Hi All, I'm trying to figure out why there's something tucked in the release notes for macOS 15b1 and iOS 18b1 saying: “• Profile-based User Enrollment is no longer supported in macOS 15. For User Enrollment, sign in with a Managed Apple Account in Settings.” If I'm reading this correctly, "UIE" or User Initiated Enrollment in Jamf parlance, will not be possible on macOS 15 and iOS18 going forward... But, there is ZERO mention of this in the video about what's new for Management, or what's new for IT document. I work in higher ed, and sadly, we get a lot of out of band purchases that aren't ADE eligible. And we've been told for years, and continue to be told, that Managed Apple ID's aren't appropriate for Higher Ed. So this is a big deal if this is being removed, and I find it disturbing it's being tucked away in release notes rather than being broadcast in every location. Heck, for small shops that don't have ASM or ABM, this means no MDM (they won't have managed Apple Accounts to enroll, they won't have ADE)? I happen to use a free Jamf Now system for home managing some personal home devices... I won't be able to do this with macOS 15/iOS 18?

Hello, I’ve run into an issue with a configuration profile on my supervised iPhone. I’m wondering if anyone here might be able to help? The profile contains the allowListedAppBundleIDs key within the restrictions payload. My Apple Watch is paired with the iPhone. The iPhone was supervised manually with Apple Configurator, hence the Apple Watch has not been directly supervised itself. The profile works completely as expected when installed on the phone. As soon as the profile is installed on the iPhone, I can witness the apps on the Apple Watch rearrange themselves as some apps are hidden. So clearly the profile is applying its restrictions to the Apple Watch to some degree. My issue however is that apps listed in the whitelist are hidden from the Watch. The apps that are missing from my Watch are Walkie Talkie, Find My Items, Find My Friends, Messages, Alarm, Remote, Now Playing, Sleep, Meditation and Heart Rate. This is despite the following bundle IDs being listed in the whitelist array: com.apple.findmy.findpeople, com.apple.findmy.finddevices, com.apple.HeartRate, com.apple.SessionTrackerApp, com.apple.NanoWorldClock, com.apple.findmy.finditems, com.apple.Mind, com.apple.NanoOxygenSaturation, com.apple.watchmemojieditor com.apple.NanoSleep com.apple.NanoNowPlaying com.apple.noise com.apple.tincan com.apple.NanoRemote com.apple.NanoAlarm com.apple.private.NanoTimer com.apple.NanoStopwatch I’ve done some testing, but not sure what I’ve found really. I’ve so far identified 3 scenarios. Scenario 1: I have the whitelist profile installed on the iPhone. I download an app that appears in the whitelist from my watch (or at least its iPhone version does). The apps show up on the iPhone automatically and can be launched there. These apps cannot be launched on the watch. Scenario 2: I downloaded a few apps to my watch, that didn’t automatically install on my iPhone at the same time. They were on the whitelist. These ones couldn’t be launched from my Watch. I then downloaded them to the iPhone and they could be launched there (since they were on the whitelist). Scenario 3: A couple of 3rd party apps on the whitelist could be downloaded and launched from the watch with the whitelist installed. It seems as though there are different kinds of Apple Watch app and this is what I’ve read elsewhere. First of all there are Watch-only apps, which do not automatically install a companion iPhone app. Secondly there are companion apps, which when installed from the Watch App Store download their companion app to the iPhone in the background. Someone please correct me - I’m bound to be overlooking something here. So maybe the apps that when installed from Watch automatically install on iPhone and can only be launched from the iPhone have a separate bundle ID for their Watch app which I haven’t included? Apps that are on the whitelist AND do not automatically install an iPhone app AND can be launched from the Watch, include: solstice What3words So maybe these do not need a companion app, but have the same Bundle ID as their iPhone app? However, I’m still not sure why many stock Apple Watch apps are missing from the Watch…. The most obvious answer is that I’ve got their Bundle IDs wrong, but I don’t think I have given I extracted the bundle IDs from the App Store pages of the Apple WatchOS apps. I noticed at this Apple Support page (https://support.apple.com/en-gb/guide/deployment/dep34c5cd30f/1/web/1.0) that there is no mention of whitelisting or blacklisting apps on WatchOS using MDM, yet something definitely happens on the watch when the configuration profile is installed on the iPhone. Furthermore, if I tap on a configuration profile, which comprises a blacklist, on my iPhone it will ask me if I want to install it on the iPhone or Watch. The same pop-up question doesn’t happen when the profile contains a whitelist. All this to say, I’m massively confused as to why I can’t get this working. I’d really appreciate anyone’s advice which is bound to be expert. Thank you

Hi, I was trying to configure the Managed Wi-Fi Settings profile for a Mac device which is running on the Sonoma 14 OS. (https://developer.apple.com/documentation/devicemanagement/wifimanagedsettings?language=objc). I wanted to enable admin authorization for turning Wi-Fi on/off, and for switching between Wi-Fi networks. I followed the docs and tried these restrictions in lower macOS versions(Monterey, Mojave), and they are being enabled in the device-end. However for Sonoma devices, the restrictions are not being enabled(even though the profile is being pushed to the device). While looking around, I came across the fact that the airport cli utility was discontinued recently(https://www.intuitibits.com/2024/03/14/goodbye-airport/, doesn't allow me to hyperlink). So does that affect the working of the Managed Wi-Fi device profile in any way?

It seems there was a new security feature added to macOS 15 - and now it asks every time after reboot if user wishes to continue and allow access the app to record screen and audio, while capture is blocked. Which renders remote access apps useless, a specially for headless computers like my Mac mini.

Anyone found a fix?

Hi, we have Universal Links configured, but it only works with public URLs. In our environment we need to use managed mode - we don't have a public domain. We have found out, that we need to set AssociatedDomainsEnableDirectDownloads key in Intune. However we are struggling with the right plist format. Has anyone have it configured correctly?

When I trusted my certificate in 'Setting'->'VPN & Device Management', my device reboot automatically. After reboot, it showed that "developer of My Team is not trusted in this iPhone", but the app is "verified" in the second column. The UI looks like: iOS18 beta: First Col: Trust "My Team" Second Col: MyApp Verified Other versions: First Col: Delete App Second Col: MyApp Verified What's more, my app has plugins(extensions), my app can run normally while the extension is not able to be pulled up on iOS18 beta.

In the case of organizational iPad devices, we need to have them in a more organized way via the homescreenlayout payload. We need to control the dock and the app library. We will be allowing certain apps on the device via allowListedAppBundleIDs, so we want to disable the recent apps in the dock and prevent apps from being duplicated in the app library, including recent apps and Siri suggestions. If there are more options to control the complete screen layout on the device, it would be helpful.

Hello, We are experiencing intermittent tunnel communication failures in iOS devices following internal application updates or fresh installations. This issue occurs specifically with VMware Workspace ONE Advanced (includes AirWatch) - On Premise and Workspace ONE Tunnel. Our enterprise mobility management platform provides comprehensive tools for managing corporate-owned and BYOD devices across various operating systems. Detailed Information: Applications Involved: VMware Workspace ONE Advanced (On-Premise): Manages and secures devices and applications. Workspace ONE Tunnel: Enables per-app VPN services, routing traffic from specific managed applications through our VPN. Problem Context: After a recent update, and notably after introducing deeplinking capabilities which required making our public DNS changes to host the Apple-app-site-association file, iOS devices are not routing application traffic through the Workspace ONE Tunnel correctly. Instead, applications are bypassing VPN configurations and connecting directly to public networks, jeopardizing data security. This behavior is inconsistent and varies across devices. To illustrate, I have attached a diagram (Diagram 1) that shows the flow of traffic during the issue compared to normal operations. Timeline and Troubleshooting Steps Taken: Initial Report Date: February 2024, following the iOS update 17.3.1 and post-deeplinking modifications. VMware Involvement: Multiple troubleshooting sessions, including log analysis and configuration reviews. VMware indicated the issue might not be directly related to their platform as the tunnel functions normally post-device restart. Logs Reviewed: Application logs, network traces, and device management logs. No errors directly linked to VMware solutions were found. The logs showing the issue occurrence and after a device restart are included (see Logs Set A and Logs Set B). Additional Information: Devices Affected: Various iOS devices, total fleet approximately 1500 units. Inconsistencies: The issue manifests inconsistently across different organizational groups (OGs) and is not tied to a specific app version or device model. Developer Notes: The issue does not occur when applications are deployed via Xcode during testing phases. It only arises when apps are updated in a live environment. Request for Assistance: We request Apple’s assistance in investigating potential iOS-specific causes or configurations contributing to this issue, particularly in the context of the deeplinking changes. A joint troubleshooting session is proposed to further diagnose and address the problem. Prompt support in resolving this issue, given its impact on our operations, would be greatly appreciated. Attachments: Diagram 1&2: Traffic Routing During Issue vs. Normal Operation Diagram 3: Our App communications diagram Logs Set A: Device Logs When Issue Occurs Logs Set B: Device Logs After Restart (Set A) After restart - no issue .log https://drive.google.com/file/d/1Q2COgXkMa3KnN1N-ggZKwYhHP7KC-Hwy/view?usp=sharing (Set B) before restart.log https://drive.google.com/file/d/1uS9kAV6zJyRvVRQoWQNKdWBBR7sxM6Js/view?usp=sharing Any suggestions? Thank you!

https://developer.apple.com/documentation/devicemanagement/systempreferences The Above documentation of "System Preferences" says deprecated. I assume that some of the panes are not working in latest OS due to this deprecation. My query is , Is there any other alternative to Disable or Enabled Preference Panes which was attained by SystemPreferences Payload. I couldn't find any. Is it entirely stopped and in latest OS's ,it wont allowed to restrict those panes?

Hello, We've been playing the app managed configuration with DDM recently and there is a few thing that we might be missing. We're trying to replace our existing feature of app installation using the Install Command with DDM. Everything seems to be working as expected but we're having an hard time understanding how to keep an app installed with the ManifestUrl (custom IPA) updated on the device as well as custom apps deployed through Custom Apps with ABM. We used to send new install command when a new version was released (either with manifest or custom apps) and this will trigger a new app install over the existing app keeping data and updating the app. We however, cannot figure how to do this with App Managed Configuration with DDM. If we replace the configuration declaration (and therefore changed the declaration Identifier), the app will be uninstalled and then reinstalled again (but not all the time). In that case app data is lost as this is a fresh install of the app. Is there a way to reinstall over an existing app an updated version of an app available through Manifest or with custom apps ? The same question would apply to any apps unless I'm mistaken, how do we force apps to be updated? Thanks for your help, Jeremy

I'm trying to implement managed device attestation, I have written server code in Go. So far, I have been able to implement all the steps except finalizing order by sending the Certificate url in the json response from where the client can download the certificate. ACME request flow failed at step 8: Error Domain=NSURLErrorDomain Code=-1002 "unsupported URL" UserInfo={NSLocalizedDescription=unsupported URL, NSErrorFailingURLStringKey=} For server, I am using localhost with https. The URL in "certificate" field of json response is working in browser/postman. I am not able to figure out what is the exact the cause of this error. As there is no FailingURLStringKey I suspect there might be some issue with key in the json response. Can anyone point me to the correct direction to figure out what is the issue?

We are considering developing our own MDM server for internal app distribution. Is it necessary to enroll in the Apple Enterprise Developer Program to develop MDM server? Currently, our company is only enrolled in the Apple Developer Program and Business Manager. Additionally, since we have fewer than 100 employees, it is difficult for us to join the Enterprise Program. In this case, is it not possible for us to set up an MDM server?

Cx was unable to login to their cloud account when the policy was pushed on to their device. However, when no policy was pushed cx could login. The issue is with applying whitelist configuration to device with passcode turned on..while whitelisting the app some system bundle identifier is getting blocked, we tried whitelisting all system app available for ios and couldn't find a solution

I've added my organization macbook air m2 2022 via apple configurator, however, the mac it not receiving the Remote Management prompt during setup. I've confirmed that the device in ABM is pointing to the connect server. Any ideas?

In older versions of macOS, such as those predating Mac OS Sonoma, users had the ability to set the Lock Screen independently from their desktop wallpaper. However, with the introduction of Mac OS Sonoma, this feature seems to have been altered or removed altogether. Currently, there appears to be no option to set the Lock Screen image separately; instead, only changing the desktop wallpaper, changes the Lock Screen image. This change raises questions about whether it is a deliberate alteration in the setting flow or if it could potentially be a bug in the system. Users may wonder if this adjustment is intended to streamline the interface or if there are plans to reintroduce the ability to customize the Lock Screen image independently of the wallpaper in future updates.

Hi all , We are planning to manage about 1 Million+ Apple devices of inclusive of both iPhone and Mac devices under a AxM Account. However while adding VPP Licenses for an App i'm prompted with below error: " You cannot order more than 100000 copies of same the free item per week" While our goal is to manage 1 Million devices under same Location token , i have below questions in mind 1 . What is the upper limit of number of Licenses that can be added per app in a Location token? Currently it says 1 Lakh Licenses per app per week . Wanted to know if there is any limit on this count as it shouldn't surprise us in upcoming weeks. 2 . How many Locations can be created in a AxM Account? Currently we created about 15 location to see if there are any limit but so far couldn't find any limit on number of locations that can be created. This limit could help us plan our deployment in advance 3 . What is the total number of licenses a VPP Location token can hold ? As we manage 1 Million Devices for 12 Apps , 1 Million x 12= 12 Million licenses would be transacted in this location token by our MDM Solution , is this okay or will there be any limitations in this count

In Declarative Device Management there is the Get Server Supported Declarations endpoint that is sent via an MDM Check-In request. Is this supposed to return all of the declarations supported by the server, or only the ones that are intended for the device making the request? This seems like a bad choice of naming for that endpoint and, if my assumption is correct it should be named more along the lines of "Get Device Declarations" Or am I fundamentally misunderstanding DDM and our server should be sending all declarations we have to the device and the device controls them via activations? This seems counter to the pitch around scalability and performance improvements that DDM offers if we have to send literally everything to the device even if it's known to not be needed, and similarly if the device doesn't support it but the server does then obviously(?) the server shouldn't send it to the device.

Can someone please explain the purpose of the ManagementServerCapabilities declaration in Declarative Device Management? I understand based on the documentation that it contains a "dictionary that contains the server’s optional protocol features" but what would be an example of an "optional protocol feature"?

I can enroll iOS and macOS devices with success when DEP is not used (OTA). With DEP, I can enroll iOS devices but not macOS devices. In this case, the process fails when the activation profile is received, because the system cannot decrypt the returned payload. Note that I sign the payload using the server certificate (trusted as the anchored certs are defined accordingly) and I encrypt the payload using the device identity certificate. This identity certificate was obtained when the device reached the enrollment URL (used to sign the inbound payload). From the console logs, it seems that the device cannot find the aforementioned certificate using the issuer and serial number, which is surprising because this should be the device identity certificate. I currently use PKCS7 openssl 3 API. I am wondering if I should switch for the CMS functions since it provides a way to define the certificate using it's key identifier rather than the issuer and serial number. I'm also wondering if certificates are missing in the chain. Any help would be greatly appreciated.