Device Management

Allow administrators to securely and remotely configure enrolled devices using Device Management.

Posts under Device Management tag

174 Posts

Post | Replies | Boosts | Views | Activity

profiles command
I'm working on a tool which parses the output from the command "profiles -P -o" to check that our MDM profile has been deployed correctly, as there have been issues around profiles being misconfigured. It seems that the framework which the profiles command uses is private, so I'm just wondering could there be a way to get information which is similar to the output from the profiles command without having to directly use the command?
1
0
259
May ’24
Apple Push Certificate Portal page not working
Hi everyone. I've been trying to set up my Macs in Intune. One of the key requirements is to create a push certificate for my environment. I can get past the upload page on the Apple Push Certificate Portal. Once I click the upload button on the web page after choosing my CSR file, I get this page on the CSR file: "The page you’re looking for can’t be found". I get the same message every time I refresh or log back into the page doing these steps. I don't know what to do. Would anyone have any advice on this? Or is this solely an Apple problem? Just if it's of any relevance, I am in Australia.
2
0
456
Apr ’24
DNSProxy with configuration profile & MDM
I am trying to add a DNSProxy configuration using .mobileconfig and MDM on a supervised device. I have a Content Filter payload in the same configuration file that works as expected, however I was unable to start my DNSProxy. My app has 3 extension targets for Filter Data/Control Providers and DNSProxy extension. Here is my DNSProxy payload:
    <dict>
        <key>AppBundleIdentifier</key>
        <string>my.app.bundle.id</string>
        <key>PayloadDescription</key>
        <string>Configures DNS proxy network extension</string>
        <key>PayloadDisplayName</key>
        <string>DNS Proxy</string>
        <key>PayloadIdentifier</key>
        <string>com.apple.dnsProxy.managed.AEE249BB-4F44-4ED9-912B-6A70CC0E01B6</string>
        <key>PayloadType</key>
        <string>com.apple.dnsProxy.managed</string>
        <key>PayloadUUID</key>
        <string>AEE249BB-4F44-4ED9-912B-6A70CC0E01B6</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>ProviderBundleIdentifier</key>
        <string>my.app.bundle.id.DNS-Proxy-Extension</string>
    </dict>
Any thoughts on what I might be doing wrong?
8
0
541
Apr ’24
MacOS Reset Passcode not working- Urgent
I have tried to deploy a password policy script using pwpolicy:
    pwpolicy -n /Local/Default -setglobalpolicy "usingHistory=5 canModifyPasswordforSelf=1 maxMinutesUntilChangePassword=129600 requiresAlpha=1 requiresNumeric=1 minChars=8 passwordCannotBeName=1 requiresMixedCase=1 requiresSymbol=1"
    sudo defaults write /Library/Preferences/com.apple.loginwindow PasswordExpirationDays 14
    errcode=$?
    if [ "$errcode" -ne 0 ]; then
        echo ""
        echo "Failed to apply with errorcode $errcode" 1>&2
        echo ""
        exit 1
    fi
    echo "Password Policy applied successfully" 1>&2
After deploying, on next login, it prompted for login. On entering the password, it shows wrong password. When I tried to reset the password, it is not accepting the password. Instead it prompts again and again. Like this, I have got 300 Mac machines stuck on the login page. I tried to run these two commands via an app running as root:
    pwpolicy -u "$user" -clearaccountpolicies
    pwpolicy -clearaccountpolicies
After running this, I am able to log in for the first time. When I tried to log in a second or successive time, it is failing with wrong password or sometimes no error, instead a jumping prompt on the password page. When I tried to change the password after a login following the clearpolicy command, it is not accepting the admin's password (which was used to log in to the current session). Please help on this issue, as it does have a serious impact.
0
0
361
Apr ’24
Behavior when a non-empty response is returned for the DDM status report
I have a question. When the DDM status report is sent from a DDM device, normally an empty response is returned. However, if we return a non-empty response that includes an arbitrary string, the device sends us the declaration-items request. Is this behavior correct?
    device| --status report-------> |server
    device| <------a non-empty----- |server
    device| --declaration-items---> |server
Is this behavior correct?
1
0
383
Apr ’24
VPN configuration profile ApplicationExceptions key?
Hi! Notice for the VPN of type "Always On", this site indicates an ApplicationExceptions key. But in the configuration manual it's not found. I'm trying to indicate a couple of apps that should be able to bypass the always-on VPN, but it doesn't seem to work. Any ideas? Thanks.
appears here: https://developer.apple.com/documentation/devicemanagement/vpn/alwayson/applicationexceptionelement
not here: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
2
0
336
Apr ’24
How to Exempt iOS native Translate APP in Microsoft Intune Policy
I'm the IT Admin in my company. We use Microsoft Intune, which is a Mobile Device Management tool, to manage our devices and apps. I created an app protection policy, restricting data so that it can only be shared between the allowed apps. For example, if our user wants to copy the content in Outlook for iOS to WeChat or a personal memo, the action will be blocked. However, maybe it's too strict; here is the scenario that we need to handle: A user selected the content in the Outlook for iOS mail, and wanted to use the "translate" function to do translation. Before the app protection policy was deployed, he could do the translation successfully. And now, it's blocked. Therefore, we need to find a way to exempt the app "Translate" so that users can do the translation successfully. We put the value "com.apple.Translate" (this is a package ID listed in the official document of Apple) in the exemption, but it's not working. May I know what is the correct "value" for the iOS native Translate app? I need to put this value in our app protection policy to exempt the Translate app. Thank you so much.
5
0
581
Apr ’24
[macOS] Disable the option to modify the status of the Transparent Proxy.
Hi Team, I'm trying to disable the option to change the status of the Transparent Proxy (enable/disable) but there is no API which works in NETransparentProxyManager. Could you suggest how to disable the option to change the status of the Transparent Proxy (enable/disable)? We want to disable it so that no one can modify it from the settings. This option appears in Network -> VPN & Filters. I observed that some other providers disabled it in the "Network -> VPN & Filters" settings.
1
0
353
Apr ’24
iOS 17.4 AppProxyProvider not starting when Apps (associated with PerAppVPN) access network resource
Hi, With the iOS 17.4 update, we are seeing AppProxy VPN not getting started when apps (associated with PerAppVPN) try to access a network resource after an MDM PerAppVPN profile install/update. It looks like the PerApp rules associated with the applayer VPN profile are broken after profile update/install, as we see internet sites working without going through the VPN (appProxy network extension); this starts working if we toggle WiFi and then access a network resource from apps associated with PerAppVPN. Created FB13688086 with all the details for this iOS 17.4 and AppLayerVPN issue, looking for an update here, and any feedback/pointers will help. Thanks
8
2
1k
May ’24
"Get device information" command is not working.
Hello Forum, If I send the device the "DeviceInformationCommand.Command.RequestType = DeviceInformation" command and the "InstalledApplicationListCommand.Command.RequestType = InstalledApplicationList" command, it can be sent successfully, but I don't get a response from the device. https://developer.apple.com/documentation/devicemanagement/get_device_information
------------- our log ----------------------
    general.log.5:[2024/03/27 13:23:30] (172.31.54.87) I #TaskUpdateInformationHandler - did:14379, udid:63a6d7edc9f1128808aaee49d80e9539b5fd9cdd, mdm_task_uuids:['0aa5f838-1891-4a9b-b4fd-9d7c0aa365d3', '3f401ea8-be87-499b-a4be-fea2b1dab379'], result:ok, cid:117
    general.log.5:[2024/03/28 03:06:34] (172.31.76.98) I #TaskUpdateInformationHandler - did:14379, udid:63a6d7edc9f1128808aaee49d80e9539b5fd9cdd, mdm_task_uuids:['c46b8523-40cd-4c7e-8a5d-0e49c9d26106', '8a99b664-df27-4bc9-8f41-fe39e3a7f3bc'], result:ok, cid:117
It is transmitted successfully to the Apple MDM server, but there is no response from the device. However, policy distribution such as PushSetting works normally. I would like to get some document or help that I can refer to. Thank you.
0
0
355
Mar ’24
Declarative management AppManaged declaration with custom configuration
I am trying to find how to configure an application when using an AppManaged declaration. Using MDM, I would send the install command and include the settings in the 'Configuration' key of the command. I have checked the documentation and rewatched the 2023 WWDC video, but it is not mentioned at all. AppManagedAttributesObject has specific configuration options and doesn't appear to cater for ad hoc app-specific configurations. Has anyone found a way to accomplish this? There are a number of apps (store and enterprise) that require this functionality in order to be configured remotely.
3
2
466
May ’24
Apple MDM: The token was not updated after the user installed the description file(.mobileconfig)
Our MDM customers often claim MDM push is not delivered to the device and that they cannot manage devices via MDM. The user first uninstalled the old description file and then installed the new one, but after the new description file was installed, our MDM server did not receive any notification from Apple about updating the token, only received an Authenticate message. We tried to restore network settings but it did not work. We hope to get your help to solve this problem. Currently, we can't figure out where the problem is.
3
0
309
Mar ’24
I would like to know the behavior when the value of "Safari Password Autofill Domains" is deleted and saved.
Please tell me two things about "Safari Password Autofill Domains" in my domain settings.
Incident: The behavior of the following items in the Domains setting differs between "no setting" and "edit and delete setting values".
Subject: Safari Password Autofill Domains
Steps to Reproduce (Delete the setting value):
1. Enter any value in "Safari Password Autofill Domains" in the domain settings and save it.
2. Delete the value entered in step 1.
3. Distribute to the terminal.
Result:
If no settings: A pop-up window will appear asking if the password is to be saved in all domains. The key "SafariPasswordAutoFillDomains" is not present in the configuration profile.
Edited to remove the value: The "Save Password AutoFillDomains" popup does not appear for all domains. The key "SafariPasswordAutoFillDomains" exists in the configuration profile and an empty array remains.
Question 1. Is it expected that the behavior is different when "Safari Password Autofill Domains" is not configured and when the configuration value is edited and removed?
Question 2. Is it expected that "" remains in the configuration profile when the setting value is edited and deleted?
2
0
324
Mar ’24
[MDM] Enterprise and VPP application installs do not work
Hello, I am currently testing the com.apple.configuration.app.managed declaration, and have failed to get it to work with either VPP or Enterprise apps. (Testing is being conducted on an iPhone XR with iOS 17.3.1)
VPP: Initially errors were returned due to not having a license for the device, so I have set it up to fetch a license before the declaration is returned to the device. Said declaration is as follows (I have attempted to switch from Device to User VPP type, as well as attempting to use BundleID or AppStoreID, but all have the same result):
    {
        "Identifier": "BBC_Test_Install",
        "Payload": {
            "AppStoreID": "377382255",
            "InstallBehavior": {
                "Install": "Required",
                "License": {
                    "VPPType": "Device"
                }
            }
        },
        "ServerToken": "...",
        "Type": "com.apple.configuration.app.managed"
    }
The configuration above successfully applies on to the device, and can be seen in the configurations tab in Settings. The install is unsuccessful however, as the app.managed subscription item returns the following result:
    "app" : {
        "managed" : {
            "list" : [
                {
                    "state" : "failed",
                    "declaration-identifier" : "BBC_Test_Install",
                    "identifier" : "uk.co.bbc.newsuk",
                    "name" : "BBC News - UK & World Stories"
                }
            ]
        }
    }
The device does not provide any additional information. It was initially returning the following reason when I did not request a licence before the install:
    "code" : "Error.LicenseNotFound"
but this has disappeared now that a licence is requested beforehand. No other information can be gleaned so I am at a bit of a loss. It should be noted, I am wiping my device between each test, just to try and get it working on a "fresh" application before attempting to deal with updating the declaration.
Enterprise: This also does not seem to behave; the configuration states a successful application, but it can't be seen in the declarations tab within general settings:
    "active" : true,
    "identifier" : "Enterprise_Test_Install",
    "valid" : "valid",
    "server-token" : "..."
The associated configuration is as follows:
    {
        "Identifier": "Enterprise_Test_Install",
        "Payload": {
            "InstallBehavior": {
                "Install": "Required"
            },
            "ManifestURL": "https://my.domain/web/mdm/ios/enterpriseplistgenerator/bundle.id"
        },
        "ServerToken": "...",
        "Type": "com.apple.configuration.app.managed"
    }
I have had previous success installing enterprise apps through MDM commands so I would have assumed the ManifestURL should have worked the same. The above URL does cause the device to make a secondary request for the application manifest, which returns the following:
    <?xml version="1.0" encoding="UTF-8"?>
    <plist version="1.0">
    <dict>
        <key>items</key>
        <array>
            <dict>
                <key>assets</key>
                <array>
                    <dict>
                        <key>kind</key>
                        <string>software-package</string>
                        <key>url</key>
                        <string>https://my.domain/web/mdm/ios/enterpriseipa/bundle.id</string>
                    </dict>
                </array>
                <key>metadata</key>
                <dict>
                    <key>bundle-identifier</key>
                    <string>bundle.id</string>
                    <key>kind</key>
                    <string>software</string>
                    <key>subtitle</key>
                    <string>testapp</string>
                    <key>title</key>
                    <string>testapp</string>
                </dict>
            </dict>
        </array>
    </dict>
    </plist>
Which the device then does nothing with (app.managed does not report back anything). When installing the enterprise app through MDM commands the above plist does cause the device to make a secondary call to fetch the application's IPA. Some additional information, help, or insight would be useful, as from my perspective the declaration does not seem to work at all.
3
0
460
Mar ’24
DDM, AppManaged and app upgrade
Hello, I could not find information in the doc (which is still beta, I understand): how are app upgrades handled by DDM AppManaged? With MDM, sending the InstalledApplication command will upgrade the app to the most suitable recent version; the HasUpdateAvailable flag tells the MDM server (more or less accurately) if there is an update, and then organizations can keep apps up to date as quickly as possible if needed. But with DDM, we just have a declaration where we tell the device to install a given app, and that's it. Is there any detail about how the device upgrades apps, and how frequently? Thanks.
1
0
370
Feb ’24
WatchOS MDM Enrollment
We have a few development servers that implement MDM and I am trying to incorporate WatchOS Enrollment. I am having trouble connecting to our enrollment URL that is defined in the watch enrollment payload. The error I get indicates that the server certificate is invalid. I can see this error if I attempt to pair to an iPhone that has the WatchOS enrollment declaration on it and I also see it if I send an iMessage with our server URL and attempt to open the URL using the Messages app on the watch itself. The certificate is valid, but the SAN does not define my particular domain but rather it uses a wildcard (i.e. DNS Name: *.domain.com and DNS name: domain.com). The URL opens fine on any other Apple device (iPhone, iPad, Mac, etc.) as well as Windows. My question is, is there some problem with using an SSL server certificate that has a wildcard in place of a specific domain when attempting to connect using WatchOS?
2
0
512
Mar ’24