Post | Replies | Boosts | Views | Activity

MDM Identity Certificate Not Found in KeyChain
When we use Migration Assistant to transfer data from one machine to another or when restoring a backup, it breaks the MDM enrollment. Upon checking, we found that as the Identity Certificate in the KeyChain isn't available, the MDM agent is unable to initiate the communication. Is there any way to avoid behavior like this? Thanks in Advance.
1
0
1.2k
Oct ’22
Notification settings payload - Why multiple payloads are not allowed for iOS/iPadOS devices
Multiple payloads are allowed for the App notification settings payload for macOS devices, but for iOS/iPadOS devices they are not allowed. This restricts us to maintaining and keeping track of a single profile containing the app notifications payload. May I know the reason behind this? Reference: https://developer.apple.com/documentation/devicemanagement/notifications
0
0
696
Nov ’22
iOS Vpp App store App is not updating
DESCRIPTION:
An iOS app (WhatsApp Business) is not getting updated on the device when an update is deployed. The InstallApplication command is sent to the device successfully and it is Acknowledged, but the app is not updating. On analyzing the device logs in Console we are getting the error ["This installation was canceled by the user." UserInfo={NSLocalizedFailureReason=User canceled., NSLocalizedDescription=This installation was canceled by the user] for the app. This is a supervised device and the app was not open in the foreground either. So ideally the app should update silently without any user interruption, but it says that the user cancelled. There is no prompt on the device either. We are unable to remove and re-install the app since app data will be lost.

HOW TO REPRODUCE:
1. Enroll an iOS device in MDM.
2. Deploy a VPP App Store app to the device using MDM.
3. Wait for an update in the App Store and then deploy the update of the same VPP App Store app to the device from MDM.

EXPECTED RESULT:
The app should be updated on the device.

ACTUAL RESULT:
The app is not updated on the device.
(Error found in device - This installation was canceled by the user] for the app)

InstallApplication Command From MDM:

    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>CommandUUID</key>
        <string>InstallApplication;Collection=51084000003072065</string>
        <key>Command</key>
        <dict>
            <key>RequestType</key>
            <string>InstallApplication</string>
            <key>iTunesStoreID</key>
            <integer>1386412985</integer>
            <key>InstallAsManaged</key>
            <true/>
            <key>ManagementFlags</key>
            <integer>5</integer>
            <key>Options</key>
            <dict>
                <key>PurchaseMethod</key>
                <integer>1</integer>
            </dict>
            <key>ChangeManagementState</key>
            <string>Managed</string>
        </dict>
    </dict>
    </plist>

InstallApplication Response From Device:

    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>CommandUUID</key>
        <string>InstallApplication;Collection=51084000003072065</string>
        <key>Identifier</key>
        <string>net.whatsapp.WhatsAppSMB</string>
        <key>State</key>
        <string>Managed</string>
        <key>Status</key>
        <string>Acknowledged</string>
        <key>UDID</key>
        <string>*****</string>
    </dict>
    </plist>

Kindly help us with this case.
1
0
1.5k
Nov ’22
Get Users of a ABM and ASM enrolled Organizations
Hi Apple Community,

We are an MDM vendor and have been testing an implementation of BYOD User Enrollment. In one step, we felt it would be good to have a list of the managed Apple IDs associated with an organization, which would be helpful for inserting them in the MDM payload for Account-driven User Enrollment.

To do this I have used a managed Apple ID in Apple Business Manager with the roles Content Manager, Device Enrolment Manager and People Manager, and an MDM server. From the MDM server I used the token to generate an auth_session_token and used it as the header X-ADM-Auth-Session on a GET to the endpoint https://mdmenrollment.apple.com/account to get the account details. The response contains a list of URLs, among which was a POST to `https://mdmenrollment.apple.com/roster/class/person`, which when tried gives an ORGANIZATION_NOT_SUPPORTED 400 response.

We are unable to retrieve the list of users in an Apple Business Manager account at this point. Is there any way to achieve what we intend to do? But in the Roster API
2
0
1.9k
Jan ’23
iOS enterprise apps are asking update prompt even when screen is locked with passcode
Issue description:
On iOS 15+ devices, enterprise apps show an update prompt when an update for the app is deployed from MDM, even when the screen is locked with a passcode. The app is running in the foreground but the screen is locked with a passcode. Previously, in older iOS versions like iOS 12.0, enterprise apps would not show an update prompt when an update was distributed from MDM if the screen was locked with a passcode (and the app was running in the foreground). Is this an intended behavior or a bug? Kindly help us understand this case.

Steps to reproduce:
1. Enroll an iOS (15.0+) device in an MDM.
2. Deploy an enterprise app to the device successfully.
3. Open the app on the device and lock the screen. Make sure the device has a passcode for the lock.
4. Deploy an update for the same app from the MDM.

Expected Result: The app should be installed automatically.

Actual Result: The app shows an update prompt on the device.
0
0
903
Dec ’22
“iPhone Findable After Power Off” option is not showing up in Supervised devices
“iPhone Findable After Power Off” - This option is available in unsupervised devices, given that Find My iPhone is turned on, from iOS 15 (specific device models) when trying to power off the device. But this option does not seem to be available in Supervised devices. Is there any other way to turn this on in Supervised devices? Kindly confirm whether this is the expected behaviour in Supervised devices.
0
0
1.2k
Jan ’23
Declarative Management Unsupported Status Values in macOS
DESCRIPTION:
On a macOS device (version 13 and above), the "passcode-is-present" and "passcode-compliant" status items are unsupported. After the DeclarativeManagement command is successfully Acknowledged, we receive the supported client capabilities from the device as a status report. But on analyzing the device-supported client capabilities, the details indicate that those two status items are supported. On analyzing further, the device responds with an error. The "device.identifier.udid" status item provides a UDID value that is only partly correct, not the exact one.

HOW TO REPRODUCE:
1. Enroll a macOS device in MDM.
2. Send the DeclarativeManagement command to macOS 13+ devices. The MDM server responds with a DeclarativeManagement command that should include the SynchronizationTokens JSON data.
3. The device fetches the declarations manifest from the MDM server.
4. During synchronization, we subscribe to the status items (passcode-is-present, passcode-compliant, device.identifier.udid, mdm.app) as a configuration. For example:

    {
      "Type": "com.apple.configuration.management.status-subscriptions",
      "Identifier": "85B5130A-4D0D-462B-AA0D-0C3B6630E5AA",
      "ServerToken": "59eb13b9-5d51-54b9-8a4b-e8abe37c27ee",
      "Payload": {
        "StatusItems": [
          { "Name": "passcode.is-present" },
          { "Name": "passcode.is-compliant" },
          { "Name": "device.identifier.udid" }
        ]
      }
    }

5. Respond with the above JSON payload to the device when it requests the "declaration/configuration/****" details from MDM.

Note: Before subscribing to the status items ("passcode-is-present" and "passcode-compliant") via Declarative Management, a Passcode Configuration Policy should be applied to the Mac device.

EXPECTED APP:
The Passcode Status reports will provide certain values (true/false). The "device.identifier.udid" status item provides the exact UDID, the same as in the Command Response.

ACTUAL RESULT:
The Passcode Status reports did not provide values (true/false), but we are getting the error:

    {
      "Errors": [
        {
          "Reasons": [
            {
              "Code": "Error.UnsupportedStatusValue",
              "Description": "Cannot report status on “passcode.is-present” because value is not supported."
            }
          ],
          "StatusItem": "passcode.is-present"
        },
        {
          "Reasons": [
            {
              "Code": "Error.UnsupportedStatusValue",
              "Description": "Cannot report status on “passcode.is-compliant” because value is not supported."
            }
          ],
          "StatusItem": "passcode.is-compliant"
        }
      ]
    }

The "device.identifier.udid" status provided the UDID to MDM like:

    { "device": { "identifier": { "udid": "b486fc***0***5d77*****4********9e60e00000000" } } }

and the UDID of Command Responses is like:

    <key>UDID</key>
    <string>B486FC***-5***0-5D77-****4-******9E60E</string>

Kindly help us with this case.
0
0
850
Feb ’23
Declarative Management : "mdm.app" status-item not supported in macOS
DESCRIPTION:
On macOS devices (version 13 and above), the "mdm.app" status item is not supported. Why?

HOW TO REPRODUCE:
1. Enroll a macOS device in MDM.
2. Send the DeclarativeManagement command to macOS 13+ devices. The MDM server responds with a DeclarativeManagement command that should include the SynchronizationTokens JSON data.
3. The device fetches the declarations manifest from the MDM server.
4. During synchronization, we subscribe to the status items (mdm.app) as a configuration. For example:

    {
      "Type": "com.apple.configuration.management.status-subscriptions",
      "Identifier": "85B5130A-4D0D-462B-AA0D-0C3B6630E5AA",
      "ServerToken": "59eb13b9-5d51-54b9-8a4b-e8abe37c27ee",
      "Payload": {
        "StatusItems": [
          { "Name": "mdm.app" }
        ]
      }
    }

5. Respond with the above JSON payload to the device when it requests the "declaration/configuration/****" details.

EXPECTED RESULT:
The "mdm.app" status item reports the current status of the managed app after the InstallApplication command is sent to the device.

ACTUAL RESULT:
The mdm.app status item response is like the following error:

    {
      "Errors": [
        {
          "Reasons": [
            {
              "Code": "Error.UnsupportedStatusValue",
              "Description": "Cannot report status on “mdm.app” because value is not supported."
            }
          ],
          "StatusItem": "mdm.app"
        }
      ]
    }

Any help on this would be appreciated. Thanks.
0
0
749
Feb ’23
Device shut down not working on App Lock Policy Enabled Device
Issue: When an AppLock policy is applied to the device, the device does not shut down on a long press of the power button and volume button. Shut down works well when the profile is removed from the device. When tested on an iPhone, this worked well with the profile applied.

Steps to Reproduce: On an iPad with OS 16.3.

Payload:

    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>PayloadUUID</key>
        <string>01d6d9a0-740f-40e4-a521-b97e3d452547</string>
        <key>PayloadType</key>
        <string>Configuration</string>
        <key>PayloadOrganization</key>
        <string>MDM</string>
        <key>PayloadIdentifier</key>
        <string>com.mdm.b4033cca-328f-4eab-8bbe-b9224a6ab4ed.singleKioks</string>
        <key>PayloadDisplayName</key>
        <string>single Kioks</string>
        <key>PayloadRemovalDisallowed</key>
        <true/>
        <key>PayloadContent</key>
        <array>
            <dict>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <key>PayloadUUID</key>
                <string>8533f5c1-fbb6-49fb-88bb-b3cbda8e8bb1</string>
                <key>PayloadType</key>
                <string>com.apple.app.lock</string>
                <key>PayloadOrganization</key>
                <string>MDM</string>
                <key>PayloadIdentifier</key>
                <string>8533f5c1-fbb6-49fb-88bb-b3cbda8e8bb1</string>
                <key>PayloadDisplayName</key>
                <string>AppLock Policy</string>
                <key>App</key>
                <dict>
                    <key>Options</key>
                    <dict>
                        <key>DisableTouch</key>
                        <false/>
                        <key>DisableDeviceRotation</key>
                        <false/>
                        <key>DisableVolumeButtons</key>
                        <false/>
                        <key>DisableRingerSwitch</key>
                        <false/>
                        <key>DisableSleepWakeButton</key>
                        <false/>
                        <key>DisableAutoLock</key>
                        <true/>
                        <key>EnableVoiceOver</key>
                        <false/>
                        <key>EnableZoom</key>
                        <false/>
                        <key>EnableInvertColors</key>
                        <false/>
                        <key>EnableAssistiveTouch</key>
                        <false/>
                        <key>EnableSpeakSelection</key>
                        <false/>
                        <key>EnableMonoAudio</key>
                        <false/>
                        <key>EnableVoiceControl</key>
                        <false/>
                    </dict>
                    <key>UserEnabledOptions</key>
                    <dict>
                        <key>VoiceOver</key>
                        <false/>
                        <key>Zoom</key>
                        <false/>
                        <key>InvertColors</key>
                        <false/>
                        <key>AssistiveTouch</key>
                        <false/>
                    </dict>
                    <key>Identifier</key>
                    <string>com.apple.AppStore</string>
                </dict>
                <key>Identifier</key>
                <string>com.apple.AppStore</string>
            </dict>
        </array>
    </dict>
    </plist>

-> I have applied the above kiosk profile to the device.
-> When pressing the Power button (top button) and a side volume button, it doesn't shut down the device.
-> Whereas, when the above profile is removed from the device, the same buttons lead to shut down.
-> In the same way, this was not an issue for iPhone devices (only iPads don't shut down when this profile is applied).

I have attached the sysdiagnose logs for the iPad (affected). Kindly help with this case.
0
0
1.2k
Mar ’23
Device does not contact MDM
We have a device which does not communicate with our MDM server. When we checked the console logs we found that the device receives the push notification but does not respond to the MDM server. When a restart is performed, it communicates again. From time to time it stops working and we have to restart to bring back communication. Feedback has been raised with sysdiagnose - FB12062214. Any help would be appreciated.
0
0
761
Mar ’23
Implementing Oauth2 for User Enrollment
**Hi Community,**

We have been testing the use of OAuth2 for User Enrollment. As per the doc provided, we have supplied the method, authorization-url, token-url, redirect-url and client-id in the 401 response from the MDM server.

Authorization Request

As mentioned, the Apple client performed the authorization request by adding state and login_hint to the authorization-url along with the params mentioned above, and successfully received the authorization code after the user logged in with the IdP.

    <<<<< Request
    GET /oauth2/authorization?response_type=code
      &client_id=XXXXXXXXXX
      &redirect_uri=apple-remotemanagement-user-login:/oauth2/redirection
      &state=XXXXXXXXXX
      &login_hint=useroa@example.com HTTP/1.1
    Host: mdmserver.example.com

    ------- MULTIPLE REQUESTS BETWEEN CLIENT Server ----------

    >>>>> Response
    HTTP/1.1 308 Permanent Redirect
    Content-Length: 0
    Location: apple-remotemanagement-user-login:/oauth2/redirection
      ?code=XXXXXXXXXX&state=XXXXXXXXXX

Token Request

Using the code received from the authorization server, the Apple client performs this step to get the access_token and refresh_token. I am using an authorization server created by default in my Okta domain, and this step fails.

    <<<<< Request
    POST /oauth2/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 195

    grant_type=authorization_code
      &code=XXXXXXXXXXXX
      &redirect_uri=apple-remotemanagement-user-login:/oauth2/redirection
      &client_id=XXXXXXXXXX

    >>>>> Response
    HTTP/2 401 Unauthorized
    Content-Type: application/json

    {
      "error": "invalid_client",
      "error_description": "Client authentication failed. Either the client or the client credentials are invalid."
    }

When I debugged this issue: as per Okta's doc https://developer.okta.com/docs/guides/implement-grant-type/authcode/main/#exchange-the-code-for-tokens the client must specify their credentials in the Authorization header as Authorization : Basic <client_id>:<client_secret> in order to get the access_token. And also, as per RFC-6749 https://www.rfc-editor.org/rfc/rfc6749#section-4.1.3 the Confidential Clients must specify their client_id and client_secret provided by the authorization server to receive the access_tokens.

May I know how to overcome this issue, or did I miss any steps that may include the Authorization header?

Thanks in Advance.
1
0
2.3k
Aug ’23
Organisation Name Not updated in User Enrollment
Hi Apple Team,

We tend to update the MDM profile supplied to the mobile devices when the name of the organisation is changed by the customer; we change the value of PayloadOrganization. When it comes to User Enrollment, the organisation name will be shown in the Settings tab and also in the Profiles page. After performing the update in the MDM profile, the organisation name in the Profiles page has been updated, but the organisation name in the Settings tab wasn't updated.

Old Name: APNS_ORG_NAME
New Name: NEWNAME1
0
0
465
Mar ’23
Restrict AppLibrary in HomeScreenLayout -iOS
https://developer.apple.com/documentation/devicemanagement/homescreenlayout With respect to the above link, we have deployed a HomeScreenLayout policy to a device with iPadOS version 16.4. Irrespective of the OS, we are not able to restrict the App Library, whatever we do. Attached is a screenshot of the App Library shown in the Home Screen Layout. Is it possible to restrict this or not? Can anyone help on this?
0
0
574
Apr ’23
Restrict AppLibrary in HomeScreenLayout -iOS
https://developer.apple.com/documentation/devicemanagement/homescreenlayout With respect to the above link, we have deployed a HomeScreenLayout policy to a device with iPadOS version 16.4. Irrespective of the OS, we are not able to restrict the App Library, whatever we do. Attached is a screenshot of the App Library shown in the Home Screen Layout. Is it possible to restrict this or not? Can anyone help on this?
0
0
560
May ’23
iPad not updating App Store apps when the app is running in device with AppLock mode.
Issue Description: We tested App Store app update deployment on an iPad with OS version 16.4.1. We put the app in AppLock mode on the device using an MDM. Then we pushed an update for the app from MDM. The device didn't update the app, but the command was successfully sent from MDM and the device acknowledged it. When we removed the app from AppLock mode and closed it, the app updated instantly.

For enterprise apps, we have observed that when the app update is pushed to devices while the app is in AppLock mode, the app closes automatically, updates, and opens automatically in AppLock mode. But for App Store apps this behavior is different, as mentioned above.

Also, if the app is not in AppLock mode and the app update is pushed while the app is running in the foreground, the device shows an update prompt. If we accept it, the app doesn't update automatically. If we close the app manually, then the app is updated instantly.

Kindly educate us on this case for App Store apps, as to whether this is an intended behavior or a bug.
1
0
1.1k
May ’23