Same here. Do you have a feedback assistant ID we can refer to ?

Thanks !

https://developer.apple.com/documentation/devicemanagement/installedapplicationlistcommand/command?changes=latest_beta&language=objc - there is a new Items key. Should this be sent to get the value again ?

Just tested with iPadOS 14.0 release and 14.2b1 - still no HasUpdateAvailable

Hi, FQDN based certificates seem to work, only IP based self signed certs are not supported anymore. According to the radar ticket we opened, this is due to changes announced in https://support.apple.com/en-us/HT210176. We're seeing the same with macOS 11.

Thanks for the clarification !

Thanks for the answer. Is this enough to run codesign -dv --verbose=4 /path/to/executable_or_dylib to track down the issue ? I'll check if device time is properly set and I'll try to get codesign output as well. Thanks !

So we finally figured out the root cause - on impacted devices there were left-overs from a former (more than a couple of years old) installation. Those dylibs would be picked before the most recent ones located in a different path. And the signing of these dylibs was not correct anymore.. Thanks for the help !

Not sure what you're exactly looking for, but basically: your app needs to implement code to react to app config being sent. Look at https://developer.apple.com/documentation/foundation/nsuserdefaultsdidchangenotification and NSUserDefaults class documentation. In a nutshell there is a function called when the config is sent by the MDM with a dictionary with all key/values. you need to provide to your customers a plist containing the dictionary. your customers need to use their MDM to send the configuration to the apps. At this point, it really depends on the MDM implementation. Disclaimer : I'm working for one MDM vendor ; with our solution, you can easily import the plist and attach it to the application you want to deploy to devices and we offer some flexibility (you can deploy different plists on different devices based on rules or customize the plist on the fly). But the MDM protocol is quite simple : the config can be sent to the device at installation time or afterwards, and once the config is sent the app receives the callback, the rest really depends on the implementation of the MDM tool.

It should not matter. https://developer.apple.com/documentation/devicemanagement/installapplicationcommand/command?changes=latest_minor&language=objc InstallApplication command can contain Configuration which is the configuration plist - and this should work for both IPA or via iTunesID (ASM/ABM). In addition, the Setting command allows to update the configuration once the app has been installed: https://developer.apple.com/documentation/devicemanagement/settingscommand/command/settings/applicationconfiguration?changes=latest_minor&language=objc And this is based on bundle id - so unrelated to how the app has been installed.

Per-account-VPN follows the same concept as Per-App-VPN : you deploy an app-layer-vpn profile (which looks very similar to a VPN payload), and you use VPNUUID key to refer to it (in the profile payload for the service, in the Attributes section of the application - see https://developer.apple.com/documentation/devicemanagement/installapplicationcommand/command/attributes?changes=latest_minor&language=objc - for Apps).

ok, thanks !

Understood - but my point is that AvailableOSUpdates command did not require supervision in the past - iOS 12.5.3 unsupervised devices do accept the request, while it's not the case with recent iOS versions like 14.5.1. So the supervision requirement changed over time - and I was just curious to know: if this was expected or if it is a bug. In 2016, the MDM protocol PDF documented: Only Supervised DEP-enrolled iOS devices and DEP-managed Macintosh computers are eligible for software update management. However, the AvailableOSUpdates query is available to non-DEP managed devices. So in 2016 supervision was not required. if this is not a bug, when (Which version) did that change. Our MDM solution still support older devices which can't upgrade to iOS 14.5 and we would like to make sure we send the right command to the right version of iOS. Thanks !

Thanks for the reply. I'd have 2 additional questions: which error should be replied by the server ? WWDC sessions says "The MDM will send a JSON 403 response when the device requests the enrollment profile", but JSON is the format of the content, while 403 is at HTTP layer. Should it just be 403 with empty content ? comparing versions is quite straightforward, but is there any guidance / documentation related to supplemental versions ? For instance, my test iPad would return: <key>OS_VERSION</key> <string>17.0</string> <key>PRODUCT</key> <string>iPad12,1</string> <key>SUPPLEMENTAL_BUILD_VERSION</key> <string>21A5248v</string> <key>VERSION</key> <string>21A5248v</string> Obviously, testing if the version is the one we expect is simple, but I guess that most of the time organizations are asking for a minimum version requirement, which means that we need to test if device VERSION / SUPPLEMENTAL_BUILD_VERSION is more recent than the organization requires. I assume the build number could be parsed...

Thanks for the confirmation. I guess it's the same for DNSProxy (DNSProxyUUID) ?