Hi Community, We are happy to see the changes in the Ventura and when we are exploring the System Settings we have seen that some of the Panes were not controlled and some other Panes were behaving unexpected and have described below. ( The comparison was made with reference to macOS Monterey 12.4)   com.apple.preference.mouse - This System Preference payload key was used to enable and disable Mouse Pane in System Preferences in macOS version 12.4 but in Ventura there was no Pane called Mouse which would be difficult for us to control them using System Preference Pane Payload when the Customer updates their macOS to Ventura                                        Mouse Pane in macOS version 12.4     com.apple.preferences.extensions - This command was used to control Extensions Pane in OS version 12.4 but in Ventura Beta 4 it was kept within Privacy & Security Pane and this command has no effect on it. Extensions work when Privacy & Security is enabled or not disabled which opens the control for the managed device to use the Extensions Settings even though they were configured when the customer updates their macOS to Ventura.                                Extensions Pane in System Preferences macOS v12.4                                        Extension in System Settings macOS version Ventura Beta 4   com.apple.preferences.parentalcontrols - parental controls were not in either 12.4 and ventura Beta 4 com.apple.preferences.appstore - appstore media and purchases is within Apple Id Preference Pane and has no effect while using the command com.apple.preference.energysaver - There was no Energy Saver Pane or inner Panes.Most of the energy saver settings are now in the Battery Pane and no System preference pane key was provided to control it.  com.apple.preference.expose - This command was used to control the Mission Control Pane is Version 12.4 but in Ventura Beta 4 there was no such panes and this command has no effect                                        Mission Control Pane in macOS version 12.4    com.apple.preference.general - this System Preference Pane key was used to enable and disable general Pane in OS version 12.4 but in Ventura Beta 4 while disabling it Doesn't Works,Does not Hide the Pane and we can use all the settings available over there and all non-disabled child settings.and while enabling it cannot Be enabled with the command ( cannot be enabled Even though we enable all the System Preference panes ) com.apple.Localization, com.apple.preference.datetime, com.apple.preferences.sharing, com.apple.prefs.backup, com.apple.preferences.configurationprofiles, com.apple.preference.startupdisk - these preference pane commands were used to enable and disable Language & Region,DateTime, Sharing,TimeMachine, Profiles and StartUp Disk Panes respectively in macOS version 12.4  but in Ventura Beta 4 they were placed under General Pane as children and disabling them works fine but while enabling they are not enabling as General Pane cannot be enabled                          Above mentioned System Preference Pane in OS version 12.4                                             Above mentioned Panes within Ventura Beta 4     Moreover, Also the Newly introduced panes such as Wifi, Focus, Appearance, Control Centre, Screen Save, Battery, Lock Screen, Passwords and Game Center have no System preference pane keys to be disabled But while enabling other panes they get disappeared Would like to hear from the community for possible resolutions and also support the customers who use managed devices to upgrade to Ventura seamlessly

Description: An app update of a app store app or a enterprise app is pushed from MDM using "InstallApplication" command to an iOS device. The app is opened in foreground when an update is pushed. The device is supervised and the app is VPP purchased. When the command is sent to device, the app doesn't update automatically and shows a prompt to update the app. Kindly help us understand this case. Sample InstallApplication Request: <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CommandUUID</key> <string>InstallApplication;Sample=000000</string> <key>Command</key> <dict> <key>RequestType</key> <string>InstallApplication</string> <key>iTunesStoreID</key> <integer>1113153706</integer> <key>InstallAsManaged</key> <true/> <key>ManagementFlags</key> <integer>5</integer> <key>Options</key> <dict> <key>PurchaseMethod</key> <integer>1</integer> </dict> <key>ChangeManagementState</key> <string>Managed</string> </dict> </dict> </plist> Sample InstallApplication Response: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CommandUUID</key> <string>InstallApplication;Sample=000000</string> <key>Identifier</key> <string>com.microsoft.skype.teams</string> <key>State</key> <string>PromptingForUpdate</string> <key>Status</key> <string>Acknowledged</string> <key>UDID</key> <string>0000-000000-0000</string> </dict> </plist>

Description: From MDM, the InstalledApplicationList command is sent to device for querying the list of Installed Apps. Some apps doesn't have version(both Version & ShortVersion) in the response. But the "Installing" key is false for them which should mean that the app is already Installed. But the app version is not available in the response. Also, for these apps without app version, the "IsValidated" key gives "false" value. But these apps are installed on the device. Kindly help us understand about this case. Sample Response of InstalledApplicationList: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CommandUUID</key> <string>InstalledApplicationList</string> <key>InstalledApplicationList</key> <array> <dict> <key>AdHocCodeSigned</key> <false/> <key>AppStoreVendable</key> <false/> <key>BetaApp</key> <false/> <key>BundleSize</key> <integer>135618560</integer> <key>DeviceBasedVPP</key> <true/> <key>ExternalVersionIdentifier</key> <integer>850215498</integer> <key>HasUpdateAvailable</key> <false/> <key>Identifier</key> <string>net.whatsapp.WhatsApp</string> <key>Installing</key> <false/> <key>IsValidated</key> <false/> <key>Name</key> <string>‎WhatsApp</string> </dict> <dict> <key>AdHocCodeSigned</key> <false/> <key>AppStoreVendable</key> <false/> <key>BetaApp</key> <false/> <key>BundleSize</key> <integer>185229312</integer> <key>DeviceBasedVPP</key> <true/> <key>ExternalVersionIdentifier</key> <integer>849733664</integer> <key>HasUpdateAvailable</key> <false/> <key>Identifier</key> <string>com.microsoft.azureauthenticator</string> <key>Installing</key> <false/> <key>IsValidated</key> <true/> <key>Name</key> <string>Authenticator</string> <key>ShortVersion</key> <string>6.5.98</string> <key>Version</key> <string>20</string> </dict> <dict> <key>AdHocCodeSigned</key> <false/> <key>AppStoreVendable</key> <false/> <key>BetaApp</key> <false/> <key>BundleSize</key> <integer>287129600</integer> <key>DeviceBasedVPP</key> <true/> <key>ExternalVersionIdentifier</key> <integer>849978495</integer> <key>HasUpdateAvailable</key> <false/> <key>Identifier</key> <string>com.microsoft.skype.teams</string> <key>Installing</key> <false/> <key>IsValidated</key> <false/> <key>Name</key> <string>Teams</string> </dict> <dict> <key>AdHocCodeSigned</key> <false/> <key>AppStoreVendable</key> <false/> <key>BetaApp</key> <false/> <key>BundleSize</key> <integer>213839872</integer> <key>DeviceBasedVPP</key> <true/> <key>ExternalVersionIdentifier</key> <integer>850097782</integer> <key>HasUpdateAvailable</key> <false/> <key>Identifier</key> <string>com.google.Maps</string> <key>Installing</key> <true/> <key>IsValidated</key> <false/> <key>Name</key> <string>Google Maps</string> </dict> <dict> <key>AdHocCodeSigned</key> <false/> <key>AppStoreVendable</key> <false/> <key>BetaApp</key> <false/> <key>BundleSize</key> <integer>43339776</integer> <key>DeviceBasedVPP</key> <true/> <key>ExternalVersionIdentifier</key> <integer>848157118</integer> <key>HasUpdateAvailable</key> <false/> <key>Identifier</key> <string>com.manageengine.mdm.iosagent</string> <key>Installing</key> <false/> <key>IsValidated</key> <true/> <key>Name</key> <string>ME MDM</string> <key>ShortVersion</key> <string>22.04.01</string> <key>Version</key> <string>1558</string> </dict> <dict> <key>AdHocCodeSigned</key> <false/> <key>AppStoreVendable</key> <false/> <key>BetaApp</key> <false/> <key>BundleSize</key> <integer>209174528</integer> <key>DeviceBasedVPP</key> <true/> <key>ExternalVersionIdentifier</key> <integer>848848517</integer> <key>HasUpdateAvailable</key> <false/> <key>Identifier</key> <string>us.zoom.videomeetings</string> <key>Installing</key> <false/> <key>IsValidated</key> <false/> <key>Name</key> <string>Zoom</string> </dict> </array> <key>Status</key> <string>Acknowledged</string> <key>UDID</key> <string>00000-000000-000000</string> </dict> </plist> Some apps with the issue in the given response:- net.whatsapp.WhatsApp, com.microsoft.skype.teams, us.zoom.videomeetings, etc.

Issue: When installing a non VPP app store app in iOS device through MDM, the error - "This Apple ID cannot be used to make purchases" is displayed in the device. But the InstallApplication command response from the device doesn't show any error in it. The response just shows the status as "Installing" and the "ManagedApplicationList" command response shows the device shows the app in "Installing" state. It will be helpful on MDM side if the InstallApplication or ManagedApplicationList command response shows an error. Is it possible? InstallApplication response: <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CommandUUID</key> <string>InstallApplication;Collection=xxxx</string> <key>Identifier</key> <string>com.zuletteran.scannerfree</string> <key>State</key> <string>Prompting</string> <key>Status</key> <string>Acknowledged</string> <key>UDID</key> <string>xxxx</string> </dict> </plist> ManagedApplicationList response: <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CommandUUID</key> <string>ManagedApplicationList</string> <key>ManagedApplicationList</key> <dict> <key>com.zuletteran.scannerfree</key> <dict> <key>ExternalVersionIdentifier</key> <integer>0</integer> <key>HasConfiguration</key> <false/> <key>HasFeedback</key> <false/> <key>IsValidated</key> <false/> <key>ManagementFlags</key> <integer>5</integer> <key>Status</key> <string>Installing</string> </dict> </dict> <key>Status</key> <string>Acknowledged</string> <key>UDID</key> <string>xxxx</string> </dict> </plist>

What were you doing on the device just before the crash occurred? Pushed an App update for the autonomous kiosk enabled mode via MDM Which of the following did you encounter on-screen when the system crash occurred Stuck on Black Screen (Had to Force Reboot device) Steps to Reproduce: Created two versions of the enterprise app, which will enter guided access mode on launch. With MDM, we have created a Autonomous Kiosk Profile with the app(say Version 1) we created and pushed the profile to the device . Checked that the profile payload is in correct format . On Launching the App , the device enters kiosk mode and i was unable to exit the app (Expected Behaviour). Other Functionalities of the app worked good. Now pushed another enterprise app of higher version (say Version 2) . Actual Behaviour : App got to background and app is seen to updating with a loading symbol over it. After App got successfully updated, App Launches and done. The Device hangs. Cant touch anything or move to background or lock the screen. I could only get back the device only after starting remote Restart command from MDM. Expected Behaviour : On App update , App should get updated and then App should be again relaunched automatically on successful update . System shouldn’t be freezed. can anyone help me with this case? Whether this is the behaviour or anything to add in guided access enabled app? Thanks in Advance

Our MDM server is hosted with our enterprise. All the devices pass through the proxy & firewall server to reach it. Due to some misconfiguration, our proxy server responded with 401 to all the requests. Later we noticed that the MDM profile is missing from some of the devices. On checking with the MDM team, they forwarded us to Apple documents saying this is out of their control and 401 response would remove MDM profile. Could this be handled in such a way that, MDM server could have some control over this, say only MDM server can send 401 to remove the profile. Has anyone faced this. Any help this would be appreciated.

For creating APNS certificate, we use a signed CSR from our MDM vendor which is a .plist file. We were using this for quite some years now. But currently APNS portal throws error saying invalid file type (as attached below) Is the Portal updated to support only .csr / .txt / .rtf? Can anyone help to use the correct file format. (P.S: Works if we edit the extension & upload it)

Some customers wants to add a remote file address in the Files App -> Connect to Server option. For now , We cant find any api's to add this to the device via any Commands /Profiles . Is it not at all possible to add this to Files app or am i missing something? If it is not yet supported and no apis available , Will it be available in Future ? Needed some help here.

We tried this Global Preference configuration profile payload to enable fast switching in the device, but unfortunately, after successfully applying the payload, fast user switching still remains disabled in the device with the user restricted to modify the setting. PFA the screenshot of the settings applied in the Profile as well as a screenshot of Login Window settings. OS version: macOS 12.1 <dict> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadUUID</key> <string>7b3041b6-d1fb-43d8-af8c-1028cde8b534</string> <key>PayloadType</key> <string>.GlobalPreferences</string> <key>PayloadOrganization</key> <string>MDM</string> <key>PayloadIdentifier</key> <string>7b3041b6-d1fb-43d8-af8c-1028cde8b534</string> <key>PayloadDisplayName</key> <string>Mac Global Preference payload</string> <key>MultipleSessionEnabled</key> <true/> <key>LULookupDisabled</key> <false/> <key>com.apple.autologout.AutoLogOutDelay</key> <integer>0</integer> </dict>

We are pushing a HomeScreenlayout payload with no "docks" array . The behaviour in iOS's is the dock at the bottom is disappeared. But in ipadOS's , dock is still at the bottom with recent apps listed there. Attached is Screenshot for the ipad's behaviour . Payload : <integer>1</integer> <key>PayloadUUID</key> <string>____________-</string> <key>PayloadType</key> <string>com.apple.homescreenlayout</string> <key>PayloadOrganization</key> <string>MDM</string> <key>PayloadIdentifier</key> <string>_______________</string> <key>PayloadDisplayName</key> <string>Homescreen Layout</string> <key>Pages</key> <array> <array> <dict> <key>BundleID</key> <string>com.apple.mobilephone</string> <key>Type</key> <string>Application</string> </dict> <dict> <key>BundleID</key> <string>com.apple.Preferences</string> <key>Type</key> <string>Application</string> </dict> <dict> <key>BundleID</key> <string>com.google.ios.youtube</string> <key>Type</key> <string>Application</string> </dict> <dict> <key>BundleID</key> <string>com.manageengine.mdm.iosagent</string> <key>Type</key> <string>Application</string> </dict> </array> </array> Is it possible remove the dock from iPadOS or is there anything am i missing to disable the dock or distinguish between dock added apps and Recent Apps?

We have a use case such that we want all the network calls from the mac device to go through VPN. We tried using the OnDemand field in VPN. Unfortunately those user's with admin privilege still able to disconnect from VPN. Even if we enabled OnDemand. Admin users can disconnect by disabling the OnDemand option in VPN settings. We noticed that there is an option to restrict the OnDemand option in iOS as mentioned here using the field OnDemandUserOverrideDisabled However, this is not supported in macOS. Can anyone suggest a mechanism to restrict users from disabling VPN?

In the latest update of macOS 12.3, the Login Window Items payload does not work. However, it is working until macOS 12.1. The profile applies successfully but the required apps are not listed under the Login Window Items tab in Users & Groups. Here is the payload we tried in both the OS versions             <key>PayloadVersion</key>             <integer>1</integer>             <key>PayloadUUID</key>             <string>bdcc8534-8a2e-40b5-bf65-17ab9247319c</string>             <key>PayloadType</key>             <string>com.apple.loginitems.managed</string>             <key>PayloadOrganization</key>             <string>MDM</string>             <key>PayloadIdentifier</key>             <string>bdcc8534-8a2e-40b5-bf65-17ab9247319c</string>             <key>PayloadDisplayName</key>             <string>Mac Login Window Item</string>             <key>AutoLaunchedApplicationDictionary-managed</key>             <array>                 <dict>                     <key>Path</key>                     <string>/Applications/Safari.app</string>                     <key>Hide</key>                     <false/>                 </dict>             </array>         </dict>

In the document by Apple over here, it says that AlwaysOn VPN is supported in macOS 10.7+. However, AlwaysOn doesn't seem to work in macOS even in that latest OS. We came across a post where it states that it is supported only for iOS. We had a requirement for supporting AlwaysOn VPN for macOS. Also, in the console log, we found the following error while sending a profile with AlwaysOn VPN configuration error 16:19:45.716722+0530 mdmclient NEConfiguration initWithVPNPayload: failed error 16:19:45.717076+0530 mdmclient [ERROR] <<<<< PlugIn: InstallPayload [NEProfileIngestionPlugin] Error: Error Domain=ConfigProfilePluginDomain Code=-319 "The ‘VPN Service’ payload could not be installed. The VPN service could not be created." UserInfo={NSLocalizedDescription=The ‘VPN Service’ payload could not be installed. The VPN service could not be created.} <<<<<

We have sent the payload for restricting all the apps except Youtube and MEMDM app . Payload is listed below. The Problem is we are restricted all the apps except the apps that were offloaded before . the icon of the offloaded apps appears in the homescreen. Attached the Screenshot for the above offloaded icons with multiapp kiosk enabled Is this the expected behaviour? Or anything am i missing. Can anyone help me with this? Payload Sent to the Device :-> <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadUUID</key> <string>------------</string> <key>PayloadType</key> <string>Configuration</string> <key>PayloadOrganization</key> <string>-----</string> <key>PayloadIdentifier</key> <string>----------------</string> <key>PayloadDisplayName</key> <string>MultiApp Kiosk</string> <key>PayloadRemovalDisallowed</key> <true/> <key>PayloadContent</key> <array> <dict> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadUUID</key> <string>----------------</string> <key>PayloadType</key> <string>com.apple.applicationaccess</string> <key>PayloadOrganization</key> <string>MDM</string> <key>PayloadIdentifier</key> <string>---------------</string> <key>PayloadDisplayName</key> <string>AppLock Whitelist Policy</string> <key>whitelistedAppBundleIDs</key> <array> <string>com.google.ios.youtube</string> <string>com.manageengine.mdm.iosagent</string> <string>com.apple.webapp</string> </array> <key>allowListedAppBundleIDs </key> <array> <string>com.google.ios.youtube</string> <string>com.manageengine.mdm.iosagent</string> <string>com.apple.webapp</string> </array> </dict> </array> </dict> </plist>

requireManagedPasteboard - boolean If true, copy and paste functionality respects the allowOpenFromManagedToUnmanaged and allowOpenFromUnmanagedToManagedrestrictions. Also available for user enrollment. As it is suggested , It doesn't allow the text to be copied from managed apps and pasted in any unmanaged app and also ViceVersa. But there is an another way to get the text to other Unmanaged/Managed App by highlighting a text from mail content and click on the 'share' option leads the text to be opened in the destination App. Steps: Pushed a Managed Account to Native Mail App. Pushed a Restriction with "requireManagedPasteboard" Opened a Mail and highlighted the text contents Click on Share Option . It will list all the app (both Managed and Unmanaged ) to share the text. I clicked on Notes App. The Highlighted Text got moved to the Notes App. The Same when tried to Copied and pasted in Notes App. It says "Enabled Restriction for Copy/Paste " Attached the screenshot where does the "Share" Option appear. Kindly check whether this is the default behaviour or anything am i missing?