Hi Apple community, We encountering an issue with Declarative Management app events when attempting bulk app distribution through our Mobile Device Management (MDM) solution. Description of the Issue: During bulk app distribution, the expected app events defined in the Declarative Management framework are not functioning as intended. While individual app deployments work fine and trigger the desired events, the problem arises specifically when distributing apps in the bulk of more than 20 apps. My Status-Subscription Configuration, { "Type": "com.apple.configuration.management.status-subscriptions", "Identifier": "DEFAULT_STATUS_CONFIG_0", "ServerToken": "2", "Payload": { "StatusItems": [ { "Name": "account.list.caldav" }, { "Name": "account.list.carddav" }, { "Name": "account.list.exchange" }, { "Name": "account.list.google" }, { "Name": "account.list.ldap" }, { "Name": "account.list.mail.incoming" }, { "Name": "account.list.mail.outgoing" }, { "Name": "account.list.subscribed-calendar" }, { "Name": "device.identifier.serial-number" }, { "Name": "device.identifier.udid" }, { "Name": "device.model.family" }, { "Name": "device.model.identifier" }, { "Name": "device.model.marketing-name" }, { "Name": "device.operating-system.build-version" }, { "Name": "device.operating-system.family" }, { "Name": "device.operating-system.marketing-name" }, { "Name": "device.operating-system.supplemental.build-version" }, { "Name": "device.operating-system.supplemental.extra-version" }, { "Name": "device.operating-system.version" }, { "Name": "mdm.app" }, { "Name": "passcode.is-compliant" }, { "Name": "passcode.is-present" } ] } } Has anyone encountered a similar issue where Declarative Management app events fail to trigger during bulk app distribution? If so, I would greatly appreciate any insights, recommendations, or potential workarounds you may have discovered. Additionally, if you have any suggestions for further troubleshooting steps or resources to explore, please feel free to share them. Thank you in advance for your time.

Hi Apple community, I am writing this regarding device based activation lock can enable on device which is in 30 days DEP provisional period. Within the DEP provisional period, I can remove the remote management on my device. So the device is considered to use as my personal device ,not organization owned. Since MDM device based activation lock can enable during this provisional period, The device no longer be referred to use as my personal device also . what is the use of that 30 days? Kindly educate us on this case to whether this an intended options or a bug. Thanks in Advance

We encountering an issue with HasUpdateAvailable Key is not updating in InstalledApplicationList when the newer app version is available for the device to update from App Store. Problem Description: When an App Store app or Custom app has a newer version released, the HasUpdateAvailable Key in Installed Application List is never updating. In InstalledApplicationList the HasUpdateAvailable value is False even when a newer app version is available to update. For Example, Google Slides app ( com.google.Slides ) was released a new version - 1.2023.22200 was on June 7, 2023. By checking the device, The InstalledApplicationList response on June 10. The hasUpdateAvailable key is False, Even though the app has an update available. <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CommandUUID</key> <string>InstalledApplicationList</string> <key>InstalledApplicationList</key> <array> <dict> <key>AdHocCodeSigned</key> <false/> <key>AppStoreVendable</key> <true/> <key>BetaApp</key> <false/> <key>BundleSize</key> <integer>198696960</integer> <key>DeviceBasedVPP</key> <false/> <key>DynamicSize</key> <integer>143360</integer> <key>ExternalVersionIdentifier</key> <integer>857221931</integer> <key>HasUpdateAvailable</key> <false/> <key>Identifier</key> <string>com.google.Slides</string> <key>Installing</key> <false/> <key>IsAppClip</key> <false/> <key>IsValidated</key> <true/> <key>Name</key> <string>Slides</string> <key>ShortVersion</key> <string>1.2023.20201</string> <key>Version</key> <string>1.2023.20201</string> </dict> </array> <key>Status</key> <string>Acknowledged</string> <key>UDID</key> <string>00008020-XXXXXXXXXXXX</string> </dict> </plist> Note :- We are experiencing this issue in multiple OS version for most of the apps. All the devices which we tested are compatible with the latest app version

After we wipe the Mac using MDM EraseDevice command, the screen appears asking for PIN and when we enter the correct PIN provided in EraseDevice command, it says Try again in 24284826 minutes, which is like 46 years. We could recover this by connecting the device to LAN, but can we avoid this screen? ?

Problem Description: A App Store (VPP - B2B) app distributed to a device through MDM is not installing. The "InstalledApplicationList" response doesn't have the app in it. The "ManagedApplicationList" response has the app with status as "ManagedButUninstalled". But this cannot happen since there is a restriction - allowAppRemoval is set to false for this device which prevents the removal of installed apps in that device. This is applied before the app was distributed to MDM. Steps to reproduce: Enroll a device in MDM. Use restrictions payload[com.apple.applicationaccess] with a key "allowAppRemoval" set to "true". Distribute an app to device. Perform operations to fetch "InstalledApplicationList" and "ManagedApplicationList". Expected Result: The device should install the app successfully and ManagedApplicationList response should return "Managed" status for the app. Actual Result: The device doesn't install the app and "ManagedApplicationList" returns "ManagedButUninstalled" status. InstallApplication Response: <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CommandUUID</key> <string>InstallApplication;Collection=899898</string> <key>Identifier</key> <string>pad.xxxx.ilD</string> <key>State</key> <string>Installing</string> <key>Status</key> <string>Acknowledged</string> <key>UDID</key> <string>000000-00000000-00000000</string> </dict> </plist> ManagedApplicationList Response: <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CommandUUID</key> <string>ManagedApplicationList</string> <key>ManagedApplicationList</key> <dict> <key>com.manageengine.mdm.iosagent</key> <dict> <key>ExternalVersionIdentifier</key> <integer>857024336</integer> <key>HasConfiguration</key> <true/> <key>HasFeedback</key> <true/> <key>IsValidated</key> <true/> <key>ManagementFlags</key> <integer>5</integer> <key>Status</key> <string>Managed</string> </dict> <key>com.teamviewer.teamviewerQS</key> <dict> <key>ExternalVersionIdentifier</key> <integer>851678159</integer> <key>HasConfiguration</key> <false/> <key>HasFeedback</key> <false/> <key>IsValidated</key> <true/> <key>ManagementFlags</key> <integer>5</integer> <key>Status</key> <string>Managed</string> </dict> <key>pad.xxxx.ilD</key> <dict> <key>ExternalVersionIdentifier</key> <integer>857489710</integer> <key>HasConfiguration</key> <true/> <key>HasFeedback</key> <false/> <key>IsValidated</key> <false/> <key>ManagementFlags</key> <integer>5</integer> <key>Status</key> <string>ManagedButUninstalled</string> </dict> </dict> <key>Status</key> <string>Acknowledged</string> <key>UDID</key> <string>000000-00000000-00000000</string> </dict> </plist> Restrictions Response: <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CommandUUID</key> <string>Restrictions</string> <key>GlobalRestrictions</key> <dict> <key>intersection</key> <dict> <key>autonomousSingleAppModePermittedAppIDs</key> <dict> <key>values</key> <array> <string>pad.xxxx.ilD</string> </array> </dict> <key>whitelistedAppBundleIDs</key> <dict> <key>values</key> <array> <string>pad.xxxx.ilD</string> <string>com.manageengine.mdm.iosagent</string> <string>com.teamviewer.teamviewerQS</string> </array> </dict> </dict> <key>restrictedBool</key> <dict> <key>allowAppRemoval</key> <dict> <key>value</key> <false/> </dict> </dict> <key>restrictedValue</key> <dict> <key>maxInactivity</key> <dict> <key>value</key> <integer>5</integer> </dict> </dict> <key>union</key> <dict> <key>blacklistedAppBundleIDs</key> <dict> <key>values</key> <array> <string>com.google.Drive</string> <string>com.apple.news</string> </array> </dict> </dict> </dict> <key>Status</key> <string>Acknowledged</string> <key>UDID</key> <string>000000-00000000-00000000</string> </dict> </plist>

We have the following issues on a iPad enrolled as Shared iPad via MDM using Apple Business Manager (ABM) We are unable to use the mail app in Shared iPad. The following error message is shown “This iPad is restricted from creating mail accounts”. When checked from MDM whether any such account restriction was added, they was none added to this device. We are also unable to add accounts via Settings app as well. And also when checking the Shared iPad restriction documentation, mail app is not in the restricted list for Shared iPad https://support.apple.com/en-mt/guide/apple-school-manager/axm3a8bb0ab8/web Kindly let us know whether we can add mail accounts manually in Shared iPad device. OS Version : iPadOS 16.5

We are unable to find the documentation for DDM in Managing apps. We searched the Apple Documentation for the newly introduced API and declarations announced (which are given below) but we could not find any results on this. Documentation for New Apps and Books for Organizations API that replaces ContentMetaData API Documentation for "com.apple.configuration.app.managed" DDM Configuration Documentation for "app.managed.list" DDM status The documentation has not been updated with these cases. Kindly help us on this.

Hi Apple Team, We are excited by looking on the new updates introduced in WWDC23. In a Session named "Do More With Managed Apple IDs" Where There is Sign In Policy Introduced For Managed Apple IDs Any Device Managed Devices Only Supervised Devices Only And as a MDM Vendor We need to Support GetToken CheckIn Request to Support Sign In Policy Managed Devices Only, Supervised Devices Only and have some doubts regarding this. When the Policy is Set To Managed Device Only and we don't have DEP Tokens Registered by Customer with us.How could we able generate the JWT Signed Token with the necessary serverUUID. In case 1) Even though if I have DEP Token with me How could I choose the necessary serverUUID If the device had managed by MDM through Profile Based Enrollments. Can you please provide with appropriate solution to overcome this

During the "What’s new in managing Apple devices" session, you provided information about the "Not Now" option during Mac ABM Enrollment. We observed that this option was functional when enrolling a Mac through ABM using the "profiles renew -type enrollment" command. However, when attempting to enroll a Mac by erasing it through ABM, we couldn't find the "Not Now" option. Could you please confirm whether the "Not Now" option is intended to be available when enrolling a Mac by erasing it through ABM? Your clarification on this matter would be greatly appreciated.

Able to access corporate mail attachment in unmanaged apps even after the restriction profile (“allowOpenFromManagedToUnmanaged”) has been installed in the device. Followed the following steps able to reproduce this issue Logged in with a personal mail account in iOS device in Mail app. Pushed an MDM profile with Email configuration to an iOS device. Now this account is in managed space Pushed a Restriction profile which has the key “allowOpenFromManagedToUnmanaged” to “false”. This restricts unmanaged apps to open attachments from managed space. Now when I send a email with an attachment to this managed mail account from personal account (Mail is sent from another device, not managed device) On receiving the email in managed mail account, Able to open the attachment in unmanaged apps. The restriction seems not to be working when the personal mail account is present in the mail app along with the corporate mail account and the attachment received in a corporate mail account is treated to be in unmanaged space. The restriction works fine when the personal mail account is removed from mail app. Kindly confirm whether this is the expected behaviour.

When pushing the “ScheduleOSUpdate” command to a Supervised MDM enrolled iPad device, command fails with the following error. Available OS Update response <key>AvailableOSUpdates</key> <array> <dict> <key>AllowsInstallLater</key> <false/> <key>Build</key> <string>20G75</string> <key>DownloadSize</key> <integer>4456890240</integer> <key>HumanReadableName</key> <string>iOS 16</string> <key>InstallSize</key> <integer>467664896</integer> <key>IsCritical</key> <false/> <key>ProductKey</key> <string>iOSUpdate20G75</string> <key>ProductName</key> <string>iOS</string> <key>RestartRequired</key> <true/> <key>Version</key> <string>16.6</string> </dict> </array> <key>CommandUUID</key> <string>AvailableOSUpdates</string> <key>Status</key> <string>Acknowledged</string> ScheduleOSUpdate command <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CommandUUID</key> <string>ScheduleOSUpdate</string> <key>Command</key> <dict> <key>RequestType</key> <string>ScheduleOSUpdate</string> <key>Updates</key> <array> <dict> <key>ProductKey</key> <string>iOSUpdate20G75</string> <key>InstallAction</key> <string>Default</string> <key>ProductVersion</key> <string>16.6</string> </dict> </array> </dict> </dict> </plist> ScheduleOSUpdate command response <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CommandUUID</key> <string>AttemptOSUpdate</string> <key>Status</key> <string>Acknowledged</string> <key>UDID</key> <string>****</string> <key>UpdateResults</key> <array> <dict> <key>ErrorChain</key> <array> <dict> <key>ErrorCode</key> <integer>12057</integer> <key>ErrorDomain</key> <string>MCMDMErrorDomain</string> <key>LocalizedDescription</key> <string>The update failed to download.</string> <key>USEnglishDescription</key> <string>The update failed to download.</string> </dict> <dict> <key>ErrorCode</key> <integer>2202</integer> <key>ErrorDomain</key> <string>DeviceManagement.error</string> <key>LocalizedDescription</key> <string>A download failed.</string> </dict> <dict> <key>ErrorCode</key> <integer>31</integer> <key>ErrorDomain</key> <string>com.apple.softwareupdateservices.errors</string> <key>LocalizedDescription</key> <string>The operation couldn’t be completed. (com.apple.softwareupdateservices.errors error 31.)</string> </dict> </array> <key>InstallAction</key> <string>Error</string> <key>ProductKey</key> <string>iOSUpdate20G75</string> <key>Status</key> <string>DownloadFailed</string> </dict> </array> </dict> </plist> As seen in the AvailableOSUpdate response, this device is applicable for iOS 16 update but unable to update manually as well as via MDM. The device has the following message showing up, is there any relation between the MDM command failing and this message. This iPad device is currently running "12.1.4" OS version Kindly confirm the reason for this message and the reason for this failure via MDM. And also confirm if there are any restrictions to update to certain major OS versions from lower OS versions, if so kindly share any documentation available regarding this. 

** Hi Community,** We have been testing on using oauth2 for User Enrollment.Where as per doc provided we have supplied the method, authorization-url, token-url, redirect-url, client-id in the 401 response from MDM Server Authorization Request As mentioned the apple client performed authorization request by adding state, login_hint to the Authorization-url and the params mentioned above and successfully received the authorization code after the user makes a login with the IDP. <<<<< Request GET /oauth2/authorization?response_type=code &client_id=XXXXXXXXXX &redirect_uri=apple-remotemanagement-user-login:/oauth2/redirection &state=XXXXXXXXXX &login_hint=useroa@example.com HTTP/1.1 Host: mdmserver.example.com ------- MULTIPLE REQUESTS BETWEEN CLIENT Server ---------- >>>>> Response HTTP/1.1 308 Permanent Redirect Content-Length: 0 Location: apple-remotemanagement-user-login:/oauth2/redirection ?code=XXXXXXXXXX&state=XXXXXXXXXX . Token Request Using the code received from authorization server apple client performs this step to get the access_token and refresh_token.I am using a authorization server created by default in my Okta domain and this step fails. <<<<< Request POST /oauth2/token HTTP/1.1 Content-Type: application/x-www-form-urlencoded Content-Length: 195 grant_type=authorization_code &code=XXXXXXXXXXXX &redirect_uri=apple-remotemanagement-user-login:/oauth2/redirection &client_id=XXXXXXXXXX >>>>> Response HTTP/2 401 Unauthorized Content-Type: application/json { "error": "invalid_client", "error_description": "Client authentication failed. Either the client or the client credentials are invalid." } When debugged this issue, As per Okta's doc https://developer.okta.com/docs/guides/implement-grant-type/authcode/main/#exchange-the-code-for-tokens The client must specify Their credentials in Authorization header as Authorization : Basic <client_id>:<client_secret> in order to get the access_token And Also as per RFC-6749 https://www.rfc-editor.org/rfc/rfc6749#section-4.1.3 The Confidential Clients must specify their client_id, client_secret provided by the authorization server to receive the access_tokens. May I know how to overcome this issue or did I missed any steps that may include the Authorization header Thanks in Advance,.

Problem Description: We are using manageVPPLicensesByAdamIdSrv API for assigning licenses for serial numbers. We get "Internal error - 9603" response for this API when assigning the API for valid adamID of an app. When using the same API other apps, this issue doesn't occur. AdamID: 720111835. The license is assigning properly for the same app in VPP License Management 2.0.0 + - Associate Assets API. Currently, we will not able to the new API. We overcame this issue by creating a new location token in the same organization and purchasing the same app in it and using it to assign the license to device for the same app which is successful. Kindly help us with this issue. Request: {"pricingParam":"STDQ","disassociateSerialNumbers":["SAMPLESERIAL"],"adamIdStr":"720111835","sToken":"********************","notifyDisassociation":false} Response: {"errorMessage":"Internal error.","errorNumber":9603,"status":-1}

Hi Apple Community, Problem Description: Regarding the transition from MDM (Mobile Device Management) profiles to DDM (Declarative Device Management) profiles, as announced during WWDC 2023, this marks a significant step forward in simplifying our device management process. When we attempted to test this transition with the 17 developer beta OS version devices, we encountered a notable challenge. Specifically, when trying to apply a DDM Webclip legacy profile configuration to a device that already had the same profile applied through MDM. We received the following status response from DDM: "The profile “<profile_identifier>” cannot replace an existing profile." As a result, the configuration was not applied. However, after removing the existing applied MDM profile and then reapplying the same profile as a legacy profile via DDM, the configuration was successfully applied. My DDM Configuration: { "Type": "com.apple.configuration.legacy", "Identifier": "DEFAULT_APP_CATALOG_CLIP_CONFIG", "ServerToken": "3", "Payload": { "ProfileURL": "https://mdmtest:8080/certificates/appConfig.mobileconfig" } } My DDM Status Response : { "StatusItems" : { "management" : { "declarations" : { "activations" : [ { "active" : true, "identifier" : "DEFAULT_ACT_0", "valid" : "valid", "server-token" : "1" }, { "active" : false, "identifier" : "DEFAULT_APP_CATALOG_CLIP_ACT", "valid" : "valid", "server-token" : "3" } ], "configurations" : [ { "reasons" : [ { "details" : { "Error" : "The profile “<profile_identifier>” cannot replace an existing profile." }, "description" : "Configuration cannot be applied", "code" : "Error.ConfigurationCannotBeApplied" }, { "details" : { "Identifier" : "DEFAULT_APP_CATALOG_CLIP_ACT", "ServerToken" : "3" }, "description" : "Activation “DEFAULT_APP_CATALOG_CLIP_ACT:3” has errors.", "code" : "Error.ActivationFailed" } ], "active" : false, "identifier" : "DEFAULT_APP_CATALOG_CLIP_CONFIG", "valid" : "invalid", "server-token" : "3" }, { "active" : true, "identifier" : "DEFAULT_STATUS_CONFIG_0", "valid" : "valid", "server-token" : "2" } ], "assets" : [ ], "management" : [ ] } } }, "Errors" : [ ] } Kindly help us with this issue. Note : We have posted a feedback in Feedback Assistant portal FB13132059 - along with device sysdiagnose.

We are making an appstore app to be opened in single app kiosk mode(App Lock Policy for a single app) . When tried to open and login , a popup which is seen when opened without kiosk mode is not opening up. Attached the screenshot of the popup screen. (not able to attach the video here) Raised Feedback id - FB13304240 AppLock Policy Payload sent to the device : <dict> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadUUID</key> <string></string> <key>PayloadType</key> <string>Configuration</string> <key>PayloadOrganization</key> <string>fhd</string> <key>PayloadIdentifier</key> <string>sample_id</string> <key>PayloadDisplayName</key> <string>Kiosk Zenoti</string> <key>PayloadRemovalDisallowed</key> <true/> <key>PayloadContent</key> <array> <dict> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadUUID</key> <string>ad18a938-211e-4670-9be6-6f43162b6290</string> <key>PayloadType</key> <string>com.apple.app.lock</string> <key>PayloadOrganization</key> <string>MDM</string> <key>PayloadIdentifier</key> <string>a � �d18a938-211e-4670-9be6-6f43162b6290</string> <key>PayloadDisplayName</key> <string>AppLock Policy</string> <key>App</key> <dict> <key>Options</key> <dict> <key>DisableTouch</key> <false/> <key>DisableDeviceRotation</key> <false/> <key>DisableVolumeButtons</key> <false/> <key>DisableRingerSwitch</key> <false/> <key>DisableSleepWakeButton</key> <false/> <key>DisableAutoLock</key> <true/> <key>EnableVoiceOver</key> <false/> <key>EnableZoom</key> <false/> <key>EnableInvertColors</key> <false/> <key>EnableAssistiveTouch</key> <false/> <key>EnableSpeakSelection</key> <false/> <key>EnableMonoAudio</key> <false/> <key>EnableVoiceControl</key> <false/> </dict> <key>UserEnabledOptions</key> <dict> <key>VoiceOver</key> <false/> <key>Zoom</key> <false/> <key>InvertColors</ke � y> <false/> <key>AssistiveTouch</key> <false/> </dict> <key>Identifier</key> <string>com.zenoti.mpos</string> </dict> <key>Identifier</key> <string>com.zenoti.mpos</string> </dict> </array> </dict> </plist>