Hi Apple Team, We are excited by looking on the new updates introduced in WWDC23. In a Session named "Do More With Managed Apple IDs" Where There is Sign In Policy Introduced For Managed Apple IDs Any Device Managed Devices Only Supervised Devices Only And as a MDM Vendor We need to Support GetToken CheckIn Request to Support Sign In Policy Managed Devices Only, Supervised Devices Only and have some doubts regarding this. When the Policy is Set To Managed Device Only and we don't have DEP Tokens Registered by Customer with us.How could we able generate the JWT Signed Token with the necessary serverUUID. In case 1) Even though if I have DEP Token with me How could I choose the necessary serverUUID If the device had managed by MDM through Profile Based Enrollments. Can you please provide with appropriate solution to overcome this

We are unable to find the documentation for DDM in Managing apps. We searched the Apple Documentation for the newly introduced API and declarations announced (which are given below) but we could not find any results on this. Documentation for New Apps and Books for Organizations API that replaces ContentMetaData API Documentation for "com.apple.configuration.app.managed" DDM Configuration Documentation for "app.managed.list" DDM status The documentation has not been updated with these cases. Kindly help us on this.

Problem Description: A App Store (VPP - B2B) app distributed to a device through MDM is not installing. The "InstalledApplicationList" response doesn't have the app in it. The "ManagedApplicationList" response has the app with status as "ManagedButUninstalled". But this cannot happen since there is a restriction - allowAppRemoval is set to false for this device which prevents the removal of installed apps in that device. This is applied before the app was distributed to MDM. Steps to reproduce: Enroll a device in MDM. Use restrictions payload[com.apple.applicationaccess] with a key "allowAppRemoval" set to "true". Distribute an app to device. Perform operations to fetch "InstalledApplicationList" and "ManagedApplicationList". Expected Result: The device should install the app successfully and ManagedApplicationList response should return "Managed" status for the app. Actual Result: The device doesn't install the app and "ManagedApplicationList" returns "ManagedButUninstalled" status. InstallApplication Response: <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CommandUUID</key> <string>InstallApplication;Collection=899898</string> <key>Identifier</key> <string>pad.xxxx.ilD</string> <key>State</key> <string>Installing</string> <key>Status</key> <string>Acknowledged</string> <key>UDID</key> <string>000000-00000000-00000000</string> </dict> </plist> ManagedApplicationList Response: <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CommandUUID</key> <string>ManagedApplicationList</string> <key>ManagedApplicationList</key> <dict> <key>com.manageengine.mdm.iosagent</key> <dict> <key>ExternalVersionIdentifier</key> <integer>857024336</integer> <key>HasConfiguration</key> <true/> <key>HasFeedback</key> <true/> <key>IsValidated</key> <true/> <key>ManagementFlags</key> <integer>5</integer> <key>Status</key> <string>Managed</string> </dict> <key>com.teamviewer.teamviewerQS</key> <dict> <key>ExternalVersionIdentifier</key> <integer>851678159</integer> <key>HasConfiguration</key> <false/> <key>HasFeedback</key> <false/> <key>IsValidated</key> <true/> <key>ManagementFlags</key> <integer>5</integer> <key>Status</key> <string>Managed</string> </dict> <key>pad.xxxx.ilD</key> <dict> <key>ExternalVersionIdentifier</key> <integer>857489710</integer> <key>HasConfiguration</key> <true/> <key>HasFeedback</key> <false/> <key>IsValidated</key> <false/> <key>ManagementFlags</key> <integer>5</integer> <key>Status</key> <string>ManagedButUninstalled</string> </dict> </dict> <key>Status</key> <string>Acknowledged</string> <key>UDID</key> <string>000000-00000000-00000000</string> </dict> </plist> Restrictions Response: <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CommandUUID</key> <string>Restrictions</string> <key>GlobalRestrictions</key> <dict> <key>intersection</key> <dict> <key>autonomousSingleAppModePermittedAppIDs</key> <dict> <key>values</key> <array> <string>pad.xxxx.ilD</string> </array> </dict> <key>whitelistedAppBundleIDs</key> <dict> <key>values</key> <array> <string>pad.xxxx.ilD</string> <string>com.manageengine.mdm.iosagent</string> <string>com.teamviewer.teamviewerQS</string> </array> </dict> </dict> <key>restrictedBool</key> <dict> <key>allowAppRemoval</key> <dict> <key>value</key> <false/> </dict> </dict> <key>restrictedValue</key> <dict> <key>maxInactivity</key> <dict> <key>value</key> <integer>5</integer> </dict> </dict> <key>union</key> <dict> <key>blacklistedAppBundleIDs</key> <dict> <key>values</key> <array> <string>com.google.Drive</string> <string>com.apple.news</string> </array> </dict> </dict> </dict> <key>Status</key> <string>Acknowledged</string> <key>UDID</key> <string>000000-00000000-00000000</string> </dict> </plist>

We have the following issues on a iPad enrolled as Shared iPad via MDM using Apple Business Manager (ABM) We are unable to use the mail app in Shared iPad. The following error message is shown “This iPad is restricted from creating mail accounts”. When checked from MDM whether any such account restriction was added, they was none added to this device. We are also unable to add accounts via Settings app as well. And also when checking the Shared iPad restriction documentation, mail app is not in the restricted list for Shared iPad https://support.apple.com/en-mt/guide/apple-school-manager/axm3a8bb0ab8/web Kindly let us know whether we can add mail accounts manually in Shared iPad device. OS Version : iPadOS 16.5

After we wipe the Mac using MDM EraseDevice command, the screen appears asking for PIN and when we enter the correct PIN provided in EraseDevice command, it says Try again in 24284826 minutes, which is like 46 years. We could recover this by connecting the device to LAN, but can we avoid this screen? ?

We encountering an issue with HasUpdateAvailable Key is not updating in InstalledApplicationList when the newer app version is available for the device to update from App Store. Problem Description: When an App Store app or Custom app has a newer version released, the HasUpdateAvailable Key in Installed Application List is never updating. In InstalledApplicationList the HasUpdateAvailable value is False even when a newer app version is available to update. For Example, Google Slides app ( com.google.Slides ) was released a new version - 1.2023.22200 was on June 7, 2023. By checking the device, The InstalledApplicationList response on June 10. The hasUpdateAvailable key is False, Even though the app has an update available. <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CommandUUID</key> <string>InstalledApplicationList</string> <key>InstalledApplicationList</key> <array> <dict> <key>AdHocCodeSigned</key> <false/> <key>AppStoreVendable</key> <true/> <key>BetaApp</key> <false/> <key>BundleSize</key> <integer>198696960</integer> <key>DeviceBasedVPP</key> <false/> <key>DynamicSize</key> <integer>143360</integer> <key>ExternalVersionIdentifier</key> <integer>857221931</integer> <key>HasUpdateAvailable</key> <false/> <key>Identifier</key> <string>com.google.Slides</string> <key>Installing</key> <false/> <key>IsAppClip</key> <false/> <key>IsValidated</key> <true/> <key>Name</key> <string>Slides</string> <key>ShortVersion</key> <string>1.2023.20201</string> <key>Version</key> <string>1.2023.20201</string> </dict> </array> <key>Status</key> <string>Acknowledged</string> <key>UDID</key> <string>00008020-XXXXXXXXXXXX</string> </dict> </plist> Note :- We are experiencing this issue in multiple OS version for most of the apps. All the devices which we tested are compatible with the latest app version

Hi Apple community, I am writing this regarding device based activation lock can enable on device which is in 30 days DEP provisional period. Within the DEP provisional period, I can remove the remote management on my device. So the device is considered to use as my personal device ,not organization owned. Since MDM device based activation lock can enable during this provisional period, The device no longer be referred to use as my personal device also . what is the use of that 30 days? Kindly educate us on this case to whether this an intended options or a bug. Thanks in Advance

Hi Apple community, We encountering an issue with Declarative Management app events when attempting bulk app distribution through our Mobile Device Management (MDM) solution. Description of the Issue: During bulk app distribution, the expected app events defined in the Declarative Management framework are not functioning as intended. While individual app deployments work fine and trigger the desired events, the problem arises specifically when distributing apps in the bulk of more than 20 apps. My Status-Subscription Configuration, { "Type": "com.apple.configuration.management.status-subscriptions", "Identifier": "DEFAULT_STATUS_CONFIG_0", "ServerToken": "2", "Payload": { "StatusItems": [ { "Name": "account.list.caldav" }, { "Name": "account.list.carddav" }, { "Name": "account.list.exchange" }, { "Name": "account.list.google" }, { "Name": "account.list.ldap" }, { "Name": "account.list.mail.incoming" }, { "Name": "account.list.mail.outgoing" }, { "Name": "account.list.subscribed-calendar" }, { "Name": "device.identifier.serial-number" }, { "Name": "device.identifier.udid" }, { "Name": "device.model.family" }, { "Name": "device.model.identifier" }, { "Name": "device.model.marketing-name" }, { "Name": "device.operating-system.build-version" }, { "Name": "device.operating-system.family" }, { "Name": "device.operating-system.marketing-name" }, { "Name": "device.operating-system.supplemental.build-version" }, { "Name": "device.operating-system.supplemental.extra-version" }, { "Name": "device.operating-system.version" }, { "Name": "mdm.app" }, { "Name": "passcode.is-compliant" }, { "Name": "passcode.is-present" } ] } } Has anyone encountered a similar issue where Declarative Management app events fail to trigger during bulk app distribution? If so, I would greatly appreciate any insights, recommendations, or potential workarounds you may have discovered. Additionally, if you have any suggestions for further troubleshooting steps or resources to explore, please feel free to share them. Thank you in advance for your time.

Issue Description: We tested App Store app update deployment in an iPad with OS version 16.4.1. We put the app AppLock mode in device using a MDM. Then we pushed a update for the app from MDM. The device didn't update the app but the command was successfully sent from MDM and device acknowledged it. When we removed the app from AppLock mode and closed it, the app updated instantly. For enterprise apps, we have observed that while pushing the app update to devices when it is in AppLock mode, the app closes automatically and the app updates and opens automatically in AppLock mode. But for app store apps this behavior is different like mentioned above. Also, if the app is not in AppLock mode and if the app update is pushed when the app is running in foreground, the device asks for update prompt. If we accept it, the app doesn't update automatically. If we close the app manually, then the app is updated instantly. Kindly educate us on this case on App Store App as to whether this an intended behavior or a bug.

https://developer.apple.com/documentation/devicemanagement/homescreenlayout With Respect to the above link, we have deployed HomeScreenLayout Policy to device with iPadOS Version 16.4. Irrespective of all the os's, we cant able to restrict the App Library , whatever we do. Attached screenshot of the App Library shown in Home screen Layout. Is it possible to restrict this or not . Can anyone help on this.

https://developer.apple.com/documentation/devicemanagement/homescreenlayout With Respect to the above link, we have deployed HomeScreenLayout Policy to device with iPadOS Version 16.4. Irrespective of all the os's, we cant able to restrict the App Library , whatever we do. Attached screenshot of the App Library shown in Home screen Layout. Is it possible to restrict this or not . Can anyone help on this.

Description: <key>allowSpotlightInternetResults</key> <dict> <key>value</key> <false/> </dict> <key>allowAssistant</key> <dict> <key>value</key> <false/> </dict> I have added the restriction profile with the above restriction keys and values . along with a App Lock Policy locked to a single app. The problem am facing is, the app was locked to a particular app as per the policy . But User can able to open safari preview search view using the spotlight search. Atached Screenshot for the safarii preview in App Lock Policy Enabled Device

Hi Apple Team, We tend to update the MDM profile Supplied to the Mobile Devices when the Name of the organisation was changed by the customer we change the value of PayloadOrganization. When it comes to User Enrollment The organisation name will be shown in Settings Tab and also in Profiles Page. After performing update in MDM profile The Organisation name in the profile's page have been updated but The Organisation name in settings tab wasn't updated Old Name : APNS_ORG_NAME New Name : NEWNAME1

** Hi Community,** We have been testing on using oauth2 for User Enrollment.Where as per doc provided we have supplied the method, authorization-url, token-url, redirect-url, client-id in the 401 response from MDM Server Authorization Request As mentioned the apple client performed authorization request by adding state, login_hint to the Authorization-url and the params mentioned above and successfully received the authorization code after the user makes a login with the IDP. <<<<< Request GET /oauth2/authorization?response_type=code &client_id=XXXXXXXXXX &redirect_uri=apple-remotemanagement-user-login:/oauth2/redirection &state=XXXXXXXXXX &login_hint=useroa@example.com HTTP/1.1 Host: mdmserver.example.com ------- MULTIPLE REQUESTS BETWEEN CLIENT Server ---------- >>>>> Response HTTP/1.1 308 Permanent Redirect Content-Length: 0 Location: apple-remotemanagement-user-login:/oauth2/redirection ?code=XXXXXXXXXX&state=XXXXXXXXXX . Token Request Using the code received from authorization server apple client performs this step to get the access_token and refresh_token.I am using a authorization server created by default in my Okta domain and this step fails. <<<<< Request POST /oauth2/token HTTP/1.1 Content-Type: application/x-www-form-urlencoded Content-Length: 195 grant_type=authorization_code &code=XXXXXXXXXXXX &redirect_uri=apple-remotemanagement-user-login:/oauth2/redirection &client_id=XXXXXXXXXX >>>>> Response HTTP/2 401 Unauthorized Content-Type: application/json { "error": "invalid_client", "error_description": "Client authentication failed. Either the client or the client credentials are invalid." } When debugged this issue, As per Okta's doc https://developer.okta.com/docs/guides/implement-grant-type/authcode/main/#exchange-the-code-for-tokens The client must specify Their credentials in Authorization header as Authorization : Basic <client_id>:<client_secret> in order to get the access_token And Also as per RFC-6749 https://www.rfc-editor.org/rfc/rfc6749#section-4.1.3 The Confidential Clients must specify their client_id, client_secret provided by the authorization server to receive the access_tokens. May I know how to overcome this issue or did I missed any steps that may include the Authorization header Thanks in Advance,.

Apple App Store apps that are not purchased in ABM (Non VPP apps) fails while deployed to macOS and tvOS devices from MDM. Since, we can install apps directly from App Store of macOS and tvOS devices just like iOS devices, kindly help us understand why the non VPP apps fails when distributed to tvOS and macOS from devices.