Hello,
Return to service allows providing a Wifi profile when Erasing device to go with barely zero-touch ; is there a way to provide a client certificate used for 802.x auth or is the WiFiProfileData limited to com.apple.wifi.managed payload ?
Post
Replies
Boosts
Views
Activity
Hello,
is there any plan to add a new service type for Privacy Preferences Policy Control profile to allow apps deployed via MDM on Organization owned devices to access local network without prompting end user on Sequoia ?
This would be very welcome, especially in education world where students are good at finding on how to block the tools they are supposed to use.
I created FB14540495 for reference.
Thanks !
Hello,
I could not find information in the doc (which is still beta, I understand) : how are app upgrade handled by DDM AppManaged ?
With MDM, sending InstalledApplication command will upgrade the app to the most suitable recent version ; HasUpdateAvailable flag tells MDM server (more or less accurately) if there is an update and then Organizations can keep apps up to date as quickly as possible if needed.
But with DDM, we just have a declaration where we tell the device to install a given app, and that's it. Is there any detail about how the device upgrades apps, and how frequently ?
Thanks.
Hello,
AppManaged documentation has been updated and shares some details about current state of DDM and app management.
Is there any way to specify App Config with DDM, the same way as we can do with MDM with ManagedApplicationConfiguration and InstallApplication command ?
I see attributes are available but not config.
Thanks !
Hello,
ContentFilterUUID in WebContentFilter payload can be used for "Per-App content filter" - the UUID can be used in app attributes, as stated in the doc:
A globally-unique identifier for this content filter configuration. Managed apps with the same ContentFilterUUID in their app attributes have their network traffic processed by the content filter.
Do I understand right that if we want the profile to be globally applied, it should NOT contain the ContentFilterUUID key ?
We're seeing cases where setting the key would make the profile doing nothing on the device, but the documentation is not 100% clear on this.
Any clarification would be very appreciated !
Thanks
Hello,
what's the status of managing books with UserEnrollment context ?
I remember this used to work with a glitch : end user has to log in into Books with his/her managed Apple id (which could be problematic as you can't have both your books and organization books).
But I'm currently not able to make it work - A VPP user is associated (silent invite) to the right managed apple id, enough time (more than an hour) happened since a license has been associated to the VPP user and fetching the license from the API shows it has been set properly.
But installing the app via MDM always ends with error:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Command</key>
<dict>
<key>MediaType</key>
<string>Book</string>
<key>RequestType</key>
<string>InstallMedia</string>
<key>iTunesStoreID</key>
<integer>1525146196</integer>
</dict>
<key>CommandUUID</key>
<string>e802d682-e8b1-6253-04f5-736dab7ecd13</string>
</dict>
</plist>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CommandUUID</key>
<string>e802d682-e8b1-6253-04f5-736dab7ecd13</string>
<key>EnrollmentID</key>
<string>971BB6F0-CA43-4B5E-9A1A-7BEF7A7BC286</string>
<key>ErrorChain</key>
<array>
<dict>
<key>ErrorCode</key>
<integer>12047</integer>
<key>ErrorDomain</key>
<string>MDMErrorDomain</string>
<key>LocalizedDescription</key>
<string>A VPP purchase record for the item could not be found.</string>
<key>USEnglishDescription</key>
<string>A VPP purchase record for the item could not be found.</string>
</dict>
<dict>
<key>ErrorCode</key>
<integer>2615</integer>
<key>ErrorDomain</key>
<string>DeviceManagement.error</string>
<key>LocalizedDescription</key>
<string>Could not find Volume Purchase Programme assignment.</string>
</dict>
</array>
<key>Status</key>
<string>Error</string>
</dict>
</plist>```
Is this still a supported workflow ? Installing an App works without any issue in the same context.
Hello,
MDM protocol advices to use GDMF (https://gdmf.apple.com/v2/pmv) to manage properly updates ; the service defines which update is available for which device.
Nevertheless, we're seeing a difference between what GDMF returns and what is documented in the "public" documentation : https://support.apple.com/guide/deployment/manage-software-updates-depc4c80847a/web
For instance, for iOS 15.2, GDMF shows:
"ProductVersion":"15.2","PostingDate":"2021-12-13","ExpirationDate":"2022-04-12"
But public doc shows 11/02/2022 as expiration date.
Why this mismatch ? Which one is the right one ?
Thanks !
Hi MDM folks,
We're getting reports - and were able to reproduce - that installing books fails on macOS these days ; InstallMedia command errors with Internal Error MDMClientError:-567.
Steps to repro:
Enroll a mac (tested with Mac Book Air M1 running macOS 12.1) to your favorite MDM
login to iCloud
Go to Apple School Manager (or Business), get VPP location, get a book for the location.
Have a VPP (from the location) user registered, send notification to the device to have it associated (respond to notification, accept T&Cs).
Use VPP API to associate a license from this location for the user created in 4. Wait 3 minutes to be sure.
Run InstallMedia command with the itunes id.
Getting now:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Command</key>
<dict>
<key>MediaType</key>
<string>Book</string>
<key>RequestType</key>
<string>InstallMedia</string>
<key>iTunesStoreID</key>
<integer>1055374716</integer>
</dict>
<key>CommandUUID</key>
<string>41d2986d-c105-d283-5b4d-6b35a3539208</string>
</dict>
</plist>
is answered with:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CommandUUID</key>
<string>41d2986d-c105-d283-5b4d-6b35a3539208</string>
<key>ErrorChain</key>
<array>
<dict>
<key>ErrorCode</key>
<integer>-567</integer>
<key>ErrorDomain</key>
<string>MDMClientError</string>
<key>LocalizedDescription</key>
<string>Internal Error <MDMClientError:-567></string>
</dict>
</array>
<key>NotOnConsole</key>
<false/>
<key>Status</key>
<string>Error</string>
<key>UDID</key>
<string>682A2614-DCB7-5AC6-829B-674A101A9EDA</string>
<key>UserID</key>
<string>0AF0BD86-C327-472D-80EC-9BFF31633087</string>
<key>UserLongName</key>
<string>admin</string>
<key>UserShortName</key>
<string>admin</string>
</dict>
</plist>
Looking at device logs after installing ManagedClient Log profiles :
[ERROR] [ErrorChain.0] (InstallMedia) [MDMClientError:-567] Internal Error <MDMClientError:-567>>
CSSM Exception: -2147415780 CSSMERR_CSP_INVALID_KEYATTR_MASK
CSSM Exception: -2147415780 CSSMERR_CSP_INVALID_KEYATTR_MASK
cert[0]: MissingIntermediate =(leaf)[force]> 0
Trust evaluate failure: [leaf MissingIntermediate]
[501:MDMAgent:HTTPUtil:<0x3236>] >>>>> Sending HTTP request (PUT) [Error(InstallMedia):80c5de4b-9f47-eacf-1f2f-caab1ec34fe8] >>>>>
I'll try with 12.2 Beta, but sounds like something's wrong with 12.1 and book assignment.
Any hint ?
Thanks (and all the best for 2022!).
Hi,
What would be the root cause of macOS device responding "Other.
Duplicate request."
to InstallApplication commands ?
Is this equivalent of "The application is already scheduled for management" error on iOS side ?
Generally, would it be possible to extend https://developer.apple.com/documentation/devicemanagement/installapplicationresponse?changes=latest_minor&language=objc (and other commands) with possible error codes and their meaning ?
Thanks !
Hello,
AvailableOSUpdates command used to be acknowledged by non-supervised iOS devices (it's still the case for iOS 12.5.3 devices for instance), but it is now returning an error on iOS 14.5+.
?xml version="1.0" encoding="UTF-8"?
!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"
plist version="1.0"
dict
keyCommandUUID/key
string96bc818b-5e2c-f83b-b710-0197fba79474/string
keyErrorChain/key
array
dict
keyErrorCode/key
integer12021/integer
keyErrorDomain/key
stringMCMDMErrorDomain/string
keyLocalizedDescription/key
string“AvailableOSUpdates” is not a valid request type./string
keyUSEnglishDescription/key
string“AvailableOSUpdates” is not a valid request type./string
/dict
/array
keyStatus/key
stringError/string
keyUDID/key
stringxxx/string
/dict
/plist
Is this expected, and if yes, could you clarify when the change happened ?
Thanks !
Hi Device Management team,
Are ScheduleOSUpdate error code documented somewhere ? I could not find anything in https://developer.apple.com/documentation/devicemanagement/schedule_an_os_update?changes=latest_minor&language=objc.
We have a case where a device reports cryptic error 700:
keyUpdateResults/key
array
dict
keyErrorChain/key
array
dict
keyErrorCode/key
integer700/integer
keyErrorDomain/key
stringSUOSUErrorDomain/string
keyLocalizedDescription/key
string700/string
/dict
/array
keyInstallAction/key
stringError/string
keyProductKey/key
string_MACOS_11.2.1/string
keyStatus/key
stringInstallFailed/string
/dict
/array
The description is just "700".
The device properly reports this update:
keyAvailableOSUpdates/key
array
dict
keyAllowsInstallLater/key
true/
keyAppIdentifiersToClose/key
array/
keyDownloadSize/key
integer12199403070/integer
keyHumanReadableName/key
stringmacOS Big Sur/string
keyIsConfigDataUpdate/key
false/
keyIsCritical/key
false/
keyIsFirmwareUpdate/key
false/
keyProductKey/key
string_MACOS_11.2.1/string
keyRequiresBootstrapToken/key
false/
keyRestartRequired/key
true/
keyVersion/key
string11.2.1/string
/dict
And the command to install seems ok:
dict
keyRequestType/key
stringScheduleOSUpdate/string
keyUpdates/key
array
dict
keyInstallAction/key
stringDefault/string
keyProductKey/key
string_MACOS_11.2.1/string
keyProductVersion/key
string11.2.1/string
/dict
/array
/dict
Thanks !
Good morning,
SkipKeys documentation for DEP (https://developer.apple.com/documentation/devicemanagement/skipkeys?changes=latest_minor&language=objc) has been updated with a new "AppStore" key - but the description is empty.
Could you share more details about this key ? (supported plaftorms for instance...)
Thanks !
We have a case where some users, within the same organization, report that our application does not start on macOS Catalina.
When this is the case, the error message in console is
Trust evaluate failure: [leaf TemporalValidity]
The same app works on other devices which seem to be equivalent (same macOS version...).
I'm trying to figure out what could be the issue and which log could help us understanding what's wrong.
I can see track of this error in a blog post from the Eclectic Light Company Blog (sounds like I can't post the link, but googling for "What happened when MRT was updated" should redirect to it) ; both running / not running devices have most up to date MRT Data.
The app is signed and notarized (and it's anyway the same app on both devices).
Any idea on what to look at to understand what fails ?
Hi,
We're investigating unreliable OS Update management with iOS devices - in a nutshell, it takes ages to see the update installed.
Looking again at the doc:
Downloading and installing updates in iOS and tvOS is a two-step process. Send a ScheduleOSUpdate command with Default for InstallAction to download the updates. Then send another ScheduleOSUpdate command with a Default InstallAction to install the updates. Software updates may require a restart, which prevents the device from responding. When this happens, the MDM server resends the ScheduleOSUpdate command when the device checks in again, however, the device won’t return a value for UpdateResults. This not was not in the original PDF - and I missed the 2-step note.
Our Apple contact was a bit surprised and redirected me to the Dev Forum to get clarification about the expected behavior.
Polling devices to know when to send the command a second time is not welcome for large organizations.
Could the process be clarified ? Is there a way to upgrade a device with one single command MDM side ?
Thanks !
macOS 11 Beta 9 introduces a new option for TCC profile to allow normal user account to grant Screen Recording (and audio) permissions to apps.
Is there a way to build one profile which can be deployed to both macOS 10.15 and 11 ?
If we want to deny access, and therefore send:
Allowed=False
Authorization=Deny
Big Sur rejects the profile.
If we want to allow access to standard user, the profile will be rejected if we do:
Allowed - not set (as it's invalid for Screen recording)
Authorization=AllowStandardUserToSetSystemService,
Catalina rejects the profile because Allowed is missing.