Currently a system extension needs to be activated through an .app, and then needs to be manually allowed in the System Settings Privacy & Security pane with the root user password.
How can a driver extension/system extension be installed without any manual user click, installing and allowing all the permissions using a script?
Device Management
Allow administrators to securely and remotely configure enrolled devices using Device Management.
Posts under Device Management tag
I am attempting to apply the softwareupdate.enforcement.specific declaration on a device. The first time it is processed it is applied successfully.
I then generate a new set of declarations for the device and send a sync command to the device with the new server token. The management.status-subscriptions declaration and the activation.simple declaration are both applied successfully, even though they contain the same content and server token, but a different identifier than the original declarations. For some reason, the softwareupdate.enforcement.specific declaration fails to be applied and the reason is reported as
[kSUCoreErrorDDMInvalidDeclarationFailure] New declaration is a duplicate
The original softwareupdate.enforcement.specific identifier is not included in the new declaration-items response, only the new identifier. I would expect the device to remove the existing declaration and apply the new one, even if it is a duplicate of a declaration no longer specified for the device.
Has anyone else run across this issue?
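The following Python is an added example, not code from the post above or from Apple. It models the server side of the scenario described: declarations whose ServerToken is derived from their content (an assumed convention for this example, not an Apple requirement), a declaration-items response with a DeclarationsToken, and a pre-flight check that flags declarations carrying the same type and payload under different identifiers, which is exactly the regenerated-identifier case the device reported as a duplicate. The declaration types, payload keys and the group names of the declaration-items response are the ones defined by the DDM protocol; the identifiers, version and date values are constructed.

```python
import hashlib
import json

# Declaration type prefix -> array name in the declaration-items response.
GROUPS = {
    "com.apple.activation.": "Activations",
    "com.apple.configuration.": "Configurations",
    "com.apple.asset.": "Assets",
    "com.apple.management.": "Management",
}


def canonical(obj):
    """Stable JSON encoding so equal content always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def make_declaration(decl_type, identifier, payload):
    """Build one declaration. Deriving ServerToken from the content is an assumed
    server-side convention (not an Apple requirement): unchanged content keeps its
    token, so the device is not asked to re-apply it on every sync."""
    token = hashlib.sha256(canonical({"Type": decl_type, "Payload": payload})).hexdigest()[:32]
    return {"Type": decl_type, "Identifier": identifier, "ServerToken": token, "Payload": payload}


def declaration_items(declarations):
    """Compose the declaration-items response. DeclarationsToken changes whenever
    the set of (Identifier, ServerToken) pairs changes, which is what tells the
    device to fetch again after a sync command."""
    groups = {name: [] for name in GROUPS.values()}
    for d in declarations:
        group = next((g for prefix, g in GROUPS.items() if d["Type"].startswith(prefix)), None)
        if group is None:
            raise ValueError("unknown declaration type: " + d["Type"])
        groups[group].append({"Identifier": d["Identifier"], "ServerToken": d["ServerToken"]})
    for entries in groups.values():
        entries.sort(key=lambda e: e["Identifier"])
    token = hashlib.sha256(canonical(groups)).hexdigest()[:32]
    return {"Declarations": groups, "DeclarationsToken": token}


def content_duplicates(declarations):
    """Return groups of identifiers that carry the same Type and Payload. This is
    the situation in the post: identical content published under a new
    identifier, which the device rejected as a duplicate."""
    seen = {}
    for d in declarations:
        key = canonical({"Type": d["Type"], "Payload": d["Payload"]})
        seen.setdefault(key, []).append(d["Identifier"])
    return [ids for ids in seen.values() if len(ids) > 1]


if __name__ == "__main__":
    SU_TYPE = "com.apple.configuration.softwareupdate.enforcement.specific"
    # Constructed sample values; the version and date are not from the post.
    enforce = {"TargetOSVersion": "17.5.1", "TargetLocalDateTime": "2024-07-15T09:00:00"}
    old = make_declaration(SU_TYPE, "su-enforce-1", enforce)
    regenerated = make_declaration(SU_TYPE, "su-enforce-2", enforce)  # new identifier, same content
    print("duplicates across generations:", content_duplicates([old, regenerated]))
    # Keeping the identifier and changing only the payload yields a new ServerToken.
    changed = make_declaration(SU_TYPE, "su-enforce-1", dict(enforce, TargetOSVersion="17.6"))
    print("token changed:", old["ServerToken"] != changed["ServerToken"])
    activation = make_declaration("com.apple.activation.simple", "act-1",
                                  {"StandardConfigurations": ["su-enforce-1"]})
    print(json.dumps(declaration_items([activation, changed]), indent=2))
```

Running content_duplicates over the previous and the newly generated declaration set before publishing surfaces the regenerated-identifier case ahead of the device's sync; keeping identifiers stable and letting only ServerToken move when the payload changes avoids it entirely.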
I have an iOS app with two network extension targets (Tunnel1 and Tunnel2) in it. The use case is explained below:
One target, i.e. Tunnel1, will be used for public traffic. Traffic not part of Tunnel2 will go through this tunnel.
The second target, i.e. Tunnel2, will be used for private traffic. This will be configured as per-app VPN so that only those apps can have access to private resources.
MDMs can push two VPN profiles along with the Provider Bundle Identifier so that the designated tunnel can start based on the source app. So far this works well.
Issue:
We have thousands of deployments already in place where VPN profiles did not contain a Provider Bundle Identifier because so far our app had just one tunnel target. Now, after upgrading to the new app version (with two NE targets), sometimes Tunnel1 starts, sometimes Tunnel2. It's purely random and we don't know the logic behind it.
Question:
Is there any way to always prefer Tunnel1 when there is no Provider Bundle Identifier in the MDM-pushed VPN profile?
We have implemented a NEFilterDataProvider in our Network Extension. We want to utilize the WebContentFilter payload within the Device Management Configuration profile to allow the functionality of our content filter.
In the Device Management Profile documentation, there are three properties that are related and seem to have some conditions around them: FilterBrowsers, FilterPackets and FilterSockets.
It states that
"At least one of FilterBrowsers or FilterSockets needs to be true" for FilterBrowsers,
"At least one of FilterPackets or FilterSockets needs to be true" for FilterPackets, and
"At least one of FilterBrowsers or FilterSockets needs to be true" for FilterSockets.
Based on the above conditions, if we only set FilterPackets to true and ignore the other two properties, it would not satisfy the condition for FilterSockets as both FilterBrowsers and FilterSockets are false. However, during testing we found out that this still works and our content filter is filtering traffic as expected.
Does this mean only ONE of the THREE properties need to be true? Or should we make changes according to the documentation to have it align with all conditions and requirements?
Any clarifications of the properties and their requirements are much appreciated!
Current Apple ACME Profile does not support EAB. Do you have any plan to support it?
We have an iPad app which can write to user-specified locations on USB-connected storage devices.
On unmanaged devices, this works just fine.
However, when the device is under MDM, although the Files app can see the external USB storage device, it does not show up in the file browser in our own app.
There's a restriction called "allowFilesUSBDriveAccess" which is set to true (the default), but there's no restriction called "allowOtherAppsUSBDriveAccess".
Are MDM-managed iPads simply not allowed to access USB drives (except through the Files app)?
Hello,
Is there any plan to add a new service type for the Privacy Preferences Policy Control profile to allow apps deployed via MDM on organization-owned devices to access the local network without prompting the end user on Sequoia?
This would be very welcome, especially in education world where students are good at finding on how to block the tools they are supposed to use.
I created FB14540495 for reference.
Thanks !
Hello,
I am testing Configuration Profiles' Passcode policy in an MDM environment. After setting the 'maxFailedAttempts' property to 5 and deploying the Passcode payload via MDM to iPhones, some iPhones are not wiped after exceeding 5 failed passcode attempts. Could you please advise on the possible reasons for this issue?
Devices affected: iPhone 11 (iOS 16.4.1), iPhone 12 mini (iOS 16.5).
In MDM device management, I called the device synchronization interface (Sync the List of Devices: https://mdmenrollment.apple.com/devices/sync), and in the returned data device_assigned_by did not return an email address as described in the documentation, but returned a string of numbers. What is the situation? This only occurs on some devices; other devices return email addresses normally. Is there any solution for this?
I have been running ABM to synchronize devices for some time now, but in recent days, when using the interface for synchronization, the response from the interface for the device's "device_assigned_by" field has changed. The official website says it should return "The email of the person who assigned the device." However, what I received was a string of numbers, such as 275xxxxx, which corresponds to the ABM user's ID. Some devices may change the field back to an email again when synchronizing, but unfortunately some devices will always have these numbers. How can I recover the email?
I have been running ABM to synchronize devices for some time now, but in recent days, when using interface synchronization, the device's "device_assigned_by" field returned by the interface has changed. The official website says it should return "The email of the person who assigned the device." However, what I received was a string of numbers, such as 275xxxxxxxx. Some devices may change the field back to an email again when synchronizing, but unfortunately some devices will always have these numbers. How can I recover the email?
https://mdmenrollment.apple.com/server/devices
https://mdmenrollment.apple.com/devices/sync
We want to set key-value pair (installation_token: xxxxx) into an app installed by MDM.
Formerly we could set the key-value using Settings MDM command like this.
<dict>
    <key>Command</key>
    <dict>
        <key>RequestType</key>
        <string>Settings</string>
        <key>Settings</key>
        <array>
            <dict>
                <key>Configuration</key>
                <dict>
                    <key>installation_token</key>
                    <string>xxxxxxx</string>
                </dict>
                <key>Identifier</key>
                <string>com.cloudflare.cloudflareoneagent</string>
                <key>Item</key>
                <string>ApplicationConfiguration</string>
            </dict>
        </array>
    </dict>
</dict>
We can still use this for apps installed with the InstallApplication MDM command; however, we cannot apply this configuration to an app using Declarative Device Management. When we try it, we get an error like this.
<dict>
    <key>CommandUUID</key>
    <string>.............</string>
    <key>Settings</key>
    <array>
        <dict>
            <key>ErrorChain</key>
            <array>
                <dict>
                    <key>ErrorCode</key>
                    <integer>12008</integer>
                    <key>ErrorDomain</key>
                    <string>MDMErrorDomain</string>
                    <key>LocalizedDescription</key>
                    <string>Could not modify apps managed by Declarative Device Management.</string>
                    <key>USEnglishDescription</key>
                    <string>Could not modify apps managed by Declarative Device Management.</string>
                </dict>
            </array>
            <key>Identifier</key>
            <string>com.cloudflare.cloudflareoneagent</string>
            <key>Item</key>
            <string>ApplicationConfiguration</string>
            <key>Status</key>
            <string>Error</string>
        </dict>
    </array>
</dict>
How can we work with managed application configuration with DDM?
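As an added example (not code from the post above or from Apple), this Python builds the Settings command from the request shown in the post with plistlib and parses the Settings response so that an MDM server can recognise the MDMErrorDomain 12008 case and route that app's configuration through DDM instead of retrying the command. The bundle identifier com.example.agent and the command UUID are placeholders; the sample response is constructed to mirror the fields of the error shown above.

```python
import plistlib
import uuid

DDM_MANAGED_APP_ERROR = 12008  # MDMErrorDomain code from the response above


def settings_app_config_command(bundle_id, config, command_uuid=None):
    """Serialize the Settings command that pushes ApplicationConfiguration to one
    app, in the shape of the request shown above."""
    command = {
        "CommandUUID": command_uuid or str(uuid.uuid4()),
        "Command": {
            "RequestType": "Settings",
            "Settings": [
                {
                    "Item": "ApplicationConfiguration",
                    "Identifier": bundle_id,
                    "Configuration": config,
                }
            ],
        },
    }
    return plistlib.dumps(command)


def ddm_managed_app_errors(response_bytes):
    """Parse a Settings response and return the identifiers of ApplicationConfiguration
    items the device refused with MDMErrorDomain 12008, i.e. apps that are managed
    by Declarative Device Management and cannot be configured by this command."""
    response = plistlib.loads(response_bytes)
    refused = []
    for item in response.get("Settings", []):
        if item.get("Item") != "ApplicationConfiguration" or item.get("Status") != "Error":
            continue
        for err in item.get("ErrorChain", []):
            if err.get("ErrorDomain") == "MDMErrorDomain" and err.get("ErrorCode") == DDM_MANAGED_APP_ERROR:
                refused.append(item["Identifier"])
                break
    return refused


# Constructed sample response mirroring the error shown above; the bundle ID is a placeholder.
SAMPLE_ERROR_RESPONSE = plistlib.dumps({
    "CommandUUID": "cmd-0001",
    "Settings": [{
        "Item": "ApplicationConfiguration",
        "Identifier": "com.example.agent",
        "Status": "Error",
        "ErrorChain": [{
            "ErrorCode": 12008,
            "ErrorDomain": "MDMErrorDomain",
            "LocalizedDescription": "Could not modify apps managed by Declarative Device Management.",
            "USEnglishDescription": "Could not modify apps managed by Declarative Device Management.",
        }],
    }],
})


if __name__ == "__main__":
    body = settings_app_config_command("com.example.agent", {"installation_token": "xxxxxxx"}, "cmd-0001")
    print(body.decode())
    print("apps refused because they are DDM-managed:", ddm_managed_app_errors(SAMPLE_ERROR_RESPONSE))
```

Matching on the error domain and code rather than on the localized description keeps the check stable across device languages, and checking the per-item Status avoids treating an acknowledged item with an empty ErrorChain as a failure.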
There is a change log in Safari 18 Beta mentioning that you can now via MDM control Safari's extensions state and make an extension be enabled after you've installed it - "Added support for Device Management of extension enabled state, private browsing state, and website access on Managed Devices. (113051857)"
However I could not find any documentation for it, I need to know what to set in my plist/mobileconfig file.
Does anyone know (or maybe apple is here as well and can help) where would this be documented?
Thanks!
When syncing newly added or modified devices in the Apple Business Manager (ABM) portal using the POST request to https://mdmenrollment.apple.com/devices/sync, we are getting an issue when the ABM server account has more than 1000 devices. The response consistently includes 1000 devices, with the 'more_to_follow' flag always set to true and the 'cursor' value changing. However, subsequent ABM syncs for other devices result in duplicate devices being included in the response, and the 'more_to_follow' flag never becomes false. As more_to_follow is always true, we keep hitting the API continuously.
Please refer to this for the sync API details which is causing the issue: https://developer.apple.com/documentation/devicemanagement/sync_the_list_of_devices
This issue appears to originate from the Apple ABM side. Any help would be of great use. Thanks in advance.
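The Python below is an added example, not code from the post above or from Apple. It shows a cursor-following sync loop for the devices/sync endpoint that de-duplicates devices by serial number and stops on its own when the server keeps answering with more_to_follow=true, as described in the post, instead of polling forever. The real HTTPS call is replaced by a constructed stub server so the code runs offline; fetch_page, stub_sync_server and the SN00000-style serial numbers are assumptions of this example, while the response fields (devices, cursor, more_to_follow, serial_number, op_type) are those of the documented API.

```python
# Sync loop for the devices/sync endpoint. fetch_page(cursor) performs one POST and
# returns the decoded JSON: {'devices': [...], 'cursor': str, 'more_to_follow': bool}.
# The stub below stands in for the real HTTPS call so this runs offline.


def sync_all_devices(fetch_page, max_pages=50):
    """Follow the cursor until more_to_follow is false, de-duplicating devices by
    serial number. Two guards stop the loop when the server misbehaves as described
    above: a page that adds no unseen serial, or a cursor value that repeats; a hard
    page limit catches anything else. Returns the devices, the last cursor (which
    the next sync should start from), the page count and why the loop ended."""
    devices = {}
    seen_cursors = set()
    cursor = None
    pages = 0
    stop_reason = "more_to_follow false"
    while True:
        page = fetch_page(cursor)
        pages += 1
        new = 0
        for dev in page.get("devices", []):
            serial = dev["serial_number"]
            if serial not in devices:
                new += 1
            devices[serial] = dev  # a later record for the same serial wins (op_type may change)
        cursor = page.get("cursor")
        if not page.get("more_to_follow"):
            break
        if cursor in seen_cursors:
            stop_reason = "cursor repeated"
            break
        seen_cursors.add(cursor)
        if new == 0:
            stop_reason = "page contained no new devices"
            break
        if pages >= max_pages:
            stop_reason = "page limit reached"
            break
    return {"devices": devices, "cursor": cursor, "pages": pages, "stop_reason": stop_reason}


def stub_sync_server(inventory, page_size=1000, stuck=True):
    """Constructed stand-in for the ABM endpoint. With stuck=True it reproduces the
    behaviour from the post: once the inventory is exhausted it keeps answering with
    already-returned devices, a fresh cursor value and more_to_follow=true."""
    calls = [0]

    def fetch_page(cursor):
        calls[0] += 1
        start = int(cursor.split(":")[1]) if cursor else 0
        chunk = inventory[start:start + page_size]
        if not chunk:
            chunk = inventory[-page_size:]  # old devices again, as observed
        end = min(start + page_size, len(inventory))
        more = stuck or end < len(inventory)
        return {"devices": chunk, "cursor": f"cur:{end}:{calls[0]}", "more_to_follow": more}

    return fetch_page


if __name__ == "__main__":
    # Constructed inventory of 2500 devices, larger than one 1000-device page.
    inventory = [{"serial_number": f"SN{i:05d}", "op_type": "added"} for i in range(2500)]
    result = sync_all_devices(stub_sync_server(inventory, stuck=True))
    print(len(result["devices"]), "devices in", result["pages"], "pages; stopped because:", result["stop_reason"])
```

The "no new devices" guard is a heuristic: a legitimate page could in principle consist only of repeated modifications of already-seen serials, so a server that records the stop reason and the final cursor can resume from that cursor on the next scheduled sync rather than treating the guard as a hard failure.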
Can we get more information about the state of profile-driven user enrollment in iOS 18?
The only official statement seems to be this post here on the forums and nothing more.
A one-year deprecation and removal during the beta cycle is usually not the way Apple does this: UIWebView was deprecated for 6 years.
Nothing in the wording during the WWDC session indicates this is going to be removed in iOS 18, and none of the documentation we could find mentions that profile-driven user enrollment is being removed this year.
Could we please get an official answer stating that yes, this is being removed, and that it's not just a bug in the Beta cycle?
I just upgraded my local iPhone 15 to iOS 18 Beta 3 and enrolled the device in the MDM server.
Then I ran the EraseDevice command with ReturnToService enabled. https://developer.apple.com/documentation/devicemanagement/erasedevicecommand/command/returntoservice
MDM command request body:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Command</key>
    <dict>
        <key>DisallowProximitySetup</key>
        <false/>
        <key>PreserveDataPlan</key>
        <true/>
        <key>RequestType</key>
        <string>EraseDevice</string>
        <key>ReturnToService</key>
        <dict>
            <key>Enabled</key>
            <true/>
            <key>WiFiProfileData</key>
            <data>WiFi Profile Base64</data>
            <key>MDMProfileData</key>
            <data>MDM Profile Base64</data>
        </dict>
    </dict>
    <key>CommandUUID</key>
    <string>0001_EraseDevice</string>
</dict>
</plist>
MDM executed the command successfully.
The device erased itself and showed the Hello screen after a few seconds, but the device did not go to the Home Screen; the same works fine on iOS 17.
I'd like to try ManagedAppView described here: https://developer.apple.com/documentation/appdistribution/fetching-and-displaying-managed-apps
import SwiftUI
import ManagedAppDistribution

// Define a model that obtains a list of managed apps.
@Observable final class PortalViewModel {
    enum Content: Identifiable {
        case managedApp(ManagedApp), developerContent(title: String, action: (ManagedContentOfferState) -> Void)

        var id: String {
            switch self {
            case let .managedApp(app):
                return app.id
            case let .developerContent(title, _):
                return title
            }
        }
    }

    var contents: [Content] = []

    // Stream the distributor's app list and replace the contents on each update.
    func getApps() async {
        do {
            for try await result in ManagedAppLibrary.currentDistributor.availableApps {
                contents = try result.get().map(Content.managedApp)
            }
        } catch {
            // Handle errors here.
            print("ERROR==>\(error)")
        }
    }
}

struct PortalView: View {
    private var viewModel = PortalViewModel()

    var body: some View {
        List(viewModel.contents) { content in
            switch content {
            case let .managedApp(managedApp):
                ManagedAppView(app: managedApp)
            case let .developerContent(title, action):
                ManagedContentView(primaryLabel: title, offerState: .custom(title: "Request"), offerAction: action) {
                    Image("house")
                }
            }
        }
        .managedContentStyle(.compact)
        .task { await viewModel.getApps() }
    }
}
I already configured an entitlement for this UI:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.developer.managed-app-distribution.install-ui</key>
    <array>
        <string>managed-app</string>
    </array>
</dict>
</plist>
However the screen stays blank with an error message "Error registering for message: [App catalog changed]: An unspecified, unrecoverable error occurred." when executing ManagedAppLibrary.currentDistributor.availableApps.
And the console log probably implies that this playground app (MDM Agent for SwiftUI) should be available on the App Store and installed as managed.
Jul 16 02:20:17 iPhone MDM Agent for SwiftUI(libxpc.dylib)[1395] <Notice>: [0x105a155c0] activating connection: mach=true listener=false peer=false name=com.apple.managedappdistributiond.xpc
Jul 16 02:20:17 iPhone managedappdistributiond(libxpc.dylib)[1320] <Notice>: [0xc2a1e4dc0] activating connection: mach=false listener=false peer=true name=com.apple.managedappdistributiond.xpc.peer[1395].0xc2a1e4dc0
Jul 16 02:20:17 iPhone managedappdistributiond[1320] <Notice>: [TXNaf44] \M-p\M^_\M^P\M^O Beginning transaction (<private>)
Jul 16 02:20:17 iPhone managedappdistributiond[1320] <Notice>: Activity associated with <private>ED4BF49B
Jul 16 02:20:17 iPhone dmd[169] <Notice>: Received request: <DMFFetchAppsRequest: 0xbdc8e48c0>, from client: <CATTaskSession: 0xbdc850aa0 { state = Connected, session = 04530509-57B9-41D3-BEBC-3F07673E8BFC, transport = <CATXPCTransport: 0xbdc96c9b0 { state = Connected }> }>
Jul 16 02:20:17 iPhone dmd(libxpc.dylib)[169] <Notice>: [0xbdc1ab700] activating connection: mach=true listener=false peer=false name=com.apple.accountsd.accountmanager
Jul 16 02:20:17 iPhone accountsd(AccountsDaemon)[112] <Notice>: "<private> (<private>) received"
Jul 16 02:20:17 iPhone accountsd(libxpc.dylib)[112] <Notice>: [0xcc2804f00] activating connection: mach=false listener=false peer=true name=com.apple.accountsd.accountmanager.peer[169].0xcc2804f00
Jul 16 02:20:17 iPhone dmd[169] <Notice>: Add operation: <DMDFetchAppsOperation: 0xbdc360000 { name = (null), ID = 4161DF16-B5EE-4C2F-AFC7-ED66C9EF6216, state = A-- [0], completed = -1/-1 }>
Jul 16 02:20:17 iPhone dmd(libxpc.dylib)[169] <Notice>: [0xbdc1ab700] invalidated because the current process cancelled the connection by calling xpc_connection_cancel()
Jul 16 02:20:17 iPhone dmd[169] <Notice>: Operation will start: <DMDFetchAppsOperation: 0xbdc360000 { name = (null), ID = 4161DF16-B5EE-4C2F-AFC7-ED66C9EF6216, state = A-- [0], completed = -1/-1 }>
Jul 16 02:20:17 iPhone dmd(Accounts)[169] <Notice>: "The connection to ACDAccountStore was invalidated."
Jul 16 02:20:17 iPhone dmd[169] <Notice>: Fetch apps with bundle ids: ( "com.companyname.MDM-Agent-for-SwiftUI"
), store item id: (null)
Jul 16 02:20:17 iPhone dmd(AppStoreDaemon)[169] <Notice>: [ASDUpdatesService]: getManagedUpdatesWithCompletionBlock
Jul 16 02:20:17 iPhone accountsd(libxpc.dylib)[112] <Notice>: [0xcc2804f00] invalidated after getting a no-senders notification - client is gone
Jul 16 02:20:17 iPhone appstored[189] <Notice>: [XPCServiceEntitlements]: We have the entitlement: com.apple.itunesstored.private for pid: 169 result: 1
Jul 16 02:20:17 iPhone appstored[189] <Notice>: [8D8ED625] getManagedUpdates requested for client: com.apple.dmd
Jul 16 02:20:17 iPhone appstored[189] <Notice>: [8D8ED625] Returning 0 available and 0 recent update(s)
Jul 16 02:20:17 iPhone appstored[189] <Notice>: [8D8ED625] getManagedUpdates completed successfully
Jul 16 02:20:17 iPhone dmd(AppStoreDaemon)[169] <Notice>: [ASDUpdatesService]: getUpdatesWithCompletionBlock
Jul 16 02:20:17 iPhone appstored[189] <Notice>: [XPCServiceEntitlements]: We have the entitlement: com.apple.itunesstored.private for pid: 169 result: 1
Jul 16 02:20:17 iPhone appstored[189] <Notice>: [C7CA1AFD] getUpdates requested for client: com.apple.dmd
Jul 16 02:20:17 iPhone appstored[189] <Notice>: [C7CA1AFD] Returning 0 available and 0 recent update(s)
Jul 16 02:20:17 iPhone appstored[189] <Notice>: [C7CA1AFD] getUpdates completed successfully
Jul 16 02:20:17 iPhone dmd[169] <Notice>: Lifecycle is not stale for bundle ID: com.companyname.MDM-Agent-for-SwiftUI
Jul 16 02:20:17 iPhone dmd[169] <Notice>: Operation will finish: <DMDFetchAppsOperation: 0xbdc360000 { name = (null), ID = 4161DF16-B5EE-4C2F-AFC7-ED66C9EF6216, state = AE- [0], completed = -1/-1 }>
Jul 16 02:20:17 iPhone managedappdistributiond[1320] <Error>: Hosting app <private> with persona <private> is not managed
Jul 16 02:20:17 iPhone managedappdistributiond[1320] <Error>: Error in <private>: An unspecified, unrecoverable error occurred.
Jul 16 02:20:17 iPhone managedappdistributiond[1320] <Notice>: [TXNaf44] \M-p\M^_\M^P\M^O Ending transaction (<private>) (<private>)
Jul 16 02:20:17 iPhone MDM Agent for SwiftUI(ManagedAppDistribution)[1395] <Error>: Error registering for message: [App catalog changed]: An unspecified, unrecoverable error occurred.
So, how can we develop and debug ManagedAppDistribution?
(NOTE the test device is supervised and managed using DDM.)
We need to do some operations on the login screen, but when the user uses a WPA2-Enterprise network, authentication to this network is only possible after the login process has already been completed.
Is there a way to change the network on the login screen, or a way to authenticate on the WPA2-Enterprise network before login is completed?
STEPS TO REPRODUCE
1 - Use a WPA2-Enterprise network
2 - Set the WPA2-Enterprise network as Auto-Join/Principal
3 - Reboot the machine
4 - On the logon screen it's impossible to authenticate on the enterprise network even after typing the username and password.
There is a new property introduced in iOS 18 Beta for VPN, i.e. CellularSliceUUID.
But there is no description available for it. Could you please let us know how this property can impact VPN?
https://developer.apple.com/documentation/devicemanagement/vpn?changes=latest_major&language=objc
I am having two issues with an IKEv2 VPN profile and certificates, and I am using Apple Configurator to create the profile. We have a self-signed CA that consists of an intermediate/root chain. The first issue is that when I load the intermediate and/or root into the Certificates section, then, in the VPN section, select Certificate for Machine Authentication, the VPN doesn't connect, and in Console we get the error "Trust evaluate failure: [leaf MissingIntermediate]." If I load the server cert, the profile connects. I am lost as to why this works; I would assume we would need only the intermediate and/or root.
The second issue I am running into is that when I put the Intermediate CA name into "Server Certificate Issuer Common Name" the VPN does not connect at all, with the server cert or not.
If I can provide any more information at all, please let me know. With this being a public forum, I didn't want to include much from my organization but can send it privately. Thank you in advance for any assistance.
Screenshot of the console error is attached