Post

Replies

Boosts

Views

Activity

Device sends "ManagedButUninstalled" status in ManagedApplicationList for an app even without the user removing the app
Problem Description: An App Store (VPP - B2B) app distributed to a device through MDM is not installing. The "InstalledApplicationList" response doesn't have the app in it. The "ManagedApplicationList" response has the app with status as "ManagedButUninstalled". But this cannot happen since there is a restriction - allowAppRemoval is set to false for this device, which prevents the removal of installed apps in that device. This is applied before the app was distributed to MDM.

Steps to reproduce:
1. Enroll a device in MDM.
2. Use restrictions payload [com.apple.applicationaccess] with a key "allowAppRemoval" set to "true".
3. Distribute an app to device.
4. Perform operations to fetch "InstalledApplicationList" and "ManagedApplicationList".

Expected Result: The device should install the app successfully and ManagedApplicationList response should return "Managed" status for the app.

Actual Result: The device doesn't install the app and "ManagedApplicationList" returns "ManagedButUninstalled" status.

InstallApplication Response:

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CommandUUID</key>
    <string>InstallApplication;Collection=899898</string>
    <key>Identifier</key>
    <string>pad.xxxx.ilD</string>
    <key>State</key>
    <string>Installing</string>
    <key>Status</key>
    <string>Acknowledged</string>
    <key>UDID</key>
    <string>000000-00000000-00000000</string>
</dict>
</plist>

ManagedApplicationList Response:

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CommandUUID</key>
    <string>ManagedApplicationList</string>
    <key>ManagedApplicationList</key>
    <dict>
        <key>com.manageengine.mdm.iosagent</key>
        <dict>
            <key>ExternalVersionIdentifier</key>
            <integer>857024336</integer>
            <key>HasConfiguration</key>
            <true/>
            <key>HasFeedback</key>
            <true/>
            <key>IsValidated</key>
            <true/>
            <key>ManagementFlags</key>
            <integer>5</integer>
            <key>Status</key>
            <string>Managed</string>
        </dict>
        <key>com.teamviewer.teamviewerQS</key>
        <dict>
            <key>ExternalVersionIdentifier</key>
            <integer>851678159</integer>
            <key>HasConfiguration</key>
            <false/>
            <key>HasFeedback</key>
            <false/>
            <key>IsValidated</key>
            <true/>
            <key>ManagementFlags</key>
            <integer>5</integer>
            <key>Status</key>
            <string>Managed</string>
        </dict>
        <key>pad.xxxx.ilD</key>
        <dict>
            <key>ExternalVersionIdentifier</key>
            <integer>857489710</integer>
            <key>HasConfiguration</key>
            <true/>
            <key>HasFeedback</key>
            <false/>
            <key>IsValidated</key>
            <false/>
            <key>ManagementFlags</key>
            <integer>5</integer>
            <key>Status</key>
            <string>ManagedButUninstalled</string>
        </dict>
    </dict>
    <key>Status</key>
    <string>Acknowledged</string>
    <key>UDID</key>
    <string>000000-00000000-00000000</string>
</dict>
</plist>

Restrictions Response:

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CommandUUID</key>
    <string>Restrictions</string>
    <key>GlobalRestrictions</key>
    <dict>
        <key>intersection</key>
        <dict>
            <key>autonomousSingleAppModePermittedAppIDs</key>
            <dict>
                <key>values</key>
                <array>
                    <string>pad.xxxx.ilD</string>
                </array>
            </dict>
            <key>whitelistedAppBundleIDs</key>
            <dict>
                <key>values</key>
                <array>
                    <string>pad.xxxx.ilD</string>
                    <string>com.manageengine.mdm.iosagent</string>
                    <string>com.teamviewer.teamviewerQS</string>
                </array>
            </dict>
        </dict>
        <key>restrictedBool</key>
        <dict>
            <key>allowAppRemoval</key>
            <dict>
                <key>value</key>
                <false/>
            </dict>
        </dict>
        <key>restrictedValue</key>
        <dict>
            <key>maxInactivity</key>
            <dict>
                <key>value</key>
                <integer>5</integer>
            </dict>
        </dict>
        <key>union</key>
        <dict>
            <key>blacklistedAppBundleIDs</key>
            <dict>
                <key>values</key>
                <array>
                    <string>com.google.Drive</string>
                    <string>com.apple.news</string>
                </array>
            </dict>
        </dict>
    </dict>
    <key>Status</key>
    <string>Acknowledged</string>
    <key>UDID</key>
    <string>000000-00000000-00000000</string>
</dict>
</plist>
2
0
1.3k
Jun ’23
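The cross-check this report performs by hand, written out as an added example that is not part of the original post: it flags managed apps a device reports as "ManagedButUninstalled" while the effective allowAppRemoval restriction is false. The function names and the com.example.* bundle IDs are hypothetical, the sample responses are constructed and trimmed to the keys the check reads, and treating an absent allowAppRemoval key as "allowed" is an assumption.

```python
import plistlib

# Constructed sample responses (not captured from a device), trimmed to the keys used below.
MANAGED_APPS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>ManagedApplicationList</key>
  <dict>
    <key>com.example.agent</key>
    <dict><key>IsValidated</key><true/><key>Status</key><string>Managed</string></dict>
    <key>com.example.b2bapp</key>
    <dict><key>IsValidated</key><false/><key>Status</key><string>ManagedButUninstalled</string></dict>
  </dict>
  <key>Status</key><string>Acknowledged</string>
</dict></plist>"""

RESTRICTIONS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>GlobalRestrictions</key>
  <dict>
    <key>restrictedBool</key>
    <dict><key>allowAppRemoval</key><dict><key>value</key><false/></dict></dict>
  </dict>
  <key>Status</key><string>Acknowledged</string>
</dict></plist>"""

def app_removal_allowed(restrictions_plist: bytes) -> bool:
    """Effective allowAppRemoval value; an absent key is assumed to mean allowed."""
    doc = plistlib.loads(restrictions_plist)
    bools = doc.get("GlobalRestrictions", {}).get("restrictedBool", {})
    return bools.get("allowAppRemoval", {}).get("value", True)

def inconsistent_apps(managed_plist: bytes, restrictions_plist: bytes, installed_ids=()):
    """Apps reported ManagedButUninstalled although app removal is restricted."""
    doc = plistlib.loads(managed_plist)
    if doc.get("Status") != "Acknowledged":
        raise ValueError(f"command not acknowledged: {doc.get('Status')!r}")
    if app_removal_allowed(restrictions_plist):
        return []  # a user removal could explain the state, so nothing is flagged
    findings = []
    for bundle_id, info in sorted(doc.get("ManagedApplicationList", {}).items()):
        # installed_ids: bundle IDs taken from the InstalledApplicationList response
        if info.get("Status") == "ManagedButUninstalled" and bundle_id not in installed_ids:
            findings.append((bundle_id, info.get("IsValidated", False)))
    return findings

if __name__ == "__main__":
    for bundle_id, validated in inconsistent_apps(MANAGED_APPS, RESTRICTIONS):
        print(f"{bundle_id}: ManagedButUninstalled with allowAppRemoval=false (IsValidated={validated})")
```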
Apple SCEP Clients Can’t Process FIPS‑Compliant RSA‑OAEP EnvelopedData
We are currently working on a SCEP server implementation that operates in FIPS-approved mode. In this mode, RSA PKCS#1 v1.5 encryption is disallowed due to compliance requirements, and only FIPS-approved padding schemes such as RSA-OAEP are permitted.

However, we have observed that the SCEP client functionality on Apple devices currently does not support RSA-OAEP for CMS EnvelopedData decryption. This creates a challenge for us in ensuring FIPS compliance while maintaining compatibility with Apple devices during certificate enrollment through SCEP.

We would appreciate your guidance on the following:
- Are there any alternative FIPS-approved encryption algorithms or configurations supported by Apple devices for SCEP CMS EnvelopedData decryption?
- Is there any plan or timeline for future support of RSA-OAEP on Apple platforms for this use case?

Feedback raised along with sysdiagnose logs as well: FB17655410
2
1
940
1w
Unable to sign in managed Apple ID in supervised device after iCloud subscription
When I try to sign in a Managed Apple ID in a supervised device, a prompt appears stating that "Apple ID" is a work account. This account must be signed in as a work account on this device. When I click Continue, it takes me to the VPN and device management tab, where the MDM profile already exists. Note: The managed Apple ID has an iCloud subscription for it. When I remove the subscription for the Apple ID and try to sign in, it works. Kindly help on this or advise on any additional steps required to enable sign-in for the managed Apple ID in this scenario.
2
1
205
Aug ’25
Maximum Limit of AxM 'Apps and Books' Licenses
Hi all,

We are planning to manage about 1 Million+ Apple devices, inclusive of both iPhone and Mac devices, under an AxM Account. However, while adding VPP Licenses for an App I'm prompted with the below error:

"You cannot order more than 100000 copies of same the free item per week"

While our goal is to manage 1 Million devices under the same Location token, I have the below questions in mind:

1. What is the upper limit of the number of Licenses that can be added per app in a Location token? Currently it says 1 Lakh Licenses per app per week. Wanted to know if there is any limit on this count, as it shouldn't surprise us in upcoming weeks.
2. How many Locations can be created in an AxM Account? Currently we created about 15 locations to see if there is any limit, but so far couldn't find any limit on the number of locations that can be created. This limit could help us plan our deployment in advance.
3. What is the total number of licenses a VPP Location token can hold? As we manage 1 Million Devices for 12 Apps, 1 Million x 12 = 12 Million licenses would be transacted in this location token by our MDM Solution. Is this okay, or will there be any limitations in this count?
3
0
1.1k
May ’24
Enrolling with Platform Single Sign-on ( Implementing Platform SSO during device enrollment )
Hi Apple Team & Community,

The new introduction of Platform SSO during ADE enrollment is great, and we tried implementing this.

As a rule mentioned in the documentation, initially the MDM server should send a 403 response with a response body adhering to ErrorCodePlatformSSORequired when the HTTP header for the MachineInfo request contains MDM_CAN_REQUEST_PSSO_CONFIG and set to true.

There are contradictory claims mentioned in the document. In Process Platform SSO Required Response it is mentioned that the MDM server should send the body as a JSON object for ErrorCodePlatformSSORequired. Example below:

>>>>> Response
HTTP/1.1 403 Forbidden
Content-Type: application/json
Content-Length: 558

{
    "code": "com.apple.psso.required",
    "description": "MDM Server requires the user to authenticate with Identity Provider - BY MEMDM",
    "message": "The MDM server requires you to authenticate with your Identity Provider. Please follow the instructions provided by your organization to complete the authentication process - BY MEMDM",
    "details": {
        "Package": {
            "ManifestURL": "https://platform-sso-node-server.vercel.app:443/manifest"
        },
        "ProfileURL": "https://platform-sso-node-server.vercel.app:443/profile",
        "AuthURL": "https://platform-sso-node-server.vercel.app:443/auth"
    }
}

But in the same document a sample HTTP response was provided that seems to be in XML format, as below:

>>>>> Response
HTTP/1.1 403 Forbidden
Content-Type: application/xml
Content-Length: 601

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Code</key>
    <string>com.apple.psso.required</string>
    <key>Details</key>
    <dict>
        <key>ProfileURL</key>
        <string>https://mdmserver.example.com/psso.mobileconfig</string>
        <key>Package</key>
        <dict>
            <key>ManifestURL</key>
            <string>https://mdmserver.example.com/psso-app.plist</string>
        </dict>
        <key>AuthURL</key>
        <string>https://idp.example.com/authenticate</string>
    </dict>
</dict>
</plist>

From GitHub I assume that both response types are welcomed, hence I tried with both:

- Followed in JSON mode, I redirected the HTTP request, if MachineInfo contains MDM_CAN_REQUEST_PSSO_CONFIG and set to true, to https://platform-sso-node-server.vercel.app/redirectedDEPJSON
- Followed in XML mode, I redirected the HTTP request, if MachineInfo contains MDM_CAN_REQUEST_PSSO_CONFIG and set to true, to https://platform-sso-node-server.vercel.app/redirectedDEPXML

In both response modes the OS is not proceeding further, and an error stating "Enrollment with Management Server Failed, Forbidden request (403)" appears.

Can someone kindly guide on where I missed, or is this any OS bug in Tahoe 26?
3
0
680
Jul ’25
Unable to test ACME payload
Hello All,

We are looking to implement the ACME protocol for our organization PKI and as of now, we are trying out the demo ACME server hosted here. So far, we had a minor piece of luck in getting it to work properly twice, but after that, it errors out every time.

This is the payload we are using:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>ClientIdentifier</key>
            <string>123123123123123123123</string>
            <key>ExtendedKeyUsage</key>
            <array>
                <string>1.3.6.1.5.5.7.3.2</string>
            </array>
            <key>HardwareBound</key>
            <true/>
            <key>KeySize</key>
            <integer>384</integer>
            <key>KeyType</key>
            <string>ECSECPrimeRandom</string>
            <key>KeyUsage</key>
            <integer>5</integer>
            <key>PayloadIdentifier</key>
            <string>com.example.test</string>
            <key>PayloadType</key>
            <string>com.apple.security.acme</string>
            <key>PayloadUUID</key>
            <string>sdf-feec-4171-878d-34e576bbb813</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>Subject</key>
            <array>
                <array>
                    <array>
                        <string>C</string>
                        <string>US</string>
                    </array>
                </array>
                <array>
                    <array>
                        <string>O</string>
                        <string>Example Inc.</string>
                    </array>
                </array>
                <array>
                    <array>
                        <string>CN</string>
                        <string>test</string>
                    </array>
                </array>
            </array>
            <key>SubjectAltName</key>
            <dict>
                <key>dNSName</key>
                <string>site.example.com</string>
            </dict>
            <key>DirectoryURL</key>
            <string>https://ca.attestation.dev/acme/acme/directory</string>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>ACME</string>
    <key>PayloadIdentifier</key>
    <string>com.example.test</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>ce876f81-abf0-46f9-9e68-9b3a7ede8097</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

We get the below errors from the ACME server:

order status is "pending", not yet "valid"
order status is "ready", not yet "valid"

Any insights on what we are doing wrong could be helpful. Thanks in advance.
5
0
2.1k
Oct ’22
iOS 18 - Unable to receive files using AirDrop when "allowListedAppBundleIDs" restriction key is used
On a supervised device running iOS 18 without any AirDrop restrictions applied, when a profile with the allowListedAppBundleIDs restriction key is installed, the AirDrop sound plays. But still the accept prompt does not appear, making it impossible to accept files. The prompt works as expected on iOS 18 devices on which the allowListedAppBundleIDs restriction is not installed. This issue occurs only on supervised iOS 18 devices to which the allowListedAppBundleIDs restriction is being applied.

Steps: Device must be on iOS 18 > Install the (allowListedAppBundleIDs restriction) profile on the device > Try to AirDrop files to the managed device.

The expected result is that the accept prompt must pop up, but it does not appear. This issue is occurring irrespective of any whitelisted bundle ID being added to the allowListedAppBundleIDs restriction profile. Have attached a few whitelisted bundle IDs here: com.talentlms.talentlms.ios.beta, com.maxaccel.safetrack, com.manageengine.mdm.iosagent, com.apple.weather, com.apple.mobilenotes, gov.dot.phmsa.erg2, com.apple.calculator, com.manageengine.mdm.iosagent, com.apple.webapp, com.apple.CoreCDPUI.localSecretPrompt etc.

Have raised a Feedback request (FB15709399) with sysdiagnose logs and a short video on the issue.
6
4
2.0k
Sep ’25
Licenses Expiring - App Store Notification in many iPad devices - Issue
Issue Description: "Licenses Expiring - The licenses for [app_name] and 'x' other applications will expire in 'n' days." The given App Store notification is displayed on many iPad devices. All the apps for which the notification is shown are purchased from ABM (VPP apps). The licenses are still assigned to devices and are not revoked, which is made sure from the VPP API. The VPP token is also not nearing expiration and it has more than 6 months until expiry. Screenshot of the notification is attached below. Kindly help us with the reason for this behavior.
9
1
4.7k
Dec ’22