Hi, I'm glad to hear that the service discovery process is improved on iOS/iPadOS 18.2 mentioned here.
https://support.apple.com/en-ca/guide/deployment/dep4d9e9cd26/1/web/1.0
I tried it on my development MDM server.
Set default MDM for iPad to my development MDM server on Apple Business Manager.
Call the new API https://developer.apple.com/documentation/devicemanagement/account_driven_enrollment_profile and 200 OK is returned
However the service discovery fails with the following error.
Invalid well-known response for https://{my email's comain name}/.well-known/com.apple.remotemanagement?user-identifier={my email}&model-family=iPad: <NSHTTPURLResponse: 0x300a9f420>
Invalid well-known response for https://axm-servicediscovery.apple.com/mdmBaseURL?user-identifier={my email}&model-family=iPad: <NSHTTPURLResponse: 0x3009047a0>
It seems fallback process to https://axm-servicediscovery.apple.com/mdmBaseURL actually works but it returns 404 Not Found error.
How can we use this awesome feature?
Thank you :)
Explore the intersection of business and app development. Discuss topics like device management, education, and resources for aspiring app developers.
Post
Replies
Boosts
Views
Activity
Backup and restore Personal IOS data to a Supervised device?
We currently have around 200+ iPhone users that are using their devices as personal devices. We are planning on moving them to Intune using Automated Device Enrollment (Supervised).
Is it any way possible to backup their devices, do a factory reset, enroll them in Intune, then restore the old data?
Is it possible to do backup and restore in this situation? Is there an alternative way to restore the data back to a supervised device?
我有十一台M4芯片的mac mini,目前通过AC2将设备挂载在ABM中。目前有10台通过接口 “https://mdmenrollment.apple.com/device/activationlock” 启用企业激活锁去出现INTERNAL_SERVER_ERROR错误,只有一台成功了,成功那台设备使用的ABM账号与其他设备使用的ABM账号不同所属组织也不同。
I have eleven M4 chip Mac mini devices, currently mounted in ABM through AC2. Currently, there are 10 units that have passed the interface“ https://mdmenrollment.apple.com/device/activationlock ”Enabling the enterprise activation lock resulted in an INTERNAL_SERVER-ERROR error, and only one device succeeded. The successful device used a different ABM account than the other failed devices and belonged to a different organization.
We are considering the development of a new service,
We would like to ask for detailed information on the feasibility of the following.
Is it possible to encapsulate only xcframework, such as encapsulating xcframeworkA into xcframeworkB?
If the above is possible, will the application incorporating the xcframework in the above state pass the review of apple?
Hi,team:
I have configured SystemExtensions and WebContentFilter for supervised devices through mdm, and set NonRemovableFromUISystemExtensions in SystemExtensions, but found that my network filter cannot be deleted in macOS10, macOS11 and macOS12, but it can still be turned off by selecting the network filter in the network and choosing to disable the service. However, it cannot be turned off in macOS13, macOS14 and macOS15. How can I prevent supervised devices from turning off the network filter in 10, 11 and 12?
The macOS 10.15.7 image is as follows:
macOS15.1.1 cannot delete and cannot close the image as follows:
Hope to receive your reply!
When clicking Upload for the CSR file, there is no APNS certificate available for download.
Instead, the portal redirects to https://www.apple.com/filenotfound
MDM Push Certificates are critical for the operation of managed devices, if they expire, all devices will have to be reenrolled creating a catastrophic event for all the customers devices.
Please review and given how critical this service for renewing certificates is for your customers, please also make sure it is always available without downtimes.
Let me know if you need more details,
Thank you,
Sergio
Hi,team:
I know that the MDM system extension configuration parameter RemovableSystemExtensions can only be valid after macOS12+, but can I also use this parameter between macOS10.15-12? Even if he is ineffective. Will this cause any problems with the system. I want to use the same MDM configuration file for the devices I manage, which have systems between macOS10.15-15.I hope to receive your confirmation
We have noticed that if we apply forceDelayedSoftwareUpdates in Restrictions profile, it causes ScheduleOSUpdates to fail or go into an invalid state.
For example:
On my iOS device, we have set the forceDelayedSoftwareUpdates to 90 days which removed the latest iOS update iOS 18.2 from the Software Updates section on the device.
Post this, if I schedule an update for iOS 18.2 using ScheduleOSUpdateCommand, it fails to download.
If I schedule the same without forceDelayedSoftwareUpdates, the update works as expected.
Please help what could be the reason for this behavior as forceDelayedSoftwareUpdates should not block ScheduleOSUpdates.
Hi Apple Community,
I have been Testing with key allowAccountModification in macOS Restriction Payload and found some contrasting behavior
In macOS 14, macOS 15.1 in both of the OS Version when allowAccountModification is set to False it restricts adding new Account in System Settings and this is expected behavior
How ever things are contrasting and not going as expected in the below situation
When macOS 14 Version has 2 profiles for Restriction Payload one with allowAccountModification set to False and another with allowAccountModification set to True it restricts adding Apple Account
When macOS 15.1 Version has 2 profiles for Restriction Payload one with allowAccountModification set to False and another with allowAccountModification set to True it allows adding Apple Account
I remember when restrictions payload keys are contrasting across different profile Apple Uses the most restrictive one among them. But in macOS 15.1 the behavior is unexpected. Is this a issue in 15.1 and is there any list of macOS versions which shows this unexpected behavior
Hi Apple Community,
If a macOS Device is FileVault Encrypted, We are using the keys FDE_HasInstitutionalRecoveryKey, FDE_HasPersonalRecoveryKey from SecurityInfo to know the Device Encryption Type. But Some times rarely we get FDE_Enabled as true but both the above mentioned keys as false
Also we get SecurityInfo Response patterns like these only if FileVault is enabled in Device with iCloud as option to unlock the disk
Can we confirm this pattern or is there any way to know if device is encrypted with options other than Personal / Institutional Types
<plist version="1.0">
<dict>
<key>CommandUUID</key>
<string>SecurityInfo</string>
<key>SecurityInfo</key>
<dict>
......
......
......
<key>FDE_Enabled</key>
<true/>
<key>FDE_HasInstitutionalRecoveryKey</key>
<false/>
<key>FDE_HasPersonalRecoveryKey</key>
<false/>
......
......
......
<key>Status</key>
<string>Acknowledged</string>
<key>UDID</key>
<string>..............</string>
</dict>
</plist>
I work with https://developer.apple.com/documentation/devicemanagement/activationlockrequest?language=objc.
The same codes work well on other devices, such as iphone, ipad, mac air.
What causes?
What can i do to resovle it?
Is there a way for our app to deny Apple ID users from logging into the app if the Apple ID is not specifically managed by Apple School Manager? This would allow only students to be able to use the app.
Basically is there a way for us to know if an Apple ID was created by Apple School Manager?
is it possible to push app updates in Single App Mode via Intune?
I have private certificate authority. Root > Intermediate > Leaf.
When I install the Root Certificate, it shows in Settings > General > About > Certificate Trust Settings in iOS 18.1.1
However, when I install the Intermediate Certificate (including the CA Bundle), the Intermediate CA Certificate is not shown in the Certificate Trust Settings.
All my leaf certificates are issued by the Intermediate CA. Is this a bug? If not, how can this be solved? TIA!
I am trying to create a DNS over HTTPS and DNS over TLS server that requires authentication with a client certificate and configure it in the Device Management Profile for use from the iPhone.
I have set the PayloadCertificateUUID in DNSSettings, but it appears that the client certificate is not being used.
Is there anything I should check in advance when using a p12 file with PayloadCertificateUUID?
Configuration Profile
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>295E68E5-39F0-46D1-94E4-4A49EC8392E2</string>
<key>PayloadIdentifier</key>
<string>com.example.dns</string>
<key>PayloadDisplayName</key>
<string>My DNS</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadType</key>
<string>com.apple.dnsSettings.managed</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>4CCEE94D-7B72-46AB-87AD-5A368F937339</string>
<key>PayloadIdentifier</key>
<string>com.example.dns.names</string>
<key>PayloadDisplayName</key>
<string>My DNS</string>
<key>PayloadDescription</key>
<string>DNS Settings</string>
<key>PayloadCertificateUUID</key>
<string>07A96080-5FAE-4026-937D-F578530E1444</string>
<key>DNSSettings</key>
<dict>
<key>DNSProtocol</key>
<string>TLS</string>
<key>ServerName</key>
<string><!-- my DoT server name --></string>
</dict>
<key>ProhibitDisablement</key>
<false/>
</dict>
<dict>
<key>PayloadType</key>
<string>com.apple.security.pkcs1</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>260CC26A-2DD1-4B16-B8C0-AF1E655576AD</string>
<key>PayloadIdentifier</key>
<string>com.example.certs.intermediate-ca</string>
<key>PayloadDisplayName</key>
<string>Intermediate CA</string>
<key>PayloadDescription</key>
<string>Intermediate CA</string>
<key>PayloadCertificateFileName</key>
<string>ca-chain.cert.cer</string>
<key>PayloadContent</key>
<data><!-- contents of Intermediate CA certificate --></data>
</dict>
<dict>
<key>PayloadType</key>
<string>com.apple.security.root</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>E5DB74AA-3C5F-470B-AAE0-DF072095A2EC</string>
<key>PayloadIdentifier</key>
<string>com.example.certs.root-ca</string>
<key>PayloadDisplayName</key>
<string>Root CA</string>
<key>PayloadDescription</key>
<string>Root CA</string>
<key>PayloadCertificateFileName</key>
<string>ca.cert.cer</string>
<key>PayloadContent</key>
<data><!-- contents of Root CA certificate --></data>
</dict>
<dict>
<key>PayloadType</key>
<string>com.apple.security.pkcs12</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>07A96080-5FAE-4026-937D-F578530E1444</string>
<key>PayloadIdentifier</key>
<string>com.example.certs.client.iseebi</string>
<key>PayloadDisplayName</key>
<string>Client Certificate</string>
<key>PayloadDescription</key>
<string>Client Certificate</string>
<key>Password</key>
<string><!-- password of p12 --></string>
<key>PayloadCertificateFileName</key>
<string>Key.p12</string>
<key>PayloadContent</key>
<data><!-- contents of p12 --></data>
</dict>
</array>
</dict>
</plist>
iPhone console log
Connection 3742: enabling TLS
Connection 3742: starting, TC(0x0)
Connection 3742: asked to evaluate TLS Trust
Connection 3742: TLS Trust result 0
Connection 3742: asked for TLS Client Certificates
Connection 3742: issuing challenge for client certificates, DNs(1)
Connection 3742: asked for TLS Client Certificates
Connection 3742: received response for client certificates (-1 elements)
Connection 3742: providing TLS Client Identity (-1 elements)
Connection 3742: providing TLS Client Identity (-1 elements)
Connection 3742: connected successfully
Connection 3742: TLS handshake complete
Connection 3742: ready C(N) E(N)
Connection 3742: received viability advisory(Y)
Connection 3742: read-side closed
Connection 3742: read-side closed
Connection 3742: read-side closed
Connection 3742: cleaning up
Connection 3742: done
server log (stunnel)
LOG5[9]: Service [dns] accepted connection from <IP>
LOG6[9]: Peer certificate required
LOG7[9]: TLS state (accept): before SSL initialization
LOG7[9]: TLS state (accept): before SSL initialization
LOG7[9]: Initializing application specific data for session authenticated
LOG7[9]: SNI: no virtual services defined
LOG7[9]: OCSP stapling: Server callback called
LOG7[9]: OCSP: Validate the OCSP response
LOG6[9]: OCSP: Status: good
LOG6[9]: OCSP: This update: 2024.12.06 08:32:00
LOG6[9]: OCSP: Next update: 2024.12.13 08:31:58
LOG5[9]: OCSP: Certificate accepted
LOG7[9]: OCSP: Use the cached OCSP response
LOG7[9]: OCSP stapling: OCSP response sent back
LOG7[9]: TLS state (accept): SSLv3/TLS read client hello
LOG7[9]: TLS state (accept): SSLv3/TLS write server hello
LOG7[9]: TLS state (accept): SSLv3/TLS write change cipher spec
LOG7[9]: TLS state (accept): TLSv1.3 write encrypted extensions
LOG7[9]: TLS state (accept): SSLv3/TLS write certificate request
LOG7[9]: TLS state (accept): SSLv3/TLS write certificate
LOG7[9]: TLS state (accept): TLSv1.3 write server certificate verify
LOG7[9]: TLS state (accept): SSLv3/TLS write finished
LOG7[9]: TLS state (accept): TLSv1.3 early data
LOG7[9]: TLS state (accept): TLSv1.3 early data
LOG7[9]: TLS alert (write): fatal: unknown
LOG3[9]: SSL_accept: ssl/statem/statem_srvr.c:3510: error:0A0000C7:SSL routines::peer did not return a certificate
LOG5[9]: Connection reset/closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
LOG7[9]: Deallocating application specific data for session connect address
LOG7[9]: Local descriptor (FD=10) closed
LOG7[9]: Service [dns] finished (0 left)
Hey Community!
I am seeking your help. I have tried Apple Support but to no avail. I know they are busy with a lot of requests, understandable.
I previously had my personal developer account (which I used to use for building apps). But then I started my own consultancy/business. Now I want to create apps for my organization.
From what I understood from their guidelines:
1/ Create a new individual account with your organization.
2/ Somehow link it to an organization account using DUNS number, etc.
I am still stuck at point 1 because it doesn't verify my personal ID (could this be because it is linked to my old personal account).
Can someone walk me through the process of creating an organization account?
Quick question, when I make money from any third-party ad network I have running in my app (Google AdMob, for example), does Apple take a share of that?
I created a mobileconfig file on our self-developed MDM server and used Apple Configurator with a USB cable to prepare the device.
However, the profile installation failed and show the mdm payload is invalid must to be removed.
I suspect that the issue might be related to the CA (Certificate Authority) in the configuration, even though I have provided the ROOT SSL CA and the .p12 file.
What CA file should I include in the mobileconfig to resolve this issue?
using Apple Configurator to edit the mobileconfig file, but the MDM service is no longer displayed. How should I handle this
On devices running iOS 18+, when a web app kiosk policy is pushed via an MDM and the device is restarted. The touch screen doesn't respond on the device. So the device is currently in a brick state. Since we can't enter the password we can't get the logs from the device and it is even hard to recover the device. On restart the device isn't connecting to the internet so it isn't possible to remove the kiosk policy as well. This only happens on devices running iOS 18+ and with web app kiosk profile.
Hey everyone,
Is it possible and how to get Managed Apple ID (email) programmatically for user signed in to ipad through shared IPad feature ?
It would be good to have MDM independent solution, I mean API call to MDM service is not acceptable for us.
Maybe API call to ASM or ABM, or get that somehow on iOS device end... any advice ?
Thanks in advance,
Dima