOSUpdates” is not a valid request type./string keyUSEnglishDescription/key string“AvailableOSUpdates” is not a valid request type./string /dict /array keyStatus/key stringError/string keyUDID/key stringxxx/string /dict /plist Is this expected, and if yes, could you clarify when the change happened ? Thanks !
3
0
1.2k
May ’21
ScheduleOS Error code documentation
Hi Device Management team, Are ScheduleOSUpdate error code documented somewhere ? I could not find anything in https://developer.apple.com/documentation/devicemanagement/schedule_an_os_update?changes=latest_minor&amp;language=objc. We have a case where a device reports cryptic error 700: keyUpdateResults/key array dict keyErrorChain/key array dict keyErrorCode/key integer700/integer keyErrorDomain/key stringSUOSUErrorDomain/string keyLocalizedDescription/key string700/string /dict /array keyInstallAction/key stringError/string keyProductKey/key string_MACOS_11.2.1/string keyStatus/key stringInstallFailed/string /dict /array The description is just "700". The device properly reports this update: keyAvailableOSUpdates/key array dict keyAllowsInstallLater/key true/ keyAppIdentifiersToClose/key array/ keyDownloadSize/key integer12199403070/integer keyHumanReadableName/key stringmacOS Big Sur/string keyIsConfigDataUpdate/key false/ keyIsCritical/key false/ keyIsFirmwareUpdate/key false/ keyProductKey/key string_MACOS_11.2.1/string keyRequiresBootstrapToken/key false/ keyRestartRequired/key true/ keyVersion/key string11.2.1/string /dict And the command to install seems ok: dict keyRequestType/key stringScheduleOSUpdate/string keyUpdates/key array dict keyInstallAction/key stringDefault/string keyProductKey/key string_MACOS_11.2.1/string keyProductVersion/key string11.2.1/string /dict /array /dict Thanks !
1
0
1.2k
Mar ’21
"AppStore" Skip key ?
Good morning, SkipKeys documentation for DEP (https://developer.apple.com/documentation/devicemanagement/skipkeys?changes=latest_minor&language=objc) has been updated with a new "AppStore" key - but the description is empty. Could you share more details about this key ? (supported plaftorms for instance...) Thanks !
3
0
1.1k
Feb ’21
Trust evaluate failure: [leaf TemporalValidity]
We have a case where some users, within the same organization, report that our application does not start on macOS Catalina. When this is the case, the error message in console is Trust evaluate failure: [leaf TemporalValidity] The same app works on other devices which seem to be equivalent (same macOS version...). I'm trying to figure out what could be the issue and which log could help us understanding what's wrong. I can see track of this error in a blog post from the Eclectic Light Company Blog (sounds like I can't post the link, but googling for "What happened when MRT was updated" should redirect to it) ; both running / not running devices have most up to date MRT Data. The app is signed and notarized (and it's anyway the same app on both devices). Any idea on what to look at to understand what fails ?
4
0
3.6k
Jan ’21
ScheduleOSUpdate - 2 step process ?
Hi, We're investigating unreliable OS Update management with iOS devices - in a nutshell, it takes ages to see the update installed. Looking again at the doc: Downloading and installing updates in iOS and tvOS is a two-step process. Send a ScheduleOSUpdate command with Default for InstallAction to download the updates. Then send another ScheduleOSUpdate command with a Default InstallAction to install the updates. Software updates may require a restart, which prevents the device from responding. When this happens, the MDM server resends the ScheduleOSUpdate command when the device checks in again, however, the device won’t return a value for UpdateResults. This not was not in the original PDF - and I missed the 2-step note. Our Apple contact was a bit surprised and redirected me to the Dev Forum to get clarification about the expected behavior. Polling devices to know when to send the command a second time is not welcome for large organizations. Could the process be clarified ? Is there a way to upgrade a device with one single command MDM side ? Thanks !
2
0
1.7k
Dec ’20
TCC profile and Authorization
macOS 11 Beta 9 introduces a new option for TCC profile to allow normal user account to grant Screen Recording (and audio) permissions to apps. Is there a way to build one profile which can be deployed to both macOS 10.15 and 11 ? If we want to deny access, and therefore send: Allowed=False Authorization=Deny Big Sur rejects the profile. If we want to allow access to standard user, the profile will be rejected if we do: Allowed - not set (as it's invalid for Screen recording) Authorization=AllowStandardUserToSetSystemService, Catalina rejects the profile because Allowed is missing.
1
0
1.8k
Oct ’20