Platform SSO not working on macos devices for zscaler application other app like safari / chrome working well. Need help from apple expert on the same. Environment : IDP : Entra ID MDM : Omnissa Workspace one UEM platform : macOS

We are managing VPP license switching operations using Apple's VPP Manage Licenses API. License information is managed by matching the “clientUserIdStr” data with the VPP account ID information managed on the server side. We received an inquiry stating that a VPP license did not activate despite the activation process being performed. Upon checking the API results, the update API returned a success status during execution. However, the “clientUserIdStr” information was missing from the license information field in the response of the information retrieval API. We kindly request your guidance on the reason why the “clientUserIdStr” information is missing when retrieving license information, and the steps to ensure this information is reliably returned. VPPAccoountId:0123456789abcdef0123456789abcdef adamIdStr:521974902 *Some details have been altered from the actual data to protect personal information.

I'm are attempting to use the device management migration feature in Apple Business Manager / Apple School Manager (for devices running iOS 26 / iPadOS 26) to re-assign managed devices from one MDM server to another. We followed the published procedure (select device(s) → Assign Device Management → Set deadline → Continue). However, we are observing that on the device side, no notification or prompt appears to the user (such as “Enrollment Required” or “Your organization requires this device to enroll in a different device management service”), even after the migration deadline has passed. Here are the environment details: Device OS version: (iOS 26.1) Device ownership: enrolled via Automated Device Enrollment MDM re-assignment in ABM: old MDM server（name: https://dev5.clomo.com/panel/mackey-dev/ ） → new MDM server (name: https://obliging-bunny-equally.ngrok-free.app/ ) Deadline set: (12/10/2025 12:00 AM) Network connectivity: confirmed online at deadline time We would like to know: Under what exact conditions will the device display the notification/prompt, and what common mis-configurations prevent it from appearing? Is there any device log or activity indicator in ABM/ASM to confirm that the migration instruction has been sent to the device? In cases where the prompt does not appear, what troubleshooting steps can we perform on the device (or in the MDM/ABM configuration) to correct it?

Hi Team, As per this documentation Handling NotNow Status Responses | Apple Developer Documentation, the last command that is delivered to the device on a connection should be the one that the device reported NotNow so that the device will automatically retry when it is ready to consume commands. Our question is it possible to have a fixed command which we can try at the end once all commands are tried and if device has reported NotNow for any of the commands. E.g. If there were 3 commands delivered to the device one by one SSO profile (com.apple.sso ) was delivered and device reported NotNow VPN profile (com.apple.vpn.managed) was delivered and the device reported NotNow DeviceInformation command was delivered and the device reported Acknowledged. As there were NotNow responses earlier, can we try a certificate profile(com.apple.security.pkcs1), with a dummy certificate payload, to ensure that the last command delivered to the device in this connection is responded with NotNow. Questions: Can we use a fixed command e.g. certificate profile(com.apple.security.pkcs1) as in above example to ensure the last command delivered to the device has NotNow response. Or is it better to try one of the commands which the device reported NotNow earlier. As in above example should we try the SSO or VPN profile at step 4 instead of the certificate profile? Following up to above, when a device reports NotNow for any profile installation command, can we say it will always report NotNow for certificate profile(com.apple.security.pkcs1) as well for all iOS and MacOS devices?

Hi everyone, We manage several macs through Microsoft Intune. We've deployed Platform SSO using the password based method (not the Secure Enclave) and have also enforced filevault encryption through policy. What we're trying to achieve is that multiple users can log into the same Mac. For example, I (the initial enrolling user) can log in without issues. However, we want a colleague to be able to log in as well if they're physically in front of the mac. The challenge we've run into is that once filevault is enabled (We're not sure about it but reading on forums it seems that the problem is filevault), it seems the network is not available at the login screen. This means that while the first user can create a mobile account and log in, a second user can't do the same. The moment we try to log in with another set of credentials, we get an immediate error and the password field shakes instantly, suggesting it's not even reaching out to the network or directory to validate the credentials. We'd like to confirm if this behavior is expected when FileVault is active and whether the only solution is to disable FileVault or if there are alternative solutions to allow network connectivity at the login screen. Essentially, we want to know if there's a way to let a second user log in without having to turn off disk encryption. Or if we can pre-authorize a set of users on the mac in order to create all the mobile account needed.. Thanks in advance! Thomas

I'm using Apple's MDM protocol InstalledApplicationListCommand to get information about installed apps. From iOS/iPadOS 26, the app information obtained by InstalledApplicationListCommand includes information on all apps including system apps (apps that come standard with iOS/iPadOS). https://developer.apple.com/documentation/devicemanagement/installed-application-list-command I want iOS/iPadOS26 to get the same information as the app information I get from the previous iOS/iPadOS, and I want to exclude system apps from the app information I get with the InstalledApplicationListCommand. As a way to exclude system apps, you can use the app ID I'm thinking of a way to exclude anything that starts with "com.apple" (the Identifier key value of the InstalledApplicationListResponse.InstalledApplicationListItem object). As a way to exclude system apps, please tell us whether the above method is appropriate and whether there will be any problems in the future.

Hello, I am building a Content Filter app for iOS and would like to get access to some information about network connections that are happening on the device. I managed to have the handle(_ report: NEFilterReport) method of my NEFilterControlProvider called, but the bytesOutboundCount and bytesInboundCount properties of the report are always 0. How can I have the real byte count of the connection ?

We have a WebContentFilter that has an AllowList with a couple of domains and a DenyList that includes www.apple.com. This works on iOS18.x but doesn't work in iOS26 as www.apple.com can be reached. https://support.apple.com/en-gb/guide/deployment/depc77c9609/web Indicates that .apple.com is always accessible but evidence seems to indicate this wasn't the case pre iOS26. An older version of this page https://web.archive.org/web/20220427202204/https://support.apple.com/en-gb/guide/deployment/depc77c9609/web has no mention of .apple.com although field names are also different. Has this change come about due to the filtering changes introduced in iOS26 and is there any way we can still block .apple.com going forward. Would a content plugin be an options ?

Steps to Reproduce Step 1: Fetch Initial Device List Called the device list endpoint to retrieve all devices and saved the cursor: GET https://mdmenrollment.apple.com/server/devices Step 2: Modify Devices Added and deleted several devices via https://business.apple.com/ Step 3: Sync Without Pagination Called the sync endpoint using the cursor from Step 1 (no limit): GET https://mdmenrollment.apple.com/devices/sync?cursor={step1_cursor} Result: Returned 3 device records as expected: { "devices": [ { "serial_number": "F70JJ4C16L", "op_type": "added", "op_date": "2025-12-11T07:05:05Z" }, { "serial_number": "F70JJ4C16L", "op_type": "deleted", "op_date": "2025-12-11T07:04:36Z" }, { "serial_number": "C8RWGXZXJWF5", "op_type": "deleted", "op_date": "2025-12-11T07:04:52Z" } ], "more_to_follow": false } Step 4: Sync With Pagination (First Page) Called the sync endpoint using the same cursor from Step 1 with limit=1: GET https://mdmenrollment.apple.com/devices/sync?cursor={step1_cursor}&limit=1 Result: Returned 1 record with more_to_follow: true — indicating more data exists: { "devices": [ { "serial_number": "F70JJ4C16L", "op_type": "added", "op_date": "2025-12-11T07:05:05Z" } ], "more_to_follow": true, "cursor": "MTowOjE3NjU0MzgyNDI5ODc6..." } Step 5: Sync With Pagination (Second Page) Called the sync endpoint using the cursor from Step 4 with limit=1: { "devices": [], "more_to_follow": false } Expected Behavior When paginating with limit=1, the API should return all 3 records across 3 sequential requests. Actual Behavior Without pagination: Returns 3 records ✓ With pagination (limit=1): Returns only 1 record, then empty array ✗ 2 records are missing when using pagination. Impact This inconsistency makes the sync API unreliable for incremental device synchronization workflows.

I’m looking for advice on implementing an Active Supervision Mode for enhanced parental control. My goal is to restrict access to both iOS system apps and third-party applications to create a safer and more tailored digital experience for my child. Here’s what I’d like to achieve: App Restrictions: Block specific apps (both iOS and third-party) and allow access only to approved ones. Time Limits: Set daily usage limits for individual apps or app categories. Content Filtering: Apply restrictions to block inappropriate content and age-inappropriate apps. Remote Management: Manage these settings remotely from my device for added convenience. Activity Monitoring: View app usage stats or receive alerts for policy violations. I understand that Screen Time on iOS offers basic parental controls, but I’m exploring whether iOS supports more advanced capabilities natively or through additional configurations. I’ve also heard that enrolling a device in Apple Business Manager (ABM) and linking it to an MDM (Mobile Device Management) solution might provide greater control. If this is a viable solution, could anyone provide guidance on: Enrolling a personal or family-owned device into Apple Business Manager. Linking an MDM for configuring app restrictions and monitoring usage. Alternatively, if there are third-party parental control apps that work seamlessly with iOS to achieve these goals, I’d appreciate your recommendations! Thanks in advance for your insights!

When clicking Upload for the CSR file, there is no APNS certificate available for download. Instead, the portal redirects to https://www.apple.com/filenotfound MDM Push Certificates are critical for the operation of managed devices, if they expire, all devices will have to be reenrolled creating a catastrophic event for all the customers devices. Please review and given how critical this service for renewing certificates is for your customers, please also make sure it is always available without downtimes. Let me know if you need more details, Thank you, Sergio

I have an MDM supervised device with an installed managed app, that activates a content-filter solution to filter traffic system-wide. Is it possible in any way for the user to install a third party content-filter app that would somehow overtake the control of content filtering from my app? I'm asking this because I've tested such a case with my another test content-filter solution and it takes control over content filtering from my content-filter – I think this is possible only because my device is in developer mode, but I'm not entirely sure, and I need a confirmation that it would not be possible to happen in an end used environment.

It would often be useful to deactivate horizontal scrolling, especially for number sheets. So I have customized these 2 files. But no success. Nothing happens. Scrolling is still possible in both directions. Vertically and horizontally. Does anyone have an ingenious idea?

We are using management properties in DDM to assign configurations and assets to a particular device, and one of those properties should be updated by a business app on the device. For example, if the business application is not launched every 30 days, then a predicate should evaluate to false and the device put into single app mode to force the application to run. If, however, the app is launched any time in the 30 days, then the counter should be reset. Essentially trying to enforce that users in the field cannot work offline for extended periods of time without getting the latest dataset from the company. The single app mode part is very clear and the predicate to assign the configuration based on the date in the management property seems logical. However, the question is: Can a predicate be built upon data that is updated by the custom MDM app? ie: If the app is launched on the device without connectivity, can a property be updated that the DDM predicate system can access that can be used as an input property? such as "last launch time" or "last check-in" of the custom app? Alternately, could the custom MDM app read any of the management properties set via DDM? That way the user would know the value that the DDM configuration for restricting the device.

My institution uses Blackboard and iPads to conduct assessments, and I’m trying to find some proctoring tools. Students conduct the assessments directly on Blackboard using either Safari or Chrome. I know that Apple has a function that does EXACTLY what I’m looking for, but from what I understand, this function has to be made available by Safari or Chrome: https://developer.apple.com/documentation/automaticassessmentconfiguration I don’t know whether either of these two browsers have this function enabled, and whether it can be switched on and off for custom-made Blackboard assessments. Is this a possibility? Are there other options? I know Blackboard offers built-in and third-party proctoring, but contacting them is difficult, and my company does not give me the appropriate authority to speak directly with Blackboard. So, I’m not able to find out about the feasibility, costs, etc. of this option. Any help would be greatly appreciated.

I have a simple organization-info declaration that contains the following: "Identifier": "com.example.declaration.org-info", "Payload": { "Email": "info@example.com", "Name": "Example Organization Info", "URL": "http://example.com" }, "ServerToken": "c23b40ca47b11420", "Type": "com.apple.management.organization-info" } And an activation that includes the org-info declaration: "Identifier": "com.example.activation.org-info", "Payload": { "StandardConfigurations": [ "com.example.declaration.org-info" ] }, "ServerToken": "5f6c37a6a0c44e35", "Type": "com.apple.activation.simple" } When I check the status of the declaration, I see the following error: "StatusItems": { "management": { "declarations": { "activations": [ { "reasons": [ { "details": { "Identifier": "com.example.activation.org-info", "ServerToken": "5f6c37a6a0c44e35", "ConfigurationIdentifiers": "com.example.declaration.org-info" }, "description": "Activation (com.example.activation.org-info:5f6c37a6a0c44e35) is missing configurations.", "code": "Error.MissingConfigurations" } ], "active": false, "identifier": "com.example.activation.org-info", "valid": "valid", "server-token": "5f6c37a6a0c44e35" } ], "configurations": [], "assets": [], "management": [ { "active": false, "identifier": "com.example.declaration.org-info", "valid": "valid", "server-token": "542fded47e432de3" } ] } } }, "Errors": [] } I'm not seeing the error in either the activation or the declaration that might throw this error. Does anyone have any insight?

I'm looking at the Apple official document below and getting the app's information. https://developer.apple.com/documentation/devicemanagement/getting-app-and-book-information-legacy However, I couldn't get the custom app's information for a few days ago. The result item is empty. This is a URL that is normally viewed. https://uclient-api.itunes.apple.com/WebObjects/MZStorePlatform.woa/wa/lookup?version=2&p=mdm-lockup&caller=MDM&platform=volumestore&cc=jp&id=1202716089 This is the URL that gives an empty response to the result. https://uclient-api.itunes.apple.com/WebObjects/MZStorePlatform.woa/wa/lookup?version=2&p=mdm-lockup&caller=MDM&platform=volumestore&cc=jp&id=1556411142 In ABM/ASM, the number of applications used and the number of available applications are all viewed normally. Is there anything else I can check? Please reply. Thank you.

I found that "search" endpoint is recently added to api.ent.apple.com : https://developer.apple.com/documentation/devicemanagement/get-catalog-search-results However it seems we cannot find custom apps using this API even with sToken. Is it not suppoted yet? Thank you

I want to side load a .ipa file from a Mac to iPhone connected to Mac via USB. I don't want to use ABM or enterprise account. Also these can be any number of unknown devices. Is there any way to set this up automatically?

Is there any mechanism to restrict camera usage on a user-owned device, once they have opted in, consented to the restriction, and installed a management profile? Documentation suggests it was possible with allowCamera, but has be deprecated on unsupervised devices. Am I understanding correctly that it's simply not possible anymore unless the device is supervised?