Hello,
AppManaged documentation has been updated and shares some details about the current state of DDM and app management.
Is there any way to specify App Config with DDM, the same way as we can do with MDM with ManagedApplicationConfiguration and the InstallApplication command?
I see attributes are available but not config.
Thanks!
Device Management
Allow administrators to securely and remotely configure enrolled devices using Device Management.
Posts under Device Management tag (190 Posts)
I am experiencing difficulties in fully integrating my Apple Watch with a supervised iPhone under MDM control. While I have successfully paired the watch with the iPhone, I am facing issues with some apps not syncing or appearing on the Apple Watch. This issue persists despite having allowed their bundle IDs in the MDM’s whitelist. Could anyone provide guidance on which specific Apple bundle ID is crucial for maintaining the connectivity and functionality between the iPhone and the Apple Watch? Understanding this would help in ensuring that the necessary bundle ID is whitelisted in the MDM settings, thus resolving the app visibility and functionality issues on the Apple Watch.
When device polling occurs in the link below, is there a way to determine from the requests received on the server side whether the request was device polling?
https://developer.apple.com/documentation/devicemanagement/implementing_device_management/handling_notnow_status_responses#3690890
Or can I add a specific parameter when the MDM server instructs the APNs so that the device sends the request to the MDM server with that parameter included?
If this is possible, we think we can determine if the request is a polling request.
I'm trying to implement ACME managed device attestation, I have ACME server code written in C# and I've been able to get all of the steps working except for the very last one - issuing the certificate.
I so far have not been able to get the device to accept the certificate, the device logs show:
Got certificate {length = ......}
ACME request flow failed at step 9: Error Domain=NSOSStatusErrorDomain Code=-67673 "failed to obtain certificate" UserInfo={NSLocalizedDescription=failed to obtain certificate}
The certificate is issued by an internal CA and the correct root certificate is in the device's trusted certs.
I have tried returning the certificate chain as a file response or content response to the device with an "application/pem-certificate-chain" MIME type (as outlined as the default in the ACME RFC), returning just the leaf certificate as PEM, and returning the leaf certificate as DER with MIME type "application/pkix-cert", "application/pkcs7-mime", "application/x-pkcs12" or "application/x-x509-ca-cert", but none of this has worked.
Can anyone point me in the right direction to figure out what the issue is?
Hi Team,
We have Apple's OS Update for the Mac machines in our fleet, where some Apple Silicon Macs previously at 14.2.1 are being updated to 14.3 using the ScheduleOSUpdate command with the InstallAction key set to Default.
We have also set a restriction with the keys forceDelayedSoftwareUpdates set to true and enforcedSoftwareUpdateDelay set to 1, to update at the earliest.
FYI,
These machines are already FileVault encrypted and also have an admin user.
After restart, we can see that the device automatically boots to Recovery Mode asking for a "Recovery Key" to continue. Even when we have given the personal recovery key, or tried to unlock the disk using the admin user's credentials in Startup Disk, things are not working.
FYI,
The machines asked for the Bootstrap Token after the ScheduleOSUpdate command, and the MDM has given it in response.
Can we please know where the issue is and why this behaviour is occurring?
The new profile added to manage the cellular private network is not getting installed on the device end - https://developer.apple.com/documentation/devicemanagement/cellularprivatenetwork?changes=_9
When we try to install the profile we get these error messages.
{'Status': 'Error',
'CommandUUID': '556d4936-7514-4121-af8d-3f0bf855a9e6',
'ErrorChain': [
{'ErrorCode': 4001,
'ErrorDomain': 'MCInstallationErrorDomain',
'USEnglishDescription': 'Profile Installation Failed',
'LocalizedDescription': 'Profile Installation Failed'},
{'ErrorCode': 4001,
'ErrorDomain': 'MCInstallationErrorDomain',
'USEnglishDescription': 'Profile Failed to Install',
'LocalizedDescription': 'Profile Failed to Install'},
{'ErrorCode': 1009,
'ErrorDomain': 'MCProfileErrorDomain',
'USEnglishDescription': u'The profile \u201cprivate network policy\u201d could not be installed.',
'LocalizedDescription': u'The profile \u201cprivate network policy\u201d could not be installed.'},
{'ErrorCode': 4001, 'ErrorDomain': 'MCInstallationErrorDomain',
'USEnglishDescription': u'The payload \u201cPrivate Mobile Networks\u201d could not be installed.',
'LocalizedDescription': u'The payload \u201cPrivate Mobile Networks\u201d could not be installed.'}],
'UDID': '00008101-001E1DCA3A81001E'}
Is there a way to check if DDM(Declarative Device Management) is enabled on a device?
Hello Apple Community,
Issue encountered during the installation of an app via DDM (Declarative Device Management) on iOS 17.3 devices.
When applying an app configuration and managed app list status event through declarative management, the configuration is successfully applied, but the configured app is not being installed on the device. Upon closer inspection, we have identified that the error "ManagedAppDistribution.ManagedAppDistributionError" is being logged during this process.
My Configuration:
{
"Type": "com.apple.configuration.app.managed",
"Identifier": "com.mdm.1740e623-4361-498d-af02-b433500d58bd.ManagedAppDDM",
"ServerToken": "1706282674113",
"Payload": {
"AppStoreID": "361309726",
"InstallBehavior": {
"License": {
"VPPType": "Device"
},
"Install": "Required"
}
}
}
{
"Type": "com.apple.configuration.management.status-subscriptions",
"Identifier": "com.mdm.9c70c80f-406a-425a-8829-1025652f05c6.ManagedAppListStatus",
"ServerToken": "1706282673976",
"Payload": {
"StatusItems": [
{
"Name": "app.managed.list"
},
{
"Name": "mdm.app"
},
{
...
}
]
}
}
DDM Response:
{
"StatusItems": {
"management": {
"declarations": {
"activations": [
{
"active": true,
"identifier": "DEFAULT_ACT_0",
"valid": "valid",
"server-token": "1706282674113"
}
],
"configurations": [
{
"active": true,
"identifier": "DEFAULT_STATUS_CONFIG_0",
"valid": "valid",
"server-token": "3"
},
{
"active": true,
"identifier": "com.mdm.1740e623-4361-498d-af02-b433500d58bd.ManagedAppDDM",
"valid": "valid",
"server-token": "1706282674113"
},
{
"active": true,
"identifier": "com.mdm.9c70c80f-406a-425a-8829-1025652f05c6.ManagedAppListStatus",
"valid": "valid",
"server-token": "1706282673976"
}
],
"assets": [],
"management": []
}
}
},
"Errors": [
{
"Reasons": [
{
"Code": "ManagedAppDistribution.ManagedAppDistributionError.0",
"Description": "The operation couldn’t be completed. (ManagedAppDistribution.ManagedAppDistributionError error 0.)"
}
],
"StatusItem": "app.managed.list"
}
]
}
Note: The ManagedAppDistribution framework extension appears to not be implemented in this context.
Kindly help us with this issue. Thanks in advance.
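Added example, not from the post or from Apple: a small server-side triage helper for the DDM status report shown above. It flattens the declaration states, flags declarations whose device-side server-token is stale relative to what the server last sent, and maps each entry in Errors back to the status-subscriptions declaration that requested the failing status item (the SERVER_TOKENS and SUBSCRIPTIONS tables are constructed from the post's values, with one token deliberately changed to show stale detection).

```python
import json

# Constructed sample: the DDM status report from the post above, trimmed to the relevant parts.
SAMPLE_REPORT = json.loads("""{
  "StatusItems": {"management": {"declarations": {
    "activations": [{"active": true, "identifier": "DEFAULT_ACT_0",
                     "valid": "valid", "server-token": "1706282674113"}],
    "configurations": [
      {"active": true, "identifier": "com.mdm.1740e623-4361-498d-af02-b433500d58bd.ManagedAppDDM",
       "valid": "valid", "server-token": "1706282674113"},
      {"active": true, "identifier": "com.mdm.9c70c80f-406a-425a-8829-1025652f05c6.ManagedAppListStatus",
       "valid": "valid", "server-token": "1706282673976"}],
    "assets": [], "management": []}}},
  "Errors": [{"Reasons": [{"Code": "ManagedAppDistribution.ManagedAppDistributionError.0",
                           "Description": "The operation couldn't be completed."}],
              "StatusItem": "app.managed.list"}]}""")

# Constructed: what the server believes it last sent (identifier -> server-token), and the
# status items each status-subscriptions declaration asked for. Tokens are the post's values,
# except the app declaration, which is deliberately newer to demonstrate stale detection.
SERVER_TOKENS = {
    "DEFAULT_ACT_0": "1706282674113",
    "com.mdm.1740e623-4361-498d-af02-b433500d58bd.ManagedAppDDM": "1706282674200",
    "com.mdm.9c70c80f-406a-425a-8829-1025652f05c6.ManagedAppListStatus": "1706282673976",
}
SUBSCRIPTIONS = {
    "com.mdm.9c70c80f-406a-425a-8829-1025652f05c6.ManagedAppListStatus": {"app.managed.list", "mdm.app"},
}


def declaration_states(report):
    """Flatten the report into {identifier: {"active", "valid", "token"}}."""
    decls = report["StatusItems"]["management"]["declarations"]
    out = {}
    for kind in ("activations", "configurations", "assets", "management"):
        for d in decls.get(kind, []):
            out[d["identifier"]] = {"active": d.get("active", False),
                                    "valid": d.get("valid"), "token": d.get("server-token")}
    return out


def stale_declarations(report, server_tokens):
    """Identifiers the device has not reported, or reports with an older server-token."""
    states = declaration_states(report)
    return sorted(i for i, t in server_tokens.items()
                  if i not in states or states[i]["token"] != t)


def failed_status_items(report, subscriptions):
    """Map each Errors entry to the subscription declaration that requested the status item.

    Returns [(status_item, subscription_identifier or None, [reason codes])]. Declarations
    can all report valid/active while a status item still fails, as in the post.
    """
    owner_of = {item: ident for ident, items in subscriptions.items() for item in items}
    return [(e["StatusItem"], owner_of.get(e["StatusItem"]),
             [r["Code"] for r in e.get("Reasons", [])])
            for e in report.get("Errors", [])]
```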
I need help pairing an Apple Watch to a supervised iPhone with MDM.
I need to know which Apple bundle ID is the one responsible for the connection.
By now the watch does pair with the iPhone, but some of the apps don't appear on the Apple Watch even though I've already allowed those bundles in my MDM.
Thank you!
Hi all,
I'm trying to uninstall FortiClient on a MacBook with an M1/M2 processor using a script from this article: https://community.fortinet.com/t5/FortiClient/Technical-Tip-Uninstall-FortiClient-using-a-script-on-...
I only added two lines to change flags. Here is my script:
#!/bin/sh
# Uninstall FortiClient.sh
# Stop the running FortiClient processes before touching files.
pkill FortiClient
pkill FortiClientAgent
pkill FctMiscAg
launchctl unload /Library/LaunchDaemons/com.fortinet*
# Clear the system-immutable flag so the bundles can be removed.
chflags -hv noschg /Applications/FortiClient.app
chflags -hv noschg /Applications/FortiClientUninstaller.app
rm -Rfv /Applications/FortiClient.app
rm -Rfv /Applications/FortiClientUninstaller.app
rm -Rfv /Library/Application\ Support/Fortinet
# Path fixed: the original line had a space instead of "/" before the bundle name,
# which would have removed the whole Internet Plug-Ins directory.
rm -Rfv /Library/Internet\ Plug-Ins/FortiClient_SSLVPN_Plugin.bundle
rm -Rfv '/Library/LaunchDaemons/com.fortinet.forticlient.vpn.plist'
rm -Rfv '/Library/LaunchDaemons/com.fortinet.forticlient.wf.plist'
rm -Rfv '/Library/LaunchDaemons/com.fortinet.forticlient.fmon.plist'
rm -Rfv '/Library/LaunchDaemons/com.fortinet.forticlient.epctrl.plist'
rm -Rfv '/Library/LaunchDaemons/com.fortinet.forticlient.appfw.plist'
rm -Rfv '/Library/LaunchDaemons/com.fortinet.forticlient.fssoagent_launchdaemon.plist'
# Remove per-user FortiClient data for every local account with a UID above 500.
localAccounts=$(dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }')
for user in $localAccounts ;
do
rm -Rfv /Users/"$user"/Library/Application\ Support/Fortinet/
done
But I got an error that deleting FortiClient.app and FortiClient.app/Contents is not permitted, because the application is locked. At this time, FortiClientUninstaller.app has been deleted successfully:
chflags: /Applications/FortiClient.app: Operation not permitted
/Applications/FortiClientUninstaller.app
and
rm -Rfv /Applications/FortiClient.app
rm: /Applications/FortiClient.app/Contents: Operation not permitted
rm: /Applications/FortiClient.app: Operation not permitted
Could someone help me with this issue, please?
I need to uninstall FortiClient using a script via MDM on multiple devices.
Please tell me about the NotNow status returned by the MDM command for Apple devices.
◾️I would like to check
I am aware that there are some MDM commands that return a status NotNow when the device is locked and the command cannot be executed.
I am aware of InstallProfileCommand and SecurityInfoCommand.
https://developer.apple.com/documentation/devicemanagement/installprofilecommand
https://developer.apple.com/documentation/devicemanagement/securityinfocommand
Please answer the following two questions.
◾️Question
I would appreciate an answer with the official name of the command and the URL of the command's reference, if possible.
Question 1
Please tell us if there are commands other than InstallProfileCommand and SecurityInfoCommand that return status NotNow because the command cannot be executed if the terminal is locked.
Question 2
Please tell us if any of the following commands return the status NotNow because the command cannot be executed if the terminal is locked.
DeviceConfiguredCommand
AvailableOSUpdatesCommand
ScheduleOSUpdateCommand
OSUpdateStatusCommand
Hello, Dear Engineers
I have distributed a management profile from Apple Configurator to my terminal with reference to the following document:
https://developer.apple.com/documentation/devicemanagement/cellularprivatenetwork
Situation:
We tested the device in an environment where both Wi-Fi and cellular connections were available, and Wi-Fi seemed to have priority in the operation.
Because CellularDataPreferred, which is set in the distributed management profile, is enabled, I would like cellular to be given priority.
I am using iPhone 15 (iOS 17.1.2).
Question:
・Is there anything else missing besides the Profile Example to make CellularPrivateNetwork's Device Management Profile work properly?
・Has anyone confirmed that CellularPrivateNetwork's Device Management Profile works correctly?
Best regards
Hi!
https://developer.apple.com/documentation/devicemanagement/applayervpn
I have a question about AssociatedDomains in the AppLayerVPN reference above.
From the description, I believe that this property triggers the VPN when the app is launched with a universal link and connects to the domain specified in AssociatedDomains.
Is that correct in your understanding?
I specified "twitter.com" as a test, and the VPN was not triggered when the universal link was executed from Safari, etc.
How can I make a VPN connection with the domain connection specified in the AssociatedDomains property?
If you could please let us know with some real life examples.
I will pass on your thanks in advance.
Thanks.
https://developer.apple.com/documentation/managedappdistribution
As stated in the above documentation, to use this framework, the app must have the following entitlement enabled.
The Managed App Installation UI entitlement is required to use this framework.
But it is not found in the developer portal. Are there any other requirements Apple expects in order to use this entitlement? Any help will be appreciated.
We have an existing version of a mobile app in the App Store. This app was written in Ionic version 2.2, more than 4 years back.
To improve user experience and to add helpful features, we re-wrote the app in React Native. We are planning to release this new version in 2024.
We want a recommendation on how to release the new version in a controlled way to selected few users only. We will have a specific target audience for the new version, not random sampling (so, can't use phased release option). User selection will be driven by a database.
Constraints as follows.
Old app is frozen. It's very difficult to change anything in it.
We do not have MDM. It’s a public facing app.
We should be able to control who gets which version of the app.
We should be able to roll back to the old app if needed.
We are trying to bundle both apps in a container app which will route the user to the old or new version of the app (within the same bundle). Has anyone done anything like this before? If not, do you see any technical difficulties with the approach, either during coding or during App Store review?
I maintain an iOS and Apple TV app that share a bundle ID. We recently updated our Apple TV app to version 5 but iOS remains at version 4.6.6. However when you view the App Store Preview page it only shows the iOS version history and version number.
Example https://apps.apple.com/us/app/trilbytv-player/id674488346?platform=appleTV
I believe this also has a knock-on effect for MDM systems, as we are aware of an issue where Jamf may not be able to allow Apple TV devices to update to v5 because the App Store data it uses reports the iOS version number, not the platform-specific version.
When attempting to renew a certificate after December 18, 2023, an error may be displayed, preventing the renewal of the certificate. It seems that repeating the process multiple times can occasionally lead to success, indicating that there is no issue with the CSR file. This occurrence has been observed in multiple MDM services, including Intune, Workspace ONE, and various other MDM vendors, suggesting a malfunction with Apple's servers.
We hope that this issue will be promptly resolved and fixed.
Although unrelated to the previous issue, when pressing "Manage Certificates," it redirects back to the login screen instead of returning to the certificate list page. Please fix this so that it returns to the certificate list page.
I registered a Mac as a device in Apple Developer using a third-party UDID for collaboration, but the Mac cannot be selected when creating a provisioning profile. And they say UDID and UUID are the same. Why is that?
The third party's Mac has been updated to Ventura OS using Open Core patcher.
Push notification for PWA app is supported on iOS >= 16.4.
I want to restrict app usage using the Restrictions payload of a configuration profile. Formerly we could do it by defining a restriction like this (actually via MDM).
<key>whitelistedAppBundleIDs</key>
<array>
<string>com.apple.webapp</string>
</array>
However, on iOS >= 17.0, the notification setting of the PWA app has disappeared!
Without the restriction payload, or with the restriction payload without whitelistedAppBundleIDs, the notification setting for the PWA app is shown as expected.
We also discovered that the issue can be avoided by adding com.apple.WebKit.PushBundle.xxxxxx to the restriction payload.
<key>whitelistedAppBundleIDs</key>
<array>
<string>com.apple.webapp</string>
<string>com.apple.WebKit.PushBundle.7880D99FB56F4FF7B5DC019E0EDBCBD0</string>
</array>
com.apple.WebKit.PushBundle.7880D99FB56F4FF7B5DC019E0EDBCBD0 can be found in the console log using Apple Configurator.
However, it cannot be found via an MDM command (e.g. InstalledApplicationList). We want to configure and install the restriction payload on multiple devices via MDM.
So how can we find out the com.apple.WebKit.PushBundle.xxxxxx via MDM? Or how can we enable push notification settings for PWA apps with a restriction payload?
Thank you
I'm encountering a strange issue with PPPC configuration files and app visibility in Security & Privacy for standard users on the latest macOS version.
The Scenario:
I created a PPPC file granting accessibility and screen recording permissions for my app.
I deployed the PPPC file to devices using MDM.
Surprisingly, the app doesn't appear under Security & Privacy > Privacy > Screen Recording or Accessibility for standard users.
However, if I remove the PPPC file, the app instantly shows up in those locations.
What I've Tried:
Double-checked the PPPC file syntax and permissions configuration.
Redeployed the PPPC file and verified successful installation on devices.
Restarted devices and re-registered the MDM profile.
The Impact:
This issue prevents standard users from granting my app the necessary permissions through the standard system interface. They require admin intervention to grant permissions manually, which is inconvenient and not ideal for our workflow.
Seeking Help:
I'm reaching out to the community for any insights or suggestions on resolving this issue. Has anyone encountered a similar problem with PPPC files and standard user permissions? Any advice or potential solutions would be greatly appreciated!