Our MDM customers often claim that MDM push is not delivered to the device and that they cannot manage devices via MDM.
The user first uninstalled the old description file and then installed the new one, but after the new description file was installed, our MDM server did not receive any notification from Apple about updating the token; it only received an Authenticate message.
We tried to restore network settings, but it did not work. We hope to get your help to solve this problem. Currently, we can't figure out where the problem is.
Device Management
Allow administrators to securely and remotely configure enrolled devices using Device Management.
Posts under Device Management tag
190 Posts
Please tell me two things about "Safari Password Autofill Domains" in my domain settings.
Incident
The behavior of the following items in the Domains setting differs between "no setting" and "edit and delete setting values".
Subject: Safari Password Autofill Domains
Steps to Reproduce (delete the setting value)
1. Enter any value in "Safari Password Autofill Domains" in the domain settings and save it.
2. Delete the value entered in step 1.
3. Distribute to the terminal.
Result
If no settings: A pop-up window will appear asking if the password is to be saved in all domains. The key "SafariPasswordAutoFillDomains" is not present in the configuration profile.
Edited to remove the value: The "Save Password AutoFillDomains" popup does not appear for all domains. The key "SafariPasswordAutoFillDomains" exists in the configuration profile and an empty array remains.
Question 1.
Is it expected that the behavior is different when "Safari Password Autofill Domains" is not configured and when the configuration value is edited and removed?
Question 2
Is it expected that "" remains in the configuration profile when the setting value is edited and deleted?
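The difference the post describes (key absent versus key present with an empty array) is easy to detect and normalise on the server side before a profile is distributed. This is an added example, not code from the post or from Apple; the profile it builds is a constructed minimal Domains payload, and the "absent / empty / restricted" labels are this example's own.

```python
import plistlib

KEY = "SafariPasswordAutoFillDomains"
DOMAINS_PAYLOAD = "com.apple.domains"

def build_profile(domains=None):
    """Constructed sample profile. domains=None omits the key entirely ("no setting");
    domains=[] emits the empty array left behind after "edit and delete"."""
    payload = {"PayloadType": DOMAINS_PAYLOAD, "PayloadIdentifier": "example.domains",
               "PayloadUUID": "00000000-0000-0000-0000-000000000001", "PayloadVersion": 1}
    if domains is not None:
        payload[KEY] = list(domains)
    profile = {"PayloadType": "Configuration", "PayloadIdentifier": "example.profile",
               "PayloadUUID": "00000000-0000-0000-0000-000000000002", "PayloadVersion": 1,
               "PayloadContent": [payload]}
    return plistlib.dumps(profile)

def autofill_policy(profile_bytes):
    """Classify what the profile says about Safari password autofill:
    ("absent", None)      key not present in any Domains payload
    ("empty", [])         key present with an empty array (the state the post reports)
    ("restricted", [...]) explicit domain list"""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == DOMAINS_PAYLOAD and KEY in payload:
            domains = list(payload[KEY])
            return ("empty", []) if not domains else ("restricted", domains)
    return ("absent", None)

def drop_empty_autofill_key(profile_bytes):
    """Server-side normalisation: remove the key when its array is empty, so a cleared
    setting is distributed the same way as "no setting"."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == DOMAINS_PAYLOAD and payload.get(KEY) == []:
            del payload[KEY]
    return plistlib.dumps(profile)
```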
Hello, I am currently testing the com.apple.configuration.app.managed declaration, and have failed to get it to work with either VPP OR Enterprise apps.
(Testing is being conducted on an iPhone XR with iOS 17.3.1)
VPP:
Initially, errors were returned due to not having a license for the device, so I have set it up to fetch a license before the declaration is returned to the device. Said declaration is as follows (I have attempted to switch from Device to User VPP type, as well as attempting to use BundleID or AppStoreID, but all have the same result):
{
  "Identifier": "BBC_Test_Install",
  "Payload": {
    "AppStoreID": "377382255",
    "InstallBehavior": {
      "Install": "Required",
      "License": {
        "VPPType": "Device"
      }
    }
  },
  "ServerToken": "...",
  "Type": "com.apple.configuration.app.managed"
}
The configuration above successfully applies on to the device, and can be seen in the configurations tab in Settings. The install is unsuccessful however, as the app.managed subscription item returns the following result:
"app" : {
  "managed" : {
    "list" : [
      {
        "state" : "failed",
        "declaration-identifier" : "BBC_Test_Install",
        "identifier" : "uk.co.bbc.newsuk",
        "name" : "BBC News - UK & World Stories"
      }
    ]
  }
}
The device does not provide any additional information, it was initially returning the following reason when I did not request a licence before the install:
"code" : "Error.LicenseNotFound"
but this has disappeared now that a licence is requested beforehand. No other information can be gleaned, so I am at a bit of a loss. It should be noted that I am wiping my device between each test, just to try and get it working on a "fresh" application before attempting to deal with updating the declaration.
Enterprise:
This also does not seem to behave; the configuration states a successful application, but it can't be seen in the declarations tab within General settings:
"active" : true,
"identifier" : "Enterprise_Test_Install",
"valid" : "valid",
"server-token" : "..."
The associated configuration is as follows:
{
  "Identifier": "Enterprise_Test_Install",
  "Payload": {
    "InstallBehavior": {
      "Install": "Required"
    },
    "ManifestURL": "https://my.domain/web/mdm/ios/enterpriseplistgenerator/bundle.id"
  },
  "ServerToken": "...",
  "Type": "com.apple.configuration.app.managed"
}
I have had previous success installing enterprise apps through MDM commands so I would have assumed the ManifestURL should have worked the same. The above URL does cause the device to make a secondary request for the application manifest, which returns the following:
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>items</key>
  <array>
    <dict>
      <key>assets</key>
      <array>
        <dict>
          <key>kind</key>
          <string>software-package</string>
          <key>url</key>
          <string>https://my.domain/web/mdm/ios/enterpriseipa/bundle.id</string>
        </dict>
      </array>
      <key>metadata</key>
      <dict>
        <key>bundle-identifier</key>
        <string>bundle.id</string>
        <key>kind</key>
        <string>software</string>
        <key>subtitle</key>
        <string>testapp</string>
        <key>title</key>
        <string>testapp</string>
      </dict>
    </dict>
  </array>
</dict>
</plist>
The device then does nothing with this (app.managed does not report back anything). When installing the enterprise app through MDM commands, the above plist does cause the device to make a secondary call to fetch the application's IPA.
Some additional information, help, or insight would be useful, as from my perspective the declaration does not seem to work at all.
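Two things worth checking on the server before blaming the device: that the ServerToken actually changes whenever the declaration's content changes (the device treats an unchanged token as "nothing to re-apply"), and that the manifest served from ManifestURL has the shape the device expects. The following is an added example, not code from the post or from Apple; deriving ServerToken from a content hash is this example's convention, the https checks are an assumed server policy, and the sample manifests are constructed with placeholder URLs.

```python
import hashlib
import json
import plistlib
from urllib.parse import urlparse

APP_MANAGED = "com.apple.configuration.app.managed"

def server_token_for(identifier, payload):
    # Content hash as ServerToken (this example's convention, not a page requirement):
    # any payload edit yields a new token, and the device treats an unchanged token as "nothing changed".
    body = {"Identifier": identifier, "Type": APP_MANAGED, "Payload": payload}
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def build_declaration(identifier, payload):
    return {"Identifier": identifier, "Payload": payload,
            "ServerToken": server_token_for(identifier, payload), "Type": APP_MANAGED}

def check_declaration(decl):
    """Return a list of problems with an app.managed declaration (empty means it passes)."""
    problems, payload = [], decl.get("Payload", {})
    if decl.get("Type") != APP_MANAGED:
        problems.append("Type must be " + APP_MANAGED)
    if not any(k in payload for k in ("AppStoreID", "BundleID", "ManifestURL")):
        problems.append("Payload names no app (AppStoreID, BundleID or ManifestURL)")
    if decl.get("ServerToken") != server_token_for(decl.get("Identifier"), payload):
        problems.append("ServerToken is stale: it does not match the declaration content")
    return problems

def check_manifest(plist_bytes):
    """Validate an enterprise manifest against the key layout shown in the post."""
    problems = []
    for item in plistlib.loads(plist_bytes).get("items", []):
        pkgs = [a for a in item.get("assets", []) if a.get("kind") == "software-package"]
        if not pkgs:
            problems.append("item has no software-package asset")
        for asset in pkgs:
            if urlparse(asset.get("url", "")).scheme != "https":
                problems.append("software-package url must use https")  # assumed server policy
        meta = item.get("metadata", {})
        for key in ("bundle-identifier", "kind", "title"):
            if key not in meta:
                problems.append("metadata missing " + key)
    return problems

# Constructed sample manifests; shape copied from the post, URLs are placeholders.
GOOD_MANIFEST = plistlib.dumps({"items": [{
    "assets": [{"kind": "software-package", "url": "https://my.domain/web/mdm/ios/enterpriseipa/bundle.id"}],
    "metadata": {"bundle-identifier": "bundle.id", "kind": "software", "subtitle": "testapp", "title": "testapp"}}]})
BAD_MANIFEST = plistlib.dumps({"items": [{
    "assets": [{"kind": "software-package", "url": "http://my.domain/app.ipa"}],
    "metadata": {"bundle-identifier": "bundle.id", "kind": "software"}}]})
```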
Hello,
I could not find information in the doc (which is still beta, I understand): how are app upgrades handled by DDM AppManaged?
With MDM, sending the InstalledApplication command will upgrade the app to the most suitable recent version; the HasUpdateAvailable flag tells the MDM server (more or less accurately) if there is an update, and then organizations can keep apps up to date as quickly as possible if needed.
But with DDM, we just have a declaration where we tell the device to install a given app, and that's it. Is there any detail about how the device upgrades apps, and how frequently ?
Thanks.
We have a few development servers that implement MDM and I am trying to incorporate WatchOS Enrollment. I am having trouble connecting to our enrollment URL that is defined in the watch enrollment payload. The error I get indicates that the server certificate is invalid. I can see this error if I attempt to pair to an iPhone that has the WatchOS enrollment declaration on it and I also see if I send an iMessage with our server url and attempt to open the url using the messages app on the watch itself.
The certificate is valid, but the SAN does not define my particular domain but rather it uses a wildcard (i.e. DNS Name: *.domain.com and DNS name: domain.com).
The url opens fine on any other Apple device (iPhone, iPad, Mac, etc) as well as windows.
My question is, is there some problem with using an SSL server certificate that has a wildcard in place of a specific domain when attempting to connect using WatchOS?
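Before attributing the error to the wildcard, it is worth confirming that the enrollment URL's host is actually covered by one of the SAN entries: a wildcard stands for exactly one label, so `*.domain.com` covers `mdm.domain.com` but neither `domain.com` nor `enroll.eu.domain.com`. The check below is an added example (not from the post); it implements the usual RFC 6125 dNSName matching rules, and the SAN list it tests against is the one the post describes.

```python
def san_matches(san_dns_name, hostname):
    """Decide whether one dNSName SAN entry covers hostname, following the usual
    RFC 6125 rules: a leading '*' stands for exactly one label in the leftmost
    position, so *.domain.com covers mdm.domain.com but not domain.com or a.b.domain.com."""
    san = san_dns_name.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    suffix = san[1:]            # ".domain.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[:-len(suffix)]
    return leftmost != "" and "." not in leftmost

def covering_sans(san_list, hostname):
    """All SAN entries that cover hostname; an empty list means the certificate does
    not name that host, and a 'server certificate is invalid' error is expected."""
    return [san for san in san_list if san_matches(san, hostname)]

# SAN set from the post: a wildcard plus the bare apex.
POST_SANS = ["*.domain.com", "domain.com"]
```

If the host is covered by this check, the wildcard itself is not the explanation, and the chain served to the watch (intermediates, trust anchor) is the next thing to compare against what the iPhone receives.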
We have observed that the following commands cause NotNow:
1. InstallProfileCommand (https://developer.apple.com/documentation/devicemanagement/installprofilecommand)
2. InstallProvisioningProfileCommand (https://developer.apple.com/documentation/devicemanagement/installprovisioningprofilecommand)
3. SecurityInfoCommand (https://developer.apple.com/documentation/devicemanagement/securityinfocommand)
4. CertificateListCommand (https://developer.apple.com/documentation/devicemanagement/certificatelistcommand)
5. InstallApplicationCommand (https://developer.apple.com/documentation/devicemanagement/installapplicationcommand)
6. ManagedMediaListCommand (https://developer.apple.com/documentation/devicemanagement/managedmedialistcommand)
Commands 1, 2 and 3 become NotNow while the iOS device is locked.
I don't know under what circumstances 4, 5 and 6 become NotNow.
Please tell me.
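Whatever the exact trigger, the server-side handling is the same: a NotNow response means the device could not run the command yet and will check in again when it can, so the command must stay queued rather than be dropped or recorded as failed. The following is an added example of that queue logic (not Apple's code and not from the post); the set of commands that go NotNow while locked is taken from the poster's observation of items 1 to 3, and the simulated device is constructed for the test.

```python
from collections import deque

# The poster observed these three go NotNow while the device is locked (items 1-3 above).
NOTNOW_WHILE_LOCKED = {"InstallProfile", "InstallProvisioningProfile", "SecurityInfo"}

class DeviceCommandQueue:
    """Per-device MDM command queue (example server logic, not Apple's). A command the
    device answers NotNow stays at the head and is offered again on the device's next
    Idle check-in; only Acknowledged/Error responses remove it."""
    def __init__(self):
        self._queue = deque()
        self.history = []           # (CommandUUID, Status) as reported by the device

    def enqueue(self, command_uuid, request_type, **extra):
        self._queue.append({"CommandUUID": command_uuid,
                            "Command": {"RequestType": request_type, **extra}})

    def on_checkin(self, status_report):
        """Handle one device connection: Idle asks for work; any other Status reports
        on the command at the head. Returns the command to send next, or None."""
        status = status_report["Status"]
        if status != "Idle":
            uuid = status_report.get("CommandUUID")
            self.history.append((uuid, status))
            if status == "NotNow":
                return None          # keep it queued; end this connection
            if self._queue and self._queue[0]["CommandUUID"] == uuid:
                self._queue.popleft()
        return self._queue[0] if self._queue else None

    def pending(self):
        return len(self._queue)

def simulate_device(queue, locked):
    """Constructed device behaviour: answers NotNow for the lock-sensitive commands
    while locked, Acknowledged otherwise. Returns the list of statuses it sent."""
    sent = []
    command = queue.on_checkin({"Status": "Idle"})
    while command is not None:
        rt = command["Command"]["RequestType"]
        status = "NotNow" if locked and rt in NOTNOW_WHILE_LOCKED else "Acknowledged"
        sent.append(status)
        command = queue.on_checkin({"Status": status, "CommandUUID": command["CommandUUID"]})
    return sent
```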
I've encountered an issue while reviewing logs from my device and hope someone here can shed some light on it. In the process of diagnosing an application behavior, I noticed that some entries in my logs are marked as <private>, specifically next to bundle IDs, which makes it challenging to understand which app or process is involved.
Here are the relevant log entries:
Feb 21 17:40:53 vCw-2 suggestd(CoreSuggestionsInternals)[30399] <Notice>: SGDSuggestManager: realtimeSuggestionsForMailOrMessageWithHash: com.apple.MobileSMS : <private>
Feb 21 17:40:53 vCw-2 suggestd(CoreSuggestionsInternals)[30399] <Notice>: SGDSuggestManager: realtimeSuggestionsForMailOrMessageWithHash: <private>: results: (null)
Feb 21 17:40:53 vCw-2 suggestd(CoreSuggestionsInternals)[30399] <Notice>: SGDSuggestManager: realtimeSuggestionsForMailOrMessageWithHash: com.apple.MobileSMS : <private>
Feb 21 17:40:53 vCw-2 suggestd(CoreSuggestionsInternals)[30399] <Notice>: SGDSuggestManager: starting dissection.
The identification of this hidden bundle ID is essential for allowing the specific iMessage Business Chat feature to function as intended in our MDM-managed devices.
Does anyone have insights into why the bundle ID might be hidden or how to uncover it? Are there tools or methods available that could help me identify this bundle ID for MDM whitelist configuration purposes?
I appreciate any guidance or recommendations you can provide. Thank you for your time and assistance.
I have found that Declarative management, although intriguing and could be useful in the future, is quite lacking. At this point in development, I don't see an advantage over using MDM commands.
In order for a device to apply policies, the device must first post to a server to receive the manifest set, then for each item in the set, the device must post to the server to get the policy. How is that better than posting via MDM to obtain a policy (configuration profile, app, etc.)? It seems there is no benefit in terms of time complexity. In both scenarios the device would need to make O(n) posts. This doesn't solve the scalability issue with regards to the MDM channel.
The limitation with regards to available native declarations vs configuration profiles means declarative management is not yet ready for prime time. Although the first attempt at solving this through LegacyProfiles allows for installing configuration profiles, this method adds another POST, so at this point it's one post to get the manifest, then two more posts to get the policy, which is even worse than MDM.
Regarding the status channel, the status report is missing quite a bit of device information. Currently, in order to obtain a more complete view of device state using MDM, the MDM server must send a set of commands to get information, installed profiles, apps, certificate, etc. The Status channel includes some of this stuff, but not all of it, which means a device must augment the status channel with some (or all) of these commands.
Hi!
We are developing VPN software for the iOS platform, and our customers report a rare issue that we cannot reproduce. We seek any advice about the root cause of such a problem.
On every update, we notice an increased number of customer reports saying that the tunnel process is in a "connecting" loop, and to break the loop the customer has to remove the VPN profile from the settings. As none of our testers could reproduce the issue, we have minimal knowledge to work on. What we know so far:
The OnDemand rules cause the tunnel process to be restarted in the loop
The tunnel process does not start at all. We have logs from our customers, and we know that the application tries to start an extension, but the extension does not start at all. Something in the operating system prevents the extension from starting.
The issue reappears on every app update.
My theory so far is that the profile gets broken during an update process, but we have no means of confirming that.
Is this a known issue? Any advice on how we could reproduce the problem? Thank you in advance for any tips!
Vision Pro is getting MDM support, which is good for companies that want to bring them into the enterprise, but security needs to be addressed. Does anyone know what cryptographic module VisionOS uses? I didn't see any info here: https://support.apple.com/en-us/103688 or https://support.apple.com/guide/certifications/welcome/web
https://developer.apple.com/documentation/managedappdistribution
https://developer.apple.com/documentation/appdistribution/fetching-and-displaying-managed-apps
We have tested the above Apple documentation regarding Managed Application Distribution.
To note: we are trying to provide a custom App Store in our MDM app for managed apps.
We have done all the steps mentioned in the documentation:
Got the entitlement and enabled it for the app.
Used the exact code in a new SwiftUI project.
Attaching screenshots for the compile-time errors I get.
The first screenshot shows an error when building the project with a physical device (iOS 17.4).
The second one shows a different error when building with a simulator.
I have checked all the Apple documentation and WWDC videos for further clues on this, but no help!
It would be helpful if anyone could help me with an exact working model for this framework.
We are enrolled in the Apple Developer Program as an organization but still, I don't see any options to create an MDM certificate in the certification section.
Kindly guide us through the steps and options to enable this.
We have corporate-owned devices (iPads) on which we need to disable the ability of users to turn off Location Services, as well as Airplane Mode and GPS. How can this be done?
Thanks in advance
My company has an iOS and tvOS app which are distributed under the same bundle ID. We have recently released an update to the tvOS app but not the iOS app.
Subsequently, some of our customers have told us that their MDM solution (Jamf Pro) does not allow them to install the update. This is because the software shows the latest version as being the iOS version (4.6.6), and it does not appear to share any additional details of the tvOS platform. Meaning all version checks show that the app is up to date.
Performing a fresh install does indeed pull the latest version (5.0.3) on AppleTV. And updates can be performed on device manually. This is not suitable for our customers who have over 200 AppleTVs in use.
I have contacted Jamf who have suggested I contact Apple. So here I am.
From my perspective, it seems like the App Store directory information that MDM providers access does not have separate tvOS and iOS version information meaning that their tools can't tell when a platform version has been updated.
This means our only solution would be to update the iOS version and keep it on par with our tvOS version. This isn't really feasible as our iOS usage is around 0.01%.
Is it possible to restore an Apple Vision Pro with Apple Configurator on a Mac and an IPSW file?
I would like to begin some network system extension development, but I would feel more comfortable if I could scrub and restore the OS in case something goes wrong.
My employer has several MDM restrictions enabled for security reasons. Particularly, they disable Handoff in order to disable Universal Clipboard, since the two are coupled together in the MDM restrictions. This has the unfortunate side-effect of disallowing Mac Virtual Display on the Vision Pro, since it requires Handoff in order to work.
Is there another way for them to disable only Universal Clipboard using MDM restrictions? If not, how could I go about requesting that the MDM restrictions be more granular?
Hi, I'm looking into ACME Managed Device Attestation and was wondering about one of the values in the payload: AllowAllAppsAccess.
From the documentation: "If true, all apps have access to the private key", but what is the case in which you would have this set to true? It seems like it opens up the device to potentially malicious software.
Also, if this were set to true, how would an app access this private key when it is stored in the Secure Enclave? Is there a specific tag that it is stored with?
Hi,
I am developing an iPad application which will run in Guided Access mode. This will be an Enterprise app. The use case is that we will provide the iPad to our customers with the application installed on it, Guided Access mode on and Wi-Fi also on.
Now I want users to connect to their own Wi-Fi setup at their home (SSID name and password as input fields within the app).
So is there any way the user can connect to their Wi-Fi from within the application by entering the SSID and password in Guided Access mode?
Or is there any way the user can scan the Wi-Fi networks at their home and connect to one of them by providing the password from inside the application? The application will run in Guided Access mode only.
Since the 14.4 latest beta update Chrome Remote Desktop is broken. The screenshot below says it all. This message pops up after each reboot of a headless Mac Mini M2 and has to be explicitly allowed before Chrome Remote Desktop will connect.
Hello!
I made an iOS app for a research study that blocks network connections with certain websites. I need to block around 2000 web domains. To achieve this, I had two options:
Use Screentime API
Use Network Extension
Screentime API has a limitation that limits the number of websites it can block to 50 (https://developer.apple.com/documentation/managedsettings/webcontentsettings/blockedbyfilter-swift.property).
The Network Extension on the other hand requires my device to be in supervised mode, which as I understand it, involves erasing the data on the phone and resetting it.
Hence, I am here to ask if there is a way to do this without erasing user data when setting the device into supervised mode.
Also, I am open to hearing any other alternatives I could pursue. Thanks!!