In the case of organizational iPad devices, we need to have them in a more organized way via the homescreenlayout payload. We need to control the dock and the app library. We will be allowing certain apps on the device via allowListedAppBundleIDs, so we want to disable the recent apps in the dock and prevent apps from being duplicated in the app library, including recent apps and Siri suggestions. If there are more options to control the complete screen layout on the device, it would be helpful.
When syncing newly added or modified devices in the Apple Business Manager (ABM) portal using the POST request to https://mdmenrollment.apple.com/devices/sync, we are getting an issue when the ABM server account has more than 1000 devices. The response consistently includes 1000 devices, with the ‘more_to_follow’ flag always set to true and the ‘cursor’ value changing. However, subsequent ABM syncs for other devices result in duplicate devices being included in the response, and the ‘more_to_follow’ flag never becomes false. As more_to_follow is always true, we keep hitting the API continuously.
Please refer to this for details of the sync API that is causing the issue: https://developer.apple.com/documentation/devicemanagement/sync_the_list_of_devices
This issue appears to originate from the Apple ABM side. Any help would be of great use. Thanks in advance.
Topic:
Business & Education
SubTopic:
Device Management
Tags:
Apple Business Manager
Device Management
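A cursor-following sync loop with the guards a practitioner would want against the behaviour reported above (more_to_follow never turning false, pages repeating devices already seen), as an added example that is not Apple's code or from the original post; the fake server is constructed so the example runs offline and reproduces that behaviour:

```python
"""Cursor loop for the ABM device sync endpoint (POST /devices/sync) with
guards against a more_to_follow flag that never clears and pages that repeat
devices already returned.  Added example, not Apple's code; the fake server
below is constructed to reproduce the reported behaviour offline."""
from typing import Callable, Dict, Tuple

PAGE_SIZE = 1000  # the sync endpoint returns at most 1000 devices per page


def make_fake_sync_server(total_devices: int, honest: bool = False) -> Callable[[str], dict]:
    """Constructed stand-in for the real endpoint.  With honest=False it behaves
    like the bug report: more_to_follow is always true and, once the inventory
    is exhausted, it wraps around and re-serves devices it already returned."""
    devices = [{"serial_number": f"SN{i:06d}", "op_type": "added"} for i in range(total_devices)]

    def sync(cursor: str) -> dict:
        start = int(cursor) if cursor else 0
        page = devices[start:start + PAGE_SIZE]
        if not page and not honest:          # wrapped past the end: serve the first page again
            start, page = 0, devices[:PAGE_SIZE]
        more = True if not honest else (start + PAGE_SIZE < total_devices)
        return {"devices": page, "cursor": str(start + PAGE_SIZE), "more_to_follow": more}
    return sync


def sync_all_devices(sync: Callable[[str], dict], cursor: str = "",
                     max_pages: int = 50) -> Tuple[Dict[str, dict], str, str]:
    """Follow the cursor until more_to_follow is false, or until a guard trips:
    a page that adds no unseen device, a cursor that repeats, or max_pages.
    Returns (devices_by_serial, cursor_to_persist, stop_reason).  A stop_reason
    other than "complete" is worth alerting on instead of retrying forever."""
    seen: Dict[str, dict] = {}
    previous_cursors = set()
    for _ in range(max_pages):
        resp = sync(cursor)
        new = [d for d in resp.get("devices", []) if d["serial_number"] not in seen]
        for d in new:
            seen[d["serial_number"]] = d
        next_cursor = resp.get("cursor", "")
        if not resp.get("more_to_follow", False):
            return seen, next_cursor, "complete"
        if not new:
            return seen, cursor, "no_new_devices"      # keep the last productive cursor
        if next_cursor == cursor or next_cursor in previous_cursors:
            return seen, cursor, "cursor_repeated"
        previous_cursors.add(cursor)
        cursor = next_cursor
    return seen, cursor, "max_pages"
```

The cursor returned with a non-"complete" reason is the last one that produced new devices, so it is the right value to persist before retrying later.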
Hi Apple Team,
We have a bunch of macOS devices in our fleet which have the MDM Passcode payload applied. We have observed a huge delay in unlocking the user account at the login screen after the credentials are presented, whereas removing the Passcode payload lets the user unlock their account at the login screen immediately.
Can someone help with this issue? Do any OS updates help with this?
Have filed a Feedback:
FB15143190 (MDM Passcode Payload Causing Delay In Device Unlock)
Also there is a discussion regarding this Passcode Policy issue.
I'm reaching out to discuss a significant issue related to how iOS handles app login sessions, particularly in the context of MDM (Mobile Device Management) and the Outlook app.
In our organization, we use MDM to distribute applications, including Outlook, with certificate-based authentication for BYOD (Bring Your Own Device) devices. This setup allows users to log in seamlessly to their accounts. However, we've encountered a concerning behavior: when a user unenrolls from MDM, which automatically removes the distributed apps and certificates, they can later reinstall the app from the App Store and find themselves automatically logged back into their previous accounts without any authentication prompts.
Here’s a detailed breakdown of the situation:
Initial Installation: Users enroll their devices in MDM, which installs the necessary apps and certificates on those devices.
Session Storage: After the initial login, the app stores the session locally on the device.
App Deletion: When users unenroll their devices from MDM, it automatically removes the distributed apps and certificates.
Reinstallation: Days or weeks later, when they reinstall the Outlook app from the App Store, they find themselves automatically logged back into their accounts.
This behavior raises important concerns:
Lack of Authentication: The app retaining user sessions even after deletion allows users to access their accounts without re-authentication, which could lead to potential unauthorized access and undermines the effectiveness of certificate-based authentication and two-factor authentication (2FA).
Note: This issue is not limited to Outlook; we've observed similar behavior with many other apps.
Need for a Solution:
Given the implications of this behavior, we are looking for effective solutions to prevent it. Specifically, we need options within the MDM framework to:
Restrict Session Retention: Implement settings that ensure any app deleted via MDM will lose all stored sessions and require re-authentication upon reinstallation.
Default Settings for MDM-Distributed Apps: Ideally, this would be a default feature for all apps distributed through MDM, ensuring that user sessions are not retained after app deletion.
Has anyone else experienced this issue? Are there any existing settings or workarounds within MDM platforms to mitigate this problem? Your insights and experiences would be invaluable as we navigate this challenge.
Thank you!
Topic:
Business & Education
SubTopic:
Device Management
Tags:
Apple Business Manager
Device Management
Ref: https://support.apple.com/en-in/guide/deployment/dep3b4cf515/web
When we deploy a payload with the identifier "com.apple.airprint", it adds the deployed printer configurations to the printers list on the Mac. This additionally needs the Mac user to add the printer from Settings -> Printers -> Add Printer -> (the deployed printer configuration will be listed here) -> select the printer -> click Add.
A screenshot showing where the user needs to add it manually after the profile is associated is attached below.
Now the printer is available to be used when the share option in any document is clicked.
Why does this flow require multiple back-and-forth steps? Can the printer be deployed straight to the available printers list instead of being added manually, as in the screenshot above?
Managed iOS/iPad devices are stuck with no network under the conditions below:
Enrolling a Supervised iOS device
Send InstallProfile command with AppLock payload (https://developer.apple.com/documentation/devicemanagement/applock)
Now, when the above managed device loses its network connection with the MDM server due to unknown network issues, the device is out of contact with the MDM server and remains locked.
Since such AppLock payload installed devices are placed in remote locations, it becomes difficult for admins to recover such devices with no network connectivity. The devices have to be brought in from the remote location to recover them.
Under such conditions, it would be better to allow the end user to change the network configuration manually to reconnect the device with the MDM server.
This option could also be allowed only when the device can’t reach the MDM server.
An Apple iPad Air device is failing to enroll through ABM with a "failed to retrieve configuration" error. This error occurs while reaching Apple ABM to fetch the MDM server enrollment details. When we checked the console logs while enrolling the device, we found the following errors:
default 13:54:07.229022+1000 teslad Error: Error Domain=MCCloudConfigurationErrorDomain Code=34004 "The cloud configuration server is unavailable or busy." UserInfo={NSLocalizedDescription=The cloud configuration server is unavailable or busy., CloudConfigurationErrorType=CloudConfigurationFatalError}
default 13:54:07.229120+1000 Setup Service completed
default 13:54:07.230096+1000 Setup Could not retrieve cloud configuration. Error: <Error domain: MCCloudConfigErrorDomain, code 33001>\
Feedback raised along with the screenshot and console logs as well: FB17785513. Please analyse this issue and reply back to us.
Topic:
Business & Education
SubTopic:
Device Management
Tags:
iPad
Apple Business Manager
Device Management
Hi Apple team and community,
We’re currently integrating with the Apps and Books for Organizations API as part of our device management solution and would like to highlight a few critical points we've encountered — including a reliability issue, an enhancement suggestion, and a request for clarification on API rate limits.
1. Issue: Intermittent 403 Errors with stoken-authenticated-apps Endpoint
We are encountering intermittent 403 Forbidden responses from the stoken-authenticated-apps endpoint.
Approximately 30–35% of the requests fail with a 403 status code.
These failures are inconsistent — the same request (using the same Content Token and Storefront) may succeed upon retry.
All requests are properly authenticated and include the required Cookie and other headers as specified in the API documentation.
This issue is impacting our ability to reliably fetch app metadata at scale, particularly in workflows.
We’d like to know:
Is this a known issue?
Could it be due to a rate limit or token misconfiguration?
Are any changes required on our end to avoid these failures?
2. Enhancement Request: Include externalVersionId in versionHistory Response
The versionHistory extension currently returns:
versionString
releaseNotes
releaseDate
However, for Declarative Device Management (DDM) workflows such as App Pinning, we need the externalVersionId as well. Without it, we can't reliably correlate version metadata with the specific version ID required for pinning.
Adding externalVersionId would:
Enable precise version targeting during App Pinning
Improve reliability and automation in managed deployments
We request that Apple consider including externalVersionId in the versionHistory response to better support DDM-based app lifecycle management.
3. Rate Limit Clarification
We found the following note in the Apps and Books for Organizations API documentation:
"The Apps and Books for Organizations API limits the number of requests your app can make using a developer token within a specific period of time. If you exceed this limit, you’ll temporarily receive 429 Too Many Requests error responses for requests that use the token. This error resolves itself shortly after the request rate has reduced."
While this confirms that a rate limit is enforced, there is no detailed information about the thresholds — such as the number of allowed requests per minute, hour, or day per developer token.
To help us implement proper throttling and retry strategies, we request clarification on the following:
What is the exact rate limit threshold per developer token?
Are there per-endpoint limits, or is it a global cap for all requests using the token?
Does the API return a Retry-After header when the limit is exceeded?
What is the recommended backoff strategy for clients to follow when receiving 429 errors?
This information would help us implement efficient throttling and error handling logic.
Any insights from the Apple team or other developers who’ve encountered these issues would be greatly appreciated!
Topic:
Business & Education
SubTopic:
Device Management
Tags:
Apple Business Manager
Device Management
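A retry wrapper that treats 429 (honouring Retry-After when the server sends one) and the intermittent 403 described above as transient, with exponential backoff and full jitter otherwise, as an added example that is not Apple's client code or from the original post; the scripted request function and its responses are constructed so it runs offline:

```python
"""Bounded retry with backoff for Apps and Books for Organizations API calls.
429 is retried after Retry-After (if present) or a jittered exponential delay;
403 is retried only a small number of times, since the post reports the same
request succeeding on retry.  Added example, not Apple's code; the scripted
sender below is a constructed stand-in for a real HTTP client."""
import random
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, Dict[str, str], str]   # (status, headers, body)


def backoff_delay(attempt: int, headers: Dict[str, str], base: float = 0.5, cap: float = 30.0) -> float:
    """Seconds to wait before the next try.  A numeric Retry-After header wins;
    otherwise exponential backoff with full jitter, capped so a long outage
    does not escalate into minute-long sleeps."""
    retry_after = headers.get("Retry-After")
    if retry_after is not None and retry_after.isdigit():
        return float(retry_after)
    return random.uniform(0, min(cap, base * 2 ** attempt))


def request_with_retry(send: Callable[[], Response], max_attempts: int = 5, max_403_retries: int = 2,
                       sleep: Callable[[float], None] = lambda s: None) -> Tuple[Response, List[float]]:
    """Call send() until a non-retryable status comes back or the budgets run out.
    Returns the final response and the delays slept, so the caller can log how
    much throttling the request absorbed.  sleep is injectable for testing."""
    delays: List[float] = []
    retried_403 = 0
    resp = send()
    for attempt in range(1, max_attempts):
        status, headers, _ = resp
        if status == 429:
            pass                                   # always worth retrying once the rate drops
        elif status == 403 and retried_403 < max_403_retries:
            retried_403 += 1                       # intermittent 403: retry a bounded number of times
        else:
            break                                  # success, or a status we do not retry
        delay = backoff_delay(attempt, headers)
        delays.append(delay)
        sleep(delay)
        resp = send()
    return resp, delays


def make_scripted_sender(script: List[Response]) -> Callable[[], Response]:
    """Constructed stand-in for an HTTP client: returns the scripted responses in
    order and repeats the last one once the script is exhausted."""
    calls = [0]

    def send() -> Response:
        resp = script[min(calls[0], len(script) - 1)]
        calls[0] += 1
        return resp
    return send
```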
Hi Apple Community,
At WWDC25, Apple introduced a native device migration feature with iOS/macOS 26 and Apple Business Manager that promises seamless migration from one MDM to another without wiping devices or manual re-enrollment.
That said, while testing this in iOS/macOS 26 beta, we ran into an issue: the Wi-Fi settings deployed by the old MDM aren’t retained during the migration. This means devices lose Wi-Fi connectivity partway through, and users have to manually reconnect before the migration to the new MDM can continue.
This interrupts what should be a smooth, hands-off process. We wanted to ask if this is a known issue or limitation with the current beta? Are there any recommended ways to avoid losing Wi-Fi profiles during this migration window? Will this improve in future updates so that the Wi-Fi connection is preserved or seamlessly handed off to the new MDM?
Any tips, workarounds, or official guidance Apple can share on best practices for handling Wi-Fi profiles during ABM-native device migrations would be hugely appreciated.
Added Feedback with Feedback Assistant ID: FB20150763
Thanks in advance.
Topic:
Business & Education
SubTopic:
Device Management
Tags:
Apple Business Manager
Device Management
We have observed that Apple TV doesn't send Ethernet MAC information in DeviceInformation response. (Apple TV is connected to the Ethernet.)
We've confirmed that the following prerequisites are fulfilled on our side.
The queries in Network information queries are available if the MDM host has a Network Information access right. Reference doc - https://developer.apple.com/business/documentation/MDM-Protocol-Reference.pdf
✓ We have set the maximum access right available (8191).
EthernetMACs - The key to get the Ethernet MAC addresses. This value requires the Network Information access right, and is available in iOS 4 and later, and tvOS 6 and later. Reference doc - https://developer.apple.com/documentation/devicemanagement/deviceinformationcommand/command/queries.
✓ The tvOS version of the device we are referring to here is 14+.
✓ The query dictionary contains the EthernetMACs key.
Is this supported for Apple TV devices as mentioned in the documentation?
Please find the attached sample requests and responses.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CommandUUID</key>
<string>DeviceInformation</string>
<key>Command</key>
<dict>
<key>RequestType</key>
<string>DeviceInformation</string>
<key>Queries</key>
<array>
<string>DeviceName</string>
<string>OSVersion</string>
<string>BuildVersion</string>
<string>ModelName</string>
<string>Model</string>
<string>ProductName</string>
<string>SerialNumber</string>
<string>DeviceCapacity</string>
<string>AvailableDeviceCapacity</string>
<string>BatteryLevel</string>
<string>CellularTechnology</string>
<string>IMEI</string>
<string>MEID</string>
<string>ModemFirmwareVersion</string>
<string>ICCID</string>
<string>BluetoothMAC</string>
<string>WiFiMAC</string>
<string>CurrentCarrierNetwork</string>
<string>SIMCarrierNetwork</string>
<string>SubscriberCarrierNetwork</string>
<string>CarrierSettingsVersion</string>
<string>PhoneNumber</string>
<string>VoiceRoamingEnabled</string>
<string>DataRoamingEnabled</string>
<string>IsRoaming</string>
<string>SubscriberMCC</string>
<string>SubscriberMNC</string>
<string>CurrentMCC</string>
<string>CurrentMNC</string>
<string>UDID</string>
<string>IsSupervised</string>
<string>IsDeviceLocatorServiceEnabled</string>
<string>IsActivationLockEnabled</string>
<string>IsDoNotDisturbInEffect</string>
<string>iTunesStoreAccountIsActive</string>
<string>EASDeviceIdentifier</string>
<string>EthernetMACs</string>
<string>PersonalHotspotEnabled</string>
<string>LastCloudBackupDate</string>
<string>IsCloudBackupEnabled</string>
<string>IsMDMLostModeEnabled</string>
<string>ServiceSubscriptions</string>
<string>Languages</string>
<string>Locales</string>
<string>DeviceID</string>
<string>OrganizationInfo</string>
<string>AwaitingConfiguration</string>
<string>MDMOptions</string>
<string>iTunesStoreAccountHash</string>
<string>SIMMCC</string>
<string>SIMMNC</string>
<string>OSUpdateSettings</string>
<string>LocalHostName</string>
<string>HostName</string>
<string>CatalogURL</string>
<string>IsDefaultCatalog</string>
<string>PreviousScanDate</string>
<string>PreviousScanResult</string>
<string>PerformPeriodicCheck</string>
<string>AutomaticCheckEnabled</string>
<string>BackgroundDownloadEnabled</string>
<string>AutomaticAppInstallationEnabled</string>
<string>AutomaticOSInstallationEnabled</string>
<string>AutomaticSecurityUpdatesEnabled</string>
<string>IsMultiUser</string>
<string>MaximumResidentUsers</string>
<string>PushToken</string>
<string>DiagnosticSubmissionEnabled</string>
<string>AppAnalyticsEnabled</string>
<string>IsNetworkTethered</string>
</array>
</dict>
</dict>
</plist>
Response to this request:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CommandUUID</key>
<string>DeviceInformation</string>
<key>QueryResponses</key>
<dict>
<key>AwaitingConfiguration</key>
<false/>
<key>BluetoothMAC</key>
<string>xx:xx:xx:xx:xx:xx</string>
<key>BuildVersion</key>
<string>xxxxxxx</string>
<key>DeviceID</key>
<string>xx:xx:xx:xx:xx:xx</string>
<key>DeviceName</key>
<string>xxx</string>
<key>IsSupervised</key>
<true/>
<key>MDMOptions</key>
<dict/>
<key>Model</key>
<string>MR912LL</string>
<key>ModelName</key>
<string>AppleTV</string>
<key>OSVersion</key>
<string>14.0.2</string>
<key>ProductName</key>
<string>AppleTV5,3</string>
<key>SerialNumber</key>
<string>xxxxxxxxxx</string>
<key>UDID</key>
<string>xxxx</string>
<key>WiFiMAC</key>
<string>xx:xx:xx:xx:xx:xx</string>
<key>iTunesStoreAccountIsActive</key>
<false/>
</dict>
<key>Status</key>
<string>Acknowledged</string>
<key>UDID</key>
<string>xxx</string>
</dict>
</plist>
Thank you.
Topic:
Developer Tools & Services
SubTopic:
General
Tags:
Enterprise
Business and Enterprise
Device Management
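A small check that builds the DeviceInformation command, diffs the queries sent against the keys in QueryResponses, and confirms the Network Information access right was granted, so a missing EthernetMACs key is reported by code instead of by reading the plist by eye; this is an added example, not Apple's code or from the original post, and the response embedded below is a constructed, shortened copy of the one posted:

```python
"""Find DeviceInformation queries a device did not answer, and confirm the
enrollment's AccessRights include Network Information (bit 32) so the gap is
not a rights problem.  Added example, not Apple's code; SAMPLE_RESPONSE is a
constructed copy of the Apple TV response in the post."""
import plistlib
from typing import List, Set

# AccessRights bit values from the MDM Protocol Reference; 8191 sets all thirteen.
ACCESS_RIGHTS = {
    1: "inspect configuration profiles", 2: "install/remove configuration profiles",
    4: "device lock and passcode removal", 8: "device erase",
    16: "query Device Information", 32: "query Network Information",
    64: "inspect provisioning profiles", 128: "install/remove provisioning profiles",
    256: "inspect installed applications", 512: "restriction-related queries",
    1024: "security-related queries", 2048: "manipulate settings", 4096: "app management",
}
NETWORK_INFORMATION = 32
# Queries that the protocol reference gates behind the Network Information right.
NETWORK_QUERIES = {"EthernetMACs", "WiFiMAC", "BluetoothMAC", "IMEI", "MEID", "ICCID", "PhoneNumber"}


def decode_access_rights(value: int) -> List[str]:
    """Human-readable list of the rights set in an AccessRights integer."""
    return [name for bit, name in ACCESS_RIGHTS.items() if value & bit]


def build_device_information(queries: List[str], command_uuid: str) -> bytes:
    """Serialise a DeviceInformation command in the same shape as the request above."""
    return plistlib.dumps({"CommandUUID": command_uuid,
                           "Command": {"RequestType": "DeviceInformation", "Queries": list(queries)}})


def unanswered_queries(request: bytes, response: bytes) -> Set[str]:
    """Queries present in the command but absent from the response's QueryResponses."""
    sent = set(plistlib.loads(request)["Command"]["Queries"])
    answered = set(plistlib.loads(response).get("QueryResponses", {}))
    return sent - answered


def missing_network_queries(access_rights: int, request: bytes, response: bytes) -> Set[str]:
    """Network-information queries that went unanswered although the right was granted.
    Returns an empty set when the right is missing, since then the gap is expected."""
    if not access_rights & NETWORK_INFORMATION:
        return set()
    return unanswered_queries(request, response) & NETWORK_QUERIES


# Constructed response: the keys the Apple TV returned in the post, with its placeholders.
SAMPLE_RESPONSE = plistlib.dumps({
    "CommandUUID": "DeviceInformation", "Status": "Acknowledged", "UDID": "xxx",
    "QueryResponses": {
        "AwaitingConfiguration": False, "BluetoothMAC": "xx:xx:xx:xx:xx:xx",
        "BuildVersion": "xxxxxxx", "DeviceID": "xx:xx:xx:xx:xx:xx", "DeviceName": "xxx",
        "IsSupervised": True, "MDMOptions": {}, "Model": "MR912LL", "ModelName": "AppleTV",
        "OSVersion": "14.0.2", "ProductName": "AppleTV5,3", "SerialNumber": "xxxxxxxxxx",
        "UDID": "xxxx", "WiFiMAC": "xx:xx:xx:xx:xx:xx", "iTunesStoreAccountIsActive": False,
    },
})
```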
Issue Description:
Apps that support both iOS and tvOS can have different versions in the App Store for each type (iOS and tvOS) but the same Bundle Identifier and iTunesStoreID/trackID.
For example,
the iOS version of YouTube has the latest version in the App Store as 17.30.3
the tvOS version of YouTube has the latest version in the App Store as 2.07.01
This can be verified from the two platform-specific iTunes Lookup API calls shown below:
https://itunes.apple.com/lookup?id=544007664
https://itunes.apple.com/lookup?id=544007664&entity=tvSoftware
Sample contentMetadataLookup URL: https://uclient-api.itunes.apple.com/WebObjects/MZStorePlatform.woa/wa/lookup?version=2&id=544007664&p=mdm-lockup&caller=MDM&platform=enterprisestore&cc=us&l=en
Queries:
What should we do to get the tvOS specific version of an app in contentMetadataLookup URL?
The trackViewURL doesn't show the tvOS-specific version history of the app - https://apps.apple.com/us/app/youtube-watch-listen-stream/id544007664?platform=appleTV . How should we view the app's tvOS-specific version history?
Kindly help us with the queries.
Topic:
App Store Distribution & Marketing
SubTopic:
General
Tags:
App Store
Apple Business Manager
Business and Enterprise
Device Management
Hi,
For the SCEP payload's SAN, we are able to provide an array of strings for each key (dNSName, ntPrincipalName).
<dict>
<key>ntPrincipalName</key>
<string>email</string>
<key>rfc822Name</key>
<array>
<string>email</string>
<string>email2</string>
</array>
<key>dNSName</key>
<array>
<string>test.com</string>
<string>example.com</string>
</array>
</dict>
But the ACMECertificate payload is not accepting this and instead, returns the below error.
The field “rfc822Name” is invalid.
The field “dNSName” is invalid.
Does the ACMECertificate payload support multiple SAN values for each key?
Thanks for your time!
Hi, We are testing the ACMECertificate payload and noticed that in the device's configuration, the key size is displayed as 0.
Thanks in advance.
We are testing the ACMECertificate payload in Mac 13.1 beta and getting this error.
The same payload when sent to iOS works fine.
Any help on this would be appreciated. Thanks.
FB Raised: FB11736586
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>70e4b45e3c1e</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>NewComp</string>
<key>PayloadIdentifier</key>
<string>4565353a3a84</string>
<key>PayloadDisplayName</key>
<string>ACME</string>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>f84ef110e39b</string>
<key>PayloadType</key>
<string>com.apple.security.acme</string>
<key>PayloadOrganization</key>
<string>NewComp</string>
<key>PayloadIdentifier</key>
<string>f84ef110e39b</string>
<key>PayloadDisplayName</key>
<string>ACME Configuration</string>
<key>DirectoryURL</key>
<string>https://acmeserver/acme/acme/directory</string>
<key>ClientIdentifier</key>
<string>test</string>
<key>HardwareBound</key>
<true/>
<key>KeyType</key>
<string>ECSECPrimeRandom</string>
<key>KeySize</key>
<integer>384</integer>
<key>Subject</key>
<array>
<array>
<array>
<string>1.2.840.113549.1.9.1</string>
<string>test@test.com</string>
</array>
</array>
</array>
<key>SubjectAltName</key>
<dict>
</dict>
<key>KeyUsage</key>
<integer>5</integer>
<key>Attest</key>
<true/>
</dict>
</array>
</dict>
</plist>
Hi Apple Community,
We are an MDM vendor and have been testing around implementing BYOD User Enrollment. In one step, we felt it would be good to have a list of Managed Apple IDs associated with an organization, which would be helpful in inserting them into the MDM payload for Account-driven User Enrollment.
To do this I have used a Managed Apple ID in Apple Business Manager with the roles Content Manager, Device Enrollment Manager and People Manager, and an MDM server.
From the MDM server I used the token and generated an auth_session_token, and used it as the header X-ADM-Auth-Session for a GET to the endpoint https://mdmenrollment.apple.com/account to get the account details.
The response contains a list of URLs, among which https://mdmenrollment.apple.com/roster/class/person (POST) was present; when tried, it gives an ORGANIZATION_NOT_SUPPORTED 400 response.
We are unable to retrieve the list of users in an Apple Business Manager account at this point. Is there any way to achieve what we are trying to do?
But in the Roster API
Topic:
Business & Education
SubTopic:
General
Tags:
Apple Business Manager
Device Management
Roster API