For additional security we would like to avoid keeping generated certificates (their private keys) on our server after installing them on a device, but still be able to reference them in later installed configuration profiles via MDM. However, it seems that for a configuration profile's payload to use a certificate (e.g. VPN payload), the certificate payload must be present in the same profile. Are we missing anything, perhaps it's already possible somehow? Ideal workflow for us would be: our MDM server generates a certificate (private+public keys) for a given device our MDM server sends this certificate to the device as configuration profile and saves PayloadUUID of the certificate's payload our MDM server deletes the generated private key from its storage. At this point the private key is present only on the device. at some point in the future our MDM server sends a configuration profile that references the certificate from step 2 via the saved PayloadUUID (e.g. using key PayloadCertificateUUID in a VPN payload) Current result: device responds to MDM server with error "The profile “VPN” could not be installed. Certificates needed for the VPN service “VPN” are invalid." Desired result: device is able to find the previously installed certificate via its PayloadUUID. Alternatively, it could be certificate fingerprint or something similar. One more alternative could be to replace steps 1-3 by an app on the device that obtains a certificate (in any way), installs it to device as a configuration profile, passes the certificate's PayloadUUID to our MDM server and then doing step 4.

Hi everyone, I submitted this feature request through Apple’s Feedback Assistant and wanted to share it here, because many families run into the same issue and Apple prioritizes features based on the number of reports they receive. Current limitation: Screen Time only allows one single Downtime period per day for child accounts. For families with separate school hours and bedtime, this is very impractical. My real-world use case: • Downtime 1: 08:00–13:00 (school) • Downtime 2: 20:00–06:00 (bedtime) Both serve completely different purposes, but are not possible to combine with the current system. My suggestions to Apple: Support multiple Downtime periods per day for child accounts. Allow custom exceptions per Downtime block (e.g., allow Phone app). Provide more flexibility overall for families using Screen Time. If you would benefit from this too, it would be great if you could submit the same request via the Feedback app – the more reports Apple receives, the higher the chance for implementation. My Feedback ID: FB21265678 Thank you! 🙏 Hallo zusammen, ich habe über die Feedback-App einen Vorschlag an Apple eingereicht und wollte ihn hier teilen, weil viele Familien dasselbe Problem haben und Apple mehr Rückmeldungen braucht, um das Thema zu priorisieren. Aktuelles Problem: In Bildschirmzeit kann für Kinder aktuell nur eine einzige Auszeit pro Tag eingerichtet werden. Für Familien mit getrennten Schul- und Schlafenszeiten ist das extrem unpraktisch. Mein Anwendungsfall: • Auszeit 1: 08:00–13:00 (Schule) • Auszeit 2: 20:00–06:00 (Schlafenszeit) Beides erfüllt unterschiedliche Zwecke, ist aber nicht kombinierbar. Mein Vorschlag an Apple: Mehrere Auszeiten pro Tag für Kinderaccounts. Pro Auszeit eigene Ausnahmen festlegen (z. B. Telefon erlauben). Allgemein mehr Flexibilität im Screen-Time-System für Familien. Wenn ihr das ebenfalls hilfreich findet, wäre es super, wenn ihr es auch über die Feedback-App meldet – je mehr, desto besser. Feedback-ID meines Vorschlags: FB21265678 Danke euch! 🙏

Hi, everyone! Is there any way to change ACL of existing Private key in system keychain using MDM? We would like to add the binary or .app to access list of the key. I tried to send script via MDM which imported/exported our certificate with private key with required ACL. But can we change it without import/export?

I’m looking for advice on implementing an Active Supervision Mode for enhanced parental control. My goal is to restrict access to both iOS system apps and third-party applications to create a safer and more tailored digital experience for my child. Here’s what I’d like to achieve: App Restrictions: Block specific apps (both iOS and third-party) and allow access only to approved ones. Time Limits: Set daily usage limits for individual apps or app categories. Content Filtering: Apply restrictions to block inappropriate content and age-inappropriate apps. Remote Management: Manage these settings remotely from my device for added convenience. Activity Monitoring: View app usage stats or receive alerts for policy violations. I understand that Screen Time on iOS offers basic parental controls, but I’m exploring whether iOS supports more advanced capabilities natively or through additional configurations. I’ve also heard that enrolling a device in Apple Business Manager (ABM) and linking it to an MDM (Mobile Device Management) solution might provide greater control. If this is a viable solution, could anyone provide guidance on: Enrolling a personal or family-owned device into Apple Business Manager. Linking an MDM for configuring app restrictions and monitoring usage. Alternatively, if there are third-party parental control apps that work seamlessly with iOS to achieve these goals, I’d appreciate your recommendations! Thanks in advance for your insights!

When clicking Upload for the CSR file, there is no APNS certificate available for download. Instead, the portal redirects to https://www.apple.com/filenotfound MDM Push Certificates are critical for the operation of managed devices, if they expire, all devices will have to be reenrolled creating a catastrophic event for all the customers devices. Please review and given how critical this service for renewing certificates is for your customers, please also make sure it is always available without downtimes. Let me know if you need more details, Thank you, Sergio

I have an MDM supervised device with an installed managed app, that activates a content-filter solution to filter traffic system-wide. Is it possible in any way for the user to install a third party content-filter app that would somehow overtake the control of content filtering from my app? I'm asking this because I've tested such a case with my another test content-filter solution and it takes control over content filtering from my content-filter – I think this is possible only because my device is in developer mode, but I'm not entirely sure, and I need a confirmation that it would not be possible to happen in an end used environment.

It would often be useful to deactivate horizontal scrolling, especially for number sheets. So I have customized these 2 files. But no success. Nothing happens. Scrolling is still possible in both directions. Vertically and horizontally. Does anyone have an ingenious idea?

We are using management properties in DDM to assign configurations and assets to a particular device, and one of those properties should be updated by a business app on the device. For example, if the business application is not launched every 30 days, then a predicate should evaluate to false and the device put into single app mode to force the application to run. If, however, the app is launched any time in the 30 days, then the counter should be reset. Essentially trying to enforce that users in the field cannot work offline for extended periods of time without getting the latest dataset from the company. The single app mode part is very clear and the predicate to assign the configuration based on the date in the management property seems logical. However, the question is: Can a predicate be built upon data that is updated by the custom MDM app? ie: If the app is launched on the device without connectivity, can a property be updated that the DDM predicate system can access that can be used as an input property? such as "last launch time" or "last check-in" of the custom app? Alternately, could the custom MDM app read any of the management properties set via DDM? That way the user would know the value that the DDM configuration for restricting the device.

My institution uses Blackboard and iPads to conduct assessments, and I’m trying to find some proctoring tools. Students conduct the assessments directly on Blackboard using either Safari or Chrome. I know that Apple has a function that does EXACTLY what I’m looking for, but from what I understand, this function has to be made available by Safari or Chrome: https://developer.apple.com/documentation/automaticassessmentconfiguration I don’t know whether either of these two browsers have this function enabled, and whether it can be switched on and off for custom-made Blackboard assessments. Is this a possibility? Are there other options? I know Blackboard offers built-in and third-party proctoring, but contacting them is difficult, and my company does not give me the appropriate authority to speak directly with Blackboard. So, I’m not able to find out about the feasibility, costs, etc. of this option. Any help would be greatly appreciated.

I have a simple organization-info declaration that contains the following: "Identifier": "com.example.declaration.org-info", "Payload": { "Email": "info@example.com", "Name": "Example Organization Info", "URL": "http://example.com" }, "ServerToken": "c23b40ca47b11420", "Type": "com.apple.management.organization-info" } And an activation that includes the org-info declaration: "Identifier": "com.example.activation.org-info", "Payload": { "StandardConfigurations": [ "com.example.declaration.org-info" ] }, "ServerToken": "5f6c37a6a0c44e35", "Type": "com.apple.activation.simple" } When I check the status of the declaration, I see the following error: "StatusItems": { "management": { "declarations": { "activations": [ { "reasons": [ { "details": { "Identifier": "com.example.activation.org-info", "ServerToken": "5f6c37a6a0c44e35", "ConfigurationIdentifiers": "com.example.declaration.org-info" }, "description": "Activation (com.example.activation.org-info:5f6c37a6a0c44e35) is missing configurations.", "code": "Error.MissingConfigurations" } ], "active": false, "identifier": "com.example.activation.org-info", "valid": "valid", "server-token": "5f6c37a6a0c44e35" } ], "configurations": [], "assets": [], "management": [ { "active": false, "identifier": "com.example.declaration.org-info", "valid": "valid", "server-token": "542fded47e432de3" } ] } } }, "Errors": [] } I'm not seeing the error in either the activation or the declaration that might throw this error. Does anyone have any insight?

I'm looking at the Apple official document below and getting the app's information. https://developer.apple.com/documentation/devicemanagement/getting-app-and-book-information-legacy However, I couldn't get the custom app's information for a few days ago. The result item is empty. This is a URL that is normally viewed. https://uclient-api.itunes.apple.com/WebObjects/MZStorePlatform.woa/wa/lookup?version=2&p=mdm-lockup&caller=MDM&platform=volumestore&cc=jp&id=1202716089 This is the URL that gives an empty response to the result. https://uclient-api.itunes.apple.com/WebObjects/MZStorePlatform.woa/wa/lookup?version=2&p=mdm-lockup&caller=MDM&platform=volumestore&cc=jp&id=1556411142 In ABM/ASM, the number of applications used and the number of available applications are all viewed normally. Is there anything else I can check? Please reply. Thank you.

I found that "search" endpoint is recently added to api.ent.apple.com : https://developer.apple.com/documentation/devicemanagement/get-catalog-search-results However it seems we cannot find custom apps using this API even with sToken. Is it not suppoted yet? Thank you

I want to side load a .ipa file from a Mac to iPhone connected to Mac via USB. I don't want to use ABM or enterprise account. Also these can be any number of unknown devices. Is there any way to set this up automatically?

Is there any mechanism to restrict camera usage on a user-owned device, once they have opted in, consented to the restriction, and installed a management profile? Documentation suggests it was possible with allowCamera, but has be deprecated on unsupervised devices. Am I understanding correctly that it's simply not possible anymore unless the device is supervised?

I'm working on the companion iOS app for my purpose-built MDM system. when I use the following in a .swift file: import DeviceManagement I get the build issue: No such module 'DeviceManagement' When I attempt to add the framework in the Frameworks, Libraries, and Embedded Content settings, DeviceManagement doesn't even show up in the available frameworks. Alll the documentation I can find suggests that is the correct framework to import, but I'm new to this and not sure if I'm just missing something. Some AI help is suggesting that the culprit might be v16.x of Xcode, but I don't know enough to prove that correct or not. Any ideas on why Xcode believes there is no such module? Is there documentation that might help me learn how to make that framework available for my project?

We are going to replace our iPhone SE to iPhone 16e. The issue is that we are unable to install an in-house app on the new iPhone 16e. The app works on the iPhone SE Both phones run on the same iOS version (18.5) Has anyone else experienced the same issue? I initially thought the iPhone 16e was the successor to the iPhone SE

Three months ago I molded a mold program. I believe could be tweaked and tried unlined zero code. swear. anyway I would like to scale with some people if I can go to commercial area code phoned series and calls.and if I have rights. but my next moves for them. on iOS I think they should have a seri settings. where they can call seri.on settings, and it jump many codes-and navigation is hard. plus I think seri can help in settings expecially since seri settings is verbal drop. if the words fit or are similar it cues goes to but you have to hard call the switch.so there’s no hey no Sami where you setting no Sammy right I think it could skip cauldron and everything verbally either. Seri settings I think iOS should try it.

Hi Apple Team & Community, The new Introduction of Platform SSO during ADE Enrollment is Great And we tried implementing this. As a Rule mentioned in the Documentation Initially MDM Server should send 403 response with Response Body adhering to ErrorCodePlatformSSORequired when HTTP Header for MachineInfo request contains MDM_CAN_REQUEST_PSSO_CONFIG and set to true There are contradictory claims mentioned in Document, In Process Platform SSO Required Response it is mentioned that MDM Server should send body as JSON Object for ErrorCodePlatformSSORequired Example below >>>>> Response HTTP/1.1 403 Forbidden Content-Type: application/json Content-Length: 558 { "code": "com.apple.psso.required", "description": "MDM Server requires the user to authenticate with Identity Provider - BY MEMDM", "message": "The MDM server requires you to authenticate with your Identity Provider. Please follow the instructions provided by your organization to complete the authentication process - BY MEMDM", "details": { "Package": { "ManifestURL": "https://platform-sso-node-server.vercel.app:443/manifest" }, "ProfileURL": "https://platform-sso-node-server.vercel.app:443/profile", "AuthURL": "https://platform-sso-node-server.vercel.app:443/auth" } } But in the same Document a Sample HTTP Response was Provided but seems to be XML format as below >>>>> Response HTTP/1.1 403 Forbidden Content-Type: application/xml Content-Length: 601 <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Code</key> <string>com.apple.psso.required</string> <key>Details</key> <dict> <key>ProfileURL</key> <string>https://mdmserver.example.com/psso.mobileconfig</string> <key>Package</key> <dict> <key>ManifestURL</key> <string>https://mdmserver.example.com/psso-app.plist</string> </dict> <key>AuthURL</key> <string>https://idp.example.com/authenticate</string> </dict> </dict> </plist> From Github I assume that both Response Types are welcomed hence I tried with Both Followed in JSON Mode, I redirected the HTTP request if MachineInfo contains MDM_CAN_REQUEST_PSSO_CONFIG and set to true to https://platform-sso-node-server.vercel.app/redirectedDEPJSON Followed in XML Mode, I redirected the HTTP request if MachineInfo contains MDM_CAN_REQUEST_PSSO_CONFIG and set to true to https://platform-sso-node-server.vercel.app/redirectedDEPXML In both Response Modes OS is not proceeding after and a error Stating Enrollment with Management Server Failed , Forbidden request (403) appears Can someone kindly guide on where I missed, or is this any OS Bug in Tahoe 26?

I'm currently implementing a managed app using the new AppConfig specification. I referred to Apple's official documentation: Specifying and decoding a configuration. Based on the example provided in the "Publish your configuration specification" section, I structured my application configuration plist like this: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>configuration</key> <dict> <key>account</key> <dict> <key>username</key> <string>test user</string> <key>password</key> <string>test 123</string> </dict> <key>domain</key> <string>test example.com</string> </dict> </dict> </plist> When I deployed this configuration via my MDM server, the server reported valid for the activation, configuration and asset (which is the plist), but the configuration did not reflect or apply within my app. My app was unable to retrieve these settings. After some troubleshooting, I found that removing the top-level <key>configuration</key> wrapper resolved the issue. The following plist structure successfully pushed the configuration to my app: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>account</key> <dict> <key>username</key> <string>test user</string> <key>password</key> <string>test 123</string> </dict> <key>domain</key> <string>test example.com</string> </dict> </plist> My question is: Is the inclusion of the <key>configuration</key> wrapper (as shown in the Apple documentation example) incorrect for the current AppConfig implementation? Or is this structure intended for a future release (e.g., iOS 26 or beyond) and the documentation implicitly refers to it, causing confusion for current implementation? Any clarification would be greatly appreciated! Thank you!

Hi everyone, I’m working as an IT engineer in the cruise industry and need to troubleshoot passenger complaints about Apple’s new RCS messaging feature (introduced with iOS 18). Could someone help confirm which domains and ports iPhones use when they send RCS messages? For the fortigate and palo alto firewalls I need specifics: domains (or subdomains) that need whitelisting and the ports involved. Any official or community-sourced info would be super helpful—thanks in advance!