I took notes during the "What's new in managing Apple Devices" session. If interested, please see the attached "Notes from session": Session Notes For the session video, please see the following link: https://developer.apple.com/wwdc22/10045

Managed iOS/iPad devices are struck with no network under below conditions Enrolling a Supervised iOS device Send InstallProfile command with AppLock payload (https://developer.apple.com/documentation/devicemanagement/applock) Now when the above managed device loses network connection with MDM server due to unknown network issues - the device is out of contact with MDM server and device is locked. Since such AppLock payload installed devices are placed in remote locations, it becomes difficult for Admins to recover such devices with no network connectivity. The devices have to be brought in from remote location and recover them. Under such conditions, it would be better to allow the end user to change the Network configuration manually to reconnect the device with MDM server. This option can also be allowed only when the device can’t ping MDM server.

It's been two weeks since I submitted the MDM capability request form as our app requires an MDM to activate the DNS Proxy component. There's been zero emails about it, and I can't find anywhere to check the status on it. Does anyone have experience regarding the "MDM capability" request or is anyone from Apple able to provide some insight into what is expected?

Is there or will there be an update to the depsim and vppsim simulator tools? The current version is significantly out-of-date in terms of features and fails to start due to the developer not being verified (ironically).

Hello Developer Community, I'm facing a critical situation with our company's Apple Developer Account. We are unable to access our account because: The admin of our Apple Developer Account is a former team member We cannot reach this person anymore We need to regain access to maintain our app on the App Store Questions: What is the official process to recover account access in this situation? What documentation will Apple require to verify our company ownership? Who should we contact at Apple to start this process? Any guidance from developers who have experienced a similar situation would be greatly appreciated. Note: I'll be happy to provide more details if needed, while keeping sensitive information private. Thanks in advance for your help!

I've installed two different profiles and having no issues using them until iOS 17, 18.0 (certainly for 17, but not so sure for 18). But after upgrading to 18.2 and even developer beta 18.3, installed profiles are not showing on the Setting / General / VPN & Device Management. So I can't even uninstall, also I can't reinstall unless I factory reset by iPhone, iPad and not using iCloud backups. First profile is DNS profile downloaded from website(NextDNS) and the second profile is made by my own, configuration for the cellular APN setting. (DNS setting is shown on the setting but there's no profile showing, I did not uninstalled or removed it) (Installing the custom celluar configuration profile failed, since it's already installed but just not showing as above) All happens on my iPad pro M1 12.9, ipad mini 2021, iphone 12 mini(18.3, else are 18.2), and iphone 16 pro max. Want to know if it's bug, and any resolution excluding factory reset and start using from scratch(It's very useless solution). Thank you.

Hello. I bought a new Iphone 16, 2 days ago in my store, but when I checked it at home, it turned out that it was installed using the Telia Sweden ( Remote Management System ). Can someone help me remove this Telia RMS system from my smartphone so that it is not configured for Telia during setup? Since their configurator blocks my smartphone, with a note - Lost Iphone. The device has been blocked by Telia. I have been using Apple equipment for 10 years, I have phones and tablets. I need help

I'm trying to use DDM manager Safari Extensins in macOS Sequoia. I generate json and load it by mdm and ddm , but it doesn't seems to work. The json I loading is the following: { "Type": "com.apple.configuration.safari.extensions.settings", "Payload": { "ManagedExtensions": { "*": { "State": "AlwaysOn", "PrivateBrowsing": "AlwaysOn", "AllowedDomains": [], "DeniedDomains": [] } } }, "Identifier": "com.test.safari" } This following image is macOS Sequoia Console log. It show the "com.apple.configuration.safari.extensions.settings" had been run successfully, and no errors. macOS Sequoia response is the following: { "StatusItems" : { "management" : { "declarations" : { "activations" : [ { "active" : true, "identifier" : "com.example.act", "valid" : "valid", "server-token" : "5cc191206d1b1933" } ], "configurations" : [ { "active" : true, "identifier" : "com.test.safari", "valid" : "unknown", "server-token" : "29d3ec5ab48e6367" } ], "assets" : [ ], "management" : [ ] } } }, "Errors" : [ ] } you can see macOS Sequoia response , The "valid" value is always "unknown" at ""identifier" : "com.test.safari", but "Errors" is empty, Safari app don't load extensions , the SafariExtensionSettings" ddm don't work, Is there anything wrong with "SafariExtensionSettings" json? or how can I debug it

I'm trying to use DDM manager Safari Extensins in macOS Sequoia. I generate json and load it by mdm and ddm , but it doesn't seems to work. The json I loading is the following: { "Type": "com.apple.configuration.safari.extensions.settings", "Payload": { "ManagedExtensions": { "*": { "State": "AlwaysOn", "PrivateBrowsing": "AlwaysOn", "AllowedDomains": [], "DeniedDomains": [] } } }, "Identifier": "com.test.safari" } macOS Sequoia response is the following: { "StatusItems" : { "management" : { "declarations" : { "activations" : [ { "active" : true, "identifier" : "com.example.act", "valid" : "valid", "server-token" : "5cc191206d1b1933" } ], "configurations" : [ { "active" : true, "identifier" : "com.test.safari", "valid" : "unknown", "server-token" : "29d3ec5ab48e6367" } ], "assets" : [ ], "management" : [ ] } } }, "Errors" : [ ] } you can see, The "valid" value is always "unknown" at ""identifier" : "com.example.act", but "Errors" is empty, Safari app don't load extensions , the SafariExtensionSettings" ddm don't work, Is there anything wrong with "SafariExtensionSettings" json? or how can I debug this bug .

Hi, I'm glad to hear that the service discovery process is improved on iOS/iPadOS 18.2 mentioned here. https://support.apple.com/en-ca/guide/deployment/dep4d9e9cd26/1/web/1.0 I tried it on my development MDM server. Set default MDM for iPad to my development MDM server on Apple Business Manager. Call the new API https://developer.apple.com/documentation/devicemanagement/account_driven_enrollment_profile and 200 OK is returned However the service discovery fails with the following error. Invalid well-known response for https://{my email's comain name}/.well-known/com.apple.remotemanagement?user-identifier={my email}&model-family=iPad: <NSHTTPURLResponse: 0x300a9f420> Invalid well-known response for https://axm-servicediscovery.apple.com/mdmBaseURL?user-identifier={my email}&model-family=iPad: <NSHTTPURLResponse: 0x3009047a0> It seems fallback process to https://axm-servicediscovery.apple.com/mdmBaseURL actually works but it returns 404 Not Found error. How can we use this awesome feature? Thank you :)

“At this rate, I’m starting to get frustrated. I’ve registered for the developer program twice, but they’re still asking me for the registration fee, and my registration is not being approved. Moreover, I haven’t received any response to my emails, and since the information is limited in English, I can’t search for solutions. Could someone please take care of this issue now?”

我有十一台M4芯片的mac mini，目前通过AC2将设备挂载在ABM中。目前有10台通过接口 “https://mdmenrollment.apple.com/device/activationlock” 启用企业激活锁去出现INTERNAL_SERVER_ERROR错误，只有一台成功了，成功那台设备使用的ABM账号与其他设备使用的ABM账号不同所属组织也不同。 I have eleven M4 chip Mac mini devices, currently mounted in ABM through AC2. Currently, there are 10 units that have passed the interface“ https://mdmenrollment.apple.com/device/activationlock ”Enabling the enterprise activation lock resulted in an INTERNAL_SERVER-ERROR error, and only one device succeeded. The successful device used a different ABM account than the other failed devices and belonged to a different organization.

Hi,team: I have configured SystemExtensions and WebContentFilter for supervised devices through mdm, and set NonRemovableFromUISystemExtensions in SystemExtensions, but found that my network filter cannot be deleted in macOS10, macOS11 and macOS12, but it can still be turned off by selecting the network filter in the network and choosing to disable the service. However, it cannot be turned off in macOS13, macOS14 and macOS15. How can I prevent supervised devices from turning off the network filter in 10, 11 and 12? The macOS 10.15.7 image is as follows: macOS15.1.1 cannot delete and cannot close the image as follows: Hope to receive your reply！

Hi,team: I know that the MDM system extension configuration parameter RemovableSystemExtensions can only be valid after macOS12+, but can I also use this parameter between macOS10.15-12? Even if he is ineffective. Will this cause any problems with the system. I want to use the same MDM configuration file for the devices I manage, which have systems between macOS10.15-15.I hope to receive your confirmation

We have noticed that if we apply forceDelayedSoftwareUpdates in Restrictions profile, it causes ScheduleOSUpdates to fail or go into an invalid state. For example: On my iOS device, we have set the forceDelayedSoftwareUpdates to 90 days which removed the latest iOS update iOS 18.2 from the Software Updates section on the device. Post this, if I schedule an update for iOS 18.2 using ScheduleOSUpdateCommand, it fails to download. If I schedule the same without forceDelayedSoftwareUpdates, the update works as expected. Please help what could be the reason for this behavior as forceDelayedSoftwareUpdates should not block ScheduleOSUpdates.

Hi Apple Community, I have been Testing with key allowAccountModification in macOS Restriction Payload and found some contrasting behavior In macOS 14, macOS 15.1 in both of the OS Version when allowAccountModification is set to False it restricts adding new Account in System Settings and this is expected behavior How ever things are contrasting and not going as expected in the below situation When macOS 14 Version has 2 profiles for Restriction Payload one with allowAccountModification set to False and another with allowAccountModification set to True it restricts adding Apple Account When macOS 15.1 Version has 2 profiles for Restriction Payload one with allowAccountModification set to False and another with allowAccountModification set to True it allows adding Apple Account I remember when restrictions payload keys are contrasting across different profile Apple Uses the most restrictive one among them. But in macOS 15.1 the behavior is unexpected. Is this a issue in 15.1 and is there any list of macOS versions which shows this unexpected behavior

Hi Apple Community, If a macOS Device is FileVault Encrypted, We are using the keys FDE_HasInstitutionalRecoveryKey, FDE_HasPersonalRecoveryKey from SecurityInfo to know the Device Encryption Type. But Some times rarely we get FDE_Enabled as true but both the above mentioned keys as false Also we get SecurityInfo Response patterns like these only if FileVault is enabled in Device with iCloud as option to unlock the disk Can we confirm this pattern or is there any way to know if device is encrypted with options other than Personal / Institutional Types <plist version="1.0"> <dict> <key>CommandUUID</key> <string>SecurityInfo</string> <key>SecurityInfo</key> <dict> ...... ...... ...... <key>FDE_Enabled</key> <true/> <key>FDE_HasInstitutionalRecoveryKey</key> <false/> <key>FDE_HasPersonalRecoveryKey</key> <false/> ...... ...... ...... <key>Status</key> <string>Acknowledged</string> <key>UDID</key> <string>..............</string> </dict> </plist>

On devices running iOS 18+, when a web app kiosk policy is pushed via an MDM and the device is restarted. The touch screen doesn't respond on the device. So the device is currently in a brick state. Since we can't enter the password we can't get the logs from the device and it is even hard to recover the device. On restart the device isn't connecting to the internet so it isn't possible to remove the kiosk policy as well. This only happens on devices running iOS 18+ and with web app kiosk profile.

We're implementing an MDM system and would like to know if we can get the type of CPU for an enrolled device, I know we can use IsAppleSilicon from the Device Information command but it would be good to know if it's an M1, M2, M3 etc. We can implement a mapping of product name to CPU type, e.g. Mac16,1 has an M4 chip but this would mean ongoing maintenance that we'd prefer to avoid. Is there a public web API (ideally first-party provided by Apple) that can be used to lookup details of a device by product name or similar? Slightly related is the Declarative Device Management documentation for StatusDeviceModelMarketingName offers an alternative of: use device.model.configuration-code to look up the marketing name through the web API but doesn't mention which web API.

Ref- https://support.apple.com/en-in/guide/deployment/dep3b4cf515/web When we deploy an Payload with identifier "com.apple.airprint" , It will add the deployed printer configurations to printers list in mac. Which additionally needs the mac user to add it from Settings -> Printers -> Add Printer -> (Deployed Printer Configuration will be listed here) Select the printer -> Click Add . Screenshot where user need to add it manually after profile association is attached below. Now the Printer is available to be used ,when an share option in any document is clicked. Why this flow requires multiple to and fro. Can it be able to deploy the printer straight to Printers available List instead of manually adding from the above screenshot

Dear Apple Team, As an MDM (Mobile Device Management) service provider, we are writing to bring attention to an issue that is affecting many of our customers who manage large fleets of iOS devices. Specifically, we have encountered challenges with the app update process via MDM, which is impacting both kiosk devices and non-kiosk devices in a variety of use cases. Issue 1: App Updates Delayed on Kiosk Devices Many of our customers are deploying kiosk devices that are used 24/7 independently with no attendants. In these cases, when an app update is sent through MDM via the installApplication command, the installation does not begin immediately. Instead, the update starts only after the device is locked. However, since these kiosk devices are running continuously, they are rarely locked, preventing the app update from occurring. To force the update, administrators need to manually remote lock or physically lock the device, which is a time-consuming process. This becomes even more challenging for devices like Apple TV, where remotely locking and unlocking the device to complete app updates is especially difficult, making it hard to keep the apps up to date in a timely manner. Issue 2: User Cancellations of Critical Updates on Non-Kiosk Devices In the case of non-kiosk devices, customers are encountering another challenge: when a critical update is pushed during business hours, users are often prompted to install the update. However, many users tend to cancel the update, leaving devices unpatched and potentially vulnerable. This behavior can delay the deployment of important security patches, which is a critical concern for organizations managing sensitive data or business-critical apps. Request for a Solution Our customers have expressed the need for a more reliable and forceful app update mechanism. Specifically, we are requesting the following features to improve the app update experience: Scheduled app updates: The ability to schedule app updates, similar to the way OS updates are handled. If the user does not install the update within a specified timeframe, the update should begin automatically or prompt the user with a stronger reminder. Force install option: A feature that would allow MDM administrators to force an app update immediately, without relying on user intervention. This would ensure that critical updates are installed promptly, improving security and system stability across all devices. These features are essential for many of our customers who rely on timely and consistent app updates to maintain security, functionality, and compliance across their managed devices. Without these options, they face challenges in ensuring devices are kept up-to-date, which can result in security vulnerabilities and operational disruptions. We kindly request that Apple consider adding these functionalities to improve the MDM app update process and provide a more reliable experience for both kiosk and non-kiosk device management. Thank you for your attention to this matter. We look forward to your feedback and any potential improvements in future iOS updates. Raised in the same manner as feedback: FB15910292