Apple had deprecated some of the payload keys device management Profile Specific Payload instead they are given new keys for it blacklistedAppBundleIDs is deprecated and blockedAppBundleIDs added Apple Developer Doc Are deprecated and new keys are working on the upcoming iOS, iPadOS & Mac.? When are the deprecated keys going to not support permanently?

We are unable to find a key in the MDM's Device information query response that tells us whether a mac uses T1 or T2 security chip. Is there a way to deduce this with the device information response we are already receiving? Thank you.

Hi, We recently noticed that the following Macbook models have the same Model Identifier: MacBook Air (13-inch, Early 2015) MacBook Air (13-inch, 2017) Model Identifier: MacBookAir7,2. Source It causes a little confusion to know what model a device is. Is there any other key available in MDM's DeviceInformation to distinguish different Macbook models? Thanks in advance.

I have an issue where app store app deployed to devices in MDM with App lock policy profile is not updating when the update is pushed from MDM. Instruction: Enroll the device(AppleTVs) in MDM, then apply App Lock profile with any one app store app to the device. After profile is applied successfully and the app is installed, try to push an update for the app from MDM to the device Expected Result: The app must be updated to the newer version. Actual Result: The app doesn't update in the device.

We are trying to push a WiFi mobile config to a fleet of devices. Before mass deployment, we tried manually installing the WiFi mobile config in one Mac device. During manual profile installation It asks for a username-password. (Please see the image) I just click Install without providing anything. The device auto-joins with the WiFi, without asking for username and password We then pushed the same exact mobile config file via a MDM solution, and the profile installs fine. But the device doesn't auto-join the WiFi, and when I choose the WiFi network, it asks for a username and password, even though I have configured SystemModeCredentialsSource to be ActiveDirectory We have double-checked that there're no changes made to mobile config when deployed via MDM. Mobile Config: <dict> <key>AutoJoin</key> <true/> <key>SetupModes</key> <array> <string>System</string> <string>Loginwindow</string> </array> <key>EAPClientConfiguration</key> <dict> <key>AcceptEAPTypes</key> <array> <integer>25</integer> <integer>21</integer> </array> <key>PayloadCertificateAnchorUUID</key> <array> <string>UUID_here</string> <string>UUID_here</string> <string>UUID_here</string> </array> <key>TTLSInnerAuthentication</key> <string>MSCHAPv2</string> <key>SystemModeCredentialsSource</key> <string>ActiveDirectory</string> </dict> <key>EncryptionType</key> <string>WPA2</string> <key>HIDDEN_NETWORK</key> <false/> <key>PayloadDescription</key> <string>Configures Wi-Fi settings</string> <key>PayloadDisplayName</key> <string>Wi-Fi</string> <key>PayloadIdentifier</key> <string>com.test.wifi1</string> <key>PayloadType</key> <string>com.apple.wifi.managed</string> <key>PayloadUUID</key> <string>UUID_here</string> <key>PayloadVersion</key> <integer>1</integer> <key>SSID_STR</key> <string>Test</string> </dict> As a trial and error, We tried providing empty username-password and false to OneTimeUserPassword, in the EAPClientConfiguration, but still when connecting to the WiFi, I'm prompted for username and password. <key>OneTimeUserPassword</key> <false/> <key>UserName</key> <string></string> <key>UserPassword</key> <string></string> We are stuck in this for days. Any help would be appreciated. Please free feel to ask for more details if needed. Thanks in advance.

We are experiencing issues on MDM enrolled devices where the SSL certificates are not trusted after the OS update. We use EnterpriseCA certificate in our server and pushed to devices during enrolment. But after OS update, the CA is missing from the ‘Certificate Trust settings’ in the device, but present under MDM profile. This make the devices to stop communicating with the server. For now we have manually installed the certificate on the devices and enabled full trust. But this involves user intervention and also end user can disable full trust anytime as the option is not greyed out, or remove the certificate from device. We would like to know if there is any other option to push the certificates without user intervention. And also the best practices to avoid this in future. Already we have seen this https://support.apple.com/en-in/HT212962 but it talks only about the Identity certificate. We would like to understand whether SSL certificates are also included in this.

We recently noticed that, In the TokenUpdate message from a MDM enrolled device, the PushMagic value is empty. The response from device is: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>MessageType</key> <string>TokenUpdate</string> <key>PushMagic</key> <string></string> <key>Token</key> <string>[redacted]</string> <key>Topic</key> <string>[redacted]</string> <key>UDID</key> <string>[redacted]</string> </dict> </plist> This is a MacBookPro9,2 with OS version 10.8.5. We would like to understand whether this is an issue. Or how to handle this.

FB9895426 (Apple Device MDM enrolment fails if client certificate is requested during SSL Handshake) Device enrolment fails in an MDM Server configured with client certificate authentication. Upon investigating the issue, we noticed that the device drops the SSL handshake if a client certificate is requested during the handshake. Wireshark Screenshot: From the console logs, we noticed the below error: <MCHTTPRequestor: 0x283b560a0> cannot accept the authentication method NSURLAuthenticationMethodClientCertificate The TLS protocol states that "If no suitable certificate is available, the client SHOULD send a certificate message containing no certificates.". Thus, we expect the MDM client to respond with a "no certificate" response during the SSL handshake. Someone has already raised the same question but there's no reply yet: https://developer.apple.com/forums/thread/680328 https://developer.apple.com/forums/thread/676579 Any help would be appreciated. Thanks in advance.

We are trying to connect macOS devices to Wi-Fi using Wi-Fi configuration profile in MDM. EAP type is PEAP - MSCHAPv2 with both System and LoginWindow setup modes enabled, but unfortunately devices are getting stuck in connecting phase of the Wi-Fi without actually getting connected. We have also send the Sysdiagnose logs to Apple feedback assistance(Ref ID:FB9965644) Please find the configuration we have used below &lt;!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"&gt; &lt;plist version="1.0"&gt; &lt;dict&gt;     &lt;key&gt;PayloadVersion&lt;/key&gt;     &lt;integer&gt;1&lt;/integer&gt;     &lt;key&gt;PayloadUUID&lt;/key&gt;     &lt;string&gt;5f9c93d0-f2b4-45b2-9367-e65a52d1f1a9&lt;/string&gt;     &lt;key&gt;PayloadType&lt;/key&gt;     &lt;string&gt;Configuration&lt;/string&gt;     &lt;key&gt;PayloadOrganization&lt;/key&gt;     &lt;string&gt;MDM&lt;/string&gt;     &lt;key&gt;PayloadIdentifier&lt;/key&gt;     &lt;string&gt;com.mdm.0583c3c2-4fe2-414a-9bc6-87467f0fef02.MacOSWifi&lt;/string&gt;     &lt;key&gt;PayloadDisplayName&lt;/key&gt;     &lt;string&gt;Wifi_Corp&lt;/string&gt;     &lt;key&gt;PayloadRemovalDisallowed&lt;/key&gt;     &lt;true/&gt;     &lt;key&gt;PayloadContent&lt;/key&gt;     &lt;array&gt;         &lt;dict&gt;             &lt;key&gt;PayloadVersion&lt;/key&gt;             &lt;integer&gt;1&lt;/integer&gt;             &lt;key&gt;PayloadUUID&lt;/key&gt;             &lt;string&gt;f962f11d-6524-4061-b93b-82975dd7512b&lt;/string&gt;             &lt;key&gt;PayloadType&lt;/key&gt;             &lt;string&gt;com.apple.wifi.managed&lt;/string&gt;             &lt;key&gt;PayloadOrganization&lt;/key&gt;             &lt;string&gt;MDM&lt;/string&gt;             &lt;key&gt;PayloadIdentifier&lt;/key&gt;             &lt;string&gt;f962f11d-6524-4061-b93b-82975dd7512b&lt;/string&gt;             &lt;key&gt;PayloadDisplayName&lt;/key&gt;             &lt;string&gt;Wifi Profile Configuration&lt;/string&gt;             &lt;key&gt;SSID_STR&lt;/key&gt;             &lt;string&gt;--SSID Over Here--&lt;/string&gt;             &lt;key&gt;AutoJoin&lt;/key&gt;             &lt;true/&gt;             &lt;key&gt;SetupModes&lt;/key&gt;             &lt;array&gt;                 &lt;string&gt;System&lt;/string&gt;                 &lt;string&gt;Loginwindow&lt;/string&gt;             &lt;/array&gt;             &lt;key&gt;HIDDEN_NETWORK&lt;/key&gt;             &lt;false/&gt;             &lt;key&gt;EAPClientConfiguration&lt;/key&gt;             &lt;dict&gt;                 &lt;key&gt;AcceptEAPTypes&lt;/key&gt;                 &lt;array&gt;                     &lt;integer&gt;21&lt;/integer&gt;                     &lt;integer&gt;25&lt;/integer&gt;                 &lt;/array&gt;                 &lt;key&gt;EAPFASTUsePAC&lt;/key&gt;                 &lt;false/&gt;                 &lt;key&gt;EAPFASTProvisionPAC&lt;/key&gt;                 &lt;false/&gt;                 &lt;key&gt;EAPFASTProvisionPACAnonymously&lt;/key&gt;                 &lt;false/&gt;                 &lt;key&gt;UserName&lt;/key&gt;                 &lt;string&gt;---UserName Over here---&lt;/string&gt;                 &lt;key&gt;UserPassword&lt;/key&gt;                 &lt;string&gt;--Password Over here--&lt;/string&gt;                 &lt;key&gt;TTLSInnerAuthentication&lt;/key&gt;                 &lt;string&gt;MSCHAPv2&lt;/string&gt;                 &lt;key&gt;PayloadCertificateAnchorUUID&lt;/key&gt;                 &lt;array&gt;                     &lt;string&gt;b68ceae9-5752-44a3-887c-4dd422428f3d&lt;/string&gt;                 &lt;/array&gt;             &lt;/dict&gt;             &lt;key&gt;EncryptionType&lt;/key&gt;             &lt;string&gt;Any&lt;/string&gt;             &lt;key&gt;ProxyType&lt;/key&gt;             &lt;string&gt;None&lt;/string&gt;         &lt;/dict&gt;         &lt;dict&gt;             &lt;key&gt;PayloadVersion&lt;/key&gt;             &lt;integer&gt;1&lt;/integer&gt;             &lt;key&gt;PayloadUUID&lt;/key&gt;             &lt;string&gt;b68ceae9-5752-44a3-887c-4dd422428f3d&lt;/string&gt;             &lt;key&gt;PayloadType&lt;/key&gt;             &lt;string&gt;com.apple.security.root&lt;/string&gt;             &lt;key&gt;PayloadOrganization&lt;/key&gt;             &lt;string&gt;MDM&lt;/string&gt;             &lt;key&gt;PayloadIdentifier&lt;/key&gt;             &lt;string&gt;b68ceae9-5752-44a3-887c-4dd422428f3d&lt;/string&gt;             &lt;key&gt;PayloadDisplayName&lt;/key&gt;             &lt;string&gt;iOS Certificate Policy&lt;/string&gt;             &lt;key&gt;PayloadContent&lt;/key&gt;             &lt;data&gt;                 -----Trust Certificate Data Here---             &lt;/data&gt;             &lt;key&gt;PayloadCertificateFileName&lt;/key&gt;             &lt;string&gt;----Certificate file name.cer----&lt;/string&gt;         &lt;/dict&gt;     &lt;/array&gt; &lt;/dict&gt; &lt;/plist&gt;

After Energy Saver mobileconfig file with Display sleep time as 1 and System Sleep time as 2 successfully, and then when you change the settings in System Preference->Energy Saver manually. The time that was set manually takes effect instead of what MDM has set for MacBook Pro(Intel Chip tried in both Sierra as well as Monterey). Please find the mobileconfig that we tried below. <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict>     <key>PayloadContent</key>     <array>         <dict>             <key>PayloadDisplayName</key>             <string>Energy Saver</string>             <key>PayloadIdentifier</key>             <string>com.286E9EC9-588D-4BDC-B90C-F4FBAC58A2F0.com.apple.MCX.24D336A4-FE03-493F-81B6-C4CEB640F58F</string>             <key>PayloadType</key>             <string>com.apple.MCX</string>             <key>PayloadUUID</key>             <string>24D336A4-FE03-493F-81B6-C4CEB640F58F</string>             <key>PayloadVersion</key>             <integer>1</integer>             <key>com.apple.EnergySaver.portable.ACPower</key>             <dict>                 <key>Disk Sleep Timer</key>                 <integer>5</integer>                 <key>Display Sleep Timer</key>                 <integer>1</integer>                 <key>System Sleep Timer</key>                 <integer>2</integer>             </dict>             <key>com.apple.EnergySaver.portable.BatteryPower</key>             <dict>                 <key>Disk Sleep Timer</key>                 <integer>5</integer>                 <key>Display Sleep Timer</key>                 <integer>1</integer>                 <key>System Sleep Timer</key>                 <integer>2</integer>             </dict>         </dict>     </array>     <key>PayloadDisplayName</key>     <string>Energy Saver</string>     <key>PayloadIdentifier</key>     <string>A5406D19-83C6-45B2-B6D2-EF9AF9D59EA8</string>     <key>PayloadRemovalDisallowed</key>     <false/>     <key>PayloadType</key>     <string>Configuration</string>     <key>PayloadUUID</key>     <string>803ABA57-F75B-42EB-9849-15D7EAE7B7FA</string>     <key>PayloadVersion</key>     <integer>1</integer> </dict> </plist>

requireManagedPasteboard - boolean If true, copy and paste functionality respects the allowOpenFromManagedToUnmanaged and allowOpenFromUnmanagedToManagedrestrictions. Also available for user enrollment. As it is suggested , It doesn't allow the text to be copied from managed apps and pasted in any unmanaged app and also ViceVersa. But there is an another way to get the text to other Unmanaged/Managed App by highlighting a text from mail content and click on the 'share' option leads the text to be opened in the destination App. Steps: Pushed a Managed Account to Native Mail App. Pushed a Restriction with "requireManagedPasteboard" Opened a Mail and highlighted the text contents Click on Share Option . It will list all the app (both Managed and Unmanaged ) to share the text. I clicked on Notes App. The Highlighted Text got moved to the Notes App. The Same when tried to Copied and pasted in Notes App. It says "Enabled Restriction for Copy/Paste " Attached the screenshot where does the "Share" Option appear. Kindly check whether this is the default behaviour or anything am i missing?

We have sent the payload for restricting all the apps except Youtube and MEMDM app . Payload is listed below. The Problem is we are restricted all the apps except the apps that were offloaded before . the icon of the offloaded apps appears in the homescreen. Attached the Screenshot for the above offloaded icons with multiapp kiosk enabled Is this the expected behaviour? Or anything am i missing. Can anyone help me with this? Payload Sent to the Device :-> <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadUUID</key> <string>------------</string> <key>PayloadType</key> <string>Configuration</string> <key>PayloadOrganization</key> <string>-----</string> <key>PayloadIdentifier</key> <string>----------------</string> <key>PayloadDisplayName</key> <string>MultiApp Kiosk</string> <key>PayloadRemovalDisallowed</key> <true/> <key>PayloadContent</key> <array> <dict> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadUUID</key> <string>----------------</string> <key>PayloadType</key> <string>com.apple.applicationaccess</string> <key>PayloadOrganization</key> <string>MDM</string> <key>PayloadIdentifier</key> <string>---------------</string> <key>PayloadDisplayName</key> <string>AppLock Whitelist Policy</string> <key>whitelistedAppBundleIDs</key> <array> <string>com.google.ios.youtube</string> <string>com.manageengine.mdm.iosagent</string> <string>com.apple.webapp</string> </array> <key>allowListedAppBundleIDs </key> <array> <string>com.google.ios.youtube</string> <string>com.manageengine.mdm.iosagent</string> <string>com.apple.webapp</string> </array> </dict> </array> </dict> </plist>

In the document by Apple over here, it says that AlwaysOn VPN is supported in macOS 10.7+. However, AlwaysOn doesn't seem to work in macOS even in that latest OS. We came across a post where it states that it is supported only for iOS. We had a requirement for supporting AlwaysOn VPN for macOS. Also, in the console log, we found the following error while sending a profile with AlwaysOn VPN configuration error 16:19:45.716722+0530 mdmclient NEConfiguration initWithVPNPayload: failed error 16:19:45.717076+0530 mdmclient [ERROR] <<<<< PlugIn: InstallPayload [NEProfileIngestionPlugin] Error: Error Domain=ConfigProfilePluginDomain Code=-319 "The ‘VPN Service’ payload could not be installed. The VPN service could not be created." UserInfo={NSLocalizedDescription=The ‘VPN Service’ payload could not be installed. The VPN service could not be created.} <<<<<

In the latest update of macOS 12.3, the Login Window Items payload does not work. However, it is working until macOS 12.1. The profile applies successfully but the required apps are not listed under the Login Window Items tab in Users & Groups. Here is the payload we tried in both the OS versions             <key>PayloadVersion</key>             <integer>1</integer>             <key>PayloadUUID</key>             <string>bdcc8534-8a2e-40b5-bf65-17ab9247319c</string>             <key>PayloadType</key>             <string>com.apple.loginitems.managed</string>             <key>PayloadOrganization</key>             <string>MDM</string>             <key>PayloadIdentifier</key>             <string>bdcc8534-8a2e-40b5-bf65-17ab9247319c</string>             <key>PayloadDisplayName</key>             <string>Mac Login Window Item</string>             <key>AutoLaunchedApplicationDictionary-managed</key>             <array>                 <dict>                     <key>Path</key>                     <string>/Applications/Safari.app</string>                     <key>Hide</key>                     <false/>                 </dict>             </array>         </dict>

We have a use case such that we want all the network calls from the mac device to go through VPN. We tried using the OnDemand field in VPN. Unfortunately those user's with admin privilege still able to disconnect from VPN. Even if we enabled OnDemand. Admin users can disconnect by disabling the OnDemand option in VPN settings. We noticed that there is an option to restrict the OnDemand option in iOS as mentioned here using the field OnDemandUserOverrideDisabled However, this is not supported in macOS. Can anyone suggest a mechanism to restrict users from disabling VPN?