Why don't obtain equipment list (https://mdmenrollment.apple.com/server/devices) interface returns "device_family" contour information. This interface only returns some fields, and many field values are not returned

It seems like there are some "mixed messages" out there about what should be in OID 1.2.840.113635.100.8.11.1 in the attestation cert. Is it just a SHA256 hash of the nonce issued by the ACME server? The MDM profile yaml says: "In the attestation certificate the value of the freshness code OID matches the nonce specified by the ACME server via the ACME protocol." I'm hoping the difficulty we're seeing is down to the certificate being created once (and not again for 7 days). Otherwise, we're not decoding/understanding the OID's contents properly. Thanks.

Hi there, We’re testing Declarative Device Management (DDM) for VPP app management and followed the latest declaration template here: https://github.com/apple/device-management/blob/release/declarative/declarations/configurations/app.managed.yaml Our goal is to enable VPP auto-updates via the declaration. The payload we’re using looks like this: "AppStoreID": "1231325957", "InstallBehavior": "{\"Install\": \"Required\", \"License\": {\"Assignment\": \"Device\"}}", "UpdateBehavior": "{\"AutomaticAppUpdates\": \"AlwaysOn\"}" } What we’re seeing Device A (no Apple ID signed into App Store): User can manually update the VPP app with the above declaration in place. ( The same user cannot update the app if UpdateBehavior is not in the declaration payload. Device B (Apple ID signed into App Store, and the same Apple ID doesn't have the above app purchased): User cannot manually update the same VPP app. The App Store shows the error seen when UpdateBehavior is absent: “ cannot be updated because it was refunded or purchased with a different Apple Account.” Also, in this case, the user has no way to purchase the (free) app by their own as the app shows as owned/managed by MDM server. We have to remove the declaration, let the user purchase the same app, then re-deploy the declaration to allow the user to click that "Update" button when a new version for that app is available. Additionally, we’re unsure about the criteria/timing for automatic VPP app updates under DDM. After a new version became available, we waited several hours but the app did not auto-update. Repro summary App: VPP, device-assigned license Declaration: AutomaticAppUpdates = AlwaysOn, install required Device A: not signed into App Store → manual update allowed Device B: signed into App Store → manual update blocked with “refunded/different account” error Auto-update did not occur after waiting several hours post-release Any guidance, confirmation of expected behavior, or tips on additional logging we should collect (e.g., specific App Store / MDM / DDM logs and subsystems) would be greatly appreciated. If this is a known issue or requires a Feedback Assistant report, we’re happy to file one. Thanks,

We have several apps that our business uses to connect to internal private HTTP sites. We noticed in IOS 18.3 we are getting SSL errors to the web server and noticed the issue in the Chrome Browser as well. Our team is looking at the Application Transport Security layer exceptions in our apps Info.Plist. We do notice the browser forcing HTTPS. Any insight on what could be the issue?

Can someone help me, every time I insert a new attribute in the Table, the Query stops working, the bank keeps giving these messages, thank you

We're currently facing an issue with Intune not automatically updating/downloading the updated build/app to end-user ios devices. It's worth noting that we've recently migrated the Xamarin project to a .NET-style SDK in this version. Previously, the app used to update automatically without any problems. We'd appreciate it if you could help us understand what might be causing this issue.

I have created a jwt token with headers { 'typ': 'JWT', 'alg': 'RS256' } and claim as : { 'iss': dep server UUID from Accounts call, 'iat': epoc time in seconds, 'jti': random uuid, 'service_type': 'com.apple.maid' } And signed the token with private key created during DEP MDM server creation. On the device I see Verification error when tried to login with Managed Apple account. In ABM, Access management setting was set to Managed Devices /Supervised only. Any help would be appreciated.

Apple provides a function to create TTS voice as a file in TTS. (AVSpeechUtterance/AVSpeechSynthesizer) Or, if the user records the video of TTS playback and uses that video I wonder what the scope of use is if I use this TTS voice to make YouTube, TikTok, or commercial videos. Is it impossible to use it commercially at all? Can I use it commercially with the source indicated? Can I use it commercially without a separate source indication? Is there a difference in commercial use license between Siri voices and regular TTS voices?

Why is MDM camera restriction designed not to work on the lock screen?

Hi, I developed a Platform Single Sign-On extension and a corresponding extension for my IdP, which is Keycloak based. The code for both projects are here: https://github.com/unioslo/keycloak-psso-extension and https://github.com/unioslo/weblogin-mac-sso-extension I realized that, when using the Secure Enclave as the AuthenticationMethod, and according to Apple's documentation, the Extension doesn’t obtain fresh ID Tokens when they expire if the refresh token is still valid. When using password as the Authentication Method, it fetches new ID tokens when they expire, without prompting the user for credentials, by using the refresh token. My suggestion is that the same behavior should be implemented for Secure Enclave keys. The thing here is that usually, on OIDC flows, the ID/Access tokens are short-lived. It would make sense for the extension to provide fresh ID tokens. It doesn’t seem to make sense for me that, when using passwords, the extension would fetch these tokens, and not when having the Secure Enclave key. By not doing this, Apple almost forces the developer of an extension to fetch new ID tokens themselves, which doens’t make sense when it clearly provides fresh tokens when using passwords. It almost forces the developers to either implement that logic themselves, or to issue longer tokens, which is not so nice. How so you deal with this? Do you simply use the refresh token as an authentication token, or do you do some sort of manual refresh on the extension?

Hi everyone, I’m sharing this because I’ve been stuck with this issue for over two weeks, and I still haven’t found a solution — or received a meaningful response from Apple Support. A yellow banner has appeared on my account saying: “The Apple Developer Program License Agreement has been updated and needs to be reviewed.” But here’s the problem: I’ve already accepted the latest agreement long ago. When I log into both: App Store Connect Developer Portal …there’s no new agreement to accept, no prompt, no button — absolutely nothing new. The yellow banner simply refuses to go away, and it's preventing updates. I’ve already: Cleared cache & cookies Tried Safari, Chrome, Firefox Logged in from different devices/networks Verified that I am the Account Holder Reported the issue via Apple Developer Support (more than a week ago) Despite clearly stating the urgency of the matter, I’ve received no fix and no timeline. This is beginning to feel like developers’ time — especially for those who depend on timely releases — isn’t being taken seriously. So I’m writing here to ask: 🔹 Has anyone else encountered this same issue recently? 🔹 Is there any known workaround or fix? I’d appreciate any help or shared experience. Thank you.

Managed iOS/iPad devices are struck with no network under below conditions Enrolling a Supervised iOS device Send InstallProfile command with AppLock payload (https://developer.apple.com/documentation/devicemanagement/applock) Now when the above managed device loses network connection with MDM server due to unknown network issues - the device is out of contact with MDM server and device is locked. Since such AppLock payload installed devices are placed in remote locations, it becomes difficult for Admins to recover such devices with no network connectivity. The devices have to be brought in from remote location and recover them. Under such conditions, it would be better to allow the end user to change the Network configuration manually to reconnect the device with MDM server. This option can also be allowed only when the device can’t ping MDM server.

Attempts to programmatically update or add numerous system-installed certificates (a common practice for organizations that rotate certificates regularly) are blocked, forcing manual, insecure, and error-prone workarounds. The root cause lies in the stricter security protocols implemented in macOS 15, specifically: System Integrity Protection (SIP) and Transparency, Consent, and Control (TCC) Command we are using : sudo security authorizationdb write com.apple.trust-settings.admin

I have an in house application that I develop for my company. The application requires our corporate MDM profile is installed on the phone. I recently got a new phone and our corporate IT team installed the MDM profile and the Comp Portal application for me to manage our corporate applications. I installed the application through the Comp Portal. It crashes right away when I launch the application and I see this error message in the Console when connected to the phone: "SpringBoard Snapshot generation request for bundleID: com.mycompany.mygroup.appName rejected due to the app being denylisted." I see other errors from runningboardd about failing to spawn the job and SpringBoard Bootstrapping failed for <FBApplicationProcess: 0x510affd80; app<com.mycompany.mygroup.appName>:> with error: <NSError: 0x301e60090; domain: RBSRequestErrorDomain; code: 5; "Launch failed."> I can launch a development version of the application with no problem by connecting the USB cable from my machine to my device and running through XCode. Other people have no problems launching the application. I compared all the certificates in the management profile with another device where the application does not crash and there are identical. We checked a number of settings on the devices to see if there could be something preventing the application from running but found nothing. We reset all settings and deleted and reinstalled the application with rebooting to see if perhaps it was an incomplete installation. Our IT folks want to wipe the phone and start over but I have little confidence that will fix the issue since we don't know the root cause. I am concerned that one of my Stakeholders might have the same issue if they get a new device. This application worked fine on my old phone. Device: iPhone 16 Pro Max iOS version: 18.2.1 Any ideas on next steps to troubleshoot this issue? How can I figure out the cause of the denylisting?

Hello Developers, We are encountering a consistent Kernel Panic issue on an iPhone device after sending a "Clear Passcode" command via our MDM solution. We're looking for insights or confirmation if others have experienced similar behavior. Device & Environment Details: Device: iPhone13,2 (iPhone 12 Pro) OS Version: iPhone OS 18.3.2 (Build 22D82) (Please note this appears to be a future/beta build identifier) Action Triggering Panic: Sending MDM ClearPasscode command. Roots Installed: 0 (Device is not jailbroken) Incident ID: 4B41C0AE-EE93-4051-BEE4-AB98438C10F0 Panic Log Summary: The kernel panic log clearly indicates the issue originates from the Secure Enclave Processor (SEP). The key panic string is: panic(cpu 3 caller 0xfffffff02357bc1c): SEP Panic: :sks /sks : 0x1000b15fc 0x0003ad60 0x0003ad44 0x100028698 0x10002cae4 0x10002a908 0x10002bc10 0x100045330 [hgggrhlvs] Panic app vers: 1827.80.10 Panic app UUID: 4C066E88-EB93-33C3-BCA7-C5F5474831CC ... Root task vers: AppleSEPOS-2772.80.2 Root task UUID: A39D6C5D-D07D-33EE-85A3-9105A8D93CE2 ... sks /sks 0x329cc/0x326e0/0x1314131413141314 ert/BOOT Use code with caution. The SEP Panic and reference to :sks /sks strongly suggest an issue within the Secure Key Store subsystem of the SEP. The panic occurred on CPU core 3. The kernel backtrace points to the com.apple.driver.AppleSEPManager kernel extension as the immediate caller in the main kernel that initiated the panic process after receiving the signal from the SEP. Analysis/Interpretation: Based on the log, it appears that the MDM ClearPasscode command, which necessarily interacts with the SEP's Secure Key Store via the AppleSEPManager driver, triggered an internal fault or bug within the SEP firmware (AppleSEPOS). This SEP-level panic subsequently caused the main iOS kernel to panic. Questions: Has anyone else encountered similar SEP panics, specifically involving the SKS subsystem, particularly after issuing MDM commands like ClearPasscode on iOS 18.x builds (especially 18.3.2 / 22D82)? Is this a known issue in this specific iOS/SEP firmware version? Are there any suggested workarounds for clearing passcodes via MDM on affected devices/OS versions, or any further diagnostic steps recommended? We appreciate any insights or shared experiences the community might have on this issue. Thank you.

Apologies if this has been asked before, but I am struggling to understand what our options are for app distribution for a new (to our company) use case. Note: we have both an Enterprise account as well as a standard App Store account. We are developing an Apple Vision app for a client company. We need to be able to distribute the app to people within our company as well as within the client company for testing. Once that is complete, we need to be able to distribute the app to a select group of employees in the client company. The client company does not have an MDM, so we originally thought to distribute the app using TestFlight. But that is not available with our Enterprise account. Is this something we can manage with a Business account since the devices involved would belong to our client company instead of ours? Is there a different solution to this workflow within the existing tools provided by Apple? Or is the only option to help the client set up an MDM/set up our own MDM to manage client devices for this?

Hello, I’m facing an issue while trying to add iOS devices to Apple Business Manager (ABM) using Apple Configurator during enrollment. When going through the setup process, the device fails to complete enrollment and times out. I’ve tried it multiple times. The device does appear in ABM during the process and I am able to assign it to different MDM servers but since the setup times out and fails, the device is automatically released. I have tried this with multiple iOS devices and it times out on every single one of them. Steps attempted: Factory reset and re-enrollment of the device Ensured network connectivity is stable and tested on multiple Wi-Fi networks Tried the following process using Apple Configurator on Mac (wired): Created a Wi-Fi profile in Configurator Connected the iPhone via cable and used Prepare (manual configuration) Used the “MDM server” placeholder and trusted anchors (as recommended) Linked the device to the ABM organization Skipped Setup Assistant steps Attached the Wi-Fi profile, then prepared and wiped the device Verified that the device should appear in ABM Attempted to assign the device to my MDM in ABM Despite these checks, the enrollment process times out. I’m attaching a screenshot of the error for reference. Could someone advise what might be causing this timeout or how I can further troubleshoot this? Any guidance would be greatly appreciated. Thanks in advance.

Dear Apple Developer Team, Following the rollout of iOS 26.x and the introduction of the iPhone 17, we have identified a critical issue affecting Mobile Device Management (MDM) enrolment and restore operations. The issue appears to stem from the Device Management Profile configuration 'do_not_use_profile_from_backup' within Apple Business Manager (ABM), which currently defaults to False. This setting should be modified to True to ensure proper functionality. When the profile remains set to False, organisations leveraging MDM encounter repeated failures during device backup and restore operations. Specifically, restoring a supervised or managed device triggers a persistent MDM registration loop, effectively preventing deployment of iPhone 17 devices in managed environments. We recommend that Apple review and adjust the default Device Management Profile property within ABM to address this issue and restore full MDM compatibility for iOS 26.x and later.

Is there a way to restrict an end user from potentially editing a supervised device through Apple Configurator? It seems that Apple Configurator allows to make undesirable changes to a supervised device, like removing profiles, which would in turn be detrimental to the intended experience on the device, if a user would actually be able to perform such changes.

The Center for Innovation in Education created a reading program designed to teach every single child to read, regardless of any supposed difficulty in learning. The Center conducted a ten-year study of its Reading Program’s effectiveness. Over those ten years, the Center placed 2,048 Reading Program kits in classrooms across America. More than 300,000 children took part in the Center’s study. Results: The Reading Program taught every single child to read in every single classroom, every single year, regardless of any child’s supposed reading readiness - including dyslexic, autistic, and even Down syndrome children. No failures then or in any of the many years that have followed. Despite the Program’s success, educational publishers refused to publish it. Their refusals will be explained and hopefully counteracted in a book that is scheduled to be published in 2026. In response to publishers’ refusal to make the program available, the Center made it available as a free download from its website. The Center also made its program available as 14 free iPad apps. While the apps can be searched for individually by their unique names, since the apps are interrelated and meant to complement one another, the first keyword assigned to all 14 apps was the same. That same keyword is still in its first position for every app. The first keyword listed for each of the 14 apps is the word “Dekodiphukan”. That meant-to-be hard-to-read search word has worked well every year since the apps were introduced. However, in June of this year, that search term could find only 1 of the 14 apps. We reported this problem to Apple Support on June 26th. It is now November, and the problem remains unresolved. The only response we receive each time we ask for an update on the resolution of this problem the answer every time is: Reported search issues of this type require extensive review by Apple to determine whether it is valid and to confirm the appropriate action. There is no other response. No update has ever been sent to us. There is no phone number I can find to call. It was suggested to me by someone I spoke with in a different department at Apple Developers that I post my problem on the Developer Forum, in hopes that someone here can provide a suggestion for a way around this problem. Parents and teachers wishing to use our Reading Program with their children should not have to enter 14 different names to access our Reading Program.