Enroll an iOS device via MDM and apply passcode policy with "maxFailedAttempts" setting enabled https://developer.apple.com/documentation/devicemanagement/passcode Now when the user attempts to unlock device exceeds above "maxFailedAttempts" - the device gets wiped. Now the administrator is unaware of this event. It would be helpful to get an message/DDM status from device to notify the MDM server that device is wiped due to incorrect passcode attempts.

Enrol Supervised iOS device Turn ON screen time restriction by opening Settings app -> Content & Privacy restrictions -> Passcode & Face ID -> Don’t Allow. Now install a Passcode policy profile via MDM with the key “forcePIN” set to “true”, such that the device is needed to change the passcode in device. By following above steps, the profile fails. The failure response from the device states that passcode restriction is applied in the device, “The profile ‘Profilename’ may require a passcode change but the passcode cannot be modified.” This is an incorrect behaviour as MDM should have more control over the screen-time restriction as well. Error response from the device <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CommandUUID</key> <string>InstallProfile</string> <key>ErrorChain</key> <array> <dict> <key>ErrorCode</key> <integer>4001</integer> <key>ErrorDomain</key> <string>MCInstallationErrorDomain</string> <key>LocalizedDescription</key> <string>Profile Installation Failed</string> <key>USEnglishDescription</key> <string>Profile Installation Failed</string> </dict> <dict> <key>ErrorCode</key> <integer>4026</integer> <key>ErrorDomain</key> <string>MCInstallationErrorDomain</string> <key>LocalizedDescription</key> <string>The profile **** may require a passcode change but the passcode cannot be modified.</string> <key>USEnglishDescription</key> <string>The profile **** may require a passcode change but the passcode cannot be modified.</string> </dict> </array> <key>Status</key> <string>Error</string> <key>UDID</key> <string>****</string> </dict> </plist> Feedback ID : FB14249704

Enrol Supervised iOS device. Push an CardDAV policy for the above device, the contacts gets synced in the native Contacts app as expected. (https://developer.apple.com/documentation/devicemanagement/carddav) When the above same profile is re-installed in the above device, the synced contacts are lost and password prompt is shown to enter the password - even though the installed profile contains password for the CardDAV policy. Password prompt from the device Re-Installed configuration <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadUUID</key> <string>35ee541b-fec0-46b0-bd48-bcc0702ab60b</string> <key>PayloadType</key> <string>Configuration</string> <key>PayloadOrganization</key> <string>MDM</string> <key>PayloadIdentifier</key> <string>com.mdm.ec89620f-2905-4c14-b09d-7e9f17944468.CardDAV</string> <key>PayloadDisplayName</key> <string>CardDAV</string> <key>PayloadRemovalDisallowed</key> <true/> <key>PayloadContent</key> <array> <dict> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadUUID</key> <string>07c423b5-8ae2-4e6e-9336-aa9ca850d6c9</string> <key>PayloadType</key> <string>com.apple.carddav.account</string> <key>PayloadOrganization</key> <string>MDM</string> <key>PayloadIdentifier</key> <string>07cV423b5-8ae2-4e6e-9336-aa9ca850d6c9</string> <key>PayloadDisplayName</key> <string>CardDAV Policy</string> <key>CardDAVAccountDescription</key> <string>****</string> <key>CardDAVHostName</key> <string>www.googleapis.com</string> <key>CardDAVPassword</key> <string>****</string> <key>CardDAVPort</key> <integer>443</integer> <key>CardDAVPrincipalURL</key> <string></string> <key>CardDAVUseSSL</key> <true/> <key>CardDAVUsername</key> <string>****</string> </dict> </array> </dict> </plist> Feedback ID : FB14250521

When making a GET request to the ABM Account API at https://mdmenrollment.apple.com/account, we receive a response that includes an org_email field. However, we’ve noticed that the value of org_email varies. Sometimes it corresponds to an account with the role of Administrator, while other times it comes from account with roles Device Enrolment Manager, Content Manager and People Manager. We seek clarification on the following points: Which roles determine the org_email sent in the response? Is the org_email coming in API response always same or does it change when we hit the APIs in multiple times. org_email in this response: https://developer.apple.com/documentation/devicemanagement/accountdetail

Dear Apple Team, As an MDM (Mobile Device Management) service provider, we are writing to bring attention to an issue that is affecting many of our customers who manage large fleets of iOS devices. Specifically, we have encountered challenges with the app update process via MDM, which is impacting both kiosk devices and non-kiosk devices in a variety of use cases. Issue 1: App Updates Delayed on Kiosk Devices Many of our customers are deploying kiosk devices that are used 24/7 independently with no attendants. In these cases, when an app update is sent through MDM via the installApplication command, the installation does not begin immediately. Instead, the update starts only after the device is locked. However, since these kiosk devices are running continuously, they are rarely locked, preventing the app update from occurring. To force the update, administrators need to manually remote lock or physically lock the device, which is a time-consuming process. This becomes even more challenging for devices like Apple TV, where remotely locking and unlocking the device to complete app updates is especially difficult, making it hard to keep the apps up to date in a timely manner. Issue 2: User Cancellations of Critical Updates on Non-Kiosk Devices In the case of non-kiosk devices, customers are encountering another challenge: when a critical update is pushed during business hours, users are often prompted to install the update. However, many users tend to cancel the update, leaving devices unpatched and potentially vulnerable. This behavior can delay the deployment of important security patches, which is a critical concern for organizations managing sensitive data or business-critical apps. Request for a Solution Our customers have expressed the need for a more reliable and forceful app update mechanism. Specifically, we are requesting the following features to improve the app update experience: Scheduled app updates: The ability to schedule app updates, similar to the way OS updates are handled. If the user does not install the update within a specified timeframe, the update should begin automatically or prompt the user with a stronger reminder. Force install option: A feature that would allow MDM administrators to force an app update immediately, without relying on user intervention. This would ensure that critical updates are installed promptly, improving security and system stability across all devices. These features are essential for many of our customers who rely on timely and consistent app updates to maintain security, functionality, and compliance across their managed devices. Without these options, they face challenges in ensuring devices are kept up-to-date, which can result in security vulnerabilities and operational disruptions. We kindly request that Apple consider adding these functionalities to improve the MDM app update process and provide a more reliable experience for both kiosk and non-kiosk device management. Thank you for your attention to this matter. We look forward to your feedback and any potential improvements in future iOS updates. Raised in the same manner as feedback: FB15910292

Hi Apple Community, If a macOS Device is FileVault Encrypted, We are using the keys FDE_HasInstitutionalRecoveryKey, FDE_HasPersonalRecoveryKey from SecurityInfo to know the Device Encryption Type. But Some times rarely we get FDE_Enabled as true but both the above mentioned keys as false Also we get SecurityInfo Response patterns like these only if FileVault is enabled in Device with iCloud as option to unlock the disk Can we confirm this pattern or is there any way to know if device is encrypted with options other than Personal / Institutional Types <plist version="1.0"> <dict> <key>CommandUUID</key> <string>SecurityInfo</string> <key>SecurityInfo</key> <dict> ...... ...... ...... <key>FDE_Enabled</key> <true/> <key>FDE_HasInstitutionalRecoveryKey</key> <false/> <key>FDE_HasPersonalRecoveryKey</key> <false/> ...... ...... ...... <key>Status</key> <string>Acknowledged</string> <key>UDID</key> <string>..............</string> </dict> </plist>

Hi Apple Community, I have been Testing with key allowAccountModification in macOS Restriction Payload and found some contrasting behavior In macOS 14, macOS 15.1 in both of the OS Version when allowAccountModification is set to False it restricts adding new Account in System Settings and this is expected behavior How ever things are contrasting and not going as expected in the below situation When macOS 14 Version has 2 profiles for Restriction Payload one with allowAccountModification set to False and another with allowAccountModification set to True it restricts adding Apple Account When macOS 15.1 Version has 2 profiles for Restriction Payload one with allowAccountModification set to False and another with allowAccountModification set to True it allows adding Apple Account I remember when restrictions payload keys are contrasting across different profile Apple Uses the most restrictive one among them. But in macOS 15.1 the behavior is unexpected. Is this a issue in 15.1 and is there any list of macOS versions which shows this unexpected behavior

Issue - Safari application not fetched from system_profile command Use case - We are trying to get list of installed applications in the mac. For this we use System_profiler command to fetch the details list. It is working good, but the thing is , It doesnt fetch Safari app as an installed Application. Command used - **/usr/sbin/system_profiler SPApplicationsDataType** Can anyone suggest any other way to fetch the installed applications list from the mac , which includes all the apps (including safari app) and remains effective ?

I am using system_profiler command to check on the installed application list from mac device. **Terminal command to check installed java version - ** But while running /usr/sbin/system_profiler SPApplicationsDataType -xml , I cant able to find Java as an installed application. Is this a known issue or do we have any alternative workaround to fetch the same?

During MDM Automated Device Enrollment of Apple TV, the web view defined by configuration_web_url is not working. We are using the web view to display the usage policy for all devices. While the web view functions correctly for other devices, it is resulting in an error specifically for Apple TV. Could you please clarify whether Apple plans to implement support for this feature on Apple TV in the future or if it will not be supported? Referring to configuration_web_url in: https://developer.apple.com/documentation/devicemanagement/profile

We are experiencing an issue with Apple Business Manager (ABM) synchronization that is blocking our device management workflow. Issue Description: During the ABM sync process in our MDM, we receive the error: "ABM Terms and Conditions not signed." What We’ve Checked: Logged into the ABM portal as the Administrator and confirmed that the latest Terms and Conditions. Attempted to renew the ABM token on our existing server, but the same error message continues to appear in MDM. Tried creating a brand new ABM server integration, which also fails with the same error. We checked with our MDM provider and they shared the logs, response received from ABM. It says T_C_NOT_SIGNED. But we have already accepted all the new Terms in ABM. We would appreciate any help in resolving this issue or guidance on what steps to take next.

Apple had deprecated some of the payload keys device management Profile Specific Payload instead they are given new keys for it blacklistedAppBundleIDs is deprecated and blockedAppBundleIDs added Apple Developer Doc Are deprecated and new keys are working on the upcoming iOS, iPadOS & Mac.? When are the deprecated keys going to not support permanently?

We are unable to find a key in the MDM's Device information query response that tells us whether a mac uses T1 or T2 security chip. Is there a way to deduce this with the device information response we are already receiving? Thank you.

In a iPad device with OS Version 15.1, when deploying a app store app through MDM, the InstallApplication command receives "License Not Found" error in response. The app is not purchased through VPP and the "PurchaseMethod" key is not set in InstallApplication request command. I have attached a sample request and response of InstallApplication commands. InstallApplication command: <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CommandUUID</key> <string>InstallApplication;Collection=xxxx</string> <key>Command</key> <dict> <key>RequestType</key> <string>InstallApplication</string> <key>iTunesStoreID</key> <integer>xxxx</integer> <key>ManagementFlags</key> <integer>5</integer> <key>Configuration</key> <dict> <key>ServerName</key> <string>xxxx</string> <key>ServerPort</key> <string>xxxx</string> <key>UDID</key> <string>xxxx</string> <key>ErID</key> <string>xxxx</string> <key>IsLanguagePackEnabled</key> <string>true</string> <key>authtoken</key> <string>********</string> <key>SCOPE</key> <string>MDMOnDemand/MDMCloudEnrollment</string> <key>Services</key> <dict> <key>urls</key> <dict> <key>IOSNativeAppServlet</key> <string>xxxx</string> <key>DeviceRegistrationServlet</key> <string>xxxx</string> <key>IOSCheckInServlet</key> <string>xxxx</string> <key>AppCatalogServlet</key> <string>xxxx</string> <key>MDMLogUploaderServlet</key> <string>xxxx</string> <key>mdmDocsServlet</key> <string>xxxx</string> <key>DFSDownloadURL</key> <string>xxxx</string> </dict> <key>token_name</key> <string>********</string> <key>token_value</key> <string>********</string> </dict> <key>IsSyncServerEnabled</key> <true/> <key>IsAnnouncementEnabled</key> <true/> </dict> <key>ChangeManagementState</key> <string>Managed</string> </dict> </dict> </plist> InstallApplication Response: <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CommandUUID</key> <string>InstallApplication;Collection=xxxx</string> <key>ErrorChain</key> <array> <dict> <key>ErrorCode</key> <integer>1005</integer> <key>ErrorDomain</key> <string>DeviceManagement.error</string> <key>LocalizedDescription</key> <string>Could not install app.</string> </dict> <dict> <key>ErrorCode</key> <integer>9610</integer> <key>ErrorDomain</key> <string>ASDServerErrorDomain</string> <key>LocalizedDescription</key> <string>License not found</string> </dict> </array> <key>Status</key> <string>Error</string> <key>UDID</key> <string>xxxx</string> </dict> </plist>

We are facing issues in VPP Client Configuration API ( POST: https://vpp.itunes.apple.com/mdm/VPPClientConfigSrv ). For some VPP token, the "clientContext" key in the response says "token being used in v2" instead of giving a proper clientContext. These VPP tokens aren't actually added in any other MDM than ours. But it gives this as response. Also, we didn't use the new API for setting VPP Client Configuration too. We are seeing this issue for some VPP tokens in random. We would like to understand this behaviour in VPP tokens.