We are doing application assignment to personal iOS devices that are enrolled in MDM via User Enrollment. However, we're experiencing some odd behavior when assigning licenses. We are getting back errors from the devices when doing assignments: code: 12064, domain: MDMErrorDomain, description: Could not retrieve licence for the app with iTunes Store ID 422689480. code: 2605, domain: DeviceManagement.error, description: No licence was found for app "com.google.Gmail". However, we are not seeing license exhaustion on the Apple Business Manager side for our location. We are not clear what would cause the 12064 or 2605 errors. We have tried re-sending the command to install the app, and we have tried un-enrolling devices and re-enrolling, as well as updating the VPP Token for the location. We have gathered sysdiagnoses from affected devices, but it's not clear what causes this. What other causes are there for 12064 and 2605 errors? How can we work around these?

We are trying to publish an app on the public App Store that is intended for internal use by our organization. The app does not have a public registration process—accounts are created internally by our organization's system, and users simply sign in. Apple has rejected the app, suggesting to use private distribution methods like Apple Business Manager or the Apple Developer Enterprise Program. However, we would prefer to distribute the app publicly via the App Store for easier access and updates. Has anyone successfully published a public-facing app without a registration feature where account creation is managed internally? Are there any specific strategies or additional features we should add to meet Apple’s requirements while keeping our internal account creation process? Thank you for your insights!

I am currently working on a Visual Basic .NET project and aim to integrate an internal application with the Apple Business Manager API to access DEP (Device Enrollment Program) device data. Specifically, I would like to request any guidance on the following aspects: Generating a Valid Access Token: I am aware that JSON tokens are required to interact with the API, but I am unsure of the correct procedure to create a valid token for accessing the Apple Business Manager data. How to set permissions for accessing DEP Device Data: What steps do I need to follow to obtain the necessary permissions to read DEP device data from Apple Buiness Manager? Are there specific configurations or approval processes that need to be completed within Apple Developer Account oder Apple Business Manager account (which both uses same Apple ID)? API Endpoints and Documentation to access Business Manager by API: Could you please point me to the relevant APIs and endpoints for interacting with the DEP data? Which web requests to send where? Any documentation that outlines the API structure fur Business Manager access and how and where to obtain access tokens for it. Thanks for any assistance as I stuck here since it is ma first project accessing Apple APIs.

Hello there, I Have an Apple developer enterprise subscription. I need to put my app on app store in order to deliver it by Citrix secure hub it seems to be necessary for me using "volume purchase program". it seems to be necessary connecting citrix store with apple business manager On these premises, I followed docs and went on App Store Connect site, but there is no "my apps" section on the page as I expected, I can find only a unique section "Users and accesses" and two tabs "people" and "integrations" **How can I submit my app? why exactly I'm not seeing the same on different profile? ** here what I see:

Hello, We have filtering logic that is being loaded into PacketTunnelProvider network extension for processing web traffic. The issue we are facing is the 50MB cap is being hit after browsing a few websites and the OS terminates the PacketTunnelProvider. What would be the best way to tackle this problem? A few ideas come to mind and would appreciate any support on them: using IPC (Inter Process Communication) to move the filtering logic back to the main app (if this is possible) we could move the filtering in Filter Control Provider however the limitation on there is that we cannot perform HTTP response modification which is imperative for the workings of the filtering. We have same solution working fine on Android and app is using about 270MB in worst case (however in Android there is no limit to network extension as the VPN provider runs inside the app) The project target market is in excess of 50,000 devices We would appreciate any support on the matter.

The customer's ABM account has been locked，i can't get token with DEP Server Token.Is there any ways to release device from ABM with some api or softwares. I hope no remote management page during the activation process settings after i restore factory settings. Thanks in advance.

Hello, is there any plan to add a new service type for Privacy Preferences Policy Control profile to allow apps deployed via MDM on Organization owned devices to access local network without prompting end user on Sequoia ? This would be very welcome, especially in education world where students are good at finding on how to block the tools they are supposed to use. I created FB14540495 for reference. Thanks !

I have been running ABM to synchronize devices for some time now, but in recent days, when using the interface for synchronization, the response from the interface to the device's' Device-Assigned-by 'field has changed. The official website should return' The email of the person who assigned the device. 'However, what I received was a string of numbers, such as 275xxxxx, which corresponds to the ABM user's ID. Some devices may change the field to email again when synchronizing, but unfortunately some devices will always have these numbers. How can I recover the email?

I have been running ABM to synchronize devices for some time now, but in recent days, when using interface synchronization, the device's "assembly_assigned-by" field responded by the interface has changed. The official website should return "The email of the person who assigned the device." However, what I received was a string of numbers, such as 275xxxxxxxx. Some devices may change the field to email again when synchronizing, but unfortunately some devices will always have these numbers. How can I recover the email? https://mdmenrollment.apple.com/server/devices https://mdmenrollment.apple.com/devices/sync

When syncing newly added or modified devices in the Apple Business Manager (ABM) portal using the POST request to https://mdmenrollment.apple.com/devices/sync, we are getting an issue when the ABM server account has more than 1000 devices. The response consistently includes 1000 devices, with the ‘more_to_follow’ flag always set to true and the ‘cursor’ value changing. However, subsequent ABM syncs for other devices result in duplicate devices being included in the response, and the ‘more_to_follow’ flag never becomes false. As more_to_follow is always true, we try to hit api continuously. Please refer this for sync API details which is causing issue: https://developer.apple.com/documentation/devicemanagement/sync_the_list_of_devices This issue appears to originate from the Apple ABM side. Any help would be of great use. Thanks in advance.

Hi Team, We are planning to automate ABM export. We dont want to download export which contains device inventory for example, S/N, IMEI, Reseller ID, etc. Is there any way to automate it or has Apple made their APIs available? Any help would be appreciated. Regards!

When making a GET request to the ABM Account API at https://mdmenrollment.apple.com/account, we receive a response that includes an org_email field. However, we’ve noticed that the value of org_email varies. Sometimes it corresponds to an account with the role of Administrator, while other times it comes from account with roles Device Enrolment Manager, Content Manager and People Manager. We seek clarification on the following points: Which roles determine the org_email sent in the response? Is the org_email coming in API response always same or does it change when we hit the APIs in multiple times. org_email in this response: https://developer.apple.com/documentation/devicemanagement/accountdetail

Hi, My employer has Apple developer account and they want to distribute the application through Microsoft Intune for employees only. However when I checked the MS Intune distribution documentation they have mentioned we should have Apple Enterprise account and distribute the app as In house/ Ad hoc app. To distribute the app through Intune we need to use their wrapping tools which needs IPA generated through enterprise certificate and profile. Employer also has Apple Business Manager account and as per Apple documentation we can distribute the app in organization through ABM. Its really confusing to finalize which path to follow. I need your help to guide me in right direction.

Im experiencing an error code 12026 when trying to install an app with iTunes Store ID 1163307568 and has tried various solutions but is still unable to install the app. Tried revoking the licenses and pushing the apps again but the error prompt persists. We have also tried syncing VPP, checking the app license, and purchasing a mild surplus, but still getting the error.

Hello, I am having trouble distributing the internal app to the Apple Business Manager via the AppStore private distribution. == Steps to reproduce == Create a new app on AppStore Connect Set it as a private distribution and specify the organisation ID Submit the build to the review The app review is approved and "Ready to Distribute" On the distribution tab, it says "This app was removed from sale from the App Store. Go to Pricing and Availability to add it back to the App Store." Sign-in to the Apple Business Manager Enable the custom app in the Apple Business Manager settings Expected: 7-A. The app is listed under the Custom App Observed: 7-B. There is no app listed under the Custom App section == Questions == Is there any other steps for the successful private distribution? Does the organisation receive any email from the App Store Connect to accept the private distirubion? Is there any way to see the status of the custom app from the developer? Is there any Apple support contact I can confirm the status of the app? Thank you for your help in advance!

The customer is trying to enroll macOS devices to Hexode via Apple Business Manager (without reset). Upon running the command sudo profiles renew -type enrollment, he received the below error. Error: DEP enrollment failed: The cloud configuration server is unavailable. (MDMDeviceEnrollment:103) Upon running the command sudo profiles show -type enrollment in Terminal, he received the following output. Error fetching Device Enrollment configuration: (34006) Error Domain=MCCloudConfigurationErrorDomain Code=34006 "The cloud configuration server is unavailable." UserInfo={CloudConfigurationErrorType=CloudConfigurationFatalError, NSLocalizedDescription=The cloud configuration server is unavailable., NSUnderlyingError=0x6000012f0060 {Error Domain=com.apple.MobileActivation.ErrorDomain Code=-1 "Failed to create reference key." UserInfo={NSLocalizedDescription=Failed to create reference key., NSUnderlyingError=0x6000012f00c0 {Error Domain=com.apple.MobileActivation.ErrorDomain Code=-1 "Failed to create ref key." UserInfo={NSLocalizedDescription=Failed to create ref key., NSUnderlyingError=0x6000012f0150 {Error Domain=NSOSStatusErrorDomain Code=-25308 "failed to generate asymmetric keypair" (errKCInteractionNotAllowed / errSecInteractionNotAllowed:  / Interaction is not allowed with the Security Server.) UserInfo=0x6000009f0440 (not displayed)}}}}}} The device was assigned to the Hexnode server and listed in DEP devices in Hexnode. It seems to be an Intel device and we tried following troubleshooting steps. He said another user tried out the case and was encountering the same errors. He tried the following steps as part of troubleshooting. Installed pending OS updates Re-assigned device to Hexnode server Cleared NVRAM/PRAM Switched networks Turned off firewall and proxies on the device Re-assigned DEP configuration profile to devices Re-configured DEP and APNs Enrolling the device using the enrollment URL does work and he's able to deploy actions as well. He is willing to reset the device and check as well, but he has ~30 devices in ABM that are remote and in use. Since 2 devices encountered the case, he would like to know more about what happened.

We noticed that Apple Login fails if we try to login with Managed Apple ID on iOS 17.2 & 17.3 This issue could have been introduced in iOS 17 but we did not have iOS 17.0 or 17.1 to validate this. There are few prerequisites to this: Should be a supervised device. It can be enrolled in ABM or ASM. Apple ID should be Managed Apple ID Device should have a passcode policy Device should have “allowListedAppBundleIDs” added in the “com.apple.applicationaccess” payload If either of the above conditions are not met, then the issue does not happen. If the device is set up in the above way and we try to login with Managed Apple ID, then the login fails. Please refer the recording at this link: https://drive.google.com/file/d/1XG17loAuH_GB1IyGdwD8txjkHZWqGeD1/view?usp=drive_link We reproduced the issue three times and got the log files: Issue occurred at: 21st March 2024 at 19:54:58 IST a. Log file name: sysdiagnose_2024.03.21_19-55-26+0530_iPhone-OS_iPhone_21D50(07.54.58 pm).tar.gz b. Link: https://drive.google.com/file/d/1nk-cQPrVEZrAUgVmrxPCsSRDd4aNF8eK/view?usp=drive_link Issue occurred at: 21st March 2024 at 19:59:44 IST a. Log file name: sysdiagnose_2024.03.21_20-00-02+0530_iPhone-OS_iPhone_21D50(07.59.44 pm).tar.gz b. Link: https://drive.google.com/file/d/1VPcF77G2SK2c1rBK4S2GbLCAiQEeYPOB/view?usp=drive_link Issue occurred at: 21st March 2024 at 20:03:27 IST a. Log file name: sysdiagnose_2024.03.21_20-03-39+0530_iPhone-OS_iPhone_21D50(08.03.27 pm).tar.gz b. Link: https://drive.google.com/file/d/1zlLLMd0ugJoiZtmpWlarREFDl1vjZoWP/view?usp=drive_link During the above tests, this was the setup Passcode Policy: a. requireAlphanumeric: true b. minLength: 13 c. allowSimple: false allowListedAppBundleIDs: This can be anything but atleast one of them should be enabled. For example a. com.apple.AppStore b. com.apple.MobileAddressBook c. com.apple.calculator d. com.apple.camera e. com.apple.DocumentsApp f. com.apple.facetime What results I expected: The user should be able to login without an issue What results I actually saw: The user does not login We also created a ticket in Feedback assistant in March but haven't received any response: FB13694721

Hi, I would like to introduce you to the problem of my client, who is probably one of the first Apple Business Manger users in Poland. The client created an ABM instance and verified it. He also created a second administrator account as recommended, and added the first device. The problem was that these accounts were accessed by one person who used Cyber Ark to save credentials. After saving the credentials for the administrator accounts, an error occurred with Cyber Ark and the passwords of these accounts were saved incorrectly. The customer has since lost access to the verified ABM instance with one device already added. Can you advise me on what to do in this situation? Can https://iforgot.apple.com/ help in any way here? Thanks a lot for all your help Best Regards, XVsorim

The wallet App on a managed business ID is currently not able to store credit cards or flight tickets. When can we expect to have this functionality? Is there a reason why it's not possible to store the cards at the moment?

Hello, We are experiencing intermittent tunnel communication failures in iOS devices following internal application updates or fresh installations. This issue occurs specifically with VMware Workspace ONE Advanced (includes AirWatch) - On Premise and Workspace ONE Tunnel. Our enterprise mobility management platform provides comprehensive tools for managing corporate-owned and BYOD devices across various operating systems. Detailed Information: Applications Involved: VMware Workspace ONE Advanced (On-Premise): Manages and secures devices and applications. Workspace ONE Tunnel: Enables per-app VPN services, routing traffic from specific managed applications through our VPN. Problem Context: After a recent update, and notably after introducing deeplinking capabilities which required making our public DNS changes to host the Apple-app-site-association file, iOS devices are not routing application traffic through the Workspace ONE Tunnel correctly. Instead, applications are bypassing VPN configurations and connecting directly to public networks, jeopardizing data security. This behavior is inconsistent and varies across devices. To illustrate, I have attached a diagram (Diagram 1) that shows the flow of traffic during the issue compared to normal operations. Timeline and Troubleshooting Steps Taken: Initial Report Date: February 2024, following the iOS update 17.3.1 and post-deeplinking modifications. VMware Involvement: Multiple troubleshooting sessions, including log analysis and configuration reviews. VMware indicated the issue might not be directly related to their platform as the tunnel functions normally post-device restart. Logs Reviewed: Application logs, network traces, and device management logs. No errors directly linked to VMware solutions were found. The logs showing the issue occurrence and after a device restart are included (see Logs Set A and Logs Set B). Additional Information: Devices Affected: Various iOS devices, total fleet approximately 1500 units. Inconsistencies: The issue manifests inconsistently across different organizational groups (OGs) and is not tied to a specific app version or device model. Developer Notes: The issue does not occur when applications are deployed via Xcode during testing phases. It only arises when apps are updated in a live environment. Request for Assistance: We request Apple’s assistance in investigating potential iOS-specific causes or configurations contributing to this issue, particularly in the context of the deeplinking changes. A joint troubleshooting session is proposed to further diagnose and address the problem. Prompt support in resolving this issue, given its impact on our operations, would be greatly appreciated. Attachments: Diagram 1&2: Traffic Routing During Issue vs. Normal Operation Diagram 3: Our App communications diagram Logs Set A: Device Logs When Issue Occurs Logs Set B: Device Logs After Restart (Set A) After restart - no issue .log https://drive.google.com/file/d/1Q2COgXkMa3KnN1N-ggZKwYhHP7KC-Hwy/view?usp=sharing (Set B) before restart.log https://drive.google.com/file/d/1uS9kAV6zJyRvVRQoWQNKdWBBR7sxM6Js/view?usp=sharing Any suggestions? Thank you!