We are experiencing issues on MDM enrolled devices where the SSL certificates are not trusted after the OS update.
We use EnterpriseCA certificate in our server and pushed to devices during enrolment. But after OS update, the CA is missing from the ‘Certificate Trust settings’ in the device, but present under MDM profile. This make the devices to stop communicating with the server.
For now we have manually installed the certificate on the devices and enabled full trust. But this involves user intervention and also end user can disable full trust anytime as the option is not greyed out, or remove the certificate from device. We would like to know if there is any other option to push the certificates without user intervention. And also the best practices to avoid this in future.
Already we have seen this https://support.apple.com/en-in/HT212962 but it talks only about the Identity certificate. We would like to understand whether SSL certificates are also included in this.
Selecting any option will automatically load the page
Post
Replies
Boosts
Views
Activity
We recently noticed that, In the TokenUpdate message from a MDM enrolled device, the PushMagic value is empty. The response from device is:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>MessageType</key>
<string>TokenUpdate</string>
<key>PushMagic</key>
<string></string>
<key>Token</key>
<string>[redacted]</string>
<key>Topic</key>
<string>[redacted]</string>
<key>UDID</key>
<string>[redacted]</string>
</dict>
</plist>
This is a MacBookPro9,2 with OS version 10.8.5.
We would like to understand whether this is an issue. Or how to handle this.
FB9895426 (Apple Device MDM enrolment fails if client certificate is requested during SSL Handshake)
Device enrolment fails in an MDM Server configured with client certificate authentication.
Upon investigating the issue, we noticed that the device drops the SSL handshake if a client certificate is requested during the handshake.
Wireshark Screenshot:
From the console logs, we noticed the below error:
<MCHTTPRequestor: 0x283b560a0> cannot accept the authentication method NSURLAuthenticationMethodClientCertificate
The TLS protocol states that "If no suitable certificate is available, the client SHOULD send a certificate message containing no certificates.".
Thus, we expect the MDM client to respond with a "no certificate" response during the SSL handshake.
Someone has already raised the same question but there's no reply yet:
https://developer.apple.com/forums/thread/680328
https://developer.apple.com/forums/thread/676579
Any help would be appreciated. Thanks in advance.
We are trying to connect macOS devices to Wi-Fi using Wi-Fi configuration profile in MDM. EAP type is PEAP - MSCHAPv2 with both System and LoginWindow setup modes enabled, but unfortunately devices are getting stuck in connecting phase of the Wi-Fi without actually getting connected. We have also send the Sysdiagnose logs to Apple feedback assistance(Ref ID:FB9965644)
Please find the configuration we have used below
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>5f9c93d0-f2b4-45b2-9367-e65a52d1f1a9</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>MDM</string>
<key>PayloadIdentifier</key>
<string>com.mdm.0583c3c2-4fe2-414a-9bc6-87467f0fef02.MacOSWifi</string>
<key>PayloadDisplayName</key>
<string>Wifi_Corp</string>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>f962f11d-6524-4061-b93b-82975dd7512b</string>
<key>PayloadType</key>
<string>com.apple.wifi.managed</string>
<key>PayloadOrganization</key>
<string>MDM</string>
<key>PayloadIdentifier</key>
<string>f962f11d-6524-4061-b93b-82975dd7512b</string>
<key>PayloadDisplayName</key>
<string>Wifi Profile Configuration</string>
<key>SSID_STR</key>
<string>--SSID Over Here--</string>
<key>AutoJoin</key>
<true/>
<key>SetupModes</key>
<array>
<string>System</string>
<string>Loginwindow</string>
</array>
<key>HIDDEN_NETWORK</key>
<false/>
<key>EAPClientConfiguration</key>
<dict>
<key>AcceptEAPTypes</key>
<array>
<integer>21</integer>
<integer>25</integer>
</array>
<key>EAPFASTUsePAC</key>
<false/>
<key>EAPFASTProvisionPAC</key>
<false/>
<key>EAPFASTProvisionPACAnonymously</key>
<false/>
<key>UserName</key>
<string>---UserName Over here---</string>
<key>UserPassword</key>
<string>--Password Over here--</string>
<key>TTLSInnerAuthentication</key>
<string>MSCHAPv2</string>
<key>PayloadCertificateAnchorUUID</key>
<array>
<string>b68ceae9-5752-44a3-887c-4dd422428f3d</string>
</array>
</dict>
<key>EncryptionType</key>
<string>Any</string>
<key>ProxyType</key>
<string>None</string>
</dict>
<dict>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>b68ceae9-5752-44a3-887c-4dd422428f3d</string>
<key>PayloadType</key>
<string>com.apple.security.root</string>
<key>PayloadOrganization</key>
<string>MDM</string>
<key>PayloadIdentifier</key>
<string>b68ceae9-5752-44a3-887c-4dd422428f3d</string>
<key>PayloadDisplayName</key>
<string>iOS Certificate Policy</string>
<key>PayloadContent</key>
<data>
-----Trust Certificate Data Here---
</data>
<key>PayloadCertificateFileName</key>
<string>----Certificate file name.cer----</string>
</dict>
</array>
</dict>
</plist>
requireManagedPasteboard - boolean If true, copy and paste functionality respects the allowOpenFromManagedToUnmanaged and allowOpenFromUnmanagedToManagedrestrictions. Also available for user enrollment.
As it is suggested , It doesn't allow the text to be copied from managed apps and pasted in any unmanaged app and also ViceVersa.
But there is an another way to get the text to other Unmanaged/Managed App by highlighting a text from mail content and click on the 'share' option leads the text to be opened in the destination App.
Steps:
Pushed a Managed Account to Native Mail App.
Pushed a Restriction with "requireManagedPasteboard"
Opened a Mail and highlighted the text contents
Click on Share Option . It will list all the app (both Managed and Unmanaged ) to share the text.
I clicked on Notes App. The Highlighted Text got moved to the Notes App.
The Same when tried to Copied and pasted in Notes App. It says "Enabled Restriction for Copy/Paste "
Attached the screenshot where does the "Share" Option appear.
Kindly check whether this is the default behaviour or anything am i missing?
We have sent the payload for restricting all the apps except Youtube and MEMDM app . Payload is listed below.
The Problem is we are restricted all the apps except the apps that were offloaded before . the icon of the offloaded apps appears in the homescreen.
Attached the Screenshot for the above offloaded icons with multiapp kiosk enabled
Is this the expected behaviour?
Or anything am i missing. Can anyone help me with this?
Payload Sent to the Device :->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>------------</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>-----</string>
<key>PayloadIdentifier</key>
<string>----------------</string>
<key>PayloadDisplayName</key>
<string>MultiApp Kiosk</string>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>----------------</string>
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>PayloadOrganization</key>
<string>MDM</string>
<key>PayloadIdentifier</key>
<string>---------------</string>
<key>PayloadDisplayName</key>
<string>AppLock Whitelist Policy</string>
<key>whitelistedAppBundleIDs</key>
<array>
<string>com.google.ios.youtube</string>
<string>com.manageengine.mdm.iosagent</string>
<string>com.apple.webapp</string>
</array>
<key>allowListedAppBundleIDs </key>
<array>
<string>com.google.ios.youtube</string>
<string>com.manageengine.mdm.iosagent</string>
<string>com.apple.webapp</string>
</array>
</dict>
</array>
</dict>
</plist>
In the document by Apple over here, it says that AlwaysOn VPN is supported in macOS 10.7+. However, AlwaysOn doesn't seem to work in macOS even in that latest OS. We came across a post where it states that it is supported only for iOS. We had a requirement for supporting AlwaysOn VPN for macOS.
Also, in the console log, we found the following error while sending a profile with AlwaysOn VPN configuration
error 16:19:45.716722+0530 mdmclient NEConfiguration initWithVPNPayload: failed
error 16:19:45.717076+0530 mdmclient [ERROR] <<<<< PlugIn: InstallPayload [NEProfileIngestionPlugin] Error: Error Domain=ConfigProfilePluginDomain Code=-319 "The ‘VPN Service’ payload could not be installed. The VPN service could not be created." UserInfo={NSLocalizedDescription=The ‘VPN Service’ payload could not be installed. The VPN service could not be created.} <<<<<
In the latest update of macOS 12.3, the Login Window Items payload does not work. However, it is working until macOS 12.1. The profile applies successfully but the required apps are not listed under the Login Window Items tab in Users & Groups.
Here is the payload we tried in both the OS versions
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>bdcc8534-8a2e-40b5-bf65-17ab9247319c</string>
<key>PayloadType</key>
<string>com.apple.loginitems.managed</string>
<key>PayloadOrganization</key>
<string>MDM</string>
<key>PayloadIdentifier</key>
<string>bdcc8534-8a2e-40b5-bf65-17ab9247319c</string>
<key>PayloadDisplayName</key>
<string>Mac Login Window Item</string>
<key>AutoLaunchedApplicationDictionary-managed</key>
<array>
<dict>
<key>Path</key>
<string>/Applications/Safari.app</string>
<key>Hide</key>
<false/>
</dict>
</array>
</dict>
We have a use case such that we want all the network calls from the mac device to go through VPN. We tried using the OnDemand field in VPN. Unfortunately those user's with admin privilege still able to disconnect from VPN. Even if we enabled OnDemand. Admin users can disconnect by disabling the OnDemand option in VPN settings. We noticed that there is an option to restrict the OnDemand option in iOS as mentioned here using the field
OnDemandUserOverrideDisabled
However, this is not supported in macOS. Can anyone suggest a mechanism to restrict users from disabling VPN?
We are pushing a HomeScreenlayout payload with no "docks" array .
The behaviour in iOS's is the dock at the bottom is disappeared. But in ipadOS's , dock is still at the bottom with recent apps listed there. Attached is Screenshot for the ipad's behaviour .
Payload :
<integer>1</integer>
<key>PayloadUUID</key>
<string>____________-</string>
<key>PayloadType</key>
<string>com.apple.homescreenlayout</string>
<key>PayloadOrganization</key>
<string>MDM</string>
<key>PayloadIdentifier</key>
<string>_______________</string>
<key>PayloadDisplayName</key>
<string>Homescreen Layout</string>
<key>Pages</key>
<array>
<array>
<dict>
<key>BundleID</key>
<string>com.apple.mobilephone</string>
<key>Type</key>
<string>Application</string>
</dict>
<dict>
<key>BundleID</key>
<string>com.apple.Preferences</string>
<key>Type</key>
<string>Application</string>
</dict>
<dict>
<key>BundleID</key>
<string>com.google.ios.youtube</string>
<key>Type</key>
<string>Application</string>
</dict>
<dict>
<key>BundleID</key>
<string>com.manageengine.mdm.iosagent</string>
<key>Type</key>
<string>Application</string>
</dict>
</array>
</array>
Is it possible remove the dock from iPadOS or is there anything am i missing to disable the dock or distinguish between dock added apps and Recent Apps?
Issue:
When installing a non VPP app store app in iOS device through MDM, the error - "This Apple ID cannot be used to make purchases" is displayed in the device. But the InstallApplication command response from the device doesn't show any error in it. The response just shows the status as "Installing" and the "ManagedApplicationList" command response shows the device shows the app in "Installing" state. It will be helpful on MDM side if the InstallApplication or ManagedApplicationList command response shows an error. Is it possible?
InstallApplication response:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CommandUUID</key>
<string>InstallApplication;Collection=xxxx</string>
<key>Identifier</key>
<string>com.zuletteran.scannerfree</string>
<key>State</key>
<string>Prompting</string>
<key>Status</key>
<string>Acknowledged</string>
<key>UDID</key>
<string>xxxx</string>
</dict>
</plist>
ManagedApplicationList response:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CommandUUID</key>
<string>ManagedApplicationList</string>
<key>ManagedApplicationList</key>
<dict>
<key>com.zuletteran.scannerfree</key>
<dict>
<key>ExternalVersionIdentifier</key>
<integer>0</integer>
<key>HasConfiguration</key>
<false/>
<key>HasFeedback</key>
<false/>
<key>IsValidated</key>
<false/>
<key>ManagementFlags</key>
<integer>5</integer>
<key>Status</key>
<string>Installing</string>
</dict>
</dict>
<key>Status</key>
<string>Acknowledged</string>
<key>UDID</key>
<string>xxxx</string>
</dict>
</plist>
Hi Community,
We are happy to see the changes in the Ventura and when we are exploring the System Settings we have seen that some of the Panes were not controlled and some other Panes were behaving unexpected and have described below.
( The comparison was made with reference to macOS Monterey 12.4)
com.apple.preference.mouse - This System Preference payload key was used to enable and disable Mouse Pane in System Preferences in macOS version 12.4 but in Ventura there was no Pane called Mouse which would be difficult for us to control them using System Preference Pane Payload when the Customer updates their macOS to Ventura
Mouse Pane in macOS version 12.4
com.apple.preferences.extensions - This command was used to control Extensions Pane in OS version 12.4 but in Ventura Beta 4 it was kept within Privacy & Security Pane and this command has no effect on it. Extensions work when Privacy & Security is enabled or not disabled which opens the control for the managed device to use the Extensions Settings even though they were configured when the customer updates their macOS to Ventura.
Extensions Pane in System Preferences macOS v12.4
Extension in System Settings macOS version Ventura Beta 4
com.apple.preferences.parentalcontrols - parental controls were not in either 12.4 and ventura Beta 4
com.apple.preferences.appstore - appstore media and purchases is within Apple Id Preference Pane and has no effect while using the command
com.apple.preference.energysaver - There was no Energy Saver Pane or inner Panes.Most of the energy saver settings are now in the Battery Pane and no System preference pane key was provided to control it.
com.apple.preference.expose - This command was used to control the Mission Control Pane is Version 12.4 but in Ventura Beta 4 there was no such panes and this command has no effect
Mission Control Pane in macOS version 12.4
com.apple.preference.general - this System Preference Pane key was used to enable and disable general Pane in OS version 12.4 but in Ventura Beta 4 while disabling it Doesn't Works,Does not Hide the Pane and we can use all the settings available over there and all non-disabled child settings.and while enabling it cannot Be enabled with the command ( cannot be enabled Even though we enable all the System Preference panes )
com.apple.Localization, com.apple.preference.datetime, com.apple.preferences.sharing, com.apple.prefs.backup, com.apple.preferences.configurationprofiles, com.apple.preference.startupdisk - these preference pane commands were used to enable and disable Language & Region,DateTime, Sharing,TimeMachine, Profiles and StartUp Disk Panes respectively in macOS version 12.4 but in Ventura Beta 4 they were placed under General Pane as children and disabling them works fine but while enabling they are not enabling as General Pane cannot be enabled
Above mentioned System Preference Pane in OS version 12.4
Above mentioned Panes within Ventura Beta 4
Moreover, Also the Newly introduced panes such as Wifi, Focus, Appearance, Control Centre, Screen Save, Battery, Lock Screen, Passwords and Game Center have no System preference pane keys to be disabled But while enabling other panes they get disappeared
Would like to hear from the community for possible resolutions and also support the customers who use managed devices to upgrade to Ventura seamlessly
Issue Description
An tvOS device is enrolled in MDM and an App Store App (VPP App) is deployed in Apple TV (4K) with AppLock policy.
App has an update in App Store and the app update is pushed to device from MDM.
The InstallApplication command is sent to the device for the app update and the command response gives "Managed" state for the app.
But the app doesn't update in the device. Incase if, the AppLock policy is removed from the device and then the app update is pushed, the app updates to latest version in device.
Normally in iOS devices, if an app update is pushed and if the app is open in device with AppLock policy, the app closes automatically and the update is installed and app reopens automatically in AppLock mode without any user intervention.
Is it the same behavior in tvOS devices or does the AppLock policy app update behavior change here?
Kindly help us understand this use case.
Sample InstallApplication Command:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CommandUUID</key>
<string>InstallApplication;Collection=1234</string>
<key>Command</key>
<dict>
<key>RequestType</key>
<string>InstallApplication</string>
<key>iTunesStoreID</key>
<integer>383457673</integer>
<key>ManagementFlags</key>
<integer>5</integer>
<key>Options</key>
<dict>
<key>PurchaseMethod</key>
<integer>1</integer>
</dict>
<key>ChangeManagementState</key>
<string>Managed</string>
</dict>
</dict>
</plist>
Sample InstallApplication Response:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CommandUUID</key>
<string>InstallApplication;Collection=1234</string>
<key>Identifier</key>
<string>com.plexapp.plex</string>
<key>State</key>
<string>Managed</string>
<key>Status</key>
<string>Acknowledged</string>
<key>UDID</key>
<string>00000000-0000XXXXX0000</string>
</dict>
</plist>
Topic:
Business & Education
SubTopic:
General
Tags:
Apple Business Manager
Business and Enterprise
Device Management
Issue Description:
When trying to install a VPP purchased or non VPP App Store App in a iOS device using "InstallApplication" command from MDM, the device gives "Purchase Batch Failed" error in its response.
Sample InstallApplication Request:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CommandUUID</key>
<string>InstallApplication;Collection=11111</string>
<key>Command</key>
<dict>
<key>RequestType</key>
<string>InstallApplication</string>
<key>iTunesStoreID</key>
<integer>815193300</integer>
<key>ManagementFlags</key>
<integer>5</integer>
<key>Options</key>
<dict>
<key>PurchaseMethod</key>
<integer>1</integer>
</dict>
<key>ChangeManagementState</key>
<string>Managed</string>
<key>InstallAsManaged</key>
<true/>
</dict>
</dict>
</plist>
Sample InstallApplication Response:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CommandUUID</key>
<string>InstallApplication;Collection=11111</string>
<key>ErrorChain</key>
<array>
<dict>
<key>ErrorCode</key>
<integer>1005</integer>
<key>ErrorDomain</key>
<string>DeviceManagement.error</string>
<key>LocalizedDescription</key>
<string>Could not install app.</string>
</dict>
<dict>
<key>ErrorCode</key>
<integer>12</integer>
<key>ErrorDomain</key>
<string>AMSErrorDomain</string>
<key>LocalizedDescription</key>
<string>Purchase Batch Failed</string>
</dict>
</array>
<key>Status</key>
<string>Error</string>
<key>UDID</key>
<string>0000-xxxxx-000000000</string>
</dict>
</plist>
Kindly help understand this case and provide a solution for this.
Thanks in advance.
Topic:
App Store Distribution & Marketing
SubTopic:
General
Tags:
App Store
Apple Business Manager
Business and Enterprise
Device Management
Payload associated to the device :
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>1b5a9bc1-8c80-4ea8-a98d-1a2e8dcb9ac2</string>
<key>PayloadType</key>
<string>com.apple.mobiledevice.passwordpolicy</string>
<key>PayloadOrganization</key>
<string>MD � �M</string>
<key>PayloadIdentifier</key>
<string>1b5a9bc1-8c80-4ea8-a98d-1a2e8dcb9ac2</string>
<key>PayloadDisplayName</key>
<string>Passcode Policy</string>
<key>forcePIN</key>
<true/>
<key>allowSimple</key>
<true/>
<key>changeAtNextAuth</key>
<false/>
<key>minLength</key>
<integer>6</integer>
<key>maxFailedAttempts</key>
<integer>6</integer>
Everything works as expected. No unexpected behaviour.
Out Problem is , we are unable to identify whether the device got wiped due to maxfailedattempt exceeded or due to any Reset actions in Settings.
We have no response from the device , on exceeding maximumfailed attempts.
If there is any message response for this exceeded command,
It will better for us to differentiate the complete wipe action’s source.
Also Raised in Apple Feedback : Id FB11498866