I'm reaching out to discuss a significant issue related to how iOS handles app login sessions, particularly in the context of MDM (Mobile Device Management) and the Outlook app.
In our organization, we use MDM to distribute applications, including Outlook, with certificate-based authentication for BYOD (Bring Your Own Device) devices. This setup allows users to log in seamlessly to their accounts. However, we've encountered a concerning behavior: when a user unenrolls from MDM, which automatically removes the distributed apps and certificates, they can later reinstall the app from the App Store and find themselves automatically logged back into their previous accounts without any authentication prompts.
Here’s a detailed breakdown of the situation:
Initial Installation: Users enroll their devices in MDM, which installs the necessary apps and certificates on those devices.
Session Storage: After the initial login, the app stores the session locally on the device.
App Deletion: When users un enroll their devices from MDM, it automatically removes the distributed apps and certificates.
Reinstallation: Days or weeks later, when they reinstall the Outlook app from the App Store, they find themselves automatically logged back into their accounts.
This behavior raises important concerns:
Lack of Authentication: The app retaining user sessions even after deletion allows users to access their accounts without re-authentication, which could lead to potential unauthorized access and undermines the effectiveness of certificate-based authentication and two-factor authentication (2FA).
Note: This issue is not limited to Outlook; we've observed similar behavior with many other apps.
Need for a Solution -
Given the implications of this behavior, we are looking for effective solutions to prevent it. Specifically, we need options within the MDM framework to:
Restrict Session Retention: Implement settings that ensure any app deleted via MDM will lose all stored sessions and require re-authentication upon reinstallation.
Default Settings for MDM-Distributed Apps: Ideally, this would be a default feature for all apps distributed through MDM, ensuring that user sessions are not retained after app deletion.
Has anyone else experienced this issue? Are there any existing settings or workarounds within MDM platforms to mitigate this problem? Your insights and experiences would be invaluable as we navigate this challenge.
Thank you!
Explore the intersection of business and app development. Discuss topics like device management, education, and resources for aspiring app developers.
Post
Replies
Boosts
Views
Activity
Analytics report issues
Hello,
I have a system, which is able to execute bash/zsh scripts on a set of machines.
The default behaviour is that the signature of the script is checked on the machine, which is executing it, and in case if it is not signed properly, the system rejects the execution.
An own certificate has to be created for signing the scripts, which means that the certificate has to be installed and marked as trusted on the target machines (which are executing the script).
I've been using :
"/usr/bin/security add-trusted-cert ..."
command to install the certificate on the machines as trusted.
Since macOS Big Sur, the above command was prompting the local user for admin credentials. To avoid this, Apple suggested to use the following command to temporarily disable and re-enable the confirmation dialog :
1.:
/usr/bin/security authorizationdb write com.apple.trust-settings.admin allow
2.:
/usr/bin/security authorizationdb write com.apple.trust-settings.admin admin
Now with the release of macOS Sequoia, the above command :
"/usr/bin/security authorizationdb write com.apple.trust-settings.admin allow"
does not work any more.
It gives the following output :
NO (-60005)
I have the following questions :
1.: Could you please suggest an alternative way for IT administrators to install certificates on their machines, without any user confirmation?
2.: Could you please suggest how the same could be achieved using a bash/zsh script? In which context could the above commands :
"/usr/bin/security authorizationdb write com.apple.trust-settings.admin allow"
and
"/usr/bin/security authorizationdb write com.apple.trust-settings.admin admin"
still work?
Thank you for your help in advance!
When the user pushed the lock device action on a macOS 14, it returned an acknowledgement but the device wasn't locked. Which resulted in loss of data on the device.
Dear Apple Developer Support Team,
I hope this message finds you well.
I am currently utilizing the services at https://identity.apple.com for mobile device management and encountered an issue while attempting to upload a Certificate Signing Request (CSR) file to the portal. The system generated an error indicating that the file format was invalid.
Below are the steps I followed to generate the CSR:
I first created a private key on my server using the following command:
openssl genrsa -out private.key 2048
Next, I generated the CSR file with the following command:
openssl req -new -key private.key -out request.csr
Despite following these steps, I could not successfully upload the CSR file and obtain the APNs certificate. I would greatly appreciate your guidance on creating and uploading a valid CSR file to avoid this error.
Please let me know if there are any specific formatting requirements or additional steps I need to follow. Thank you in advance for your assistance and support.
We are doing application assignment to personal iOS devices that are enrolled in MDM via User Enrollment. However, we're experiencing some odd behavior when assigning licenses.
We are getting back errors from the devices when doing assignments:
code: 12064, domain: MDMErrorDomain, description: Could not retrieve licence for the app with iTunes Store ID 422689480.
code: 2605, domain: DeviceManagement.error, description: No licence was found for app "com.google.Gmail".
However, we are not seeing license exhaustion on the Apple Business Manager side for our location.
We are not clear what would cause the 12064 or 2605 errors.
We have tried re-sending the command to install the app, and we have tried un-enrolling devices and re-enrolling, as well as updating the VPP Token for the location.
We have gathered sysdiagnoses from affected devices, but it's not clear what causes this. What other causes are there for 12064 and 2605 errors? How can we work around these?
Context: I’m not an app developer, but I’m doing some research in order to gain a high level understanding of an app that I want some developers to build for me.
Basically I need a navigation app built (integrated with Google Maps) that works pretty much like Google Maps. This app will connect to and stream live navigation data to a car HUD (heads-up-display) device using WiFi direct (to facilitate high bandwidth streaming). The purpose of the streaming from the mobile app to the HUD is so that the driver can see the live map without having to look at their phone.
This leads me to my QUESTION: this functionality (streaming from app to HUD) is similar to what AirPlay does & I’ve read that Apple rejects apps that replicate AirPlay’s screen mirroring function. I’ve also read that in order to work around this, my app should limit the information that is sent to & displayed by the HUD device (basically, shouldn’t mirror the whole screen). So, would Apple still reject my app if it only streamed the live map onto the HUD device & left out all the other information displayed on the app (ETA, turn signals, distances etc.) and thus refraining from streaming the entire screen?
I am trying to set up a workflow where Apple Vision Pro users in my organization can install a signed enterprise .ipa file from an internal web page.
The relevant link looks something like this:
<a role="button" href="itms-services://?action=download-manifest&url=https://my.example.com/path/manifest.plist">Click here to download</a>
After verifying that all the mime types were correct on the server and the certificate was valid, I finally attached my AVP headset to my Mac's console app and saw that the errors look like this:
[com.example.myapp] Skipping due to incompatible platform: com.apple.platform.xros
Could not load download manifest with underlying error: Error Domain=ASDErrorDomain Code=752 "Not compatible with this platform: com.apple.platform.xros" UserInfo={NSDebugDescription=Not compatible with this platform: com.apple.platform.xros}
This manifest.plist was made by the "Distribute App" workflow in Xcode 16.0.
Multipart question:
Is installing VisionOS apps via manifest+ipa over a web connection a supported way of installing apps?
If the issue is with com.apple.platform.xros, what should be the platform-identifier for VisonOS apps?
We use managed Apple accounts for all users in our environment. One of these accounts is associated with an App Store app. Currently the developer console has a banner that says:
"There's no credit/debit card on the Apple Online Store associated with your Apple ID to auto-renew your membership."
This account, as well as my own admin account, are unable to add a payment method to our Apple account. We're missing the "Payments & Shipping" button on the Manage Account page.
How can we renew our developer subscription to keep our app on the App Store? It's critical for us that the account that owns this app is managed. TIA
Hi,
I have a question regarding reading the configuration of a managed app deployed via an MDM system. The application has an Action Extension and can receive shared files via this extension.
The problem I am facing is that I can read the managed configuration in the host app by accessing the UserDefaults.standard.object(forKey: "com.apple.configuration.managed") dictionary. With this, I can configure the host app. However, I am unable to read this configuration key in the Action Extension part of the application.
My question is whether there is any possibility to read the managed configuration even in the extension. So far, I have been unable to figure out how to read it.
I found the sample code, but it was not very helpful since it is very basic and does not deal with extensions at all.
Any hints are appreciated.
Hello:
The App Store provides https://developer.apple.com/help/app-store-connect/configure-in-app-purchase-settings/enter-server-urls-for-app-store-server-notifications When the server interfaces with this interface, it is found that the specific user account cannot be found. How should I know which user initiated the subscription, or which user automatically subscribed during automatic renewal? Do you have a user account or ID?
I hope to receive your complete answer as soon as possible.
Best wishes.
https://support.apple.com/en-gb/guide/deployment/dep6fa9dd532/web dangles a carrot about being able to facilitate "A list of domains that the Shared iPad sign-in screen displays. The user can pick a domain from the list to complete their Managed Apple ID." - this sounds ideal!
In the absence of this seemingly being supported by Apple Configurator or iMazing Profile Editor at the time of writing, I have tried to create my own but I fall foul of knowing what PayloadIdentifier or PayloadType to use?
This is the draft/work in progress/doomed to failure config so far (which doesn't - as expected - work):
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>HasRemovalPasscode</key>
<false/>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string>Configures Managed Domains</string>
<key>PayloadDisplayName</key>
<string>Domains</string>
<key>PayloadIdentifier</key>
<string>com.apple.domains.DE12211A-CFDD-4F8C-8D7B-72E569CE3B6C</string>
<key>PayloadType</key>
<string>com.apple.domains</string>
<key>PayloadUUID</key>
<string>DE12211A-CFDD-4F8C-8D7B-72E569CE3B6C</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>WebDomains</key>
<array>
<string>domain.com</string>
</array>
</dict>
</array>
<key>PayloadDescription</key>
<string>For Shared iPad login convenience</string>
<key>PayloadDisplayName</key>
<string>DefaultDomain</string>
<key>PayloadIdentifier</key>
<string>Tom.77CF3CA5-4A48-41DD-9179-EF6F4C5E786E</string>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>A5594F17-155B-4A1C-8696-3F502D118C37</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
The support article is probably ~2-year old information so I'd have thought that by now that this would be documented somewhere - am I just not looking hard enough?
中文:
大家好,我通过https://mdmenrollment.apple.com/session获取到了auth_session_token,并能正常使用device/activationlock、devices、profile/devices这些接口,但是不能正常使用devices/disown(https://mdmenrollment.apple.com/devices/disown)这个接口,接口返回401 UNAUTHORIZED,请问应该怎么处理?
English:
Hi, I have passed https://mdmenrollment.apple.com/session Obtained auth_dession_token and can use interfaces such as device/activationlock, devices, and profile/devices normally, but cannot use devices/disown normally( https://mdmenrollment.apple.com/devices/disown )How should I handle this interface, which returns 401 UNAUTORIZE?
I am looking into bypassing the following popup when setting up an iPhone 15 Pro:
Would the SkipKey SIMSetup allow to bypass having the following window popup upon initial setup? So far all settings are bypassed during the initial setup of the phone and the application of Wi-Fi. The only issue present in the setup I want to achieve is prohibiting this window regarding eSIM set up.
We are in the process of replacing the TripleDES algorithm with AES in our MDM solution. However, after switching the encryption algorithm, we encountered the following error on Apple devices during enrollment:
Error: "-26275 error decrypting response payload (mdmclient(SCEP))"
Do Apple devices support AES encryption during the enrollment process, or are there any known limitations that prevent its use?
Technical Details:
During enrollment, when the device attempts to install the Management Profile, it requests the MDM server to retrieve the device certificate from the SCEP URL.
We send the certificate by creating Enveloped CMS content, using TripleDES as the algorithm identifier. If we switch the algorithm to AES, we observe the error mentioned above.
We are also using TripleDES when preparing the CMS content for the enrollment profile, which works without issues.
A profile that contains setting of allowVPNCreation is false was installed duiring activation in my requirements.
The iOS version is 18.
AllowVPNCreation is first, setting the app's network is second, the app can't use network.
Setting the app's network is first, AllowVPNCreation is second, the app works well.
For example:
Scene 1
Step 1: Install a profile that contains a setting where allowVPNCreation is false during activation.
Step 2: Complete activation and enter the main screen.
Step 3: Tap App Store, the screen displays network unavailable, needs to be set in Setting.
Step 4: Open the network setting for App Store, but still closed.And the network settings for other apps are all closed;
Step 5: Remove the profile.
Step 6: After a minute, opening the network setting for App Store is work.
Result: AllowVPNCreation effects app's newtork after entering the system for the first time. It don't happen below iOS 18.
Scene 2
Step 1: The app's network setting is ok.
Step 2: Install a profile that contains a setting where allowVPNCreation is false.
Result: No effect。The same result below iOS 18.
Is this a bug or new features, how to handle?
Phone Pe's customer support:09798-179-306
Could you please provide guidance on what is required to set up an Apple MDM server from scratch? Specifically, I would like to understand the necessary steps, tools, certifications, and best practices involved in the process. Any resources or documentation you could recommend would also be appreciated.
I recently upgraded my Apple Developer account from a personal account to a business account. However, I would like to revert back to a personal account. The reason is that I plan to create a separate developer account for a company using a different company email, and I want to use my original account for publishing personal apps.
Is it possible to change the account type back to personal? If so, what steps do I need to follow? If not, are there any other options I should consider?
Thank you for your help!
**Hi Apple Developer Community,
Good Morning **
My Personal MacBook Air M1:
Mac OS: Sequoia, Version 15.0
Please note, this is my personal MacBook and I am the only one who is using it.
I can see System Configuration, Configuration Profiles and Kerberos on my personal MacBook Air M1
System Folder ---&amp;amp;amp;amp;amp;amp;amp;amp;gt; Library ----&amp;amp;amp;amp;amp;amp;amp;amp;gt; Configuration profile, System Configuration folders ?.
Attaching herewith the snapshot of the same.
Can some throw light on the same.
Do I need to remove the configuration profile, system configuration from my personal MacBook Air M1 which is seen in
System Folder ---&amp;amp;amp;amp;amp;amp;amp;amp;gt; Library ----&amp;amp;amp;amp;amp;amp;amp;amp;gt; Configuration profile, System Configuration folders ?
Also, I cannot edit the user in my name.
**Kindly assist me with the same.
Thanks and Regards,**
Omkar