Post | Replies | Boosts | Views | Activity
ABM token cannot work if it is downloaded from an existing ABM Device Management Service

Hi Dear Apple experts,

I am hitting a problem (observed from Apr-15, maybe earlier) when renewing the ABM/DEP token from my MDM server. My renewal steps:

1. Download the public key from my MDM server.
2. Upload the public key to the ABM Device Management server instance in the ABM portal, and download a new token.
3. Upload the new token to my MDM server.

The problem is at step 2: if I upload the public key to an existing ABM Device Management server instance in the ABM portal, the generated token is rejected by my MDM server with the error "Could not find recipient info". However, if I upload the public key to a newly created ABM Device Management server instance, everything works. So it looks to me like a token issue when renewing an existing ABM MDM instance. Could you please help take a look?

Thanks, Wei
Replies: 0 | Boosts: 0 | Views: 17 | Activity: 9h
Cannot access VPP server "ax.itunes.apple.com"

Hi Dear Apple Developer,

We have had a problem pinging the iTunes server since Oct-30, 2024. Previously we could reach the VPP server URL http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/wa/wsSearch?media=software&entity=software&country=US&lang=en_us&limit=1&term= without any issues, but now it fails. Even if I try to use "https" to access the above URL, it still fails with the error:

"This server could not prove that it is ax.itunes.apple.com; its security certificate is from a248.e.akamai.net. This may be caused by a misconfiguration or an attacker intercepting your connection."

And it finally ends with this error:

"Access Denied You don't have permission to access "http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/wa/wsSearch?" on this server. Reference #18.55503617.1730815948.be1bde3 https://errors.edgesuite.net/18.55503617.1730815948.be1bde3"

Likewise, we have a problem getting VPP app details via the URL: http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/wa/wsLookup?country=us&id=6445849909

Have there been any changes to this URL recently?

Thanks, Wei
Replies: 0 | Boosts: 1 | Views: 619 | Activity: Nov ’24
Is there any way for zero-user-interaction iOS software upgrade on non-DEP devices?
I know that Apple provides MDM software update and upgrade commands to force an update/upgrade of iOS software, but it seems we need user interaction to accept some T&C or enter the passcode when the OS upgrade takes place, on some non-DEP devices. My question is: is there any way that a non-DEP OS update/upgrade can go forward with zero user interaction?

FYI: I got the information below from the doc https://support.apple.com/en-sg/guide/deployment/depafd2fad80/web:

"If a device is assigned in Apple School Manager or Apple Business Manager, users won’t need to review and accept updated operating system terms and conditions to complete the update or upgrade. If there is no passcode on the device, you can complete the installation remotely using your MDM solution. If the device has a passcode, after MDM sends the update or upgrade to the device, the device queues the update or upgrade and the user is prompted to enter their passcode in order to start the installation immediately or defer for an overnight installation."

Thanks, Wei
Replies: 0 | Boosts: 0 | Views: 296 | Activity: Jul ’23
Any MDM solution to push premium licenses to already installed free version Apps?
Dear Apple experts,

One of our departments is asking if we can procure the premium version of an application that is already installed in its free version. I can see that in Apple Business Manager we can add licenses for the free version to be pushed down with VPP. Within the free version, there are options to purchase the premium version. If our department purchases premium licenses, is there a way we can push a policy or config that will apply the premium license to the free VPP app that we push down to the iPads?

Thanks for your suggestions!
Replies: 0 | Boosts: 0 | Views: 453 | Activity: Apr ’23
[ABM] Any workaround to allow pairing on a DEP-enrolled device (enrolled with "allow_pairing" = false in the DEP profile)

Hi Dear Apple expert,

I have a DEP profile defined with "allow_pairing" = false, and my iOS DEP devices enrolled in the DEP program without any issues. After that, I enabled "allow_pairing" in the DEP settings, but this change does not take effect on my already enrolled devices. Is there any method/workaround to bypass the pairing issue on the already enrolled devices (no re-enrollment, no factory reset)?

Thanks, Wei
Replies: 0 | Boosts: 0 | Views: 742 | Activity: Mar ’22
No "802.1X Password" generated in keychain when pushing Wi-Fi policy (scope=system) from MDM server

When I push a Wi-Fi policy from my MDM server, if I use payload scope = "User", I get 2 keychain entries auto-generated; if payload scope = "system", I only get 1 keychain entry. I have "UserName" defined in the Wi-Fi payload, which should be responsible for creating an "802.1X Password" keychain entry, but it does not work when payload scope = "system":

UserName host / xxxxxxx

Can any expert help look into this? Why is the "802.1X Password" not generated when payload scope = "system"?
Replies: 0 | Boosts: 0 | Views: 563 | Activity: Dec ’21
[FileVault] Fail to escrow FileVault Personal Recovery Key after encryption certificate gets renewed on MDM server

We are using the FileVault PRK escrow feature in our MDM server, and hit an issue when the certificate used for PRK encryption expired and was renewed. From the test result, it seems PRK encryption always uses the OLD certificate, which was initially used to enable FileVault and escrow the PRK, even if the FileVault policy is updated with the NEW certificate and already pushed to the device. The only thing we can do to get the key escrowed successfully is to toggle (turn off then turn on) FileVault on the device. It seems macOS will use the NEW certificate to encrypt the PRK after toggling FV.

We will need Apple's feedback/suggestion on whether there is anything we can do to make the device pick the new cert for encryption without user interaction (toggling FileVault on the device). I have an Apple feedback ticket created for this: FB9582469

Repro steps:

1. MDM server injects a certificate in the FDERecoveryKeyEscrow payload.
2. MDM pushes the FileVault profile to the device; the profile is installed successfully.
3. Enable FileVault on the device, selecting the option to “store key” in my MDM server.
4. The PRK is generated and escrowed to the MDM server.
5. CEM can decrypt the encrypted PRK with the private key of the certificate mentioned in step 1.

————— Here the issue comes —————

6. The certificate mentioned in step 1 expires, and we renew it on the MDM server.
7. Push a new FileVault policy injected with the renewed certificate in the FDERecoveryKeyEscrow payload.
8. From our test result, it seems the device is still using the old certificate to encrypt the PRK, and CEM fails to decrypt it.
9. If we toggle (turn off then turn on) FileVault on the device, the new key can be decrypted successfully by the MDM server.

Thanks, Wei
Replies: 0 | Boosts: 0 | Views: 870 | Activity: Aug ’21
Fail to extract "Distribution" XML file from .pkg using com.sprylab.xar:xar

I am running into an issue when uploading a macOS .pkg file to my MDM server. I finally found that the issue happens when using "com.sprylab.xar:xar" to unarchive the .pkg: the "Distribution" file extracted from the .pkg is not in the correct format. It should be an XML file, but what I get is a binary data file.

PKGs which run into this issue are all signed Apple Software, such as Provisioning Utility 2.1.0.pkg and macOSDeveloperBetaAccessUtility.pkg. We can use the "pkgutil --check-signature" command to check the signing cert chain:

pkgutil --check-signature Provisioning\ Utility\ 2.1.0.pkg
Package "Provisioning Utility 2.1.0.pkg":
   Status: signed Apple Software
   Certificate Chain:
    1. Software Update
       Expires: 2029-04-14 21:28:23 +0000
       SHA256 Fingerprint: E0 74 D2 04 AC 24 98 E9 DC 90 4A 7B C7 CE D8 46 41 19 B7 9D 05 66 80 28 92 05 83 B1 E8 96 EB B4
       ------------------------------------------------------------------------
    2. Apple Software Update Certification Authority
       Expires: 2031-10-15 00:00:00 +0000
       SHA256 Fingerprint: 12 99 E9 BF E7 76 A2 9F F4 52 F8 C4 F5 E5 5F 3B 4D FD 29 34 34 9D D1 85 0B 82 74 F3 5C 71 74 5C
       ------------------------------------------------------------------------
    3. Apple Root CA
       Expires: 2035-02-09 21:40:36 +0000
       SHA256 Fingerprint: B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C 68 C5 BE 91 B5 A1 10 01 F0 24

But other .pkg files which are signed by a "Developer Installer" cert work well:

Package "ProdWrapped_qualys.pkg":
   Status: signed by a certificate that has since expired
   Certificate Chain:
    1. 3rd Party Mac Developer Installer: XXXX(XXXXXXXX)
       SHA256 Fingerprint: 6E D8 DC A5 2E C3 3C DE 72 FA 10 AA DE 82 F3 59 3A 5E 46 1E 41 8E AF FC 89 B8 6C 82 57 6F 9C C4
       ------------------------------------------------------------------------
    2. Apple Worldwide Developer Relations Certification Authority
       SHA256 Fingerprint: CE 05 76 91 D7 30 F8 9C A2 5E 91 6F 73 35 F4 C8 A1 57 13 DC D2 73 A6 58 C0 24 02 3F 8E B8 09 C2
       ------------------------------------------------------------------------
    3. Apple Root CA
       SHA256 Fingerprint: B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C 68 C5 BE 91 B5 A1 10 01 F0 24

I'd appreciate it if anyone has any insight on this. Could it be because of a codesign issue? Or do we need to switch to other unarchiver jars? If yes, any suggestion for unarchiving a .pkg?

Thanks, Wei
Replies: 0 | Boosts: 0 | Views: 724 | Activity: Jul ’21
DEP enrollment failure with Xcode error: NSURLAuthenticationMethodClientCertificate
Hi Dear Apple experts,

I hit a DEP enrollment failure recently. No request reached the MDM server when the issue happened. The DEP configuration is correct on the MDM server, and no wrong DEP profile data was sent to Apple. Checking the network trace with Wireshark, no “Certificate finish” is sent out from the device during the SSL connection setup. The only error I find in the Xcode log is like this:

MCHTTPRequestor: 0x280360030 cannot accept the authentication method NSURLAuthenticationMethodClientCertificate

It seems the client cert is not using a correct auth method. We may need some input from Apple on this error, such as whether any invalid auth method is used in the CEM SSL listener cert, or any other reasons.

We already filed Feedback ticket FB9045594 for this issue, but cannot provide a sysdiagnose log, since this is a DEP device and the user cannot find a way to sync the iPad with a Mac or a PC via iTunes in the current state of the iPad after the enrollment failed.

I'd appreciate any insight shared on this issue.

Thanks, Wei
Replies: 0 | Boosts: 0 | Views: 857 | Activity: May ’21