Reply to Regarding User Enrollment Testing
Hello. Any update on this one? As user enrollment is supposed to be deprecated with iOS 18, giving a try to User Account Driven Enrollment, and hitting the same - despite Location being properly set when returning the authentication endpoint, the 2nd enrollment phase does not contain the access token in Authorization. Is there anything special to do?
Sep ’24
Reply to GetToken response
Has anyone indeed more details? We tried the following:

Build a JWT token, using headers as:

    headers = { 'typ': 'JWT', 'alg': 'RS256' }

and claim as:

    claim = {
        'iss': DEP_SERVER_UUID,
        'iat': epoch_time_in_ms,
        'jti': RANDOM_UUID,
        'service_type': 'com.apple.maid'
    }

The token is signed with the private key which was used to generate the public key added to the DEP server in Apple Business Manager. Using Python 3, we're using the PyJWT package: https://pyjwt.readthedocs.io/en/latest/api.html

This generates a JWT token, which seems OK according to https://jwt.io; the token is encoded in UTF-8 and then returned in a plist as:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>TokenData</key>
        <data>
        BASE64_ENCODED_VERSION_OF_THE_TOKEN
        </data>
    </dict>
    </plist>

So everything is OK, but I can't log in with a managed Apple ID from the same Business Manager if I enforce "Supervised devices". The device is sending the GetToken checkin request, receives the response, but does not let the user log in. Is there anything missing? It looks like we fulfill the documentation requirements, so I can't figure out what's wrong. Thanks for any hint!
Mar ’24
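Added example, not part of the original post and not Apple's or PyJWT's code: a structural self-check for the GetToken response body described above, using only the Python standard library. It assumes the header and claim names listed in the post, uses constructed placeholder values with a dummy signature segment, and does not verify the RS256 signature.

```python
import base64
import json
import plistlib

EXPECTED_HEADER = {"typ": "JWT", "alg": "RS256"}          # values from the post
REQUIRED_CLAIMS = ("iss", "iat", "jti", "service_type")   # names from the post

def encode_segment(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_segment(segment):
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def build_response(jwt_text):
    # plistlib writes bytes as base64 inside <data>, so pass the raw token bytes.
    return plistlib.dumps({"TokenData": jwt_text.encode("utf-8")})

def inspect_response(plist_bytes):
    """Return a list of structural problems; an empty list means none found."""
    token = plistlib.loads(plist_bytes).get("TokenData")
    if not isinstance(token, bytes):
        return ["TokenData is missing or is not a <data> element"]
    parts = token.decode("utf-8", "replace").split(".")
    if len(parts) != 3:
        return ["TokenData is not a three-part JWT (possibly base64-encoded twice)"]
    try:
        header, claims = decode_segment(parts[0]), decode_segment(parts[1])
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("segment is not a JSON object")
    except ValueError:
        return ["JWT header or claims are not base64url-encoded JSON objects"]
    problems = []
    for key, want in EXPECTED_HEADER.items():
        if header.get(key) != want:
            problems.append(f"header {key!r} is {header.get(key)!r}, expected {want!r}")
    problems += [f"claim {c!r} is missing" for c in REQUIRED_CLAIMS if c not in claims]
    if claims.get("service_type") != "com.apple.maid":
        problems.append("service_type is not 'com.apple.maid'")
    return problems

# Constructed sample: placeholder identifiers and a dummy signature segment.
SAMPLE_CLAIMS = {"iss": "DEP_SERVER_UUID", "iat": 1710000000000,
                 "jti": "RANDOM_UUID", "service_type": "com.apple.maid"}
SAMPLE_JWT = ".".join([encode_segment(EXPECTED_HEADER), encode_segment(SAMPLE_CLAIMS), "c2lnbmF0dXJl"])
GOOD = build_response(SAMPLE_JWT)
# Failure mode: the token was base64-encoded by hand before plistlib encoded it again.
DOUBLE = plistlib.dumps({"TokenData": base64.b64encode(SAMPLE_JWT.encode())})

if __name__ == "__main__":
    print(inspect_response(GOOD))
    print(inspect_response(DOUBLE))
```

An empty result only means the response is well-formed; it says nothing about whether the signing key matches the one registered in Apple Business Manager.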
Reply to iOS 17 Automated Device Enrollment's New Minimum Required Version
Thanks for the reply. I'd have 2 additional questions:

- Which error should be replied by the server? The WWDC session says "The MDM will send a JSON 403 response when the device requests the enrollment profile", but JSON is the format of the content, while 403 is at the HTTP layer. Should it just be 403 with empty content?
- Comparing versions is quite straightforward, but is there any guidance / documentation related to supplemental versions?

For instance, my test iPad would return:

    <key>OS_VERSION</key>
    <string>17.0</string>
    <key>PRODUCT</key>
    <string>iPad12,1</string>
    <key>SUPPLEMENTAL_BUILD_VERSION</key>
    <string>21A5248v</string>
    <key>VERSION</key>
    <string>21A5248v</string>

Obviously, testing if the version is the one we expect is simple, but I guess that most of the time organizations are asking for a minimum version requirement, which means that we need to test if device VERSION / SUPPLEMENTAL_BUILD_VERSION is more recent than the organization requires. I assume the build number could be parsed...
Jul ’23
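Added example, not part of the original post and not Apple guidance: one way a server could apply a minimum-version rule to the keys shown above, failing closed when a value cannot be parsed. It assumes build strings have the shape number, uppercase letter, number, optional lowercase letter, and that ordering by those fields matches release order; the page confirms neither, and the value 21A5277h is constructed.

```python
import plistlib
import re

BUILD_RE = re.compile(r"(\d+)([A-Z])(\d+)([a-z]?)")  # assumed layout

def parse_os_version(text):
    """'17.0' -> (17, 0, 0); short versions are padded with zeros."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised OS version: {text!r}")
    return tuple(int(p) for p in parts) + (0,) * (3 - len(parts))

def parse_build(text):
    """'21A5248v' -> (21, 'A', 5248, 'v')."""
    match = BUILD_RE.fullmatch(text)
    if match is None:
        raise ValueError(f"unrecognised build version: {text!r}")
    major, letter, number, suffix = match.groups()
    return (int(major), letter, int(number), suffix)

def meets_minimum(info, min_os, min_build=None):
    """True only if the reported version is at least the required one."""
    try:
        device_os = parse_os_version(info["OS_VERSION"])
        required_os = parse_os_version(min_os)
        # The build is only the tie-breaker when the OS versions are equal.
        if device_os != required_os or min_build is None:
            return device_os >= required_os
        build = info.get("SUPPLEMENTAL_BUILD_VERSION") or info["VERSION"]
        return parse_build(build) >= parse_build(min_build)
    except (KeyError, ValueError, TypeError):
        return False  # fail closed: an unreadable version never passes the gate

# Constructed plist carrying the key/value pairs quoted in the post.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>OS_VERSION</key><string>17.0</string>
<key>PRODUCT</key><string>iPad12,1</string>
<key>SUPPLEMENTAL_BUILD_VERSION</key><string>21A5248v</string>
<key>VERSION</key><string>21A5248v</string>
</dict></plist>"""
SAMPLE = plistlib.loads(SAMPLE_PLIST)

if __name__ == "__main__":
    print(meets_minimum(SAMPLE, "17.0", "21A5248v"))
    print(meets_minimum(SAMPLE, "17.0", "21A5277h"))
```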
Reply to Missing iOS MDM Restriction for App Hiding/Locking
This has just been published in the GitHub doc: https://github.com/apple/device-management/compare/release...seed_iOS-18-1_macOS-15-1 There are app-based settings or general restrictions.
Sep ’24
Reply to WebContent filter and ContentFilterUUID clarification
Thanks for the confirmation. I guess it's the same for DNSProxy (DNSProxyUUID)?
Sep ’23