Hello All, I am currently developing a mobile management system using declarative management and for the most part it is pretty great. There is one consistent issue I have run into and it comes when testing VPP app installs with not enough licenses. When my server detects that it can't provide a license ID it will return a 404, which causes the rest of the DM syncing to stop, and the activation to throw an error. Per the documentation for using simple activation: An array of strings that specify the identifiers of configurations to install. A failure to install one of the configurations doesn’t prevent other configurations from installing The above would imply that if a config fails it should not affect anything else (aside from possibly reporting an error. Am I returning the wrong error code for it to continue or is the behavior correct and the documentation is wrong? Any additional info would be useful

Hi guys, I need to configure a VPN to work only for specific apps. I already have a supervised iPhone, and I’ve successfully configured the VPN, but right now it applies to the whole phone. I need it to work just for some apps. I tried using both Apple Configurator and iMazing, but I can’t find this option there.

I work at a school in NYC and have a software idea that could better support the new NYC phone ban law than current market options (i.e. Yondr pouches). Right now at my school, students and staff scan a QR code upon entering the building to indicate that they are in the building. They scan again on the way out to indicate they've left the building. This is super helpful for attendance, particularly in emergency situations (fire drills, etc). Imagine if when students scanned their QR code, it also activated an app similar to Opal or ScreenZen, but with an admin preset whitelisted apps. The idea is that this app would default deny access to all apps on students' phones except the admin preset whitelisted ones such as Phone, Calculator, etc. Depending on the age/needs of the student, other apps like Spotify, or medical apps could also be whitelisted. My question is -- is this idea possible to create? We would need admin preset controls to create the preset whitelist. We can't have students picking their own restrictions, as we know most would opt to not restrict at all. We would need an admin dashboard so teachers/admin can see which students have activated the app in the building, and which may be trying to sneakily avoid it. We would ideally need to be able to whitelist both system apps like Phone and Calculator, as well as non-system apps such as Spotify (and medical apps -- we have some students who manage/monitor their Diabetes with an app). I don't have a background in software. I'm a math and health teacher. I've experimented with trying to have friends who majored in CS to create this app for me, but they've all either struggled/lost interest. So I'm also looking for a business partner in this venture. If anyone has any guidance here, it would be so helpful! My boss (Head of School) is super interested in this idea and significantly prefers it to every other alternative that he has encountered. The problem is this idea does not exist yet! Note: I know this is a super similar idea to the app and product "Brick". Notably, though, Brick does not have the ability for admin preset controls, or the admin dashboard. We reached out to the company to see if they're create this for us and they said it's a back burner idea that they're aware of, but it's not a priority for them right now. Thank you for any guidance!

Hi, I am trying to enable declarative management on my device ( it is already enrolled as a sharedIpad with DEP). When sendind the command, the device's response contains an error. It is not acknowledged. Either on the device channel or on the user channel. The device channel returns : 'ErrorChain': [{'ErrorCode': 4, 'ErrorDomain': 'RMErrorDomain', 'LocalizedDescription': 'Feature Disabled: Device Channel.'}], 'Status': 'Error', and the user channel returns : 'ErrorChain': [{'ErrorCode': 12021, 'ErrorDomain': 'MDMErrorDomain', 'LocalizedDescription': '“DeclarativeManagement” is not a valid request type.', 'USEnglishDescription': '“DeclarativeManagement” is not a valid request type.'}], 'Status': 'Error', Does DEP device support declarative management? Thanks.

Is there a way to check if DDM(Declarative Device Management) is enabled on a device?

Hi all, I'm implementing Intune MAM to secure applications on iOS. However, I need my users to be able to save files (e.g. attachments in an email in the Outlook app) to iOS Files. To do so, I'm trying to put Files in exception of my Intune MAM policy and I need to obtain the Files "CFBundleURLSchemes" value from the info.plist file of the Files app. I'm not able to get that information. Are any of you able to get that somehow? Thanks!

We want to set key-value pair (installation_token: xxxxx) into an app installed by MDM. Formerly we could set the key-value using Settings MDM command like this. <dict> <key>Command</key> <dict> <key>RequestType</key> <string>Settings</string> <key>Settings</key> <array> <dict> <key>Configuration</key> <dict> <key>installation_token</key> <string>xxxxxxx</string> </dict> <key>Identifier</key> <string>com.cloudflare.cloudflareoneagent</string> <key>Item</key> <string>ApplicationConfiguration</string> </dict> </array> </dict> We can still use this for the apps installed withInstallApplication MDM command, however we cannot apply this configuration into the app using Declarative Device Management. When we try it, we got an error like this. <dict> <key>CommandUUID</key> <string>.............</string> <key>Settings</key> <array> <dict> <key>ErrorChain</key> <array> <dict> <key>ErrorCode</key> <integer>12008</integer> <key>ErrorDomain</key> <string>MDMErrorDomain</string> <key>LocalizedDescription</key> <string>Could not modify apps managed by Declarative Device Management.</string> <key>USEnglishDescription</key> <string>Could not modify apps managed by Declarative Device Management.</string> </dict> </array> <key>Identifier</key> <string>com.cloudflare.cloudflareoneagent</string> <key>Item</key> <string>ApplicationConfiguration</string> <key>Status</key> <string>Error</string> </dict> </array> How can we work with managed application configuration with DDM?

Hi,team: I have configured SystemExtensions and WebContentFilter for supervised devices through mdm, and set NonRemovableFromUISystemExtensions in SystemExtensions, but found that my network filter cannot be deleted in macOS10, macOS11 and macOS12, but it can still be turned off by selecting the network filter in the network and choosing to disable the service. However, it cannot be turned off in macOS13, macOS14 and macOS15. How can I prevent supervised devices from turning off the network filter in 10, 11 and 12? The macOS 10.15.7 image is as follows: macOS15.1.1 cannot delete and cannot close the image as follows: Hope to receive your reply！

我有十一台M4芯片的mac mini，目前通过AC2将设备挂载在ABM中。目前有10台通过接口 “https://mdmenrollment.apple.com/device/activationlock” 启用企业激活锁去出现INTERNAL_SERVER_ERROR错误，只有一台成功了，成功那台设备使用的ABM账号与其他设备使用的ABM账号不同所属组织也不同。 I have eleven M4 chip Mac mini devices, currently mounted in ABM through AC2. Currently, there are 10 units that have passed the interface“ https://mdmenrollment.apple.com/device/activationlock ”Enabling the enterprise activation lock resulted in an INTERNAL_SERVER-ERROR error, and only one device succeeded. The successful device used a different ABM account than the other failed devices and belonged to a different organization.

Hi, I'm glad to hear that the service discovery process is improved on iOS/iPadOS 18.2 mentioned here. https://support.apple.com/en-ca/guide/deployment/dep4d9e9cd26/1/web/1.0 I tried it on my development MDM server. Set default MDM for iPad to my development MDM server on Apple Business Manager. Call the new API https://developer.apple.com/documentation/devicemanagement/account_driven_enrollment_profile and 200 OK is returned However the service discovery fails with the following error. Invalid well-known response for https://{my email's comain name}/.well-known/com.apple.remotemanagement?user-identifier={my email}&model-family=iPad: <NSHTTPURLResponse: 0x300a9f420> Invalid well-known response for https://axm-servicediscovery.apple.com/mdmBaseURL?user-identifier={my email}&model-family=iPad: <NSHTTPURLResponse: 0x3009047a0> It seems fallback process to https://axm-servicediscovery.apple.com/mdmBaseURL actually works but it returns 404 Not Found error. How can we use this awesome feature? Thank you :)

I'm trying to use DDM manager Safari Extensins in macOS Sequoia. I generate json and load it by mdm and ddm , but it doesn't seems to work. The json I loading is the following: { "Type": "com.apple.configuration.safari.extensions.settings", "Payload": { "ManagedExtensions": { "*": { "State": "AlwaysOn", "PrivateBrowsing": "AlwaysOn", "AllowedDomains": [], "DeniedDomains": [] } } }, "Identifier": "com.test.safari" } macOS Sequoia response is the following: { "StatusItems" : { "management" : { "declarations" : { "activations" : [ { "active" : true, "identifier" : "com.example.act", "valid" : "valid", "server-token" : "5cc191206d1b1933" } ], "configurations" : [ { "active" : true, "identifier" : "com.test.safari", "valid" : "unknown", "server-token" : "29d3ec5ab48e6367" } ], "assets" : [ ], "management" : [ ] } } }, "Errors" : [ ] } you can see, The "valid" value is always "unknown" at ""identifier" : "com.example.act", but "Errors" is empty, Safari app don't load extensions , the SafariExtensionSettings" ddm don't work, Is there anything wrong with "SafariExtensionSettings" json? or how can I debug this bug .

I'm trying to use DDM manager Safari Extensins in macOS Sequoia. I generate json and load it by mdm and ddm , but it doesn't seems to work. The json I loading is the following: { "Type": "com.apple.configuration.safari.extensions.settings", "Payload": { "ManagedExtensions": { "*": { "State": "AlwaysOn", "PrivateBrowsing": "AlwaysOn", "AllowedDomains": [], "DeniedDomains": [] } } }, "Identifier": "com.test.safari" } This following image is macOS Sequoia Console log. It show the "com.apple.configuration.safari.extensions.settings" had been run successfully, and no errors. macOS Sequoia response is the following: { "StatusItems" : { "management" : { "declarations" : { "activations" : [ { "active" : true, "identifier" : "com.example.act", "valid" : "valid", "server-token" : "5cc191206d1b1933" } ], "configurations" : [ { "active" : true, "identifier" : "com.test.safari", "valid" : "unknown", "server-token" : "29d3ec5ab48e6367" } ], "assets" : [ ], "management" : [ ] } } }, "Errors" : [ ] } you can see macOS Sequoia response , The "valid" value is always "unknown" at ""identifier" : "com.test.safari", but "Errors" is empty, Safari app don't load extensions , the SafariExtensionSettings" ddm don't work, Is there anything wrong with "SafariExtensionSettings" json? or how can I debug it

I have 5-6 mac minis connected to my windows server 2022 and the accounts that connect to the mac are network account. How do I block the network users from accessing or using certain apps like terminal and passwords?

Is there a way to restrict an end user from potentially editing a supervised device through Apple Configurator? It seems that Apple Configurator allows to make undesirable changes to a supervised device, like removing profiles, which would in turn be detrimental to the intended experience on the device, if a user would actually be able to perform such changes.

I have a in-house delivered app, I updated certificates and delivered the app before expiring, inviting users to update. after certificates expiration people who did not update now must remove the app loosing personal data, and download it again, but app crashes. I know that since iOS 18 in order to trust again an in-house identity, restart is required. What I need to know, is if there is some documentation where is explained the following: if I remove the only app delivered by in-house enterprise profile I have on a customer device, via home, long time tap gesture, "remove the app" then I install again the app, the profile reappears under "VPN and device management" and results already as "trusted" instead if I remove the app directly from settings > VPN and device management, when I re-install the app VPN and device management reappears and developer/app is not trusted, in it asks me to trust again the developer and during the operation, restarts the device, asks me device code and so on. so, my final question is: since it is clear to me that there is a difference between two removal methods, where is this logic described? Is it only present for in-house distribution?

Is there or will there be an update to the depsim and vppsim simulator tools? The current version is significantly out-of-date in terms of features and fails to start due to the developer not being verified (ironically).

Managed iOS/iPad devices are struck with no network under below conditions Enrolling a Supervised iOS device Send InstallProfile command with AppLock payload (https://developer.apple.com/documentation/devicemanagement/applock) Now when the above managed device loses network connection with MDM server due to unknown network issues - the device is out of contact with MDM server and device is locked. Since such AppLock payload installed devices are placed in remote locations, it becomes difficult for Admins to recover such devices with no network connectivity. The devices have to be brought in from remote location and recover them. Under such conditions, it would be better to allow the end user to change the Network configuration manually to reconnect the device with MDM server. This option can also be allowed only when the device can’t ping MDM server.

Main Issue We are experiencing an issue where iOS devices become unresponsive when attempting to shutdown or reboot from the lock screen while locked into Single App Mode via MDM or Apple Configurator. Steps to Reproduce: Start any iOS device. Use Apple Configurator or an MDM solution to enable Single App Mode. Wait for the device to lock into the specified app. Lock the device so that it goes to the lock screen. Hold the Power button and Volume Up button until the shutdown/emergency screen appears. At this point, the device becomes unresponsive. After approximately 30 seconds, the message "Guided Access app unavailable. Please contact your administrator" appears. The device is now frozen, and the only way to recover is to force restart it using Apple's forced restart method (Apple Support Link). Additional Issue: Additionally, we observe that when using an app in Single App Mode, attempting to reboot the device and canceling the reboot prevents any subsequent reboot attempts until a force restart is performed. Steps to Reproduce This Behavior: Lock the iOS device into Single App Mode. Use the app normally. Attempt to shut down the device by holding the Power and Volume Up buttons. The shutdown/emergency screen appears as expected. Cancel the shutdown by tapping "Cancel." The device returns to the lock screen. Swipe up to return to the app. Attempt to shut down the device again using the same method. Nothing happens—the shutdown screen no longer appears. The only way to reboot the device now is through a forced restart. This appears to be a bug in Single App Mode behavior, potentially related to Guided Access restrictions. Has anyone else encountered this issue? Is this the right place to report this issue? or should I report it elsewhere? I have more videos and material showing how to reproduce this issue if needed.

Hello everybody, We are trying to configure Device APN settings by sending IOS device configuration profiles through OTA. Please refer below url for details which we are following : https://developer.apple.com/library/archive/documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/Introduction/Introduction.html#//apple_ref/doc/uid/TP40009505 We’ve encountered an issue where the APN (Access Point Name) settings are not populating correctly on iOS devices, even though we are sending the configuration via our Device Management Center (DMC) and the configuration message is being pushed correctly over the air (OTA). Path to the APN fields: Settings > Mobile > Mobile Data Network > APN Tested iOS version: 17.3, 17.5, 18.2, 18.3 Configuration message received: Configuration message installed: APN fields are empty: Could you give us any suggestions ? Thank you very much.

Hi there, I am trying to create an IPsec policy for remote access for iOS devices. Is the full updated list with all the settings, which are supported? I could only find this article: https://support.apple.com/de-de/guide/deployment/depdf31db478/web But I am sure it's not updated: Authentication Algorithms: HMAC-MD5 or HMAC-SHA1. Same for DH Groups 2-5