Hi,
For the SCEP payload's SAN, we are able to provide an array of strings for each key (dNSName, ntPrincipalName).
<dict>
  <key>ntPrincipalName</key>
  <string>email</string>
  <key>rfc822Name</key>
  <array>
    <string>email</string>
    <string>email2</string>
  </array>
  <key>dNSName</key>
  <array>
    <string>test.com</string>
    <string>example.com</string>
  </array>
</dict>
But the ACMECertificate payload does not accept this and instead returns the errors below.
The field “rfc822Name” is invalid.
The field “dNSName” is invalid.
Does the ACMECertificate payload support multiple SAN values for each key?
Thanks for your time!
Hi, we are testing the ACMECertificate payload and noticed that in the device's configuration the key size is displayed as 0.
Thanks in advance.
Payload associated with the device:
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>1b5a9bc1-8c80-4ea8-a98d-1a2e8dcb9ac2</string>
<key>PayloadType</key>
<string>com.apple.mobiledevice.passwordpolicy</string>
<key>PayloadOrganization</key>
<string>MD � �M</string>
<key>PayloadIdentifier</key>
<string>1b5a9bc1-8c80-4ea8-a98d-1a2e8dcb9ac2</string>
<key>PayloadDisplayName</key>
<string>Passcode Policy</string>
<key>forcePIN</key>
<true/>
<key>allowSimple</key>
<true/>
<key>changeAtNextAuth</key>
<false/>
<key>minLength</key>
<integer>6</integer>
<key>maxFailedAttempts</key>
<integer>6</integer>
Everything works as expected. No unexpected behaviour.
Our problem is that we are unable to identify whether the device was wiped because maxFailedAttempts was exceeded or because of a reset action in Settings.
We get no response from the device on exceeding the maximum failed attempts.
If there were a message response for this exceeded case,
it would be easier for us to differentiate the source of the complete wipe action.
Also raised in Apple Feedback: ID FB11498866
Description:
Apps over 200MB will not be automatically downloaded on an iOS device when deployed from MDM if "Ask If Over 200MB" is set under General -> App Store -> Mobile Data -> App Downloads. Is there a setting available for MDM to force-enable "Always Ask" under General -> App Store -> Mobile Data -> App Downloads on iOS devices? Kindly help us with this use case.
Topic:
App Store Distribution & Marketing
SubTopic:
General
Tags:
App Store
Device Management
Managed Settings
Hi Community,
We are happy to see how Apple is committed to making the true single sign-on experience and providing a seamless user experience.
Hence we have been testing the ExtensibleSingleSignOn profile-specific payload using the extensions provided by Microsoft for Azure AD, Company Portal for macOS and the Authenticator app for iOS respectively. In both we have tried to deny the SSO flow for some native apps like Excel and Word by specifying their bundle IDs in the "DeniedBundleIdentifiers" key provided in the ExtensibleSingleSignOn profile. Even though we specify them, these apps seem to go through the SSO flow and have not prompted for any credentials.
May I know what the behaviour of the "DeniedBundleIdentifiers" key is, and why it didn't block the SSO flow in this case?
And also, to gain some knowledge on it: is it the responsibility of the extensions to block the redirection from these apps, or the responsibility of Apple?
In the given WWDC22 video, it is mentioned that if a slot is an eSIM, then the EID will be returned in that slot's response.
Reference:
https://developer.apple.com/videos/play/wwdc2022/10045/#:~:text=During%20WWDC%202021%2C%20we%20introduced,platform%20support%20and%20new%20features
Above video’s transcript text:
But when tested with iPhone 13 and iPhone 14 models, the ServiceSubscription response contains the EID in only one of the slots in the ServiceSubscription query in DeviceInformation.
How can we know which SIM slot supports eSIM?
How can one know which slot's IMEI should be given to the network operator for configuring the eSIM?
In the VPP License Management 2.0.0+ API endpoint for creating users (POST https://vpp.itunes.apple.com/mdm/v2/users/create), what is the use of the "email" and "managedAppleId" keys?
We are able to accept the invitation link with any Apple ID other than the one given during creation of the user. Kindly help us understand the purpose of these two keys and how they should be used (separately/together).
Issue Description:
In case the app version for iOS and iPadOS differs, as it does between iOS and tvOS, how can we get the iPadOS app details from the ContentMetadataLookup API?
Sample contentMetadataURL for iOS: https://uclient-api.itunes.apple.com/WebObjects/MZStorePlatform.woa/wa/lookup?version=2&id=544007664&p=mdm-lockup&caller=MDM&platform=enterprisestore&cc=us&l=en
Kindly help us with this case.
Topic:
App Store Distribution & Marketing
SubTopic:
General
Tags:
App Store
Apple Business Manager
Business and Enterprise
Device Management
When we use Migration Assistant to transfer data from one machine to another, or when restoring a backup, it breaks the MDM enrollment. Upon checking, we found that because the identity certificate in the keychain isn't available, the MDM agent is unable to initiate communication.
Is there any way to avoid behaviour like this? Thanks in advance.
Topic:
Developer Tools & Services
SubTopic:
General
Tags:
Enterprise
Business and Enterprise
Device Management
Hello All,
We are looking to implement the ACME protocol for our organization PKI and as of now, we are trying out the demo ACME server hosted here. So far, we had a minor piece of luck in getting it to work properly twice, but after that, it errors out every time. This is the payload we are using:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>ClientIdentifier</key>
      <string>123123123123123123123</string>
      <key>ExtendedKeyUsage</key>
      <array>
        <string>1.3.6.1.5.5.7.3.2</string>
      </array>
      <key>HardwareBound</key>
      <true/>
      <key>KeySize</key>
      <integer>384</integer>
      <key>KeyType</key>
      <string>ECSECPrimeRandom</string>
      <key>KeyUsage</key>
      <integer>5</integer>
      <key>PayloadIdentifier</key>
      <string>com.example.test</string>
      <key>PayloadType</key>
      <string>com.apple.security.acme</string>
      <key>PayloadUUID</key>
      <string>sdf-feec-4171-878d-34e576bbb813</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>Subject</key>
      <array>
        <array>
          <array>
            <string>C</string>
            <string>US</string>
          </array>
        </array>
        <array>
          <array>
            <string>O</string>
            <string>Example Inc.</string>
          </array>
        </array>
        <array>
          <array>
            <string>CN</string>
            <string>test</string>
          </array>
        </array>
      </array>
      <key>SubjectAltName</key>
      <dict>
        <key>dNSName</key>
        <string>site.example.com</string>
      </dict>
      <key>DirectoryURL</key>
      <string>https://ca.attestation.dev/acme/acme/directory</string>
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>ACME</string>
  <key>PayloadIdentifier</key>
  <string>com.example.test</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>ce876f81-abf0-46f9-9e68-9b3a7ede8097</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
We get the below errors from the ACME server:
order status is "pending", not yet "valid"
order status is "ready", not yet "valid"
Any insights on what we are doing wrong could be helpful. Thanks in advance.
Topic:
Business & Education
SubTopic:
Device Management
Tags:
wwdc2022-10143
Device Management
App Attest
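The two server messages in the post above each describe an order that stopped one step short: "pending" means no authorization has been satisfied yet (in Apple's attestation flow that is the device-attest-01 challenge), and "ready" means the authorization passed but no CSR was ever submitted to the order's finalize URL. Both are intermediate states of the RFC 8555 order state machine rather than failures of the payload itself. The following is an added example, not code from the post or from the demo ACME server it mentions: it drives an order through the RFC 8555 section 7.1.6 states against a constructed in-memory CA, and maps the quoted error text back to the missing client step. All URLs in it are placeholders.

```python
"""Walk an ACME order through the RFC 8555 state machine.

Added example; not code from the original post or from the demo ACME
server it points at. State names and transitions follow RFC 8555
section 7.1.6; the CA below is a constructed in-memory stand-in.
"""
import re

# Order status -> the client step that is still outstanding.
NEXT_ACTION = {
    "pending": "complete_authorizations",  # satisfy a challenge in each authz
    "ready": "finalize",                   # POST the CSR to the finalize URL
    "processing": "poll",                  # CA is issuing; re-fetch the order
    "valid": "download_certificate",       # GET the certificate URL
    "invalid": "abort",                    # terminal failure; start a new order
}


def next_action(order):
    """Return the client step implied by the order's status field."""
    status = order.get("status")
    if status not in NEXT_ACTION:
        raise ValueError(f"unknown order status: {status!r}")
    return NEXT_ACTION[status]


def action_from_error(message):
    """Map a message such as: order status is "pending", not yet "valid"
    to the step the client has not yet performed."""
    match = re.search(r'order status is "([a-z]+)"', message)
    if not match:
        raise ValueError("not an order-status message")
    return next_action({"status": match.group(1)})


def drive_order(fetch_order, complete_authorizations, finalize, max_steps=10):
    """Run the client side of the state machine until a terminal status.

    The three callables stand in for the network calls a real client makes.
    Returns the sequence of statuses observed.
    """
    history = []
    for _ in range(max_steps):
        order = fetch_order()
        history.append(order["status"])
        action = next_action(order)
        if action == "complete_authorizations":
            complete_authorizations(order)
        elif action == "finalize":
            finalize(order)
        elif action in ("download_certificate", "abort"):
            return history
        # "poll": nothing to send; the order is fetched again on the next loop
    raise TimeoutError("order did not reach a terminal status")


class FakeCA:
    """Constructed CA that advances the order only when the client acts."""

    def __init__(self):
        self._polls = 0
        self.order = {
            "status": "pending",
            "authorizations": ["https://ca.example/acme/authz/1"],  # placeholder
            "finalize": "https://ca.example/acme/finalize/1",       # placeholder
        }

    def fetch(self):
        # Issuance takes one extra poll after finalization before "valid".
        if self.order["status"] == "processing":
            self._polls += 1
            if self._polls > 1:
                self.order["status"] = "valid"
                self.order["certificate"] = "https://ca.example/acme/cert/1"
        return dict(self.order)

    def complete_authorizations(self, order):
        # A real client answers the challenge here; the order becomes "ready".
        self.order["status"] = "ready"

    def finalize(self, order):
        # A real client POSTs the CSR to order["finalize"].
        self.order["status"] = "processing"


if __name__ == "__main__":
    ca = FakeCA()
    print(drive_order(ca.fetch, ca.complete_authorizations, ca.finalize))
    print(action_from_error('order status is "ready", not yet "valid"'))
```

When debugging a client against a real directory, log the status returned by each fetch of the order URL: a run that only ever shows "pending" points at the challenge response, a run that reaches "ready" and stops points at finalization, and only "invalid" indicates the CA rejected the request.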
Multiple payloads are allowed for the app notification settings payload on macOS devices, but on iOS/iPadOS devices they are not allowed.
This restricts us to maintaining/keeping track of a single profile containing the app notifications payload.
May I know the reason behind this?
Reference: https://developer.apple.com/documentation/devicemanagement/notifications
DESCRIPTION:
An iOS app (WhatsApp Business) is not getting updated on the device when an update is deployed. The InstallApplication command is sent to the device successfully and is Acknowledged, but the app does not update. On analyzing the device logs in Console we get the error ["This installation was canceled by the user." UserInfo={NSLocalizedFailureReason=User canceled., NSLocalizedDescription=This installation was canceled by the user] for the app. This is a supervised device and the app was not open in the foreground either. So ideally the app should update silently without any user interruption, but it says that the user cancelled. There is no prompt on the device either. We are unable to remove and re-install the app since app data would be lost.
HOW TO REPRODUCE:
Enroll an iOS device in MDM.
Deploy a VPP App Store App using MDM to the device.
Wait for an update in the App Store, then deploy the update of the same VPP App Store app to the device from MDM.
EXPECTED RESULT:
The app should be updated on the device.
ACTUAL RESULT:
The app is not updated on the device. (Error found on device: "This installation was canceled by the user" for the app.)
InstallApplication command from MDM:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CommandUUID</key>
  <string>InstallApplication;Collection=51084000003072065</string>
  <key>Command</key>
  <dict>
    <key>RequestType</key>
    <string>InstallApplication</string>
    <key>iTunesStoreID</key>
    <integer>1386412985</integer>
    <key>InstallAsManaged</key>
    <true/>
    <key>ManagementFlags</key>
    <integer>5</integer>
    <key>Options</key>
    <dict>
      <key>PurchaseMethod</key>
      <integer>1</integer>
    </dict>
    <key>ChangeManagementState</key>
    <string>Managed</string>
  </dict>
</dict>
</plist>
InstallApplication response from device:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CommandUUID</key>
  <string>InstallApplication;Collection=51084000003072065</string>
  <key>Identifier</key>
  <string>net.whatsapp.WhatsAppSMB</string>
  <key>State</key>
  <string>Managed</string>
  <key>Status</key>
  <string>Acknowledged</string>
  <key>UDID</key>
  <string>*****</string>
</dict>
</plist>
Kindly help us with this case.
Topic:
App Store Distribution & Marketing
SubTopic:
General
Tags:
App Store
Apple Business Manager
Business and Enterprise
Device Management
We are facing issues with the VPP Client Configuration API (POST: https://vpp.itunes.apple.com/mdm/VPPClientConfigSrv).
For some VPP tokens, the "clientContext" key in the response says "token being used in v2" instead of giving a proper clientContext. These VPP tokens aren't actually added to any MDM other than ours, but it gives this as the response. Also, we didn't use the new API for setting the VPP client configuration either. We are seeing this issue for some VPP tokens at random. We would like to understand this behaviour of VPP tokens.
On an iPad device with OS version 15.1, when deploying an App Store app through MDM, the InstallApplication command receives a "License Not Found" error in the response. The app is not purchased through VPP and the "PurchaseMethod" key is not set in the InstallApplication request command.
I have attached a sample request and response of the InstallApplication command.
InstallApplication command:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CommandUUID</key>
  <string>InstallApplication;Collection=xxxx</string>
  <key>Command</key>
  <dict>
    <key>RequestType</key>
    <string>InstallApplication</string>
    <key>iTunesStoreID</key>
    <integer>xxxx</integer>
    <key>ManagementFlags</key>
    <integer>5</integer>
    <key>Configuration</key>
    <dict>
      <key>ServerName</key>
      <string>xxxx</string>
      <key>ServerPort</key>
      <string>xxxx</string>
      <key>UDID</key>
      <string>xxxx</string>
      <key>ErID</key>
      <string>xxxx</string>
      <key>IsLanguagePackEnabled</key>
      <string>true</string>
      <key>authtoken</key>
      <string>********</string>
      <key>SCOPE</key>
      <string>MDMOnDemand/MDMCloudEnrollment</string>
      <key>Services</key>
      <dict>
        <key>urls</key>
        <dict>
          <key>IOSNativeAppServlet</key>
          <string>xxxx</string>
          <key>DeviceRegistrationServlet</key>
          <string>xxxx</string>
          <key>IOSCheckInServlet</key>
          <string>xxxx</string>
          <key>AppCatalogServlet</key>
          <string>xxxx</string>
          <key>MDMLogUploaderServlet</key>
          <string>xxxx</string>
          <key>mdmDocsServlet</key>
          <string>xxxx</string>
          <key>DFSDownloadURL</key>
          <string>xxxx</string>
        </dict>
        <key>token_name</key>
        <string>********</string>
        <key>token_value</key>
        <string>********</string>
      </dict>
      <key>IsSyncServerEnabled</key>
      <true/>
      <key>IsAnnouncementEnabled</key>
      <true/>
    </dict>
    <key>ChangeManagementState</key>
    <string>Managed</string>
  </dict>
</dict>
</plist>
InstallApplication response:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CommandUUID</key>
  <string>InstallApplication;Collection=xxxx</string>
  <key>ErrorChain</key>
  <array>
    <dict>
      <key>ErrorCode</key>
      <integer>1005</integer>
      <key>ErrorDomain</key>
      <string>DeviceManagement.error</string>
      <key>LocalizedDescription</key>
      <string>Could not install app.</string>
    </dict>
    <dict>
      <key>ErrorCode</key>
      <integer>9610</integer>
      <key>ErrorDomain</key>
      <string>ASDServerErrorDomain</string>
      <key>LocalizedDescription</key>
      <string>License not found</string>
    </dict>
  </array>
  <key>Status</key>
  <string>Error</string>
  <key>UDID</key>
  <string>xxxx</string>
</dict>
</plist>
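The two InstallApplication responses on this page (the Acknowledged one from the WhatsApp Business post and the ErrorChain one just above) are the shape an MDM server has to parse before it can decide anything. The following is an added example, not code from either post or from any MDM product: it reads both responses with the standard library's plistlib, walks the ErrorChain down to the underlying error, and flags the ASDServerErrorDomain 9610 "License not found" case. The two plists are copied from the posts above (with the redactions they already contain); everything else is constructed.

```python
"""Parse MDM InstallApplication responses and surface the ErrorChain.

Added example, not part of the original posts: standard-library plistlib
only. The two sample responses are copied from the posts on this page;
the helper names and the summary format are this example's own.
"""
import plistlib

# Acknowledged response (WhatsApp Business post).
ACK_RESPONSE = b"""<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CommandUUID</key>
  <string>InstallApplication;Collection=51084000003072065</string>
  <key>Identifier</key>
  <string>net.whatsapp.WhatsAppSMB</string>
  <key>State</key>
  <string>Managed</string>
  <key>Status</key>
  <string>Acknowledged</string>
  <key>UDID</key>
  <string>*****</string>
</dict>
</plist>"""

# Error response (iPadOS 15.1 "License not found" post).
ERROR_RESPONSE = b"""<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CommandUUID</key>
  <string>InstallApplication;Collection=xxxx</string>
  <key>ErrorChain</key>
  <array>
    <dict>
      <key>ErrorCode</key>
      <integer>1005</integer>
      <key>ErrorDomain</key>
      <string>DeviceManagement.error</string>
      <key>LocalizedDescription</key>
      <string>Could not install app.</string>
    </dict>
    <dict>
      <key>ErrorCode</key>
      <integer>9610</integer>
      <key>ErrorDomain</key>
      <string>ASDServerErrorDomain</string>
      <key>LocalizedDescription</key>
      <string>License not found</string>
    </dict>
  </array>
  <key>Status</key>
  <string>Error</string>
  <key>UDID</key>
  <string>xxxx</string>
</dict>
</plist>"""


def parse_install_response(raw):
    """Return the fields an MDM server needs in order to act on a response."""
    # fmt=FMT_XML: a response pasted without an <?xml ...?> declaration starts
    # with <!DOCTYPE, which plistlib's format sniffing does not recognise.
    plist = plistlib.loads(raw, fmt=plistlib.FMT_XML)
    errors = [
        (e.get("ErrorDomain", ""), int(e.get("ErrorCode", 0)),
         e.get("LocalizedDescription", ""))
        for e in plist.get("ErrorChain", [])
    ]
    return {
        "command_uuid": plist.get("CommandUUID"),
        "status": plist.get("Status"),
        "identifier": plist.get("Identifier"),
        "state": plist.get("State"),
        "errors": errors,
    }


def root_cause(parsed):
    """The last ErrorChain entry is the underlying (most specific) error."""
    return parsed["errors"][-1] if parsed["errors"] else None


def is_missing_license(parsed):
    """True for the ASDServerErrorDomain 9610 case shown in the post above."""
    return ("ASDServerErrorDomain", 9610) in [(d, c) for d, c, _ in parsed["errors"]]


def summarize(parsed):
    """One log line per response. Acknowledged only means the command was
    accepted; the install outcome is reported later (e.g. ManagedApplicationList)."""
    uuid = parsed["command_uuid"]
    if parsed["status"] == "Acknowledged":
        return (f"{uuid}: {parsed['identifier']} ({parsed['state']}) acknowledged; "
                f"install outcome not yet known")
    chain = " <- ".join(f"{d}:{c} {desc!r}" for d, c, desc in parsed["errors"])
    return f"{uuid}: status {parsed['status']}; error chain {chain}"


if __name__ == "__main__":
    for raw in (ACK_RESPONSE, ERROR_RESPONSE):
        print(summarize(parse_install_response(raw)))
```

The WhatsApp Business post illustrates why the summary line refuses to treat Acknowledged as success: the device accepted the command and the update still failed later, so the server has to keep checking the app's reported state rather than closing the command on acknowledgement.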
Issue Description:
Licenses Expiring - The licenses for [app_name] and 'x' other applications will expire in 'n' days.
The given App Store notification is displayed on many iPad devices. All the apps for which the notification is shown are purchased from ABM (VPP apps). The licenses are still assigned to the devices and are not revoked, which we confirmed via the VPP API. The VPP token is also not nearing expiration; it has more than 6 months until expiry.
A screenshot of the notification is attached below.
Kindly help us with the reason for this behavior.
Topic:
App Store Distribution & Marketing
SubTopic:
General
Tags:
App Store
Apple Business Manager
Business and Enterprise
Device Management