Post

Replies

Boosts

Views

Activity

Licenses Expiring - App Store Notification in many iPad devices - Issue
Issue Description: Licenses Expiring - The licenses for [app_name] and 'x' other applications will expire in 'n' days.

The given App Store notification is displayed on many iPad devices. All the apps for which the notification is shown are purchased from ABM (VPP apps). The licenses are still assigned to devices and are not revoked, which is made sure from the VPP API. The VPP token is also not nearing expiration and it has more than 6 months before expiry. A screenshot of the notification is attached below. Kindly help us with the reason for this behavior.
9
1
4.6k
Dec ’22
iOS 18 - Unable to receive files using AirDrop when "allowListedAppBundleIDs" restriction key is used
On a supervised device running iOS 18 without any AirDrop restrictions applied, when a profile with the allowListedAppBundleIDs restriction key is installed, the AirDrop sound plays, but the accept prompt still does not appear, making it impossible to accept files. The prompt works as expected on iOS 18 devices on which the allowListedAppBundleIDs restriction is not installed. This issue occurs only on supervised iOS 18 devices to which the allowListedAppBundleIDs restriction is being applied.

Device must be on iOS 18 > Install the (allowListedAppBundleIDs restriction) profile on the device > Try to AirDrop files to the managed device. The expected result is that the accept prompt must pop up, but it does not appear.

This issue is occurring irrespective of any whitelisted bundle ID being added to the allowListedAppBundleIDs restriction profile. Have attached a few whitelisted bundle IDs here: com.talentlms.talentlms.ios.beta, com.maxaccel.safetrack, com.manageengine.mdm.iosagent, com.apple.weather, com.apple.mobilenotes, gov.dot.phmsa.erg2, com.apple.calculator, com.manageengine.mdm.iosagent, com.apple.webapp, com.apple.CoreCDPUI.localSecretPrompt etc.

Have raised a Feedback request (FB15709399) with sysdiagnose logs and a short video on the issue.
6
4
1.9k
Sep ’25
Unable to test ACME payload
Hello All,

We are looking to implement the ACME protocol for our organization PKI and as of now, we are trying out the demo ACME server hosted here. So far, we had a minor piece of luck in getting it to work properly twice, but after that, it errors out every time. This is the payload we are using:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>ClientIdentifier</key>
      <string>123123123123123123123</string>
      <key>ExtendedKeyUsage</key>
      <array>
        <string>1.3.6.1.5.5.7.3.2</string>
      </array>
      <key>HardwareBound</key>
      <true/>
      <key>KeySize</key>
      <integer>384</integer>
      <key>KeyType</key>
      <string>ECSECPrimeRandom</string>
      <key>KeyUsage</key>
      <integer>5</integer>
      <key>PayloadIdentifier</key>
      <string>com.example.test</string>
      <key>PayloadType</key>
      <string>com.apple.security.acme</string>
      <key>PayloadUUID</key>
      <string>sdf-feec-4171-878d-34e576bbb813</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>Subject</key>
      <array>
        <array>
          <array>
            <string>C</string>
            <string>US</string>
          </array>
        </array>
        <array>
          <array>
            <string>O</string>
            <string>Example Inc.</string>
          </array>
        </array>
        <array>
          <array>
            <string>CN</string>
            <string>test</string>
          </array>
        </array>
      </array>
      <key>SubjectAltName</key>
      <dict>
        <key>dNSName</key>
        <string>site.example.com</string>
      </dict>
      <key>DirectoryURL</key>
      <string>https://ca.attestation.dev/acme/acme/directory</string>
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>ACME</string>
  <key>PayloadIdentifier</key>
  <string>com.example.test</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>ce876f81-abf0-46f9-9e68-9b3a7ede8097</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
```

We get the below errors from the ACME server:

```
order status is "pending", not yet "valid"
order status is "ready", not yet "valid"
```

Any insights on what we are doing wrong could be helpful. Thanks in advance.
5
0
2.1k
Oct ’22
Maximum Limit of AxM 'Apps and Books' Licenses
Hi all,

We are planning to manage about 1 Million+ Apple devices, inclusive of both iPhone and Mac devices, under an AxM account. However, while adding VPP licenses for an app I'm prompted with the below error:

"You cannot order more than 100000 copies of same the free item per week"

While our goal is to manage 1 Million devices under the same Location token, I have the below questions in mind:

1. What is the upper limit on the number of licenses that can be added per app in a Location token? Currently it says 1 Lakh licenses per app per week. Wanted to know if there is any limit on this count, as it shouldn't surprise us in upcoming weeks.
2. How many Locations can be created in an AxM account? Currently we created about 15 locations to see if there is any limit, but so far couldn't find any limit on the number of locations that can be created. This limit could help us plan our deployment in advance.
3. What is the total number of licenses a VPP Location token can hold? As we manage 1 Million devices for 12 apps, 1 Million x 12 = 12 Million licenses would be transacted in this Location token by our MDM solution. Is this okay, or will there be any limitations in this count?
3
0
1.1k
May ’24
Enrolling with Platform Single Sign-on ( Implementing Platform SSO during device enrollment )
Hi Apple Team & Community,

The new introduction of Platform SSO during ADE enrollment is great, and we tried implementing this.

As a rule mentioned in the documentation, initially the MDM server should send a 403 response with a response body adhering to ErrorCodePlatformSSORequired when the HTTP header for the MachineInfo request contains MDM_CAN_REQUEST_PSSO_CONFIG and it is set to true.

There are contradictory claims mentioned in the document. In "Process Platform SSO Required Response" it is mentioned that the MDM server should send the body as a JSON object for ErrorCodePlatformSSORequired. Example below:

```
>>>>> Response
HTTP/1.1 403 Forbidden
Content-Type: application/json
Content-Length: 558

{
  "code": "com.apple.psso.required",
  "description": "MDM Server requires the user to authenticate with Identity Provider - BY MEMDM",
  "message": "The MDM server requires you to authenticate with your Identity Provider. Please follow the instructions provided by your organization to complete the authentication process - BY MEMDM",
  "details": {
    "Package": {
      "ManifestURL": "https://platform-sso-node-server.vercel.app:443/manifest"
    },
    "ProfileURL": "https://platform-sso-node-server.vercel.app:443/profile",
    "AuthURL": "https://platform-sso-node-server.vercel.app:443/auth"
  }
}
```

But in the same document a sample HTTP response was provided, which seems to be in XML format, as below:

```
>>>>> Response
HTTP/1.1 403 Forbidden
Content-Type: application/xml
Content-Length: 601

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Code</key>
  <string>com.apple.psso.required</string>
  <key>Details</key>
  <dict>
    <key>ProfileURL</key>
    <string>https://mdmserver.example.com/psso.mobileconfig</string>
    <key>Package</key>
    <dict>
      <key>ManifestURL</key>
      <string>https://mdmserver.example.com/psso-app.plist</string>
    </dict>
    <key>AuthURL</key>
    <string>https://idp.example.com/authenticate</string>
  </dict>
</dict>
</plist>
```

From GitHub I assume that both response types are welcomed, hence I tried with both.

Followed in JSON mode, I redirected the HTTP request, if MachineInfo contains MDM_CAN_REQUEST_PSSO_CONFIG and it is set to true, to https://platform-sso-node-server.vercel.app/redirectedDEPJSON

Followed in XML mode, I redirected the HTTP request, if MachineInfo contains MDM_CAN_REQUEST_PSSO_CONFIG and it is set to true, to https://platform-sso-node-server.vercel.app/redirectedDEPXML

In both response modes the OS is not proceeding afterwards, and an error stating "Enrollment with Management Server Failed, Forbidden request (403)" appears.

Can someone kindly guide me on what I missed, or is this an OS bug in Tahoe 26?
3
0
631
Jul ’25
Apple TV doesn't send Ethernet MAC in DeviceInformation
We have observed that Apple TV doesn't send Ethernet MAC information in the DeviceInformation response. (Apple TV is connected to the Ethernet.)

We've confirmed that the following prerequisites are fulfilled on our side.

The queries in Network information queries are available if the MDM host has a Network Information access right. Reference doc - https://developer.apple.com/business/documentation/MDM-Protocol-Reference.pdf
✓ We have set the maximum access right available (8191).

EthernetMACs - The key to get the Ethernet MAC addresses. This value requires the Network Information access right, and is available in iOS 4 and later, and tvOS 6 and later. Reference doc - https://developer.apple.com/documentation/devicemanagement/deviceinformationcommand/command/queries.
✓ The TV OS version of the device we are referring here is 14+.
✓ The query dictionary contains the EthernetMACs key.

Is this supported for Apple TV devices as mentioned in the documentation? Please find the attached sample requests and responses.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CommandUUID</key>
  <string>DeviceInformation</string>
  <key>Command</key>
  <dict>
    <key>RequestType</key>
    <string>DeviceInformation</string>
    <key>Queries</key>
    <array>
      <string>DeviceName</string>
      <string>OSVersion</string>
      <string>BuildVersion</string>
      <string>ModelName</string>
      <string>Model</string>
      <string>ProductName</string>
      <string>SerialNumber</string>
      <string>DeviceCapacity</string>
      <string>AvailableDeviceCapacity</string>
      <string>BatteryLevel</string>
      <string>CellularTechnology</string>
      <string>IMEI</string>
      <string>MEID</string>
      <string>ModemFirmwareVersion</string>
      <string>ICCID</string>
      <string>BluetoothMAC</string>
      <string>WiFiMAC</string>
      <string>CurrentCarrierNetwork</string>
      <string>SIMCarrierNetwork</string>
      <string>SubscriberCarrier-Network</string>
      <string>CarrierSettingsVersion</string>
      <string>PhoneNumber</string>
      <string>VoiceRoamingEnabled</string>
      <string>DataRoamingEnabled</string>
      <string>IsRoaming</string>
      <string>SubscriberMCC</string>
      <string>SubscriberMNC</string>
      <string>CurrentMCC</string>
      <string>CurrentMNC</string>
      <string>UDID</string>
      <string>IsSupervised</string>
      <string>IsDeviceLocatorServiceEnabled</string>
      <string>IsActivationLockEnabled</string>
      <string>IsDoNotDisturbInEffect</string>
      <string>iTunesStoreAccountIsActive</string>
      <string>EASDeviceIdentifier</string>
      <string>EthernetMACs</string>
      <string>PersonalHotspotEnabled</string>
      <string>LastCloudBackupDate</string>
      <string>IsCloudBackupEnabled</string>
      <string>IsMDMLostModeEnabled</string>
      <string>ServiceSubscriptions</string>
      <string>Languages</string>
      <string>Locales</string>
      <string>DeviceID</string>
      <string>OrganizationInfo</string>
      <string>AwaitingConfiguration</string>
      <string>MDMOptions</string>
      <string>iTunesStoreAccountHash</string>
      <string>SIMMCC</string>
      <string>SIMMNC</string>
      <string>OSUpdateSettings</string>
      <string>LocalHostName</string>
      <string>HostName</string>
      <string>CatalogURL</string>
      <string>IsDefaultCatalog</string>
      <string>PreviousScanDate</string>
      <string>PreviousScanResult</string>
      <string>PerformPeriodicCheck</string>
      <string>AutomaticCheckEnabled</string>
      <string>BackgroundDownloadEnabled</string>
      <string>AutomaticAppInstallationEnabled</string>
      <string>AutomaticOSInstallationEnabled</string>
      <string>AutomaticSecurityUpdatesEnabled</string>
      <string>IsMultiUser</string>
      <string>MaximumResidentUsers</string>
      <string>PushToken</string>
      <string>DiagnosticSubmissionEnabled</string>
      <string>AppAnalyticsEnabled</string>
      <string>IsNetworkTethered</string>
    </array>
  </dict>
</dict>
</plist>
```

Response to this request

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CommandUUID</key>
  <string>DeviceInformation</string>
  <key>QueryResponses</key>
  <dict>
    <key>AwaitingConfiguration</key>
    <false/>
    <key>BluetoothMAC</key>
    <string>xx:xx:xx:xx:xx:xx</string>
    <key>BuildVersion</key>
    <string>xxxxxxx</string>
    <key>DeviceID</key>
    <string>xx:xx:xx:xx:xx:xx</string>
    <key>DeviceName</key>
    <string>xxx</string>
    <key>IsSupervised</key>
    <true/>
    <key>MDMOptions</key>
    <dict/>
    <key>Model</key>
    <string>MR912LL</string>
    <key>ModelName</key>
    <string>AppleTV</string>
    <key>OSVersion</key>
    <string>14.0.2</string>
    <key>ProductName</key>
    <string>AppleTV5,3</string>
    <key>SerialNumber</key>
    <string>xxxxxxxxxx</string>
    <key>UDID</key>
    <string>xxxx</string>
    <key>WiFiMAC</key>
    <string>xx:xx:xx:xx:xx:xx</string>
    <key>iTunesStoreAccountIsActive</key>
    <false/>
  </dict>
  <key>Status</key>
  <string>Acknowledged</string>
  <key>UDID</key>
  <string>xxx</string>
</dict>
</plist>
```

Thank you.
2
0
742
Apr ’21
Multiple SAN for ACMECertificate payload
Hi,

For the SCEP payload's SAN, we are able to provide an array of strings for each key (dNSName, ntPrincipalName).

```xml
<dict>
  <key>ntPrincipalName</key>
  <string>email</string>
  <key>rfc822Name</key>
  <array>
    <string>email</string>
    <string>email2</string>
  </array>
  <key>dNSName</key>
  <array>
    <string>test.com</string>
    <string>example.com</string>
  </array>
</dict>
```

But the ACMECertificate payload is not accepting this and instead returns the below error.

```
The field “rfc822Name” is invalid.
The field “dNSName” is invalid.
```

Does the ACMECertificate payload support multiple SAN values for each key? Thanks for your time!
2
0
1.2k
Sep ’22
“ACME Certificate” payload contains an invalid value for the key “HardwareBound”
We are testing the ACMECertificate payload in Mac 13.1 beta and getting this error. The same payload when sent to iOS works fine. Any help on this would be appreciated. Thanks.

FB Raised: FB11736586

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadUUID</key>
  <string>70e4b45e3c1e</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadOrganization</key>
  <string>NewComp</string>
  <key>PayloadIdentifier</key>
  <string>4565353a3a84</string>
  <key>PayloadDisplayName</key>
  <string>ACME</string>
  <key>PayloadRemovalDisallowed</key>
  <true/>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadUUID</key>
      <string>f84ef110e39b</string>
      <key>PayloadType</key>
      <string>com.apple.security.acme</string>
      <key>PayloadOrganization</key>
      <string>NewComp</string>
      <key>PayloadIdentifier</key>
      <string>f84ef110e39b</string>
      <key>PayloadDisplayName</key>
      <string>ACME Configuration</string>
      <key>DirectoryURL</key>
      <string>https://acmeserver/acme/acme/directory</string>
      <key>ClientIdentifier</key>
      <string>test</string>
      <key>HardwareBound</key>
      <true/>
      <key>KeyType</key>
      <string>ECSECPrimeRandom</string>
      <key>KeySize</key>
      <integer>384</integer>
      <key>Subject</key>
      <array>
        <array>
          <array>
            <string>1.2.840.113549.1.9.1</string>
            <string>test@test.com</string>
          </array>
        </array>
      </array>
      <key>SubjectAltName</key>
      <dict>
      </dict>
      <key>KeyUsage</key>
      <integer>5</integer>
      <key>Attest</key>
      <true/>
    </dict>
  </array>
</dict>
</plist>
```
2
0
1.4k
Dec ’22
Get Users of ABM and ASM enrolled Organizations
Hi Apple Community,

We are an MDM vendor and have been testing around implementing BYOD User Enrollment. In one step we felt it would be good to have a list of Managed Apple IDs associated with an organization, which would be helpful in inserting them in the MDM payload for Account-driven User Enrollment.

To do this I have used a Managed Apple ID in Apple Business Manager with the roles Content Manager, Device Enrolment Manager and People Manager, and an MDM server.

From the MDM server I used the token and have generated an auth_session_token and used it as the header X-ADM-Auth-Session to the endpoint `https://mdmenrollment.apple.com/account` GET to get the account details.

The response contains a list of URLs, of which `https://mdmenrollment.apple.com/roster/class/person` POST was there, which when tried gives an ORGANIZATION_NOT_SUPPORTED 400 response.

We are unable to retrieve the list of users in an Apple Business Manager account at this point. Is there any way to achieve what we intend to do? But in the Roster API
2
0
1.9k
Jan ’23
Device sends "ManagedButUninstalled" status in ManagedApplicationList for an app even without the user removing the app
Problem Description: An App Store (VPP - B2B) app distributed to a device through MDM is not installing. The "InstalledApplicationList" response doesn't have the app in it. The "ManagedApplicationList" response has the app with status as "ManagedButUninstalled". But this cannot happen since there is a restriction - allowAppRemoval is set to false for this device, which prevents the removal of installed apps in that device. This is applied before the app was distributed to MDM.

Steps to reproduce: Enroll a device in MDM. Use restrictions payload [com.apple.applicationaccess] with a key "allowAppRemoval" set to "true". Distribute an app to device. Perform operations to fetch "InstalledApplicationList" and "ManagedApplicationList".

Expected Result: The device should install the app successfully and the ManagedApplicationList response should return "Managed" status for the app.

Actual Result: The device doesn't install the app and "ManagedApplicationList" returns "ManagedButUninstalled" status.

InstallApplication Response:

```xml
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CommandUUID</key>
  <string>InstallApplication;Collection=899898</string>
  <key>Identifier</key>
  <string>pad.xxxx.ilD</string>
  <key>State</key>
  <string>Installing</string>
  <key>Status</key>
  <string>Acknowledged</string>
  <key>UDID</key>
  <string>000000-00000000-00000000</string>
</dict>
</plist>
```

ManagedApplicationList Response:

```xml
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CommandUUID</key>
  <string>ManagedApplicationList</string>
  <key>ManagedApplicationList</key>
  <dict>
    <key>com.manageengine.mdm.iosagent</key>
    <dict>
      <key>ExternalVersionIdentifier</key>
      <integer>857024336</integer>
      <key>HasConfiguration</key>
      <true/>
      <key>HasFeedback</key>
      <true/>
      <key>IsValidated</key>
      <true/>
      <key>ManagementFlags</key>
      <integer>5</integer>
      <key>Status</key>
      <string>Managed</string>
    </dict>
    <key>com.teamviewer.teamviewerQS</key>
    <dict>
      <key>ExternalVersionIdentifier</key>
      <integer>851678159</integer>
      <key>HasConfiguration</key>
      <false/>
      <key>HasFeedback</key>
      <false/>
      <key>IsValidated</key>
      <true/>
      <key>ManagementFlags</key>
      <integer>5</integer>
      <key>Status</key>
      <string>Managed</string>
    </dict>
    <key>pad.xxxx.ilD</key>
    <dict>
      <key>ExternalVersionIdentifier</key>
      <integer>857489710</integer>
      <key>HasConfiguration</key>
      <true/>
      <key>HasFeedback</key>
      <false/>
      <key>IsValidated</key>
      <false/>
      <key>ManagementFlags</key>
      <integer>5</integer>
      <key>Status</key>
      <string>ManagedButUninstalled</string>
    </dict>
  </dict>
  <key>Status</key>
  <string>Acknowledged</string>
  <key>UDID</key>
  <string>000000-00000000-00000000</string>
</dict>
</plist>
```

Restrictions Response:

```xml
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CommandUUID</key>
  <string>Restrictions</string>
  <key>GlobalRestrictions</key>
  <dict>
    <key>intersection</key>
    <dict>
      <key>autonomousSingleAppModePermittedAppIDs</key>
      <dict>
        <key>values</key>
        <array>
          <string>pad.xxxx.ilD</string>
        </array>
      </dict>
      <key>whitelistedAppBundleIDs</key>
      <dict>
        <key>values</key>
        <array>
          <string>pad.xxxx.ilD</string>
          <string>com.manageengine.mdm.iosagent</string>
          <string>com.teamviewer.teamviewerQS</string>
        </array>
      </dict>
    </dict>
    <key>restrictedBool</key>
    <dict>
      <key>allowAppRemoval</key>
      <dict>
        <key>value</key>
        <false/>
      </dict>
    </dict>
    <key>restrictedValue</key>
    <dict>
      <key>maxInactivity</key>
      <dict>
        <key>value</key>
        <integer>5</integer>
      </dict>
    </dict>
    <key>union</key>
    <dict>
      <key>blacklistedAppBundleIDs</key>
      <dict>
        <key>values</key>
        <array>
          <string>com.google.Drive</string>
          <string>com.apple.news</string>
        </array>
      </dict>
    </dict>
  </dict>
  <key>Status</key>
  <string>Acknowledged</string>
  <key>UDID</key>
  <string>000000-00000000-00000000</string>
</dict>
</plist>
```
2
0
1.2k
Jun ’23
Unable to sign in managed Apple ID in supervised device after iCloud subscription
When I try to sign in with a Managed Apple ID on a supervised device, a prompt appears stating that "Apple ID" is a work account. This account must be signed in as a work account on this device. When I click continue, it takes me to the VPN and device management tab, where the MDM profile already exists.

Note: The Managed Apple ID has an iCloud subscription for it. When I remove the subscription for the Apple ID and try to sign in, it works.

Kindly help on this or advise on any additional steps required to enable sign-in for a Managed Apple ID in this scenario.
2
1
178
Aug ’25
Will deprecated payload keys be supported in upcoming operating systems?
Apple has deprecated some of the payload keys in the device management profile-specific payloads; instead, new keys are given for them. blacklistedAppBundleIDs is deprecated and blockedAppBundleIDs added (Apple Developer Doc).

Are the deprecated and new keys working on the upcoming iOS, iPadOS & Mac? When are the deprecated keys going to stop being supported permanently?
1
0
938
Jul ’21
InstallApplication command receives "License Not Found" error with Error Code: 9610 for a non VPP app
On an iPad device with OS Version 15.1, when deploying an App Store app through MDM, the InstallApplication command receives a "License Not Found" error in response. The app is not purchased through VPP and the "PurchaseMethod" key is not set in the InstallApplication request command. I have attached a sample request and response of the InstallApplication commands.

InstallApplication command:

```xml
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CommandUUID</key>
  <string>InstallApplication;Collection=xxxx</string>
  <key>Command</key>
  <dict>
    <key>RequestType</key>
    <string>InstallApplication</string>
    <key>iTunesStoreID</key>
    <integer>xxxx</integer>
    <key>ManagementFlags</key>
    <integer>5</integer>
    <key>Configuration</key>
    <dict>
      <key>ServerName</key>
      <string>xxxx</string>
      <key>ServerPort</key>
      <string>xxxx</string>
      <key>UDID</key>
      <string>xxxx</string>
      <key>ErID</key>
      <string>xxxx</string>
      <key>IsLanguagePackEnabled</key>
      <string>true</string>
      <key>authtoken</key>
      <string>********</string>
      <key>SCOPE</key>
      <string>MDMOnDemand/MDMCloudEnrollment</string>
      <key>Services</key>
      <dict>
        <key>urls</key>
        <dict>
          <key>IOSNativeAppServlet</key>
          <string>xxxx</string>
          <key>DeviceRegistrationServlet</key>
          <string>xxxx</string>
          <key>IOSCheckInServlet</key>
          <string>xxxx</string>
          <key>AppCatalogServlet</key>
          <string>xxxx</string>
          <key>MDMLogUploaderServlet</key>
          <string>xxxx</string>
          <key>mdmDocsServlet</key>
          <string>xxxx</string>
          <key>DFSDownloadURL</key>
          <string>xxxx</string>
        </dict>
        <key>token_name</key>
        <string>********</string>
        <key>token_value</key>
        <string>********</string>
      </dict>
      <key>IsSyncServerEnabled</key>
      <true/>
      <key>IsAnnouncementEnabled</key>
      <true/>
    </dict>
    <key>ChangeManagementState</key>
    <string>Managed</string>
  </dict>
</dict>
</plist>
```

InstallApplication Response:

```xml
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CommandUUID</key>
  <string>InstallApplication;Collection=xxxx</string>
  <key>ErrorChain</key>
  <array>
    <dict>
      <key>ErrorCode</key>
      <integer>1005</integer>
      <key>ErrorDomain</key>
      <string>DeviceManagement.error</string>
      <key>LocalizedDescription</key>
      <string>Could not install app.</string>
    </dict>
    <dict>
      <key>ErrorCode</key>
      <integer>9610</integer>
      <key>ErrorDomain</key>
      <string>ASDServerErrorDomain</string>
      <key>LocalizedDescription</key>
      <string>License not found</string>
    </dict>
  </array>
  <key>Status</key>
  <string>Error</string>
  <key>UDID</key>
  <string>xxxx</string>
</dict>
</plist>
```
1
1
2.7k
Nov ’22