Hi, We're implementing a DDM-capable MDM server. A DEP-enrolled, supervised iPad (iOS 26.4.2) successfully completes manifest synchronization but never proceeds to fetch the individual declaration bodies. Looking for guidance on what we might be missing. Observed flow (from our server logs): We enqueue a DeclarativeManagement MDM command and APNs-wake the device. The command body is: RequestTypeDeclarativeManagement (no Data field) Device acknowledges the command on the Connect endpoint (Status=Acknowledged). Device calls CheckIn with: MessageType = DeclarativeManagement Endpoint = tokens We respond 200 with: { "SyncTokens": { "DeclarationsToken": "", "Timestamp": "2026-05-19T..." } } Device calls CheckIn with: MessageType = DeclarativeManagement Endpoint = declaration-items We respond 200 with: { "Declarations": { "Activations": [{"Identifier":"...","ServerToken":"v1-..."}], "Configurations": [{"Identifier":"...","ServerToken":"v1-..."}], "Assets": [], "Management": [] }, "DeclarationsToken": "" } ---- Nothing further. ---- No request for Endpoint = declaration/activation/ No request for Endpoint = declaration/configuration/ No status report on Endpoint = status The MDM channel is healthy. The same device responds normally to non-DDM commands (DeviceInformation, etc.) immediately before and after this flow. Questions: Is an empty "Management" array acceptable in the declaration-items response, or is at least one declaration (e.g. com.apple.management. organization-info) required before the device will proceed to fetch declaration bodies? The DeclarationsToken returned in step 3 (tokens) and step 4 (declaration-items) are byte-identical. Is that correct, or should they differ in some way? Are there any additional preconditions for the device to begin fetching declaration bodies after receiving the manifest -- e.g. a specific Activation->Configuration linkage we might be missing? Is there a server-side log signal Apple can suggest we look for, or a way to see why the device decided not to fetch? Activation payload sample we publish: { "Type": "com.apple.activation.simple", "Identifier": "...", "ServerToken": "v1-...", "Payload": { "StandardConfigurations": ["<configuration-identifier-from-step-4>"] } } Configuration payload sample we publish: { "Type": "com.apple.configuration.softwareupdate.settings", "Identifier": "...", "ServerToken": "v1-...", "Payload": { ... softwareupdate settings ... } } Any pointers appreciated. Happy to share full server-side logs / payloads if useful. Thanks.

Hi everyone, I'm running an Apple MDM service and encountering an issue where a number of devices stop receiving MDM push commands within 10 days of profile installation, even though everything appears to be set up correctly. Environment: MDM profile is installed and verified (status: OK, result: SUCCESS) Devices are cellular-enabled with no connectivity issues APNs certificate is valid (thousands of other devices are communicating normally) The command being sent to devices is DeviceInformationCommand No "NotNow" response or any check-in received from the affected devices for over a week Issue: We send DeviceInformationCommand to devices to retrieve device information and update the last communication timestamp. However, a subset of devices simply stop responding to this command within 10 days of profile installation. The last communication date is not being updated, and no response — not even a "NotNow" — is coming back from these devices. Since other devices on the same MDM setup are working fine, I've ruled out APNs certificate expiration and general server-side issues. Questions: Are there any known management points or configuration settings that could cause a device to silently stop receiving DeviceInformationCommand shortly after enrollment? What diagnostic steps would you recommend to identify the root cause on the device or server side? Are there any known bugs or reported issues related to this behavior in recent iOS versions? Is there any way to recover the MDM communication without requiring the user to re-enroll? Any insights or suggestions would be greatly appreciated. Thank you!

Hi, I’m testing the ClearPasscode MDM command: https://developer.apple.com/documentation/devicemanagement/clear-passcode-command Question: If a user enters the passcode incorrectly multiple times and the device becomes temporarily locked (e.g., “Try again in X minutes”) or reaches “Security Lockout”, can ClearPasscode still be executed successfully while the device is in that state? {'ErrorCode': 5013, 35708 'ErrorDomain': 'MCPasscodeErrorDomain', 35709 'LocalizedDescription': '\xe3\x81\x93...x89', 35710 'USEnglishDescription': 'The passcode cannot be cleared (-1)'} If it depends on conditions (e.g., supervised vs. user enrollment, availability of UnlockToken, network/check-in state), could you clarify which conditions are required? Thank you.

Hello Apple Developer Community, We’re building an MDM product (SaaS, multi-tenant). I’d like clarification on the APNs MDM push certificate usage model for service providers (MSPs). Question: Is it acceptable for an MDM vendor to use a single APNs MDM push certificate owned by the vendor to manage devices for multiple, independent customer organizations? Or is it required/recommended that each customer (company) must obtain and use its own APNs MDM push certificate (issued under the customer’s Apple ID) for their tenant? Why we’re asking: We understand that many guides show the process where each customer logs into the Apple Push Certificates Portal with their own Apple ID, uploads a CSR provided by the MDM, and then renews yearly. Practically, for a small team and early-stage deployments, using one vendor-owned certificate across multiple tenants would be simpler. We want to ensure we’re not violating any policy, terms, or technical requirements (e.g., certificate ownership, topic binding, device token isolation, audit/compliance expectations). What we need from Apple (or authoritative sources): An official Apple document or policy that clearly states whether per-customer certificates are mandatory vs strongly recommended for MSP/multi-tenant MDMs. If per-customer is mandatory, please point to the relevant clause or section. If a vendor uses a single certificate for multiple organizations, what risks or consequences should we expect (e.g., compliance issues, supportability, potential program violations, off-boarding problems, etc.)? Context: We’re sending only MDM wake notifications (standard MDM flow). We understand certificates expire yearly and must be renewed with the same Apple ID to avoid device re-enrollment. We want to follow Apple’s best practices while keeping early operations manageable. Any guidance, links to official documentation, or clarification from Apple engineers/moderators would be greatly appreciated. Thank you!

Hello ! Currently, we have customers who use about 5,000 devices. In the case of ios26, the phone number is not acquired overall, and 18.x, 17.x, and 16.x are all acquired in half and not acquired in half. https://developer.apple.com/documentation/devicemanagement/deviceinformationcommand/command-data.dictionary/queries-data.dictionary It seems that it is the right behavior not to acquire it on the specification sheet. However, I wonder when it became impossible to acquire. (There are devices that can be acquired and devices that can't be acquired in the same os version.) Will the devices that are being acquired be blocked someday? When it was developed in 2019, it was in a state that could be acquired in full. I would also like to ask if there is an alternative way to get your phone number. Thank you.

I was importing the app's information based on the document below. https://developer.apple.com/documentation/devicemanagement/getting-app-and-book-information-legacy However, I have failed to get the information of the custom app from a few days ago. The result is empty. This is a request with an empty result. https://uclient-api.itunes.apple.com/WebObjects/MZStorePlatform.woa/wa/lookup?version=2&p=mdm-lockup&caller=MDM&platform=volumestore&cc=jp&id=1556411142 This is the request with results. https://uclient-api.itunes.apple.com/WebObjects/MZStorePlatform.woa/wa/lookup?version=2&p=mdm-lockup&caller=MDM&platform=volumestore&cc=jp&id=1202716089 In ABM/ASM, you can see my assets and both the quantity in use and the quantity available will be searched normally. Is there anything else I can check? Please reply. Thank you.

I'm looking at the Apple official document below and getting the app's information. https://developer.apple.com/documentation/devicemanagement/getting-app-and-book-information-legacy However, I couldn't get the custom app's information for a few days ago. The result item is empty. This is a URL that is normally viewed. https://uclient-api.itunes.apple.com/WebObjects/MZStorePlatform.woa/wa/lookup?version=2&p=mdm-lockup&caller=MDM&platform=volumestore&cc=jp&id=1202716089 This is the URL that gives an empty response to the result. https://uclient-api.itunes.apple.com/WebObjects/MZStorePlatform.woa/wa/lookup?version=2&p=mdm-lockup&caller=MDM&platform=volumestore&cc=jp&id=1556411142 In ABM/ASM, the number of applications used and the number of available applications are all viewed normally. Is there anything else I can check? Please reply. Thank you.

Hello Forum, If I send the device the "DeviceInformationCommand.Command.RequestType= DeviceInformation" command and "InstalledApplicationListCommand.Command.RequestType = InstalledApplicationList" command , it can be sent successfully, but I don't get a response from the device. https://developer.apple.com/documentation/devicemanagement/get_device_information ------------- our log ---------------------- general.log.5:[2024/03/27 13:23:30] (172.31.54.87) I #TaskUpdateInformationHandler - did:14379, udid:63a6d7edc9f1128808aaee49d80e9539b5fd9cdd, mdm_task_uuids:['0aa5f838-1891-4a9b-b4fd-9d7c0aa365d3', '3f401ea8-be87-499b-a4be-fea2b1dab379'], result:ok, cid:117 general.log.5:[2024/03/28 03:06:34] (172.31.76.98) I #TaskUpdateInformationHandler - did:14379, udid:63a6d7edc9f1128808aaee49d80e9539b5fd9cdd, mdm_task_uuids:['c46b8523-40cd-4c7e-8a5d-0e49c9d26106', '8a99b664-df27-4bc9-8f41-fe39e3a7f3bc'], result:ok, cid:117 It is transmitted successfully to the Apple MDM server, but there is no response from the device. However, policy distribution such as PushSetting works normally. I would like to get some document or help that I can refer to. Thank you.

The request for command type 'InstalledApplicationList' and 'DeviceInformation' is successful, but there is no response from the device. device udid:00008110-0002309A0A6A401E mdm_task_uuids:['d3faa00d-5be9-48d7-a3ef-4ae57fd9e7ff', 'e396c93e-7c1c-455f-a1ad-33df4836626a'] Currently, the device is enrolled with our MDM server normally, and the installation of the policy profile also succeeds successfully. Which part should check more? Please reply. Thank you

If you try to update information on an enroled Apple device, the request command is successful, but you cannot receive any information from the device. RequestType = "DeviceInformation" RequestType = "InstalledApplicationList" mdm_task_uuids:['bb674e0a-e7ce-4df9-ad7a-ebefb67d852e', '5d3e095d-7be4-4f6e-b0b7-2d57208be4b5'] udid:00008110-0002309A0A6A401E The device is operating normally. Policy profiles are also installed well. Which part should I check more? Please reply. Thank you.