Hi Apple Community , We are a MDM vendor and have been testing around implementing BYOD User Enrollment. Where in a step we felt good to have a list of managed apple ids associated with an Organization which would be helpful in inserting them in the MDM payload for Account-driven User Enrollment. To do this I have used a managed apple id in Apple Buisness Manager with Roles Content Manager, Device Enrolment Manager and People Manager and a MDM server From the MDM Server I used the token and have generated a auth_session_token and used it as Header X-ADM-Auth-Session to end point https://mdmenrollment.apple.com/account GET to get the account details The response contains list of urls of which `https://mdmenrollment.apple.com/roster/class/person' POST was there which when tried gives ORGANIZATION_NOT_SUPPORTED 400 response. we are unable to retrieve the list of users in a Apple Buisness Manager Account at this point. Is there any ways to achieve what we are tend to do. But in the Roster API

Problem Description: A App Store (VPP - B2B) app distributed to a device through MDM is not installing. The "InstalledApplicationList" response doesn't have the app in it. The "ManagedApplicationList" response has the app with status as "ManagedButUninstalled". But this cannot happen since there is a restriction - allowAppRemoval is set to false for this device which prevents the removal of installed apps in that device. This is applied before the app was distributed to MDM. Steps to reproduce: Enroll a device in MDM. Use restrictions payload[com.apple.applicationaccess] with a key "allowAppRemoval" set to "true". Distribute an app to device. Perform operations to fetch "InstalledApplicationList" and "ManagedApplicationList". Expected Result: The device should install the app successfully and ManagedApplicationList response should return "Managed" status for the app. Actual Result: The device doesn't install the app and "ManagedApplicationList" returns "ManagedButUninstalled" status. InstallApplication Response: <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CommandUUID</key> <string>InstallApplication;Collection=899898</string> <key>Identifier</key> <string>pad.xxxx.ilD</string> <key>State</key> <string>Installing</string> <key>Status</key> <string>Acknowledged</string> <key>UDID</key> <string>000000-00000000-00000000</string> </dict> </plist> ManagedApplicationList Response: <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CommandUUID</key> <string>ManagedApplicationList</string> <key>ManagedApplicationList</key> <dict> <key>com.manageengine.mdm.iosagent</key> <dict> <key>ExternalVersionIdentifier</key> <integer>857024336</integer> <key>HasConfiguration</key> <true/> <key>HasFeedback</key> <true/> <key>IsValidated</key> <true/> <key>ManagementFlags</key> <integer>5</integer> <key>Status</key> <string>Managed</string> </dict> <key>com.teamviewer.teamviewerQS</key> <dict> <key>ExternalVersionIdentifier</key> <integer>851678159</integer> <key>HasConfiguration</key> <false/> <key>HasFeedback</key> <false/> <key>IsValidated</key> <true/> <key>ManagementFlags</key> <integer>5</integer> <key>Status</key> <string>Managed</string> </dict> <key>pad.xxxx.ilD</key> <dict> <key>ExternalVersionIdentifier</key> <integer>857489710</integer> <key>HasConfiguration</key> <true/> <key>HasFeedback</key> <false/> <key>IsValidated</key> <false/> <key>ManagementFlags</key> <integer>5</integer> <key>Status</key> <string>ManagedButUninstalled</string> </dict> </dict> <key>Status</key> <string>Acknowledged</string> <key>UDID</key> <string>000000-00000000-00000000</string> </dict> </plist> Restrictions Response: <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CommandUUID</key> <string>Restrictions</string> <key>GlobalRestrictions</key> <dict> <key>intersection</key> <dict> <key>autonomousSingleAppModePermittedAppIDs</key> <dict> <key>values</key> <array> <string>pad.xxxx.ilD</string> </array> </dict> <key>whitelistedAppBundleIDs</key> <dict> <key>values</key> <array> <string>pad.xxxx.ilD</string> <string>com.manageengine.mdm.iosagent</string> <string>com.teamviewer.teamviewerQS</string> </array> </dict> </dict> <key>restrictedBool</key> <dict> <key>allowAppRemoval</key> <dict> <key>value</key> <false/> </dict> </dict> <key>restrictedValue</key> <dict> <key>maxInactivity</key> <dict> <key>value</key> <integer>5</integer> </dict> </dict> <key>union</key> <dict> <key>blacklistedAppBundleIDs</key> <dict> <key>values</key> <array> <string>com.google.Drive</string> <string>com.apple.news</string> </array> </dict> </dict> </dict> <key>Status</key> <string>Acknowledged</string> <key>UDID</key> <string>000000-00000000-00000000</string> </dict> </plist>

When I try to sign in Managed Apple ID in supervised device there appears a prompt stating that "Apple ID" is a work account.This account must be signed in as a work account on this device.When I click continue it takes to VPN and device management tab where MDM profile already exists. Note:The managed Apple ID has a ICloud subscription for it. When I remove the subscription for the Apple ID and try to sign in, it works. Kindly help on this or advise on any additional steps required to enable sign in for managed Apple ID in this scenario

Hi all , We are planning to manage about 1 Million+ Apple devices of inclusive of both iPhone and Mac devices under a AxM Account. However while adding VPP Licenses for an App i'm prompted with below error: " You cannot order more than 100000 copies of same the free item per week" While our goal is to manage 1 Million devices under same Location token , i have below questions in mind 1 . What is the upper limit of number of Licenses that can be added per app in a Location token? Currently it says 1 Lakh Licenses per app per week . Wanted to know if there is any limit on this count as it shouldn't surprise us in upcoming weeks. 2 . How many Locations can be created in a AxM Account? Currently we created about 15 location to see if there are any limit but so far couldn't find any limit on number of locations that can be created. This limit could help us plan our deployment in advance 3 . What is the total number of licenses a VPP Location token can hold ? As we manage 1 Million Devices for 12 Apps , 1 Million x 12= 12 Million licenses would be transacted in this location token by our MDM Solution , is this okay or will there be any limitations in this count

Hi Apple Team & Community, The new Introduction of Platform SSO during ADE Enrollment is Great And we tried implementing this. As a Rule mentioned in the Documentation Initially MDM Server should send 403 response with Response Body adhering to ErrorCodePlatformSSORequired when HTTP Header for MachineInfo request contains MDM_CAN_REQUEST_PSSO_CONFIG and set to true There are contradictory claims mentioned in Document, In Process Platform SSO Required Response it is mentioned that MDM Server should send body as JSON Object for ErrorCodePlatformSSORequired Example below >>>>> Response HTTP/1.1 403 Forbidden Content-Type: application/json Content-Length: 558 { "code": "com.apple.psso.required", "description": "MDM Server requires the user to authenticate with Identity Provider - BY MEMDM", "message": "The MDM server requires you to authenticate with your Identity Provider. Please follow the instructions provided by your organization to complete the authentication process - BY MEMDM", "details": { "Package": { "ManifestURL": "https://platform-sso-node-server.vercel.app:443/manifest" }, "ProfileURL": "https://platform-sso-node-server.vercel.app:443/profile", "AuthURL": "https://platform-sso-node-server.vercel.app:443/auth" } } But in the same Document a Sample HTTP Response was Provided but seems to be XML format as below >>>>> Response HTTP/1.1 403 Forbidden Content-Type: application/xml Content-Length: 601 <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Code</key> <string>com.apple.psso.required</string> <key>Details</key> <dict> <key>ProfileURL</key> <string>https://mdmserver.example.com/psso.mobileconfig</string> <key>Package</key> <dict> <key>ManifestURL</key> <string>https://mdmserver.example.com/psso-app.plist</string> </dict> <key>AuthURL</key> <string>https://idp.example.com/authenticate</string> </dict> </dict> </plist> From Github I assume that both Response Types are welcomed hence I tried with Both Followed in JSON Mode, I redirected the HTTP request if MachineInfo contains MDM_CAN_REQUEST_PSSO_CONFIG and set to true to https://platform-sso-node-server.vercel.app/redirectedDEPJSON Followed in XML Mode, I redirected the HTTP request if MachineInfo contains MDM_CAN_REQUEST_PSSO_CONFIG and set to true to https://platform-sso-node-server.vercel.app/redirectedDEPXML In both Response Modes OS is not proceeding after and a error Stating Enrollment with Management Server Failed , Forbidden request (403) appears Can someone kindly guide on where I missed, or is this any OS Bug in Tahoe 26?

Hello All, We are looking to implement the ACME protocol for our organization PKI and as of now, we are trying out the demo ACME server hosted here. So far, we had a minor piece of luck in getting it to work properly twice, but after that, it errors out every time. This is the payload we are using: &amp;amp;lt;?xml version="1.0" encoding="UTF-8"?&amp;amp;gt; &amp;amp;lt;!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"&amp;amp;gt; &amp;amp;lt;plist version="1.0"&amp;amp;gt; &amp;amp;lt;dict&amp;amp;gt; &amp;amp;lt;key&amp;amp;gt;PayloadContent&amp;amp;lt;/key&amp;amp;gt; &amp;amp;lt;array&amp;amp;gt; &amp;amp;lt;dict&amp;amp;gt; &amp;amp;lt;key&amp;amp;gt;ClientIdentifier&amp;amp;lt;/key&amp;amp;gt; &amp;amp;lt;string&amp;amp;gt;123123123123123123123&amp;amp;lt;/string&amp;amp;gt; &amp;amp;lt;key&amp;amp;gt;ExtendedKeyUsage&amp;amp;lt;/key&amp;amp;gt; &amp;amp;lt;array&amp;amp;gt; &amp;amp;lt;string&amp;amp;gt;1.3.6.1.5.5.7.3.2&amp;amp;lt;/string&amp;amp;gt; &amp;amp;lt;/array&amp;amp;gt; &amp;amp;lt;key&amp;amp;gt;HardwareBound&amp;amp;lt;/key&amp;amp;gt; &amp;amp;lt;true/&amp;amp;gt; &amp;amp;lt;key&amp;amp;gt;KeySize&amp;amp;lt;/key&amp;amp;gt; &amp;amp;lt;integer&amp;amp;gt;384&amp;amp;lt;/integer&amp;amp;gt; &amp;amp;lt;key&amp;amp;gt;KeyType&amp;amp;lt;/key&amp;amp;gt; &amp;amp;lt;string&amp;amp;gt;ECSECPrimeRandom&amp;amp;lt;/string&amp;amp;gt; &amp;amp;lt;key&amp;amp;gt;KeyUsage&amp;amp;lt;/key&amp;amp;gt; &amp;amp;lt;integer&amp;amp;gt;5&amp;amp;lt;/integer&amp;amp;gt; &amp;amp;lt;key&amp;amp;gt;PayloadIdentifier&amp;amp;lt;/key&amp;amp;gt; &amp;amp;lt;string&amp;amp;gt;com.example.test&amp;amp;lt;/string&amp;amp;gt; &amp;amp;lt;key&amp;amp;gt;PayloadType&amp;amp;lt;/key&amp;amp;gt; &amp;amp;lt;string&amp;amp;gt;com.apple.security.acme&amp;amp;lt;/string&amp;amp;gt; &amp;amp;lt;key&amp;amp;gt;PayloadUUID&amp;amp;lt;/key&amp;amp;gt; &amp;amp;lt;string&amp;amp;gt;sdf-feec-4171-878d-34e576bbb813&amp;amp;lt;/string&amp;amp;gt; &amp;amp;lt;key&amp;amp;gt;PayloadVersion&amp;amp;lt;/key&amp;amp;gt; &amp;amp;lt;integer&amp;amp;gt;1&amp;amp;lt;/integer&amp;amp;gt; &amp;amp;lt;key&amp;amp;gt;Subject&amp;amp;lt;/key&amp;amp;gt; &amp;amp;lt;array&amp;amp;gt; &amp;amp;lt;array&amp;amp;gt; &amp;amp;lt;array&amp;amp;gt; &amp;amp;lt;string&amp;amp;gt;C&amp;amp;lt;/string&amp;amp;gt; &amp;amp;lt;string&amp;amp;gt;US&amp;amp;lt;/string&amp;amp;gt; &amp;amp;lt;/array&amp;amp;gt; &amp;amp;lt;/array&amp;amp;gt; &amp;amp;lt;array&amp;amp;gt; &amp;amp;lt;array&amp;amp;gt; &amp;amp;lt;string&amp;amp;gt;O&amp;amp;lt;/string&amp;amp;gt; &amp;amp;lt;string&amp;amp;gt;Example Inc.&amp;amp;lt;/string&amp;amp;gt; &amp;amp;lt;/array&amp;amp;gt; &amp;amp;lt;/array&amp;amp;gt; &amp;amp;lt;array&amp;amp;gt; &amp;amp;lt;array&amp;amp;gt; &amp;amp;lt;string&amp;amp;gt;CN&amp;amp;lt;/string&amp;amp;gt; &amp;amp;lt;string&amp;amp;gt;test&amp;amp;lt;/string&amp;amp;gt; &amp;amp;lt;/array&amp;amp;gt; &amp;amp;lt;/array&amp;amp;gt; &amp;amp;lt;/array&amp;amp;gt; &amp;amp;lt;key&amp;amp;gt;SubjectAltName&amp;amp;lt;/key&amp;amp;gt; &amp;amp;lt;dict&amp;amp;gt; &amp;amp;lt;key&amp;amp;gt;dNSName&amp;amp;lt;/key&amp;amp;gt; &amp;amp;lt;string&amp;amp;gt;site.example.com&amp;amp;lt;/string&amp;amp;gt; &amp;amp;lt;/dict&amp;amp;gt; &amp;amp;lt;key&amp;amp;gt;DirectoryURL&amp;amp;lt;/key&amp;amp;gt; &amp;amp;lt;string&amp;amp;gt;https://ca.attestation.dev/acme/acme/directory&amp;amp;lt;/string&amp;amp;gt; &amp;amp;lt;/dict&amp;amp;gt; &amp;amp;lt;/array&amp;amp;gt; &amp;amp;lt;key&amp;amp;gt;PayloadDisplayName&amp;amp;lt;/key&amp;amp;gt; &amp;amp;lt;string&amp;amp;gt;ACME&amp;amp;lt;/string&amp;amp;gt; &amp;amp;lt;key&amp;amp;gt;PayloadIdentifier&amp;amp;lt;/key&amp;amp;gt; &amp;amp;lt;string&amp;amp;gt;com.example.test&amp;amp;lt;/string&amp;amp;gt; &amp;amp;lt;key&amp;amp;gt;PayloadType&amp;amp;lt;/key&amp;amp;gt; &amp;amp;lt;string&amp;amp;gt;Configuration&amp;amp;lt;/string&amp;amp;gt; &amp;amp;lt;key&amp;amp;gt;PayloadUUID&amp;amp;lt;/key&amp;amp;gt; &amp;amp;lt;string&amp;amp;gt;ce876f81-abf0-46f9-9e68-9b3a7ede8097&amp;amp;lt;/string&amp;amp;gt; &amp;amp;lt;key&amp;amp;gt;PayloadVersion&amp;amp;lt;/key&amp;amp;gt; &amp;amp;lt;integer&amp;amp;gt;1&amp;amp;lt;/integer&amp;amp;gt; &amp;amp;lt;/dict&amp;amp;gt; &amp;amp;lt;/plist&amp;amp;gt; We get the below errors from the ACME server: order status is "pending", not yet "valid" order status is "ready", not yet "valid" Any insights on what we are doing wrong could be helpful. Thanks in advance.

On a supervised device running iOS 18 without any AirDrop restrictions applied, when a profile with allowListedAppBundleIDs restriction key is installed, the AirDrop sound plays. But still the accept prompt does not appear, making it impossible to accept files. The prompt works as expected on iOS 18 devices to which the allowListedAppBundleIDs restriction is not installed. This issue occurs only on supervised iOS 18 devices to which the allowListedAppBundleIDs restriction is being applied. Device must be in iOS 18 version > Install the (allowListedAppBundleIDs restriction) profile with the device > Try to AirDrop files to the managed device. The expected result is that the accept prompt must pop up but it does not appear. This issue is occurring irrespective of any Whitelisted bundle ID being added to the allowListedAppBundleIDs restriction profile. Have attached a few Whitelisted bundle ID here com.talentlms.talentlms.ios.beta, com.maxaccel.safetrack, com.manageengine.mdm.iosagent, com.apple.weather, com.apple.mobilenotes, gov.dot.phmsa.erg2, com.apple.calculator, com.manageengine.mdm.iosagent, com.apple.webapp, com.apple.CoreCDPUI.localSecretPrompt etc. Have raised a Feedback request (FB15709399) with sysdiagnose logs and a short video on the issue.

Issue Description: Licenses Expiring - The licenses for [app_name] and 'x' other applications will expire in 'n' days. The given App Store Notification is displayed in many iPad devices. All the apps for which the notification is shown are purchased from ABM (VPP apps). The licenses are still assigned to devices and are not revoked which is made sure from VPP API. The VPP token is also not nearing expiration and it has more than 6 months time for expiry. Screenshot of the notification is attached below Kindly help us with the reason for this behavior