Ref: https://support.apple.com/en-in/guide/deployment/dep3b4cf515/web
When we deploy a payload with identifier "com.apple.airprint", it adds the deployed printer configurations to the printers list on the Mac. This additionally needs the Mac user to add it from Settings -> Printers -> Add Printer -> (the deployed printer configuration will be listed here) Select the printer -> Click Add.
A screenshot where the user needs to add it manually after the profile association is attached below.
Now the printer is available to be used when the share option in any document is clicked.
Why does this flow require multiple to-and-fro steps? Can the printer be deployed straight to the available printers list instead of being added manually as in the above screenshot?
Hi Apple Team & Community,
The new introduction of Platform SSO during ADE enrollment is great, and we tried implementing it. As per the rule mentioned in the documentation, the MDM server should initially send a 403 response with a response body adhering to ErrorCodePlatformSSORequired when the HTTP header for the MachineInfo request contains MDM_CAN_REQUEST_PSSO_CONFIG set to true.
There are contradictory claims in the document.
In Process Platform SSO Required Response it is mentioned that the MDM server should send the body as a JSON object for ErrorCodePlatformSSORequired. Example below:
>>>>> Response
HTTP/1.1 403 Forbidden
Content-Type: application/json
Content-Length: 558
{
"code": "com.apple.psso.required",
"description": "MDM Server requires the user to authenticate with Identity Provider - BY MEMDM",
"message": "The MDM server requires you to authenticate with your Identity Provider. Please follow the instructions provided by your organization to complete the authentication process - BY MEMDM",
"details": {
"Package": {
"ManifestURL": "https://platform-sso-node-server.vercel.app:443/manifest"
},
"ProfileURL": "https://platform-sso-node-server.vercel.app:443/profile",
"AuthURL": "https://platform-sso-node-server.vercel.app:443/auth"
}
}
But in the same document a sample HTTP response was provided which seems to be in XML format, as below:
>>>>> Response
HTTP/1.1 403 Forbidden
Content-Type: application/xml
Content-Length: 601
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Code</key>
<string>com.apple.psso.required</string>
<key>Details</key>
<dict>
<key>ProfileURL</key>
<string>https://mdmserver.example.com/psso.mobileconfig</string>
<key>Package</key>
<dict>
<key>ManifestURL</key>
<string>https://mdmserver.example.com/psso-app.plist</string>
</dict>
<key>AuthURL</key>
<string>https://idp.example.com/authenticate</string>
</dict>
</dict>
</plist>
From GitHub I assume that both response types are accepted, hence I tried both.
Following the JSON mode, I redirected the HTTP request to https://platform-sso-node-server.vercel.app/redirectedDEPJSON if MachineInfo contains MDM_CAN_REQUEST_PSSO_CONFIG set to true.
Following the XML mode, I redirected the HTTP request to https://platform-sso-node-server.vercel.app/redirectedDEPXML if MachineInfo contains MDM_CAN_REQUEST_PSSO_CONFIG set to true.
In both response modes the OS does not proceed, and an error stating "Enrollment with Management Server Failed, Forbidden request (403)" appears.
Can someone kindly guide me on where I went wrong, or is this an OS bug in Tahoe 26?
Topic:
Business & Education
SubTopic:
Device Management
Tags:
Apple Business Manager
Device Management
Platform SSO
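The exchange described in the post above, as an added example that is not part of the original post and not Apple's or the poster's code: a server-side decision function that inspects an already verified and decoded MachineInfo dictionary, answers a PSSO-capable device with the 403 ErrorCodePlatformSSORequired body in either of the two formats the post quotes (JSON object or XML property list), and a companion parser that reads both back so a developer can check what their endpoint actually emits. The URLs, the product and version strings in the sample MachineInfo, and the `.invalid` hostnames are constructed placeholders; the signature verification of the MachineInfo request is assumed to have happened before this function is called.

```python
import json
import plistlib
from typing import Dict, Tuple

# Hypothetical endpoints (placeholders for this example, not real servers).
PROFILE_URL = "https://mdm.example.invalid/psso.mobileconfig"
MANIFEST_URL = "https://mdm.example.invalid/psso-app.plist"
AUTH_URL = "https://idp.example.invalid/authenticate"

PSSO_REQUIRED_CODE = "com.apple.psso.required"

# Constructed sample MachineInfo dictionaries, as they would look after the
# signed request has been verified and decoded (that step is assumed here).
MACHINE_INFO_PSSO_CAPABLE = {
    "SERIAL": "C02XXXXXXXXX",
    "UDID": "00000000-0000-0000-0000-000000000000",
    "PRODUCT": "MacExample1,1",
    "VERSION": "00A000",
    "MDM_CAN_REQUEST_PSSO_CONFIG": True,
}
MACHINE_INFO_LEGACY = {
    "SERIAL": "C02YYYYYYYYY",
    "UDID": "11111111-1111-1111-1111-111111111111",
    "PRODUCT": "MacExample1,1",
    "VERSION": "00A000",
}


def psso_details() -> Dict[str, object]:
    """The Details dictionary shared by both body formats in the post."""
    return {
        "ProfileURL": PROFILE_URL,
        "Package": {"ManifestURL": MANIFEST_URL},
        "AuthURL": AUTH_URL,
    }


def build_psso_required_body(as_json: bool) -> Tuple[str, bytes]:
    """Return (Content-Type, body) for the 403 response in the JSON form
    (lower-case keys) or the XML plist form (capitalised keys) quoted above."""
    if as_json:
        payload = {
            "code": PSSO_REQUIRED_CODE,
            "description": "MDM server requires the user to authenticate with the identity provider",
            "message": "Follow your organization's instructions to complete authentication",
            "details": psso_details(),
        }
        return "application/json", json.dumps(payload).encode("utf-8")
    payload = {"Code": PSSO_REQUIRED_CODE, "Details": psso_details()}
    return "application/xml", plistlib.dumps(payload)


def handle_machine_info(machine_info: Dict[str, object], as_json: bool = False) -> Tuple[int, str, bytes]:
    """Decide the profile-request response from the device's MachineInfo.

    Only a literal boolean True triggers the PSSO path; an absent key or any
    other value (for example the string "true") falls through to the normal
    enrollment-profile response, so a device that cannot request a PSSO
    configuration is never sent a 403 it cannot act on.
    """
    if machine_info.get("MDM_CAN_REQUEST_PSSO_CONFIG") is True:
        content_type, body = build_psso_required_body(as_json)
        return 403, content_type, body
    # Placeholder for the normal path: the signed enrollment profile.
    return 200, "application/x-apple-aspen-config", b"<enrollment profile would go here>"


def parse_psso_required(content_type: str, body: bytes) -> Dict[str, object]:
    """Decode either body format into one normalised view, so a test harness
    can confirm the endpoint emits the code and URLs it is supposed to."""
    if content_type == "application/json":
        data = json.loads(body)
        code, details = data["code"], data["details"]
    else:
        data = plistlib.loads(body)
        code, details = data["Code"], data["Details"]
    return {
        "code": code,
        "profile_url": details["ProfileURL"],
        "manifest_url": details["Package"]["ManifestURL"],
        "auth_url": details["AuthURL"],
    }


if __name__ == "__main__":
    for as_json in (False, True):
        status, ctype, body = handle_machine_info(MACHINE_INFO_PSSO_CAPABLE, as_json=as_json)
        print(status, ctype, parse_psso_required(ctype, body))
    print(handle_machine_info(MACHINE_INFO_LEGACY)[:2])
```

The strict `is True` comparison is deliberate: MachineInfo is a property list, so the capability flag arrives as a real boolean, and treating anything else as "not capable" keeps an unexpected encoding from pushing a device into a flow it cannot complete.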
Issue Description:
The Get Assets VPP License Management API (both 1.0.0 and 2.0.0) should return the assets with the adamIds of apps available in the App Store. For some location tokens, this API returns adamIds that are not available in the App Store. The contentMetaData API doesn't return any response for these adamIds, and they are not B2B apps either. How can we identify whether the adamIds belong to apps that have been removed from the App Store? Or are we missing anything here? Kindly help us with this case.
Get Assets URL: https://vpp.itunes.apple.com/mdm/v2/assets
Topic:
Business & Education
SubTopic:
General
Tags:
Apple Business Manager
Business and Enterprise
Device Management
https://developer.apple.com/documentation/managedappdistribution
https://developer.apple.com/documentation/appdistribution/fetching-and-displaying-managed-apps
We have tested the above Apple documentation regarding Managed App Distribution.
To note: we are trying to provide a custom App Store in our MDM app for managed apps.
We have done all the steps mentioned in the documentation:
Got the entitlement and enabled it for the app.
Used the exact code in a new SwiftUI project.
Attaching screenshots of the compile-time errors I get.
The first screenshot shows an error when building the project with a physical device (iOS 17.4).
The second one shows a different error when building with a simulator.
I have checked all the Apple documentation and WWDC videos for further clues on this, but no help!
It would be helpful if anyone could help me with an exact working model for this framework.
Hi all,
We are planning to manage about 1 million+ Apple devices, inclusive of both iPhone and Mac devices, under an AxM account. However, while adding VPP licenses for an app I'm prompted with the below error:
" You cannot order more than 100000 copies of same the free item per week"
While our goal is to manage 1 million devices under the same location token, I have the below questions in mind:
1. What is the upper limit on the number of licenses that can be added per app in a location token?
Currently it says 1 lakh licenses per app per week. We want to know if there is any further limit on this count so it doesn't surprise us in upcoming weeks.
2. How many locations can be created in an AxM account?
Currently we have created about 15 locations to see if there is any limit, but so far we couldn't find any limit on the number of locations that can be created. Knowing this limit would help us plan our deployment in advance.
3. What is the total number of licenses a VPP location token can hold?
As we manage 1 million devices for 12 apps, 1 million x 12 = 12 million licenses would be transacted in this location token by our MDM solution. Is this okay, or will there be any limitation on this count?
Topic:
Developer Tools & Services
SubTopic:
General
Tags:
Enterprise
Apple Business Manager
Device Management
When making a GET request to the ABM Account API at https://mdmenrollment.apple.com/account, we receive a response that includes an org_email field. However, we've noticed that the value of org_email varies. Sometimes it corresponds to an account with the role of Administrator, while other times it comes from an account with the role Device Enrolment Manager, Content Manager or People Manager.
We seek clarification on the following points:
Which roles determine the org_email sent in the response?
Is the org_email in the API response always the same, or does it change when we call the API multiple times?
org_email in this response:
https://developer.apple.com/documentation/devicemanagement/accountdetail
I'm reaching out to discuss a significant issue related to how iOS handles app login sessions, particularly in the context of MDM (Mobile Device Management) and the Outlook app.
In our organization, we use MDM to distribute applications, including Outlook, with certificate-based authentication for BYOD (Bring Your Own Device) devices. This setup allows users to log in seamlessly to their accounts. However, we've encountered a concerning behavior: when a user unenrolls from MDM, which automatically removes the distributed apps and certificates, they can later reinstall the app from the App Store and find themselves automatically logged back into their previous accounts without any authentication prompts.
Here’s a detailed breakdown of the situation:
Initial Installation: Users enroll their devices in MDM, which installs the necessary apps and certificates on those devices.
Session Storage: After the initial login, the app stores the session locally on the device.
App Deletion: When users unenroll their devices from MDM, it automatically removes the distributed apps and certificates.
Reinstallation: Days or weeks later, when they reinstall the Outlook app from the App Store, they find themselves automatically logged back into their accounts.
This behavior raises important concerns:
Lack of Authentication: The app retaining user sessions even after deletion allows users to access their accounts without re-authentication, which could lead to potential unauthorized access and undermines the effectiveness of certificate-based authentication and two-factor authentication (2FA).
Note: This issue is not limited to Outlook; we've observed similar behavior with many other apps.
Need for a Solution -
Given the implications of this behavior, we are looking for effective solutions to prevent it. Specifically, we need options within the MDM framework to:
Restrict Session Retention: Implement settings that ensure any app deleted via MDM will lose all stored sessions and require re-authentication upon reinstallation.
Default Settings for MDM-Distributed Apps: Ideally, this would be a default feature for all apps distributed through MDM, ensuring that user sessions are not retained after app deletion.
Has anyone else experienced this issue? Are there any existing settings or workarounds within MDM platforms to mitigate this problem? Your insights and experiences would be invaluable as we navigate this challenge.
Thank you!
Topic:
Business & Education
SubTopic:
Device Management
Tags:
Apple Business Manager
Device Management
Dear Apple Team,
As an MDM (Mobile Device Management) service provider, we are writing to bring attention to an issue that is affecting many of our customers who manage large fleets of iOS devices. Specifically, we have encountered challenges with the app update process via MDM, which is impacting both kiosk devices and non-kiosk devices in a variety of use cases.
Issue 1: App Updates Delayed on Kiosk Devices
Many of our customers are deploying kiosk devices that are used 24/7 independently with no attendants. In these cases, when an app update is sent through MDM via the installApplication command, the installation does not begin immediately. Instead, the update starts only after the device is locked. However, since these kiosk devices are running continuously, they are rarely locked, preventing the app update from occurring.
To force the update, administrators need to manually remote lock or physically lock the device, which is a time-consuming process. This becomes even more challenging for devices like Apple TV, where remotely locking and unlocking the device to complete app updates is especially difficult, making it hard to keep the apps up to date in a timely manner.
Issue 2: User Cancellations of Critical Updates on Non-Kiosk Devices
In the case of non-kiosk devices, customers are encountering another challenge: when a critical update is pushed during business hours, users are often prompted to install the update. However, many users tend to cancel the update, leaving devices unpatched and potentially vulnerable. This behavior can delay the deployment of important security patches, which is a critical concern for organizations managing sensitive data or business-critical apps.
Request for a Solution
Our customers have expressed the need for a more reliable and forceful app update mechanism. Specifically, we are requesting the following features to improve the app update experience:
Scheduled app updates: The ability to schedule app updates, similar to the way OS updates are handled. If the user does not install the update within a specified timeframe, the update should begin automatically or prompt the user with a stronger reminder.
Force install option: A feature that would allow MDM administrators to force an app update immediately, without relying on user intervention. This would ensure that critical updates are installed promptly, improving security and system stability across all devices.
These features are essential for many of our customers who rely on timely and consistent app updates to maintain security, functionality, and compliance across their managed devices. Without these options, they face challenges in ensuring devices are kept up-to-date, which can result in security vulnerabilities and operational disruptions.
We kindly request that Apple consider adding these functionalities to improve the MDM app update process and provide a more reliable experience for both kiosk and non-kiosk device management.
Thank you for your attention to this matter. We look forward to your feedback and any potential improvements in future iOS updates.
Raised in the same manner as feedback: FB15910292
Topic:
Business & Education
SubTopic:
Device Management
Tags:
Business and Enterprise
Apple Business Manager
Device Management
We are currently working on a SCEP server implementation that operates in FIPS-approved mode. In this mode, RSA PKCS#1 v1.5 encryption is disallowed due to compliance requirements, and only FIPS-approved padding schemes such as RSA-OAEP are permitted.
However, we have observed that the SCEP client functionality on Apple devices currently does not support RSA-OAEP for CMS EnvelopedData decryption. This creates a challenge for us in ensuring FIPS compliance while maintaining compatibility with Apple devices during certificate enrollment through SCEP.
We would appreciate your guidance on the following:
Are there any alternative FIPS-approved encryption algorithms or configurations supported by Apple devices for SCEP CMS EnvelopedData decryption?
Is there any plan or timeline for future support of RSA-OAEP on Apple platforms for this use case?
Feedback raised along with sysdiagnose logs as well: FB17655410
When I try to sign in with a Managed Apple ID on a supervised device, a prompt appears stating that "Apple ID" is a work account and that this account must be signed in as a work account on this device. When I click Continue it takes me to the VPN & Device Management tab, where the MDM profile already exists.
Note: the Managed Apple ID has an iCloud subscription.
When I remove the subscription for the Apple ID and try to sign in, it works.
Kindly help with this or advise on any additional steps required to enable sign-in for the Managed Apple ID in this scenario.
Topic:
Business & Education
SubTopic:
Device Management
Tags:
Apple Business Manager
Device Management
On an iPad with OS version 15.1, when deploying an App Store app through MDM, the InstallApplication command receives a "License Not Found" error in response. The app is not purchased through VPP, and the "PurchaseMethod" key is not set in the InstallApplication request command.
I have attached a sample request and response for the InstallApplication command.
InstallApplication command:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CommandUUID</key>
<string>InstallApplication;Collection=xxxx</string>
<key>Command</key>
<dict>
<key>RequestType</key>
<string>InstallApplication</string>
<key>iTunesStoreID</key>
<integer>xxxx</integer>
<key>ManagementFlags</key>
<integer>5</integer>
<key>Configuration</key>
<dict>
<key>ServerName</key>
<string>xxxx</string>
<key>ServerPort</key>
<string>xxxx</string>
<key>UDID</key>
<string>xxxx</string>
<key>ErID</key>
<string>xxxx</string>
<key>IsLanguagePackEnabled</key>
<string>true</string>
<key>authtoken</key>
<string>********</string>
<key>SCOPE</key>
<string>MDMOnDemand/MDMCloudEnrollment</string>
<key>Services</key>
<dict>
<key>urls</key>
<dict>
<key>IOSNativeAppServlet</key>
<string>xxxx</string>
<key>DeviceRegistrationServlet</key>
<string>xxxx</string>
<key>IOSCheckInServlet</key>
<string>xxxx</string>
<key>AppCatalogServlet</key>
<string>xxxx</string>
<key>MDMLogUploaderServlet</key>
<string>xxxx</string>
<key>mdmDocsServlet</key>
<string>xxxx</string>
<key>DFSDownloadURL</key>
<string>xxxx</string>
</dict>
<key>token_name</key>
<string>********</string>
<key>token_value</key>
<string>********</string>
</dict>
<key>IsSyncServerEnabled</key>
<true/>
<key>IsAnnouncementEnabled</key>
<true/>
</dict>
<key>ChangeManagementState</key>
<string>Managed</string>
</dict>
</dict>
</plist>
InstallApplication Response:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CommandUUID</key>
<string>InstallApplication;Collection=xxxx</string>
<key>ErrorChain</key>
<array>
<dict>
<key>ErrorCode</key>
<integer>1005</integer>
<key>ErrorDomain</key>
<string>DeviceManagement.error</string>
<key>LocalizedDescription</key>
<string>Could not install app.</string>
</dict>
<dict>
<key>ErrorCode</key>
<integer>9610</integer>
<key>ErrorDomain</key>
<string>ASDServerErrorDomain</string>
<key>LocalizedDescription</key>
<string>License not found</string>
</dict>
</array>
<key>Status</key>
<string>Error</string>
<key>UDID</key>
<string>xxxx</string>
</dict>
</plist>
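One way to triage responses like the one above on the server side, as an added example that is not part of the original post: a small parser that flattens the ErrorChain of an MDM command response so the outermost wrapper ("Could not install app.") is not mistaken for the cause, and a predicate that recognises the App Store licensing error visible in the post. The first sample is the post's own response; the Acknowledged sample is constructed for contrast.

```python
import plistlib
from typing import Dict, List, Optional, Tuple

# The InstallApplication response quoted in the post above, embedded as the
# sample input (the xxxx values are the post's own redactions).
LICENSE_NOT_FOUND_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CommandUUID</key>
<string>InstallApplication;Collection=xxxx</string>
<key>ErrorChain</key>
<array>
<dict>
<key>ErrorCode</key>
<integer>1005</integer>
<key>ErrorDomain</key>
<string>DeviceManagement.error</string>
<key>LocalizedDescription</key>
<string>Could not install app.</string>
</dict>
<dict>
<key>ErrorCode</key>
<integer>9610</integer>
<key>ErrorDomain</key>
<string>ASDServerErrorDomain</string>
<key>LocalizedDescription</key>
<string>License not found</string>
</dict>
</array>
<key>Status</key>
<string>Error</string>
<key>UDID</key>
<string>xxxx</string>
</dict>
</plist>
"""

# A constructed success response (not from the post) for contrast.
ACKNOWLEDGED_RESPONSE = plistlib.dumps({
    "CommandUUID": "InstallApplication;Collection=xxxx",
    "Status": "Acknowledged",
    "UDID": "xxxx",
})

# (ErrorDomain, ErrorCode, LocalizedDescription)
ErrorEntry = Tuple[str, int, str]


def summarize_command_response(raw: bytes) -> Dict[str, object]:
    """Parse a command response plist and flatten its ErrorChain in order."""
    data = plistlib.loads(raw)
    chain: List[ErrorEntry] = []
    for entry in data.get("ErrorChain", []):
        chain.append((
            str(entry.get("ErrorDomain", "")),
            int(entry.get("ErrorCode", 0)),
            str(entry.get("LocalizedDescription", "")),
        ))
    return {
        "command_uuid": data.get("CommandUUID"),
        "status": data.get("Status"),
        "error_chain": chain,
    }


def root_cause(summary: Dict[str, object]) -> Optional[ErrorEntry]:
    """The most specific error is the last entry in the chain; the first
    entry is only the generic wrapper that the device reports."""
    chain = summary["error_chain"]
    return chain[-1] if chain else None


def is_license_error(summary: Dict[str, object]) -> bool:
    """True when the chain bottoms out in the App Store error shown in the
    post (ASDServerErrorDomain code 9610, 'License not found')."""
    cause = root_cause(summary)
    return cause is not None and cause[0] == "ASDServerErrorDomain" and cause[1] == 9610


if __name__ == "__main__":
    for raw in (LICENSE_NOT_FOUND_RESPONSE, ACKNOWLEDGED_RESPONSE):
        summary = summarize_command_response(raw)
        print(summary["status"], root_cause(summary), is_license_error(summary))
```

Keying the check on the domain and code rather than on the localized string keeps it stable across device languages, which matters when the same logic feeds dashboards or alerts for a fleet.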
Issue Description:
Apps that support both iOS and tvOS can have different versions in the App Store for each platform (iOS and tvOS) but the same bundle identifier and iTunesStoreID/trackID.
For example,
the iOS version of YouTube has the latest version in the App Store as 17.30.3;
the tvOS version of YouTube has the latest version in the App Store as 2.07.01.
This can be verified from the two platform-specific iTunes Lookup API calls shown below:
https://itunes.apple.com/lookup?id=544007664
https://itunes.apple.com/lookup?id=544007664&entity=tvSoftware
Sample contentMetadataLookup URL: https://uclient-api.itunes.apple.com/WebObjects/MZStorePlatform.woa/wa/lookup?version=2&id=544007664&p=mdm-lockup&caller=MDM&platform=enterprisestore&cc=us&l=en
Queries:
What should we do to get the tvOS-specific version of an app from the contentMetadataLookup URL?
The trackViewURL doesn't show the tvOS-specific version history of the app - https://apps.apple.com/us/app/youtube-watch-listen-stream/id544007664?platform=appleTV . How should we view the app's tvOS-specific version history?
Kindly help us with these queries.
Topic:
App Store Distribution & Marketing
SubTopic:
General
Tags:
App Store
Apple Business Manager
Business and Enterprise
Device Management
Description:
Apps over 200MB will not be automatically downloaded on an iOS device when deployed from MDM if "Ask If Over 200MB" is set under General -> App Store -> Mobile Data -> App Downloads. Is there a setting available for MDM to force-enable "Always Allow" under General -> App Store -> Mobile Data -> App Downloads on iOS devices? Kindly help us with this use case.
Topic:
App Store Distribution & Marketing
SubTopic:
General
Tags:
App Store
Device Management
Managed Settings
We have observed that Apple TV doesn't send Ethernet MAC information in the DeviceInformation response. (The Apple TV is connected to Ethernet.)
We've confirmed that the following prerequisites are fulfilled on our side.
The queries in Network information queries are available if the MDM host has a Network Information access right. Reference doc - https://developer.apple.com/business/documentation/MDM-Protocol-Reference.pdf
✓ We have set the maximum access right available (8191).
EthernetMACs - The key to get the Ethernet MAC addresses. This value requires the Network Information access right, and is available in iOS 4 and later, and tvOS 6 and later. Reference doc - https://developer.apple.com/documentation/devicemanagement/deviceinformationcommand/command/queries.
✓ The tvOS version of the device we are referring to here is 14+.
✓ The query dictionary contains the EthernetMACs key.
Is this supported for Apple TV devices as mentioned in the documentation?
Please find the attached sample request and response.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CommandUUID</key>
<string>DeviceInformation</string>
<key>Command</key>
<dict>
<key>RequestType</key>
<string>DeviceInformation</string>
<key>Queries</key>
<array>
<string>DeviceName</string>
<string>OSVersion</string>
<string>BuildVersion</string>
<string>ModelName</string>
<string>Model</string>
<string>ProductName</string>
<string>SerialNumber</string>
<string>DeviceCapacity</string>
<string>AvailableDeviceCapacity</string>
<string>BatteryLevel</string>
<string>CellularTechnology</string>
<string>IMEI</string>
<string>MEID</string>
<string>ModemFirmwareVersion</string>
<string>ICCID</string>
<string>BluetoothMAC</string>
<string>WiFiMAC</string>
<string>CurrentCarrierNetwork</string>
<string>SIMCarrierNetwork</string>
<string>SubscriberCarrier-Network</string>
<string>CarrierSettingsVersion</string>
<string>PhoneNumber</string>
<string>VoiceRoamingEnabled</string>
<string>DataRoamingEnabled</string>
<string>IsRoaming</string>
<string>SubscriberMCC</string>
<string>SubscriberMNC</string>
<string>CurrentMCC</string>
<string>CurrentMNC</string>
<string>UDID</string>
<string>IsSupervised</string>
<string>IsDeviceLocatorServiceEnabled</string>
<string>IsActivationLockEnabled</string>
<string>IsDoNotDisturbInEffect</string>
<string>iTunesStoreAccountIsActive</string>
<string>EASDeviceIdentifier</string>
<string>EthernetMACs</string>
<string>PersonalHotspotEnabled</string>
<string>LastCloudBackupDate</string>
<string>IsCloudBackupEnabled</string>
<string>IsMDMLostModeEnabled</string>
<string>ServiceSubscriptions</string>
<string>Languages</string>
<string>Locales</string>
<string>DeviceID</string>
<string>OrganizationInfo</string>
<string>AwaitingConfiguration</string>
<string>MDMOptions</string>
<string>iTunesStoreAccountHash</string>
<string>SIMMCC</string>
<string>SIMMNC</string>
<string>OSUpdateSettings</string>
<string>LocalHostName</string>
<string>HostName</string>
<string>CatalogURL</string>
<string>IsDefaultCatalog</string>
<string>PreviousScanDate</string>
<string>PreviousScanResult</string>
<string>PerformPeriodicCheck</string>
<string>AutomaticCheckEnabled</string>
<string>BackgroundDownloadEnabled</string>
<string>AutomaticAppInstallationEnabled</string>
<string>AutomaticOSInstallationEnabled</string>
<string>AutomaticSecurityUpdatesEnabled</string>
<string>IsMultiUser</string>
<string>MaximumResidentUsers</string>
<string>PushToken</string>
<string>DiagnosticSubmissionEnabled</string>
<string>AppAnalyticsEnabled</string>
<string>IsNetworkTethered</string>
</array>
</dict>
</dict>
</plist>
Response to this request:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CommandUUID</key>
<string>DeviceInformation</string>
<key>QueryResponses</key>
<dict>
<key>AwaitingConfiguration</key>
<false/>
<key>BluetoothMAC</key>
<string>xx:xx:xx:xx:xx:xx</string>
<key>BuildVersion</key>
<string>xxxxxxx</string>
<key>DeviceID</key>
<string>xx:xx:xx:xx:xx:xx</string>
<key>DeviceName</key>
<string>xxx</string>
<key>IsSupervised</key>
<true/>
<key>MDMOptions</key>
<dict/>
<key>Model</key>
<string>MR912LL</string>
<key>ModelName</key>
<string>AppleTV</string>
<key>OSVersion</key>
<string>14.0.2</string>
<key>ProductName</key>
<string>AppleTV5,3</string>
<key>SerialNumber</key>
<string>xxxxxxxxxx</string>
<key>UDID</key>
<string>xxxx</string>
<key>WiFiMAC</key>
<string>xx:xx:xx:xx:xx:xx</string>
<key>iTunesStoreAccountIsActive</key>
<false/>
</dict>
<key>Status</key>
<string>Acknowledged</string>
<key>UDID</key>
<string>xxx</string>
</dict>
</plist>
Thank you.
Topic:
Developer Tools & Services
SubTopic:
General
Tags:
Enterprise
Business and Enterprise
Device Management
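A check an MDM server can run on every DeviceInformation round trip to make gaps like the missing EthernetMACs above visible instead of silently absent, as an added example that is not part of the original post: it diffs the Queries array of the request against the keys of QueryResponses and reports which required keys came back empty. The request and response here are constructed, modelled on the Apple TV exchange in the post but trimmed to a handful of queries.

```python
import plistlib
from typing import List

# Constructed sample DeviceInformation request, a subset of the post's query list.
REQUEST = plistlib.dumps({
    "CommandUUID": "DeviceInformation",
    "Command": {
        "RequestType": "DeviceInformation",
        "Queries": [
            "DeviceName", "OSVersion", "ModelName", "BluetoothMAC",
            "WiFiMAC", "EthernetMACs", "IsSupervised", "BatteryLevel", "IMEI",
        ],
    },
})

# Constructed sample response: like the post's Apple TV reply, EthernetMACs
# is requested but never answered (values are redacted placeholders).
RESPONSE = plistlib.dumps({
    "CommandUUID": "DeviceInformation",
    "QueryResponses": {
        "DeviceName": "xxx",
        "OSVersion": "14.0.2",
        "ModelName": "AppleTV",
        "BluetoothMAC": "xx:xx:xx:xx:xx:xx",
        "WiFiMAC": "xx:xx:xx:xx:xx:xx",
        "IsSupervised": True,
    },
    "Status": "Acknowledged",
    "UDID": "xxx",
})


def requested_queries(request_plist: bytes) -> List[str]:
    """The Queries array the server asked for, in request order."""
    return list(plistlib.loads(request_plist)["Command"]["Queries"])


def unanswered_queries(request_plist: bytes, response_plist: bytes) -> List[str]:
    """Queries present in the request but absent from QueryResponses.

    Only an Acknowledged response is meaningful here; for any other Status the
    ErrorChain, not the missing keys, is the signal, so refuse to guess.
    """
    response = plistlib.loads(response_plist)
    if response.get("Status") != "Acknowledged":
        raise ValueError(f"response status is {response.get('Status')!r}, not Acknowledged")
    answered = response.get("QueryResponses", {})
    return [q for q in requested_queries(request_plist) if q not in answered]


def missing_required(request_plist: bytes, response_plist: bytes, required: List[str]) -> List[str]:
    """Subset of `required` keys that were requested but not answered; an
    empty list means the inventory record is complete for those keys."""
    gaps = set(unanswered_queries(request_plist, response_plist))
    return [key for key in required if key in gaps]


if __name__ == "__main__":
    print("unanswered:", unanswered_queries(REQUEST, RESPONSE))
    print("required but missing:", missing_required(REQUEST, RESPONSE, ["EthernetMACs", "WiFiMAC"]))
```

Some unanswered queries are expected for a given product (an Apple TV has no IMEI), so the `required` list is where a fleet owner encodes what they actually need per device type; the raw unanswered list is still worth logging, because a key that is documented as supported and suddenly stops arriving is exactly the kind of change this post is about.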
FB9895426 (Apple Device MDM enrolment fails if client certificate is requested during SSL Handshake)
Device enrolment fails on an MDM server configured with client certificate authentication.
Upon investigating the issue, we noticed that the device drops the SSL handshake if a client certificate is requested during the handshake.
Wireshark Screenshot:
From the console logs, we noticed the below error:
<MCHTTPRequestor: 0x283b560a0> cannot accept the authentication method NSURLAuthenticationMethodClientCertificate
The TLS protocol states that "If no suitable certificate is available, the client SHOULD send a certificate message containing no certificates.".
Thus, we expect the MDM client to respond with a "no certificate" response during the SSL handshake.
Someone has already raised the same question but there's no reply yet:
https://developer.apple.com/forums/thread/680328
https://developer.apple.com/forums/thread/676579
Any help would be appreciated. Thanks in advance.