Device Management

Allow administrators to securely and remotely configure enrolled devices using Device Management.

Posts under Device Management tag

176 Posts

Post

Replies

Boosts

Views

Activity

DDM, AppManaged and app upgrade
Hello, I could not find information in the doc (which is still beta, I understand): how are app upgrades handled by DDM AppManaged? With MDM, sending InstalledApplication command will upgrade the app to the most suitable recent version; HasUpdateAvailable flag tells MDM server (more or less accurately) if there is an update and then organizations can keep apps up to date as quickly as possible if needed. But with DDM, we just have a declaration where we tell the device to install a given app, and that's it. Is there any detail about how the device upgrades apps, and how frequently? Thanks.
1
0
373
Feb ’24
WatchOS MDM Enrollment
We have a few development servers that implement MDM and I am trying to incorporate WatchOS Enrollment. I am having trouble connecting to our enrollment URL that is defined in the watch enrollment payload. The error I get indicates that the server certificate is invalid. I can see this error if I attempt to pair to an iPhone that has the WatchOS enrollment declaration on it, and I also see it if I send an iMessage with our server URL and attempt to open the URL using the Messages app on the watch itself. The certificate is valid, but the SAN does not define my particular domain but rather it uses a wildcard (i.e. DNS Name: *.domain.com and DNS name: domain.com). The URL opens fine on any other Apple device (iPhone, iPad, Mac, etc.) as well as Windows. My question is, is there some problem with using an SSL server certificate that has a wildcard in place of a specific domain when attempting to connect using WatchOS?
2
0
517
Mar ’24
When does the following command result in NotNow? (CertificateListCommand, InstallApplicationCommand, ManagedMediaListCommand)
We have observed that the following commands cause NotNow:
1. InstallProfileCommand (https://developer.apple.com/documentation/devicemanagement/installprofilecommand)
2. InstallProvisioningProfileCommand (https://developer.apple.com/documentation/devicemanagement/installprovisioningprofilecommand)
3. SecurityInfoCommand (https://developer.apple.com/documentation/devicemanagement/securityinfocommand)
4. CertificateListCommand (https://developer.apple.com/documentation/devicemanagement/certificatelistcommand)
5. InstallApplicationCommand (https://developer.apple.com/documentation/devicemanagement/installapplicationcommand)
6. ManagedMediaListCommand (https://developer.apple.com/documentation/devicemanagement/managedmedialistcommand)
1, 2, 3 become NotNow while the iOS device is locked. I don't know under what circumstances 4, 5, 6 become NotNow. Please tell me.
0
0
255
Feb ’24
Help Identifying Hidden Bundle ID in Logs for MDM Whitelist Configuration
I've encountered an issue while reviewing logs from my device and hope someone here can shed some light on it. In the process of diagnosing an application behavior, I noticed that some entries in my logs are marked as <private>, specifically next to bundle IDs, which makes it challenging to understand which app or process is involved. Here are the relevant log entries:
Feb 21 17:40:53 vCw-2 suggestd(CoreSuggestionsInternals)[30399] <Notice>: SGDSuggestManager: realtimeSuggestionsForMailOrMessageWithHash: com.apple.MobileSMS : <private>
Feb 21 17:40:53 vCw-2 suggestd(CoreSuggestionsInternals)[30399] <Notice>: SGDSuggestManager: realtimeSuggestionsForMailOrMessageWithHash: <private>: results: (null)
Feb 21 17:40:53 vCw-2 suggestd(CoreSuggestionsInternals)[30399] <Notice>: SGDSuggestManager: realtimeSuggestionsForMailOrMessageWithHash: com.apple.MobileSMS : <private>
Feb 21 17:40:53 vCw-2 suggestd(CoreSuggestionsInternals)[30399] <Notice>: SGDSuggestManager: starting dissection.
The identification of this hidden bundle ID is essential for allowing the specific iMessage Business Chat feature to function as intended in our MDM-managed devices. Does anyone have insights into why the bundle ID might be hidden or how to uncover it? Are there tools or methods available that could help me identify this bundle ID for MDM whitelist configuration purposes? I appreciate any guidance or recommendations you can provide. Thank you for your time and assistance.
1
0
490
Feb ’24
Declarative Management Lacking
I have found that Declarative management, although intriguing and could be useful in the future, is quite lacking. At this point in development, I don't see an advantage over using MDM commands. In order for a device to apply policies, the device must first post to a server to receive the manifest set, then for each item in the set, the device must post to the server to get the policy. How is that better than posting via MDM to obtain a policy (configuration profile, app, etc.)? It seems there is no benefit in terms of time complexity. In both scenarios the device would need to make O(n) posts. This doesn't solve the scalability issue with regards to the MDM channel. The limitation with regards to available native declarations vs configuration profiles means declarative management is not yet ready for prime time. Although the first attempt at solving this through LegacyProfiles allows for installing ConfigurationProfiles, this method adds another POST, so at this point it's 1 post to get the manifest, then 2 more posts to get the policy, which is even worse than MDM. Regarding the status channel, the status report is missing quite a bit of device information. Currently, in order to obtain a more complete view of device state using MDM, the MDM server must send a set of commands to get information, installed profiles, apps, certificate, etc. The Status channel includes some of this stuff, but not all of it, which means a device must augment the status channel with some (or all) of these commands.
0
0
352
Feb ’24
Rare issue with Network Extension and VPN profile on iOS platform
Hi! We are developing VPN software for the iOS platform, and our customers report a rare issue that we cannot reproduce. We seek any advice about the root cause of such a problem. On every update, we notice an increased number of customer reports saying that the tunnel process is in a "connecting" loop, and to break the loop the customer has to remove the VPN profile from the settings. As none of our testers could reproduce the issue, we have minimal knowledge to work on. What we know so far:
- The OnDemand rules cause the tunnel process to be restarted in the loop.
- The tunnel process does not start at all. We have logs from our customers, and we know that the application tries to start an extension, but the extension does not start at all. Something in the operating system prevents the extension from starting.
- The issue reappears on every app update.
My theory so far is that the profile gets broken during an update process, but we have no means of confirming that. Is this a known issue? Any advice on how we could reproduce the problem? Thank you in advance for any tips!
9
1
729
Feb ’24
ManagedAppDistribution Framework - Compile time errors
https://developer.apple.com/documentation/managedappdistribution
https://developer.apple.com/documentation/appdistribution/fetching-and-displaying-managed-apps
We have tested the above Apple documentation regarding Managed Application Distribution. To note: we are trying to provide a custom AppStore in our MDM app for managed apps. We have done all the steps mentioned in the documentation:
- Got the entitlement and enabled it for the app.
- Used the exact code in a new SwiftUI project.
Attaching screenshots of the compile-time errors I get. The first screenshot shows an error when building the project with a physical device (iOS 17.4). The second one shows a different error when building with a simulator. I have checked all the Apple documentation and WWDC videos for further clues on this, but no help! It would be helpful if anyone could help me with an exact working model for this framework.
1
1
425
Feb ’24
MDM App Directory does not distinguish between iOS and tvOS App Versions
My company has an iOS and tvOS app which are distributed under the same bundle ID. We have recently released an update to the tvOS app but not the iOS app. Subsequently, some of our customers have told us that their MDM solution (Jamf Pro) does not allow them to install the update. This is because the software shows the latest version as being the iOS version (4.6.6), and it does not appear to share any additional details of the tvOS platform. Meaning all version checks show that the app is up to date. Performing a fresh install does indeed pull the latest version (5.0.3) on AppleTV. And updates can be performed on device manually. This is not suitable for our customers who have over 200 AppleTVs in use. I have contacted Jamf who have suggested I contact Apple. So here I am. From my perspective, it seems like the App Store directory information that MDM providers access does not have separate tvOS and iOS version information, meaning that their tools can't tell when a platform version has been updated. This means our only solution would be to update the iOS version and keep it on par with our tvOS version. This isn't really feasible as our iOS usage is around 0.01%.
0
0
471
Feb ’24
Cannot Use Mac Virtual Display on MDM-enrolled Mac with Handoff Disabled
My employer has several MDM restrictions enabled for security reasons. Particularly, they disable Handoff in order to disable Universal Clipboard, since the two are coupled together in the MDM restrictions. This has the unfortunate side-effect of disallowing Mac Virtual Display on the Vision Pro, since it requires Handoff in order to work. Is there another way for them to disable only Universal Clipboard using MDM restrictions? If not, how could I go about requesting that the MDM restrictions be more granular?
1
0
443
Feb ’24
ACME Managed Device Attestation Payload - AllowAllAppsAccess
Hi, I'm looking into ACME Managed Device Attestation and was wondering about one of the values in the payload - AllowAllAppsAccess. From the documentation: "If true, all apps have access to the private key", but what is the case that you would have this set to true? Seems like it opens up the device to potentially malicious software. Also, if this were set to true, how would an app access this private key when it is stored in the Secure Enclave? Is there a specific tag that it is stored with?
2
0
497
Feb ’24
Wifi Connection in Guided access mode.
Hi, I am developing an iPad application which will run in guided access mode. This will be an Enterprise app. The use case is we will provide an iPad to our customers with the application installed on it, and guided access mode is on and Wi-Fi is also on. Now I want users to connect to their own Wi-Fi setup at their home (SSID name and password as input fields within the app). So is there any way a user can connect to their Wi-Fi from within the application by entering SSID and password in Guided access mode? Or is there any way a user can scan the Wi-Fi at their home and connect to one of them by providing a password from inside the application? The application will run in Guided access mode only.
3
0
502
Feb ’24
Supervise device without erasing data?
Hello! I made an iOS app for a research study that blocks network connections with certain websites. I need to block around 2000 web domains. To achieve this, I had two options:
- Use Screentime API
- Use Network Extension
Screentime API has a limitation that limits the number of websites it can block to 50 (https://developer.apple.com/documentation/managedsettings/webcontentsettings/blockedbyfilter-swift.property). The Network Extension on the other hand requires my device to be in supervised mode, which as I understand it, involves erasing the data on the phone and resetting it. Hence, I am here to ask if there is a way to do this without erasing user data when setting the device into supervised mode. Also, I am open to hearing any other alternatives I could pursue. Thanks!!
2
0
516
Feb ’24
Identifying Essential Apple Bundle ID for Apple Watch-iPhone Connectivity in MDM Environment
I am experiencing difficulties in fully integrating my Apple Watch with a supervised iPhone under MDM control. While I have successfully paired the watch with the iPhone, I am facing issues with some apps not syncing or appearing on the Apple Watch. This issue persists despite having allowed their bundle IDs in the MDM’s whitelist. Could anyone provide guidance on which specific Apple bundle ID is crucial for maintaining the connectivity and functionality between the iPhone and the Apple Watch? Understanding this would help in ensuring that the necessary bundle ID is whitelisted in the MDM settings, thus resolving the app visibility and functionality issues on the Apple Watch.
1
1
527
Jan ’24
I am looking for a way to determine if this is a device polling.
When device polling occurs in the link below, is there a way to determine from the requests received on the server side whether the request was device polling? https://developer.apple.com/documentation/devicemanagement/implementing_device_management/handling_notnow_status_responses#3690890 Or can I add a specific parameter when the MDM server instructs the APNs so that the device sends the request to the MDM server with that parameter included? If this is possible, we think we can determine if the request is a polling request.
2
0
323
Jan ’24