Issue Description An tvOS device is enrolled in MDM and an App Store App (VPP App) is deployed in Apple TV (4K) with AppLock policy. App has an update in App Store and the app update is pushed to device from MDM. The InstallApplication command is sent to the device for the app update and the command response gives "Managed" state for the app. But the app doesn't update in the device. Incase if, the AppLock policy is removed from the device and then the app update is pushed, the app updates to latest version in device. Normally in iOS devices, if an app update is pushed and if the app is open in device with AppLock policy, the app closes automatically and the update is installed and app reopens automatically in AppLock mode without any user intervention. Is it the same behavior in tvOS devices or does the AppLock policy app update behavior change here? Kindly help us understand this use case. Sample InstallApplication Command: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CommandUUID</key> <string>InstallApplication;Collection=1234</string> <key>Command</key> <dict> <key>RequestType</key> <string>InstallApplication</string> <key>iTunesStoreID</key> <integer>383457673</integer> <key>ManagementFlags</key> <integer>5</integer> <key>Options</key> <dict> <key>PurchaseMethod</key> <integer>1</integer> </dict> <key>ChangeManagementState</key> <string>Managed</string> </dict> </dict> </plist> Sample InstallApplication Response: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CommandUUID</key> <string>InstallApplication;Collection=1234</string> <key>Identifier</key> <string>com.plexapp.plex</string> <key>State</key> <string>Managed</string> <key>Status</key> <string>Acknowledged</string> <key>UDID</key> <string>00000000-0000XXXXX0000</string> </dict> </plist>

Issue Description: When trying to install a VPP purchased or non VPP App Store App in a iOS device using "InstallApplication" command from MDM, the device gives "Purchase Batch Failed" error in its response. Sample InstallApplication Request: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CommandUUID</key> <string>InstallApplication;Collection=11111</string> <key>Command</key> <dict> <key>RequestType</key> <string>InstallApplication</string> <key>iTunesStoreID</key> <integer>815193300</integer> <key>ManagementFlags</key> <integer>5</integer> <key>Options</key> <dict> <key>PurchaseMethod</key> <integer>1</integer> </dict> <key>ChangeManagementState</key> <string>Managed</string> <key>InstallAsManaged</key> <true/> </dict> </dict> </plist> Sample InstallApplication Response: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CommandUUID</key> <string>InstallApplication;Collection=11111</string> <key>ErrorChain</key> <array> <dict> <key>ErrorCode</key> <integer>1005</integer> <key>ErrorDomain</key> <string>DeviceManagement.error</string> <key>LocalizedDescription</key> <string>Could not install app.</string> </dict> <dict> <key>ErrorCode</key> <integer>12</integer> <key>ErrorDomain</key> <string>AMSErrorDomain</string> <key>LocalizedDescription</key> <string>Purchase Batch Failed</string> </dict> </array> <key>Status</key> <string>Error</string> <key>UDID</key> <string>0000-xxxxx-000000000</string> </dict> </plist> Kindly help understand this case and provide a solution for this. Thanks in advance.

Payload associated to the device : &lt;key&gt;PayloadVersion&lt;/key&gt; &lt;integer&gt;1&lt;/integer&gt; &lt;key&gt;PayloadUUID&lt;/key&gt; &lt;string&gt;1b5a9bc1-8c80-4ea8-a98d-1a2e8dcb9ac2&lt;/string&gt; &lt;key&gt;PayloadType&lt;/key&gt; &lt;string&gt;com.apple.mobiledevice.passwordpolicy&lt;/string&gt; &lt;key&gt;PayloadOrganization&lt;/key&gt; &lt;string&gt;MD � �M&lt;/string&gt; &lt;key&gt;PayloadIdentifier&lt;/key&gt; &lt;string&gt;1b5a9bc1-8c80-4ea8-a98d-1a2e8dcb9ac2&lt;/string&gt; &lt;key&gt;PayloadDisplayName&lt;/key&gt; &lt;string&gt;Passcode Policy&lt;/string&gt; &lt;key&gt;forcePIN&lt;/key&gt; &lt;true/&gt; &lt;key&gt;allowSimple&lt;/key&gt; &lt;true/&gt; &lt;key&gt;changeAtNextAuth&lt;/key&gt; &lt;false/&gt; &lt;key&gt;minLength&lt;/key&gt; &lt;integer&gt;6&lt;/integer&gt; &lt;key&gt;maxFailedAttempts&lt;/key&gt; &lt;integer&gt;6&lt;/integer&gt; Everything works as expected. No unexpected behaviour. Out Problem is , we are unable to identify whether the device got wiped due to maxfailedattempt exceeded or due to any Reset actions in Settings. We have no response from the device , on exceeding maximumfailed attempts. If there is any message response for this exceeded command, It will better for us to differentiate the complete wipe action’s source. Also Raised in Apple Feedback : Id FB11498866

Description: Apps over 200MB will not be automatically downloaded in iOS device when deployed from MDM if "Ask If Over 200MB" is set under General -> App Store -> Mobile Data -> App Downloads. Is there a setting available for MDM to force enable "Always Ask" under General -> App Store -> Mobile Data -> App Downloads in iOS devices ? Kindly help us on this use case.

In the given WWDC22 video, it is mentioned that if a slot is eSIM, then EID will be returned in that slot’s response. Reference: https://developer.apple.com/videos/play/wwdc2022/10045/#:~:text=During%20WWDC%202021%2C%20we%20introduced,platform%20support%20and%20new%20features Above video’s transcript text: But when tested with iPhone 13 and iPhone 14 models, the ServiceSubscription response contains EID only in any one of the slots in ServiceSubscription query in DeviceInformation   How can we know which SIM slot supports eSIM ?  How can one know which slot’s IMEI should be given to network operator for configuring eSIM ?

Multiple payloads are allowed for App notification settings payload for macOS devices, but for iOS/iPadOS devices they are not allowed. And this restricts us to maintaining/keep track of a single profile having app notifications payload. May I know the reason behind this? Reference : https://developer.apple.com/documentation/devicemanagement/notifications

Issue description: In iOS 15+ devices, the enterprise apps ask for update prompt when an update for the app is deployed from MDM even when screen is locked with passcode. The app is running on foreground but the screen is locked in with passcode. Previously, in older iOS versions like iOS 12.0, the enterprise apps will not ask for update prompt when an update is distributed from MDM if screen is locked with passcode(and app running in foreground). Is this an intended behavior or a bug? Kindly help us understand this case. Steps to reproduce. Enroll a iOS (15.0+) device in a MDM. Deploy a enterprise app to device successfully. Open the app in device and lock the screen. Make sure the device has passcode for lock Deploy an update for the same app from the MDM. Expected Result: The app should be installed automatically. Actual Result: The app asks for update prompt in device.

Pre Note: This issue not reproducing so promisingly. We cant find its issue source. Its occurring randomly on devices Step 1: After enrolling the device in MDM . try to send a clear passcode command to device . Command : There will be response from device with below format Response: On Checking the MDM Protocol Reference - Protocol Ref I can only able to see “5013 Cannot clear passcode” with respect to this issue. Other than it nothing can be seen in any apple docs too. We dont know why this issue occurs and it is resolved after any pending os update or ReEnrolling devices to MDM. Is there any suggestion regarding this and why this happens for random devices.

“iPhone Findable After Power Off” - This option is available in unsupervised devices given that Find My iPhone is turned on from iOS 15 (Specific device models) when trying to power off the device.  But this option seems to be not available in Supervised devices. Is there any other way to turn this on in Supervised devices? Kindly confirm Is this the expected behaviour in Supervised devices.

Problem Description: We are associating 1000 devices to 25 apps using Associate Assets API - https://vpp.itunes.apple.com/mdm/v2/assets/associate We find the association completion state by two ways. Method 1: Using Event Status API - https://vpp.itunes.apple.com/mdm/v2/status We test the success state of event by continuously polling event status API - until it provides COMPLETE/FAILURE in eventStatus. For the above association, the time taken for event Status to give COMPLETE/FAILURE status for the above API is 30 seconds. Improvement Needed: A new type of notification type can be introduced so that on association event completion, the notification request could return the event status response to MDM server without the need to poll the Event Status API from MDM. Method 2: By Subscribing ASSET_MANAGEMENT notification On subscribing ASSET_MANAGEMENT notification in clientConfig API - https://vpp.itunes.apple.com/mdm/v2/client/config, the asset management notification request is enabled. "notificationTypes": [ "ASSET_MANAGEMENT" ] On performing the association, each notification request reaches the MDM server with response in batch of 100 devices per 1 app. Hence, more than 250 notifications requests(including duplicate requests) reaches the MDM server. This takes around 5 mins to complete provide the association results Improvement Needed: The 100 devices status per 1 app for one notification request could be increased to make lesser notification requests and hence improving the time to receive the association response. Hence, currently the Method 1 - using Event Status API provides the association completion response sooner than the Method 2 (Notifications). So, providing a notification type to subscribe for event Status could reduce the long time to provide all association response in ASSET_MANAGEMENT notification and eliminate the need to poll event status from MDM. Kindly consider this request.

DESCRIPTION: A macOS device (Version 13 and above), "passcode-is-present" and "passcode-compliant" status items are unsupported. After the Successful Acknowledged of the DeclarativeManagement command, we receive supported client capabilities from the device as a status report. but while analyzing the device-supported client capabilities details represent those two status items are supported. On analyzing the device respond with an error. "device.identifier.udid" status item provided halfway correct udid value exactly not. HOW TO REPRODUCE: Enroll a macOS device in MDM. Send the DeclarativeManagement Command to macOS 13+ devices. The MDM server responds with a DeclarativeManagement Command that should include the SynchronizationTokens JSON data. The device fetches the declarations manifest from the MDM server. While synchronization, we will subscribe the status items (passcode-is-present,passcode-compliant, device.identifier.udid, mdm.app) as configuration. For example, { "Type":"com.apple.configuration.management.status-subscriptions", "Identifier":"85B5130A-4D0D-462B-AA0D-0C3B6630E5AA", "ServerToken":"59eb13b9-5d51-54b9-8a4b-e8abe37c27ee", "Payload":{ "StatusItems":[ { "Name":"passcode.is-present" }, { "Name":"passcode.is-compliant" }, { "Name":"device.identifier.udid" } ] } } Response the above JSON payload to the device, While requesting the "declaration/configuration/****" details from MDM. Note: Before subscribing to the status items ("passcode-is-present" and "passcode-compliant") via Declarative Management, Passcode Configuration Policy should be applied to the mac device. EXPECTED APP: The Passcode Status reports will provide certain values (true/false). The "device.identifier.udid" status item provides the exact UDID same as Command Response. ACTUAL RESULT: The Passcode Status reports did not provide values (true/false), but we are getting the error- { "Errors":[ { "Reasons":[ { "Code":"Error.UnsupportedStatusValue", "Description":"Cannot report status on “passcode.is-present†because value is not supported." } ], "StatusItem":"passcode.is-present" }, { "Reasons":[ { "Code":"Error.UnsupportedStatusValue", "Description":"Cannot report status on “passcode.is-compliant†because value is not supported." } ], "StatusItem":"passcode.is-compliant" } ] } The "device.identifier.udid" status provided UDID to MDM like { "device":{ "identifier":{ "udid":"b486fc***0***5d77*****4********9e60e00000000" } } } and UDID of Command Responses like <key>UDID</key> <string>B486FC***-5***0-5D77-****4-******9E60E</string> Kindly help us with this case.

DESCRIPTION: A macOS devices (Version 13 and above), "mdm.app" status item will not be supported. why? HOW TO REPRODUCE: Enroll a macOS device in MDM. Send the DeclarativeManagement Command to macOS 13+ devices. The MDM server responds with a DeclarativeManagement Command that should include the SynchronizationTokens JSON data. The device fetches the declarations manifest from the MDM server. While synchronization, we will subscribe the status items (mdm.app) as configuration. For example, { "Type":"com.apple.configuration.management.status-subscriptions", "Identifier":"85B5130A-4D0D-462B-AA0D-0C3B6630E5AA", "ServerToken":"59eb13b9-5d51-54b9-8a4b-e8abe37c27ee", "Payload":{ "StatusItems":[ { "Name":"mdm.app" } ] } } Response the above JSON payload to the device, While requesting the "declaration/configuration/****" details. EXPECTED RESULT: The "mdm.app" status item responds to the current status of the managed app after sending InstallApplication Command to the device. ACTUAL RESULT: The mdm.app status item response is like the following error- { "Errors":[ { "Reasons":[ { "Code":"Error.UnsupportedStatusValue", "Description":"Cannot report status on “mdm.app†because value is not supported." } ], "StatusItem":"mdm.app" } ] } Any help on this would be appreciated. Thanks.

Issue : When applied applock policy to the device, device not shutting down on long press of the power button and volume button. Shut down happens well when the profile is removed from the device. When tested in iPhone, this worked well when the profile is applied Steps to Reproduce : In iPad 16.3 OS , Payload : <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadUUID</key> <string>01d6d9a0-740f-40e4-a521-b97e3d452547</string> <key>PayloadType</key> <string>Configuration</string> <key>PayloadOrganization</key> <string>MDM</string> <key>PayloadIdentifier</key> <string>com.mdm.b4033cca-328f-4eab-8bbe-b9224a6ab4ed.singleKioks</string> <key>PayloadDisplayName</key> <string>single Kioks</string> <key>PayloadRemovalDisallowed</key> <true/> <key>PayloadContent</key> <array> <dict> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadUUID</key> <string>8533f5c1-fbb6-49fb-88bb-b3cbda8e8bb1</string> <key>PayloadType</key> <string>com.apple.app.lock</string> <key>PayloadOrganization</key> <string>MDM</string> <key>PayloadIdentifier</key> <string>8533f5c1-fbb6-49fb-88bb-b3cbda8 èe8bb1</string> <key>PayloadDisplayName</key> <string>AppLock Policy</string> <key>App</key> <dict> <key>Options</key> <dict> <key>DisableTouch</key> <false/> <key>DisableDeviceRotation</key> <false/> <key>DisableVolumeButtons</key> <false/> <key>DisableRingerSwitch</key> <false/> <key>DisableSleepWakeButton</key> <false/> <key>DisableAutoLock</key> <true/> <key>EnableVoiceOver</key> <false/> <key>EnableZoom</key> <false/> <key>EnableInvertColors</key> <false/> <key>EnableAssistiveTouch</key> <false/> <key>EnableSpeakSelection</key> <false/> <key>EnableMonoAudio</key> <false/> <key>EnableVoiceControl</key> <false/> </dict> <key>UserEnabledOptions</key> <dict> <key>VoiceOver</key> <false/> <key>Zoom</key> <false/> <key>InvertColors</key> <false/> <key>AssistiveTouch</key> <false/> </di µct> <key>Identifier</key> <string>com.apple.AppStore</string> </dict> <key>Identifier</key> <string>com.apple.AppStore</string> </dict> </array> </dict> </plist> -> I have applied the following kiosk profile to the device . -> When pressing the Power button(top Button) and a side volume button, It doesnt shut down the device. -> Whereas, the device when the above profile is removed. the same buttons lead to shut down. -> Same way this was not an issue for the iPhone devices (only iPads doesnt shut down when this profile is applied) Have attached the sysdiagnose logs for the iPad (affected). Kindly help with this case.

We have a device which does not communicate with our MDM server. When we checked the console logs we found that device receives the push notification but does not respond to MDM server. When a restart is performed, it again communicates. From time to time it stops working and we have to restart to bring back communication. Feedback has been raised with sysdiagnose - FB12062214 Any help would be appreciated.

Hi Apple Team, We tend to update the MDM profile Supplied to the Mobile Devices when the Name of the organisation was changed by the customer we change the value of PayloadOrganization. When it comes to User Enrollment The organisation name will be shown in Settings Tab and also in Profiles Page. After performing update in MDM profile The Organisation name in the profile's page have been updated but The Organisation name in settings tab wasn't updated Old Name : APNS_ORG_NAME New Name : NEWNAME1