Inquiry about Running Enterprise Apps in Killed State and MDM Payload Management:- I am developing an enterprise iOS application that needs to perform specific tasks or network calls even when the app is in a killed state (i.e., when it is not actively running in the foreground or background). I understand that standard iOS restrictions prevent apps from executing code while in this state, but I am exploring potential solutions within the scope of enterprise apps and MDM (Mobile Device Management) capabilities.
Device Management
RSS for tagAllow administrators to securely and remotely configure enrolled devices using Device Management.
Post
Replies
Boosts
Views
Activity
Inquiry about Running Enterprise Apps in Killed State and MDM Payload Management:-
I am developing an enterprise iOS application that needs to perform specific tasks or network calls even when the app is in a killed state (i.e., when it is not actively running in the foreground or background). I understand that standard iOS restrictions prevent apps from executing code while in this state, but I am exploring potential solutions within the scope of enterprise apps and MDM (Mobile Device Management) capabilities.
We have confirmed the operation using iOS18 beta devices regarding the item "allowVideoConferencingRemoteControl" which is implemented for iOS18 beta.
Remote control can be requested even if “allowVideoConferencingRemoteControl" is set to "true" or "false".
Please tell me the following.
Is it an expected behavior that there is no control regarding remote control whether "allowVideoConferencingRemoteControl" is true or false?
I have confirmed the operation by following the procedure below, but is the procedure to confirm the control of "allowVideoConferencingRemoteControl" correct?
Steps taken
Create a profile with "allowVideoConferencingRemoteControl" set to "false" in the restriction settings
Distribute to the terminal
Make a video call with facetime between iOS18 beta devices
One device performs screen sharing of the device with Share Play, and the other device requests remote control.
Even if "allowVideoconferencingRemoteControl" is set to "false" in the restriction settings, remote control requests are still made.
I am checking the behavior of the Contact settings, but the controls are not working with respect to the Communication Service Rules.
Please let me know the following
Is it possible to change the default calling app on a Japanese iPhone?
If possible, does the control of the Contact settings in the configuration profile work?
Hi, Team:
Is there any difference in the underlying logic between starting the network filter by configuring the MDM description file through the first connection below and starting the network filter through the second connection in the code?
First connection:https://developer.apple.com/documentation/devicemanagement/webcontentfilter?language=objc
Second connection:
https://developer.apple.com/documentation/networkextension/nefiltermanager?language=objc
I sent the description file through MDM in advance and configured the system extension and web content filter. When my code uses activationRequestForExtension:queue:
to activate the system extension, other security app processes will be killed. I received the following message. May I ask why this may be?
2024-09-02 11:42:19.737229 (gui/501/killed_bundleid [679]) : exited due to SIGPIPE | sent by killed_app[679], ran for 301372ms 2024-09-02 11:42:19.737239 (gui/501/killed_bundleid [679]) : service state: exited 2024-09-02 11:42:19.737245 (gui/501/killed_bundleid [679]) : internal event: EXITED, code = 0 2024-09-02 11:42:19.737247 (gui/501/killed_bundleid [679] ]) : job state = exited 2024-09-02 11:42:19.737274 (gui/501 [100003]) : service inactive: killed_bundleid 2024-09-02 11:42:19.737277 (gui/501/killed_bundleid [679]) : service state: not running 2024-09-02 11:42:19.737282 (pid/679 [killed_app]) : shutting down 2024-09-02 11:42:19.737310 (pid/679 [killed_app]) : cleaning up
I am configuring the per app VPN deployment for iOS application and want to configure the match domain per app rules so that only the traffic from that match domain will trigger the VPN for the included app. I found the documentation on portal but I can't find any MDM related page.
https://developer.apple.com/documentation/networkextension/neapprule/1406488-matchdomains
Hi,Team:
I successfully installed the system extension through MDM and want to uninstall it through RemovableSystemExtensions, but this command does not support versions below macOS 12. Is there any other way to pause or uninstall the system extension? Can I delete the configuration file that allows system extensions through MDM? Or send and delete the configuration file of AllowedSystemExtensions?
Hi, Team:
I developed a network filter and used MDM to issue a description file. By configuring AllowedSystemExtensions, I can avoid the reminder of loading system extensions during installation. However, when savingToPreferencesWithCompletionHandler, I will still be reminded that my network data is monitored. How can I configure MDM to avoid this reminder?
And why can I still delete the filter from the network filter conditions even though I configured it in mobileconfig in the following way. NonRemovableFromUISystemExtensions
com.mysystemextensionid
Hello,
I am working on a MDM solution. I am facing issue to while Activation Unlock Iphone by MDM server. I am following this https://developer.apple.com/documentation/devicemanagement/device_assignment/activation_lock_a_device/creating_and_using_bypass_codes documentation as reference.
I am able to activation lock the device from mdm server but while unlocking the device I am getting below error
"?xml version="1.0" encoding="UTF-8"?>
ns:escrowKeyDeviceServicesResponse version="1" xmlns:ns="http://www.apple.com/cds/mdmescrowKeyDeviceServices/xml">
error code="1002" message="com.apple.cds.cyclops.mdm.MDMServiceException: No registered escrow key found"/>
/ns:escrowKeyDeviceServicesResponse>"
I am sending below request for Unlock
Url=https://deviceservices-external.apple.com/deviceservicesworkers/escrowKeyUnlock?Device_Serial=XXXXXXXX&productType=iPhone12,8&imei=XXXXXXX&imei2=XXXXXXXXXXXXXX&meid=XXXXXXXXXX
Body=escrowKey=VT2DK-YR647-HWAY-096C-ER7P-89J1&orgName=ORGNAME&guid=9C1AE0D42A38A23AFFE59
Below working request for Activation Lock
URL=https://mdmenrollment.apple.com/device/activationlock
Body =
{
"Device" :"Serial_Number",
"EscrowKey" :"B83C6E662299F3AF202656C4D7A434A319A34241A2892792132EECE56F6D898A",
"LostMessage":"Message"
}
Any idea what could cause this error.
Hello,
We are trying to use the Managed App Distribution framework with our mdm following the documentation here : https://developer.apple.com/documentation/managedappdistribution
But on the first load we don't get anything, the app keep getting stuck inside the following code without sending an error or getting the managed apps
for try await result in ManagedAppLibrary.currentDistributor.availableApps {
content = try result.get().map(Content.managedApp)
}
If we update the list of available managed apps in our mdm, the function execute and so we have all the apps displayed as expected, but if we close and re-open the app it'll again not display anything until we update the managed apps list.
How can we fetched our managed apps at anytime and not only when the list is updated ? Why this method seems to be waiting for an update instead of just fetching the available managed apps when we call it ?
The customer's ABM account has been locked,i can't get token with DEP Server Token.Is there any ways to release device from ABM with some api or softwares.
I hope no remote management page during the activation process settings after i restore factory settings.
Thanks in advance.
In MDM Software Update settings(https://developer.apple.com/documentation/devicemanagement/softwareupdate), there is a key "restrict-software-update-require-admin-to-install" which apparently controls if the standard users are allowed to install apps and software updates.
But so far, even if this is set to true, a standard user is able to download apps from Appstore.
We noticed that when we publish a pkg to be installed via MDM, then that does not get installed if the above setting is set to true.
Please provide clarity on what this setting controls.
In the latest macOS 15 system, we've noted that end users have the capability to disable and prevent the launch of system extensions via system settings.
I'm curious to know whether Apple plans to offer MDM configurations to deter end users from performing such actions.
We have encountered an issue while developing our own Apple MDM solution. The issue occurs in the activation lock scenario.
We have implemented the activation and deactivation of the activation lock feature in accordance with the following documentation.
1:https://developer.apple.com/documentation/devicemanagement/activation_lock_a_device
2:https://developer.apple.com/documentation/devicemanagement/device_assignment/activation_lock_a_device/creating_and_using_bypass_codes#3734453
Activationlock
Request URI : https://mdmenrollment.apple.com/device/activationlock
Request Method : POST
Request Headers : [Accept:"text/plain, application/json, application/*+json, /", X-ADM-Auth-Session:"1723449441118O1O649496FAD285FDC77565EC075E770547O90695212BB76419F8E43B2F68BE7A6C6O67033512O11Op1OA0EA85747E70D2D6941C4F6662166CAF22C2193COC298C61ECC7B9E9C14EB2A20305F7E41", X-Server-Protocol-Version:"3", Content-Type:"application/json", Content-Length:"133"]
Request Body : {"device":"K2LP4HQXJ4","escrow_key":"QRV7D-JPPMQ-Z90N-1VN8-L1PN-45Q2","lost_message":"xxxxx"}
Response : {"serial_number":"K2LP4HQXJ4","response_status":"SUCCESS"}
escrowKeyUnlock
Request URI : https://deviceservices-external.apple.com/deviceservicesworkers/escrowKeyUnlock?serial=K2LP4HQXJ4&imei=357174298879232&meid=35717429887923&productType=iPhone14,2
Request Method : POST
Request Headers : [Accept:"text/plain, application/json, application/*+json, /", Content-Type:"application/x-www-form-urlencoded", Content-Length:"189"]
Request Body : orgName=xxxxx&guid=xxxxx&escrowKey=QRV7D-JPPMQ-Z90N-1VN8-L1PN-45Q2
Response : 404 <ns:escrowKeyDeviceServicesResponse version="1" xmlns:ns="http://www.apple.com/cds/mdmescrowKeyDeviceServices/xml"></ns:escrowKeyDeviceServicesResponse>
Who can help me check if there are any errors in the way I'm calling these two APIs, and how to correct them?
I use then interface https://developer.apple.com/documentation/devicemanagement/device_assignment/activation_lock_a_device/creating_and_using_bypass_codes#3734453
to remove Activation Lock。
request url:https://deviceservices-external.apple.com/deviceservicesworkers/escrowKeyUnlock?serial=***&productType=***&imei=***&meid=***
then body is escrowKey、orgName、guid
and use APNs certificate when establishing the SSL connection
but return me:<ns:escrowKeyDeviceServicesResponse version="1" xmlns:ns="http://www.apple.com/cds/mdmescrowKeyDeviceServices/xml"></ns:escrowKeyDeviceServicesResponse>
Hi.
I'm trying to use the following command to set a wallpaper on an iPhone :
/usr/local/bin/cfgutil -K "/Users/ladmin/Downloads/privateKey.der" -C "/Users/ladmin/Downloads/publicCert.der" --ecid 0xE64120151001E set-wallpaper -s home "/Users/ladmin/Downloads/mickey-iPhone-12-Pro-12-wallpaper.png"
The answer is always :
--- Summary ---
Operation "set-wallpaper" failed on 1 devices.
cfgutil: error: An internal error occurred. Unknown service request error.
(Domain: ConfigurationUtilityKit.error Code: 100)
The same type of command works with an iPad.
Apple Configurator 2 can set the wallpaper on the iPhone.
Is there something different to do with cfgutil when setting a wallpaper on an iPhone ?
Thanks for your insights !
Franck
The Check-in API is now used for declarative device management in addition to MDM authentication and token updates.
We would like to set a different endpoint for DDM requests only than for MDM authentication
So is it possible to configure different Check-in API endpoint for MDM and DDM?
For example, we would like to split the endpoints as follows
Endpoints for MDM authentication and token update
yourmdmhost.example.com/checkin
Endpoint for DDM
yourmdmhost.example.com/ddm-chcekin
Check-in API Documentation
https://developer.apple.com/documentation/devicemanagement/check-in
Currently system extension need to be activate through an .app, and then need to manual allow in System Settings, Privacy and Security Pane with root user password
How to install driver extension/system extension without any manual user click and just to install and allow all the permission using script?
I am attempting to apply the softwareupdate.enforcement.specific declaration on a device. The first time it is processed it is applied successfully.
I then generate a new set of declarations for the device and send a sync command to the device with the new server token. The management.status-subscriptions declaration and the activation.simple declaration are both applied successfully, even though the contain the same content and server token, but a different identifier than the original declarations. For some reason, the softwareupdate.enforcement.specific declaration fails to be applied and the reason is reported as
[kSUCoreErrorDDMInvalidDeclarationFailure] New declaration is a duplicate
The original softwareupdate.enforcement.specific identifier is not included in the new declaration-items response, only the new identifier. I would expect the device to remove the existing declaration and apply the new one, even if it is a duplicate of a declaration no longer specified for the device.
Has anyone else run across this issue?